APD/GBA (Belgium) - 146/24: Difference between revisions
From GDPRhub
mNo edit summary |
m (→Facts) |
||
| Line 86: | Line 86: | ||
After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation. | After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation. | ||
Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial | Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system, accessible to other brands other than only the controller. | ||
Three main points were raised in the investigation. First, the | Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties. | ||
=== Holding === | === Holding === | ||
The DPA started its decision by | The DPA started its decision by explaining which type of data processing happened. First, there was a collection of personal data, not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and by subscriptions to the central filing system. Second, there has been sharing of personal data, which consisted in sharing and updating all personal data of customers subscribed to the Custocentrix service, which regrouped different brands, which in turn would advertise the controller´s website. | ||
The court found that the data processing and the sharing of data are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system. | The court found that the data processing and the sharing of data are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system. | ||
Therefore, the DPA considered it appropriate to examine whether or not | Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes of processing; and, second, of the means of processing. The purpose was found to be the data collection and processing, which is shared between the controller and the other brands. Similarly, the means are shared, with the controller collecting personal data from their website and app, and the other brands advertising this service. In light of this, the controller and the other brands were considered joint controllers as per [[Article 26 GDPR|Article 26 GDPR]]. | ||
'''Violation of Articles 5(2) and 7 GDPR''' | '''Violation of Articles 5(2) and 7 GDPR''' | ||
Revision as of 08:01, 11 December 2024
| APD/GBA - 146/24 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(e) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 7 GDPR Article 7(3) GDPR Article 24 GDPR Article 25 GDPR Article 25(1) GDPR Article 26 GDPR Article 100 of the Belgian LCA |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 28.11.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Freedelity |
| National Case Number/Name: | 146/24 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données (in FR) |
| Initial Contributor: | elu |
The DPA reprimanded Freedelity, a tech company active in the online retail sector, due to violations of the data minimization, storage limitation, accountability principles, as well as data protection by default and by design.
English Summary
Facts
After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation.
Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This allows to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system, accessible to other brands other than only the controller.
Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties.
Holding
The DPA started its decision by explaining which type of data processing happened. First, there was a collection of personal data, not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and by subscriptions to the central filing system. Second, there has been sharing of personal data, which consisted in sharing and updating all personal data of customers subscribed to the Custocentrix service, which regrouped different brands, which in turn would advertise the controller´s website.
The court found that the data processing and the sharing of data are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system.
Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes of processing; and, second, of the means of processing. The purpose was found to be the data collection and processing, which is shared between the controller and the other brands. Similarly, the means are shared, with the controller collecting personal data from their website and app, and the other brands advertising this service. In light of this, the controller and the other brands were considered joint controllers as per Article 26 GDPR.
Violation of Articles 5(2) and 7 GDPR
With regards to the lawfulness of the legal basis, the DPA found that a violation of Article 5(2) and 7 GDPR existed as the consent collected by the joint controllers was not “collected for specified, explicit and legitimate purposes”.
Violation of Articles 5(2), 7(3), 24 and 25 GDPR
Additionally, the DPA considers that the joint controllers did not respect the documentation requirements and liability arising from Articles 24 and 5(2) GDPR in matter of withdrawal of consent, as current mechanisms do not allow for a withdrawal of consent that is both simple and direct as required by Article 7(3) GDPR, in accordance with the principle of data protection by design under Article 25 GDPR.
Violation of Articles 5(1)(c) and 25(1) GDPR
A violation of the principle of data minimization under Article 5(1)(c) GDPR and of data protection by default under Article 25(1) GDPR was found as data concerning the municipality of issue of the identity card, the date of validity of the identity card and the history of this data has been collected, even if the DPA finds that it has no relevance in the framework of the processing carried out by the joint controllers.
Violation of Articles 5(1)(e), 5(2), 24 and 25(1) GDPR
Finally, the DPA found that a violation of Article 5(1)(e) GDPR, namely the storage limitation principle, as it established a data storage period of 8 years, which is overly long, and also does not have in place a good storage system to keep the data subject´s data safe from third party interventions.
Reprimand
In the case at hand, as per Article 100 of the Belgian LCA, the DPA considered it sufficient to reprimand the controller, but also imposed a deadline of 4 months to correct these GDPR violations. After those 4 months, a €5,000 daily fine will be imposed.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/67
Contentious Chamber
Decision on the merits 146/2024 of 28 November 2024
Case number: DOS-2019-04308
Subject: Investigation concerning two processing operations implemented by Freedelity
The Contentious Chamber of the Data Protection Authority, consisting of Mr. Hielke
Hijmans, President, and Messrs. Yves Poullet and Romain Robert, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";
1
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter the "LCA");
Having regard to the internal regulations as approved by the Chamber of Representatives on 20
December 2
2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
Has taken the following decision concerning:
The defendant: Freedelity, whose registered office is established at Rue Altiero Spinelli7, 1401 Nivelles,
registered under company number 0818.399.886, represented by Maîtres
Christian Defauw, Alexandre Cassart, Etienne Wéry, Victoria Ruelle and Fanny
Cotton, hereinafter: "the defendant"
1The DPA recalls that the revised organic law entered into force on 01/06/2024. It only applies to complaints, mediation files, requests, inspections and proceedings before the Litigation Chamber initiated from that date. Cases initiated before 01/06/2024, such as this case, are subject to the provisions of the old version of the LCA accessible here: https://www.autoriteprotectiondonnees.be/publications/loi-organique-de-l-apd.pdf
2
The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the Law of 3 December 2017 establishing the Data Protection Authority (LCA), came into force on
01/06/2024. It only applies to complaints, mediation files, requests, inspections and proceedings before the Litigation Chamber initiated from that date. Cases initiated before 01/06/2024 are subject to the
provisions of the internal regulations as they existed before that date. Decision on the merits 146/2024 – 2/67
I. Facts and procedure
1. On 8 July 2019, the newspaper l’Echo published an article entitled “Freedelity proposes to
pool customer data management”. On 2 August 2019, a member of the
Management Committee proposed to the Chairman of the Management Committee to examine this service.
2. This discussion was put on the agenda of the Management Committee meeting of 20
August 2019. At this meeting, the Management Committee decided to send a letter to the
defendant to inquire about the operation of the service described in the article in l’Echo.
3. On 30 August 2019, the Director of the General Secretariat sent a letter containing a
series of approximately 10 questions to the defendant. On 9 October 2019, the defendant
forwarded its answers to the General Secretariat.
4. On the basis of these answers, the General Secretariat drafted a letter to the
Management Committee entitled “DIRCO Report – Preliminary Information Letter –
Freedelity”. On 6 December 2019, on the basis of the latter, the Management Committee of
the Data Protection Authority (hereinafter “DPA”) decided to request an investigation
from the Inspection Service, pursuant to Article 63.1° of the LCA.
5. On 20 April 2022, the Inspection Service's investigation was closed, the report was attached to the
file and the latter was forwarded by the Inspector General to the President of the
Litigation Chamber (Art. 91, § 1 and § 2 of the LCA).
The Inspection Service notes, broadly, that:
- Finding 1: Freedelity was unable to demonstrate the collection of
valid consent (in accordance with Article 4.11 of the GDPR) in violation of Articles
5.1.a., 6.1.a., 7 and 5.2. of the GDPR.
- Finding 2: Freedelity was unable to demonstrate that appropriate measures
had been put in place to facilitate the withdrawal of consent
in violation of Article 7.3. of the GDPR, read in light of the principle of
accountability (Articles 5.2., 24 and 25 of the GDPR).
- Finding 3: Freedelity was unable to demonstrate that it has implemented
appropriate measures to ensure the validity and collection of consent
(within the meaning of Article 4.11. of the GDPR) for the processing operations for which Freedelity
acts as data controller, in violation of Articles 5.2., 24 and 25 of the GDPR.
- Finding 4: Freedelity has violated the principle of data minimization set out in
Article 5.1.c. of the GDPR and Article 25.1 of the GDPR.
3 This article is available at the following link: https://www.lecho.be/entreprises/technologie/freedelity-propose-de-
mutualiser-la-gestion-des-donnees-clients/10143718.html Decision on the merits 146/2024 – 3/67
- Finding 5: Freedelity failed to justify the data retention periods
determined in violation of Articles 5.1.e., 5.2., 24 and 25.1. of the GDPR.
6. On 6 July 2022, the Litigation Chamber decided, pursuant to Article 95, § 1, 1° and
Article 98 of the LCA, that the case could be dealt with on the merits.
7. On the same day, the defendant is informed by registered mail of the provisions as
set out in Articles 95§2 and 98 of the LCA. It is also informed, pursuant to
Article 99 of the LCA, of the deadlines for submitting its submissions.
8. The deadline for receipt of the submissions in response from the defendant
was set at 31 August 2022
9. On 7 July 2022, the defendant requests a copy of the file (Art. 95, §2, 3° LCA),
which is sent to it on 12 July 2022.
10. On 18 July 2022, the defendant agrees to receive all communications relating
to the case by electronic means and expresses its intention to use the possibility of being
heard, in accordance with Article 98 of the LCA. She also requests an extension of the
deadline for submitting submissions to 30 October 2022.
11. On 2 August 2022, the Litigation Chamber accepts an extension of the deadline to 21
September 2022.
12. On 15 September 2022, the defendant requests to be able to consult the paper version of the
administrative file. She also requests an extension of the deadline for submitting
submissions to 21 October 2022.
13. On 21 September 2022, the Litigation Chamber agrees to extend the deadline for
filing submissions by two weeks, until 5 October 2022. It reminds the
defendant that, at her request, she had already obtained a complete digital copy of the
administrative file on 12 July 2022. However, she adds that she can consult the file by
contacting the registry.
14. On 28 September 2022, the consultation of the paper administrative file took place in the premises
of the APD.
15. On 5 October 2022, the Litigation Chamber received the submissions from the
defendant. When sending its submissions, the defendant also requested,
before ruling on the matter, documents that it considered necessary for the exercise of the
rights of the defence. It also requested to be granted a new deadline for submissions
after receipt of these documents.
16. On 2 May 2023, the Litigation Chamber sent the defendant numerous
documents and also authorised the defendant to conclude on these elements until 17
May 2023. Decision on the merits 146/2024 – 4/67
17. On 3 May 2023, the defendant requested that the deadline for submission of
conclusions be extended to 15 June.
18. On 8 May 2023, the Litigation Chamber agreed to extend the deadline by one week,
until 24 May 2023.
19. On 9 May 2023, the parties were informed that the hearing would take place on 14 June 2023.
20. On 23 May 2023, the defendant informed the Litigation Chamber that it wished
to receive a full copy of the minutes of the Management Committee meeting of 6
December 2019. It requested a copy of the decision to lift the mandate of the President of
the APD in 2022 and, in the event that the APD did not have it, it demanded that the
latter take steps to obtain it. It considers that the deadlines for submitting the
submissions granted to it are unreasonable, that the hearing is premature and that
the file is not ready.
21. On 24 May 2023, the Litigation Chamber receives the additional submissions from
the defendant.
22. On 2 June 2023, the Litigation Chamber responds to the defendant, stating that the
extracts from the minutes of the Management Committee meeting contain all the
information relating to this file. It adds that it has provided all the documents
at its disposal and that it is up to the defendant to present in support of its
submissions all the documents it considers useful. The Litigation Chamber concludes
that the file is ready and that the hearing can take place.
23. On 12 June 2023, the defendant informed the Litigation Chamber that it had filed
a request with the Commission for Access to Administrative Documents (hereinafter, “CADA”)
against the Litigation Chamber. It requested a further postponement of the hearing.
24. On 12 June 2023, the Litigation Chamber reiterated the position expressed on 2 June 2023. It
added that the APD did not currently consider itself subject to the law of 11 April 1994 on
the publicity of the administration.
25. On 12 June 2023, the defendant informed the Litigation Chamber that one of its
counsel was unavailable due to illness and that it was therefore unable
to argue the case on the scheduled hearing date.
26. On 13 June 2023, the Litigation Chamber informed the defendant that
the hearing had been postponed to 29 June 2023.
27. On 15 June 2023, the defendant sent the Litigation Chamber a request for
4
disqualification of its president on the basis of Article 828, 1° of the Judicial Code.
4 Art. 828 of the Judicial Code: "Any judge may be challenged for the following reasons: 1° if there is legitimate suspicion (…)" Decision on the merits 146/2024 – 5/67
28. On June 19, 2023, the President of the Litigation Chamber dismissed the challenge request
recalling in particular that the Judicial Code is not applicable to him, and that the
defendant's arguments concerning the lack of impartiality of the President of the
Litigation Chamber are unfounded.
29. On 20 June 2023, the defendant filed a challenge application with the Market Court, which informed the Litigation Division on 22 June 2023.
30. On 26 June 2023, the registry of the Litigation Division informed the defendant that
the hearing scheduled for 29 June 2023 was postponed to a date to be determined.
31. On 27 June 2023, the defendant sent an email to the President of the Data Protection Authority. In this email, the defendant recalled its various requests
concerning the documents and indicated that it considered that this issue should be
dealt with by the President of the DPA or the DPA Management Committee and not by the President
of the Litigation Division.
32. On 4 July 2023, the APD received Opinion No. 2023-95 from the CADA. The latter considered itself
competent to give an opinion on a request for access to a document made to
the APD. It also considered that the defendant's request was admissible.
33. In its opinion, the CADA indicated that the APD was not required to guarantee access to a
document that it did not possess, but that it must designate, if it was aware of it, the
authority that held the requested document. Following this opinion, the defendant again requested
access to documents that it considered necessary for the exercise of the rights of the defense.
34. On 11 July 2023, the Litigation Division responded to the defendant, informing it
that it was forwarding its request to the APD's Management Committee.
35. On 18 July 2023, the Management Committee, through the Chair of the APD, responded to the
defendant. She first stated that the CADA’s position constituted a reversal
of its previous position. She added that she was not taking a position at this stage
on the applicability of the law of 11 April 1994 to the APD, but she saw no objection to the
fact that, in this case, the agenda and minutes of the Management Committee meeting of 6
December 2019 were provided to the defendant, with the removal of information
concerning other data controllers.
36. On 31 October 2023, the Market Court issued a judgment 2023/7566 concerning the application for
disqualification filed by the defendant against the President of the Contentious
Chamber. In this judgment, the Market Court declared itself without jurisdiction and without
competence to hear the application for disqualification filed by the defendant against
the President of the Contentious Chamber.
5Judgment of the Market Court of 31 October 2023, No. 2023/AR/821 (judgment not registrable) Decision on the merits 146/2024 – 6/67
37. On 28 November 2023, the defendant was informed that the hearing would take place on 15
January 2024.
38. On 22 December 2023, the defendant filed a summons for interim relief with the
Interim Relief Chamber of the Brussels Court of First Instance requesting the production
of all documents relating to Freedelity under penalty of a penalty payment.
39. The Chamber of Interim Relief issued a first order on 12 February 2024 in which it
declared Freedelity’s application unfounded with regard to the production of the
decision to lift the mandate of the former president of the APD and the
documents that are not linked to the decision of the Management Committee of 6
December 2019. It ordered the APD to produce several of the
documents requested by the defendant.
40. On 20 March 2024, the Chamber of Interim Relief issued an order in which it
found Freedelity’s application to be partially founded and ordered the APD to produce
several additional documents, including internal emails between APD
employees that were included in the inventory of exhibits.
41. On 22 March 2024, the APD provided the additional exhibits to Freedelity. In accordance with the
second order of the Chamber of Interim Relief, it grants a period of 15 days to
Freedelity to conclude on all the documents provided by the APD and invites it to the hearing which
will take place on April 11.
42. On April 9, Freedelity files its additional submissions.
43. On April 11, 2024, the defendant is heard by the Litigation Chamber.
44. On April 29, 2024, the minutes of the hearing are submitted to the defendant.
45. On May 3, 2024, the defendant informs the Litigation Chamber that it does not
wish to comment on the minutes of the hearing and that it sticks to its procedural
writings and pleadings.
II. Reasons
II.1. Background
46. Since its creation in 2010, Freedelity has offered technology aimed at simplifying the
collection and updating of personal data, in particular by using data
contained in the chip of the Belgian electronic identity card (hereinafter, "eID").
47. Freedelity's services make it possible to centralise commercial advantages offered
by different brands to consumers, as well as the latter's loyalty cards or proofs of
purchase. These services are offered both (i) by Freedelity to its customers of the
"brand" type (according to a B2B model, as part of the CustoCentrix service), and (ii) by
Freedelity to consumers (according to a B2C model). Decision on the merits 146/2024 – 7/67
48. While the article in the aforementioned Echo focused on the presentation of CustoCentrix, from
the inspection phase, the investigation focused on the “Freedelity file”, maintained
by Freedelity as data controller, this file remaining largely
supplied by data collected by the brands.
49. As Freedelity explains in its responses to the inspection service (Exhibit 5 of the file),
“the Freedelity file allows the personal identification of each consumer,
access to the Myfreedelity portal as well as the management of the process of pooling the
maintenance of consumer data between Freedelity customers”.
50. The Inspection Service has only analysed the conformity of the processing operations relating to the
Freedelity file, and consequently (1) the collection of personal
identification and contact data, (2) the pooling of these personal
data, and (3) the transfer of identity data contained in the Freedelity
file to third parties such as Z1 and Z2.
51. The Litigation Chamber will successively analyse the legality of the processing operations (1) and (2)
referred to above in section II.5. However, it notes that the
Inspection Service’s investigation report does not contain sufficient elements to allow
an in-depth examination of the processing operation (3), in particular
concerning the possible legal bases and the roles of the actors involved. Consequently, this
decision will not concern this processing operation (3).
II.2. Preliminary question: Deportation of the President of the Litigation Division
52. As a preliminary point, the defendant requests the President of the Litigation Division to
withdraw due to the legitimate doubt that exists as to his impartiality. For the purposes of
readability and clarity of this decision, the response of the Litigation Division to this
argument will be examined later in the decision, in the section devoted to
respect for the rights of the defence, and more particularly to the impartiality of the members of
the Management Committee, including the President of the Litigation Division (section II.4.1.1).
II.3. Procedure: Stages of the procedure
53. The Litigation Division notes that the defendant has raised a significant
number of arguments relating to all stages of the procedure. However, without prejudging
its jurisdiction and the extent of its duty to provide reasons with regard to the arguments
raised - questions which have not been decided by the Markets Court -, the
Litigation Chamber wishes to respond to them below for the proper understanding of the decision.
6Freedelity’s role as the data controller of this file is not contested. Decision on the merits 146/2024 – 8/67
II.3.1. The questioning of the Director of the General Secretariat (at the time also
Chairman of the Management Committee) by the Director of the Knowledge Centre
54. The defendant considers that the Director of the Knowledge Centre at the time had
no authority to question the Director of the General Secretariat, either in her
capacity as a member of the Management Committee or as Director of the Knowledge Centre.
55. For all practical purposes, the Litigation Chamber recalls that the Management Committee is
composed of the five directors of the APD (Article 12 of the LCA). In this capacity, the Director of the
Knowledge Centre was, along with this function, a member of the
Steering Committee at the time of the questioning of the Director of the
General Secretariat. Furthermore, the Director of the
General Secretariat at the time was also the President of the
Data Protection Authority, and therefore, in this capacity, chaired the
Steering Committee in accordance with Article 13§1 of the
LCA.
56. Article 10§1 of the LCA provides that “The Steering Committee shall monitor
developments in the technological, commercial and other
fields that have an impact on the protection of personal data” (emphasis added).
57. It is clear from the documents in the case that the Director of the Knowledge Center (member of the
Management Committee) proposed to the Chairman of the Management Committee to examine a Freedelity
service whose operation was described as innovative in an article in
L’Echo published on 8 July 2019, entitled “Freedelity proposes to pool the management of
customer data”.
58. The APD, through its predecessor the Commission for the Protection of
Privacy (hereinafter “CPVP”), was aware of the existence of the service offered by Freedelity, consisting of
an innovative technology allowing access from one’s identity card to
economic advantages (e.g. points accumulated on a loyalty card). However,
the L’Echo article presented an evolution of the technological service in question:
“Today, the Nivelles company is going a step further. With Custocentrix, it is launching a
cloud platform enabling retailers to better organise and keep up to date
all of their customers' personal and behavioural data".
59. It should be noted that an evolution of a technological service offered by a private company
requiring the use of the Belgian identity card, which contains a unique identifier of
a highly sensitive and regulated nature (the national register number), has an
impact on the protection of personal data in Belgium. If the members of the
APD Management Committee were not able to understand the extent of
7As of 1 June 2024, this service is called the "Authorisation and Advice Service".
8The Echo article is available at the following link: https://www.lecho.be/entreprises/technologie/freedelity-propose-de-
mutualiser-la-gestion-des-donnees-clients/10143718.html
9Without however being considered as a special category of personal data within the meaning of Article 9 of the GDPR. Decision on the merits 146/2024 – 9/67
the impact of this development on the basis of a simple newspaper article, nor whether the processing of the
national register number was involved in this development, the latter have fully assumed
their responsibility by deciding to analyse said development on the basis of Article
10 of the LCA. Any contrary interpretation of this article would amount to limiting this monitoring power
conferred specifically on the members of the Management Committee 10 and to emptying it of its
meaning. The Director of the Knowledge Center was therefore entitled to formally request
the Chairman of the Management Committee that this discussion be placed on the agenda
of the Management Committee meeting of 20 August 2019.
60. Under the conditions mentioned in the two preceding paragraphs, any member of the
Management Committee is authorized to formally request the Chairman of the
Management Committee to place a discussion concerning such monitoring on the agenda of
Management Committee meetings. For the Litigation Chamber, this interpellation comes within the
framework of this obligation to monitor developments in technological fields,
falling to the APD and therefore, first and foremost, to the members of the Management
Committee. Such monitoring requires the possibility of an internal interpellation between members of the
Management Committee and is therefore perfectly justified.
61. A member of the Management Committee wished to put on the agenda a discussion
concerning the new service proposed by Freedelity, in order to allow the
Management Committee to monitor this development in the technological field. This
legitimate questioning occurs within the framework of Article 10§1 of the LCA and is
therefore in accordance with the law.
II.3.2. Sending of a letter requesting information to the defendant by the
Chairman of the General Secretariat (at the time, also Chairman of the Management
Committee)
62. First, the defendant considers that following the decision of the
Management Committee to monitor the Freedelity service, the General
Secretariat exceeded its powers by sending a letter requesting information to the
defendant (Exhibit 2 of the file). It relies in particular on a report from the Court of Auditors which, according to it,
criticises the fact that the General Secretariat grants itself a "role of filtering files".
Secondly, the defendant argues that sending this letter requesting
information in Dutch to the defendant is contrary to the law on the use of
languages in administrative matters and that by application of Article 58 of the
Law of 18 July 1966, the nullity of this act must be established and, by extension, that of the
entire procedure.
10It should be noted that the members of the Management Committee make particularly moderate use of this monitoring power conferred
by Article 10 of the LCA. This power is included in the new version of the LCA, as applicable to files initiated
after 01/06/2024. Decision on the merits 146/2024 – 10/67
63. First, the Litigation Chamber points out that during the meeting of the
Management Committee, its members decided that a letter could be sent on the basis of Article
20§1,1° of the LCA, after consulting the files that had previously been opened
concerning the defendant with the Front Line Service (“FLS”). The first
letter was drafted by the General Secretariat and sent to the defendant on 30 August 2019.
64. The President of the APD (and therefore of the Management Committee) was assisted in the
performance of his tasks by the General Secretariat (Article 13§3 of the LCA). In addition, the General
Secretariat has its own mission of “monitoring” technological developments, which
have an impact on the protection of personal data (Article 20§1,1° of the
LCA). This mission presents a certain redundancy with that of the Management Committee,
consisting of “monitoring” developments in the technological field having an impact
on the protection of personal data (Article 10 of the LCA). However, the
“monitoring” mission11 of the General Secretariat implies a priori an active control of a higher
degree than that implied by the notion of “monitoring” incumbent on the Management Committee. Furthermore,
the Management Committee does not have its own department and cannot ensure its
monitoring without going through another body of the APD to assist it, which was in this case the
General Secretariat, whose director chaired the Management Committee.
65. The Litigation Chamber does not share the defendant’s reading according to which the
General Secretariat arrogated to itself in this case “investigative” powers (a mission
incumbent solely on the Inspection Service) or “filtering of files”. In the
present case, the General Secretariat sent about ten neutral questions
concerning the operation of the new Freedelity service, in order to
understand how it works. The General Secretariat is in fact
authorized to exercise such surveillance
under Article 20§1,1° of the LCA), which is distinct in all respects
from the power of investigation reserved for the Inspection Service (Article 28 of the LCA).
66. Thus, the criticisms of the Court of Auditors concerning the fact that the General Secretariat
would play a role of filtering files are not relevant to the present case,
since in this case, the file was opened at the request of a member of the
Management Committee and the Management Committee decided to send a letter on 20 August 2019. The
General Secretariat merely assisted the Chairman of the Management Committee while
remaining within the limits of its legal powers, and, in this way, enabled the Management
Committee to monitor developments in the technological field in question.
1According to the Larousse dictionary, the primary meaning of the term "surveillance" is defined as: "Action of monitoring, of controlling
something, someone". See in this sense the online version available on the following link:
https://www.larousse.fr/dictionnaires/francais/surveillance/75897
12
According to the Larousse dictionary, the primary meaning of the term "monitoring" is defined as: "Set of operations consisting of
monitoring and controlling a process to achieve the desired result in the best conditions". See in this sense the
online version available at the following link: https://www.larousse.fr/dictionnaires/francais/suivi/75313 Decision on the merits 146/2024 – 11/67
67. Prohibiting the General Secretariat from contacting the stakeholders concerned regarding
technological developments in order to fully assume its “monitoring” mission,
would amount for the APD to requesting the intervention of another body (for example the
Inspection Service) to ensure this monitoring. This mode of operation would be completely
contrary to the spirit of the LCA, and to the logic of the distribution of internal powers between
the bodies of the APD, as explained above: it is not only provided in the text that
the General Secretariat follows technological developments, but it is also logical that
the General Secretariat assists the Management Committee in the performance of its tasks,
particularly when Article 13§3 of the LCA provides that the President of the APD – therefore the
President of the Management Committee – is assisted in the performance of his tasks by the
General Secretariat. Furthermore, the Inspection Service could not be contacted at this stage,
since its referral cannot come from a request from the General Secretariat (Article 63 of the
LCA) and no procedure justifies the sharing of an investigation by the Inspection Service
with the General Secretariat, which must remain secret as a matter of principle (Article 28 of the LCA).
68. For these reasons, the General Secretariat remained within the limits of its powers by
contacting Freedelity, as part of its monitoring mission, in order to measure
itself the impact of a technological development on data protection, as provided
for by Article 20§1,1° of the LCA, to inquire about the technological
development that constitutes the new service offered by Freedelity, a service whose
impact was certain due to the sensitive nature of the processing in question requiring the use of the
identity card.
Sending a letter requesting information concerning the processing of
personal data in the context of the new Freedelity service therefore constitutes a
proportionate measure in the context of the monitoring mission of the General
Secretary and of monitoring technological developments within the remit of the Management
Committee.
69. Secondly, regarding the use of language, as the Market Court has already decided, "Despite its public policy nature, an illegality relating to the language of a decision cannot give rise to annulment if it is not such as to affect the meaning of the decision, if it has not deprived the interested parties of any guarantee or if it has not had the effect of influencing the competence of the author of the decision" (free translation). In this case,
Exhibit 2 of the file was processed by the defendant without difficulty, and it was sent at a stage
prior to the investigation by the Inspection Service.
70. In this case, the Litigation Chamber recalls the chronology of the facts:
- Sending of a letter requesting information in Dutch (Exhibit 2) - 30.08.2019;
13Judgment of the Market Court, of September 4, 2019, 2018/AR/1446 and others, original version: “Ondanks zijn karakter van de
open order, kan een eventuale onwettigheid in verband met de taal van een beslissing, een aanleiding geven tot
vernietiging indian deze onwettigheid niet van aard is om, te dezen, een invloed hebben op de richting van de beslissing, zij
de belanghebbende partijen geen waarborg heeft ontzegd de zij niet het effect heeft gehad om van invloed te zijn op de
bevoegdheid van de auteur van het besluit”. Decision on the merits 146/2024 – 12/67
- Freedelity requests to be able to respond in French – 10.09.2019;
- APD agrees that the file be handled in French – 20.09.2019;
- Freedelity sends its responses in French – 09.10.2019
- The rest of the file is handled in its entirety in French.
71. The responses provided by the defendant to the letter requesting information in
Dutch were written in French by the defendant, who was therefore perfectly able
to understand the questions addressed to it.
72. In accordance with the defendant’s request, the rest of the procedure was conducted
in its entirety in French. The defendant was therefore in no way deprived of procedural
guarantees that could affect the present procedure.
73. Consequently, the Disputes Chamber considers that the sending of a letter requesting
information to the defendant by the President of the General Secretariat (at the
time, also President of the Management Committee) complies with Articles 10 and
20§1,1° of the LCA. The fact that this letter was written in Dutch is not such as
to taint the proceedings with nullity since the rights of the defence were not
affected.
II.3.3. Sending of a note to the Management Committee by the
General Secretariat (“DIRCO Report – Preliminary Information Letter –
Freedelity”)
74. First, the defendant criticises the fact that the General Secretariat drafted a
note (“Preliminary Information Letter”) for the Management Committee on the basis
of the responses provided by the defendant (document 6 of the file). It also criticises that
this note uses elements from the contacts between the CPVP and the
responses provided by Freedelity to the questions of the General Secretariat. Secondly, the
defendant claims that the document entitled “probe letter” which is attached to the
decision of the Management Committee of 6 December 2019 is not produced in the file. It adds that
the use of the terminology “probe” demonstrates the implementation of
exploratory, abusive, unfair and arbitrary procedures. It concludes that in this case, the APD
had no serious evidence at the time it contacted Freedelity.
75. Firstly, the Litigation Chamber notes that following the
defendant’s response to the letter requesting information, an opinion was drawn up by the
General Secretariat for the Management Committee on the basis of the
responses provided (document 6 of the file).
On this basis, the Management Committee decided on 6 December 2019 to ask the
Inspection Service to open an investigation.
76. As stated above, the Litigation Chamber recalls that the General
Secretariat has a monitoring mission (Article 20§1, 1° of the LCA). When this Decision on the merits 146/2024 – 13/67
monitoring mission follows a request for monitoring from the Management Committee (Article 10
of the LCA), it is logical that a document be drawn up on the basis of the answers provided to the
questions asked, to enable the Management Committee to ensure the continuity of its
monitoring (Article 10 of the LCA).
77. Indeed, in order to pursue “developments in the technological field” (emphasis added)
within the meaning of Article 10 of the LCA, it is necessary for the Management Committee to take into
account all information relevant to understanding such developments. The
Management Committee has therefore legitimately cross-checked and used the information made
available by Freedelity during its contacts with the CPVP, of which the APD is the
continuation.
78. The provision of information necessary for monitoring cannot be carried out by the
Management Committee itself since it does not have a department - as already
indicated previously - and must therefore necessarily be carried out by a body of the APD. In
this case, the General Secretariat was the natural APD department to do this: the
request for information already came from the General Secretariat, which logically
followed up on its letter, not to mention that this body is entrusted by
Article 10 of the LCA with a mission to monitor technological development.
79. The Litigation Chamber concludes that the General Secretariat was perfectly justified in
drafting an opinion for the Management Committee by gathering the information made available to
it so that the Management Committee could decide to open an investigation at a later
stage. Moreover, it was only on the basis of the information reported by the
General Secretariat that the Management Committee was able to assess the follow-up to be given to the procedure. No opinion or
recommendation is binding on the Management Committee, which is sovereign in its assessment.
In this case, the Management Committee decided that the next step in the procedure would be the implementation
of Article 63.1° of the LCA.
80. Secondly, the document entitled “probe letter” whose legality the defendant is contesting
is indeed document 6 of the inventory which has been part of the file since the beginning of the case and
which was provided to the defendant when it requested a copy of the file.
81. Furthermore, the term "probe" on which Freedelity's complaint is based is used only once by a legal adviser who wrote the opinion to the Management Committee on which the latter ruled on 6 December 2019. The term is never used again subsequently and the
letter is officially entitled ("DIRCO Report - Preliminary Information Letter -
Freedelity").
82. In its internal communications, the APD alternately uses the terms "monitoring" or
"system surveillance procedure" in relation to this letter. The unfair nature of the APD cannot be deduced from the
simple use of these terms. Indeed, these terms are taken from the very letter of the LCA, at most they are translated into English. The Litigation Chamber
recognises at most the use of different terms in the
internal communications to identify the procedure in question, which
has no legal consequences on the procedure.
83. The actions taken by the General Secretariat constitute a
necessary step in order to be able to provide a complete file to the
Management Committee so that it can make an informed decision. The
defendant wrongly confuses on the one hand (i) the preparatory
actions for the follow-up of a file as well as the decision of the
Management Committee, and on the other hand (ii) the investigation
itself.
84. The Litigation Chamber firmly reaffirms that an investigation can only be
carried out by the Inspection Service (Article 28 of the
LCA). Unlike the latter, neither the
General Secretariat nor the Management Committee have the power to note
infringements or violations of the GDPR before submitting their findings to the
Litigation Chamber.
85. The sending by the General Secretariat to the Management Committee of the contested note (the “DIRCO
Report – Preliminary Information Letter – Freedelity”) was done legally, on the basis
of Articles 10 and 20§1, 1° of the LCA.
II.3.4. Finding of serious evidence by the Management Committee
86. First, the defendant maintains that it was the General Secretariat that referred the
Management Committee, with reference to Article 63.1 of the LCA, when it did not have
serious evidence to do so and that it therefore illegally decided to ask
questions of the defendant. It considers that the article in L’Echo was not sufficient
in itself to trigger the opening of a file. Secondly, it adds that the
Management Committee did not find serious evidence in its decision of 6 December 2019 since
it merely repeated the report made by the General Secretariat. It refers in particular
14
to the judgment of the Court of Markets of 22 February 2023 to argue that the
Management Committee’s reasoning is deficient. Third, the defendant considers that the DPA has
undermined the defendant’s legitimate expectations by using information
present in files from 2014 to 2016, while the DPA’s predecessor, the CPVP
had closed these files.
87. First, with regard to the question of the General Secretariat’s jurisdiction, the
Litigation Chamber refers to section II.3.3 above, in which no illegality
is established. Furthermore, the Litigation Chamber notes a reading error on the part of the
defendant. The General Secretariat did not assist the Management Committee on the basis of
14 Judgment of the Court of Markets, dated 22 February 2023, No. 2022/AR/253, available at the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-22-fevrier-2023-de-la-cour-des-marches-ar-953.pdf Decision on the merits 146/2024 – 15/67
Article 63.1° of the LCA, but rather on the basis of Article 20§1,1° of the LCA, as it clearly emerges
from the documents in the file.
88. The Litigation Chamber recalls that, by virtue of the powers conferred on the Management Committee, it is up to it to ask the Inspection Service to open an investigation if serious evidence reveals the existence of practices that could give rise to a violation of the fundamental principles of data protection (Article 63.1° of the LCA). As recalled by the Markets Court, this is a discretionary power of the APD.15
89. The elements covered by the report comply with the letter of the LCA, insofar as the object of the monitoring or surveillance is precisely the impact or incidence on the
protection of personal data as required by Articles 10 and 20§1, 1° of the LCA).
The elements retained by the General Secretariat were indeed focused on such an object:
a) Article 10 of the LCA concerns technological areas that have
an “impact on the protection of personal data”
b) Article 20§1, 1° of the LCA requires the monitoring of technological
developments having an “impact on the protection of personal data”
90. A report on a technology having an impact or an impact on the protection of
personal data, may reveal serious indications of the existence of a practice
likely to give rise to an infringement of the fundamental principles of the protection of
personal data (Article 63.1 of the LCA).
91. Secondly, concerning the reference by reference, the Litigation Chamber recalls that
the Council of State accepts the motivation by reference, provided that the document to which reference is made is part of the
file. This is the case here since document number 6, which constitutes the opinion of the General Secretariat (“DIRCO Report – Preliminary
Information Letter – Freedelity”), is annexed to the decision of the Management Committee and has always been
part of the file. The decision of the Management Committee is formulated as follows:
“The conclusions of the attached annex contain indications of non-compliance with the
following principles: obtaining consent, profiling and sharing of data,
minimisation of data, retention period and recipients of data”
(free translation).
15
Judgment of the Market Court of 22 February 2023, No. 2023/1527, p. 40., available at the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-22-fevrier-2023-de-la-cour-des-marches-ar-953.pdf.
16Decision of the Council of State of 7 May 2013, No. 223.440
17
Extract from the minutes of the Management Committee of 6 December 2019. Exhibit 7 of the file. Original version: "The extensive statements in
bijlage gevoegd bevatten aanwijzingen betreffende do not comply with the following principles: as per Décision sur le fond 146/2024 – 16/67
92. The decision of the Management Committee therefore justifies its decision by referring to the note
provided to it, and relies on it to identify serious indications of
breaches of the following principles:
- obtaining consent,
- profiling and sharing of data,
- minimisation of data,
- retention period,
- and recipients of the data.
93. Thirdly, with regard to the defendant’s argument that the consultation and
use of the information in the files opened within the CPVP, the predecessor of the
APD, violated the principle of legitimate expectations, the Litigation Chamber recalls that, like any public
authority, it is subject to the duty of thoroughness which requires it to “conduct a meticulous
research into the facts, to gather the information necessary for decision-making and to take into account
all the elements of the file in order to make its decision in full knowledge of the
facts and after having reasonably assessed all the elements useful for resolving the
specific case”. 18
94. This duty requires the APD, when it wishes to make a decision concerning
an individual, to check whether and to what extent files have already been opened
against that individual. This research is also essential in order to be able to
ensure compliance with the principle of non bis in idem. The Litigation Chamber
therefore considers that the General Secretariat was perfectly entitled to consult all
the files concerning the defendant, including the closed files, to enable
the Management Committee to make an informed decision.
95. The Litigation Chamber recalls that, according to the Council of State, the principle of
legitimate trust, "means that the person administered must be able to count on a clear and
well-defined line of conduct from the authority or, in principle, on promises made to him by
the authority in a specific case. The violation of the general principle of legitimate
trust requires three conditions, namely an error by the administration, a legitimate
expectation raised following this error and the absence of a reason to go back on this
recognition. This principle cannot be invoked on the basis of acts emanating from an
authority distinct from that which adopted the contested act. »
of toestemming, profiling in delen van gegevens, gegevensminimalisatie, bewaartermijn en ontvangers van de
gegevens. »
18Judgment of the Council of State, of December 6, 2021, No. 252.324, p. 13.
19Judgment of the Council of State of 8 May 2024, No. 259.704. Decision on the merits 146/2024 – 17/67
96. The Litigation Chamber notes that in its analysis, the General Secretariat
found five indications of non-compliance. Two of these indications (indications 3 and 5) are based
solely on the responses provided by the defendant in its letter of 9 October 2019.
These indicators are not based on elements of older files. The three other
indicators of non-compliance are based on a comparison between the elements contained
in a letter from the defendant to the CPVP dated 26 November 2015 and the
response of 9 October 2019. The General Secretariat noted in its three instances a
change in the defendant's practice which, according to it, could
constitute a breach of the principles of personal data protection. The General
Secretariat had to carry out this verification to allow the Management Committee to
"monitor developments", as explained previously, and decide to refer the
matter to the Inspection Service.
97. Thus, in its analysis, the General Secretariat claims that between 2015 and 2019, the duration of
data retention by the defendant increased from 5 to 8 years. It also writes
that the defendant would now carry out profiling based on the data collected,
which it had indicated that it did not do before.
98. For the Litigation Chamber, the General Secretariat's analysis does not reveal
any change in the position of the APD or an erroneous interpretation on its part. It therefore has
no impact on the procedure. Indeed, it emerges from the Chamber's analysis that
when the General Secretariat uses information from past cases, it is to compare
them with the current practices that the defendant has informed it of. This
comparison allowed the Management Committee to ensure its follow-up (Article 10 of the LCA).
99. For the Litigation Chamber, even if the CPVP had authorised the processing in question
by the defendant, quod non, the principle of legitimate expectation does not mean that in the face of
new facts and changes in practices, the public authority must maintain a
line of conduct that it would have expressed in the past on facts that were
significantly different. The defendant is therefore wrong to invoke a violation of the
principle of legitimate expectation.
100. In view of the foregoing, the Litigation Chamber concludes that the decision of the
Management Committee complies with the requirements of Article 63.1 of the LCA.
II.3.5. Referral to the Inspection Service by the Management Committee (validity of the minutes)
101. First, the defendant explains that the versions of the minutes sent to it
do not allow it to be established whether the President of the Litigation Division, who abstained
during the Management Committee’s vote on this point, participated in the discussion. In addition, it
considers that it has not been demonstrated that the majority of the members of the
Management Committee were present, nor that a majority of the members voted in favour under
Article 3 of the ROI. Finally, the defendant considers that there are doubts that a record of the
Management Committee’s decision was drawn up and signed by the President of the
Management Committee, which would constitute a violation of Article 16 of the LCA.
102. Secondly, the defendant also argues that since this decision was taken
in Dutch, it would be contrary to the law on the use of languages in administrative
matters, since the defendant is based in a French-speaking region.
103. Firstly, the Litigation Chamber recalls that the minutes of the
Management Committee cover many topics, including strategic decisions of the APD and
that they contain personal data. In accordance with the principle of data minimisation
(Article 5.1.c of the GDPR), and compliance with the principle of confidentiality
applying to the members of the Management Committee (Art. 48 LCA), the Litigation
Chamber does not transmit the minutes of the Management Committee in their entirety to the
parties concerned by a procedure, but only an extract of said minutes in order to
enable the parties to a procedure to assess their existence for the part that
concerns them.
104. The defendant had at the outset of the proceedings on the merits an extract from the minutes
of the Management Committee concerning the activation of Article 63.1° against it. At its
request, a broader extract was provided to it on 2 May 2023. A full version of the minutes
was provided to it on 18 July 2023 by the President of the APD.
105. The defendant was able to note from the minutes, firstly, that all the
members of the Management Committee were present at the meeting of the Management
Committee, but that the President of the Litigation Chamber recused himself for this item on the agenda,
secondly, that no objection from any of the members of the Management
Committee was noted, thirdly, that the minutes were indeed signed by the President of the
Management Committee, and fourthly, that the Management Committee decided to refer the
Inspection Service on the basis of Article 63.1° of the LCA. The conditions of Articles 15 and
16 of the LCA are therefore met. The defendant’s argument contesting
the existence of a report and compliance with its formalism is therefore unfounded.
106. With regard to the complaint concerning the bias of the members, the Disputes Chamber
refers to its examination in section II.4.1 below.
107. Therefore, neither the validity of the minutes of the Management Committee nor the participation of the
directors can be called into question. The procedure complied with the legal
requirements, and no evidence of bias has been provided. Decision on the merits 146/2024 – 19/67
21
108. Secondly, in a judgment of 7 July 2021, the Procurement Court recalled that the APD
must be considered a central service within the meaning of the Act on the use of languages in
administrative matters and that as such, it must comply with Articles 40 et seq. of that
Act.
109. However, the decision to refer the matter to the Inspection Service by the Management Committee does not constitute
communication with individuals, within the meaning of Article 41 of the Act on the Use of
Languages in Administrative Matters, but rather internal communication; the use of
French by the Management Committee was therefore not required.
110. The referral to the Inspection Service by the minutes of the Management
Committee is therefore valid and complies with the requirements of Articles 15 and 16 of the
LCA, as well as Article 3 of the ROI.
II.3.6. Procedure before the Inspection Service
111. The defendant argues that the file reference used by the APD has been the same
since the first letter sent by the General Secretariat, which tends to prove that there was a
well-established “pre-inspection” procedure within the APD. It adds that the Inspection Service
has taken up the exchanges between the General Secretariat and Freedelity
under the name “Surveillance of the General Secretariat”. The defendant also considers
that there is no evidence of the taking of an oath by an inspector who worked on the
case (“inspector concerned”), even though the latter contributed to the investigation.
112. The Litigation Chamber notes that the defendant draws no conclusions from the first two
arguments mentioned and linked to the reference and title of the case. Insofar as
necessary, it refers in this regard to the previous developments on this point (see
paragraph 8282).
113. With regard to the taking of an oath, at the defendant’s request, the Litigation
Chamber provided it with a document on 2 May 2023, the subject of which is “designation of
inspectors of the inspection service”. This document signed by the Inspector General and the
Director of the General Secretariat is dated June 25, 2019. It states that "Only the names
of the agents of the Data Protection Authority below who took the oath
on November 19, 2018 retain the status of inspector of the inspection service." This is followed
by a list of agents whose names have been redacted by the Litigation Chamber for
reasons of privacy, with the exception of the name of the inspector concerned which appears in the
list.
114. For the Litigation Chamber, this document demonstrates that the inspector concerned took the
oath on 19 November 2018 and that on 25 June 2019, the APD considered that he retained
21 Judgment of the Market Court of 7 July 2021, No. 2021/AR/320 available at the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-7-juillet-2021-de-la-cour-des-marches-ar-320-
disponible-en-neerlandais.pdf Decision on the merits 146/2024 – 20/67
the quality of inspector of the inspection service. At the date of the referral to the Inspection Service
by the Management Committee on 6 December 2019, the inspector concerned had indeed taken the
oath and was still an inspector.
115. The Litigation Chamber also recalls that this type of request is not based on
any legal basis. Indeed, the law provides that inspectors take an oath (Article 30
§1 of the LCA), which must be considered as an established fact, except in cases of serious doubt
which must be proven by the defendant. The defendant cannot therefore rely on any legal basis to demand the transmission of these documents.
116. The Litigation Division concludes that the procedure before the Inspection Service
is not flawed.
II.3.7. Referral to the Litigation Division by the Inspection Service
117. The defendant argues that the Litigation Division could not have been validly referred to
given that the Inspection Service itself was not validly referred to.
118. The Litigation Division did not find any irregularity in the referral to the
Inspection Service. Consequently, it considers itself legally referred to on the basis of Article 92.3°
of the LCA.
119. The referral to the Litigation Division was made legally on the basis of Article
92.3° of the LCA.
II.4. Procedure: respect for the rights of the defence
II.4.1. Impartiality of the members of the Management Committee and of the Committee itself
120. The grievances raised by the defendant must be distinguished according to whether they concern the
members of the Management Committee or the Management Committee itself.
II.4.1.1. The President of the Litigation Chamber
Position of the defendant
121. As a preliminary matter, and as stated in Section II.2, the defendant requests the President
of the Litigation Chamber to withdraw on the grounds of the legitimate doubts that exist
regarding his impartiality. In the absence of a specific procedure established by the
LCA, the defendant argues that Article 828, 1° of the Judicial Code should apply by analogy.
122. According to the defendant, the possibility of requesting the recusal of a judge is an integral part
of Article 6 of the European Convention on Human Rights and Article 47 of the Charter of Fundamental Rights of the European Union. These same guarantees
of independence and impartiality are contained in Article 52 of the GDPR, which has been transposed
into Belgian law by Article 36 of the LCA. Decision on the merits 146/2024 – 21/67
123. In the event that the Contentious Chamber considers that the absence of an explicit
provision in the law would mean that recusal is not possible, the defendant
requests that a prejudicial question be submitted to the Constitutional Court. 124. It considers that this bias or appearance of bias arises from the following elements:
a) First, the President of the Litigation Chamber was aware of
several documents concerning Freedelity that led to the decision of the
Management Committee of 6 December 2019 and that despite his disqualification
during the examination of this point, it is impossible to know what his role was at this
meeting.
b) Second, the President of the General Secretariat was allegedly dismissed from his
mandate, in particular due to “pre-inspection” procedures such as those carried
out in this case. However, the President of the Litigation Chamber testified
before the Justice Commission on the occasion of the lifting of the mandate of the
President of the APD before the House of Representatives and also constituted himself
an intervener in the appeal for extremely urgent suspension brought by the
President of the APD before the Council of State against the decision to lift the
mandate.
He himself filed an appeal for suspension of the decision to lift the mandate
before the Council of State. For the defendant, the president of the Litigation
Chamber would defend the conduct of the president of the APD which was allegedly the
cause of his lifting of his mandate.
c) Thirdly, the president of the Litigation Chamber could not refuse access
to the request made by the defendant to access the decision to lift the
mandate of the president of the APD on the grounds that he did not have this document, since
he intervened in various proceedings before the Council of State on the subject
of this decision and therefore necessarily had access to it.
d) Fourthly, the fact that the president of the Litigation Chamber refused to
provide certain documents requested by the defendant and that he took a position
on the competence of the CADA with regard to requests for access
concerning documents held by the APD.
(e) Fifth, the defendant also considers that being a creditor is
a ground for challenge, which would be the case for the President of the Litigation Chamber
in this case since in the context of the challenge proceedings brought by
Freedelity before the Market Court, the President requested and obtained
a procedural indemnity, the payment of which he has not yet demanded.
Review by the Litigation Chamber Decision on the merits 146/2024 – 22/67
125. As a preliminary point, the Litigation Chamber does not dispute that the principle of impartiality
applies to administrative authorities. It should be stressed, however, that the principle
22
of impartiality “must be reconciled with the structure of the active administration”, as
described below, in paragraph 127.
126. The Litigation Chamber of the APD is chaired by Mr Hijmans. The proper functioning of
the Litigation Chamber and the APD requires that the president be available, and be able
to sit during decisions on the merits (Articles 33§1 and 92 to 107 of the LCA), as well as within the
Management Committee, as is apparent from the dual competence of the directors of the
organs of the APD established by Article 12 of the LCA.
127. According to consistent case law of the Council of State:
“the general principle of impartiality must be applied to all organs of the active administration.
It is sufficient that an appearance of bias could have raised legitimate doubts in the applicant
as to the ability to approach his case with complete impartiality. However, this principle
only applies to the extent that it is compatible with the specific nature, and in particular
with the structure of the active administration. Furthermore, the impartiality of a collegiate body
can only be called into question if, on the one hand, specific facts which raise suspicions of bias
on one or more members of that college can be legally established and
on the other hand, it is clear from the circumstances that the bias of that
member or members could have influenced the entire college. It is up to the person alleging that the authority did not act
with independence, impartiality and thoroughness to provide proof of this. 23
128. It is therefore up to the party invoking the breach of the principle of impartiality to
demonstrate the existence of specific facts from which it should be concluded that the
principle of impartiality has been breached. If the facts concern a member of a collegiate body, it
is appropriate for the party invoking the breach of the principle of impartiality to demonstrate
that the facts it identifies are likely to have affected the impartiality not only
of their author, but also of at least a majority of the members of the collegiate body
in question.24
- The bias of the president of the Litigation Division as a member either of the
management committee or of the Litigation Division sitting with three members.
129. First, the criticism concerns the fact that the President of the Litigation Chamber had received
documents concerning the defendant prior to the meeting of the Management Committee
of 6 December 2019. The defendant has not demonstrated why the fact of receiving
22
C.E., 25 April 2023, 256.341, Di Livio.
23 C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684, XXX.
24 See in particular Cour des marchés, 7 December 2022, 2022/AR/556, available from the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-.r-556.pdf Decision on the merits 146/2024 – 23/67
these documents would demonstrate indications of bias on the part of the President of the Chamber
Contentious, especially since the latter did not, at any time, react to these documents and
that he recused himself during the discussion on this point as proven by the minutes of the meeting. It
is also not demonstrated how this bias, if it were demonstrated, could have
influenced the other members of the Management Committee.
130. Secondly, the Disputes Chamber considers that the impartiality of the President of the
Disputes Chamber cannot be called into question by the fact that he
filed in his own name an appeal to suspend the decision to lift the request of the
President of the APD, since this appeal was filed because he considered that this
decision posed a risk to his personal independence as President of the
25
Disputes Chamber. Furthermore, the President of the APD did not conduct
any “pre-inspections” in the present case (see section II.3.2 of the
decision) and the defendant presents evidence without proof of what it claims, nor
an explanation allowing the Disputes Chamber to follow its reasoning.
- The bias of the President of the Litigation Chamber sitting alone
131. Third, the fact that the President of the Litigation Chamber responded to the
defendant that the APD does not have the decision to lift the mandate of the President of
the APD is a factual observation that does not reveal any bias. This assertion was
further corroborated by the President of the APD in her letter dated 18 July 2023.
132. The fact that the President of the Litigation Chamber could have had knowledge of this
document is irrelevant since this took place in the context of his
private activities, since he was appearing before the Council of State
"on his own initiative, without being
authorised to do so by the data protection authority" (free
translation). It cannot be reasonably argued that the request for access to
documents that the defendant made to the APD would also extend to
documents that could be held by the directors outside their function within the
APD.
133. The Litigation Chamber also emphasises that access to this document was
also refused by the Chamber of Representatives when the defendant requested
access.
In its order of 12 February 2024, the Interim Relief Chamber of the Court of First Instance
also dismissed the defendant’s request for production of this
document.
134. Fourthly, the fact that the President of the Litigation Chamber granted access to
certain documents and not to others requested by the applicant does not mean
25
C.E. No. 256,827 of 19 June 2023, § 8.
26 C.E. of 17 August 2022, No. 254,326. Original version: “on its own title, without prejudice to the
Gegevensbeschesmingsauthority”. Decision on the merits 146/2024 – 24/67
that he thereby lacked impartiality. The President of the Litigation Chamber
is required to take a number of actions in the context of the organisation of the
procedure, actions that he considers legitimate and these do not prejudge his personal assessment
of the merits of the case.
135. Moreover, the bias of the President of the Litigation Chamber is not
demonstrated by the response to the request for production of documents made by the
defendant on the basis of the law of 11 April 1994 relating to the publicity of the
administration. Indeed, in its response, the Litigation Chamber states that the APD does not consider
itself currently subject to the law of 11 April 1994 relating to the publicity of the
administration.
This position does not demonstrate the bias of the President of the Contentious Division since
it concerns the position of the Management Committee as a whole and that the CADA itself
shared this position in the past.
136. In this regard, the case-law of the European Court of Human Rights teaches that
a problem linked to a lack of judicial impartiality does not arise when the judge has
already rendered formal and procedural decisions at other stages of the proceedings. On the other hand,
this problem may arise if, at other stages of the proceedings, the judge has already ruled
on the guilt of the accused.
137. However, in the present case, what is being criticised against the President of the Contentious Division does not imply
any position whatsoever on the part of the latter as to the merits of the case and, in
particular, as to the conduct or responsibility of the applicant.
138. This teaching of the European Court of Human Rights concerns judges; it applies
even more so with regard to members of an administrative college.
139. Fifth, the President of the Litigation Chamber is not acting in his
personal capacity in this case. The procedural compensation in question was requested in the
context of the exercise of his functions within the APD, that is to say, as President of
the Litigation Chamber; he has no personal or financial interest in this claim.
140. The lack of impartiality of the President of the Litigation Chamber has therefore not
been demonstrated. No valid reason can justify his removal from the present case.
II.4.1.2. The Director of the Knowledge Centre
27
See in particular CADA, opinion 2018-14, available at:
https://www.ibz.rrn.fgov.be/fileadmin/user upload/fr/com/publicite/avis/2018/ADVIES-2018-14.pdf
28European Court of Human Rights (ECHR), George-Laviniu Ghiurău v. Romania, 16/06/2020, Application no.
15549/16, § 67
29Gómez de Liaño y Botella v. Spain, 22/07/2008, Application no. 21369/04, § 67-72. See also ECHR, Guide on
Article 6 of the European Convention on Human Rights, Right to a fair trial – criminal aspect,
https://www.echr.coe.int/documents/guide art 6 criminal eng.pdf. Decision on the merits 146/2024 – 25/67
141. The defendant claims that the then Director of the Knowledge Centre, in the context of her previous employment, had worked with Freedelity and validated their legal model. The defendant considers that these agreements were covered by professional secrecy, business secrecy and confidentiality agreements and that this information was shared with the DPA, which allegedly was complicit in the violation of this confidentiality.
142. The Disputes Chamber recalls that the members of the Management Committee are bound by the
principle of impartiality (Article 43 of the LCA), which prohibits them from being present during
a deliberation or decision on cases in which they have a personal and
direct interest. According to the doctrine, "The personal and direct interest may be of a moral
nature, in particular when one or more members of the decision-making authority have
already expressed a clear point of view or have formed a personal opinion and could not
go back on it without losing face." (free translation).
143. This principle means that no member of the Management Committee may have a personal
interest in the decision taking a certain direction (nemo iudex in causa
sua). In particular, being morally unable to revise a previous point of view
carries the risk that members of the administration, having already expressed
(publicly) their opinion, can no longer assess the case objectively. Furthermore, the
Litigation Chamber notes that the defendant does not justify how the
situation meets the definition of a conflict of interest provided for in Article 58 of the ROI.
144. In this case, the Director of the Knowledge Center has never worked
within Freedelity, and therefore was not in a situation where the demonstration of a personal and direct
interest in Freedelity, or a conflict of interest, could be inferred from her previous
position. The fact that the Director of the Knowledge Center was aware of the Freedelity
legal model and had “validated” it in the past does not demonstrate that she had a
personal and direct interest in the decisions of the Management Committee based on
Articles 10 and 63.1° of the LCA. The Director of the Knowledge Center has never expressed
any public negative opinion regarding Freedelity. At most, the Director of the
Knowledge Center has expressed a positive opinion in the context of her former
functions on Freedelity in the past. If the director of the Knowledge Center had
actually used information collected in the course of their duties
30Wolters Kluwer – Tijdschrift voor Bestuurswetenschappen en Publiekrecht, “Partijdigheid en belangenconflicten bij het
actief bestuur: de sluipweg van het gelijkheidsbeginsel”, Lise Van den Eynde, 2024, paragraph 4. Original version: “De
This class in the well-known category is the person of subject matter. Het komt erop neer dat
Iemand met een personlijk en rechtstreeks belang zich moet onthouden van deelname aan het besluitvormingsproces » and
“Het personlijk en rechtstreeks belang kan van morele aard zijn, onder andere wanneer een de meer leden van de
be overheid eerder al een duidelijk standpunt hebben ingenomen de een eigen mening hebben gevormd en niet
zonder gezichtsverlies daarop zouden kunnen terugkomen”.
31See above Decision on the merits 146/2024 – 26/67
previous, this should have led to the only conclusion that the Freedelity service
was valid.
145. Furthermore, contrary to what Freedelity claims, there is no evidence in the case file
that the Knowledge Centre Director used confidential information or shared it with the
APD. The only statement on which Freedelity relies is the following:
“When I analysed the Freedelity offer a year ago, it constituted a clear violation of
the Privacy Regulation in several respects.” 32
146. No other sentence or information from the Knowledge Centre Director
can be found in the subsequent exchanges, opinions and documents in the case file. The
Litigation Chamber cannot therefore conclude that this was confidential information cited
by the defendant and the entire procedure is based only on information
legitimately collected by the APD.
147. The Litigation Chamber concludes that the Director of the Knowledge Centre did not
breach the principle of impartiality applicable to members of the Management Committee
(Article 43 of the LCA).
II.4.1.3. The Director of the General Secretariat (Chairman of the Management Committee)
148. First, the defendant also criticises the APD for not having forwarded to it the
decision relating to the lifting of the mandate of the President of the APD. Second, the
defendant maintains that the Director of the General Secretariat was biased because he was
the initiator of the request for information to the defendant. Third, the
defendant claims that the type of procedure followed by the Management Committee
in this case was the cause of the lifting of his mandate. It justifies itself by
supporting press articles and judgments handed down by the Council of State in cases
concerning the decision to lift the mandate.
149. First, the Litigation Chamber maintains that the APD does not have the
decision to lift the mandate of its former president.
150. Second, the Litigation Chamber recalls that situations of bias cannot arise
33
from the normal application of the law. However, the law provides that the director of the
General Secretariat may be in a position to chair the Management Committee (Article 13§2
of the LCA), and that the Chairman of the Management Committee is assisted in the performance of his
32
Email from the President of the Knowledge Center of August 2, 2019
33See the decision of the Council of State of May 11, 2021, No. 250.571 Decision on the merits 146/2024 – 27/67
tasks by the General Secretariat (Article 13§3 of the LCA). For the remainder, the Litigation Chamber refers to the previous developments on this point (see section II.3.2).
151. Third, of the nine press articles provided by the defendant, only one (exhibit 28 of the defendant’s file) makes a brief reference (one sentence in a four-page article) to a possible excess of authority by the president of the APD.
The file in question concerned questions put to a school in Ghent on a possible use of biometric data. No other file is mentioned.
152. The defendant does not provide evidence that this element was actually, alone
or among others, the reason for the lifting of the mandate of the president of the APD. It also does not explain
how the finding of an excess of competence that was allegedly noted by
the House of Representatives in the case identified by the press could be transposed to
the present case or even relevant for its processing.
153. Nor does it appear from the extracts of the decisions of the Council of State that the president of the APD
had his mandate lifted for facts related to the present case, or to the procedures put
in place for the activation of Article 63.1 of the LCA. The elements emerging from the extracts
cited are in fact very general and report serious failings and incapacities that
are not specified. Furthermore, as demonstrated above, this case was
proposed to the Management Committee by a director other than the President of the APD. The sending
of the first letter to the defendant, as well as the request to open an investigation, were
decided by the Management Committee. These elements seem difficult to reconcile
with allegations of exceeding the powers of the President of the APD.
154. The Litigation Chamber concludes that none of the elements put forward by the
defendant allows it to conclude that the General Secretariat or its director
was in a situation of bias or exceeding the powers of the defendant.
II.4.1.4. The Director of the Inspection Service (the Inspector General)
155. First, the defendant claims that the Inspector General (also a member of the
Steering Committee) had met with Freedelity in the past when he was working
for the CPVP and, secondly, had participated in the preparation of the file and decided on his
own referral. It maintains that the involvement of the Inspector General at the stage of
preparing the file for examination by the Steering Committee impacts his own
referral and the admissibility of his work.
156. Second, it also maintains that the Inspector General cannot take a position
on the activation of Article 63.1 of the LCA by the Steering Committee without affecting his
impartiality. Decision on the merits 146/2024 – 28/67
157. First, regarding the arguments on the partiality of the Inspector General, the
Litigation Chamber refers to its previous developments regarding the analysis
of situations of partiality (see paragraphs 142-143) and recalls that a situation of
partiality cannot arise from the normal application of the law. The fact that the Inspector
General sits on the Management Committee during the decision-making phase of monitoring developments in
the technological field (Article 10 of the LCA) or the phase of establishing serious indications
(Article 63.1° of the LCA), is legally provided to be compatible with his function
as Inspector General (Article 12 of the LCA).
158. Furthermore, the activation of Article 63.1 of the LCA (or Article 63.6) cannot in any case be
equated with an indictment or investigation procedure as the defendant
maintains. This is a preliminary step to the opening of an investigation, which does not
entail any definitive finding and which in no way prevents the Inspection Service from
conducting its investigation impartially thereafter. As it has proven in the past, the
Inspection Service is perfectly capable of conducting an investigation concluding that there
were no violations despite the findings of serious indications by the
Management Committee.
159. The fact that a member of the Management Committee has
“met” one or more members of a company’s staff does not
put him in a position of bias towards that company on that sole basis. Bias must be concretely demonstrated, which requires highlighting
specific facts or behaviors. 35 This obviously does not depend on the fact
that he has worked on a case in the past or met a person on this occasion.
160. For the Litigation Chamber, the exchange of information within the APD is
a sine qua non condition for the proper execution of its mission to ensure compliance with data
protection. A partitioning of information between services only takes place when
it is provided for by law. This is the case of Article 64.3 of the LCA, which provides that the investigation is secret.
161. The LCA does not provide for any other restriction on the exchange of information within the APD
when this exchange is necessary for its operation. Informal exchanges between
directors when carrying out preparatory acts for the adoption of a decision are
normal and essential steps in the decision-making process. The files opened with
the SPL concerning the defendant and the information available to the Inspector
General who was involved in these files as a lawyer at the time are entirely relevant
to assess whether an investigation should be requested against the defendant. The APD
34See in particular the decision of the Litigation Chamber 77/2020, in which the Management Committee had requested
the opening of an investigation by the Inspection Service. The latter found that the incriminated activity did not
involve the processing of personal data. The case was therefore closed by a filing without further action.
35See in this sense the judgment of the Court of Markets, 7 December 2022, 2022/AR/556, available from the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf,
p.21. What applies to collegiate bodies also applies to a member of an administrative body. Decision on the merits 146/2024 – 29/67
allegedly acted negligently by not using the information it had on
the defendant to inform its decision.
162. Indeed, if the latter could not handle cases in which he had been involved as a
lawyer before his appointment as Inspector General, this would de facto prevent the
Inspection Service from exercising its powers with regard to a large number of
data controllers. This is certainly not the intention of the House of
Representatives, which appointed the Inspector General while being fully
informed of the fact that he had been a lawyer within the CPVP. According to the
Litigation Chamber, this situation does not allow his impartiality to be called into
question.
163. Secondly, the argument that the Inspector General cannot take a position
on the activation of Article 63.1 of the LCA by the Management Committee without
affecting his impartiality is no more convincing to the Litigation Chamber. Indeed, the Management Committee
is not the only one that can request an investigation on the basis of serious evidence, since
Article 63.6° of the LCA provides that the Inspection Service may, on its own initiative,
open an investigation if there are serious indications of an offence. If the law provides that the
Inspection Service, and therefore the Inspector General, can decide alone that there are
serious indications of an offence, it can logically decide this collegially within the framework of the
Management Committee, without this affecting its impartiality in conducting the investigation.
164. The LCA also provides for a clear distinction between the investigative power, which is
devoted to the Inspection Service, and the sanctioning power, which is the prerogative of the
Litigation Chamber.
165. In this case, the Litigation Chamber concludes that no evidence of bias has been
demonstrated on the part of the Inspector General, who merely carried out
the tasks assigned to him under the LCA.
II.4.1.5. The Management Committee
166. The defendant argues that since the majority of the members of the
Management Committee were in a position of bias, the Management Committee was itself biased.
167. As already recalled by the Litigation Chamber on numerous occasions in this
decision, in accordance with the consistent case law of the Council of State, criticism of
36
bias cannot be based on a situation arising from the normal application of the law.
168. Furthermore, "the impartiality of a collegiate body can only be called into question if, on the one hand,
specific facts which raise suspicions of bias on the part of one or more members of
that college can be legally established and, on the other hand, it is clear from the
circumstances that the bias of that or those members could have influenced the entire
36 Decision of the Council of State of 11 May 2021, No. 250.571 Decision on the merits 146/2024 – 30/67
college. It is up to the person alleging that the authority did not act with independence, impartiality and thoroughness to provide proof of this."
169. The Markets Court specifies that the alleged bias of a collegiate body must be
concretely demonstrated, which requires highlighting specific facts or
38
behaviors that concern this body, therefore committed by its members.
170. The Management Committee is composed of the directors of the APD (Article 12 LCA). Each
director ensures the management of a body, as is apparent from the powers established by the
LCA. The Management Committee is competent to refer the matter to the Inspection Service in the event
of finding serious evidence of the existence of a practice likely to violate the
fundamental principles of the protection of personal data (Article 63.1° of the
LCA).
171. For the Litigation Chamber, the defendant must therefore demonstrate for each of the
members of the Management Committee against whom it makes this reproach, that on the one hand, he
showed bias, and that on the other hand, he was able to influence the other members of the college. The
Litigation Chamber adds, moreover, that the fact that a member of the
Management Committee allegedly showed a lack of bias – quod non in the present case – is not sufficient in
itself to invalidate a decision of the Management Committee. 39
172. However, as explained in sections II.4.1.1, II.4.1.2, II.4.1.3 and II.4.1.4, the bias of the
members has not been demonstrated. Furthermore, even if the bias of a member of the
Management Committee were demonstrated, this is not such as to taint the decisions
taken by the Management Committee, which are valid on condition that the “majority”
of the members were present (Article 15 of the LCA).
173. Therefore, neither the bias of the members of the Management
Committee nor that of the Management Committee itself has been demonstrated. The Litigation
Chamber concludes that the arguments of the defence on the issue of bias are not valid.
II.4.2. Processing within a reasonable time and adequate time to prepare its defence
174. The defendant argues that the proceedings lasted almost five years after the first
disputed letter, which exceeds the reasonable time and that it did not have the opportunity to
properly defend itself. She accuses the APD of deliberately soliciting
written contributions from the defendant during periods of leave. She cites
37
C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684.
38 Judgment of the Market Court of 7 December 2022, 2022/AR/556, available from the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf .
39 Judgment of the Market Court of 7 December 2022, 2022/AR/556, , available from the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf. Decision on the merits 146/2024 – 31/67
including a judgment of the Brussels Court of Appeal which provides that a file which had
experienced a period of inertia of two years exceeded the reasonable time limit.
175. The defendant invokes unreferenced case law to argue that the rights of
the defence from the perspective of the useful time limit and the right to a reasonable time limit apply to the APD.
176. The Litigation Chamber confirms that it is indeed subject to respect for the rights of
the defence, including the right to a reasonable time, protected by Article 48 of the
Charter of Fundamental Rights of the European Union and
Article 6 of the European Convention on Human Rights.
177. Concerning the reasonable time, the defendant mentions a judgment of the
Brussels Court of Appeal in which it allegedly found that the reasonable time had been exceeded in
a case that had experienced a period of inertia of two years. This judgment is not provided to the
Litigation Chamber. It cannot therefore take it into account.
178. The Litigation Chamber recalls that, according to the case law of the Council of
State, "the principle of a reasonable time, which is derived from the general
principles of good administration and legal certainty, is capable of being applied to all
administrative decisions. The reasonable period within which any administrative authority
must ensure that it takes a decision only begins to run from the moment it is
able to do so. The assessment of whether or not the duration of a procedure is
reasonable is a question of the individual case which depends, in particular, on the
circumstances of the case, and more particularly on the respective
conduct of the authority and the person concerned. » 40
179. The Inspection Service sent letters containing questions to the
defendant in June and October 2020. It subsequently carried out technical
findings and asked Freedelity new questions in October 2021. It carried out new
technical findings between December 2021 and February 2022. In April 2022, it sent its report to the
Litigation Chamber.
180. The Litigation Chamber considers that an investigation that lasted approximately two years does not exceed
the reasonable period since numerous investigative acts were carried out during
these two years, which is the case here. Furthermore, in the present case, the
Litigation Chamber does not note any period of inertia that would be close to two years.
181. For its part, the Litigation Chamber notified the defendant of its intention to deal
with the case on the merits in July 2022, three months after it was referred to it. The period between
this decision to deal with the case on the merits and the adoption of the present decision was
marked successively by requests for the production of documents, by a 41
40Judgment of the Council of State, 13 September 2022, no. 254.469, p. 16.
41See exhibit 94 of the file Decision on the merits 146/2024 – 32/67
request to the CADA, by an application for recusal followed by proceedings before the
Court of Procurement and a summons for interim relief, by requests for postponement of the hearing, and by
multiple requests for a stay of proceedings, in particular pending the publication of a
judgment of the Court of Justice of the European Union, requests which were all made by the
defendant. In view of these very numerous procedures which led to several
postponements of the hearing, it cannot be reasonably argued that the case was the subject
of an abnormally long period of inertia or that the Litigation Division was
able to adopt a decision more quickly.
182. As regards the right to a time limit for the defence, the Market Court ruled in a
judgment of 12 June 2019 that "The establishment of a timetable for submissions where each
party has approximately one month and where the defendant is granted the final deadline is
consistent with the rules on the rights of the defence." (free translation) 44
183. The Litigation Chamber notes that during the investigation by the Inspection Service, the
defendant always had a response period of at least 30 calendar days and
a maximum of 45 days, which is consistent with the case law of the Market Court. The
Litigation Chamber cannot therefore conclude that there was a violation of the right to a time limit for the
defence at the investigation stage.
184. As regards the time limits granted to the defendant during the proceedings on the merits, the
Litigation Chamber recalls that these are identical in all the cases it
deals with on the merits and that they are extended by two weeks during the
months of July and August. The defendant therefore had a period of 8 weeks, which is
identical to that which would have been granted to any other defendant in
proceedings based on an investigation report. This period was subsequently
extended by three weeks at the request of the defendant. It was again
extended by two weeks at its request, bringing the total to 13 weeks.
185. When additional documents were provided to the defendant following its
requests, it was given a period of two weeks 45 to adapt its conclusions (period
extended by one week at its request). The defendant cannot therefore reasonably
maintain that the time limits granted to it by the Litigation Chamber, and which were
42
See Exhibit 94 of the case file
43 See in particular Exhibits 87 and 136 of the case file, and the following pages of the defendant's additional submissions:
(i) page 163, "The Litigation Chamber must stay its decision on this point pending the outcome of case C154/21
pending before the Court of Justice",.
44 Judgment of the Market Court, of June 12, 2019, No. 2019/AR/741, available at the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-12-juin-2019-de-la-cour-des-marches-available-en-
Dutch.pdfP.11.Original version:“Hetopstellenvaneenconclusiekalenderwaarbijelkepartijoverongeveeréénmaand
beschiktenwaarbijdeverwerendepartijdelaatstetermijnverkrijgtisconformaanderegelsvanderechtenvanverdediging”.
45The Litigation Chamber notes in this regard that when the Interim Relief Chamber of the Court of First Instance of Brussels ordered the APD to provide additional documents to the defendant, it also considered that a period of 15 days was sufficient for the defendant to be able to conclude on the documents (a period which was granted to the
defendant by the APD). Decision on the merits 146/2024 – 33/67
extended by his act on multiple occasions, did not allow him to have a useful period
to prepare his defense.
186. The Contentious Chamber in concludes that there has been no exceeding of the reasonable time limit
in this case, nor any failure concerning the right to a useful time limit.
II.4.3. The principle of adversarial proceedings
187. The defendant considers that by repeatedly and constantly refusing to provide
certain documents that it requested, the APD has violated the principle of adversarial proceedings and the
rights of the defence. The defendant considers that the APD has repeatedly refused to provide
decisive elements in the file and in its defence.
188. The The Contentious Chamber reminds that the LCA does not define the composition of the administrative
file. This is composed of all the official decisions and documents related to a
case (decisions of the SPL, investigation report of the SI, decisions of the CC, etc.). The Litigation Chamber
forwarded the entire administrative file to Freedelity when the
latter requested it to do so.
189. The defendant subsequently demanded the production of internal documents from the APD that are
not traditionally present in an administrative file.The defendant's requests have varied on numerous occasions and have been made on
varying grounds.
190. On 2 May 2023, the Litigation Chamber transmitted to Freedelity all the
additional documents that it requested, to the extent that the APD had these.
191. On 18 July 2023, APD again sent Freedelity certain documents following
the CADA's opinion, namely the agenda of the meeting of the Management Committee of the APD of 6
December 2019 as well as a more complete version of the minutes of the same
meeting.
192. It was only on 22 December 2023, by a first summary summons, that Freedelity
requested (from the Court) access wider than that previously requested and obtained.
193. The APD responded to this new request by sending Freedelity the most recent documents in the administrative file – these documents were all already known to Freedelity – since they were correspondence between Freedelity and the APD. 194. The APD again sent additional documents to Freedelity on its own initiative
dated 12 January 2024, which it considered could be relevant in the
46The Litigation Chamber recalls in this regard that the opinions of the CADA are not not binding at all. See C.E., 15
November 2002, 111.522, Poncin. Decision on the merits 146/2024 – 34/67
framework of the criticism that Freedelity intended to formulate concerning the way in which the APD was seized of the case concerning it .
195. Then, in the context of the interim relief proceedings, Freedelity and the APD agreed that
the APD would provide certain additional documents.
196. Finally, following the order of the Interim Relief Chamber, the APD provided additional
documents, including preparatory documents, such as internal
communications between APD employees.
197. It is clear from the chronological description above that the APD has, on several
occasions and voluntarily, provided additional documents to the defendant. It also
complied with the order of the Chamber of Interim Relief when it required it to
provide certain additional documents.
198. The fact that a party to a case requests the production of additional documents
to the case file administrative does not mean that the Litigation Chamber is obliged to follow it up without being able to contest the need for such production.
199. The fact that the APD contested, for certain documents, the need to produce them cannot
result in a violation of the principle of adversarial proceedings and the right of defence. It is
moreover right that the APD opposed the production of certain documents and
since both the CADA and the Chamber of Interim Relief refused Freedelity access to certain
documents .In addition, all the exhibits could have been the subject of an adversarial debate, in particular
during the hearing.
200. As regards more specifically the decision to lift the request of the former president
of the APD, the Litigation Chamber refers to the developments above (see
paragraphs 130-133 and section II.4.1.3).201. Furthermore, the Litigation Chamber notes that the defendant was ultimately able to obtain
all the documents necessary for its defence, since it was able to exhaustively
formulate the grievances it wished to make concerning the legality of the procedure.
202 . The Litigation Chamber cannot find a violation of the principles of
adversarial proceedings and the right of defense in this case.
II.4.4. Violations of the principles of good administration
203. The defendant considers that the duty of "fair play", the duty of " solicitude" and the duty
of motivation were not respected by the APD, without further details concerning
these complaints.
204. The Litigation Chamber notes that the defendant does not explain what it means
by "duty to do- play" and "solicitude", does not cite its sources, and does not justify in
why the duty of motivation was not respected by the APD. Decision on the merits 146/2024 – 35/67
205. With regard to the duties of “fair play” and “care”, the defendant’s complaints are
formulated as follows: “The Authority is seriously failing in its duty of fair play and
care, which constitute principles of good administration in their own right." The
Litigation Chamber can only note the absence of factual arguments which
should corroborate the lack of respect for such duties.
206. The Litigation Chamber cannot therefore respond to these arguments, and refers, as far as necessary, to its considerations concerning the principle of adversarial proceedings and
access to files above (see section II.4.3).
207. The Litigation Chamber considers that the principles of good administration have been
respected.
II. 5. On the merits
II.5.1. On the processing operations in question, the responsibility for the processing operations and the legal bases
1. On the processing operations in question
208. Article 4, 2) of the GDPR defines processing as “any operation or set of operations
whether or not performed using automated processes and applied to
personal data or sets of data, such as the collection,
recording, organization, structuring, storage, adaptation or
modification, extraction, consultation, 'use, communication by transmission,
diffusion or any other form of making available, the approximation or interconnection,
limitation, erasure or destruction'.
209. In this case, the Litigation Chamber notes, on the basis of the information provided by
Freedelity to the Inspection Service, that the following data processing operations are
implemented:
47
210. Firstly, the collection of personal data:
a) directly provided by customers through the reading of the eID card. The reading of
the eID card can be carried out, in particular via eID readers, via a terminal
installed at Freedelity customers' premises, or via any other type of terminal. For
people who do not have a Belgian eID card or who do not want to make use of, the
same data may be entered manually into the screen of a terminal
or via the partner's website by the person concerned or the staff of
Freedelity's customers, based on the information provided by the person
concerned.
47See page 24 of the additional submissions Decision on the merits 146/2024 – 36/67
b) by Freedelity:
- via its MyFreedelity platform or application, including cookies embedded in
emails and other digital interfaces, or
- by recording the data communicated by the person concerned as part of
their voluntary registration in the Freedelity file.
48
211. In its responses to the questions from the Inspection Service, Freedelity indicates that the
49
data collected is largely collected through Freedelity terminals , in
a less significant portion, the data is collected through a seller
authorized by the Freedelity customer, and very rarely, the data is collected through
the filling of an online form.
50
212. Secondly, the pooling of personal data consists of sharing and
automatically updating the information of a common consumer between
several brands that have subscribed to the Custocentrix service, with which
he has a relationship, while guaranteeing that those who already have his data
can access these updates if the consumer's personal data has changed. To understand
this processing, it is essential to remember that most of the electronic data
contained in the identity card are updated in the event of a change. Thus, as the defendant recalls in its submissions, if a brand A has more recent information on a consumer
in common with a brand B, then pooling allows for the transfer of this up-to-date data to brand B. Only companies that already have
a commercial relationship with the consumer (i.e. they have, prior to granting the card, this consumer in their database) can access the
updated data via this pooling.
213. The Litigation Chamber considers that the collection and pooling processes are
inextricably linked, insofar as the purpose of collecting data from the
electronic identity card is to allow the Freedelity file to be populated, which
is presented as a precise and constantly updated database. Indeed,
52
as Freedelity points out, "Saving in the Freedelity file does not entail
any particular purposes other than those related to the management of the Freedelity file. It is
one and the same processing. These data flows reach us through
48See page 11 of the responses provided by Freedelity to the Inspection Service on 29 October 2020.
49
Freedelity only collects information contained in the eID card through the terminals and readers
distributed through it (see page 14 of the responses provided by Freedelity to the Inspection Service on 29 October
2020)
50See page 14 of the defendant’s additional submissions
51For example, Belgian citizens have eight days to declare their new address to the population service of the municipality
into which they are moving. This new address is recorded by the municipality in their electronic identity card,
even if this data does not appear on the official (physical) document.
52
See page 3 of the responses provided by Freedelity to the Inspection Service on 29 October 2020. Decision on the merits 146/2024 – 37/67
different methods of data collection and consents as described
above”. These will be examined jointly in the following sections.
214. The Litigation Chamber notes that the defendant does not contest implementing
the processing described in the preceding paragraphs.
2. On the responsibility for processing
215. A controller is defined as "the natural or legal person, public
authority, agency or other body which, alone or jointly with
others, determines the purposes and means of processing" (Article 4.7 of the
GDPR) (emphasis added). This is an autonomous concept specific to
data protection regulation, which must be assessed according to the criteria it
establishes: determining the "purposes" and "means" of processing involves
deciding the "why" (the reason or objective of the
processing) and the "how" (the way in which this objective will be
achieved).
216. In some cases, responsibility is considered joint. For there to be
joint responsibility for data processing, it is necessary that two or more
entities participate together in determining the purposes and means of
processing. This participation may be manifested by a joint decision or by convergent
decisions that complement each other and are essential to the performance of the
processing. A key criterion is that the processing could not be carried out without the
contribution of each party, which means that the processing operations are inseparable and
inextricably linked.
217. The Litigation Chamber recalls that in the event of joint responsibility, Article 26 of the
GDPR requires joint controllers to ensure, by means of a contract,
that they mutually comply with the GDPR.
218. According to the EDPB Guidelines on the concepts of controller and processor, “Joint participation may take the form of a joint decision
taken by two or more entities or result from converging decisions adopted by two or more entities, where the decisions complement each other and are necessary for
the processing to be carried out in such a way that they have a concrete effect on determining the purposes
and means of the processing. An important criterion is that the processing would not be possible without the participation of both parties in the sense that the processing by
each party is inseparable from that of the other, i.e. inextricably linked.
53EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (v. 2), adopted on 7 July 2021, (hereinafter “Guidelines 07/2020”), section 35.
54
EDPB, Guidelines 07/2020, page 3.
55EDPB, Guidelines 07/2020, page 3. Decision on the merits 146/2024 – 38/67
Joint participation must encompass, on the one hand, the determination of the purposes and, on the other, the determination of the means” (emphasis added).
219. The Litigation Chamber will successively analyse situations of joint participation
in the context of the determination of the purposes (a) and the determination of the means
(b).
a) Determination of the purposes
220. First, the Litigation Chamber notes that the purpose of the collection and
pooling of personal data is to feed the pooled Freedelity file
to enable unique and up-to-date identification of consumers.
221. Freedelity considers that it exclusively controls this purpose, with the
brands only intervening in the collection methods and without making a decision
regarding the final objectives of the processing. In this sense, Freedelity considers that joint
liability does not apply.
222. Contrary to what the defendant maintains, the Litigation Chamber considers that
this purpose is common to Freedelity and the brands. Indeed, this purpose is
necessary to enable Freedelity to enrich its database to attract
brands interested in reliable and up-to-date identification of their consumers. It
is also essential for brands wishing to avoid any confusion between their
consumers and thus prevent the accumulation of obsolete data.
223. The fact that these treatments occur one after the other has no impact on the
qualification of joint controller. According to the CJEU, "the existence of
joint responsibility does not necessarily translate into equivalent
responsibility of the different operators concerned by the processing of personal
data. On the contrary, these operators may be involved at different stages of this
processing and to different degrees, such that the level of responsibility of
each of them must be assessed taking into account all the relevant
circumstances of the individual case." 6
224. In order to remove any ambiguity, the Litigation Chamber specifies that this
decision does not concern the processing purposes specific to the brands (such as
registration for consumer loyalty programs, sending digital invoices, etc.), for
which Freedelity does not have joint responsibility. It is
important not to confuse these purposes specific to the brands with the common
purpose in question, which is the collection and pooling of data to
update the Freedelity file. Confusing these different purposes, as the defendant does,
56Judgment of the CJEU of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C 210/16, EU:C:2018:388, paragraph 43. Decision on the merits 146/2024 – 39/67
leads to an incorrect characterisation of the roles of the parties. Furthermore, the
Contentious Chamber also does not dispute that when a brand ceases its collaboration
with Freedelity, Freedelity remains the sole data controller for future
processing, even if the data was initially collected by the brand that
terminated its contract with Freedelity.
(b) Determination of the means
225. Secondly, as regards the means, the Litigation Chamber recalls that according
to the EDPB guidelines, “It may also be the case that one of the entities concerned
provides the means of processing and makes them available for the personal data
processing activities carried out by other entities. The entity that
decides to use these means so that personal data can be processed for a
particular purpose also participates in determining the means of processing. This
scenario may occur in particular in the case of platforms, standardised
tools or other infrastructures that allow the parties to process the same personal
data and that have been created in a certain way by one of the
parties for use by other parties, who may also decide how to create them”.
226. In this case, the means of processing are also defined jointly: the collection is
carried out mainly by customers via devices provided by Freedelity and offered
by the brands (particularly via the terminals). In terms of means, Freedelity
centralises the data in a technical infrastructure that it has developed, but the
pooling is itself made possible by the continuous contributions of customers,
who regularly transfer identity data to make it possible
to update the information.
227. In addition, Freedelity explains that the content of the terminal varies between the
brands in order to take into account the multiple customer journeys and actions related to the
collection of personal data as well as the expectations of its customers regarding the
consideration of elements specific to them, in particular their identity and their graphic charters. Regarding
manual forms, Freedelity explains that forms can vary from one client
to another (i.e. the visual and text content). For some, it is even Freedelity
that does the formatting work on behalf of the client.
228. Regarding this last point, the Inspection Service requested further
clarification. Freedelity responded that: “The process is similar to that of the
57EDPB, Guidelines 07/2020, sections 64 and 65.
58
See page 8 of Freedelity’s responses to the questions posed by the Inspection Service on 29 October 2020.
59 See page 9 of Freedelity’s responses to the questions posed by the Inspection Service on 29 October 2020. Decision on the merits 146/2024 – 40/67
design of the forms used in the Kiosks when the implementation of the form is entrusted to us. We do not reinvent the wheel for each customer, which explains why the underlying logic remains similar.”60
229. In a document intended for retailers, although after excluding joint liability, Freedelity reveals a non-exhaustive list of cases where collaboration is evident
must take place between Freedelity and the brands, which reinforces the analysis of the
61
Litigation Chamber that this is a case of joint liability. This non-exhaustive list refers, among other things, to:
- the validation of forms and processes for collecting personal data via
terminals, cash register systems or other digital interfaces,
- the production and delivery of leaflets intended to inform consumers,
- informing consumers when collecting their consent to the
processing of their data by providing oral explanations supported by the
delivery of the explanatory information leaflet,
- the provision of alternative solutions to reading the identity card in order
to benefit from the advantages or the loyalty program.
- explicit mention of the use of Freedelity's services in the terms and privacy policy,
- validation of the robustness of the processing of data flows between customers'
applications and CustoCentrix,
- mandatory and immediate coordination in the event of a personal data
leak,
- coordination in response to requests for deletion of their data by
certain consumers,
- the implementation of IT systems ensuring the required IT security.
230. In conclusion, if the collection is mainly the responsibility of the brands, while the
pooling is carried out by Freedelity, these operations are inseparable and
inextricably linked, since the second could not happen without the first. In other
words, pooling by Freedelity is only possible through the collaboration of the
brands in the process of collecting identity data.
60See page 15 of the responses provided by Freedelity to the additional questions posed by the Inspection Service on
29 October 2021
61“White Paper” by Freedelity, 2020 edition. Decision on the merits 146/2024 – 41/67
231. This technical infrastructure, configured by Freedelity but integrated mainly
in the customers’ environment, shows a convergence of the means of processing and
the purposes implemented to carry it out. The Litigation Chamber considers, like
the Inspection Service, that this is a case of joint liability.
232. Freedelity is joint data controller with its customers for the collection and
pooling of identity data.
3. On the legal bases of processing
233. Article 5.1.a of the GDPR requires that data be processed lawfully, fairly and
transparently, which requires in particular securing a legal basis to implement
the data processing.
234. Under Article 6.1 of the GDPR, several legal bases may be invoked by
the data controller, including consent: "processing is lawful only if, and
to the extent that, at least one of the following conditions is met:
235. a) the data subject has consented to the processing of his or her personal data
for one or more specific purposes;
236. […]".
237. The collection and sharing of personal data must take place in accordance
with applicable law, in particular Article 6, §4 of the 1991 law 62 and the GDPR. This article
of the 1991 law requires the prior obtaining of "free, specific and informed" consent
for the electronic reading of data appearing on the identity card. The CPVP
(predecessor of the APD) issued a recommendation on 25 May 2011 63 in which
it recommended: "The prior obtaining of the free, specific and informed consent
of the customer to proceed with the electronic reading of his identity card as part of a
loyalty system. An alternative to the use of his identity card must also be offered to him" (emphasis added).
238. These criteria directly echo the criteria for valid consent within the meaning of the GDPR 64
and must meet the conditions for consent of Article 6.1.a) of the GDPR, provided for in
Article 4.11) of the GDPR, and explained in the EDPB Guidelines 5/2020 on
consent within the meaning of Regulation (EU) 2016/679.
62 Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link:
https://www.ejustice.just.fgov.be/img l/pdf/1991/07/19/1991000380 F.pdf
63
CPVP, recommendation No. 03/2011 of 25 May 2011, on taking copies of identity cards, as well as their use and electronic reading, the link to which is available opposite:
https://www.dataprotectionauthority.be/publications/recommandation-n-03-2011.pdf (page 7)
64
Under Article 4.11) of the GDPR, consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she accepts, by a declaration or by a clear affirmative act, that
personal data concerning him/her are processed" (emphasis added). Decision on the merits 146/2024 – 42/67
239. These criteria ensure that each individual retains full control over the use of
his/her personal data, particularly when it comes to reading his/her electronic
identity card, for which the Belgian legislator has provided a specific regime. In France, the
National Commission for Information Technology and Civil Liberties has even considered that
an electronic identity card contains information that can be considered as "highly personal
data". 65
240. Consent ensures that this control is exercised with full knowledge of the facts,
thus allowing the person concerned to decide freely whether or not
he/she accepts that his/her data is used in this specific context. This choice must be made freely and
specifically, i.e. relate to a clearly defined purpose. In addition,
the obligation to offer an alternative to the use of the eID card is essential to ensure
that the use of this card remains an option, and not an obligation.
241. In this sense, Article 6§4 of the 1991 law protects citizens by ensuring that the processing
of their identity data takes place in a transparent framework, respectful of their
privacy, and in accordance with the fundamental principles set out by the GDPR. The use
of consent, as provided for in Article 6.1.a of the GDPR, is therefore the appropriate legal
basis for the processing of personal data collection and pooling.
242. In conclusion, the collection and sharing of personal data must be based
on the consent of the persons concerned, namely the consumers of the
brands, in accordance with Article 6.1.a of the GDPR.
II.5.2. Finding 1: On the validity of consent (5.1.a., 6.1.a, 7 and 5.2. of the GDPR):
243. As a preliminary, some consent mechanisms implemented by
Freedelity and certain brands will be recalled. The brands whose processing has been examined
offer an alternative to data collection by identity card, i.e. by
66
filling out a manual form. This obligation is provided for by the 1991 law and is
applied – for example – as follows:
a) On the Freedelity website, to create a profile, the person concerned must
enter their identity card number and activate the toggle “I consent to
registering with Freedelity and agree to its privacy policy” (associated with a link).
b) At Enseigne A, a terminal associated with a home screen offers the
consumer to enter their identity card to give their consent,
65See the doctrine of the French data protection authority (the Commission Nationale de l’Informatique et
des Libertés), which considers that the NIR [personal registration number] is “highly personal data”: https://www.cnil.fr/fr/tout-savoir-sur-le-decret-cadre-nir-dans-le-champ-de-la-sante
66Article 6§4 of the Law of 19 July 1991 relating to population registers, identity cards, foreigners’ cards
and residence documents, available at the following link:
https://www.ejustice.just.fgov.be/img l/pdf/1991/07/19/1991000380 F.pdf Decision on the merits 146/2024 – 43/67
which must be deemed to have been obtained, according to the defendant, when the person inserts
his card into the card reader and continues to browse the pages of the
terminal:
“By using your identity card, you agree that Enseigne A and Freedelity
use the identity data to inform you of actions that correspond to your
profile and interests and to update the databases of Freedelity’s commercial
partners. Find out more”.
By clicking on "Learn more", a page opens on which EnseigneA presents
three distinct purposes for which this consent is obtained:
(i) To update the information of the persons concerned in the
databases of Enseigne A and other Freedelity partners,
(ii) To allow Enseigne A to carry out its marketing actions based on
the registration of the telephone number and email address,
(iii) To allow Enseigne A to send a digital proof of guarantee
(proof of purchase) in replacement of the receipt.
c) At Enseigne B, two consent mechanisms are offered through the
terminals: 1) “I agree that Enseigne B uses my data to inform me
of future actions based on my interests”, and 2) “I agree that Freedelity,
Enseigne B’s partner designated to manage my loyalty card, manages my data
in this context, informs me of actions based on my interests and updates the
databases of Freedelity’s partners”. However, on the
Enseigne B website, three consent mechanisms are present: 1) “I consent
to registering with Enseigne B and agreeing to its privacy policy [link]”, 2) “I consent
to registering with Freedelity and agreeing to its privacy policy [link]”, 3) “I consent
to receiving offers by SMS and email from Enseigne B”.
d) On the Enseigne C website, three consent mechanisms are offered during manual
registration: 1) “I accept the registration, the general terms and conditions [link]
and privacy policy [link] of Freedelity”, 2) “I accept the registration and the
general terms and conditions of Enseigne C [link]”, 3) “I agree to receive offers by
SMS and email from Enseigne C”.
244. The defendant maintains that the various consent-obtaining
mechanisms set up by the brands for the collection and sharing of personal
data are all compliant with the GDPR. With regard to its three aforementioned partners, it
successively analyses the characteristics of consent in an attempt to demonstrate
that they meet the requirements of Article 4.11 of the GDPR. While it is not possible to
present the defendant’s arguments in detail in this section, which extends over Decision on the merits 146/2024 – 44/67
50 pages of conclusions, the Litigation Chamber will respond to the defendant’s
arguments in its analysis below.
245. The Litigation Chamber refers to its previous paragraphs concerning the
need to obtain a legal basis for processing within the meaning of Article 5.1.a of the GDPR (see
paragraph 233), and consent as a possible legal basis within the meaning of
Article 6.1.a of the GDPR (see paragraph 234234).
246. It recalls that under Article 4.11) of the GDPR, consent is defined as
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which
the data subject signifies agreement, by a statement or by a clear affirmative action, to the processing of
personal data relating to him or her".
247. Article 7.1 of the GDPR relating to the conditions applicable to consent provides that:
"where processing is based on consent, the controller
shall be able to demonstrate that the data subject has given his or her consent to the
processing of personal data relating to him or her". In addition, the controller
shall be able to demonstrate that valid consent has been given
(Article 5.2 of the GDPR).
248. It emerges from the Inspection Service's investigation and the observations
sent by Freedelity that the brands are contractually designated as separate
data controllers. The clauses of the contract subject them to general obligations of
cooperation with Freedelity, to collect valid consent and provide
information to the persons concerned. The Litigation Chamber recalls that it is
not bound by a qualification of the role of the parties as it results from the agreements concluded
between them.
249. The Litigation Chamber notes that the different mechanisms presented in
paragraph 243243 are significantly different, and each fails in its own way,
to meet the essential criteria of consent. The defendant uses as a general argument
that the EDPB guidelines on consent, used to support the analysis made
by the Inspection Service, are not enforceable against Freedelity because they were
adopted after the investigation. This argument is irrelevant, since these guidelines
essentially take up the achievements of the guidelines on consent
adopted in 2017 by the Article 29 Working Party ("WP29") 68:
A) Free nature of consent: For consent to be considered
free within the meaning of Article 4.11 of the GDPR, the data subject must be able to consent
67
EDPB, Guidelines 07/2020, section 191
68G29, Guidelines on Consent under Regulation 2016/679, adopted on 28 November 2017, and available on the following link:
https://ec.europa.eu/newsroom/article29/items/623051/en. Decision on the merits 146/2024 – 45/67
freely, i.e. without being subject to pressure or negative consequences if
they refuse the processing of their personal data. Consent must be given
without the obligation to adhere to other conditions, and the data subject must be able
to withdraw their consent without suffering any harm. In addition, the eID cardholder
may refuse to have their data read and/or recorded in the context of
loyalty, which means that they must be able to benefit from the possibility of subscribing to
a loyalty program outside of any eID card reading. In the
situations presented, several elements show that consent is not
free:
- At Enseigne C, the services offered require acceptance of the
Freedelity general conditions as consent within the meaning of Article 6.1.a of the GDPR.
The fact that the data subject must accept the general terms and conditions of
Freedelity in order to benefit from the commercial advantages offered by Enseigne C
demonstrates a lack of freedom offered to the data subjects. Such
consent, which combines both (i) the acceptance of the general terms and
conditions of Freedelity and (ii) the obtaining of consent (Article 6.1.a of the GDPR)
necessary for the processing of the collection and sharing of personal data, is to
the detriment of the data subject and is not free by nature. 71
- It is incorrect for the defendant to assert that when consent is
requested separately for the processing of data by (i) a brand and
(ii) by Freedelity, this circumstance makes the consent free. Indeed, assuming
that all the other conditions of consent are met, it is up to the
defendant to demonstrate that consent to processing operations by
Freedelity is completely optional, such that, by setting up
separate consent mechanisms, the data subject does not need to
consent to the pooling service offered by Freedelity and its partners in
order to benefit from the commercial advantages offered by the brand.
- Thus, in all cases where the persons concerned are forced to consent to the
processing of their personal data by Freedelity (in particular the
pooling), in order to obtain the desired commercial advantages, this consent is
vitiated because it is not free (see in particular the example of Enseigne A). Indeed,
consent can only be free if the person has the choice to accept or refuse
69EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 (v1.1), adopted on 4 May 2020,
(hereinafter, "Guidelines 5/2020"), section 13 et seq., and available at the following link:
https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf
70Article 6§4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards
and residence documents, available at the following link :
https://www.ejustice.just.fgov.be/img_l/pdf/1991/07/19/1991000380_F.pdf
71EDPB, Guidelines 5/2020, section 13 et seq. Decision on the merits 146/2024 – 46/67
the pooling of his personal data, envisaged as a service that would benefit him
distinctly from the commercial advantages offered by the brand in question.
B) Specific nature of consent: To be considered specific within the meaning
of Article 4.11 of the GDPR, consent must relate to precise and
distinct purposes. Each purpose must be clearly separated from the others in order to avoid any use
of the data collected that has not been previously and clearly announced to the person
concerned. In all the cases presented, the consent is not specific:
- On the Freedelity website, the request for consent related to the creation of a
profile includes the obligation to provide one's identity card number and to accept the
privacy charter. Contrary to the defendant's allegations, the presence
of a link to the privacy charter containing more information on the
processing does not make the consent specific. Indeed, the
Litigation Chamber notes that the request is global, not distinguishing
between consents (i) to the creation of an account, and (ii) to the subsequent use of the
data in order to feed the shared Freedelity file using data collected by
other partners. The absence of specification of each purpose prevents the
data subject from understanding and consenting separately to the
different uses of their personal data.
- At Enseigne A, the terminal does not allow specific consent: by inserting
their identity card, the person concerned generally accepts the use of their
data for three separate purposes (updating Freedelity’s databases,
marketing actions, and sending proof of digital guarantee). However, each
purpose should be presented as requiring a separate request for consent to
ensure control of the user’s data, which is not the case in this instance. The
Litigation Chamber disputes the defendant’s claims that the
EDPB’s guidelines on consent do not prohibit several
purposes from being linked. The Litigation Chamber refers to the version of these guidelines
adopted in 2017 by the G29.73
- Retailer B and Retailer C offer different consent mechanisms
through a system of terminals (Retailer B only) and their websites, but the
structure of these options creates confusion. In Retailer B, consent
to Freedelity's processing operations groups together several distinct purposes. On
72
EDPB, Guidelines 5/2020, section 55 et seq.
73 See Guidelines 5/2020, section 58: "Without prejudice to the provisions relating to the compatibility of purposes,
consent must be specific to the purpose". "If a data controller processes data based on consent and wishes to process the data for another purpose, it must seek additional consent for that other purpose unless another legal basis better reflects the situation", which on this point echoes a well-established position since the publication of the 2017 G29 guidelines on consent also cited above (see page 12). Decision on the merits 146/2024 – 47/67
the websites of these brands, the consents are not specifically
linked to clear and distinct purposes. For example, it is not specified whether the data
collected are used only by Brand B or whether they will be shared in the
Freedelity file, accessible by other partners. Specific consent
would have required separating the purposes related to Enseigne B and those common to Enseigne
B and Freedelity, to obtain the explicit consent of the data subject for their
personal data to be shared and updated in the Freedelity file, using
the contributions of Freedelity’s partners.
250. C) Informed nature of consent: The GDPR requires that consent be informed,
i.e. allowing data subjects to understand precisely what
74
they are consenting to. In addition, the minimum requirements for informed consent are
75
included in the guidelines on consent and include in particular (i)
the identity of the data controller, (ii) the purpose of each of the
processing operations for which consent is requested, (iii) the (types of) data
collected and used, (iv) the existence of the right to withdraw consent (etc.).
Regarding points (i) and (iii), the EDPB points out that if the consent requested must serve as a basis
for several (joint) controllers or if the data must be transferred to, or processed by, other controllers who wish to rely on the
original consent, these organisations should all be named.
251. The 1991 law also requires that “informed” consent be provided in the event
of electronic reading of the information on the identity card. In the situations described,
the consent cannot be described as informed:
- On the websites of Freedelity, Enseigne B, and Enseigne C, the concept of
mutualisation, requiring the sharing of data with Freedelity’s partners, is not
explained at all to the data subject when obtaining their consent.
This information is nevertheless essential for the persons concerned
to understand the processing that will be done of their personal data, making the
consent uninformed. The fact that the categories of recipients are
included in Freedelity's privacy policy is not sufficient to make the consent
informed, as the defendant maintains, since this separate obligation is governed by the
transparency obligations of Articles 13 and 14 of the GDPR.
- On the terminals of Enseigne A and Enseigne B, if the concept of mutualisation is referred to in a more or less direct manner, the recipients of the personal data are not mentioned.
74
EDPB, Guidelines 5/2020, section 62 et seq.
75 EDPB, Guidelines 5/2020 , sections 64 and 65
76 Article 6§4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link:
https://www.ejustice.just.fgov.be/img l/pdf/1991/07/19/1991000380 F.pdf Decision on the merits 146/2024 – 48/67
However, since each recipient of the data acts as a (joint) data controller with Freedelity, and therefore as a potential recipient of the data collected by the other joint controllers of
Freedelity, it is essential to inform the person by announcing the identity of the
recipients of this data. It was therefore appropriate to name them individually, without
which the consent could not be considered informed, and therefore valid. The
Guidelines on consent, both in their previous version 77 and in their
current version, specifically mention this point. This omission, in violation of the
GDPR, is aggravated by the circumstances of the processing, which require the
electronic collection of particularly sensitive identity data, and their subsequent
automated exchange between data controllers in the event of an update of the latter.
D) Unambiguous nature of consent: For consent to be considered
unambiguous, it must result from a clear positive act by the data subject. This requirement
excludes any ambiguity: the action by which the person concerned consents must be
clearly distinguished from other possible actions, in particular the simple continuation of
navigation.The Litigation Chamber notes that the consent cannot be described as
unambiguous for the following reasons:
- In the case of Enseigne A, the defendant considers that the person who inserts his
identity card into a reader and clicks on a green button to continue
browsing, gives unambiguous consent. Contrary to what the
defendant maintains, the simple fact of navigating from page to page on a terminal by
pressing a green button to continue does not amount to a clear expression of
consent. For the Litigation Chamber, the simple click on the green button to
navigate from page to page does not meet the requirements of valid consent,
in accordance with Article 4.11) of the GDPR. 80
- Indeed, successive navigation from one page to another can just as well indicate
an exploration of options or an acknowledgement of information, rather than
an approval of a specific data processing. The fact of moving from page to page,
even with a return option (via a red button), remains ambiguous and can mean
several things: exploration, search for more information, or simple navigation,
without it being possible to unequivocally deduce the intention to consent. Thus,
for consent to be unequivocal, the terminal should include a mechanism
77G29, Guidelines on Consent under Regulation 2016/679, adopted on 28 November 2017: “With regard to item (i) and (iii),
WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be
transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be
named” (page 13).
78
EDPB, Guidelines 5/2020, section 65
79EDPB, Guidelines 5/2020, section 75 et seq.
80See also, EDPB, Guidelines 5/2020. Decision on the merits 146/2024 – 49/67
explicit request for consent, such as a specific and dedicated button,
formulated in such a way that the data subject understands unequivocally that by
clicking, he or she is giving his or her consent to the processing of his or her personal data.
252. The Litigation Chamber wishes to clarify that the examples mentioned above are
limited to three specific cases detailed by Freedelity, in which consent,
although not valid, was actually obtained. It notes, however, that Freedelity does not
provide proof of the very existence of any collection of consent
by Freedelity's other partner brands.
253. In conclusion, the Litigation Chamber argues that the mechanisms put in place by
the brands to ensure compliance with Articles 5.1.a and 6.1.a of the GDPR do not
allow valid consent to be considered to have been obtained, in violation
of Articles 5.2 and 7 of the GDPR.
II.5.3. Finding 2: Measures put in place to facilitate the right to withdraw
consent at any time (Arts. 7.3, 5.2, 24 and 25 of the GDPR)
254. According to the defendant, data subjects who wish to withdraw their
consent to the processing of their data by Freedelity can do so by going to the
“My profile” tab of the MyFreedelity portal and disabling the “Validation and updating
of my data with Freedelity customers” toggle. Concerning Brand A, Freedelity
indicates that the possibility for the person concerned to return to the previous page by
clicking on a red button associated with a cross constitutes a right to withdraw consent. It
considers that for certain brands: "The fact that the person concerned has the
possibility of simply not confirming their account is an additional way
made available to them by Freedelity to withdraw their consent to the
processing of their data".
255. It also explains that the person concerned can always send their
withdrawal request by email or by post, or make their request to the
seller of the brand. In this sense, Freedelity considers that it allows the persons
concerned to withdraw their consent at any time. Furthermore, and notwithstanding
these measures which it considers satisfactory, Freedelity admits that it is in the process of changing the
terminal screens in order to provide the possibility for the person concerned to delete their
accounts directly via the terminal.
256. The Litigation Chamber recalls that Article 7.3 of the GDPR provides that: "The data subject
has the right to withdraw his or her consent at any time. The withdrawal of
consent does not compromise the lawfulness of processing based on consent
81As of 12 November 2020, there were 5 customers who used terminals (page 8 of the responses provided by the
defendant to the questions from the inspection service asked on 29 October 2020). Decision on the merits 146/2024 – 50/67
made before this withdrawal. The data subject is informed of this before giving his/her
consent. It is as easy to withdraw as it is to give your
consent. Articles 24.1 and 5.2 of the GDPR impose
accountability obligations on the data controller, requiring it to be able to
demonstrate that the processing is carried out in accordance with the
GDPR.
257. Article 25.1 of the GDPR requires the data controller to
apply data protection measures by design and by default, depending in particular
on the nature, scope and risks of the processing for the rights and freedoms of
the data subjects. It requires the implementation of technical and
organisational measures to ensure compliance with the GDPR.
258. In this case, Freedelity is criticised for not having
implemented sufficiently simple and direct means to allow the withdrawal of
consent. Although
options exist via the MyFreedelity portal and in-store terminals, these methods do not
meet the simplicity requirement of Article 7.3 of the GDPR, according to which
withdrawing consent must be as simple as giving it. Indeed, the need for
data subjects to navigate through various tabs or interfaces, as well as
the absence of an explicit and immediate withdrawal option, may discourage
consumers from withdrawing their consent.
259. The principle of data protection by design and by default, as set out in
Article 25 of the GDPR, requires the data controller to implement adequate
technical and organizational measures to ensure the protection of personal
data, in particular with regard to the rights of data subjects. This
principle of protection by default should have led Freedelity to provide
withdrawal mechanisms directly at the terminals themselves, even before the
processing is set up. Having to revise the interfaces of the terminals to facilitate the withdrawal of
consent demonstrates a lack of anticipation regarding the requirements of data protection by
default, which should have guided the initial design of the device.
260. Freedelity has implemented a system where the right of
withdrawal, as currently proposed, does not fully meet the requirements of simplicity and
accessibility established by the GDPR. In accordance with the Guidelines on Consent, a
consent mechanism cannot be considered compliant with the GDPR if the conditions of the right of
withdrawal are not effectively respected. The fact that data subjects must go through
separate steps or interfaces to withdraw their consent, instead of a
withdrawal functionality directly integrated into the terminals, does not meet the conditions for
withdrawal of consent provided for in Article 7.3 of the GDPR.
82EDPB, Guidelines 5/2020, section 116 Decision on the merits 146/2024 – 51/67
261. In conclusion, the Litigation Chamber considers that Freedelity has not complied with the
documentation and accountability requirements arising from Articles 24 and 5.2 of the GDPR
regarding withdrawal of consent, as the current mechanisms do not allow for a
simple and direct withdrawal of consent (Art. 7.3 of the GDPR), in accordance with the
principle of data protection by design (Art. 25 of the GDPR).
II.5.4. Finding 3: Measures put in place to demonstrate that the consent
collected complies with the GDPR (Arts. 5.2, 24 and 25 of the GDPR)
262. The defendant maintains that its standard contract requires brands to collect
quality consent, combined with a clause providing that the brand will indemnify
Freedelity in the event of a failure to obtain consent or the quality of the
consent. It also states that its consent register includes important
information, such as the date of consent or the consent log and
the source of the consent.
263. The Litigation Chamber recalls that Article 5.2 enshrines the principle of
accountability and requires that the data controller be able to demonstrate
compliance with the principles of the GDPR in its data processing. Article 24 supplements
this obligation by requiring data controllers to implement
technical and organizational measures adapted to the nature, scope, context,
purposes of the processing as well as the risks to the rights of the data subjects, with
an obligation of continuous review to ensure compliance. Article 25.1, finally,
enshrines the obligation of data protection by design and by default, implying
the implementation of concrete measures that must be applied from the definition of the
processing means. This finding is limited to examining the measures put in
place to ensure the validity of the consent collected.
264. In this case, Freedelity, whose role as data controller is not
contested, must respect these principles of accountability, by demonstrating that the
consents collected comply with the requirements of the GDPR. Indeed, when
processing is based on consent, the data controller must be able to
demonstrate that the data subject has given consent to the processing of
personal data concerning him or her (Article 7.1 of the GDPR). Recital 42
provides that: “Where processing is based on the data subject’s consent, the
controller should be able to prove that the data subject has consented to the
processing operation.”
265. Freedelity explains in its answers to the questions of the Inspection Service 83 that “The
management of consent and its collection is tailored to each client. The IT aspect
83See page 12 of the responses provided by Freedelity to the questions asked by the inspection service on 29 October 2020. Decision on the merits 146/2024 – 52/67
of the management of this consent within the software is complex and is not
documented in itself”. To the extent that this consent can be adapted to each customer,
at least at the level of the Freedelity terminals, the Litigation Chamber questions
the reasons why Freedelity has not secured quality consent for the
collection and sharing of data at the terminals themselves.
266. In addition, the Litigation Chamber notes that the agreements concluded by Freedelity with the
brands do not allow Freedelity to demonstrate the collection of valid and systematically GDPR-compliant consent
for each person concerned. By limiting itself to requiring the implementation of "quality consent" on a case-by-case basis,
Freedelity takes the risk that certain consent forms are non-
compliant.
267. Without prejudging the compliance procedures that could have been
considered to enable compliance, the Litigation Chamber notes that the
following procedures seemed entirely feasible in this case to guarantee Freedelity's
compliance with the requirements of the GDPR in view of the risks presented by the processing in
question:
- Freedelity could have established a precise model for collecting valid consent,
relating to the collection and pooling of identification and contact data,
integrated directly into the Freedelity terminals.
- For brands wishing to implement the consent
mechanisms themselves (for example via their websites), Freedelity could have
established a precise model for collecting consent, described in its contracts with the
brands.
- As far as necessary, ask brands to provide proof that they
have put in place valid consent once the implementation is complete and
add to this obligation an audit clause allowing Freedelity to verify the
compliance of the consent mechanism in a timely manner.
268. The Litigation Chamber insists on the fact that a data controller, even in
a context of joint responsibility, cannot be exempted from this obligation to
demonstrate the collection of valid consent.
269. The sole obligation to compensate Freedelity in the event of collection of invalid consent is not sufficient in itself to demonstrate the sufficiency of the measures implemented
84See in this sense the IAB decision of the Litigation Chamber of 2 February 2022, No. 21/2022, available from the following link:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-en.pdf
And the deliberation of the restricted formation of the CNIL, the French data protection authority, No. SAN-2023-009 of
15 June 2023 concerning the company CRITEO, available from the following link:
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047707063. This decision is currently the subject of an appeal before
the French Council of State. Decision on the merits 146/2024 – 53/67
to ensure the collection of valid consent. Indeed, appropriate technical and
organizational measures should have supplemented such contractual measures. In
addition, the presence of a register that simply contains information on the
presence of a consent mechanism is also insufficient, as it only
allows one to note that consent has been obtained. Neither the quality of the
consent nor its specific nature to Freedelity can be deduced from such a
register.
270. In these circumstances, the Litigation Chamber considers that Freedelity has not
implemented the necessary measures to enable it to demonstrate that the consent
collected for the collection and pooling of data complies with the GDPR within the meaning
of Articles 5.2, 24 and 25 of the GDPR.
II.5.5. Finding 4: Principle of minimisation of personal data (Art. 5.1.c
of the GDPR), and principle of data protection by default (Art. 25.1 of the GDPR)
271. The defendant maintains that given the large amount of personal data processed
by Freedelity, a balance must be struck between the principle of minimisation (Art. 5.1.c of the GDPR) and
the principle of accuracy (Art. 5.1.d of the GDPR). It points out that in order
to carry out its missions, it must quickly limit the risk of confusion between
individuals, avoid duplication, and identify potential fraud, hence the large volume
of information collected. Finally, it maintains that the recording of changes
of postal or electronic address in order to allow consumers to receive
promotional offers, advertisements or any other
information and new tenants or purchasers not to receive
unwanted advertising.
272. The Litigation Chamber recalls that the principle of data minimisation, set
out in Article 5.1.c of the GDPR, requires that the personal data collected be adequate,
relevant and limited to what is strictly necessary in relation to the
purposes for which they are processed. In other words, only data that is
essential to achieve the objectives of the processing must be collected, thus
avoiding any excessive collection of information that would not be
directly useful or justified by the intended purposes. As stated above, Article 25.1 of the GDPR, enshrines the obligation of
data protection by design and by default, implying the implementation of
concrete measures that must be applied as soon as the processing means
are defined.
273. The Inspection Service indicated that with regard to the
processing carried out for the purposes of registration in the
"Freedelity file" as well as for the pooling of data
with Freedelity customers and partners, the following personal
data would be processed in particular: Decision on the merits 146/2024 - 54/67
- Identification data, namely: "surname, first name(s), gender, place and date of birth,
nationality, home address, identity card number, municipality of issue of the
identity card, validity date of the identity card and history of this data"; and
- Contact data: "your email address, telephone/mobile number and history of
this data".
274. In addition, the 2011 recommendation of the CPVP states: "Certain commercial
practices also lead the Commission to look into the use of the identity
card as a loyalty card. (…) This choice must be offered to customers in a
transparent and explicit manner as soon as a loyalty system is offered to them. In
addition, the principle of proportionality of the privacy law requires that only the
necessary data of the identity card can be read in this context. There can be no question
of processing and storing for this purpose either the photo of the cardholder,
nor the number of his identity card, his identification
number in the National Register, his nationality, his place of
birth" (emphasis added). The underlined data are nevertheless collected by
Freedelity. ". Therefore, contrary to what the defendant claims, the CPVP has not
only never approved this practice but has also limited in its opinion the
modalities of lawful processing of identity card data.
275. A fortiori, data such as the municipality where the identity card was issued, the
validity date of the identity card and the history of this data are of no relevance
in the context of the processing carried out by Freedelity and the brands. This data is
generally not included in the manual collection form set up by
certain brands, which shows that it is not useful, and therefore a fortiori not
necessary for the implementation of the processing.
276. As the Inspection Service rightly points out, only a few data items would have been
necessary for Freedelity to fully comply with the GDPR’s principles of minimisation and
accuracy when feeding the Freedelity file. The Litigation Chamber considers that the surname, first name and contact details (postal
address, email or telephone) are sufficient to provide a sufficiently precise indication of the
data subject in view of the purpose in question, which does not require irrefutable
identification of the data subject’s identity. These data items could have been the only
ones collected from the start of the processing, without the operation of the
Freedelity file being affected.
85The identity card number is an identifier distinct from the national register registration number (NIR), which Freedelity
assures that it does not collect.
86CPVP, recommendation No. 03/2011 of 25 May 2011, relating to the taking of copies of identity cards, as well as their
use and electronic reading, the link to which is available opposite:
https://www.dataprotectionauthority.be/publications/recommandation-n-03-2011.pdf. Decision on the merits 146/2024 – 55/67
277. The risk of having obsolete data in the Freedelity file does not justify the collection
of around ten additional and optional information. Furthermore, the greater the
number of personal data collected, the more difficult it is to comply with both the
principle of accuracy and the principle of minimisation. The defendant’s arguments on
this point cannot therefore convince. The Litigation Chamber is
particularly concerned about the impact on the persons concerned in the event of a data
breach, due to their quantity and precision. Indeed, the massive centralisation of data
of a large part of the population and their data collected directly on their
identity card poses a high risk to the privacy of millions of consumers.
278. For these reasons, the Litigation Chamber considers that Freedelity has failed to comply with the
principle of minimisation of personal data (art. 5.1.c of the GDPR), and with the principle of
data protection by default (art. 25.1 of the GDPR).
II.5.6. Finding 5: Principle of limitation of the retention of personal data (art. 5.1.e, 5.2, 24 and 25.1 of the GDPR)
279. The defendant claims that the retention of data for a period of 8 years in the
context of the management of the Freedelity file is appropriate. The starting point of this retention period is
calculated, according to the defendant, from the last "activity" of the person
concerned (e.g.: checkout).
280. It maintains that the data retention period of 8 years is justified first of all
by the specific purpose of the Freedelity file, which requires regular updating and immediate
accessibility of the data. Then, it underlines the legitimate economic interest
of retaining the data for a sufficient period to allow optimal operation
of its service. This retention period is also justified by
accounting and tax considerations, both for customers and for the company itself. It
highlights the fact that the legal guarantee of consumer goods of 2 years, 87
which can be extended by traders, requires a longer data retention period than the strict 2-year period proposed by the Inspection Service.
281. The Litigation Chamber recalls that within the meaning of Article 5.1.e of the GDPR, data
must be retained in a manner that guarantees that they are not kept in a form
that allows the identification of individuals for longer than is necessary for
the purposes for which they are processed. The data controller is
responsible for compliance with this principle and must be able to demonstrate that it is
87Article 1649quater of the Civil Code Decision on the merits 146/2024 – 56/67
complied with (Arts. 5.2 and 24 of the GDPR). The Litigation Chamber refers to its
previous findings concerning Art. 25 of the GDPR (see paragraph 263).
282. The Litigation Chamber notes that the defendant's arguments are
not sufficient to justify such a long retention period. Indeed, while regular updating of the
file and immediate accessibility of the data are necessary to ensure quality customer
service, it should be noted that these objectives can be achieved with a
retention period significantly shorter than 8 years.
283. Concerning the retention periods invoked by the defendant, the
Chamber notes that these apply mainly to purposes distinct from the management of the
Freedelity file, and for which Freedelity does not act as data controller. Indeed, the legal requirements relating to
guarantees essentially concern the relations between the consumer and the seller. Thus, the
legal obligations weighing on Freedelity in terms of data retention cannot be based
on these requirements alone.
284. Furthermore, the Freedelity file is not the appropriate medium for storing data based
on such requirements, specific to customers. Indeed, the CustoCentrix
database is the one that hosts, in the form of Silos, the data strictly
specific to each brand and the processing of which is subcontracted to Freedelity by
each of the brands. To this extent, and based on the responses provided by
89
Freedelity to the Inspection Service, the Silo specific to each customer could serve
90
as an intermediate archive of data whose retention in an active database, on the
Freedelity file, is no longer justified.
285. In this case, the Chamber considers that a retention period of maximum 3
years from the last activity would be sufficient to meet the needs of the defendant, while
respecting the rights of the persons concerned. This period is aligned with the
current practices recommended by the National Commission for Information Technology and
91
Liberties. The Chamber considers that a consumer who has not shown any
activity for a period of two to three years within the partner brands of
Freedelity can be presumed to no longer wish to benefit from the services associated with this file.
88As explained by Freedelity in its 2020 WhitePaper, (page 5): "the database specific to each client within
CustoCentrix containing consumer data that cannot be shared with other clients and
for which Freedelity acts as a subcontractor within the meaning of data protection regulations".
89See page 22 of the responses provided by Freedelity to the additional questions from the Inspection Service asked on 29 October 2021.
90
The concepts of “intermediate archiving” and “active base” are used by the CNIL in its reference documents on data retention. See for example this article from the CNIL on the determination of retention periods:
https://www.cnil.fr/fr/passer-laction/les-durees-de-conservation-des-donnees
91
CNIL reference document on the processing of personal data – management of commercial activities.
https://www.cnil.fr/sites/cnil/files/atoms/files/referentiel traitement-donnees-caractere-personnel gestion-activites-
commerciales.pdf (page 5) Decision on the merits 146/2024 – 57/67
It is indeed reasonable to consider that such a consumer has lost all interest in
this type of loyalty program.
286. In this perspective, the defendant is free to set up a mechanism
for regular verification of the activity of the persons concerned to ensure that their
data - and their account - should not be deleted. For example, an
email could be sent to consumers who have not shown any activity
for 3 years, in order to ask them to confirm their wish to maintain their registration
in the Freedelity file. In the absence of a response from them within a reasonable time, the
defendant could consider that these persons have waived the benefit of this
service and proceed to the deletion of their data or their archiving, if applicable.
287. In view of all these elements, the Chamber considers that the retention period
of 8 years set by the defendant is disproportionate to the purpose pursued.
The principle of data minimization, enshrined in Article 5.1.e of the GDPR, requires the
data controller to limit the retention of data to a strictly
necessary period.
288. In conclusion, the Litigation Chamber finds a violation of the principle of
limitation of the retention of personal data (Art. 5.1.e, 5.2, 24 and 25.1 of the
GDPR) due to the excessive retention period of 8 years for the management of the Freedelity file.
III. Corrective measures and sanctions
289. Under Article 100§1 of the LCA, the Litigation Chamber has the power to:
1° dismiss the complaint;
2° order that there be no further action;
3° order a suspension of the decision;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the requests of the person concerned to exercise these rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of the processing;
9° order that the processing be brought into compliance;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of the accreditation of the certification bodies; Decision on the merits 146/2024 – 58/67
12° impose periodic penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an
international body;
15° forward the file to the Public Prosecutor's Office of the Brussels
King's Prosecutor, who shall inform him of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority.
III.1. Choice of the appropriate corrective measure or sanction
290. In light of the above and on the basis of the powers assigned to it by
the legislator, the Litigation Chamber decides to order measures to bring
processing into compliance, pursuant to Article 100, §1, 9° of the LCA, as
well as the deletion of certain data, in accordance with Article 100, §1, 10° of the LCA. In order
to guarantee the effective execution of these measures, the Litigation Chamber considers it
necessary to combine them with periodic penalty payments, considering that this approach
constitutes the most appropriate response to the circumstances of the case.
291. The Litigation Chamber considers that a combination of such measures is
appropriate to achieve the effective, proportionate and dissuasive nature of the sanction. Indeed, it is
imperative that Freedelity implements this decision by bringing its
processing into compliance and deleting certain data. In this case, the planned penalty payment is
able to put sufficient pressure on Freedelity to achieve this end.
292. The Litigation Chamber could decide to impose an administrative fine under
its powers on the basis of Article 83 of the GDPR and Article 100, § 1, 13° of the
LCA, with regard to the violations found of Articles 4, 5, 6, 7, 24 and 25 of the GDPR.
293. Nevertheless, the Litigation Chamber considers that compliance orders accompanied
by a penalty payment do not require the imposition of a fine since the injunctions issued
require the company to significantly transform its business model in order to
comply with the requirements of the GDPR. This complex and demanding process will require
significant financial resources from the defendant.
294. The penalty payment, through its incentive mechanism, guarantees that the corrective measures will
be effectively implemented without unduly weakening the financial stability of the company. This approach, combined with the other sanctions adopted, ensures a response
that respects the principles of effectiveness, proportionality and dissuasion of the GDPR.
295. Therefore, pursuant to Article 100§ 1 of the LCA, the Litigation Chamber decides to:
a) in accordance with Article 100§ 1, 9° of the LCA, order compliance
of the processing operations within a period of 4 months, in accordance with injunctions 1 to 5;
b) in accordance with Article 100§ 1, 10° of the LCA, order the erasure of the data
in accordance with injunctions 4 and 5 within a period of 4 months;
c) in accordance with Article 100§ 1, 12° of the LCA, impose periodic penalty payments of EUR 5,000
per day of delay from the day on which the Litigation Chamber notifies it that it
has partially or not at all complied with the injunctions issued in
this decision, on the basis of the responses provided by the defendant to the
Litigation Chamber, which must have been received by the end of the
period allowed for compliance;
d) in accordance with Article 100§ 1, 16° of the LCA decide to publish the decision on the
website of the Data Protection Authority, with direct identification of
the defendant.
III.2. Order for compliance and erasure of data
296. The Litigation Chamber considers that it is appropriate to impose several injunctions for
compliance and erasure of data on the defendant, by virtue of the
breaches noted.
297. Injunction 1: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders
Freedelity to put in place consent collection mechanisms guaranteeing
that consent is free, specific, informed and unequivocal, in accordance with Article 4.11 of
the GDPR, and this for each processing of personal data that it carries out, including the
pooling of data with its commercial partners.
298. Freedelity must in particular:
- Ensure that access to the commercial advantages offered by a brand is not
conditioned on the acceptance of other non-essential processing or conditions, including the
pooling of data.
- Clearly and comprehensibly inform the persons concerned, at the time
of the collection of their data, on the specific purposes of each processing, the
categories of data concerned, and allow consumers to know the identity of the recipients with whom the data will be shared. Decision on the merits 146/2024 – 60/67
- Implement explicit mechanisms to obtain unambiguous consent, such as
a button that is not checked by default allowing data subjects to expressly confirm
their agreement for each processing purpose envisaged.
- Verify the existence of free, informed, unequivocal and specific consent for
all data subjects whose data is processed in the Freedelity file, in light of the above requirements and in the event of a negative finding, either
delete the data currently present in the Freedelity file without
valid consent, or renew the consent of the data subjects before the end of the period
allowed for compliance with this Injunction 1.
- Transmit to the Litigation Chamber evidence of compliance with this Injunction 1,
including a copy of the Freedelity-specific consent form template (or
consent forms) modified or implemented pursuant to Injunction 1 issued by the Litigation Chamber.
299. Injunction 2: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders
Freedelity to put in place simple, accessible and direct mechanisms to
allow data subjects to withdraw their consent, in accordance
with Article 7.3 of the GDPR.
300. Freedelity must in particular:
- Integrate on all physical terminals used by its partners an explicit
and immediate option allowing the withdrawal of consent, without the need to navigate
through complex menus or interfaces.
- Update the MyFreedelity portal to include a clearly visible and
directly accessible feature allowing data subjects to withdraw their
consent in as many steps as it takes them to give their consent.
- Inform the persons concerned, at the time of collecting consent, of the
means available to withdraw this consent, ensuring that this information
is clear, understandable and easily accessible.
- Adopt and document technical and organizational measures in accordance with
the principle of data protection by design and by default (Article 25 of the GDPR),
ensuring that withdrawal mechanisms are integrated from the design of any
new interface or terminal.
- Transmit to the Litigation Chamber evidence of compliance with this Injunction 2,
including screenshots of the new consent withdrawal mechanisms as
implemented or modified by Freedelity and the brands. Decision on the merits 146/2024 – 61/67
301. Injunction 3: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders
Freedelity to document precisely the consent collection process, in
such a way as to be able to demonstrate, at any time, that it was obtained in
accordance with the requirements of the GDPR, and this in order to ensure in particular
compliance with Articles 5.2, 24 and 25 of the GDPR. Freedelity shall provide the Litigation Chamber with evidence of
compliance with this Injunction 3.
302. Injunction 4: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders
Freedelity to immediately cease the collection and processing of personal data
from consumers’ identity cards, with the exception of data
strictly necessary for the stated purpose, namely, to take the example of a
classic loyalty program: the surname, first name and contact details
(postal address, email or telephone). Pursuant to Article 100§ 1, 10° of the
LCA, the Litigation Chamber also requires the deletion of any data that has been
collected beyond this information within a period of four months.
303. Freedelity shall in particular:
- Update, or order the updating of all collection interfaces and tools
used by Freedelity and its partners (in-store terminals, digital portals,
manual forms, etc.) in order to guarantee that only authorized data is
collected.
- Prohibit, with respect to third parties, any resale or transfer of
unnecessary data collected before the definitive deletion of this data, unless
valid consent from the persons concerned is obtained. This prohibition includes
data previously collected that does not comply with the principle of minimization.
- Notify the persons concerned of the deletion of unnecessary data
already collected, reminding them of their rights regarding the data that continues to be
processed by Freedelity, in particular the right to access, rectify, delete their data, as
well as their right to withdraw their consent.
- Freedelity must provide the Litigation Chamber with evidence of compliance with this
Injunction 4, in particular a copy of the template for the notification to the persons
concerned and proof of the effective deletion of the unnecessary personal data
identified in Finding 4 of this decision.
304. Injunction 5: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders
Freedelity to reduce the retention period of personal data processed in the
context of the Freedelity file to a maximum of three years from the last activity of the
persons concerned. Pursuant to Article 100§ 1, 10° of the LCA, the Litigation Chamber
requires Freedelity to erase data that has been retained for a period of more than three years, unless a separate legal basis justifies their retention in an
intermediate archive such as Customer Silos (for example, specific legal obligations for
brands).
305. Freedelity must in particular:
- Delete all personal data retained beyond this period of three
years for persons who have not demonstrated any activity, unless a separate legal basis
justifies their retention (for example, specific legal obligations or ongoing disputes).
Apply this erasure to all data currently contained in the
Freedelity file and purge the Freedelity file of obsolete data.
- Ensure that when a separate legal basis justifies the retention of data for
more than 3 years, the data is archived on a medium separate from the Freedelity file and
that it is processed for no purpose other than that of storage justified by the legal
basis in question.
- Send a reminder by email or any other appropriate means to
consumers who have not shown any activity for three years or more, in order to
ask them to confirm their wish to maintain their registration. In the absence of a
response within a reasonable period (for example, one month), archive the data under
the conditions listed above, or delete them if applicable.
- Freedelity must provide the Litigation Chamber with evidence of compliance with this
Injunction 5, in particular documents demonstrating the effective erasure of
personal data beyond the authorized periods, in accordance with Finding 5 of
this decision.
III.3. Conditional sanction: the penalty payment
III.3.1. Preliminary considerations
306. The penalty payment is unique in that it is fully conditional. The amount to be paid
is indeed uncertain. The defendant first has a period of time to comply or to appeal the
decision. It is only in the event of non-compliance on its part
after a period of 4 months from notification of this decision that the penalty
payment will be implemented. Therefore, the amount of the penalty payment is variable, and it may even be zero,
where applicable.
92See on this point the recommendations of the CNIL (French data protection authority) regarding intermediate data archiving: https://www.cnil.fr/fr/passer-laction/les-durees-de-conservation-des-donnees Decision on the merits 146/2024 – 63/67
307. The penalty payment is distinguished from the administrative fine in that it constitutes an indirect means of enforcement of the main penalty(s) in order to comply
with the law in force, whereas the administrative fine is punitive in nature.
308. The penalty payment therefore also has an ancillary nature. The penalty payment and the administrative fine are thus different both in nature and in the objectives they pursue.
309. In light of the reasons set out above, the Litigation Chamber decides to impose
periodic penalty payments on the defendant in this case, and does not consider that it must inform
the defendant in advance by means of a penalty form.
III.3.2. Practical arrangements for the periodic penalty payment
310. In order to give the defendant the time necessary to comply with the
injunctions issued in this decision, the periodic penalty payment will not be implemented
directly following the notification of this decision to the defendant. In this case, the
Litigation Chamber considers that a period of 4 months from the notification of this
decision is sufficient to allow the defendant to comply with the said
injunctions.
311. The time limit shall run from the day on which the defendant receives the registered letter notifying it
of this decision or from the day of expiry of the time limit during which the
defendant is, where applicable, required to collect said registered letter from
the post office.
312. From the expiry of the 4-month period from the notification of this
decision, and provided that it has received the evidence requested in the various
injunctions within the time limits, the Litigation Division shall notify the defendant, after
examining the documents:
1) That the latter has fully complied with the injunctions issued in
this decision; or
2) That the defendant has partially complied with the injunctions issued in
this decision; or
3) That the defendant has not complied with the injunctions issued in
this decision.
313. The Litigation Chamber shall initiate the enforcement of the penalty payment on the same day as the
notification in the second and third cases. In case of doubt, the APD may use
its powers derived from the LCA or the ROI in order to continue the procedure or open a
new file, if necessary.
93Decision on the merits of the Contentious Chamber, No. 131/2024 of 11 October 2024, paragraphs 113 to 116. Decision on the merits 146/2024 – 64/67
314. The amount of the periodic penalty payments is defined as follows:
a) Injunction 1: the defendant must pay EUR 1,000 per day of delay from the day on which
the Contentious Chamber notifies it that it has partially or not at all complied with
the injunctions issued in this decision;
b) Injunction 2: the defendant must pay EUR 1,000 per day of delay from the day on which
the Contentious Chamber notifies it that it has partially or not at all complied with
the injunctions issued in this decision.
(c) Injunction 3: The defendant shall pay EUR 1,000 for each day of delay from the day on which
the Litigation Chamber notifies it that it has complied partially or not at all with
the injunctions issued in this decision.
(d) Injunction 4: The defendant shall pay EUR 1,000 for each day of delay from the day on which
the Litigation Chamber notifies it that it has complied partially or not at all with
the injunctions issued in this decision.
(e) Injunction 5: The defendant shall pay EUR 1,000 for each day of delay from the day on which
the Litigation Chamber notifies it that it has complied partially or not at all with
the injunctions issued in this decision.
315. If the defendant fails to comply with the six injunctions, it must then pay EUR 5,000
for each day of delay from the day on which the Litigation Chamber notifies it that it has
partially or not at all complied with the injunctions issued in this
decision.
316. The Litigation Chamber recalls that the penalty payment is not punitive in nature. The
injunctions are each accompanied by a penalty payment to ensure their proper execution.
The amount of the penalty payments is reasonable in view of the infringement that the
defendant has caused to the rights of the plaintiff, and of users more generally, but also
in view of the financial capacity of the defendant, whose turnover is less
than [amount], and the profit that it can derive from the non-execution of the injunctions in question.
317. If the defendant considers that full execution of the injunctions is impossible
within the prescribed period despite all reasonable efforts, it may submit a
reasoned request for an extension of time to the Litigation Chamber within 45
days of notification of this decision to it.
318. The penalty payment is daily. The Litigation Chamber decides that the maximum
cumulative amount of the penalty payment may not exceed EUR 100,000. Decision on the merits 146/2024 – 67/67
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, with the Market Court (Brussels Court of
Appeal), with the Data Protection Authority as the defendant.
Such an appeal may be filed by means of an interlocutory application which must contain the
information listed in Article 1034ter of the Judicial Code. The interlocutory application must be
filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or 95
via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code)
(sé). Hielke H IJMANS
President of the Litigation Chamber
94
The application contains, under penalty of nullity:
1° the indication of the day, month and year;
2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualities and his/her national register number or
company number;
3° the surname, first name, address and, where applicable, the quality of the person to be summoned;
4° the subject and summary statement of the grounds of the application;
5° the indication of the judge who is seized of the application;
the signature of the applicant or his lawyer.
95The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.
