APD/GBA (Belgium) - 114/2024: Difference between revisions

From GDPRhub
Revision as of 07:46, 30 September 2024

APD/GBA - 114/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 9(2)(a) GDPR
Article 12(1) GDPR
Article 13(1)(c) GDPR
Article 13(2)(c) GDPR
Article 13(2)(d) GDPR
Article 13(2)(e) GDPR
Article 15(1) GDPR
Article 30(1)(a) GDPR
Article 30(1)(b) GDPR
Article 30(1)(c) GDPR
Article 30(1)(d) GDPR
Article 35 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.09.2024
Published:
Fine: 45,000 EUR
Parties: n/a
National Case Number/Name: 114/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in NL)
Initial Contributor: wp

A controller was fined €45,000 for the unlawful processing of personal data in a timekeeping system based on the collection of employees' fingerprints.

English Summary

Facts

A company (the controller) introduced a timekeeping system based on the collection of fingerprints at its two premises. The controller used software provided by a third party (the processor), a subsidiary of a Japanese company that also operates in the USA and China.

One of the controller's employees filed an access request with the controller twice. The first access request was answered orally, during a meeting between the representative of the union and the controller. The reply to the second request only partially covered the questions asked by the data subject, for example by providing a fragmented list of the processing purposes pursued by the controller and by not responding to the question of a possible refusal of consent.

The data subject lodged a complaint with the Belgian DPA (APD/GBA). They claimed that the processing of their fingerprints violated their right to data protection. The data subject had not provided the fingerprints voluntarily and had not been informed about the data retention periods. The data subject also expressed doubts about the adequacy of the level of data protection in the third countries to which the data might be transferred.

During the investigation, neither the legal basis of the processing nor the rules on the retention period nor a written security and privacy policy could be found. According to the documents provided by the controller, the processing of fingerprints served the following purposes:

• recording of working time (including the preparation of paychecks);

• fraud prevention;

• safety reasons, including knowing at all times how many people are present on the production site in case of fire, or when monitoring the changeover of successive shifts;

• control of access to the employer's building.

Holding

The DPA upheld the complaint.

First, the DPA noted that the controller processed biometric data within the meaning of Article 4(14) GDPR, and consequently sensitive data under Article 9(1) GDPR, because the biometric data were used to identify the data subject.

The controller did not clarify which legal basis under Article 6(1) GDPR and Article 9(2) GDPR it relied on to process the data at stake. After the investigation, the DPA established that the controller relied on consent. Nevertheless, the consent obtained by the controller was not based on accurate information given to the data subject and therefore violated Article 7(1) GDPR. Moreover, the consent was not freely given, since it was given within an employment relationship and the controller had not implemented an alternative timekeeping mechanism. As a result, the controller violated Article 9(1) GDPR, Article 6(1)(a) GDPR and Article 9(2)(a) GDPR.

The DPA found that the controller did not communicate all of the purposes of the data processing. The brochure given to the data subject mentioned only the time recording and site security needs. However, as the processing was not lawful, there was no legitimate purpose for the data processing, and the controller violated Article 5(1)(b) GDPR. Moreover, the controller violated Article 5(1)(c) GDPR, because it relied on a privacy-intrusive mechanism for the employees' timekeeping while other, less intrusive solutions were potentially available to pursue the controller's purposes, for example time clocks or personal cards.

The controller used a welcome brochure to inform the data subject and other employees about the processing of their fingerprints. Yet the brochure did not contain all the information prescribed by Article 13 GDPR; in particular, it gave no information about the legal basis of the processing. Hence, the controller violated Article 12(1) GDPR, Article 13(1)(c) GDPR, Article 13(2)(c) GDPR, Article 13(2)(d) GDPR and Article 13(2)(e) GDPR.

The DPA considered that the controller's answer to the first access request complied with Article 12 GDPR. On the other hand, the answer to the second request was incomplete and as such violated Article 12(1) GDPR in conjunction with Article 15(1)(d) GDPR.

The investigation also showed that the controller violated Article 28 GDPR. No due diligence was performed on the technical and organisational measures used by the processor. Instead, the controller relied on the processor's brochure and on in-person negotiations with the processor. Such conduct was insufficient under Article 28(1) GDPR.

The controller failed to create internal policies describing the technical and organisational measures used. However, the controller had implemented measures which met the requirements of Article 32 GDPR, so no violation of that provision was found. Notwithstanding that, the controller violated Article 5(2) GDPR by failing to demonstrate, in particular, how the measures were checked or how a data breach would be handled.

Furthermore, Article 35 GDPR was violated. No data protection impact assessment was performed, although the processing involved sensitive data of employees (who are vulnerable data subjects) and constituted large-scale processing (approximately 200 employees). In addition, the controller's record of processing activities lacked, inter alia, an appropriate description of the categories of data processed. As a result, the controller violated Article 30(1)(a) GDPR, Article 30(1)(b) GDPR, Article 30(1)(c) GDPR and Article 30(1)(d) GDPR.

Regarding the transfer of data to third countries, the DPA emphasised that there was no proof of a violation of Chapter V GDPR. Equally, the DPA found no violation of Article 28(3) GDPR or Article 37(1) GDPR.

For the violations of:

• Article 5(2) GDPR, Article 30(1)(a) GDPR, Article 30(1)(b) GDPR, Article 30(1)(c) GDPR, Article 30(1)(d) GDPR and Article 35 GDPR, the DPA issued a reprimand;

• Article 12(1) GDPR and Article 15(1) GDPR, the controller received a warning;

• Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 5(2) GDPR, Article 6(1)(a) GDPR, Article 9(1) GDPR, Article 9(2)(a) GDPR, Article 12(1) GDPR, Article 13(1)(c) GDPR, Article 13(2)(c) GDPR, Article 13(2)(d) GDPR and Article 13(2)(e) GDPR, the DPA fined the controller €45,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Litigation Chamber

Decision on the merits 114/2024 of 6 September 2024

File number: DOS-2022-00896

Subject: Time registration via biometric data at work

The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Dirk Van Der Kelen and Mr Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;

Has taken the following decision concerning:

The complainant: X, represented by Mr. Gert Buelens, with offices at 2800 Mechelen, Nekkerspoelstraat 97, hereinafter “the complainant”;

The defendants: Y1, represented by Mr. Bernard Dewit, with offices at 1050 Brussels, Albert Leemansplein 20, hereinafter “the first defendant”;

Y2, represented by Mr. Jos De Wachter and Mr. Charlotte Peeters, with offices at 3600 Genk, Jaarbeurslaan 19, box 3, hereinafter referred to as "the second defendant";

together referred to as "the defendants".

I. Facts and procedure

1. On 3 February 2022, the complainant filed a complaint with the Data Protection Authority against the first defendant. This was initially inadmissible. The complaint was re-filed and declared admissible on 29 March 2022.

The complainant worked for the first defendant from March 2021 to 24 February 2022, initially as a temporary worker and from June 2021 as an employee with a permanent contract. On 16 March 2020, the first defendant introduced a time registration system using fingerprints at both of its sites for all staff members working there. According to the first defendant, the system applies to around 200 employees, of whom 44 are employees, 74 workers, 29 temporary workers and the remainder are "foreign employees". The supplier of the system (the second defendant) is a subsidiary of an international group with its head office in Japan and activities in, among others, the United States and China.

The complainant believes that the processing of his fingerprints (one from each hand) violates his right to the protection of personal data because he did not voluntarily provide the fingerprints and because he was not informed of the modalities of the storage of the data and the retention period. Finally, in his complaint, the complainant also expresses his concern about a possible transfer to a third country that does not offer appropriate safeguards, given the geographical location of the registered office of the parent company of the first defendant.

2. On 29 March 2022, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Resolution Chamber on the basis of Article 62, § 1 WOG.

3. On 21 April 2022, in accordance with Article 96, § 1 WOG, the request of the Dispute Resolution Chamber to conduct an investigation is transferred to the Inspectorate, together with the complaint and the inventory of the documents.

4. On 29 August 2022, the investigation by the Inspection Service is completed, the report is added to the file and the file is transferred by the Inspector General to the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG).

The report contains findings regarding the subject of the complaint and makes the following findings in respect of the first defendant:

1. a violation of Article 5.1, a), 6.1 and 9.1 GDPR;

2. a violation of Article 5.1, b) GDPR;

3. no violation of Article 5.1, c) GDPR;

4. a violation of Article 5.1, a) j° 12.1 and 13 GDPR;

5. a breach of Article 5.1, a) j° 12.1 and 15 GDPR;

6. a breach of Article 5, paragraph 2 GDPR;

7. a breach of Article 28, paragraph 3 GDPR;

8. a breach of Article 28, paragraph 1 GDPR;

9. a breach of Article 32 GDPR;

10. a breach of Article 35 GDPR;

11. no indication of any transfers of the biometric data to third countries or international organisations.

The report contains findings relating to the subject-matter of the complaint on the part of the second defendant and states that the second defendant has failed to fulfil its obligation under Article 28.3 GDPR to conclude a valid processing agreement.

The report also contains findings that go beyond the subject of the complaint. The Inspection Service establishes, in broad terms, that:

1. there is a breach of Article 30 GDPR on the part of the first defendant due to the failure to maintain a processing register prior to the Inspection investigation and due to the defective content of the current processing register;

2. there is a breach of the obligation to appoint a data protection officer pursuant to Article 37.1, b) and c) GDPR on the part of the second defendant.

5. On 1 September 2022, the Dispute Resolution Chamber decides on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for consideration on the merits.

6. On 1 September 2022, the parties concerned are notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG. They are also notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the defendants’ conclusions of reply was set at 13 October 2022, that for the complainant’s conclusions of reply was set at 3 November 2022 and finally that for the defendants’ conclusions of reply was set at 24 November 2022.

As regards the findings outside the subject matter of the complaint, the deadline for receipt of the second defendant’s conclusions of reply was set at 13 October 2022.

7. On 9 September 2022, the second defendant requested a copy of the file (Article 95, § 2, 3° WOG), which was sent to her on 13 September 2022.

8. On 25 September 2022, the complainant requests a copy of the file (Article 95, § 2, 3° WOG), which was sent to him on 5 October 2022.

9. On 25 September 2022, the complainant electronically accepts all communication regarding the case and indicates that he wishes to make use of the possibility to be heard, in accordance with Article 98 WOG.

10. On 28 September 2022, the first defendant electronically accepts all communication regarding the case, requests a copy of the file (Article 95, § 2, 3° WOG), which was sent to him on 5 October 2022, and indicates that he wishes to make use of the possibility to be heard, in accordance with Article 98 WOG.

11. On 13 October 2022, the Dispute Chamber receives the conclusion of the response from the first defendant regarding the findings regarding the subject of the complaint. First, the first defendant outlines the troubled employment relationship with the complainant. The findings of the Inspection Service regarding the lawfulness of the processing, the transparency principle, the principle of purpose limitation and the principle of minimal data processing are not disputed by the first defendant. She states that she has remedied these infringements in the meantime. However, the defendant disputes the findings regarding the complainant's right of access and states that she has responded in accordance with the GDPR. The first defendant also disputes the finding that no sufficient security measures were taken. She has engaged an expert in the matter and received sufficient documentation to convince herself of the seriousness of the measures taken by the supplier (the second defendant).

12. On 13 October 2022, the Disputes Chamber receives the conclusion of the response from the second defendant regarding the findings regarding the subject of the complaint. The second defendant claims to be able to share the correct knowledge about the system. She also states that she has provided the relevant information to the first defendant in a timely manner. Furthermore, the second defendant claims that she does not process personal data, including biometric personal data, since the data subjects are not identifiable to her, since she only has encrypted files. This conclusion also contains the response from the second defendant regarding the findings made by the Inspectorate outside the scope of the complaint. The second defendant argues that it was not obliged to appoint a data protection officer under either Article 37.1.b) or Article 37.1.c) of the GDPR. In the meantime, the second defendant has voluntarily appointed a data protection officer.

13. On 3 November 2022, the Dispute Chamber receives the conclusion of the reply from the complainant. First, the complainant argues that the situation sketch of the first defendant regarding the employment relationship between the two of them is not relevant in these proceedings. As regards the findings of the Inspection Service regarding the subject of the complaint, he asks the Dispute Chamber to confirm them.

14. On 24 November 2022, the Dispute Chamber receives the conclusion of the rejoinder from the first defendant regarding the findings regarding the subject of the complaint, in which she repeats the arguments of her conclusion of the response.

15. On 24 November 2022, the Dispute Chamber receives the conclusion of the rejoinder from the second defendant regarding the findings regarding the subject of the complaint. The second defendant refers to her conclusion of the answer and also requests the Dispute Chamber to take into account the real motives of the parties.

16. On 2 December 2022, the parties are informed that the hearing will take place on 17 February 2023.

17. On 2 December 2022, the complainant indicates that he no longer wishes to be heard.

18. On 17 February 2023, the parties present are heard by the Dispute Chamber.

19. On 22 February 2023, the minutes of the hearing are submitted to the parties present.

20. On 28 February 2023, the Dispute Chamber receives a number of comments from the second defendant regarding the minutes, which it decides to include in its deliberations.

21. On 4 June 2024, the Dispute Chamber notified the first defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give it the opportunity to defend itself before the sanction is actually imposed.

22. On 26 August 2024, the Dispute Chamber received the first defendant's response to the intention to impose an administrative fine, as well as the amount thereof.

II. Reasons

II.1. Lawfulness of the processing (Articles 5.1, a), 6.1 and 9.2 GDPR) with regard to the first defendant

23. The question arises whether the processing of personal data in the context of the time registration by the first defendant constitutes lawful processing.

24. The starting point of Article 5.1.a) GDPR is that personal data may only be processed lawfully.

II.1.1.1. (Special) personal data

25. According to Article 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, for example by reference to one or more factors specific to the physical or physiological identity of that natural person.

26. According to Article 4(14) GDPR, biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

27. Article 9.1 of the GDPR defines special personal data as follows: “[...] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation [...]”.

The parties do not dispute that the first defendant acts as a controller within the meaning of Article 4, 7) GDPR with regard to the time registration of its employees based on their biometric data.

28. In view of the above, the Dispute Resolution Chamber finds that the fingerprint constitutes a biometric data within the meaning of Article 4.14) GDPR. Since this is used by the first defendant to identify the data subject in the context of time registration, it also constitutes special personal data within the meaning of Article 9.1 of the GDPR in the first defendant's possession.

II.1.1.2. Prohibition on the processing of biometric data

29. The Litigation Chamber will assess below whether the first defendant has lawfully processed the special categories of personal data in the context of the time registration of its employees.

30. Personal data that are particularly sensitive deserve specific protection, because their processing can entail high risks for fundamental rights and freedoms. The processing of special categories of personal data is therefore prohibited under Article 9.1 of the GDPR, unless a statutory exception applies.

31. If processing of categories of special personal data takes place in accordance with Article 9.1 GDPR, the controller must indicate a legal basis in accordance with Article 6 GDPR and an exception from Article 9.2 GDPR in order to be able to speak of lawful processing. This combination of legal grounds from Articles 6.1 and 9.2 GDPR was recently confirmed in the judgment of the Court of Justice in Meta (C-252/21), in which the Court expressly ruled that the processing of sensitive personal data is only permitted if such processing can be considered lawful under Article 6.1 GDPR. The opinion 2/2019 of the European Data Protection Board (hereinafter: EDPB) and the opinion 06/2014 of the Article 29 Working Party also consistently refer to the cumulative application of both Article 6 GDPR and Article 9 GDPR in the case of processing of special personal data. Finally, recital 51 GDPR clearly indicates that Article 6 GDPR must always be applied.

32. It is up to the controller to determine which legal basis is appropriate in relation to the purpose of the processing. Since different legal bases have different consequences, in particular with regard to the rights of data subjects, the controller is not allowed to rely on one or the other legal basis, depending on the circumstances. Once a particular legal basis has been chosen, it is not the intention that there will be any further exchanges or, when the chosen legal basis ceases to apply, that there will be a recourse to another legal basis for the same processing activity, for the same purposes. Article 5.1.b) GDPR requires that personal data be collected “for specified, explicit and legitimate purposes and […] not subsequently processed in a manner incompatible with those purposes; […] (‘purpose limitation’)”. Where a single processing operation pursues multiple purposes, each purpose must be based on a legal basis.7

1 See recital 51 of the GDPR.

2 CJEU Judgment of 4 July 2023, Meta, C-252/21, ECLI:EU:C:2023:537, para. 90.

3 Opinion 2/2019 (EDPB) on the questions and answers on the interaction between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Article 70(1)(b)) of 23 January 2019.

4 Opinion 06/2014 (WP 29) on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC.

5 See also decision 77/2023, para 74, of the Litigation Chamber.

6 See, for example, decisions 38/2021, 54/2023 and 77/2023 of the Litigation Chamber.

33. The question therefore arises as to which legal basis under Articles 6.1 and 9.2 of the GDPR the first defendant relies on for the disputed processing of a special category of personal data. After investigation, the Inspectorate concludes that the documentation provided does not clearly show which legal basis the first defendant relies on for the disputed processing. On the one hand, the first defendant relies on different legal grounds in different documents, and on the other hand, it does not rely on one, but on several legal grounds at the same time. In any case, it is clear that none of the relied on legal grounds can be a valid legal basis for the disputed processing, as the Inspectorate concludes.

34. The first defendant does not dispute the Inspectorate’s findings. In her conclusions, the first defendant states that the HR manager hands out the welcome brochure on the welcoming day of new staff and that the employee then gives permission for time registration based on the fingerprint. The first defendant acknowledges that this is contrary to the recommendation of the Knowledge Centre of the GBA concerning the processing of biometric data dated 1 December 2021, which states that it is unlikely that the data subject could withhold his/her consent to data processing without fear of adverse consequences resulting from that refusal because of the mismatch in the work context. As a mitigating circumstance, the first defendant argues that when the new work regulations were introduced, no employee commented on the additions regarding the biometric system. Comments could be made anonymously. No trade union delegation made comments. Furthermore, the employees themselves have indicated that they prefer the biometric system over a system with access cards.

35. As regards the lawfulness of the processing, the Dispute Chamber finds that the first defendant does not expressly state in its statement of defence on which legal basis under Article 6.1 in conjunction with Article 9.2 GDPR it relies for the processing at issue. The Dispute Chamber also finds that during the investigation, various legal grounds were put forward for the processing of the personal data at issue. Based on the conclusions and the hearing, the Dispute Chamber finds that the first defendant ultimately relies on consent as a legal basis. The Dispute Chamber will assess below whether the first defendant can lawfully rely on the exception of consent as included in Article 9.2.a) GDPR.

7 See also decision 77/2023, para 77, of the Dispute Resolution Chamber.

36. According to Article 4, 11) of the GDPR, consent is a freely given, specific, informed

and unambiguous indication of the data subject’s wishes by which he or she, by a statement or

by a clear affirmative action, signifies their agreement to the processing of personal

data relating to him or her.

37. In order for consent to be given with full knowledge of the facts, the data subject must,

among other things, be informed of the identity of the controller, the purpose of the processing, the

type of data that is being processed and the existence of the right to withdraw consent. 8

38. In addition, a data subject must be able to give consent freely. The EDPB Guidelines on consent under the GDPR note the following in this regard:

“An imbalance of power also occurs in the context of employment relationships. Given the dependency that results from the employer-employee relationship, it is unlikely that the data subject could withhold his/her consent to data processing without fear or real threat of adverse consequences as a result of a refusal. It is unlikely that the employee could freely respond to a request for consent from his/her employer, for example, to activate surveillance systems such as CCTV in the workplace, or to fill in assessment forms, without feeling pressure to consent. Therefore, WP29 considers that it is problematic for employers to process personal data of current or prospective employees on the basis of consent, because it is unlikely to be freely given. For most such workplace data processing, the legal basis cannot and should not be the employees’ consent (Article 6(1)(a)) due to the nature of the employer-employee relationship. However, this does not mean that employers can never rely on consent as a legal basis for processing. There may be situations in which the employer can demonstrate that consent is indeed freely given. Given the imbalance between an employer and its staff, employees may only give their consent freely in exceptional circumstances, and when there are no negative consequences if they do or do not give their consent. [...] Imbalances are not limited to public authorities and employees, they can also occur in other situations. As WP29 has emphasised in several opinions, ‘consent’ can only be valid if the data subject has a genuine choice and there is no deception, intimidation or coercion and the data subject is not at risk of significant negative consequences (for example, significant additional costs) if he or she does not give their consent. Consent is not free in cases where there is any element of coercion, pressure or inability to exercise free will”.

8 See Recital 42 of the GDPR, the Guidelines on consent under Regulation 2016/679 dd. 28 November 2017, p. 15, and Article 7, paragraph 3, of the GDPR.

Decision on the merits 114/2024 – 10/71

39. On this basis, the Litigation Chamber emphasises that in an employment relationship processing can only be based on consent in exceptional circumstances. It examines below to what extent such a circumstance applies here.

40. On the basis of Article 7.1 GDPR, the controller must also be able to demonstrate that the data subject has given consent to the processing of his or her personal data.

41. The conditions of Article 7 GDPR also apply to the concept of consent in Article 9.2 GDPR. In order to meet the requirement of Article 9.2.a) GDPR for an exception to the prohibition on processing biometric data in Article 9.1 GDPR, the data subject must, in addition to the conditions imposed on consent by Article 7 GDPR, give explicit consent. In other words, inferring consent from the fact that someone does not act or protest is not permitted.

42. In its response of 5 August 2022, the first defendant confirmed to the Inspection Service that previous versions of the employment regulations, dating from before the version of June 2022, did not contain any provision regarding the biometric time registration system. There is therefore no informed consent.

43. The first defendant submits to the Litigation Chamber the welcome brochure that was provided to new employees upon initial employment, as well as the employment regulations. These documents inform the employee about the time registration system. They were signed for receipt only, not for approval. Although these documents provide the employees with some - brief - information about the time registration system, it cannot be concluded on that basis that there is unambiguous consent.

44. In addition, the first defendant has not demonstrated that consent was freely given. The welcome brochure states the following: "[y]our pay is based on your clock-ins, so don't forget this". In addition, article 32 of the employment regulations states that failure to comply with the rules regarding clocking in can lead to the imposition of penalties. Based on the Inspection Report, the Litigation Chamber finds that fingerprint time registration is the only means of time registration in operation. This implies that if a data subject were to refuse to give his consent to fingerprint time registration, he would be exposed to the sanctions provided for in the employment regulations, since no alternative methods of time registration are provided for. On the contrary, the employment regulations even state that all staff members are required to register their working time via Z, and that there is no other system for registering working time, which means that there is no freedom of choice on the part of the employees. Consequently, there are negative consequences associated with an employee's refusal to give his consent. The Litigation Chamber also notes that the complainant was initially employed as a temporary worker, which puts him in an even less favourable position to comment on the time registration system.

9 Guidelines on consent pursuant to Regulation 2016/679 of 28 November 2017, p. 23.

45. The first defendant is of the opinion that the employees gave their consent to the use of their fingerprints and that no one ever objected to it. The first defendant states that the badge system was experienced as inconvenient by employees and that it had only good intentions. Moreover, the employees could also have indicated that they wanted an alternative method of time registration, as the first defendant argues. The first defendant is therefore of the opinion that the employees could have freely given their consent.

46. The Litigation Chamber does not follow this view. Given the dependency resulting from the relationship between employer and employee, it is unlikely that the employee can freely give his or her consent. In this context, the Litigation Chamber refers to the EDPB Guidelines on consent, 10 which state that there may be an imbalance of power in an employment context. Given that the relationship in question is an employer/employee relationship, it is unlikely that the person concerned, as an employee, can refuse his consent without fear or real risk of harmful consequences. The Litigation Chamber also notes that neither the welcome brochure nor the work regulations at the time of the complainant's employment mention that alternative methods of time registration can be requested. During the hearing, the first defendant nevertheless produces documents showing that the time registration system at issue was stopped following the findings of the Inspection Service.

10 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf.

47. Based on the foregoing facts, the Litigation Chamber concludes that the first defendant has not demonstrated that its employees have given their explicit consent to the processing of their biometric data. The free, specific, informed and unambiguous expression of will has not been established.

48. The Litigation Chamber therefore concludes that the first defendant has breached the prohibition in principle on processing special categories of personal data in the present case, since it cannot rely on Article 6.1.a) in conjunction with Article 9.2.a) GDPR for the disputed processing of special categories of personal data, namely time registration based on biometric data. Consequently, there is a breach of Article 9.1, in conjunction with Article 6.1.a) and Article 9.2.a) GDPR. The fact that the disputed processing operations were stopped following the findings of the Inspection Service does not prevent the historical infringement from being established.

II.2. Principle of purpose limitation (Article 5.1, b) GDPR) with regard to the first defendant

49. To the extent necessary, the Litigation Chamber recalls that personal data may only be collected and processed for specific, explicitly defined and legitimate purposes. If the data are subsequently used for another purpose, that new purpose must be compatible with the original purpose of collection. The principle of purpose limitation therefore has two elements:

a. the purposes for which personal data are processed must be specific, explicitly defined and legitimate; and

b. once personal data have been collected, they may not be further processed in a manner that is incompatible with those purposes.

In this way, the principle of purpose limitation ensures that limits are set on the use of personal data, taking into account both the reasonable expectations of the data subjects and the fact that further use for purposes other than those for which the data were initially collected may also be useful.

50. During the Inspection investigation, the first defendant referred to four purposes:

- registration of working hours so that pay slips can be drawn up;
- prevention of fraud in time registration;
- security reasons, including knowing at all times how many people are present at the production site in the event of a fire or when checking the change of successive shifts; and
- checking access to the employer's building.

51. The Inspection Service notes that the fourth purpose (access control to the building) is not found in any other document and that the first defendant's letter shows that processing for this purpose had not yet been realised. This therefore concerns potential further processing, the purpose of which, pursuant to Article 5.1.b) and Article 6.4 GDPR, may not be incompatible with the original purposes. The Inspection Service concludes that processing for access control purposes will only be possible in very limited cases, given that it concerns biometric data, and points out that the initial collection was already unlawful. The Inspection Service refers to the work regulations (version June 2022), in which reference is made in two places to the same three purposes as in the first defendant's answer: time registration (including payroll administration), combating fraud and security. However, in the processing register only one purpose can be found, namely time registration. In the welcome brochure, the Inspection Service finds two purposes, namely time registration and security reasons. The Inspection Service argues that the purpose of combating fraud is missing from the welcome brochure. This is important for the Inspection Service because this is the only document that the first defendant can demonstrate was brought to the attention of the complainant prior to processing. The Inspection Service therefore finds that the condition of collection for ‘specific, explicitly described and legitimate purposes’ has not been met.

52. Finally, the Inspection Service concludes that no purpose meets the condition of legitimacy as set out in Article 5.1.b) GDPR. Since the initial processing was unlawful, any purpose for which the data are collected is unlawful. Consequently, the Inspection Report also states that the purposes cited by the first defendant are not justified in all cases, and in some cases are also not specific and clearly described.

53. The first defendant argues that it has taken this conclusion into account and that it intends to follow it. It has therefore immediately suspended all future projects relating to the biometric security of its business site.

54. The Litigation Chamber examines below whether the principle of purpose limitation has been met.

A specific purpose

55. As already stated, a purpose must be specific, which means that the processing purpose must be determined before the data are obtained. In accordance with Article 13.1 GDPR, the controller must, when obtaining personal data from the data subject, communicate the processing purpose at the time of obtaining them. Consequently, only the two purposes “time registration” and “security of the business site” meet this condition, since they were communicated to the complainant in the welcome brochure.

An explicit, well-defined purpose

56. The purposes can be expressed in different ways, such as a description of the purposes in a notification to the data subjects. 12 The Litigation Chamber states that communicating the purposes in the welcome brochure can meet this condition. In addition, the Litigation Chamber states that the average citizen understands what the purposes of “time registration” and “security of the company site” entail.

11 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf, p. 17.

12 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf, p. 18.

A legitimate purpose

57. The personal data must be obtained or collected for legitimate purposes. In order for the purposes to be legitimate, the processing must be based - at all different stages and at all times - on at least one of the legal grounds referred to in Article 6. 13 Since it has already been established in section II.1 that the processing is not lawful, there is also no legitimate purpose.

58. In view of the above, the Litigation Chamber finds that there is an infringement of Article 5.1.b) GDPR.

II.3. Principle of data minimisation (Article 5.1.c) GDPR) with regard to the first defendant

59. The principle of data minimisation as set out in Article 5.1.c) GDPR states that the personal data processed must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It follows that personal data may only be processed if the purpose of the processing cannot reasonably be achieved in another way. The processing must be proportionate to the intended purpose.

60. The Inspection Service notes that the first defendant cannot produce any internal document or evidence of deliberation or decision-making that demonstrates the performance of a proportionality test. The Inspection Service therefore concludes that the first defendant failed to investigate whether the objective pursued could not reasonably have been achieved in another way, such as by means of multi-factor authentication.

61. With regard to the purpose of "combating fraud", the Inspection Service finds that the time registration system is not proportionate to the fraud incident that led to the introduction of the system at issue. That incident involved an employee who had left work prematurely and had wrongly signed for the end of the day in the paper attendance register. The Inspection Service argues that a less drastic control system would also have been sufficient to detect and prevent such fraud incidents.

62. As regards the purpose of “staff safety”, namely the assurance that the machines are systematically monitored by an employee, the Inspection Service sees no clear link between the stated purpose and the means (the contested time registration), since the presence of an employee on the company site is not equivalent to the systematic manning of a particular machine, especially since clocking out for breaks is not necessary according to the welcome brochure. Insofar as fire safety must also be included under the objective of "safety of personnel", the Inspection Service does understand the importance of a correct attendance register. However, the Inspection Service points out that in the event of an evacuation it is above all important to know how many people are present in the building and, only secondarily, their identity.

13 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf, p. 19.

63. In its conclusions, the first defendant undertakes to immediately stop the time registration system based on biometric data. The first defendant explains that its customers are demanding in terms of security, which is why they require it to obtain a whole series of certifications, which are subject to numerous conditions regarding security. To this end, the first defendant produces two documents. It argues that the environment in which it has to operate is very restrictive and that this has led it to work with the time registration system at issue.

64. The Litigation Chamber recalls that when assessing the need to use sensitive personal data, such as biometric data, to keep working time records, consideration should be given to the available means that achieve the same objective with less intrusion into the privacy of employees. It can be assumed that employers have a wide range of means at their disposal for signing employees in and out of a payroll system that are not based on biometric or other sensitive personal data. Examples include time clocks, staff cards and access codes. Furthermore, the above-mentioned means can be combined with so-called random checks or a checkpoint at the entrance to the workplace. The Litigation Chamber understands that the first defendant must meet high requirements set by its customers, but at the same time considers that the processing of special categories of personal data is not necessary for achieving the purposes of the first defendant - namely time registration, combating fraud or staff safety - and that these purposes can be achieved by other, less intrusive measures that do not require the systematic processing of employees' biometric data.

65. The Litigation Chamber emphasises that the use of biometric information to uniquely identify a person is generally subject to very strict restrictions. It is particularly relevant where other, less intrusive measures are not sufficient, and may be relevant where the processing is intended for the purpose of controlling access to certain areas of the workplace for special safety considerations, such as the handling of foodstuffs or dangerous substances (Article 9.2.g) GDPR). Such circumstances are not at issue in the present case. Consequently, the Litigation Chamber finds that there is an infringement of Article 5.1.c) GDPR.

II.4. Principle of storage limitation (Article 5.1.e) GDPR) with regard to the first defendant

66. According to Article 5.1.e) GDPR, personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". In concrete terms, this means that once the purpose of the processing has been fulfilled, or when the legal basis ceases to exist (for example, due to the withdrawal of consent by the data subjects or the loss of the substantial public interest), the biometric data in question must be deleted. However, this does not preclude the data from being retained for a longer period pursuant to a legal obligation or when these data are necessary in the context of legal proceedings.

67. The GBA Knowledge Centre points out that the raw biometric data collected during the first collection phase of a biometric system (registration phase) must in principle be deleted immediately once the biometric template has been created. In addition, the data collected during the second collection phase may not be kept longer than the time required to compare the collected data with the reference information. 14

68. As regards the principle of storage limitation, the Inspection Service did not receive any information on a retention period from the first defendant. From Annex 10 to the employment regulations (version June 2022) and from the processing register, the Inspection Service infers that the data are kept for as long as the employment relationship lasts. However, these documents do not distinguish between the raw biometric data and the templates derived from them. Based on its investigation, the Inspection Service concludes that the retention periods of the raw biometric data appear to correspond to the principles set out by the Knowledge Centre of the GBA. The Inspection Service states that further investigation is not proportionate, since the processing at issue has already been shown to be unlawful on several points.

69. The Litigation Chamber notes that the Inspection Service has not established any infringement in this regard and sees no reason to take a different position. The Litigation Chamber therefore finds that there is no infringement of Article 5.1.e) GDPR.

14 Recommendation on the processing of biometric data, p. 35, available at https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.01-2021-van-1-december-2021.pdf.

II.5. Information obligations (Article 5.1.a) in conjunction with Articles 12.1 and 13 GDPR) with regard to the first defendant

70. During its investigation, the Inspection Service establishes that the information requirements under Article 12.1 and Article 13 GDPR, which require that the information be provided to the data subjects when the personal data are obtained, have not been met.

71. Based on Articles 12.1, 13.1 and 13.2 GDPR, the first defendant, as controller, must provide the data subjects with concise, transparent and comprehensible information about the personal data that are processed. The aforementioned transparency obligations are a concretisation of the general transparency obligation of Article 5.1.a) GDPR. The Litigation Chamber will investigate whether the first defendant has complied with its information obligations.

72. The Litigation Chamber reads in the Inspection Report that the Inspection Service concludes that there has been a violation of Articles 12.1 and 13 GDPR, since the welcome brochure, the only document containing information on the processing at issue that was provided to the complainant upon entering into employment, did not contain all the information required by the GDPR. Article 13 GDPR stipulates which information the controller must provide to the data subject when the data are collected from that person, and that this must be done at the time of obtaining the personal data. From the welcome brochure, the Inspection Service can only derive the following information for the data subject: the category of personal data processed, one of the purposes of the time registration explicitly (i.e. time registration via fingerprint) and one purpose implicitly (i.e. the safety of the staff). During a second inquiry in this regard, the first defendant did not provide any new elements.

73. According to the findings of the Inspection Service, the work regulations (version 2020), which were provided to the complainant upon his entry into service, referred only to the use of “electronic recording devices” for the measurement and control of work, and contained only the following reference to data protection law:

“The law on the protection of privacy of 8 December 1992 and/or the General Data Protection Regulation (GDPR) will be respected when processing personal data”.

74. According to the Inspection Service, the above information provision did not meet the information obligations under Articles 12.1 and 13 GDPR. The first defendant argues in its conclusions that, as soon as the inspection investigation was underway, it immediately took stock of the obligations it had to meet. That is why it started to adjust its work regulations, and it will continue to correct them.

75. The Litigation Chamber will assess whether the information obligations under Article 13 GDPR in conjunction with Article 12.1 GDPR have been met. After examining the conclusions submitted by the first defendant and the accompanying documents, the Litigation Chamber notes that the first defendant has indeed taken steps in this regard. This is evident from the fact that, with its conclusions, it submitted work regulations that were amended in 2022. In view of the Inspection Report, the Litigation Chamber finds that, at the time the complainant entered into employment, the welcome brochure was the only source of information for the employees, until the employment regulations were amended in June 2022 (hereinafter: "employment regulations (version 2022)"). The Litigation Chamber will therefore first discuss the welcome brochure as it was applicable at the time the complainant entered into employment and then the employment regulations (version 2022), including in terms of the disputed time registration system.

Welcome brochure

76. The welcome brochure provides the following information about the disputed processing:

"We use a time registration system via fingerprint. After the welcome moment, you will be registered and from then on the intention is that you clock in and out at the start and end of your shift. We have a short shift handover, so you need to be clocked in at least 5 minutes before the start. Your pay is based on your clock-ins, so don't forget this. During your break, you should not clock out or in, except when you leave the premises. This is for safety reasons."

77. With regard to the mention of the identity of the controller in the welcome brochure, the Litigation Chamber finds that the identity of the first defendant as employer is implicitly put forward as the controller, although the Litigation Chamber notes that it is advisable to mention this explicitly. The Litigation Chamber further finds that the welcome brochure does not meet other information obligations. With regard to, among other things, the retention periods (Article 13.2.e) GDPR) and the purposes and legal basis (Article 13.1.c) GDPR), the Litigation Chamber finds that these were not (adequately) included in the welcome brochure. Since the first defendant – albeit unlawfully – relies on consent based on Article 6.1.a) and Article 9.2.a) GDPR, the data subjects should also have been informed that they had the right to withdraw their consent (Article 13.2.c) GDPR). As regards the mention of the possibility to file a complaint with the GBA (Article 13.2.d) GDPR), the Litigation Chamber finds that this is also not mentioned in the welcome brochure.

78. In view of the above, the Litigation Chamber concludes that the welcome brochure does not meet the information obligations prescribed by Article 13 GDPR and that the information included in the welcome brochure is not presented in a transparent and comprehensible manner as stipulated in Article 12.1 GDPR.

Employment regulations (version 2022)

79. The first defendant argues that it has already taken steps to comply with its information obligations by amending the employment regulations. The Litigation Chamber notes that the employment regulations (version 2022) contain an appendix 10 called “GDPR and privacy policy for employees”.

80. In the employment regulations (version 2022), the Litigation Chamber notes the following with regard to the information obligations regarding the processing of biometric data.

81. As regards the purposes of and the legal basis for the processing (Article 13.1.c) GDPR), the Litigation Chamber finds that the employment regulations (version 2022) stipulate that the biometric data and time registration information via fingerprints are processed on the basis of Article 6.1.f) GDPR, namely "the processing is necessary for the pursuit of the legitimate interests of [first defendant], including (i) the protection of the company by means of a solid time registration system, (ii) ensuring the safety of the staff, (iii) controlling and facilitating access to the premises". As regards the lawfulness of the processing and the applicable legal basis, the Litigation Chamber refers to section II.1. For the rest, the Litigation Chamber finds that the employment regulations (version 2022) comply with the information obligations under Article 13 GDPR. The information is also presented schematically, making it accessible to the data subject in a concise, transparent and understandable manner (Article 12.1 GDPR).

82. Based on the above, the Litigation Chamber finds that the first defendant has infringed Article 12.1 GDPR in conjunction with Articles 13.1.c), 13.2.c), d) and e) GDPR for the lack of transparency in the welcome brochure, and Article 12.1 GDPR in conjunction with Article 13.1.c) GDPR as regards the work regulations (version 2022), from the entry into force of the contested time registration system until its discontinuation in December 2022. The fact that the infringements of Article 13.2.c), d) and e) have been remedied does not prevent the Litigation Chamber from establishing a historical infringement.

II.6. Article 12.1 and Article 15 GDPR (right of access) with regard to the first defendant

Findings in the Inspection Report

83. In the Inspection Report, the Inspection Service concludes that there has been a violation of Article 5.1.a) in conjunction with Article 12.1 and Article 15 GDPR concerning the right of access. The Inspection Service notes that the complainant exercised his right of access in writing on two occasions: the first time by email on 21 February 2022, the second time by registered letter dated 31 March 2022. During the Inspection investigation, the first defendant argues that it responded orally to the first request during a meeting with the union representative on 15 March 2022. From the e-mail correspondence between the union secretary and the first defendant, with the complainant in copy, the Inspection Service can infer that the requested information was part of the agenda of this meeting and that the initiative for the meeting came from the complainant via his union representative. Since the initiative came (indirectly) from the complainant, the Inspection Service considers that, pursuant to Article 12.1 in fine GDPR, the first defendant could lawfully comply with the request orally. In view of the power of representation of the trade union delegation established in Belgium by the interprofessional collective labour agreement 15 and the prior communication via the trade union secretary in question, the first defendant could reasonably assume, according to the Inspection Service, that the access request could be fulfilled orally via the trade union secretary. The Inspection Service therefore concludes that the first defendant makes it plausible that it responded to the first access request of 21 February 2022 within the period set in Article 12.3 GDPR.

84. In the second access request dated 31 March 2022, the complainant repeats his initial question and requests the first defendant to respond in writing. This answer follows by registered letter on 20 April 2022. The Inspection Service states that certain questions from the complainant related to information elements included in Article 13 GDPR and not in Article 15 GDPR. Since the first defendant had not complied with the information obligation under Article 13 GDPR (at the time the right of access was exercised), the Inspection Service concludes that the first defendant should also have answered these questions. According to the Inspection Service, the first defendant's answer is incomplete on the following points:

- Only 2 of the 3 processing purposes are mentioned. The purpose of combating fraud is missing (Article 15.1.a) GDPR).
- The complainant asked whether he could refuse his consent for the processing and also stated that he had never given this consent voluntarily. The answer of the first defendant does not address this question, but merely refers to the fact that, according to the first defendant, the consent was validly given and that the data have been deleted in the meantime (since the termination of employment). If, according to the first defendant, consent was the applicable legal basis for the processing, it should have informed the complainant, pursuant to Article 13.2.c) GDPR, that this consent could be withdrawn at any time.
- If, according to the first defendant, consent was not the applicable legal basis, the response should have specified, pursuant to Article 13.1.c) GDPR, on which legal basis the processing was based.
- Depending on the legal basis provided (as explained above, the first defendant relies on several legal grounds at the same time), it should then have stated either on which legitimate interests the processing was based (Article 13.1.d) GDPR) and that the complainant had a right to object to the processing (Article 15.1.e) GDPR), or – if the first defendant relies on a legal obligation – that a refusal or objection was not possible because the processing was necessary for the performance of a legal obligation of the first defendant.

15 See CBA no. 5/1. 5.10.2022 Collective Labour Agreement No. 5 of 24 May 1971 on the status of trade union delegations of the staff of undertakings, amended and supplemented by collective labour agreements No. 5a of 30 June 1971, No. 5 of 21 December 1978 and No. 5quater of 5 October 2011.

85. The Inspection Service notes that the obligation on the part of the first defendant to respond in a complete and correct manner to the access request continued to exist despite the fact that, between the complainant's initial request dated 21 February 2022 and the response dated 20 April 2022, the processing was stopped (due to the dismissal of the complainant). The Inspection Service could not verify what additional or deviating information was provided orally during the meeting of 15 March 2022 via the union secretary.

Position of the first defendant

86. In its conclusions, the first defendant reiterates the request for access dated 21 February 2022. The first defendant infers the following questions from the complainant from this:

(i) The policy on who has access to the admin section of the time clock;

(ii) The possibility to refuse the use of the biometric system;

(iii) The disappearance of this administrative access and the person responsible on the outgoing service;

(iv) The retention period and the retention modalities; and

(v) The security of the data.

87. According to the first defendant, the first two questions were no longer relevant at the time of the second letter dated 31 March 2022, since the complainant was dismissed on 24 February 2022. However, question (i) was answered orally and in writing. With regard to question (ii), the first defendant states that it has not been demonstrated that the complainant would not have had the right to opt for a different time registration system, since the complainant was dismissed on 24 February 2022. The complainant was the only employee who complained that he did not consent to having his fingerprints taken. Consequently, it cannot be assumed that the first defendant would have refused such an alternative if the complainant had remained on the payroll. The first defendant points out that no other employee made any comments about the biometric system at the time it was introduced in the new employment regulations (version 2022).

88. With regard to question (iii), the first defendant confirms that it was answered orally, during the meeting of 15 March 2022 with the trade union representative, that the complainant would not run any risk. After all, the first defendant no longer had the complainant's biometric data at its disposal. This was also confirmed in writing.

89. According to the first defendant, question (iv) was no longer relevant since the data had already been removed from the system at the time of the response to the request for access. The first defendant points out that the complainant was dismissed 3 days after exercising his right of access. At the same time and since 3 February 2022, he has been represented by the trade union representative, who confirmed an appointment on 15 March 2022 to discuss these specific issues in particular. Question (v) was also, according to the first defendant, no longer relevant. Since his personal data had already been deleted, the complainant would no longer be at risk in this regard.

90. The first defendant therefore concludes that it cannot be blamed for not having answered the complainant's requests of 21 February 2022 and 31 March 2022, insofar as the exercise of this right no longer serves a legitimate interest. The complainant's personal data were deleted and he knew this or should reasonably have known this, given the meeting of 15 March 2022.

Assessment by the Dispute Chamber

91. In accordance with the Inspection Report, the Dispute Chamber establishes that the complainant exercised his right of access for the first time on 21 February 2022. The file contains e-mail correspondence from which the Dispute Chamber, in accordance with the findings of the Inspection Service, can infer that a meeting took place on 15 March 2022 during which an answer was provided to the complainant's questions.

However, the complainant himself was not present at this meeting but was represented by the trade union representative, as is also stated by the trade union representative himself. In its Guidelines 01/2022 on the rights of data subjects — Right of access,[16] the European Data Protection Board (hereinafter: EDPB) states that the right of access is usually exercised by the data subject himself, but it is not ruled out that the request may be exercised in the name of the person concerned. Since such power of representation is not regulated in the GDPR, the applicable national rules must be considered, in this case the applicable Belgian collective agreements as explained by the Inspection Service in the inspection report. These rules allow the trade union representative to represent the complainant in exercising the right of access. Given the e-mails dated 28 February 2022 and 2 March 2022 from the trade union representative to the first defendant, the first defendant could legitimately assume that the latter would represent the complainant during the meeting of 15 March 2022. During this meeting, the system of time registration via biometric data would also be discussed. In the e-mail dated 28 February 2022, the trade union representative indicated that the complainant would like more clarity about the rights he has as an employee and about the functioning of the biometric system.

[16] EDPB, Guidelines 01/2022 on the rights of data subjects — Right of access v2.0, 17 April 2023, https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf. At the time of the complainant's request for access, the applicable version was the first one, available at https://www.edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf.

92. Also in the aforementioned Guidelines 1/2022, the EDPB discusses the manner in which access to personal data should be granted. This should mainly be done by means of a copy of the data, but other modalities, such as oral information, may suffice if the data subject requests this. Since the proposal for an interview came from the trade union representative, the first defendant could lawfully provide the requested information orally and therefore lawfully answer the request for access.

93. In view of the above, the first defendant could lawfully assume that the trade union representative, as the complainant's representative, passed on the information provided by the first defendant during the interview of 15 March 2022 to the complainant.

94. In view of the above and in line with the findings of the Inspection Service, the Dispute Chamber concludes that the first defendant lawfully responded to the complainant's right of access, which took place in the manner requested by the complainant's representative.

95. The Dispute Chamber points out that the aforementioned conversation between the first defendant and the complainant's representative took place on 15 March 2022.

96. On 31 March 2022, the complainant exercised his right of access a second time. In this statement, the complainant states that the first defendant had not responded substantively to his e-mail dated 21 February 2022. The failure to respond would have caused the complainant to file the present complaint with the GBA.

97. The Dispute Chamber recalls that the right of access is not absolute. Article 12.5 GDPR states that if requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may either charge a reasonable fee or refuse to comply with the request.

As also stipulated in recital 63 of the GDPR, the data subject may exercise his right of access easily and at reasonable intervals. The EDPB identifies four criteria by which a controller may determine whether an exercise of the right of access is excessive:

(i) How often the personal data are changed;

(ii) The nature of the personal data;

(iii) The purpose of the processing, including whether or not the processing has negative consequences for the complainant;

(iv) Whether the successive requests concern the same requested information or the same processing, or different ones.

98. In applying the above criteria to the present case, the Dispute Chamber arrives at the following findings. As regards the first criterion, the Dispute Chamber notes that the biometric data are specific to the data subject and are therefore not changed. The clock-in times that were recorded on the basis of the fingerprints no longer change and are also no longer supplemented, given the dismissal of the complainant on 24 February 2022. The nature of the personal data, being biometric data, is more sensitive, which may shorten the duration of the above-mentioned “reasonable period”. The purpose of the processing, i.e. the third criterion, is the safety of the staff, time registration for the purpose of calculating wages and the prevention of clocking-in fraud, although this purpose is not always mentioned by the first defendant. These purposes in themselves are not such that they have a negative impact on the data subject. Moreover, the request dated 31 March 2022 concerns the same information as the information provided on 15 March 2022 as a result of the exercise of the right of access dated 21 February 2022 by the complainant.

99. The Dispute Chamber notes that the Inspection Service stated that the dismissal of the complainant on 24 February 2022 does not prevent the first defendant from having to respond to the request for access in a complete and correct manner. The Dispute Chamber recalls that the controller must indeed respond in a complete manner. However, if the complainant's request was limited to a specific processing, the information provided by the controller may also be limited to that specific processing.[17] Since the complainant, through the trade union representative as his representative, limited the request to the system of time registration via biometric personal data and the related aspects such as the retention period and the security of these personal data, the Dispute Chamber considers that the information provided by the controller may be limited to this specific processing.

[17] EDPB, Guidelines 1/2022 on data subject rights, right of access, dd. 18 January 2022, para 35. Available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf.

100. As regards the first defendant's position that it no longer had to answer questions 4 and 5 of the complainant because the personal data had already been deleted, the Dispute Chamber recalls that the right of access is the "gateway" that enables the exercise of other rights granted to the data subject by the GDPR, such as the right to rectification, the right to erasure and the right to restriction of processing.[18] The reasoning that certain information no longer needs to be communicated for the past, for example because the data has been erased, cannot be followed. This would prevent the exercise of these rights from being effective. Given that the personal data had recently been deleted before the dismissal and that the system of time registration via fingerprint was still in force at the time of the requests for access, the Dispute Chamber is of the opinion that it did not require any unreasonable efforts from the first defendant to answer questions 4 and 5 of the second request for access. In addition, the Dispute Chamber also points out that, although Article 15 GDPR does not stipulate that information must be provided about the security measures in the context of a request for access, this does not mean that no answer must be given to the request for access. After all, the first defendant could have provided information about the security measures to the complainant in a more general manner.

101. In view of the above, the Dispute Chamber finds that the first defendant has lawfully complied with the request for access from the complainant with regard to the first request for access dated 21 February 2022 and to questions 1 to 3 of the second request for access dated 31 March 2022. However, the Dispute Chamber finds that the first defendant has not adequately answered questions 4 and 5 of the second request for access dated 31 March 2022, which means that there is a violation of Article 12.1 in conjunction with Article 15.1.d) GDPR.

[18] See recently CJEU, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3, para 38, but also CJEU, 17 July 2014, YS et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16, EU:C:2017:994, para 57; see also decision 15/2021 dd. 9 February 2021, para 141, and decision 41/2020 dd. 29 July 2020, para 47.

[19] CJEU dd. 9 May 2009, Rijkeboer, C-553/07, ECLI:EU:C:2009:293, para 54.

II.7. Article 28.1 GDPR with respect to the first defendant

102. In accordance with Article 28.1 GDPR and recital 81 of the GDPR, the first defendant, as controller, has the obligation to “rely exclusively on processors who provide sufficient guarantees regarding the application of appropriate technical and organisational measures”.

103. The Inspection Service finds that the first defendant has not complied with the due diligence obligation, namely to assess the suitability of the technical and organisational measures taken by the second defendant. The Inspection Service states that the first defendant only received the sales brochure concerning the time registration system from the second defendant in the phase preceding the contractual relationship. However, the technical information in this document regarding security is scarce and adds nothing to the summary information in the processing agreement. The only element that was not included in the processing agreement but that does appear in the brochure is the clarification that the encryption when sending data from the terminal to the server is carried out according to the HTTPS protocol, according to the Inspection Report.

104. Following the first letter from the Inspection Service to the first defendant, the first defendant requested additional information from the second defendant in order to demonstrate that the applied security level was adequate. The Inspection Service notes that this documentation should have been requested prior to the processing and not at the time when an inspection by the Inspection Service is announced. The Inspection Service points out that both the first and second defendants confirm that such an exchange of documentation did not take place earlier. Consequently, the Inspection Service concludes that the first defendant, as controller, cannot demonstrate that it has actually satisfied itself of the guarantees offered by the processor regarding organisational and technical measures that are adapted to the risks associated with the processing of biometric personal data at issue, which constitutes a violation of Article 28.1 GDPR.

II.7.1. Position of the first defendant

105. The first defendant disputes the finding that insufficient security measures were taken. It has engaged an expert in the matter and has received sufficient documentation to convince itself of the seriousness of the second defendant as a supplier. It claims that an annex to the processing agreement was mistakenly not submitted. This annex forms part of the processing agreement concluded between the parties and contains very specific guarantees concerning the security of the processing. Consequently, the content of the processing agreement is not limited to a simple description of the general security measures of the second defendant, but is in fact detailed about what is actually carried out. The categories of data are displayed in the application, based on the information previously provided to the Inspection Service. The first defendant has indeed made a choice from the various options offered by the second defendant. There is thus no violation of Article 28, paragraph 1 GDPR.

106. In addition, during the inspection investigation, the second defendant submitted documentation that has been in the possession of the first defendant since the processing agreement was concluded. These documents were submitted because they were the subject of an exchange between the parties, which would show that the first defendant had carried out due diligence. The first defendant argues that the evidence of the Inspection Service does not clearly show that the security documents were only transferred at the end of the inspection investigation and not prior to the data processing. Furthermore, the first defendant argues that the Inspection Service does not demonstrate that the only document relating to the contractual documentation is the “sales brochure”. The first defendant notes that the Inspection Service did not take note of the first defendant’s full response. In its response, the first defendant had indicated that the commercial manager of the first defendant is no longer employed by the company.

II.7.2. Assessment by the Dispute Chamber

107. The controller has the obligation to use "only processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures", so that the processing meets the requirements of the GDPR, including the security of the processing, and also guarantees the protection of the rights of the data subject.[20] The controller is therefore responsible for assessing the measures taken by the processor and must be able to demonstrate that it has taken all the elements mentioned seriously into account for the purposes of the GDPR, the so-called due diligence obligation. This will usually entail an exchange of documents, such as the privacy policy, the general terms and conditions and the register of processing activities.

108. The above assessment must be made by the controller on a case-by-case basis and will depend largely on the type of processing entrusted to the processor, taking into account the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons.

109. The following elements must be taken into account by the controller in assessing the safeguards: the expertise of the processor (e.g. technical expertise regarding security measures and data breaches),[21] the reliability of the processor, and the resources of the processor. The reputation of the processor on the market may also be a relevant factor for the controller to take into consideration. Furthermore, adherence to an approved code of conduct or certification mechanism can be used as an element to demonstrate sufficient guarantees.

110. The obligation contained in Article 28.1 GDPR to only use processors that "provide sufficient guarantees" is a permanent obligation. It does not end when the controller and the processor conclude a contract or other legal act. Rather, the controller must verify the processor's guarantees at appropriate intervals, including through audits and inspections where necessary.

111. The Dispute Chamber finds that the processing agreement consists of three parts, as indicated in the conclusions of the second defendant: the main agreement itself with 2 annexes (Enclosure 1 and Enclosure 2). Annex 2 to the main agreement included 2 annexes, namely the Z IT Guide and a document called “data processing agreement”. As also indicated by the second defendant, the Dispute Chamber notes that the Z IT Guide was missing from the file of the Inspection Service, which meant that it was not taken into account during the investigation.

112. The Dispute Chamber is of the opinion that the description of these security measures enables the first defendant to carry out the necessary due diligence regarding the expertise of the second defendant as a processor. Both the first defendant and the second defendant indicate that there were various exchanges between both parties prior to concluding the processing agreement, but that the persons involved are no longer employed in the companies. Consequently, no more information can be provided about these exchanges. To the extent necessary, the Dispute Chamber notes that, in the context of the accountability obligation, such exchanges should ideally be documented so that clarity is provided in this regard, even after the departure of the persons involved.

113. In view of the above, the Dispute Chamber finds that the documents submitted, including the processing agreement with annexes, show that the first defendant was able to make the necessary efforts to assess the adequacy of the second defendant as a processor. Consequently, there is no infringement of Article 28.1 GDPR.

[20] Article 28, paragraph 1 GDPR and Recital 81 GDPR.

[21] Recital 81 GDPR.

[22] Article 28, paragraph 3, h) GDPR.

II.8. Article 32 GDPR with regard to the first defendant

II.8.1. Findings in the Inspection Report

114. During its investigation, the Inspection Service establishes that there has been an infringement of Article 32 GDPR by the first defendant as controller.

115. Article 5.1.f) GDPR stipulates that “[personal data] shall be processed, using appropriate technical or organisational measures, in such a way that they are protected, inter alia, against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

116. Further elaborating on Article 5.1.f) GDPR, Article 32.1 GDPR states that the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This must take into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the processing and the likelihood and severity of the various risks to the rights and freedoms of individuals.

117. Article 32.1 GDPR also stipulates that when assessing the appropriate level of security, account must be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

118. The Inspection Service states that the first defendant cannot demonstrate that it has any written information security policy or procedures concerning the protection of personal data. Annex 10 to the employment regulations version 2022 was not provided for in the version of the employment regulations that applied at the time of the processing in question and was drawn up after the first contact with the Inspection Service. The security measures included therein are also, according to the Inspection Service, insufficiently specific to give the Inspection Service any indication of their appropriateness.

119. The register of processing activities, which was also drawn up after the first contact with the Inspection Service, contains for the processing in question only the description that “only HR has access to this data. The personnel files are secured on the server and are physically stored in a locked cabinet to which only HR has a key. The time registration is processed on a separate computer to which only HR has access”. In a second letter from the Inspection Service to the first defendant, clarification was requested a second time on the implemented technical and organisational information security measures. A second piece of evidence was provided by the first defendant, but the Inspection Service found that this piece of evidence only shows that the software of the second defendant allows the level of access within the first defendant to be refined on the basis of different roles. The Inspection Service cannot determine how access was specifically implemented within the first defendant, which means that an internal policy on logical access management to the data of the time registration system is not demonstrated. The Inspection Service adds that a general information security policy is in any case lacking. Consequently, according to the Inspection Service, there is an infringement of Article 32 GDPR.

II.8.2. Assessment by the Dispute Chamber

120. The first step in determining the appropriate level of security for the processing of personal data is to identify the risks of that processing and to weigh them up. On that basis, it must be determined which measures are necessary to provide sufficient security against these risks. The GDPR stipulates that when weighing the data security risks, the necessary attention must be paid to risks that may arise during the processing of personal data, such as unauthorised provision of or unauthorised access to processed data.

When identifying and assessing the risks, the consequences that individuals may experience from unlawful processing of personal data are particularly relevant. The more sensitive the data are, or the greater the threat to personal privacy posed by the context in which they are used, the more stringent the requirements imposed on the security of personal data.

121. Based on the Inspection Report, the Dispute Chamber establishes that there was no general information security policy regarding the processing of biometric data. After initial contact with the Inspection Service, the first defendant adjusted its register of processing activities and included the security measures in it.

122. With regard to the technical measures, the Dispute Chamber establishes that the second defendant, as supplier of the system, provides the necessary encryption (ISO certified). Based on the Inspection Report, the Dispute Chamber establishes that various organisational measures have been taken, such as limiting the number of employees who have access to the personal data, limiting the access area in which the personal data were located, storing personal data on a server in a locked room and storing the paper personnel files in a locked room.

123. As regards the findings concerning the policy on the follow-up of the security measures, the Dispute Chamber points out that a distinction must be made between the security measures themselves and their documentation in the context of the accountability obligation. As regards the security measures themselves, the Dispute Chamber finds that they meet the requirements of Article 32 GDPR. In view of the above, the Dispute Chamber finds no infringement of Article 32 GDPR.

II.9. Data Protection Impact Assessment (Article 35 GDPR) with respect to the first defendant

124. In its Inspection Report, the Inspection Service concludes that it is unclear whether the first defendant claims that it did not have to carry out a Data Protection Impact Assessment (hereinafter: DPIA) because the processing was unlikely to entail a high risk within the meaning of Article 35.1 GDPR, or whether it carried out a DPIA that resulted in no high residual risk within the meaning of Article 36 GDPR. In both cases, the Inspection Service finds that the first defendant did not act in accordance with the GDPR.

125. The first defendant has not taken a position on this.

126. According to Article 35.1 GDPR, the controller shall, prior to processing, carry out an assessment of the impact of the intended processing operations on the protection of personal data where the processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing.

127. As is apparent from point 6 of decision no. 01/2019, a DPIA must always be carried out when the processing uses biometric data for the purpose of uniquely identifying data subjects who are in a public space or in private spaces accessible to the public. However, the Knowledge Centre of the DPA emphasises in its recommendation that the processing of biometric data for purposes other than those expressly included in decision no. 01/2019 of the General Secretariat is also subject to the obligation to carry out a DPIA. Moreover, given the high inherent risk to the rights and freedoms of data subjects that the processing of biometric data implies, the failure to carry out a DPIA will only be justified in exceptional cases.

128. In accordance with Article 35 of the GDPR, a DPIA must be carried out when processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects. When assessing the necessity of a DPIA, various factors must be taken into account, such as the nature, scope, context and purposes of the processing, as well as the potential risks to the rights and freedoms of data subjects.

129. In order to provide a more concrete set of processing operations that require a DPIA on the grounds of their inherent high risk, taking into account the specific elements of Article 35.1 and Article 35.3(a) to (c) GDPR, the list to be established at national level in accordance with Article 35.4 GDPR and recitals 71, 75 and 91, and other references in the GDPR to processing operations that are ‘likely to result in a high risk’, Working Party 29 has developed the following nine criteria that should be taken into account.[23]

130. The Dispute Chamber considers that several of these criteria have been met, namely:

- First criterion: evaluation including profiling and prediction, in particular of "characteristics concerning professional performance". This condition has been met since the registration of an employee's working hours is a characteristic concerning professional performance.

- Second criterion: automated decision-making with legal effect or a similar substantial effect. As already explained, there was no demonstrably offered alternative in terms of time registration available for the employees of the first defendant, and no wages could be paid if there was no time registration by the employees.

- Fourth criterion (sensitive data or data of a very personal nature). This concerns, among other things, the special categories of personal data as described in Article 9 GDPR, including biometric data used for the purpose of identification.

- Fifth criterion (data processed on a large scale). The GDPR does not contain a definition of the term “large-scale”, but Working Party 29 recommends taking the following factors into account, including the number of data subjects, either as a specific number or as a proportion of the relevant population. In the present case, the time registration via fingerprint concerns all employees of the first defendant, which means that there may be a large-scale processing.

- Seventh criterion: data relating to vulnerable data subjects. As stated, employees in this case are vulnerable data subjects because they are in a dependent relationship with the first defendant as their employer.

131. In most cases, a controller can assume that a DPIA must be carried out for a processing that meets two criteria, Working Party 29 states. As explained above, five of the proposed criteria have been met. The Dispute Chamber adds that the use of biometric data for the time registration of employees may entail significant risks to the privacy of the data subjects, such as the high risk of unauthorised access, hacking and identity theft. In view of the above, the Dispute Chamber finds that the first defendant should have carried out a DPIA, which constitutes an infringement of Article 35 GDPR.

[23] Working Party 29, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”, adopted on 4 October 2017 (WP 248 rev. 01), p. 9 et seq.

[24] See WP29 Guidelines for Data Protection Officers 16/EN WP 243.

II.10. Transfer to third countries or international organisations (Chapter V GDPR) with regard to the first defendant

II.10.1. Findings in the Inspection Report

132. The Inspection Service notes that the documents show that the servers used are only located on Belgian territory. The first defendant also states in its response and register of processing activities that no transfers take place. According to the response of the second defendant, templates cannot be extracted by the first defendant, which seems to exclude the risk of a possible forwarding of these files by the first defendant. Consequently, the Inspection Service concludes that there are no indications of any transfers of biometric data to third countries or international organisations.

II.10.2. Assessment by the Dispute Resolution Chamber

133. As already stated, the Inspection Service has no indications regarding possible transfers of biometric data to third countries or international organisations. The Dispute Resolution Chamber has no indications to judge otherwise in this regard. Consequently, the Dispute Resolution Chamber finds that there has been no infringement of Chapter V of the GDPR.

II.11. Register of processing activities (Article 30 GDPR) with regard to the first defendant

II.11.1. Findings of the Inspection Service

134. The Inspection Service finds that the register of processing activities provided dates from after the first contact with the Inspection Service. The Inspection Service reaches this conclusion on the basis of the following elements. The register of processing activities mentions the e-mail address dataprotection@benepack.com as the contact address of the controller. However, this address was only created after the first contact with the Inspection Service. Since the first defendant indicated during the Inspection Service's investigation that this is the only version of the register of processing activities, the Inspection Service concludes that the first defendant did not have a register of processing activities prior to the investigation. The Inspection Service finds that this constitutes an infringement of Article 30 GDPR, since the first defendant must maintain a register of processing activities at least with regard to the processing activities concerning its staff. After all, the processing activities cannot be considered incidental within the meaning of Article 30.5 GDPR. Furthermore, the first defendant processes special categories of personal data and criminal data, the Inspection Service finds.

135. Furthermore, according to the findings of the Inspection Service, the register of processing activities is defective on several points. The CEO and HR manager of the first defendant are proposed as data protection officers (Article 30.1.a) GDPR). The processing purposes in the register of processing activities differ in several respects from the processing purposes included for these processing operations in the employment regulations (version June 2022) (Article 30.1.b) GDPR). The ten categories of personal data appearing in the employment regulations (version June 2022) are not or not fully found in the processing register (Article 30.1.c) GDPR), and internal employees are proposed as processors, while, for example, the processor for the biometric time registration system remains unmentioned (Article 30.1.d) GDPR).

II.11.2. Assessment by the Dispute Resolution Chamber

136. Under Article 30 GDPR, each controller must keep a register of the processing activities carried out under its responsibility. Article 30.1.a) to g) GDPR provides that, with regard to the processing carried out in the capacity of controller, the following information must be available:

a) the name and contact details of the controller and any joint controllers and, where applicable, of the controller's representative and the data protection officer;

b) the purposes of the processing;

c) a description of the categories of data subjects and of the categories of personal data;

d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, the documentation on the appropriate safeguards;

f) where possible, the envisaged periods within which the different categories of data must be erased;

g) where possible, a general description of the technical and organisational security measures referred to in Article 32.1 GDPR.

137. As regards the name and contact details of the data controller (Article 30.1.a) GDPR), the Litigation Chamber, in accordance with the Inspection Report, finds that the register of processing activities does indeed include the details of the CEO and the HR manager as Data Protection Officer.

138. With regard to the processing purposes (Article 30.1.b) GDPR), the Dispute Chamber finds that the purposes included in the register of processing activities do not correspond to the purposes included in the employment regulations (version June 2022). The register of processing activities states as the processing purpose for the fingerprint: "is registered for time registration. At the start and end of the working day, employees must enter and exit by fingerprint". The employment regulations (version June 2022) not only mention time registration, but also fraud prevention and safety of staff members. The Dispute Chamber also notes a discrepancy between the processing purposes with regard to camera surveillance. The register of processing activities prioritizes “safety and health”, while the work regulations (June 2022) prioritize “workplace control: to ensure the safety of all personnel, combating possible fraud, crimes and possible infringements by third parties; and protecting company assets” as processing purposes.

139. As regards the categories of personal data (Article 30.1.c) GDPR), the Dispute Chamber notes that the employment regulations list various categories of processed personal data that are not included in the register of processing activities. These are the following categories: contact details of any emergency contacts, (former and) current position of the data subjects at the first defendant, salary, bonus and benefits, company assets in the possession of the data subject (mobile phone, company car, laptop, etc.), information about the data subject in the context of performance management, learning and development, health at work and accidents at work, information provided by the data subject or about the data subject in the context of the internal whistleblowing procedure and, finally, information about certain violations, such as traffic accidents for which the data subject or the first defendant can be held liable. The categories of "image recordings by the use of surveillance cameras and information provided by or about the data subject in the context of pension accounts, pensions, hospitalisation insurance and other benefit information" are incompletely included in the register of processing activities.

140. Finally, the Dispute Resolution Chamber notes that the second defendant, in her capacity as a processor in the context of the biometric time registration system, is not listed as a recipient in the register of processing activities (Article 30.1.d) GDPR).

141. In order to be able to apply the obligations contained in the GDPR effectively, it is essential that the controller (and the processors) have an overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to help the controller comply with the GDPR for the various data processing operations that it carries out. The Dispute Chamber is of the opinion that the processing register is an essential instrument in the context of the accountability obligation already mentioned (Article 5.2 and Article 24.1 GDPR) and that this register forms the basis for all obligations that the GDPR imposes on the controller. It is therefore important that the register is complete and correct.

142. The Dispute Chamber finds that the processing register that was submitted by the first defendant is incomplete and partly incorrect, as established in the Inspection Report.

In this context, the Dispute Resolution Chamber notes that, although the first defendant is currently taking steps to rectify these infringements, insufficient efforts have been made to update the processing register as provided for in Article 30 GDPR. The Dispute Resolution Chamber therefore finds that there has been an infringement of Article 30.1.a), b), c) and d) GDPR.

II.12. Accountability (Article 5.2 GDPR) of the first defendant

143. The Dispute Resolution Chamber recalls that every controller must comply with the fundamental principles of the protection of personal data as set out in Article 5.1 GDPR and must be able to demonstrate this. This follows from the accountability obligation in Article 5.2 GDPR in conjunction with Article 24.1 GDPR, as confirmed by the Dispute Resolution Chamber. 25

144. Based on Articles 24 and 25 GDPR, the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR. In doing so, it must effectively implement the principles of data protection, protect the rights of the data subjects and only process personal data that are necessary for each specific purpose of the processing.

25 Decision on the merits 34/2020 of 23 June 2020, available on the webpage https://www.gegevensbeschermingsautoriteit.be/professioneel/publicaties/besluiten.

145. In the context of its investigation, the Inspectorate assessed the extent to which the first defendant has taken the necessary technical and organisational measures to comply with these principles from Article 5.1 GDPR, and in particular the principles of lawfulness and transparency, purpose limitation, data minimisation and storage limitation (see II.1-II.6).

146. Furthermore, the Dispute Chamber notes that the description of the security measures taken under section II.8 does not show how adequate supervision of these measures is organised, nor does it specify the extent to which the first defendant verifies whether the measures are effective and how frequently this is checked. Finally, no policy has been drawn up for the effective handling of information security incidents. The Litigation Chamber considers that the sensitive nature of the biometric data processed on a large scale by the first defendant should have prompted it earlier to better comply with the above-mentioned principles of the GDPR (including data security), in particular by anticipating the risks associated with such infringements.

147. It follows from the above that the installation and commissioning of the time registration system via biometric data indicates that the technical and organisational measures were not suitable to ensure compliance with the fundamental principles of the GDPR, and in particular the principles of lawfulness, purpose limitation, transparency and data minimisation. The first defendant, as controller, has not taken any or has taken insufficient appropriate measures to ensure and be able to demonstrate that the processing at issue was carried out in accordance with the GDPR, which results in an infringement of Article 5.2 GDPR.

II.13. Article 28.3 GDPR with regard to the second defendant

II.13.1. Findings in the Inspection Report

148. The Inspection Service notes in its report that the processing agreement between the first and second defendants does not meet the conditions of Article 28.3 GDPR, as it would only contain a description of the general security measures, and no detailed description focused on the high security requirements for the processing of biometric data. According to the Inspection Service, the processing agreement itself incorporates the statutory provisions from Article 32.1 GDPR and refers to the Annex for more details. According to the Inspection Service, this Annex B contains a concrete, but still brief and insufficient description focused on the specific nature of the data processed. This generality and limited level of detail in Annex B does not allow for clarity on, for example, the level of encryption applied to the raw or template-stored biometric data, the use of a verification function or identification function in the comparison phase of the biometric authentication process, the system used by the processor for the deletion and destruction of the biometric data after the retention period, and the precise modalities of the logical and physical access policy applied by the processor.

149. According to the Inspection Report, the processing agreement is also defective as regards the description of the nature and purpose of the processing and the type of personal data processed, as prescribed in Article 28.3 GDPR.

150. As regards the nature and purpose of the processing, the Inspection Service establishes that it is impossible to verify this on the basis of the provisions of the processing agreement. The only purpose that can be inferred is the performance of the service contract between the two defendants. The Inspection Service can at most infer from the service contract itself that fingerprints and time registration data of employees are being processed. The processing agreement does not allow the Inspection Service to obtain clarity about the type of personal data that is processed by the second defendant on behalf of the first defendant. The agreement only contains an open selection list with, in addition to the selection list, 20 fields that the customer can freely fill in. The customer has also not indicated a choice of the categories to be processed.

151. The Inspection Service attaches particular importance to the role of the processor in fulfilling this joint obligation under Article 28.3 GDPR, because the processor is the only one of the parties that has the technical knowledge that allows a complete description of the processing. Without this complete description, neither the controller nor the supervisory authority can make a correct assessment of the content and risks of the processing entrusted to the processor.

152. The Inspection Service notes that, even at its explicit request, the processor (the second defendant) is unable to provide a complete technical description of the processing entrusted to it. This is evident from the minimalist answer to the Inspection Service's question about the operation of the time registration system. Subsequently, the second defendant appears unable to provide further information on certain elements such as: the encryption of the raw biometric data and the templates, the presence of an integrity check linked to biometric data, the precise technical modalities of the collection and comparison phase of the biometric authentication process and the technique used for the deletion and destruction of the data after the end of the retention period.

153. In its report, the Inspection Service also refers to paragraph 103 of the EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, 26 which states that both the controller and the processor have the responsibility to ensure that there is a contract or other legal act governing the processing. The supervisory authority may impose an administrative fine on both the controller and the processor, taking into account Article 83 GDPR and the individual circumstances of each case. Agreements concluded before the date of application of the GDPR should have been updated within the meaning of Article 28.3 GDPR. Failure to do so constitutes a breach of the latter provision.

154. Finally, the Inspection Service states that the second defendant questions the legal qualification of the personal data processed by it as biometric personal data (in the context of the processing at issue). However, the processing agreement refers to the biometric templates of the personal data processed by the second defendant. The Inspection Service does not agree with this position. The Inspection Service therefore has doubts about the technical and organisational measures taken by the second defendant, since, on the basis of Article 32.1 GDPR, these must be tailored to the processing risk, which was apparently incorrectly assessed by the second defendant.

155. The Inspection Service therefore concludes that the processing agreement does not comply with Article 28.3 GDPR, because the processing agreement does not meet the minimum requirements of this provision, in particular the description of the nature and purpose of the processing, the type of personal data and the technical and organisational measures applied by the processor.

II.13.2. Position of the second defendant

156. The second defendant argues in its conclusions that it is able to share the correct knowledge about the system. It provided the first defendant with the relevant information in a timely manner. At the time of the conclusion of the contract, the first defendant had extensive documentation and information in the processing agreement and had access to the online platform, and also received several training courses. In addition, it is the first defendant who will register the persons on the system. The processing of personal data therefore only began when the first defendant started doing so. Consequently, the first defendant was able to familiarise herself with all available information regarding the processes before starting the processing. As for her minimalist answer to the Inspection Service, the second defendant notes that the Inspection Service closed the investigation and drew up the Inspection Report immediately after the first questioning of the second defendant; however, the first defendant was questioned on more than one occasion.

26 EDPB, Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, v.2.0, 7 July 2021, available at https://www.edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf

157. Furthermore, the second defendant objects that the Inspection Service compiled an incomplete file. The Inspection Service only requested the processing agreement from the first defendant, which the first defendant had transferred, but without the Z IT Guide. This Z IT Guide forms an integral part of the processing agreement as an appendix. The second defendant was not aware of the fact that an incomplete processing agreement had been transferred and she was also not asked about it. Furthermore, the second defendant denounces the fact that the Inspection Service not only questions her about the processing entrusted to her, but also about the tasks and processing of the first defendant. The second defendant argues that the Inspection Service reproaches her, in the absence of an answer (quod non, according to the second defendant), for not providing a full technical description of the processing by the first defendant, which she does not have to provide. Paragraph 103 of Guidelines 07/2020, to which the Inspectorate refers, was only approved in July 2021, while this paragraph was not yet present in the 2020 version. It is important to note that the processing agreement was concluded on 14 February 2020. Consequently, a lack of answers by the first defendant, if such a lack were to be established, cannot be blamed on the second defendant, but the Inspectorate must question the first defendant about this.

158. Furthermore, the second defendant points out that it is accused of not providing information on the technique used for the removal and destruction (e.g. overwriting, demagnetisation, cryptographic erasure, etc.) of the data after the retention period, with a reference to Recommendation 03/2020 of the GBA. The Inspection Service reaches this conclusion after an answer from the second defendant to the question "Which system is used for the removal and destruction of the biometric data/templates after the retention period has expired? Who is responsible for this deletion, [first defendant] or [second defendant]?". The second defendant replied that no raw biometric data is stored. The encrypted templates are stored on the ST25 terminal and in the SQL cloud database as long as the employee exists in the SQL cloud database. Distribution to one or more ST25 terminals is carried out based on configuration in the Z Web Application T&A application. This answer was apparently not considered conclusive by the Inspection Service, as the second defendant notes. The second defendant points out that the Inspection Service could have asked an additional question in this regard if it considered the given answer to be insufficient.

159. The legal qualification of the data processed by the processor is a point of contention between the second defendant and the Inspection Service. The second defendant believes that it does not process biometric data or any other special category of personal data under Z. The second defendant points out that biometric data (Article 4.14 GDPR) only constitute a special category under Article 9 GDPR if they are processed for the purpose of unique identification. No comparison is carried out on the online platform that the second defendant makes available, the second defendant states. The comparison of the biometric data only takes place in the specific reader, which is linked to the customer, in this case the first defendant. Only the reader, as a separate module, contains proprietary software with secret algorithms, the operation of which is only known to the supplier of the module; the technology used constitutes a trade secret. The manufacturer does not reveal how the templates are created, nor which key is used for encryption. The manufacturer does confirm that these are never released. The second defendant adds to this that it is impossible for anyone to identify a person with the data released by the biometric reader when registering a user. The only thing the file makes possible is to return it to a reader of the same manufacturer within the system with the aim of obtaining the verification of an identity (match or no match) as an answer. The only answer a reader will therefore give is a match with a known ID or no match. Anyone who can unlawfully obtain the encrypted file of the data from the biometric reader after registering a user cannot use this file in any other type of biometric tool because they do not have the unique key(s). The second defendant therefore concludes that it offers an online storage system, but does not choose which terminals on the premises of the first defendant store certain data linked to biometrics, and it certainly does not organise the comparison phase on its own (online) platform. It is only the service provider of storage for a file that no one can decrypt without hacking the reader of the manufacturer.

160. The second defendant also argues that it is reasonably impossible for her to access the information for deciphering, which raises the question whether the files actually constitute personal data within the meaning of Article 4.14 GDPR.

II.13.3. Assessment by the Dispute Resolution Chamber

161. Any processing of personal data by a processor must be governed by a contract or other legal act under EU or Member State law between the controller and the processor, as required by Article 28.3 GDPR.

162. The Inspection Service finds several infringements of Article 28.3 GDPR: (i) the processing agreement between the first defendant as controller and the second defendant as processor does not meet the requirements under Article 28.3 GDPR, in particular as regards the minimum requirements regarding the description of the nature and purpose of the processing, the type of personal data and the technical and organisational measures applied by the processor; (ii) the failure of the second defendant to comply with its obligations under Article 28.3 GDPR, given that it was the only party with technical knowledge of the system and nevertheless failed to adequately describe the processing and, finally, cast doubt on the legal qualification of biometric data.

(i) Description of the nature and purpose of the processing, type of personal data and the technical and organisational measures applied

163. First, the Dispute Chamber assesses to what extent the processing agreement between the first defendant as controller and the second defendant as processor meets the requirements under Article 28.3 GDPR, in particular with regard to the minimum requirements regarding the description of the nature and purpose of the processing, the type of personal data and the technical and organisational measures applied by the processor. 27

164. The Dispute Chamber notes that the processing agreement consists of several parts, as indicated in the conclusions of the second defendant: the main agreement itself with 2 annexes (Enclosure 1 and Enclosure 2). Enclosure 2 to the main agreement in turn had 2 annexes, namely Attachment 1: “ZITGuide” and Attachment 2: “Dataprocessing agreement”, with again 3 annexes: Attachment A (description of the processing), Attachment B (technical and organisational security measures) and Attachment C (subprocessors).

165. Referring to Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, 28 the Dispute Resolution Chamber recalls that the processing agreement must include, among other things, the following elements: a description of the nature and purpose of the processing, and the type of personal data. As regards the nature and purpose of the processing, the EDPB states that this description should be as complete as possible, depending on the specific processing activity, so that external parties (such as a supervisory authority) can understand the content and risks of the processing entrusted to the processor. 29 The “description of the processing” as determined in Attachment 2 of the processing agreement states that the agreement relates to the storage of different categories of personal data and sensitive data. Indirectly, it can be inferred from the processing agreement with all annexes that there is a question of the processing of fingerprints and time registration of employees, namely from Enclosure 1 to the processing agreement, in which mention is made of Fingerprint licenses and in which it is stated that all information provided by the customer (in this case the controller) with regard to the time registration for a certain period is stored in the database of Z.

27 See finding 12 of the Inspection Report.

28 EDPB, Guidelines 7/2020 on the concepts of “controller” and “processor” in the GDPR v2.0, dated 7 July 2021, available at https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

166. The EDPB states that the types of personal data must be specified in as much detail as possible. Merely specifying whether it concerns personal data within the meaning of Article 4.1 GDPR or special categories of personal data in accordance with Article 9 GDPR is not sufficient. 30 The Dispute Chamber notes that the processing agreement in the aforementioned Enclosure 2 “Description of the processing” allows the possibility to indicate which personal data are specifically processed on the basis of the processing agreement [“Please select the categories you intend to use with the Services”]. The processing agreement also provides for four categories of special personal data that are processed by the second defendant on the basis of the processing agreement. Here too, the relevant categories are requested to be indicated [“Please select the categories you intend to use with the services”]. The Dispute Chamber finds that the relevant categories were not indicated for either the personal data or the special personal data. The Dispute Chamber finds that this infringement was only attributed by the Inspectorate to the second defendant, while the obligations under Article 28.3 GDPR apply to both contracting parties. However, the lack of indication could also be attributed to the first defendant, since it determines the purpose and means of the processing as the controller.

167. In conclusion, the Dispute Chamber finds that the required information under Article 28.3, first paragraph (the nature and purpose of the processing and type of personal data) can be derived from the overall reading of the processing agreement, but that it is recommended, for the sake of clarity, that the processed (categories of) personal data, whether or not special, are indicated in the annex as provided.

29 EDPB, Guidelines 7/2020 on the concepts of “controller” and “processor” in the GDPR v2.0, dd. 7 July 2021, para 114, available at https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

30 EDPB, Guidelines 7/2020 on the concepts of “controller” and “processor” in the GDPR v2.0, dd. 7 July 2021, para 114, available at https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

168. The Inspection Service also found in its report that there was an infringement of Article 28.3.c) GDPR, given the generality and limited level of detail of the enumeration of the technical and organisational measures applied.

169. Article 28.3.c) GDPR requires that all security measures required under Article 32 GDPR be reflected in the processing agreement. This processing agreement may not simply repeat the provisions of the GDPR, but must contain information on the security measures, or references to them. The level of detail must enable the controller to assess the suitability of the measures in accordance with Article 32.1 GDPR.[31]

170. Article 32.1 GDPR provides that, when assessing the appropriate level of security, account must be taken of the risks posed by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This must also take into account the special nature of the personal data processed, which is a point of contention between the Inspection Service and the second defendant.

171. As regards the qualification of the personal data processed by the second defendant, the Litigation Chamber recalls the definition of biometric data and the processing of a possible special category of personal data. As the second defendant also states in its conclusions, biometric data do not automatically constitute a special category of personal data under Article 9 GDPR: the purpose of unique identification is required for this. As already stated, the purpose of identification is present on the part of the first defendant as controller in the context of time registration, but not in the case of the second defendant. The second defendant receives data from the first defendant that it processes (i.e. stores) without the purpose of identification or authentication, which means that there is no processing of special categories of personal data within the meaning of Article 9 GDPR. The applicable security measures must therefore be tailored to this.

172. As already explained, the processing agreement consists of the main agreement with 2 annexes (Attachment 1 and Attachment 2). As also indicated by the second defendant, the Litigation Chamber notes that the Z IT Guide (Attachment 2) was missing from the file of the Inspection Service, which meant that it was not taken into account during the investigation.

[31] EDPB, Guidelines 7/2020 on the concepts of "controller" and "processor" in the GDPR, v2.0, dated 7 July 2021, para 126, available at https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

Decision on the merits 114/2024 – 45/71

173. This Z IT Guide sets out the security aspects of the Z application in 13 pages, with concrete information about the security measures taken for the processing entrusted to the second defendant, namely the storage of the data in the Z. This guide contains information about the servers on which the data is stored and about the security measures (such as anti-virus systems, firewalls, SSL certificates and monitoring services). The Litigation Chamber finds that the level of detail of the description of the security measures meets the requirements imposed in Article 28.3.c) GDPR.

(ii) the failure to comply with the obligations of the second defendant under Article 28.3 GDPR, given that it was the only one with technical knowledge of the system and allegedly did not sufficiently describe the processing, and that the second defendant allegedly questioned the legal qualification of biometric data.

174. The Litigation Chamber notes that these findings do not relate to the content of the processing agreement as stipulated in Article 28.3 GDPR, but rather to the pre-contractual information exchanges with the first defendant (for example on the basis of Article 28.1 GDPR) or to the accountability obligation under Article 5.2 GDPR.

175. As regards the finding that the second defendant did not sufficiently describe the processing, the Litigation Chamber refers to section II.7, in which it finds that the processing agreement was not transferred in its entirety to the Inspection Service by the first defendant. The second defendant was not asked to transfer the processing agreement to the Inspection Service.

176. As explained, the Z IT Guide contains information about the technical knowledge of the system. The second defendant provided all this information to the first defendant, the controller, on the basis of which the latter could carry out the required analysis in this regard (see section II.8). In addition, the second defendant also offered training on the operation of the Z. The Litigation Chamber further notes that additional documentation, a portal and a help function were available online, as well as a helpdesk. As the second defendant also argues, the registration of the employees only starts when the first defendant starts doing so. Consequently, the first defendant could request additional information if necessary before starting the time registration. The Litigation Chamber therefore finds that the processing has been sufficiently described and that the second defendant has provided the necessary information to the first defendant.

177. Furthermore, the Inspection Service finds that the second defendant, even at the explicit request of the Inspection Service, was unable to provide a complete technical description of the processing entrusted to it. In this regard, the Inspection Service refers to the minimalist answers of the second defendant and to the fact that it could not provide further information on certain elements.

178. The Litigation Chamber first notes that a possibly minimalist answer to the Inspection Service two years after the conclusion of the processing agreement has no bearing on whether Article 28.3 GDPR, which only stipulates substantive requirements for the processing agreement, was complied with.

179. The Litigation Chamber further notes that the Inspection Service, in its letter dated 6 July 2022, requested the second defendant to explain the technical functioning of the system and in particular how the biometric data collected via the system are handled. The Inspection Service requested that this explanation be accompanied by an overview, as schematic as possible, of the various phases of the processing from collection to deletion. Furthermore, the Inspection Service requested clarification of the technical and organisational security measures that the second defendant takes to protect the integrity, availability and confidentiality of the data, whereas it is actually the first defendant who is subject to these obligations. The Inspection Service then asked 12 additional questions. These questions also concern the various phases of time registration.

180. The Litigation Chamber notes that the second defendant answered the 12 questions but could not answer each question in detail. Certain information is not known to the second defendant, since it is not the controller for the entire chain of processing in the context of the time registration in question. The second defendant formulated an answer to the questions that related to the processing entrusted to it in its capacity as processor. In doing so, the second defendant also indicated why it could not answer the other questions, for example because it did not deal with certain aspects of the time registration chain.

181. In view of the above, the Litigation Chamber concludes that there is no infringement of Article 28.3 GDPR on the part of the second defendant.

II.14. Data Protection Officer (Article 37.1.b) and c) GDPR) with regard to the second defendant

II.14.1. Findings in the Inspection Report

182. The Inspection Service finds in the Inspection Report that the second defendant does not comply with the obligations regarding the appointment of a data protection officer as included in Article 37.1.b) and c) GDPR. The Inspection Service first states that the requirements for appointing a data protection officer under Article 37.1.c) GDPR have been met, since the second defendant processes biometric data, the processing is large-scale and this processing constitutes its main activity. Consequently, the Inspection Service concludes that a data protection officer should have been appointed.

183. First, the Inspection Service does not follow the second defendant's view that it would not process biometric data (see II.13). Furthermore, the Inspection Service refers to the standard clause in Annex A of the processing agreement in which the second defendant, as a processor, also opens itself up to the processing of other categories of personal data. Second, with regard to the large-scale nature of the processing, the Inspection Service notes that the report of the board of directors of the second defendant shows that Z is distributed in nine European countries, from which the Inspection Service infers a large geographical area. The Inspection Service states that it has no insight into the number of persons involved or the amount of data processed, but further notes that the duration and permanence of the data processing inherent to a working time registration system constitute an additional element for assessing the large-scale nature of the processing. Third, as regards the core task criterion, the Inspection Service states that it is clear that data processing constitutes a principal activity of the undertaking and not merely a supporting function of the principal activity of the organisation.

184. Finally, the Inspection Service notes that the second defendant can also be considered obliged to appoint a data protection officer on the basis of Article 37.1.b) GDPR, since the daily registration of the times of arrival and departure of employees at a particular workplace constitutes regular and systematic monitoring of the data subjects.

II.14.2. Position of the second defendant

185. In its conclusions, the second defendant argues that it is not obliged to appoint a data protection officer, neither on the basis of Article 37.1.c) GDPR nor on the basis of Article 37.1.b) GDPR.

186. As regards the applicability of Article 37.1.c) GDPR, the second defendant argues that the Inspection Service's reasoning is not based on objective findings but on half-assumptions and incorrect interpretations. As regards the processing of a special category of personal data, the second defendant reiterates its position that serious doubts can be raised as to whether there is indeed a processing of biometric data and of a special category of personal data in the context of the processing for the first defendant. The second defendant adds that the Inspection Service has extrapolated its findings to the entire operation and all activities of the second defendant. The second defendant points out that its activities are divided between services concerning parking systems and time registration. The figures for the 2021 financial year show that 74.29% of turnover is attributed to parking system services compared to 25.71% for time registration. Time registration itself also extends beyond the Z services: the share of Z in the second defendant's total turnover in 2021 amounted to only 8.50%. The second defendant objects that the Inspection Service assumes that the second defendant would always fall back on biometric readers for Z and that it would therefore set up a Z solution for other customers using biometric readers. It points out that only 10.93% of the turnover is specifically generated by Z-related projects in which biometric readers are also used. The second defendant wonders whether there are serious indications that these projects in which biometric readers are used involve the processing of a special category of data. Even if there were indeed any processing of a special category of personal data, which the second defendant questions, this need not be the case for other customers who use the Z application.

187. As regards the large-scale nature, the second defendant objects that the Inspection Service infers the large-scale nature from the fact that the Z is marketed in 9 countries. The second defendant points out that not all Z solutions work with biometric readers and that, for the assessment of the large-scale nature, only those solutions that do process special categories of data can be taken into account. The second defendant disputes that it can be concluded that the processing is large-scale on the basis of an analysis in which the Inspection Service concludes that it has no insight into the number of persons involved or the amount of data processed, but does establish that the duration and permanence of data processing inherent to working time registration constitute an additional element for assessing the large-scale nature of the processing.

188. Finally, the second defendant refers to the Inspection Service's finding that the core task criterion relates to the processor's main activity and not to a secondary activity. It wonders whether the storage of the special category of data should be regarded as a core task within its activities. In this regard, it refers to the preparatory works of the GDPR, which indicate that main activities mean: "activities in the context of which 50% of the annual turnover resulting from the sale of data or income from the use of this data is earned". A contrario, this means that data processing activities that do not account for more than 50% of a company's turnover are considered secondary activities. The second defendant points out that the turnover resulting from Z where biometric readers are used represented only 0.93% of its turnover in 2021. Consequently, there is no core task.

189. As regards the alleged obligation to appoint a data protection officer on the basis of Article 37.1.b) GDPR, the second defendant points out that the cumulative conditions of core task and large scale are not re-examined. In addition, the second defendant points out that it is not the party carrying out the regular and systematic monitoring in the context of the processing at issue, if any.

II.14.3. Assessment by the Litigation Chamber

190. Under Article 37.1 GDPR, the appointment of a data protection officer is mandatory in three specific cases:

a) where the processing is carried out by a public authority or body;

b) where the core tasks of the controller or processor consist of processing operations that require regular and systematic large-scale monitoring of data subjects; or

c) where the core tasks of the controller or processor consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.

191. Article 37 GDPR applies to the designation of a data protection officer by both controllers and processors. Depending on who meets the criteria for mandatory designation, in some cases only the controller or only the processor must designate a data protection officer, while in other cases the obligation applies to both.

192. The question arises whether the second defendant falls under one of these 3 cases, so that it is subject to the obligation to appoint a data protection officer.

193. Since the second defendant is not a public authority, Article 37.1.a) GDPR does not apply.

194. As regards Article 37.1.c) GDPR, the Litigation Chamber recalls that three cumulative conditions apply: (i) processing of special categories of data or of personal data relating to criminal convictions and offences, (ii) on a large scale and (iii) as a core task.

195. As already established above, the Litigation Chamber follows the position of the second defendant that it does not process special categories of personal data within the meaning of Article 9 GDPR in the context of the processing agreement concluded with the first defendant. The fact that the second defendant offers the possibility to process biometric data in the context of the Z does not automatically mean that the second defendant processes biometric data for all its customers. Furthermore, processing of biometric personal data does not automatically mean that there is a processing of a special category of personal data under Article 9 GDPR, since it has not been demonstrated that identification or verification takes place. It has therefore not been demonstrated that the first condition is met.

196. As regards the condition of large scale, the GDPR does not provide a definition. According to recital 91, this concerns "large-scale processing operations intended for the processing of a significant amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which could entail a high risk". The Litigation Chamber finds that the Inspection Service has not demonstrated that the processing of special categories of personal data is carried out on a large scale. The fact that Z is distributed in 9 European countries does not demonstrate that special categories of personal data under Article 9 GDPR are processed on a large scale. Finally, as regards the core task criterion, the Litigation Chamber finds that the turnover of the second defendant resulting from Z where biometric readers are used represented only 0.93% of the turnover of the second defendant in 2021. The Litigation Chamber finds that this is insufficient to speak of a core task.

197. Furthermore, the Inspection Service argues that the second defendant can also be considered obliged to appoint a data protection officer on the basis of Article 37.1.b) GDPR, since the daily registration of the times of arrival and departure of employees at the workplace constitutes regular and systematic monitoring of the data subjects. In this context, the Litigation Chamber follows the position of the second defendant that any regular and systematic monitoring is carried out by the first defendant in the context of time registration, and not by the second defendant. After all, the second defendant only offers storage of pre-encrypted (personal) data.

198. In view of the above, the Litigation Chamber therefore finds that there is no infringement of the obligation under Article 37.1.b) and c) GDPR to appoint a data protection officer.

III. Corrective measures

III.1. With regard to the first defendant

III.1.1. Established infringements and measures taken by the Litigation Chamber

III.1.1.1. Established infringements

199. The Litigation Chamber has established the following infringements. First, the Litigation Chamber found that the first defendant unlawfully processed special categories of personal data in the context of the time registration system and thereby also violated the principles of purpose limitation and data minimisation (Article 5.1.a) GDPR, Article 9.1 j° Article 6.1 GDPR, Article 9.2 GDPR, Article 5.1.b) GDPR, Article 5.1.c) GDPR).

200. The Litigation Chamber then ruled that the welcome brochure did not sufficiently inform the data subjects about the processing at issue. More specifically, the welcome brochure fell short in general with regard to the obligation under Article 12.1 GDPR that the controller must take appropriate measures to provide the data subject with the information referred to in Article 13 GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language; in particular, the Litigation Chamber finds that the retention periods (Article 13.2.e) GDPR) and the purposes and legal basis (Article 13.1.c) GDPR) were not (adequately) included in the welcome brochure. Since the first defendant invokes Article 6.1.a) and Article 9.2.a) GDPR – albeit unlawfully – the data subjects should also have been informed that they had the right to withdraw their consent (Article 13.2.c) GDPR). As regards the mention of the possibility to lodge a complaint with the Data Protection Authority (Article 13.2.d) GDPR), the Litigation Chamber notes that this is also not mentioned in the welcome brochure.

201. Furthermore, the Litigation Chamber found that the first defendant did not provide sufficient information in response to the second request for access, namely information about the retention period, the retention modalities and the security of the data, which is in conflict with the obligation incumbent on the first defendant to inform the data subject in an intelligible and easily accessible form and in clear and plain language, as set out in Article 15.1.d) in conjunction with Article 12.1 GDPR.

202. Furthermore, the Litigation Chamber ruled that there were multiple breaches of the first defendant's documentation obligations. For the processing of special categories of personal data in the context of time registration, the first defendant did not perform a DPIA before commencing the processing at issue (Article 35 GDPR).

203. The first defendant also failed to include the identity of the data protection officer in the register of processing activities (Article 30.1.a) GDPR). The first defendant also violated Article 30.1.b) and c) GDPR by not including in the register of processing activities all purposes and categories of personal data in the context of time registration as stated in the 2022 version of the employment regulations. Finally, the Litigation Chamber finds that the second defendant, as recipient of the personal data in its capacity as processor in the context of the biometric time registration system, is not listed in the register of processing activities (Article 30.1.d) GDPR).

204. Finally, in view of the above infringements, the Litigation Chamber found that the first defendant has committed an infringement of the accountability obligation under Article 5.2 GDPR.

III.1.1.2. Measures taken by the Litigation Chamber

205. According to Article 100 of the WOG, the Litigation Chamber has the power to:

1° dismiss the complaint;
2° order that the prosecution be dismissed;
3° order a suspension of the judgment;
4° propose a settlement;
5° issue warnings and reprimands;
6° order that the data subject's requests to exercise his/her rights be complied with;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or definitively frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° order the correction, restriction or erasure of data and the notification thereof to the recipients of the data;
11° order the withdrawal of the recognition of certification bodies;
12° impose penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° transfer the file to the public prosecutor of Brussels, who will inform it of the action taken on the file;
16° decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority.

206. With regard to the above-mentioned infringements established with regard to the documentation obligations pursuant to Article 30.1.a), b), c) and d) GDPR and Article 35 GDPR, the Litigation Chamber decides to impose a reprimand on the basis of Article 100, 5° WOG. The importance of drawing up a DPIA pursuant to Article 35 GDPR should not be underestimated. The obligation to carry out a DPIA is intended to describe the process of processing personal data, so that not only the necessity and proportionality of the processing are mapped out, but also the risks to the rights and freedoms of data subjects. Failure to carry out a DPIA is therefore in itself a violation of the GDPR, while it also increases the chance of further violations of the GDPR because the risks of possible (other) violations are not recognised in a timely manner.

207. With regard to the obligations regarding the drawing up of a processing register pursuant to Article 30 GDPR, the Litigation Chamber points out that, in order to be able to apply the obligations contained in the GDPR effectively, it is essential that the controller and the processors maintain a complete and accurate overview of the processing of personal data that they carry out. The register of processing activities is therefore primarily an instrument to help the controller or processor comply with the GDPR for the various data processing operations that it carries out, because the register makes the most important characteristics of the processing activities visible. The Litigation Chamber is of the opinion that this processing register is an essential instrument in the context of the aforementioned accountability obligation (Article 5.2 GDPR and Article 24 GDPR) and that it forms the basis for all obligations that the GDPR imposes on the controller and the processor. It is therefore of the utmost importance that it is complete and correct.

208. The Litigation Chamber is of the opinion that there are sufficient elements to impose a reprimand for the infringements of Article 5.2, Article 30 and Article 35 GDPR, which constitutes a light sanction and is sufficient in light of the infringements of the GDPR found in this file. In determining the sanction, the Litigation Chamber takes into account the fact that the first defendant has already taken several steps to comply with its obligations under the GDPR and provides evidence of this.

209. With regard to the infringement resulting from the incomplete execution of the second request for access (Article 15.1.d) in conjunction with Article 12.1 GDPR), the Litigation Chamber warns the first defendant for the future on the basis of Article 100, 5° WOG, on the one hand, that the fact that the personal data of the data subject are no longer processed by the controller does not mean that the right of access no longer has to be executed and, on the other hand, that if the requested information does not fall under the list in Article 15.1 GDPR, this does not mean that no response has to be given to a request for access, since the obligation to provide information in a concise, transparent, intelligible and easily accessible manner also applies to the information obligations under Article 13 GDPR. The fact that this information is requested in a request for access does not mean that this request for information need not be followed up. The Litigation Chamber is of the opinion that a warning is sufficient, given that the first defendant has not made it completely impossible for the complainant to exercise his right of access. On the contrary, the first defendant had already responded to the complainant's first request for access, which was partly repeated in its response to the complainant's second request for access.

210. As regards the infringements of Article 5.1.a) GDPR, Article 6.1 GDPR, Article 9.1 and 9.2 GDPR, Article 5.1.b) GDPR and Article 5.1.c) GDPR on the principles of lawfulness, purpose limitation and data minimisation, and the infringement of Article 13.1.c), 13.2.c), 13.2.d) and 13.2.e) GDPR on the information obligations, the Litigation Chamber decides to impose an administrative fine pursuant to its powers under Article 83 GDPR and Article 100, §1, 13° WOG.

III.1.1.3. Calculation of the fine

211. On 24 May 2023, the EDPB adopted Guidelines 04/2022 on the calculation of administrative fines under the GDPR[32] (hereinafter: the Guidelines). The Guidelines are immediately applicable, as they do not provide for transitional rules for procedures that were already ongoing at the time of their adoption. The Litigation Chamber will therefore apply these Guidelines to this case.

212. The Guidelines describe a methodology for determining the amount of the fine as follows:

Step 1: which and how many acts and infringements are subject to assessment;
Step 2: which amount forms the starting point for calculating the fine for the infringements established (starting amount);
Step 3: which mitigating or aggravating circumstances, if any, arise that require an adjustment of the amount in step 2;
Step 4: which maximum amounts apply to the infringements and whether any increases from the previous step remain within those amounts;
Step 5: the assessment of whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and if necessary its adjustment accordingly.

213. The Litigation Chamber will determine the amount of the administrative fine on the basis of this methodology.

III.1.1.4. Step 1: Identifying the acts and determining the infringements

214. In order to determine the starting amount of the fine, as described in the Guidelines, it must first be determined whether there is one or more sanctionable acts. The Litigation Chamber found that the first defendant unlawfully processed special categories of personal data in the context of the time registration system and also violated the principles of purpose limitation and data minimisation (Article 5.1.a) GDPR, Article 6.1 GDPR, Article 9.2 GDPR, Article 5.1.b) GDPR, Article 5.1.c) GDPR).

[32] EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_en_0.pdf.

215. Furthermore, the Litigation Chamber ruled that the welcome brochure did not sufficiently inform the data subjects about the processing at issue. More specifically, the welcome brochure was inadequate with regard to, among other things, the retention periods (Article 13.2.e) GDPR) and the purposes and legal basis (Article 13.1.c) GDPR). The Litigation Chamber considers that these were not (adequately) included in the welcome brochure. Since the first defendant invokes – albeit unlawfully – Article 6.1.a) and Article 9.2.a) GDPR, the data subjects should also have been informed that they had the right to withdraw their consent (Article 13.2.c) GDPR). As regards the mention of the possibility of lodging a complaint with the GBA (Article 13.2.d) GDPR), the Litigation Chamber notes that this is also not mentioned in the welcome brochure.

216. In the opinion of the Litigation Chamber, this case concerns one sanctionable act. In this context, the Litigation Chamber refers to the Guidelines, which state that when assessing “the same or related processing activities”, it must not be forgotten that the supervisory authority may, in its assessment of infringements, take into account all obligations prescribed by law for the lawful performance of processing activities, including transparency obligations (e.g. Article 13 GDPR). This is also underlined by the wording “in relation to the same or related processing activities”, which shows that this provision applies to all infringements that relate to and may affect the same or related processing activities.[33] The Litigation Chamber finds that the infringements established above with regard to the principles of lawfulness, purpose limitation, data minimisation, information obligations and accountability relate to the same processing activity, namely the time registration system by means of fingerprints. Consequently, the Litigation Chamber finds that the circumstances constitute a single act, which will result in a single fine being imposed for the infringements resulting from the act in question.

III.1.1.5. Step 2: determining the starting amount

217. As described in the Guidelines, the starting amount of the fine must then be determined. This starting amount forms the basis for the further

calculation in later steps, taking into account all relevant facts and circumstances. The Guidelines state that the starting amount is determined on the basis of three elements: i) the categorisation of the infringements according to Article 83, fourth

33
EDPB – Guidelines04/2022 for the calculation of administrative fines under theGDPR (v2.1, 24 May 2023),
p. 13, https://edpb.europa.eu/system/files/2024-01/edpb guidelines 042022 calculationofadministrativefines en 0.pdf. Decision on the merits 114/2024 – 56/71

up to and including paragraph 6 of theGDPR (step 2.1); ii) the seriousness of the infringement (step 2.2) and iii) the turnover

of the undertaking (step 2.3).

III.1.1.5.1. Step 2.1: Categorisation of infringements according to Article 83, paragraphs 4 to 6

218. As stated in the Guidelines, almost all obligations of the controller are categorised in the provisions of Article 83, paragraphs 4 to 6 GDPR. The GDPR distinguishes between two types of infringements: on the one hand, infringements that are punishable under Article 83.4 GDPR and for which a maximum fine of EUR 10 million applies (or, in the case of an undertaking, 2% of the annual turnover, whichever is higher); on the other hand, infringements that are punishable under Article 83, paragraphs 5 and 6 GDPR and for which a maximum fine of EUR 20 million applies (or, in the case of an undertaking, 4% of the annual turnover, whichever is higher). With this distinction, the legislator has provided a first indication in abstracto of the seriousness of the infringement: the more serious the infringement, the higher the fine.

219. For the infringements of Article 5.1.a) GDPR, Article 6.1 GDPR, Articles 9.1 and 9.2 GDPR, Article 5.1.b) GDPR, Article 5.1.c) GDPR and Article 13.1.c), 13.2.c), d) and e) GDPR j° Article 12.1 GDPR, an administrative fine of up to EUR 20 million may be imposed or, in the case of an undertaking, 4% of the worldwide annual turnover, whichever is higher (Article 83.5 GDPR). It follows from this categorisation that infringements of these provisions are considered serious by the legislator.

III.1.1.5.2. Seriousness of the infringements in the present case

220. In determining the seriousness of the infringement, the Guidelines require that account be taken of the nature, gravity and duration of the infringement, of its intentional or negligent nature, and of the categories of personal data concerned.

221. Nature of the infringement – The Guidelines provide that the supervisory authority may examine the interest protected by the breached provision and its place in the data protection framework. The GDPR provides six legal bases for the lawfulness of the processing of personal data. When the controller carries out or plans to carry out processing of personal data, it must give due consideration to the most appropriate legal basis for the intended processing.[34] The applicable legal basis also affects the applicable rights of data subjects and the applicable information obligations. Breaches of these core principles therefore constitute serious breaches, which can be punished with the highest administrative fines provided for in the GDPR. Consequently, the Litigation Chamber concludes that lawfulness is central to data protection and therefore justifies the imposition of a fine.

[34] EDPB – Guidelines 5/2020 on consent under Regulation 2016/679 (5 May 2020), p. 5, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf.

222. Nature, gravity and duration of the infringement (Article 83.2.a) GDPR) – With regard to the gravity of the infringement, the Litigation Chamber notes that the principle of lawfulness (Article 5.1.a) and Article 6 GDPR), in conjunction with the principles of purpose limitation (Article 5.1.b) GDPR) and data minimisation (Article 5.1.c) GDPR), are fundamental principles of the protection guaranteed by the GDPR. Furthermore, the controller must provide the data subject with the information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed.

223. As regards the nature of the processing, the Litigation Chamber notes that a valid legal basis and transparent information are core elements of the fundamental right to data protection. Breaches of these core principles therefore constitute serious infringements, which can be punished with the highest administrative fines provided for in the GDPR.

224. In its response to the penalty form, the first defendant does not dispute the seriousness of the infringement, but points out that the seriousness must be assessed in the light of all the circumstances set out below, which are specific to this case. It argues that the nature of the processing did not involve a high risk, since the system put in place by the second defendant only allowed a code to be linked to the sensitive data, while the digital fingerprint itself remained in the hardware. When processing the sensitive data, only a code could therefore be created, which was then linked to the employee's individual file, in which only the hours worked were recorded. The sensitive data are not reproduced, communicated or analysed: only clock times are taken and linked to a code, and the digital fingerprint remains in the hardware of the second defendant, which, the first defendant argues, does not appear to have been criticised by the Litigation Chamber. The Litigation Chamber takes these circumstances into account in step 3 when assessing any aggravating or mitigating circumstances, as prescribed by the Guidelines.[35] According to the Guidelines, each criterion of Article 83.2 GDPR may only be taken into account once.

[35] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 29.

225. With regard to the purpose of the processing, the Litigation Chamber finds that the purpose of the processing was to record the employees' working hours and to calculate and pay wages on that basis. As also indicated, no payment could be made if no clockings were recorded, which could lead to measures with negative consequences being taken. In accordance with the Guidelines, the Litigation Chamber attaches more weight to this factor in view of the relationship between the parties concerned as employees and the first defendant as employer.[36]

226. In its response to the penalty form, the first defendant states that it is active in the production of light metal packaging products (aluminium cans). In that capacity, it only processes data on working hours, which are obtained by biometric clocking in and out. The sensitive data remain secured within the system of the second defendant. The processing at the periphery of the main activity is therefore limited to the salary calculation based on the registration of working hours.

227. The Litigation Chamber notes that the intended purpose of the disputed processing could also have been achieved without the processing of the biometric personal data in question. The processing of personal data is not a core activity of the first defendant, but it is an important secondary activity in the fulfilment of its core task. The Litigation Chamber attaches great weight to this factor.

228. With regard to the seriousness of the infringement, the Litigation Chamber considers that the unlawful processing in the context of the time registration in question applied to all employees. The same applies to the information obligations towards employees, at least until the adoption of the 2022 employment regulations. The Litigation Chamber therefore does take the above-mentioned violations into account when assessing the seriousness of the infringement. However, it is not the case that the first defendant failed to comply with its obligations under the GDPR in every respect. The first defendant wrongly invoked consent as a legal basis for the processing in question. Although the Litigation Chamber has established several infringements of the information obligations regarding the processing in question, it cannot be said that the first defendant completely failed to inform its employees of that processing. Furthermore, it is not apparent that the employees suffered substantial damage as a result of the processing in question and the inadequate provision of information. The Litigation Chamber attaches light weight to this factor.

[36] EDPB – Guidelines 5/2020 on consent under Regulation 2016/679 (5 May 2020), p. 20, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf.

229. As regards the duration, it was found that the contested time registration system was introduced on 16 March 2020 and was stopped following the Inspection Report at the end of 2022, which represents a relatively short period. As regards the duration of the infringement, the first defendant argues in its response to the penalty form that it is a relatively new company that made an error in its system for recording working hours. It also argues that it stopped the time registration system immediately. The Litigation Chamber attaches light weight to this factor.

230. As regards the scope of the processing, the first defendant argues that the sensitive data in question, i.e. the fingerprints, remain locked and secure in the hardware system of the second defendant. The scope of the processing is therefore very local and shows that the risk is very low or even non-existent, since the sensitive data remain in the second defendant's system, which is secured and encrypted. The first defendant does not itself hold the fingerprint, but only the encrypted code linked to the fingerprint and the working time registration data. The first defendant notes that this code is generated by the second defendant's equipment and that the encryption key is not known to the first defendant, should it wish to obtain the digital fingerprint as such. The local extent of the processing made it possible to exclude any association between the code and the fingerprints stored in the second defendant's hardware, so that the risk of dissemination was very low. The Litigation Chamber takes these circumstances into account in step 3 when assessing any aggravating or mitigating circumstances, as prescribed by the Guidelines.[37] According to the Guidelines, each criterion of Article 83.2 GDPR may be taken into account only once.

231. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) – The Litigation Chamber recalls that "intent" generally includes both knowledge and wilfulness with regard to the characteristics of an offence, while "unintentional" means that there was no intention to cause the infringement, although the controller or processor breached the duty of care prescribed by law.[38] In other words, two cumulative elements are required to consider an infringement as intentional, i.e. knowledge of the infringement and intentionality with regard to the act.[39]

232. As regards the element of intention, the Litigation Chamber also recalls that the Court of Justice has set a high threshold for an act to be considered intentional. Thus, in criminal cases, the Court of Justice has held that there is "serious negligence" rather than "intent" when "the person liable commits a serious breach of his duty of care which he should and could have observed, taking into account his capacity, his knowledge, his skills and his individual situation".[40] Even though an undertaking whose processing of personal data does not constitute the core of its business is expected to take sufficient measures to protect personal data and to be thoroughly aware of its obligations in this regard, such a serious breach does not necessarily demonstrate that there has been an intentional infringement.[41]

233. In other words, a controller can also be punished with an administrative fine under Article 83 GDPR for an act falling within the scope of the GDPR if it could not have been unaware that its act constituted an infringement, regardless of whether it was aware that it was violating the provisions of the GDPR.[42] According to the Litigation Chamber, there is no obvious intention on the part of the first defendant to deliberately violate the GDPR, either in the introduction of the time registration system by means of biometric data or in the inadequate fulfilment of the information obligations. In the opinion of the Litigation Chamber, there is, however, negligence in committing the infringements. The infringements found are due to an incorrect assessment by the first defendant. It took the combating of fraud in the context of time registration as a guiding principle, which is a legitimate objective, but in that context the first defendant should also have assessed compliance with the GDPR. A professional party such as the first defendant may be expected, also in view of the special nature of the personal data, to thoroughly satisfy itself of the standards applicable to it and to comply with them.

234. In its response to the penalty form, the first defendant follows the position of the Litigation Chamber and recalls that it wished to introduce a system to prevent fraud with working hours, since this problem was indeed present and demonstrated in the context of the present proceedings. The first defendant acknowledges that it should have used a different system for recording working time.

235. The Litigation Chamber recognises the need of the first defendant to tackle and/or prevent possible fraud and assigns an average weight to this factor.

[37] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 29.

[38] Article 29 Data Protection Working Party – Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP253, 3 October 2017), p. 12.

[39] See also EDPB – Binding Decision 1/2023 on the dispute submitted by the IE SA on data transfers by Meta Platforms Ireland Ltd (Facebook), paragraph 103, available at https://www.edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-12023-dispute-submitted.

[40] CJEU, 3 June 2008, C-308/06, Intertanko and others (ECLI:EU:C:2008:312), para. 77.

[41] See also EDPB – Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, 28 July 2022, para. 204.

[42] CJEU, 5 December 2023, C-807/21, Deutsche Wohnen SE v Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), para. 76. See also CJEU, 18 June 2013, C-681/11, Schenker & Co. and others (ECLI:EU:C:2013:404), para. 37; CJEU, 25 March 2021, C-591/16 P, Lundbeck v Commission (ECLI:EU:C:2021:243), para. 156; and CJEU, 25 March 2021, C-601/16 P, Arrow Group and Arrow Generics v Commission (ECLI:EU:C:2021:244), para. 97.

236. Categories of personal data concerned by the infringement (Article 83.2.g) GDPR) – The Guidelines point out that the GDPR clearly specifies the types of data that require special protection and which should therefore be subject to stricter penalties. These are at least the types of data referred to in Articles 9 and 10 GDPR. In general, the more of these categories of data are involved, or the more sensitive the data, the more weight the supervisory authority can assign to this factor.[43] The Litigation Chamber has designated the personal data processed by the first defendant as special within the meaning of Article 9 GDPR. The established infringements concerning lawfulness and the information obligations therefore concern special personal data under Article 9 GDPR, which is why the Litigation Chamber attaches more weight to this factor.

III.1.1.5.3. Turnover of the undertaking

237. The Litigation Chamber specifies in this regard that at the time of sending the sanction form dated 4 June 2024, it did not yet have the turnover figures for the year 2023 and therefore had to take the turnover figures for 2022 into account. After the sanction form was sent, the annual accounts for the financial year 2023 were published on the website of the National Bank of Belgium, in which a turnover of [/] EUR was recorded.

i. Conclusion on the starting amount

a. Theoretical starting amount (based on the gravity of the infringement)

238. Under Article 83.5 GDPR, the maximum fine is EUR 20 million or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher. In the present case, 4% of the first defendant's turnover does not exceed EUR 20 million. Consequently, the statutory maximum amount is EUR 20 million.

239. Based on the evaluation of the criteria set out above, the Litigation Chamber must determine whether the infringement is to be considered of minor, medium or high gravity. These categories do not affect the question of whether or not a fine may be imposed.[44]

[43] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 22, https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_en_0.pdf.

240. This assessment is not a mathematical calculation in which the above-mentioned factors are considered separately, but rather a thorough evaluation of the specific circumstances of the case, in which all the above-mentioned factors are interrelated. Therefore, when assessing the gravity of the infringement, the infringement as a whole must be taken into account.

▪ When calculating the administrative fine for minor infringements, the supervisory authority will set the starting amount for further calculation at an amount between 0 and 10% of the applicable statutory maximum.[45]

▪ When calculating the administrative fine for infringements of medium seriousness, the supervisory authority will set the starting amount for further calculation at an amount between 10 and 20% of the applicable statutory maximum.

▪ When calculating the administrative fine for infringements of high seriousness, the supervisory authority will set the starting amount for further calculation at an amount between 20 and 100% of the applicable statutory maximum.[46]

241. As a rule, the more serious the infringement within the relevant category, the higher the starting amount is likely to be.[47]

242. In its response to the penalty form, the first defendant argues that, given the above criteria, the level of the infringement could be considered low. It refers to the elements discussed above, such as the nature of the processing, the scope of the processing, the purpose of the processing, the extent of the damage and the duration of the infringement.

243. The Litigation Chamber found that there was an infringement of Article 5.1.a), b) and c) GDPR and of Article 9.1 in conjunction with Articles 6.1 and 9.2 GDPR on the one hand, and an infringement of Article 13.1.c) and 13.2.c), d) and e) GDPR in conjunction with Article 12.1 GDPR on the other hand, all of which fall within the infringements referred to in Article 83.5 GDPR. The Litigation Chamber then analysed the nature of the infringement, the purpose, scope and duration of the processing, the categories of personal data processed and the negligent nature of the infringement.[48]

[44] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23, https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf.

[45] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23, https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf.

[46] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23.

[47] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23.

[48] See paragraphs 95 to 102 of this decision.

244. Based on the previous assessments of the above circumstances, the Litigation Chamber finds that the conduct falling within Article 83.5 GDPR is in itself of average seriousness. In doing so, the Litigation Chamber takes particular account, on the one hand, of the sensitive nature of the biometric personal data, the professional capacity of the first defendant as employer vis-à-vis the complainant and the large scope of the processing, given that the time registration system applied to all employees.

245. On the other hand, the Litigation Chamber also takes into account the relatively limited duration of the infringement, the unintentional, negligent nature of the conduct of the first defendant and the fact that it informed the data subjects, albeit incompletely, of the processing at issue.

246. Consequently, the starting amount for further calculation must be set at an amount between 10% and 20% of the applicable statutory maximum. The Litigation Chamber decides to set a theoretical starting amount of EUR 2 million per infringement, i.e. 10% of the applicable statutory maximum amount of EUR 20 million (Article 83.5 GDPR).

b. Adjustment of the starting amount based on the size of the undertaking

247. The Litigation Chamber must then examine whether the starting amount should be adjusted on the basis of the size of the undertaking. This adjustment only applies to undertakings to which the static statutory maximum applies, namely when the undertaking achieved a turnover of less than EUR 500 million in the previous financial year. Since this is the case here, the fine must be adjusted on the basis of the static statutory maximum.

248. The Litigation Chamber has already explained that the conduct established above falls under Article 83.5 GDPR and is of average seriousness. For infringements referred to in Article 83.5 GDPR of average seriousness, applied to an undertaking with a turnover between EUR 50 million and EUR 100 million, the fine amounts to 8 to 20% of the starting amount, whereby the fine may not be less than EUR 160,000 and not more than EUR 800,000.[49]

249. Taking into account the minimum and maximum amounts per level set in the Guidelines on the one hand, and the relevant annual turnover of the controller on the other hand, the Litigation Chamber decides to reduce the starting amount of each of the established infringements (falling under Article 83.5 GDPR and of average seriousness) to an adjusted starting amount of EUR 160,000, i.e. 8% of the theoretical starting amount of EUR 2 million.

[49] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 52.

III.1.1.6. Step 3: assessment of aggravating and mitigating circumstances

i) Assessment of the application of any aggravating or mitigating circumstances

250. As stated in the Guidelines, it must then be assessed whether, in the circumstances of the case, there is reason to set the fine higher or lower than the starting amount determined above. The circumstances to be taken into account are listed in Article 83, paragraph 2, introductory phrase and under a) to k), of the GDPR. Each of the circumstances listed in that provision may only be assessed once.[50] The previous step has already taken into account the nature, gravity and duration of the infringement,[51] the intentional or negligent nature of the infringement[52] and the categories of personal data.[53] This leaves points c) to f) and h) to k).

251. Measures taken to mitigate the harm suffered by data subjects (Article 83.2.c) GDPR) – As stated in the Article 29 Working Party Guidelines WP 253,[54] controllers and processors are already required to take "technical and organisational measures to ensure a level of security appropriate to the risk, to carry out data protection impact assessments and to mitigate the risks to the rights and freedoms of individuals resulting from the processing of personal data". In the event of a breach, the controller or processor must therefore do "everything possible" to mitigate the consequences of the breach for the data subject(s). The first defendant should have refrained from processing the biometric data of its employees in this case. By not doing so, the first defendant violated the essence of this obligation. Since the employees of the first defendant were insufficiently informed about the processing and it has not been established that they (freely) gave their explicit consent, the first defendant undermined the protection of the personal data of its employees by carrying out this processing.

[50] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23.

[51] See paragraphs 95 to 98 of this decision.

[52] See paragraphs 99 to 101 of this decision.

[53] See paragraph 102 of this decision.

[54] Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP253, 3 October 2017).

252. The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32 GDPR (Article 83.2.d) GDPR) – The Litigation Chamber found in section II.8 that the first defendant had taken various organisational measures to secure the personal data in question. Furthermore, the first defendant relied on the second defendant for the technical security of the personal data. The Litigation Chamber determined in sections II.7 and II.8 that there is no infringement of Article 32 GDPR. Consequently, the Litigation Chamber takes into account the fact that the first defendant did show the intention to adequately protect the special personal data processed and also concluded a processing agreement with the second defendant to this end. In this regard, the Litigation Chamber takes into account as a mitigating circumstance in particular the fact that the fingerprints themselves did not leave the secure environment of the second defendant and that the first defendant only held a code that could be linked to the time registration.

253. Previous relevant infringements by the controller or processor (Article 83.2.e) GDPR) – The Litigation Chamber takes into account that no other proceedings have been brought against the first defendant to date. In accordance with the Guidelines, this factor should therefore be considered neutral.[55]

254. The manner in which the supervisory authority became aware of the infringement (Article 83.2.h) GDPR) – Since the Litigation Chamber became aware of the infringement as a result of a complaint, this element is considered neutral in accordance with the Guidelines.[56]

255. The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects (Article 83.2.f) GDPR) – The Litigation Chamber notes that the first defendant has been cooperative towards it. In accordance with the Guidelines, the Litigation Chamber considers the ordinary obligation to cooperate to be neutral in view of the general obligation to cooperate under Article 31 GDPR.

256. In its response to the penalty form, the first defendant points out that it not only fully cooperated, but that it also immediately stopped using the biometric time registration system without awaiting a decision from the Litigation Chamber. This limited the duration of the infringement, which could otherwise have extended over the entire procedure.

257. The Litigation Chamber acknowledges that the first defendant immediately stopped the biometric working time registration system, but points out that it has already taken this into account when assessing the duration of the infringement (see above). In accordance with the Guidelines, each criterion in Article 83.2 GDPR may only be taken into account once in the context of the overall assessment under Article 83.2 GDPR.[57]

[55] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 32.

[56] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 33.

258. Any other aggravating or mitigating factor applicable to the circumstances of the case (Article 83.2.k) GDPR) – The Litigation Chamber takes into account the fact that the processing at issue did not generate any financial gain for the first defendant, which it regards as a mitigating factor when determining the amount of the fine. The Litigation Chamber also took into account, as an additional circumstance, the long period between the completion of the investigation report and the hearing on the one hand and (the publication of) this decision on the other. This element was considered a mitigating factor with regard to the amount of the fine.

259. The first defendant argues that when the amount of the fine in the penalty form was determined, account was taken of its turnover figures. It points out that the company has not made a profit since its establishment in 2019, but is even making losses, which are attributable to the nature of its investments. At the time of drafting its response to the penalty form, the first defendant points out, the annual accounts for 2023 had not yet been finalised, but the financial prospects were not positive. Consequently, it had to carry out a series of redundancies for economic reasons at the end of 2023 and the beginning of 2024. The first defendant explains that its turnover is very high, given the nature of its investments and activities, namely wholesale sales to professionals. On the other hand, the company's profit is modest, or even negative, given the economic climate. The first defendant states that it has not yet achieved the results it was aiming for when it started its activities in Belgium. In addition, it generates a significant number of jobs in Flanders, some of which may be jeopardised by the proposed fine of EUR 90,000.

260. The Litigation Chamber points out that, in accordance with the EDPB Guidelines, it must calculate the amount of the proposed fine on the basis of the turnover figures for the previous financial year, and that no deviation from this calculation method is provided for. However, the Litigation Chamber acknowledges the difficult economic climate and the fact that the proposed fine would jeopardise a significant number of jobs as mitigating factors in this case. The Litigation Chamber also takes particular account of the fact that the first defendant acknowledged the infringement from the beginning of the procedure and has assumed its responsibility in this respect throughout the entire present procedure.

261. Other mitigating or aggravating circumstances – The remaining circumstances listed in Article 83.2 GDPR do not apply, because the circumstances to which they refer are not present in this case.

[57] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 29.

ii) Impact on the amount of the fine

262. The specific starting amount of EUR 160,000 was determined above. Subsequently, any mitigating or aggravating circumstances were examined. The Litigation Chamber ruled that various circumstances could be taken into account as mitigating factors. Consequently, the fine in the penalty form was adjusted to EUR 90,000.

263. In accordance with the elements set out above, including the arguments put forward by the first defendant in its response to the penalty form, the Litigation Chamber decides to reduce the proposed fine from EUR 90,000 to EUR 45,000.

III.1.1.7. Step 4: Checking whether the maximum amounts were exceeded

264. As already explained, the maximum fine for the infringements found is 4% of the worldwide annual turnover of the company. Given the turnover of the first defendant ([/] EUR), the statutory maximum of the fine to be imposed is therefore EUR 3,417,778.64. The fine amount determined in the penalty form for the infringements found was set at EUR 90,000, which was below the statutory maximum amount. The reduced fine of EUR 45,000 is also well below the above-mentioned statutory maximum, so that it is not exceeded.

III.1.1.8. Step 5: Assessment of the effective, proportionate and deterrent nature

265. As regards the disproportionate nature of the proposed fine, the first defendant refers in its response to the penalty form to previous decisions of the Litigation Chamber concerning the processing of biometric data, including the decisions concerning the use of thermal imaging cameras at Brussels Zaventem and Charleroi airports. The first defendant states that the fines imposed by the Dispute Chamber were considered disproportionate by the Market Court. According to the first defendant, it is clear that the two judgments in the aforementioned cases apply to the present case, since they concern the unlawful processing of biometric data. The following points in particular are of importance according to the first defendant: (i) the first defendant does not carry out marketing advertising, unlike the airports in the above cases, and it does not process personal data in the context of its main activity; (ii) the first defendant never registered the fingerprint as such, because it remained within the system of the second defendant and it was only given a code to generate the information regarding working hours, which is fundamentally different from the method used at Brussels Airport; and (iii) the turnover of the first defendant is much lower than that of Brussels and Charleroi airports. Given these circumstances, the proposed amount of 90,000 would be disproportionate, according to the first defendant.

266. The Litigation Chamber first points out that, in accordance with Article 83.2 GDPR as well as the Guidelines of the Article 29 Group and the EDPB Guidelines,[58] fines are imposed "according to the circumstances of the specific case". In addition, the Litigation Chamber refers in this regard to the case-law of the Court of Appeal of Brussels, Market Court section, according to which "the Belgian legal system does not attribute binding precedent value to either administrative or judicial decisions. Any decision of a judge (and this also applies to any decision of an administrative authority, provided that the principle of equality is not violated) is specific and does not extend to a case other than the one being dealt with".[59] With regard to the amount of the administrative fine imposed, the Market Court also referred to the margin of appreciation of the Litigation Chamber: "This means in practice that the GBA can not only decide not to impose a fine on the offender, but also that, if it does decide to impose a fine, it must be between the minimum, starting from EUR 1, and the maximum provided for. The fine to be imposed is decided by the GBA, taking into account the criteria listed in Article 83, paragraph 2 of the GDPR".[60] The Litigation Chamber is therefore not bound by the amounts of previous fines that it has imposed in previous cases.

267. The Litigation Chamber then refers to the fact that the EDPB has issued Guidelines on the calculation of administrative fines, which was not yet the case when the aforementioned decisions on thermal cameras at airports were taken. These Guidelines set out the calculation of these fines on the basis of various factors that the Litigation Chamber must take into account. Therefore, the calculation of the administrative fine prior to the issuance of the EDPB Guidelines cannot be compared with the calculation of the administrative fine based on these Guidelines.

[58] Article 29 Data Protection Group, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, 3 October 2017; EDPB, Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 34.

[59] Court of Appeal Brussels (section Market Court), NV N.D.P.K. v. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 12.

[60] Court of Appeal Brussels (section Market Court), NV N.D.P.K. v. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 42.

268. On the basis of Article 83.5, introductory phrase and under b, GDPR, the Litigation Chamber may impose an administrative fine for the infringements described above. As described in the Guidelines, the imposition of a fine can be considered effective if it achieves the purpose for which it was imposed. The Litigation Chamber states that the intended purpose is twofold: on the one hand, to punish unlawful conduct and, on the other hand, to promote compliance with the applicable rules. The Litigation Chamber considers that the requirement of effectiveness has been met. As regards proportionality, the Litigation Chamber refers to the nature, seriousness and duration of the infringement, as well as the other factors in Article 83, paragraph 2, GDPR, as assessed in sections III.1.1.2 to III.1.1.6 of this decision. The weighing of the above factors, in combination with the taking into account of the turnover of the first defendant, leads the Litigation Chamber to determine that the fine imposed meets the requirement of proportionality. Finally, as regards the deterrent effect, the fine encourages the first defendant to avoid repetition in the future, and the imposed fine also has a deterrent effect with regard to other controllers.[61] Consequently, the Litigation Chamber also considers that the imposed fine of EUR 45,000 meets the requirements of effectiveness, proportionality and deterrent effect.

III.1.1.9. Other grievances

269. The Dispute Chamber will proceed to a dismissal of the other grievances and findings of the Inspection Service because, based on the facts and documents in the file, it cannot conclude that there would be infringements of the GDPR in this case.

III.2. With regard to the second defendant

270. The Dispute Chamber will proceed to a dismissal of the grievances and findings of the Inspection Service with regard to the second defendant because, based on the facts and documents in the file, it cannot conclude that there would be infringements of the GDPR in this case.

IV. Publication of the decision

271. Given the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision is published on the website of the

[61] The deterrent character should deter the first defendant and others from committing the same infringement in the future, see European Data Protection Board (EDPB), Guidelines 04/2022 for the calculation of administrative fines under the GDPR (version 2.1), 24 May 2023, paragraph 142.

an inter partes application must be lodged with the registry of the Market Court[63] in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of Justice (Article 32ter of the Judicial Code).

(signed) Hielke Hijmans

Chairman of the Dispute Chamber

5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.

[63] The application with its appendix shall be sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or lodged with the clerk.