APD/GBA (Belgium) - 71/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=71/2022 |ECLI= |Ori...") |
No edit summary |
||
Line 73: | Line 73: | ||
}} | }} | ||
The Belgian DPA fined the Belgian National Railway €10.000 because it added promotional information in a service message. This resulted | The Belgian DPA fined the Belgian National Railway €10.000 because it added promotional information in a service message. This resulted the promotion message being classified as direct marketing. Neither consent nor an opt-out button were present. | ||
== English Summary == | == English Summary == |
Revision as of 12:58, 12 May 2022
APD/GBA - 71/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12 GDPR Article 21(2) GDPR Article 21(4) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 14.10.2020 |
Decided: | 04.05.2022 |
Published: | 04.05.2022 |
Fine: | 10000 EUR |
Parties: | NMBS |
National Case Number/Name: | 71/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 71/2022 van 4 mei 2022 (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA fined the Belgian National Railway €10.000 because it added promotional information in a service message. This resulted the promotion message being classified as direct marketing. Neither consent nor an opt-out button were present.
English Summary
Facts
A person tweeted an image of a newsletter they had received by the NMBS (Belgian National Railway). Following on that tweet, the DPA initiated an investigation on the data processing activities of the NMBS.
Their inspection of the DPA noted several issues: - There was no way to unsubscribe to the newsletter - There was no legal basis to send the newsletter - There were less intrusive ways to reach the purposes of the newsletter (informing passengers). - There were no appropriate technical and organisational measures put into place to ensure the processing complied with the GDPR.
The NMBS claims the newsletter was sent based on its terms and conditions: to inform passengers of the protective measures taken against the spread of the corona virus e.g. sanitary safety. As a governmental body, they also have this duty to inform passengers.
Holding
The DPA does not contest the intentions of informing the data subjects. However, the newsletter included more information than just the safety measures. The purpose of the newsletter was as such broader than purely informing the data subjects of the measures. It included (indirect) promotions of services and products. The newsletter must thus be classified as direct marketing and falls outside the scope of article 6(1)(b).
Since the newsletter is classified as direct marketing, the NMBS breaches article 12(2)article 21(2) and article 21(4) by not providing an adequate way to opt-out and by not informing the data subjects.
The DPA holds that the NMBS did not have a legal basis to send the newsletter to the data subjects and breaches article 5(1) and article 6(1). Additionally, there were less intrusive ways to reach the purpose of informing them e.g. publication on their website. The processing of personal data was not necessary.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/29 Dispute room Decision on the merits 71/2022 of 4 May 2022 File number: DOS-2020-04750 Subject : Newsletter Hello Belgium Railpass NMBS The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Yves Poullet and Frank De Smet; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has made the following decision: The defendant: NATIONAL COMPANY OF BELGIAN RAILWAYS (“NMBS”), nv of public law, with registered office at Francestraat 56, 1060 Brussels, registered with the Crossroads Bank for Enterprises (CBE) in Brussels, under number 0203.430.576, hereinafter referred to as “the defendant”, Decision on the merits 71/2022 - 2/29 I. Fact-finding procedure 1. On 14 October 2020, the GBA received a notification from a Twitter user about a newsletter they received from NMBS about the Hello Belgium Railpass. The Hello Belgium Railpass is a ticket with a number of free train rides that are free of charge to Belgian residents on request was provided. According to the person who made the report, the newsletter did not contain any possibility to deregistration thereof. 2. On 19 October 2020, the Inspectorate decided to bring the case before pursuant to Article 63, 6° WOG because serious indications could be established about the existence of a practice that could give rise to a breach of the fundamental principles of protection of personal data. 3. The inspection will be completed by the Inspectorate on 9 November 2020, the report will be submitted to the file is added and the file is transferred by the Inspector General to the Chairman of the Disputes Chamber (art. 91, § 1 and § 2 WOG). 4. The report contains the following findings: • The newsletter sent by e-mail was not necessary for the execution of the agreement (by requesting the Hello Belgium Railpass) between the defendant and the travelers involved. er a different way of publishing the newsletter could have been chosen. There was moreover, there is no legal basis for the processing of the personal data, since the sending of the newsletter by e-mail did not fulfill the agreement between defendant and the passengers. There are no appropriate technical and organizational measures taken to ensure and demonstrate that the processing took place in accordance with the GDPR. According to the Inspectorate, this leads to a violation of Articles 5.1, a) and c) and 5.2 of the GDPR, Article 6.1 of the GDPR, Article 24.1 of the GDPR and Articles 25.1 and 25.2 of the GDPR; • The right to object was not facilitated by the defendant while the targeted emails can be regarded as “direct marketing” which constitutes infringements of Article 12. 2 of the GDPR and Articles 21. 2, 21.3 and 21.4 of the GDPR. The report also contains findings regarding the data protection officer: • The DPO did not report to senior management body within the defendant's organization. • The job description, number of working hours per week, and access to resources by the data protection officer were found to be sufficient by the Inspectorate. The Opinions provided by the officer in the context of the targeted e-mails sent was, Decision on the substance 71/2022 - 3/29 according to the Inspectorate, also sufficient to assume that the legal obligation the level of advice was met. Therefore, the Inspectorate establishes an infringement of Article 38.3 of the GDPR, but no infringement on Article 38. 1, 38.2 and 38.6 of the GDPR and no infringement of Article 39 of the GDPR. 5. On February 19, 2021, the Disputes Chamber will decide on the basis of art. 95, § 1, 1° and art. 98 WOG that it file is ready for processing on the merits. 6. On February 19, 2021, the defendant will be notified of the provisions as referred to in Article 95, § 2, as well as those in art. 98 WOG. It is also on the basis of art. 99 WOG notified the time limit for submitting its defences. 7. The latest date for receipt of the defendant's statement of defense set at 2 Apr 2021. 8. On March 4, 2021, the defendant will request a copy of the file, and the defendant will accept electronically all communication regarding the case and he indicates that he wishes to make use of the possibility to be heard, in accordance with article 98 WOG. (art. 95, §2, 3° WOG) the file was transferred on March 17, 2021. Conclusion of the defendant's answer 9. On April 2, 2021, the Disputes Chamber will receive the statement of defense from the defendant. 10. According to the defendant, she received the e-mail containing the newsletter about the Hello Belgium Railpass sent lawfully. Defendant argues that the e-mails were sent in the context of the execution of the agreement between applicants/users of the Hello Belgium Railpass and defendant. The intended processing of personal data was therefore, according to the defendant, necessary for the execution of the agreement pursuant to Article 6.1 sub b GDPR and for the sanitary to ensure passenger safety. The conditions for using the Hello Belgium Railpass together with the General Conditions of Carriage are part of the transport contract with the passengers. Moreover, according to the defendant, it was necessary that the emails were sent given the precarious situation at the time, with a second wave in the Covid-19 epidemic in Belgium was coming and everyone therefore had to be extra alert in order to prevent the to ensure safety on the trains. In order to reach the travelers in time, NMBS was therefore forced to send applicants the newsletter by e-mail. The disclaimer of the email According to the defendant, it contained clear information about the intended purpose of the e-mail, namely the inform passengers about how the Railpass is used as correctly and optimally as possible had to be. According to the defendant, the principle of minimum data processing in accordance with article 5.1 sub c, as there is no realistic and less intrusive alternatives were available to give effect to the agreement., Decision on the merits 71/2022 - 4/29 11. Moreover, according to the defendant, the targeted e-mail did not constitute direct marketing in the sense of the article 21.2 GDPR because the email was not intended to directly or indirectly promote goods, services or the image of SNCB. The e-mail was part of the implementation of the government tasks of SNCB and these tasks are excluded from the term 'direct marketing'. Now that there is no direct marketing and processing took place on the basis of Article 6.1, b (performance of the agreement), According to the respondent, this means that the right of objection as laid down in Article 21.1 AVG does not applies to. In addition, the disclaimer of the e-mail regarding the Hello Belgium Railpass according to the defendant, clearly a hyperlink to the privacy statement of NMBS. The involved were therefore informed of the rights available to them. 12. The defendant further argues that the determination of the Inspectorate, according to which the officer data protection would not report directly to the highest management body within NMBS, is incorrect. Defendant makes it clear that the data protection officer reports to the CEO of SNCB, both periodically and ad hoc. The CEO is chairman of the Executive Committee as well as of the Executive Committee. Therefore, the officer reports for data protection fully in accordance with Article 38.3 to the highest body within NMBS and there is according to the defendant, there is no violation of this article. 13. On 14 February 2022, the parties are notified that the hearing will be held on February 28, 2022. 14. On February 28, 2022, the parties will be heard by the Disputes Chamber. 15. The minutes of the hearing will be submitted to the parties on March 16, 2022. 16. On March 23, 2022, the Dispute Chamber will receive the defendant's comments regarding until the official report. Defendant notes the following with regard to the representation in the proceedings- verbal: the communication that is the subject of the present procedure does not concern a newsletter but communication addressed to holders of the Hello Belgium Railpass. Defendant is from believes that the emphasis in the official report is placed on the first part of the communication containing the message “rediscover more than 500 destinations in Belgium”. According to the defendant, the foregoing is not consistent with what was submitted at the hearing by Defendant. In the Defendant's opinion, all elements in the communication should be regarded as equivalent The representation of what was not explained by the defendant during the hearing is according to defendant is also incomplete. Each of the components of the communication was aimed at spreading of travelers, encouraging them to use the Move Safe App and correctly pre- completing the Railpass to avoid aggression against personnel and to facilitate control. The The Disputes Chamber emphasizes that the response to the trial story does not reopen the debates, but that the representation of this reaction is useful in this case, for a better understanding of the position of the defendant., Decision on the merits 71/2022 - 5/29 17. On March 16, 2022, the Disputes Chamber notified the defendant of its intention to to proceed with the imposition of an administrative fine, as well as the amount thereof in order to give the defendant another opportunity to defend itself, before the sanction becomes effective imposed. 18. On April 8, 2022, the Disputes Chamber will receive the defendant's response to the intention to 1 imposing an administrative fine, as well as the amount thereof. II. Justification II.1. Compliance with the principles governing the processing of personal data (Articles 5.1 and 5.2 GDPR) and the lawfulness of the processing (Article 6.1 GDPR) 19. The processing of personal data is only lawful if it is based on one of the conditions set out in Article 2 6.1 GDPR listed legal bases. The Inspectorate has established that the processing of personal data of travelers who e-mail, containing a newsletter about the Hello Belgium Railpass, happened without a valid legal basis. In contrast to the defendant who believes that he can legally invoke Article 6.1.b GDPR, namely the execution of an agreement, the Inspection Service is of the opinion that that is not the case. According to the Inspectorate, the processing of personal data of train passengers by sending a communication via e-mail not necessarily for the implementation or preparation of the contract between the defendant and the applicants/travellers of the Hello Belgium Railpass. In addition, the processing was not necessary since the defendant had may choose to disseminate the information through other channels such as its website. The according to the Inspectorate, processing was therefore not based on one of the provisions set out in Article 6.1 of the GDPR listed legal grounds and, according to the Inspectorate, was in violation of Article 6.1 of the GDPR. 1 See point 68 of this decision. 2Article 6.1subbGDPR:“The processing is only lawful and subject to at least one of the following conditions is completed: a) the data subject has consented to the processing of his/her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party, or to of the data subject before the conclusion of a contract; c) the processing is necessary for compliance with a legal obligation incumbent on the controller; d) the processing is necessary to protect the vital interests of the data subject or of another natural person to protect; e) the processing is necessary for the performance of a task carried out in the public interest or of a task carried out in the context of the exercise of official authority vested in the controller; f) the processing is necessary for the representation of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject require the protection of personal data outweigh those interests, in particular where the data subject has a child.”, Decision on the merits 71/2022 - 6/29 20. Defendant invokes the performance of the agreement (Article 6.1 (b) GDPR) that NMBS/SNCB has with the the person concerned has. According to the defendant, the reliance on this legal ground is lawful since the legal conditions under NMBS/SNCB are fulfilled: there is a valid agreement with the The data subject and the processing is objectively necessary for the execution of the agreement. 21. Defendant makes it clear that the decision to provide a free Hello Belgium Railpass to Belgian residents was a decision taken by Royal Decree “with a view to the 3 recovery of the Belgian economy and the promotion of rail as public transport”. 22. The Hello Belgium Rail Passes could be used from October 5, 2020. This moment coincided with the “second wave” of the Covid-19 epidemic becoming increasingly critical. There was a large number rail passes requested and issued, so that NMBS could expect problems (again) on certain stations. In its submission, the defendant also submits a number of newspaper articles from which it appears that there was already concern among its management when the Hello Belgium Railpass was announced on the impact of the initiative on the sanitary safety of staff and travellers. To for the aforementioned reasons, the start of the validity period of the Hello Belgium Railpass according to defendant postponed twice. 23. In view of the situation described, according to the defendant, there was a need to do everything possible to ensure that this runs smoothly and where possible to avoid crowds. According to the defendant, therefore decides that: “(i) sending a communication to the holders (and thus to the expected users) of the Hello Belgium Railpass was necessary to support the existing initiatives of SNCB to avoid crowds and to draw attention to the conditions for using the ticket and (ii) that this was the only possible way to reach the travelers (on time). 24. Defendant states by conclusion that the conditions for the use of the HelloBelgium Railpass together with the General Conditions of Carriage of NMBS, the contract of carriage with the applicant/traveler. According to the defendant, these General Conditions of Carriage are available on the NMBS website and are listed in the footnote on every page of the website displayed. In view of the foregoing, according to the defendant, there is therefore a legally valid agreement between SNCB and the applicant for the Hello Belgium Railpass. 25. The endorsed e-mail that the defendant sent to the applicants for the Hello Belgium Railpass contains the following text: (i) “Rediscover more than 500 destinations in Belgium” accompanied by a “Find inspiration” button; 3Royal Decree of 28 July 2020 amending the Royal Decree of 21 December 2013 establishing the provisional rules that apply as a management contract of Infrabel and NMBS, Belgian Official Gazette 31 July 2020: “In the Royal Decree of 21 December 2013 to adoption of the provisional rules that apply to the management contract of Infrabel and SNCB, as last amended by the decree of 9 April 2020, an article 4/5 will be inserted, which reads as follows: "Art. 4/5.§1. In response to the COVID-19 crisis, wildfederalState to promote the use of rail transport, the tourist, recreational, cultural and economic sectors by, on the one hand, the Ask NMBS to distribute a new free ticket for domestic passenger transport, i.e. de12-TRAJECTS-PASS, and by temporarily allowing the bicycle to be taken on the train for free, Decision on the merits 71/2022 - 7/29 (ii) “MoveSafe app: your safety” accompanied by a button “Download the app” (iii) “Ready for your first trip?”; (iv) “Any questions? Consult our FAQ on how to use your Hello Belgium Railpass”, accompanied of a button 'View the conditions'; (v) The message “We wish you pleasant journeys with your Hello Belgium Railpass!” (vi) Disclaimer “With the above communication, NMBS wants to inform you about how you can use your Hello Belgium Railpass correctly and as optimally as possible. NMBS processes your personal data data to implement the agreement based on the Hello Belgium Railpass consists. You will find more details about how SNCB processes your personal data and about your rights 4 at www.nmbs.be/privacy” 26. In Article 4.1 GDPR, personal data is defined as: “Any information about an identified or identifiable natural person.” In this case you have the majority of the applicants for the Hello Belgium Railpass provided their name and e-mail address. This is personal data within the meaning of article 4.1 GDPR. Article 4.2 contains the definition of a processing, which reads: 'processing': a operation or set of operations on personal data or set of personal data, whether or not carried out by automated processes, such as collection, record, organize, structure, store, update or modify, retrieve, consult, use, provide by transmission, distribution or otherwise make available, align or combine, shield, erase or destroy data. The applicants personal data provided were (initially) collected by the defendant and used for the processing the Railpass application. Therefore, there is a processing of personal data within the meaning of Article 4.2 GDPR. 27. According to the defendant, the targeted e-mail from NMBS should be regarded as "an official" reminder of some of the essential terms of the contract of carriage with the traveler, in particular the obligation to use the ticket correctly and to always to monitor their own safety. Both obligations cannot be fulfilled by all simultaneously to the obvious (coastal) destinations. † 28. First of all, the Disputes Chamber points out that for a successful appeal to Article 6.1.b GDPR it is necessary that there is an agreement to which the person concerned is a party and that the processing is a necessary consequence of the agreement. In this case it should therefore be assessed whether the targeted e-mail can be regarded as a necessary corollary of the contract of carriage between the applicants for the railpass and the defendant. 4 See Appendix 1 to this decision for the targeted e-mail in its entirety, Decision on the merits 71/2022 - 8/29 29. For the Disputes Chamber there is no doubt that guaranteeing the sanitary safety of the train herons is a necessary element for the performance of the agreement in question. However, the e-mail also contains general information (which is rather promotional in nature) in which not only and specifically communicated about the sanitary situation at that time and the precautions to be taken to ensure safety. Becomes reported the large number of applications for a Hello Belgium Railpass. However, this is - as described above - not the only information given in the email. The text below For example, the section “Rediscover more than 500 destinations in Belgium” reads: Nearly 3.6 million Belgians have applied for a Hello Belgium Railpass. They are right! je must of course be able to explore our country in complete safety. Get inspired through our blogs that are overflowing with ideas to go on a city trip, to go out in the nature, with family or with friends… You will find something for everyone in Belgium! 30. The Disputes Chamber rules - in accordance with the findings of the Inspectorate - that the e-mail therefore also contains general promotional information that does not relate to the specific sanitary situation. Therefore, according to the Disputes Chamber, the e-mail can be sent, other than by the defendant argued, should not be classified as “An official reminder of some of the essential conditions of the contract of carriage with the traveler, in particular the obligation to to use the transport ticket correctly and to always monitor his own safety as a passenger ...”. The After all, the newsletter contains, in addition to a reference to the Move Safe app and announcements about the correct use of the Hello Belgium Railpass, also blogs to get inspiration to visit certain places to discover. 31. The Disputes Chamber also rules that the information contained in the e-mail can equally well be processing of the personal data of applicants for the Hello Belgium Railpass could have been to happen. The Inspectorate has established that the defendant also provided the aforementioned information had published his website https://www.belgiantrain.be. The content of the e-mail had The Disputes Chamber is not of such an urgent nature, because it would suffice in this specific case to publish on the website and/or the SNCB application, given its content. 5https://www.belgiantrain.be/nl of the VV which were taken on 27/10/2020 by the Inspectorate. See the screenshots of the website on the next page, Decision on the merits 71/2022 - 9/29 In this regard, the Disputes Chamber refers to the Guidelines of the European Committee for Data Protection (EDPB) on Article 6.1. b which states: “What the data protection legislation, data controllers should take into account that the foreseen processing activities must have an appropriate legal basis to have. When the agreement consists of several separate services or parts of a service that can in fact reasonably be provided independently of each other, the question arises to what extent Article 6(1)(b) can serve as a legal basis. In accordance with the principle of proportionality, the applicability of Article 6(1)(b) must be assessed in the Decision on the merits 71/2022 - 10/29 context of each of those services separately, looking at what is objectively needed is milk of the individual services that the data subject has actively performed or reported. This assessment may show that certain processing activities are not necessary are requested by the data subject for individual services, but rather are necessary for the broader business model of the controller. In that case, Article 6(1)(b) not be a legal basis for those activities. However, there may be other legal bases for those processing are available, such as Article 6(1)(a) or (f), provided that the relevant criteria are met.” 32. The EDPB further points out that an agreement defines the categories of personal data or the type of processing operations necessary for the performance of the agreement whereby the data subject is not allowed to artificially expand. It is also pointed out that what is covered by an agreement depends not only on the perspective of the controller, but also the reasonable expectations of the data subject. A very strict application is therefore appropriate in view of the high degree of precision of this legal basis. 33. Although not strictly necessary, since SNCB invokes Article 6.1.b, the Disputes Chamber ex officio and superfluously whether the defendant possibly has a successful appeal accrues to the legal bases of Article 6. 1 c, e and f of the GDPR. The Disputes Chamber notes that for the intended processing, the defendant invoked Article 6.1 b, (the implementation of the agreement) but on the other hand also stated: "Secondly, the e-mail regarding the Hello Belgium Railpass within the implementation of the government tasks of SNCB. NMBS has a public service obligation for domestic passenger transport by rail. like higher mentioned, NMBS was instructed by the Royal Decree on 28 July 2020 to issue the Hello Belgium Rail Passes To make available to the Belgian population to provide train journeys for which this title could be used.” Defendant was instructed by the King to dispose of the Rail passenger and had to process personal data for this to process the requests for Rail Passes The Royal Decree, however, does not contain any clearly defined provisions about the further processing of the personal data after the applications have been processed. One any appeal to article 6.1 sub c cannot succeed for this reason alone. 34. Article 6. 1e contains the legal basis task of general interest or a task for the implementation of the public authority. As already indicated above, this legal ground also applies that there is must be necessary for the processing. The Disputes Chamber does not consider it plausible that the (content of the) e-mail was necessary to carry out the task of general interest (making available of the Hello Belgium Rail Passes). 35. The Disputes Chamber points out in this regard that in accordance with Article 6.3 GDPR, read in coherence with Article 22 of the Constitution and in the light of Articles 7 and 8 of the European 6 EDPB, Guidelines 2/2019 on the processing of personal data pursuant to Article 6(1)(b) of the GDPR in within the framework of the provision of online services to data subjects,8 October 2019., Decision on the merits 71/2022 - 11/29 Charter of Fundamental Rights, a legislative standard, the essential characteristics of data processing must establish what is necessary for the performance of a task in the public interest or for the exercise of official authority entrusted to the controller. Qe7 Litigation room emphasizes that the processing involved should be framed by a standard that sufficiently clear accurate is foreseeable of the application for the persons involved is. In accordance with Article 6.3 GDPR, the precise purpose(s) of the processing in the legal standard itself. The foregoing was not the case in this case. In addition, do not come to establish that the e-mails sent were necessary for the implementation of the Royal Decree. This stipulates that the defendant can do the necessary and limit the use of the Railpass or terminate in case of force majeure. The Covid-19 epidemic and its consequences are not in sight discussion. However, according to the Disputes Chamber, the e-mails sent were - as already stated in the decision - not necessary for the mere provision of the Hello Belgium Rail passes, as a result of which a possible appeal to Article 6.1 e cannot succeed. 36. The legal basis of legitimate interest is laid down in Article 6.1 fAVG. The Disputes Chamber investigates or the further processing of the personal data of the railpass applicants in this case may have been lawful under the aforementioned provision. To determine this, the controller in accordance with the case law of the Court of Justice Which: 1) the interests they pursue with the processing can be justified as legitimate recognized (the “target test”) 2) the intended processing is necessary for the realization of those interests (the “necessity test”) 3) balancing those interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favor of the controllers or a third party (the “balancing test”). 37. First of all, the question is what interest and purpose the controller with the further processing of the personal data (target test). Due to the personal data of the to use those involved to send them an email mainly promoting the railpass, According to the Disputes Chamber, the defendant's aim was, among other things, to to encourage the railpass to travel. The promotion of the railpass by becoming a defendant regarded as a (commercial) legitimate interest. 38. In order to satisfy the second condition, it must be demonstrated that the processing was necessary for the achievement of the objectives pursued 7 See also the advice of the Knowledge Center of the GBA 36/2020, 42/2020, 44/2020, 46/2020, 52/2020 and 64/2020(https://www.dataprotectionauthority.be/burger/zoeken?q=&search_category%5B%5D=taxonomy%3Apublicati us&search_type%5B%5D=advice&s=recent&l=2, Decision on the merits 71/2022 - 12/29 (necessity test). This means that the question must be asked whether means the same result can be achieved without processing personal data or without unnecessary processing for the data subjects. The Disputes Chamber determines that it was by no means necessary to further process the passengers' personal data To send them the targeted e-mail believe that the message announced in the e-mail is also in a different way could have been made known. The second condition is therefore not met. 39. The third condition concerns the “balancing test” between the interests of the controller on the one hand, and the fundamental freedoms and rights of concerned, on the other. In accordance with Recital 47 GDPR, when determining this, verify whether the “data subject at the time and in the context of the collection of the personal data can reasonably expect that processing for that purpose can take place” The Disputes Chamber establishes that those involved could not have expected that the personal data provided in the context of a transport contract be used for purposes other than processing the request for a rail pass, in particular promotional activities. Therefore, any recourse to Article 6. 1, f would not to succeed. 40. In view of the above, the Disputes Chamber is of the opinion that the processing of the personal data by sending e-mails happened without the choice (and even the presence) for a lawful basis. Defendant's appeal on the legal basis execution of the agreement of Article 6.1b, cannot be invoked in this case, since the e-mail mail is not a necessary corollary of the contract of carriage between the parties. That's why there is also not met the principle of necessity as laid down in Article 5.1c of the GDPR. The The Disputes Chamber therefore establishes infringements of Articles 5.1 a and c, 5 . 2 and 6 . 1 GDPR. Right to object and direct marketing 41. The Inspectorate has come to the conclusion that there was direct marketing by the dispatch of the newsletters by the defendant and that there is no effective right to object was awarded to those concerned. Therefore, according to the Inspectorate, there was an infringement on Articles 21. 2 and 21.4 GDPR. 42. On the basis of Article 12 of the GDPR, the controller should inform the data subjects transparent information. In doing so, the controller must, among other things: exercise of the data subject's rights on the basis of Articles 15 to 22 of the to facilitate GDPR. Article 21 of the GDPR sets out the right of objection of the data subjects vis-à-vis by the controller. Article 21. 2 provides that when personal data are processed for direct marketing purposes, the data subject at all times has the right to object to the processing of the data concerning him at any time personal data. If the data subject exercises that right against processing for direct, Decision on the merits 71/2022 - 13/29 marketing, the personal data may no longer be processed for that purpose by the controller. The right to object according to Article 21. 4 must be submitted at the latest at the first contact with the data subject to be brought to the attention of the data subject and displayed clearly and distinctly from the other information. 43. The defendant disputes the findings of the Inspectorate and argues that there was no direct marketing, as: ”(i) the email was not intended for direct or indirect promotion of goods, services or the image of SNCB and (ii) the e-mail is part of the implementation of the government tasks of SNCB that are excluded from the concept of 'direct marketing'. 44. The GDPR does not define what is meant by “direct marketing”. Nor there is to date an official, legal, or generally accepted definition of this term on European level. The GBA clarified its interpretation of this legal concept in recommendation 1/2020 as follows : “Any communication, in whatever form, solicited or unsolicited, from a organization or person and aimed at the promotion or sale of services, products (whether or not fee), as well as brands or ideas addressed by an organization or person who acts in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and who involves personal data”. Thus, under “direct marketing” various forms of promotion, such as email newsletters, commercial telephone calls or text messages or e-mails, or online advertising and this, whether or not in a commercial context.” 45. According to the above interpretation, the promotion or sale of services or products where does not have to be paid for can also be regarded as direct marketing. The defendant stated, however, that e-mails regarding the Hello Belgium Railpass - among other things - cannot be regarded as direct marketing because the railpass was awarded completely free of charge to the applicants thereof. The Disputes Chamber is of the opinion that this view is incorrect based on the the above interpretation of the term direct marketing. 46. In addition, according to the defendant, the e-mail regarding the Hello Belgium Railpass falls within the scope of the implementation of SNCB's government tasks. In its conclusion, it states in fact: ”NMBS has a public service obligation for domestic passenger transport by rail. She received at KB 28july2020fromtheKingtheordertofittheHelloBelgiumRailtotheBelgianpopulation and to provide the train journeys for which this title could be used. As a result, e-mail cannot be considered "direct marketing" for this reason either after all, expressly confirmed by the Direct Marketing Recommendation of the GBA itself.” 8 GBA, Recommendation No. 01/2020 of January 17, 2020 regarding the processing of personal data for direct marketing purposes”, p. 9, Decision on the merits 71/2022 - 14/29 47. The defendant also quotes the following from the Direct Marketing recommendation of the GBA: “This definition includes all forms of communication, whether or not they are promotional” of goods or services, the promotion of ideas suggested or supported by any person or organization, but also the promotion of that person or organization itself, including its brand image of the brands owned or used by it, with the exception of the promotion carried out at the initiative of public authorities acting strictly in the under their legal obligations or public service tasks for services for which they alone are responsible.” Finally, communications from government services conducting certain campaigns (eg. vaccination campaigns) or services (e.g. telephone centers for assistance to persons in difficulty) promote what they are legally responsible for or offer as a public service, not considered direct marketing communications unless they simultaneously provide specific services or promote products offered by private service providers.” 9 48. It is apparent from the above and from what was stated at the hearing that the defendant argues a duty to have to promote the Hello Belgium Railpass because they have a legal had responsibility. The emails should therefore be classified as a “public authorities notice” or a “promotion at the initiative of public authorities”. The However, the recommendation of the GBA emphasizes that there must be a promotion that is carried out at the initiative of public authorities acting strictly within the framework of their legal obligations or public service duties. 49. In addition, the defendant cannot simply be regarded as a “public service”, such as defined above. After all, the defendant is an autonomous public company. Characteristic of the status of an autonomous public company is the express possibility that these companies are allowed to perform, in addition to their statutory public service missions 10 develop other activities. A restrictive conception of According to the Disputes Chamber, government service is appropriate in view of the foregoing. The The Disputes Chamber also wishes to point out that according to article 221 § 2 of the Act protection of personal data is a legal person under public law that offers services on the market which makes it unlike "the government and their appointees or agents" an administrative fine within the meaning of 83 GDPR may be imposed. This is according to the The Disputes Chamber also provides an indication that the defendant cannot be considered "classic" government. 9Quotation and marking by defendant from recommendation Direct marketing GBA 01/2020 10 Article 7 of the Act on the Reform of Certain Economic Public Enterprises, Decision on the Substance 71/2022 - 15/29 50. The Disputes Chamber is of the opinion that the email sent (which also contains general information that not related to the specific sanitary situation or not specifically valid when used of the Hello Belgium Railpass but could also be applicable when using other tickets) cannot be regarded as promotion strictly limited to the carrying out the legal obligation imposed on SNCB in the context of offering the Hello Belgium Railpass or which was limited to the provision of a public service. The The Disputes Chamber also points out that the e-mail sent may also contain the (possibly indirectly) promoting services or products provided by private service providers are offered, which is an additional indication that the email was not exclusively related on a public service. 51. It would also be assumed by the petitioner that it concerns a communication originating from a government agency, the content of that communication cannot be unlimited. The defense that the email which was sent would not be direct marketing because SNCB had the task as a government agency informing the travelers is of no use, according to the Disputes Chamber. It would free the defendant have stood in the context of its statutory task / task of general interest, the travelers to notify and inform with regard to the special sanitary situation due to the pandemic. Therefore, the defendant could have included in the e-mail that the stations were being crowded expected and that this crowding could pose a danger. In doing so, she should have limit to informing travelers of this danger. 52. In the opinion of the Disputes Chamber, however, the content of the e-mail cannot be interpreted as merely factual information about the sanitary situation at the time in which travelers were warned and asked to exercise caution and to spread out as much as possible. On the contrary, the e-mail had little to do with the referrals and content that the sanitary situation, (also) acquired a commendable character, in order to ensure that there as many people as possible would use the Railpass (and other services or products, or (indirectly) even from other transport tickets). 53. Accordingly, it has not been demonstrated by the defendant that the e-mails were strictly for the purpose of encourage travelers to choose less crowded cities. Although there are tips given to visit certain cities, the main message of the e-mail is according to the Dispute chamber does indeed promote the Hello Belgium Railpass or even others tickets and services or products (although not always explicitly mentioned). In addition, it is not important that NMBS/SNCB would not derive any financial advantage from this of the e-mails referred to the special services provided by SNCB, which corporate image. The Disputes Chamber therefore agrees with the Inspectorate, where this states that there is promotion: After all, the message is that the services of the VV allow train passengers to (1) rediscover more than 500 Belgian destinations, (2) travel comfortably and safely and (3) easily use their Railpass.” Defendant had can choose to send a notification that immediately and clearly conveys the message, Decision on the substance 71/2022 - 16/29 it could be deduced that there was a fear that certain cities would be too crowded and travelers should take this into account. In addition, the communication between the data protection officer and various employees of the defendant that one is aware of the fact that the mailing could be classified as direct marketing and that for these reasons a correct balance and description was sought so that the e-mail emails would be regarded as part of the execution of the agreement. That's how it falls among other things to read in this communication: ”Provided that we have the direct link to the blogs be able to extract it and replace it with a text that points more to our planning module on the site we can bring this information under the justification ground “execution of a contract” which is a stronger argument to say that people cannot afford this unsubscribe.” 54. The Dispute Board is therefore of the opinion that the targeted e-mails should be marked as direct marketing. 55. Article 21.1 provides that the right to object should be facilitated in the event that data is processed on the basis of Article 6.1(e) off) GDPR. In accordance with article 21. 2 of the GDPR has the data subject whose personal data is used for direct marketing purposes also processes the right to object to the processing concerning him at any time personal data, including profiling related to direct marketing 56. Defendant invoked with regard to the processing of the personal data for the transmission of the e-mails to the applicants (wrongly, by the way, cf. supra) on the legal basis of the execution of an agreement article 6.1, b, arguing that the targeted e-mails were necessary to comply with that agreement and to ensure the safety of the travelers and the employees as a result of which art 21.1 AVG would not apply. from direct marketing would also be out of the question since the defendant in the context of its assignment from the government has sent these e-mails, so that Art 21.2 AVG would not apply. As discussed above, according to the Disputes Chamber, the e-mails can be regarded as direct marketing whereby the defendant had the obligation to art. 21.2 and art. 12.2 GDPR to provide and facilitate the right to object. 57. The defendant points out that the disclaimer of the e-mail regarding the Hello Belgium Railpass contains a contained a clear hyperlink to the SNCB privacy statement. Via this hyperlink, data subjects informed about other rights such as the right to erasure about which they possessed. Therefore, according to the defendant, the persons concerned had invoked the right to having their data erased can have the same effect as the right to object. 58. The Disputes Chamber rules that the right to object has not been facilitated in this case. Defendant points out that data subjects could have other rights such as the right to erasure 11 Document 11 to the defendant's claim: e-mail from DPO of 6 October 2020, Decision on the merits 71/2022 - 17/29 This should be done by sending an e-mail to SNCB together with a copy of the identity card. The Disputes Chamber emphasizes that the right of objection is a right that is expressly assigned to data subjects according to Article 21. 2 GDPR. This right is according to Article 21.4 in addition, during the first contact and clearly separated from other any other information to be displayed. With regard to information about the right to object (Article 14.2 b) GDPR) in particular, Article 21.4 GDPR expressly states that this possibility, separate from the other information, already in the first message to the data subject, should be Hospitalized. However, the e-mail that is the subject of these proceedings does not in no way expresses the right of objection. What's more, it doesn't contain any reference to this right of objection. Recital 70 GDPR provides, however, that this right is expressly, in a clear manner and separately from other information, should be brought to the attention of the data subject brought. In the absence of notice of this right of objection in the emails targeted, the controller also acted in violation of Article 21.4 of the GDPR. 59. In Recommendation 1/2020 on direct marketing, the DPA also states that the data subject is entitled to object to direct marketing should be easy to exercise, taking into account the means by which the controller communicates with the data subject: “if the mandatory information is provided digitally or if you contact the person through digital channels, 13 a single click should suffice” 60. In view of the above, the Disputes Chamber establishes infringements of Articles 12. 2, 21.2, 21. 3 and 21.4 of the GDPR as the defendant does not have the right to object for data subjects facilitated while the targeted e-mails can be regarded as direct marketing. The Data Protection Officer 61. Article 38.3 provides that the data protection officer reports directly to the highest management level of the controller. In the guidelines of the Working Group 29 on the Data Protection Officer becomes the following explanation given to reporting to the most senior manager as referred to in Article 38.3: ”If the controller or processor makes decisions that are not in line subject to the General Data Protection Regulation and the opinion of the officer data protection, the latter should be given a chance to express his/her dissenting opinion to the top managers and to those who make the decisions Article 38.3 provides that the data protection officer "directly [reports] to the senior manager of the controller or the 14 processor". Such reporting ensures that senior management (e.g. the 12Article 21.4 GDPR. The right referred to in paragraphs 1 and 2 shall be exercised at the latest at the time of the first contact with the data subject expressly brought to the attention of the data subject and presented clearly and separately from any other information. 13 GBA, Recommendation no.01/2020 of January 17, 2020 on the processing of personal data for direct marketing purposes, marginal number 162, p. 54 14Guidelines for the Data Protection Officer of the Working Group 29, WP 243 rev.01, p.19, adopted by the EDPB., Decision on the merits 71/2022 - 18/29 board of directors) is aware of the advice and recommendations that the officer data protection provided in the context of its mission to the controller or to inform and advise the processor. 62. The Inspectorate has established that the defendant does not comply with this provision, as explained by the Working Group 29. From the respondent's answer to questions from the Inspection service about the exact position of the official within the organization chart, according to the Inspectorate that the officer does not report directly to the highest level, in this case the CEO. 63. The defendant disagrees with the Inspectorate's finding. To demonstrate this lay defendant in conclusion various documents about e-mail correspondence between the data protection officer and the assistant to the CEO regarding privacy issues. A PowerPoint prepared by the data protection officer is also available presentation to the executive committee entitled: “GDPR points for attention and interim update audit” added. A “Governance Charter for the Protection of Personal Data” was issued also inserted therein it reads: - That the Data Protection Officer together with the Chief Information Security develop a policy for the protection of personal data and submit it to the executive committee. - He advises the Executive Committee and all parts of SNCB on the protection of personal data and on setting up a structure and processes to ensure compliance with the ensure rules for the protection of personal data - The DPO reports important shortcomings in the processing of personal data, the comply with the rules or policies for the protection of personal data directly to the Executive Committee - The management committee ratifies the policy for the protection of personal data and the information security policy and makes the necessary resources available to the Data Protection Officer to indicate the direction desired by SNCB for the management of personal data to the entire organization. 64. The Disputes Chamber is of the opinion that, on the basis of the documents submitted and has made sufficiently plausible what was stated by the official at the hearing that the data protection officer reports or can report directly to the highest management level within the organization. At the hearing, the officer declared not to have experienced any opposition and was encouraged by the board is fulfilling its legal obligations. According to the Disputes Chamber, the mail correspondence between the data protection officer and the CEO as well as from the “Governance Charter” that can be reported directly to the CEO who also, Decision on the merits 71/2022 - 19/29 is permanent chairman of the Executive Committee as well as the Executive Committee of SNCB. The The Disputes Chamber is therefore of the opinion - unlike the Inspectorate - that the defendant has Article 38. 3 GDPR and there is therefore no infringement of that Article. III.Sanction 65. The Disputes Chamber puts the following points first when determining the sanction. emails sent to customers in connection with the use of the Hello Belgium Railpass. It it has been established before the Disputes Chamber that the NMBS/SNCB/NMBS is responsible for the sanitary and commercial considerations mixes. Where it is justifiable in connection with the Covid-19 crisis that the NMBS are inform customers about health risks associated with the use of the train, this does not apply to incentives to use the train as much as possible, including for tourist field trips. 66. Another point concerns the power to impose a fine on SNCB. The SNCB is a legal entity under public law that offers services to a market NMBS/SNCB does not fall under the exception with regard to the imposition of administrative fines, as provided for in art. 221 § 2 of the Law on the Protection of Natural Persons with with regard to the processing of personal data from 30 July 2018. 67. The Disputes Chamber decides to impose an administrative fine that does not matter serves to end an offense committed, but with a view to a powerful enforcement of the rules of the GDPR. As is clear from Recital 148 GDPR, the GDPR states after all, it is important to note that for every infringement – thus also when an infringement is first established – penalties, including administrative fines, in addition to or instead of appropriate measures imposed. 15 68. Next, the Disputes Chamber shows that the infringements committed by the defendant of the Articles GDPR in no way concerns minor infringements, nor that the fine would be a disproportionate burden to a natural person as referred to in Recital 148 GDPR, where in any of in both cases a fine can be waived. The fact that it is a first finding of a violation of the GDPR committed by the defendant, thus in no way prejudices 15Recital 148 states: “In order to strengthen the enforcement of the rules of this Regulation, penalties, including including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in lieu of appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If it is a small infringement or if the expected monetary fine would cause a disproportionate burden and on a natural person, instead of a fine are chosen for a reprimand. However, the nature, severity and duration of the the infringement, with the intentional nature of the infringement, with damage mitigation measures, with the degree of responsibility, or with previous relevant infringements, with the manner in which the infringement came to the attention of the supervisory authority, with compliance with the measures taken against the controller or processor, with the affiliation with a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines must be subject to adjusting the procedure and guarantees in accordance with the general principles of Union law and the Charter, including an effective remedy and a fair administration of justice. [own underline], Decision on the substance 71/2022 - 20/29 the possibility for the Disputes Chamber to impose an administrative fine. The The Disputes Chamber imposes the administrative fine in accordance with Article 58.2 i) GDPR. It The administrative fine is in no way intended to end infringements. To that end the GDPR and the WOG provide for a number of corrective measures, including the orders mentioned in article 100, § 1, 8° and 9° WOG. 69. Taking into account Article 83 AVG and the case law 16 of the Marktenhof, the motivation Dispute chamber imposing an administrative sanction in concrete terms: - The gravity of the infringement: It is established that the defendant has committed several infringements of the principles of Articles 5 and 6 of the GDPR and the rights of data subjects in Articles 12 and 21 of the GDPR. Such infringements constitute a significant infringement of the objectives of the Regulation, namely to protect fundamental rights and fundamental freedoms of natural persons and in particular their right to the protection of personal data.In addition, article 83.5 prescribes before the highest administrative fines may be imposed for violations of the aforementioned articles. The NMBS has cooperated during the investigation. - The duration of the infringement: sending the newsletter to the applicants of the Hello Belgium Railpass happened in October 2020. It is therefore a one-off violation, which justifies the relatively low amount of the fine. - The size : As can be seen from the sent targeted newsletter itself, there are 3.6 million Hello Belgium Rail passes requested. This therefore concerns almost a third of the entire Belgian population, making the size of the infringement exceptionally large. - The necessary deterrent effect to prevent further infringements. It appears from this file that insufficient account was taken of the personal data protection of data subjects, which should actually be central given the defendant's business model. Processing personal data is after all an important part of the defendant's activity. It is of crucial importance that such companies comply with data protection rules. The facts anddeterminedviolationsnoontoapenaltythatmeetstheemergencysome to have sufficient deterrent effect, whereby the defendant becomes sufficiently strong sanctioned, so that practices involving such violations would not be repeated, and so that the defendant would henceforth pay more attention to personal data protection. 70. On March 18, 2022, a sanction form (“form for response against intended sanction") addressed to the defendant. In summary, the defendant responded as follows: 16 Brussels Court of Appeal (Market Court section), Judgment 2020/1471 of 19 February 2020. Judgment on the merits 71/2022 - 21/29 According to the defendant, the Disputes Chamber did not take sufficient account of the special situation and context in which the respondent was at the time of sending the newsletter. The communication happened during the second wave of the epidemic and served as much as possible to distribute travelers. Defendant was obliged by the government to issue the Railpass and received a flat-rate compensation, regardless of whether the card was used or not. Defendant was only trying to properly perform the contractual obligation that it was entered into with Railpass users. Referring to other destinations in the newsletter was only a limited part of the communication. There is no mention of it knowingly mixing commercial and sanitary considerations by such as by the Dispute chamber is stated in the sanction form. The defendant argues that there is also political no initiative has been taken to spread travelers across different destinations, as a result of which the defendant has done this in order to properly implement the contractual relationship with Railpass users. According to the defendant, the Disputes Chamber furthermore, disregarding the fact that the defendant has indeed taken into account taking into account the rights of data subjects. According to the defendant, the aforesaid was done by a analyze the legal basis used, seek advice from the officer and facilitating the rights of data subjects. 71. The defendant is of the opinion that the sanctions are unacceptable. Especially now that the Railpass was framed within the public service obligation of the defendant to offer the Railpass free of charge. In other words, the defendant would be sanctioned for failing to take the measures it imposed by the government. 72. The Disputes Chamber is of the opinion that all arguments put forward by the defendant in the sanction form have already been dealt with in this decision and were taken into consideration taken in the determination of the administrative fine in accordance with article 83.2 AVG Defendant's assertion that it was trying to properly implement the agreement between her and the travelers cannot succeed, according to the Disputes Chamber, since the processing in this case was not necessary for the execution of the agreement (see above marginal 29 ff.) The reference to other destinations in the e-mail was according to defendant only a limited part of the communication and there is no question of the the deliberate mixing of commercial and sanitary considerations disagree with this. According to the Disputes Chamber, the targeted e-mail does contain earlier commercially oriented content. Therefore, the sanitary purposes which according to the defendant the actual purpose in sending the email was deliberate and commercial considerations mixed. Finally, the Disputes Chamber points out that it is not under any obligation, nor on the basis of the AVG or the WOG, nor on the basis of case law of the Market Court, to explain the motivation of the present decision prior to the taking of the decision concerned to the to submit contradictions of the defendants, the sanction form serves only to offer the possibility of opposing the intended sanction., Decision on the merits 71/2022 - 22/29 73. On the basis of all the elements set out above, the Disputes Chamber decides to maintain the intended sanction of €10,000. The determined infringements justify and a effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account with the assessment criteria specified therein. The Disputes Chamber points out that the other criteria of art. 83.2. GDPR in this case are not of a nature that they lead to a different administrative fine than that which the Disputes Chamber has set in the context of this decision. IV. Publication of the decision 74. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision will be published on the website of the Data protection authority, stating the identification data of the defendant having regard to the public interest of the present decision, on the one hand, and the inevitable possibility of re-identification of the defendant in case of pseudonymization, on the other hand. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - Pursuant to article 100, §1, 13° WOG and art. 101 WOG to impose an administrative fine to impose €10,000 for infringements of Articles 5.1 sub a and c, 5. 2 , 6. 1, 12. 2, 21. 2, 3 and 4 GDPR. Against this decision, pursuant to art. 108, § 1 WOG, appeal to be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant Against this decision, pursuant to art. 108, § 1 WOG, appeal must be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant. (trans.) Hielke Hijmans Chairman of the Disputes Chamber, Decision on the merits 71/2022 - 23/29 Attachment: The targeted e-mail in Dutch and French together with the website where you are right comes after clicking on the link in the mail, Decision on the merits 71/2022 - 24/29, Decision on the merits 71/2022 - 25/29, Decision on the merits 71/2022 - 26/29 NL, Decision on the substance 71/2022 - 27/29, Decision on the substance 71/2022 - 28/29 Via the link "rediscover more than 500 destinations in Belgium" you recently (May 2, 2022) ended up on the website with the following:,Decision on the merits 71/2022 - 29/29