APD/GBA (Belgium) - 48/2021: Difference between revisions
(→Facts) |
No edit summary |
||
Line 52: | Line 52: | ||
}} | }} | ||
The Belgian DPA held that, for lack of a legal basis pursuant to Article 6 | The Belgian DPA held that, for lack of a legal basis pursuant to Article 6 GDPR, a notary cannot consult the national register for natural persons in order to obtain personal data for other purposes than those defined by the law and within the scope of their profession. | ||
== English Summary == | == English Summary == |
Revision as of 08:05, 5 May 2021
APD/GBA - 48/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 3 of the Belgian law for organizing a national register of natural persons |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 08.04.2021 |
Published: | 08.04.2021 |
Fine: | None |
Parties: | A private individual (plaintiff) A notary (defendant) |
National Case Number/Name: | 48/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Website of the Belgian DPA (in FR) |
Initial Contributor: | Maïlys Lemaître |
The Belgian DPA held that, for lack of a legal basis pursuant to Article 6 GDPR, a notary cannot consult the national register for natural persons in order to obtain personal data for other purposes than those defined by the law and within the scope of their profession.
English Summary
Facts
The plaintiff lodged a complaint with the Belgian DPA after their former employer, the defendant, sent them the remaining money they were owed to an address obtained by consulting the national register for natural persons. The plaintiff argued that the defendant had not processed the data lawfully, since they had not consulted the register within its defined purposes.
To this the defendant replied that they were unsure of their former employees' address and thought that the national register could be consulted in any case, because they had access to it within the scope of their profession.
Dispute
Can the collection by a notary of personal data contained in the national register for natural persons be justified by the sole fact that within the scope of their work they can already access said register?
Holding
The Belgian DPA reminded the defendant that, notwithstanding the fact that notary was one of the professions allowed to consult the national register for natural persons, they should, pursuant to Article 3 of the Belgian law for organising a national register for natural persons, always do so for tasks that fall within their competence and are specific to the performance of their notary assignments.
The register should therefore not be used for tasks that are common to any employer, such as sending mail to their employees or former employees. By consulting the national register for that purpose, the defendant processed data unlawfully, thus going against Article 6 combined with Article 5(1)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision on the merits 48 / 2021- 1/15 Litigation Chamber Decision on the merits 48/2021 of 08 April 2021 File No .: DOS-2020-02322 Subject: Complaint against a notary for unlawful consultation of the National Register The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of these data, and repealing Directive 95/46 / EC (General Regulation on the Data Protection), hereinafter GDPR; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Considering the Law of August 8, 1983 organizing a National Register of Natural Persons (hereinafter the RN Law); Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Took the following decision regarding: The complainant: Mrs X. Hereinafter "the complainant". The defendant: Mrs Y, Advised by Maître Sari Depreeuw, lawyer, whose firm is established avenue Louise, 81 in 1050 Brussels. Hereinafter "the defendant". 1. Feedback from the procedure Having regard to the complaint lodged by the complainant with the Data Protection Authority (APD) on May 14 2020; Decision on the merits 48 / 2021- 2/15 Considering the decision of 11 June 2020 of the Front Line Service (SPL) of the APD declaring the complaint admissible and its transmission to the Litigation Chamber; Having regard to the letters of July 14 and August 19, 2020 from the Litigation Chamber informing the parties of its decision to consider the case as ready for treatment on the merits on the basis of the article 98 LCA and providing them with a timetable for exchanging conclusions; Having regard to the conclusions filed by the defendant on October 1, 2020; Considering the conclusions filed by the complainant on October 21, 2020; Having regard to the final submissions filed by the defendant on November 13, 2020; Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on January 20, 2021; Having regard to the hearing during the session of the Contentious Chamber of March 2, 2021 in the presence of Maître S. DEPREEUW and Maître O. BELLEFLAMME representing the defendant; Having regard to the minutes of the hearing and the observations made thereon by the counsel of the defendant which were attached to these minutes. 2. The facts and the subject of the request 1. The defendant is a notary in Flanders. 2. The defendant, in the course of 2019, hired the plaintiff as a notarial lawyer in his study under an open-ended contract which began in August 2019. Under the terms of contract, the complainant is identified as being domiciled in Wallonia. A second relative contract the allocation of ecocheques was also signed between the parties. According to the latter, the complainant is also identified as being domiciled in Wallonia. This contract provides in its Article 4 that the ecocheques will be credited monthly to the ecocheque account of the complainant. During the hearing (see below), however, the defendant indicated that there has always been sending ecocheques by post during the term of the contract with the complainant. 3. The defendant states that the plaintiff had settled in Flanders near the study for that she was working with her to limit the travel time between her place of work and her place of residence, while retaining its domicile in Wallonia. 4. This employment relationship ended in February 2020 following the resignation of the complainant in a climate that the defendant describes as tense, all trust being broken between the parties. Decision on the merits 48 / 2021- 3/15 5. At the end of this employment relationship, the defendant remained liable for an amount of 56.07 euros in ecocheques vis-à-vis the complainant. After a first reminder, the complainant sent a second reminder to the defendant by email on March 16, 2020. 6. These eco-checks were sent by the defendant to the address of the plaintiff's domicile, namely in Wallonia, by registered letter of March 16, 2020. Beforehand, the defendant indicates have verified the complainant's address in the National Register. 7. On April 19, 2020, the Complainant sent an email to the Respondent complaining of this consultation of its National Register on March 14th. 8. In response, the defendant explained to the complainant the reasons for this consultation. The defendant thus indicated that she had wanted to verify the exact address to which she was to send the ecocheques to the complainant as soon as she knew that the complainant had several addresses, in Flanders and Wallonia. The defendant stated that at the end of the relationship contract, she was uncertain as to which address it was suitable for, on the eve of the entry into force of the containment measures, send the eco-checks to the complainant. 9. On May 14, 2020, the complainant filed a complaint with the APD. Subject of the Complainant's Complaint 10. According to her complaint, the complainant complains "of a consultation of her national register by the defendant without any consent on its part and any legal framework ”as well as "The use of access to the population register outside of the specific regulations to obtaining information from population registers ". 11. According to her conclusions, the complainant also raises a lack of information in the defendant in violation of Article 14 of the GDPR. More specifically the complainant asks the Litigation Chamber: - declare their complaint admissible and well founded; - to note the violation of the Law of August 8, 1983 organizing a National Register of Persons physical (RN Law) and the Royal Decree of 11 September 1986 authorizing access by notaries to national register of natural persons; - to find the violation of the fundamental principles of data protection personal; - to pronounce a sanction. Decision on the merits 48 / 2021- 4/15 Defendant's position 12. Mainly, the defendant asks the Litigation Chamber to declare itself incompetent to process the complainant's complaint and dismiss it as inadmissible. 13. In the alternative, the defendant asks the Contentious Chamber to declare the complaint unfounded, considering that it did not violate the fundamental principles of data protection personal and consequently, order a dismissal. 14. In the alternative, if the Contentious Chamber were to find a violation of the principles fundamental principles of the protection of personal data, the defendant seeks the suspension of the delivery. 15. Finally, in the very alternative, the defendant requests that account be taken of extenuating circumstances to limit the corrective action pronounced to a warning or even to a reprimand. 3. The hearing on March 2, 2021 16. During the hearing, the minutes of which were drawn up, the following elements were brought to light light by the defendant, the complainant not being present at the hearing: - the incompetence of the Litigation Chamber to deal with the complaint; - the relational difficulties encountered from the outset with the complainant and the loss of confidence gradual progress of the defendant with regard to the plaintiff, this rupture finding its climax at the time of termination of the contract; - the fact that it is incorrect to claim that notaries would have access to all the data at personal character contained in the National Register, their consultation being limited to data referred to in the Royal Decree of 11 September 1986 on the one hand and the mention that the application available to notaries does not allow consultation targeting the only data "Address" to the exclusion of any other on the other hand; - the good faith of the defendant who, faced with a conflictual situation, acted out of concern for protect against any reproach sending to an address that would not have been the right one; - the implementation of a series of measures adopted by the defendant aimed at putting compliance with the obligations of the GDPR resulting from his capacity as person responsible for processing: security policy, register of processing activities, designation of a delegate data protection etc. Decision on the merits 48 / 2021- 5/15 PLACE 4. As to the jurisdiction of the APD, in particular its Litigation Chamber 17. The DPA is the Belgian authority, in particular responsible for monitoring compliance with the GDPR in application of Article 8 of the Charter of Fundamental Rights of the European Union (EU), of Article 16 of Treaty on the Functioning of the European Union (TFEU) and article 51 of the GDPR. Regarding of Article 51 of the GDPR in particular, it requires each EU member state to set up one or more independent public authorities, responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of individuals with regard to the processing of their data. The GDPR adds to this effect that each authority must benefit from a number of missions (listed in Article 57 of the GDPR) including that of dealing with complaints (article 57.1.f) of the GDPR) as well as a number of powers (article 58 of the GDPR). 18. Pursuant to Article 3 LCA, the Belgian legislator has instituted the DPA, the Litigation Chamber of which is the administrative litigation body (Article 32 LCA). 19. This control by the DPA, via its Litigation Chamber in particular, is an essential element of protection of individuals during the processing of personal data concerning them. 20. As the Contentious Chamber has already had the opportunity to express it in its decisions 17/2020 and 1 80/2020 among others, supervisory authorities - such as ODA - must exercise their powers for the effective application of European data protection law. To guarantee the effectiveness of European law is one of the major tasks of data protection authorities member states under EU law. Control by the contentious chamber constitutes In this regard, one of the instruments available to ODA to ensure compliance with the rules relating to data protection, in accordance with the provisions of the European treaties, the GDPR and of the LCA. 21. In Article 4 LCA, it is provided that the ODA is "responsible for monitoring compliance with the principles fundamentals of the protection of personal data, within the framework of this law and laws containing provisions relating to the protection of the processing of personal data staff ". 22. The explanatory memorandum to the LCA has clearly and unequivocally clarified the interpretation to be give Article 4 LCA in the following terms: "Art. 4: The Authority for the Protection of 1https: //www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf 2https: //www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf Decision on the merits 48 / 2021- 6/15 data is competent to exercise the missions and mandates of monitoring compliance with the principles fundamental protection of personal data as established in the Regulation 2016/679. The Data Protection Authority acts with regard to the regulations which contains provisions relating to the processing of personal data such as, for example, example, the law establishing a national register, the law relating to the crossroads bank for security 3 social, the law relating to the crossroads bank for enterprises, etc. (...) "(This is the Chamber Litigation which underlines). 23. Under these “laws containing provisions relating to the protection of data processing of a personal nature ”, the RN Law is therefore explicitly mentioned. 24. In conclusion, the oversight mission of the ODA encompasses compliance with the GDPR in its entirety. This reading is the only one which gives a useful effect to articles 3 and 4 LCA, which must be read in in combination with Article 51 of the GDPR. The competence of the APD (and its litigation body administrative - the Litigation Chamber) is therefore, in support of the foregoing, in no way limited by the concept of "fundamental principles of data protection" read in isolation, whatever either the content that some would seek to give to this notion for the needs of one or the other cause or attempting to escape the control of the ODA (see point 26 below). Likewise, it is certain that the competence of the DPA also encompasses monitoring compliance with the protective provisions data contained in specific legislation such as the RN Law or the "Law Cameras ”to name just these two examples. Here again, all of these provisions are intended and not only those which would participate in "fundamental principles of the protection Datas ". 3 Explanatory memorandum to the Law of 3 December 2017 establishing the Data Protection Authority (DPA), House of Representatives, DOC 54 2648/001, page 13 under article 4. 4 Ibidem 5 Law of March 21, 2007 regulating the installation and use of surveillance cameras (hereinafter the Cameras Law), M.B., May 31, 2007. 6 Decision 19/2020 regarding the consultation of the National Register within a city: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf Decision 16/2020 with regard to surveillance cameras installed at the entrance of a store: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-16-2020.pdf; Decision 61/2020 relating to a complaint for unlawful processing of personal data after consultation in the National Register by a public interest body: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-61-2020.pdf Decision 80/2020 relating to camera surveillance in a car wash: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf . Decision on the merits 48 / 2021- 7/15 25. The Contentious Chamber finally draws attention to the fact that Article 4.2 LCA excludes jurisdiction of ODA in a very limited number of cases, specifically provided for by the LCA itself or by other legislation. The APD is the data protection supervisory authority responsible for default, any legal void, any lack of supervisory jurisdiction over one or the other processing of personal data to be avoided. Application to the present case - the issue of access to the National Register (rather than another database) 26. While admitting the competence of the DPA under the RN Law, the defendant nevertheless indicates than to avoid conflicts of jurisdiction (with regard to the Minister of the Interior with regard to the RN in the present case), the legislature would have limited the competence of the DPA to monitoring compliance with " fundamental principles of data protection ”. These "fundamental principles of data protection "not being defined by the national legislator, it would be appropriate according to the defendant to understand them as being limited to the principles set out in Article 8 of the Charter fundamental rights of the Union and, having regard to the structure of the GDPR, the content of Chapter II GDPR and the rights of data subjects. 27. In this regard, the defendant puts forward the fact that “If Me Y, [read the defendant], as that a notary had access to the National Register and, as an employer, to the Banque-Carrefour de la Social Security (BCSS) and whether the National Register and the BCSS both contain the same information relating to Ms. X's address [read complainant], the relevant question before the DPA is not that of the legitimacy of the processing of personal data but that of access to respective databases ”. The defendant adds in conclusion that "what remains to be verified is compliance with the conditions for access to the national register resp. the BCSS ”. This verification would fall under according to the defendant the competence of the Minister of the Interior, the ODA not having the competence decide on the preference for access to one or the other database. The defendant indeed considers that this access preference does not participate in the "fundamental principles of data protection ”. 28. The Contentious Chamber refutes the arguments developed by the defendant with regard to its skill. As it has explained above in paragraphs 21-24, its competence is not at all limited to monitoring compliance with "fundamental principles of data protection" such as that restrictively interpreted by the defendant. 29. The Litigation Chamber will also demonstrate that there is not, and cannot be, a conflict of competence with the Minister of the Interior (point 35). Decision on the merits 48 / 2021- 8/15 30. The Litigation Chamber is therefore of the opinion that the complaint was rightly declared admissible by the SPL on the basis of Article 60.1. LCA for the following reasons. 31. The Chamber notes on the one hand that, according to the terms of its complaint, the Complainant accuses the Respondent to have consulted his data in the National Register outside any legal framework and in the absence basis of legality. Access to the National Register being strictly regulated as will be detailed below, its consultation (which constitutes processing within the meaning of Article 4.2. of the GDPR) must, in order to be qualified as lawful, meet all the conditions required by both the GDPR and 7 by the RN Law (see point 35 and title 5 below). 32. The Litigation Chamber recalls Article 5.1 of the RN Law which lists in paragraph 4 the notaries among professionals authorized to access data in the National Register, including the address, with permission. This authorization, now issued by the Minister of the Interior, was in the past either by the Sectorial Committee of the National Register (CSRN) or by way of an order royal.9 33. The Contentious Chamber underlines that in this case, the Royal Decree of 11 September 1986 specifies in its Article 1 that it is for the accomplishment of the tasks which fall within their competence that notaries are authorized to access the information referred to in Article 3, paragraph 1, 1 ° to 9 °, and paragraph 2, of the RN Law among which appears the data "address" (M.B., October 2, 1986). 34. Therefore, it is not indifferent to consult the National Register rather than another database although both contain partly similar data. Legally regulated access to a database such as the National Register cannot be diverted from its purpose under the pretext of that the person who consults it has, in any event, authorized access to the data consulted 7 In the same sense see. Decision 16/2020: "The processing of images filmed by surveillance cameras is in fact, as soon as these images constitute personal data, subject to the GDPR at apply in parallel with the Cameras Act ”. 8 Art. 5 § 1. Authorization to access or obtain the information referred to in Article 3, paragraphs 1 to 3] communication, and authorization to access information on foreigners entered in the register waiting period referred to in article 1, § 1, paragraph 1, 2 °, of the law of 19 July 1991 on population registers, identity cards, foreigner's cards and residence documents and amending the law of 8 August 1983 organizing a National Register of Natural Persons, are granted by the Minister of the Interior in its attributions: (…) 4 ° to notaries and bailiffs for the information they are authorized to provide know by law, decree or ordinance; 9 See. Article 5 of the RN law before its amendment by the law of 25 November 2018 (M.B. 13 December 2018) which granted authorization competence to the Sectoral Committee of the National Register. See. also article 5 of the initial law of August 8, 1983 (M.B. April 21, 1984) which granted the King the power to authorize access to the Register national before this competence is entrusted to the Sectorial Committee of the National Register. Decision on the merits 48 / 2021- 9/15 (the address of the complainant in this case) via another database (the BCSS in this case). In this, the consultation of the National Register by the defendant must be examined from the point of view of its legality, an examination which is unquestionably within the competence of the DPA. 35. As to the division of jurisdiction with the Ministry of the Interior invoked by the defendant, the Contentious Chamber notes that since the abolition of the CSRN in application of Article 109 LCA, it is indeed the Minister of the Interior who is responsible for issuing access permits in the National Register. This authorization competence in no way excludes the control competence of ODA. Access to the National Register constitutes, as already mentioned in point 31 below above, processing within the meaning of Article 4.2. of the GDPR, by definition subject to the control of a independent authority within the meaning of Article 8 of the EU Charter of Fundamental Rights, Article 16 of the TFEU and article 51 of the GDPR (see above). This control competence, in addition to the fact 10 that it is not, in concreto, granted by law to the Minister of the Interior, cannot in any case hypothesis be exercised by a Minister who, by definition, does not meet the required conditions to perform the duties of an independent data protection authority within the meaning of Article 51 of the GDPR (and which more generally must meet all the conditions set out in Chapter VI of the GDPR). There is therefore no question here of "conflict of jurisdiction with the Ministry of the interior "contrary to what the defendant claims. On the contrary, Article 17 of the Law RN itself refers to the competence of the DPA. 36. Thus, article 17 requires that each public authority, public or private body having obtained authorization to access information in the National Register is able to justify the consultations carried out and that for this purpose, in order to ensure the traceability of the consultations, each user keeps a log of consultations. 37. This article 17 further specifies that this register must contain: (1) the identification of the user individual (or process or system) that accessed the data, (2) the data that was consulted, (3) the way in which they were consulted, namely in reading or for modification, (4) the date and time of the consultation as well as (5) the purpose for which the data were consulted. 38. Finally, the same Article 17 also provides that this register of consultations is to be made available of the Data Protection Authority (APD) and this, in the opinion of the Litigation Chamber, for him 10 See. also in this regard Decision 61/2020 of the Contentious Chamber, point 40: “By virtue of Article 4 of the LCA, the Data Protection Authority is competent to monitor compliance with "laws containing provisions relating to the protection of the processing of personal data ". the case, no other supervisory authority is competent under the legislation in force, and no jurisdiction has not been withdrawn from the Data Protection Authority in this specific context, it is the competent supervisory authority (article 4.2. paragraph 2 LCA) ”. https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-61-2020.pdf Decision on the merits 48 / 2021- 10/15 allow the exercise of its control mission. It is indeed up to the data controllers authorized to consult the National Register to implement the conditions of the authorization in compliance with the requirements thereof and in accordance with the principle of accountability set out in articles 5.2. and 24 of the GDPR, whose compliance rests with the DPA. 11 39. In conclusion of the above, the Contentious Chamber rejects the argument of inadmissibility invoked primarily by the Respondent and continues to examine the merits of the complaint below. 5. As to the breaches on the part of the defendant 40. As the Litigation Chamber pointed out in point 32 above, Article 5.1 of the RN Law lists in paragraph 4 the notaries among the professionals authorized to access the data of the Register national, including address, with permission. 41. The Royal Decree of 11 September 1986 specifies in its article 1 that it is for the performance of the tasks that fall within their competence that notaries are authorized to access the information referred to in Article 3, paragraph 1, 1 ° to 9 °, and paragraph 2, of the RN Law among which contains the data "address" (M.B., 2 October 1986) (paragraph 33). 42. The Litigation Chamber is of the opinion that by consulting the "address" data of the complainant, either of an employee, the defendant did not consult in the context of the performance of a task that falls within his competence as a notary. These tasks must indeed be understood as being limited to what falls within the specific performance of the profession of notary and not tasks that are common to any employer, whatever it is, such as sending one or the other mail to its employees. 43. By virtue of his function, and for the sole accomplishment of the tasks relating to him, the notary has access to certain data in the National Register. It is incumbent upon him to scrupulously respect the purposes of this access which he prefers because of his profession. The circumstance that in all hypothesis, the defendant would have had access to the address data via another source (i.e. the BCSS in this case) is irrelevant in this regard. Indeed, the bases of legitimacy authorizing, under of Article 6 of the GDPR, access to these databases are separate as are the data to which access is therefore permitted are different. This is how the complainant rightly highlights the fact that the data contained in the BCSS and in the National Register (article 3 RN Law) are not identical - even if there are data common to the two databases data and that notaries do not have access to all of the data contained in the Register national - and that the basis of legitimacy to access it is their own. At most, the fact that the Decision on the Merits 48 / 2021-11 / 15 defendant would, in any event, have had access to the "address" data via another source could it be taken into account in the assessment of the sanction that the Contentious Chamber would decide to impose (see. infra). 44. By failing to respect the purpose of the access granted to it, the defendant consulted the National Register without an adequate legal basis. Therefore, she proceeded to a treatment of data in relation to which it is unable to validly invoke any basis of lawfulness required by Article 6 GDPR. In doing so, the defendant was guilty of a breach of Article 6 of the GDPR. This breach is combined with a breach of Article 5.1.a) of the GDPR according to which the processing of personal data must, in particular, to be lawful. This requirement, while not limited to compliance with Article 6, encompasses undoubtedly. 45. Nor does it appear to the Contentious Chamber that consultation of the National Register or of the BCSS, on the other hand, would have been necessary in this case. Indeed, the official address of the complainant appeared in the two contracts which bound it to the defendant. This address had been recalled by twice by email on January 23 and February 2, 2020 by the complainant. On the day of dispatch ecocheques in the mail on March 16, 2020, the complainant wrote to the respondent. This In response, the latter could have inquired about the address to which to send the requested ecocheques. In view of the context described by the defendant, the Contentious Chamber limits itself here to recalling that the principle of minimization expressed in Article 5.1.c) of the GDPR under which only the data processing necessary to achieve the purpose pursued must be respected. 6. As to corrective measures and sanctions 46. Under Article 100 LCA, the Litigation Chamber has the power to: 1 ° dismiss the complaint; 2 ° order the dismissal; 3 ° pronounce a suspension of the pronouncement; 4 ° propose a transaction; 5 ° issue warnings or reprimands; 6 ° order compliance with the requests of the person concerned to exercise these rights; 7 ° order that the person concerned be informed of the security problem; 8 ° order the freezing, limitation or temporary or definitive prohibition of processing; 9 ° order that the processing be brought into conformity; Decision on the merits 48 / 2021- 12/15 10 ° order the rectification, restriction or erasure of the data and the notification thereof data recipients; 11 ° order the withdrawal of accreditation of certification bodies; 12 ° give periodic penalty payments; 13 ° issue administrative fines; 14 ° order the suspension of transborder data flows to another State or an organization international; 15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences data on file; 16 ° decide on a case-by-case basis to publish its decisions on the website of the data. 47. It is important to contextualize the breaches for which the defendant has been held responsible with a view to to identify the most appropriate corrective measures and sanctions. 48. In this context, the Litigation Chamber will take into account all the circumstances of the species. 49. The Litigation Chamber found a breach of Article 6 combined with Article 5.1.a) of the GDPR on the part of the defendant, or a breach of one of the founding principles of protection data devoted to Chapter II "Principles" of the GDPR: the principle of lawfulness (article 5. 1. a) of the GDPR. In the absence of a legal basis, the data processing simply cannot have place (article 6 of the GDPR). 50. Without this circumstance alone establishing the seriousness of the breach, the Chamber Litigation recalls that the violation of the provisions listed in Article 83.5 of the GDPR (including Articles 5 and 6 of the GDPR) may result in a fine of up to 20,000,000 euros or in the case of a company, up to 4% of the total worldwide annual turnover of the previous exercise. The maximum amounts of fine that may be applied in the event of violation of these provisions are superior to those provided for other types of breaches listed in article 83.4. of the GDPR. 51. The quality of the defendant is a factor which contributes to the seriousness of the breach. Indeed, as the Litigation Chamber explained above, access to the National Register is strictly regulated and limited to certain professions in particular. Indeed, the National Register is not a innocuous database. As the Litigation Chamber had the opportunity to point out in its Decision on the merits 48 / 2021- 13/15 Decision 19/2020, this database including a certain amount of information - admittedly limited - relating to more than 11 million people, it requires, by its very nature, particularly rigorous, not only given its scope, but also due to its the very purpose of recording, storing and communicating information relating to (unique) identification of natural persons. It is therefore quite essential that those who benefit from access to the National Register, in strict compliance with its conditions. The notary is a public officer, appointed by the King. He exercises this public function within the framework of a strictly regulated liberal profession. He exercises public power by establishing acts authentic which have the force of a judgment in particular. The notary is also subject to a Code of ethics. All these elements require him to adopt an exemplary attitude towards compliance with the law, including data protection rules. The Litigation Chamber has already had the opportunity to underline this requirement with regard to public officials such as mayors and aldermen, but also companies benefiting from public concessions of parking lot or with regard to bailiffs. The same goes for notaries. 52. The Litigation Chamber further notes that this is a priori isolated breach, committed by a notary as part of the activities of his office, which can be qualified as an SME. Said breaches only concern an employee in a specific, punctual context, marked by loss of confidence and fears. These fears were linked both to the tense climate between the parties and the potential difficulties of movement in the event of a shipment to an incorrect address in the context of emerging confinement following the covid-19 pandemic. Nothing allows the Litigation Chamber to believe that the disputed processing is structurally part of the professional practice of the defendant. 53. The fact that the data "address" is relatively innocuous, not considered particularly sensitive by the defendant as well as the fact that it was already in the possession of the defendant and that this data was in any event accessible to him via the BCSS are also taken into account, 12 See. the Decision 19/2020 of the Contentious Chamber, page 13: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf In the same sense, see. with regard to the Vehicle Registration Directorate (DIV) database, access to which is also regulated, Decision 81/2020 of the Contentious Chamber (point 82): https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf 13 See. Decision 10/2019 of the Contentious Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as the Decision 11/2019: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-11- 2019.pdf and Decision 53/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au- fond-n-53-2020.pdf 14 See. Decision 81/2020 of the Contentious Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf Decision on the merits 48 / 2021- 14/15 to a certain extent, by the Litigation Chamber in its assessment of the sanction adequate. Indeed, by consulting the National Register, the defendant also has access to a number of other data - admittedly limited by the Royal Decree of 11 September 1986 already cited - relating to the complainant. The defendant further states in this regard that it has no other choice but to access all of this data, the available application cannot do not allow you to target your consultation on the single "address" data. The Litigation Chamber takes note of this double consideration. 54. The Litigation Chamber wishes to emphasize that, however, one should not be mistaken about the scope of this decision as to the substance and as to the breach sanctioned. It is, as it has been described above, access to a datum X (in this case the address) contained in a database data for strictly reserved access outside the legal conditions which is at the heart of this decision and here sanctioned; and this, much more than knowledge of the data "Address" as such. However, the Litigation Chamber is no less sensitive to the fact that in this case, the impact of this consultation on the complainant is low and possible prejudice in its head not demonstrated. 55. Finally, the Litigation Chamber also takes into account the measures put in place by the defendant to comply with the obligations incumbent on him in his capacity as processing: appointment of a data protection officer (article 37-39 of the GDPR), establishment of a register of processing activities (Article 30 of the GDPR), adoption of a policy protection of personal data intended for citizens, adoption of a security policy information accompanied by a procedure in the event of a data breach as well as the establishment a procedure for managing the rights of data subjects. 56. In conclusion of the foregoing, and in view of all the circumstances of the case, now aggravating, sometimes mitigating, the Litigation Chamber considers that the reprimand (i.e. the call to order referred to in Article 58.2.b) of the GDPR) 15 is in this case, the effective sanction, proportionate and dissuasive which is imposed on the defendant. 57. Finally, with regard to the breach of Article 14 of the GDPR invoked by the complainant by way of conclusions, the Contentious Chamber decides to dismiss the complaint with regard to this grievance. The Contentious Chamber is in fact of the opinion that this grievance came to be grafted on that of the absence of basis of lawfulness of the consultation of the National Register is not such as to modify its decision. The defendant explained in terms of its conclusions that the work regulations signed by the 15 As it has already had the opportunity to specify in several decisions, the Litigation Chamber recalls here that the warning punishes a breach that is likely to occur: see. Article 58.2.a) of the RPD in this regard. Decision on the merits 48 / 2021- 15/15 complainant contains a certain amount of information relating to the data processing carried out by the defendant with regard to its employees (Title VIII). The defendant specifies in this regard that this regulation dates from 2016 and is currently being updated. The Litigation Chamber recalls here the necessary compliance with the obligation of transparency and articles 12, 13 and 14 of the GDPR in terms of information to the persons concerned, including by an employer to its employees. 7. Regarding publicity and transparency 58. Considering the importance of transparency with regard to the decision-making process and decisions of the Litigation Chamber, this decision will be published on the website of the APD by deleting the direct identification data of parties and persons physical cited. FOR THESE REASONS, THE LITIGATION CHAMBER Decided - To issue a reprimand against the defendant on the basis of Article 100.1, 5 ° LCA given the breach noted in Article 6 of the GDPR combined with Article 5.1.a) of GDPR; - To dismiss the remainder of the complaint on the basis of Article 100.1.1 ° LCA. Under Article 108.1 LCA, this decision can be appealed to the Court of contracts (Brussels Court of Appeal) within 30 days of notification, with the Data Protection Authority as respondent. (Sé) Hielke Hijmans President of the Litigation Chamber