APD/GBA (Belgium) - 62/2022: Difference between revisions
No edit summary |
No edit summary |
||
Line 76: | Line 76: | ||
Second, it was alleged that the controller sent a group e-mail (16 recipients) and put all of them in CC instead of BCC. This revealed the e-mail addresses of all recipients to one another. | Second, it was alleged that the controller sent a group e-mail (16 recipients) and put all of them in CC instead of BCC. This revealed the e-mail addresses of all recipients to one another. | ||
Third, it was alleged that the controller was sending out | Third, it was alleged that the controller was sending out a newsletter which, among others, invited the recipients to donate to the controller without having a legal basis for such communications. The controller argued that the newsletter does not qualify as direct marketing but is an essential tool of the controller to keep the parents of the children involved, especially the ones whose children are staying in living groups of the controller. | ||
In its investigation the DPA | In its investigation the DPA established that the first allegation was not supported by evidence and that the email incident was not communicated to the DPA by the controller. The DPA also found that the newsletter is only received by the parents if they subscribe to it on the website of the controller and that it contains an unsubscribe button. | ||
=== Holding === | === Holding === | ||
The DPA issued reprimands to the controller for violating [[Article 6 GDPR]] by using CC instead of BCC as well as [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]] for not clearly informing the parents about the marketing content of the newsletter, and issued a warning to the controller regarding the notification of personal data breaches under [[Article 33 GDPR]]. | |||
Although the DPA found that the complaint did not provide sufficient evidence of a violation of the controller regarding the taking of pictures of the data subject, it discussed the hypothetical situation that visual material of juveniles would have been made public by the controller. The DPA decided that in such a case prior consent, or at least specific permission of the parents or legal guardian is indispensable in the absence of a legitimate interest or legal obligation for the publication of pictures. It further noted that the controller can as a public authority not invoke legitimate interest as a legal basis for the processing personal data. | |||
Regarding the use of CC instead of BCC, the DPA concluded that the controller violated [[Article 6 GDPR]] because it had no legal basis to disclose the email addresses. Furthermore, it concluded that the usage of CC amounted to a data breach but did not pose a risk to the rights and freedoms of the data subjects because the exposure was limited to e-mail addresses and to a small group of recipients (16 people). The DPA therefore found that the controller was not obliged to report the data breach to the DPA according to [[Article 33 GDPR#1|Article 33(1) GDPR.]] | |||
Regarding the newsletter, the DPA considered it partly as direct marketing for which the controller obtained consent as a legal basis. However, the DPA noted that the controller, when informing the data subjects about the purposes of the newsletter in its privacy policy, did not make a clear distinction between communications in relation to its core mission and marketing communciations. The DPA therefore found that the controller infringed [[Article 12 GDPR|Articles 12]] and [[Article 13 GDPR|13 GDPR]]. | |||
The DPA | |||
== Comment == | == Comment == |
Revision as of 11:11, 1 June 2022
APD/GBA - 62/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12 GDPR Article 13 GDPR Article 30 GDPR Article 33(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 23.07.2018 |
Decided: | 29.04.2022 |
Published: | 29.04.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 62/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 62/2022 (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA held, among others, that a controller is not obliged to report a data breach which resulted from listing the recipients of an email in CC instead of BCC if the email is only received by a small group (16 people).
English Summary
Facts
The data subjects are a mother and her son. The controller is a public institution for youth care with a focus on children with a difficult family background. On 23 July 2018, the Belgian DPA received a complaint from the mother containing three alleged violations of the controller:
First, it was alleged that the controller took photographs of the complainant’s minor son for the purpose of external publication, without the necessary parental consent.
Second, it was alleged that the controller sent a group e-mail (16 recipients) and put all of them in CC instead of BCC. This revealed the e-mail addresses of all recipients to one another.
Third, it was alleged that the controller was sending out a newsletter which, among others, invited the recipients to donate to the controller without having a legal basis for such communications. The controller argued that the newsletter does not qualify as direct marketing but is an essential tool of the controller to keep the parents of the children involved, especially the ones whose children are staying in living groups of the controller.
In its investigation the DPA established that the first allegation was not supported by evidence and that the email incident was not communicated to the DPA by the controller. The DPA also found that the newsletter is only received by the parents if they subscribe to it on the website of the controller and that it contains an unsubscribe button.
Holding
The DPA issued reprimands to the controller for violating Article 6 GDPR by using CC instead of BCC as well as Articles 12 and 13 GDPR for not clearly informing the parents about the marketing content of the newsletter, and issued a warning to the controller regarding the notification of personal data breaches under Article 33 GDPR.
Although the DPA found that the complaint did not provide sufficient evidence of a violation of the controller regarding the taking of pictures of the data subject, it discussed the hypothetical situation that visual material of juveniles would have been made public by the controller. The DPA decided that in such a case prior consent, or at least specific permission of the parents or legal guardian is indispensable in the absence of a legitimate interest or legal obligation for the publication of pictures. It further noted that the controller can as a public authority not invoke legitimate interest as a legal basis for the processing personal data.
Regarding the use of CC instead of BCC, the DPA concluded that the controller violated Article 6 GDPR because it had no legal basis to disclose the email addresses. Furthermore, it concluded that the usage of CC amounted to a data breach but did not pose a risk to the rights and freedoms of the data subjects because the exposure was limited to e-mail addresses and to a small group of recipients (16 people). The DPA therefore found that the controller was not obliged to report the data breach to the DPA according to Article 33(1) GDPR.
Regarding the newsletter, the DPA considered it partly as direct marketing for which the controller obtained consent as a legal basis. However, the DPA noted that the controller, when informing the data subjects about the purposes of the newsletter in its privacy policy, did not make a clear distinction between communications in relation to its core mission and marketing communciations. The DPA therefore found that the controller infringed Articles 12 and 13 GDPR.
Comment
Note that in Belgium, the government and its institutions cannot be fined.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/21 Dispute Tribunal Decision on the merits 62/2022 of 29 April 2022 File number : DOS-2018-03944 Subject: Sending a global e-mail with all destinations visible, sending service messages without a legitimate basis and processing images of a minor without parental consent The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Mr Yves Poullet and Mr Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the Rules of Procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Moniteur Belge on 15 January 2019; Having regard to the documents in the file; has adopted the following decision on: The complainant: Ms X, hereinafter "the complainant"; The defendant: Y, hereinafter "the defendant" or "the controller Decision on the merits 62/2022 - 2/21 Facts and procedure On July 23, 2018, Ms. X filed a complaint with the Data Protection Authority (hereinafter 'GBA') against Y. The subject matter of the complaint relates to a grouped transmission of data by e-mail which allowed the recipients to identify the e-mail addresses of other data subjects and to the sending of communications (service messages) for which the legal basis was contested by the complainant. In addition, the complainant alleges that the defendant, without informing her in advance, allowed the complainant's minor son to participate in a project intended for external publication, which also involved taking photographs of the son, but without obtaining the complainant's parental consent. On 11 September 2018, the complaint was declared admissible by the First Aid Service on the basis of Articles 58 and 60 of the WOG and was transferred to the Disputes Chamber on the basis of Article 62, § 1 of the WOG. On 3 October 2018, the Dispute Tribunal decided to request an investigation from the Inspectorate on the basis of Articles 63, 2° and 94, 1° of the CPC. On 3 October 2018, pursuant to Article 96, § 1 of the WOG, the request of the Dispute Resolution Chamber to conduct an investigation is transmitted to the Inspectorate, together with the complaint and the inventory of documents. On 23 March 2021, the investigation is completed by the Inspectorate, the report is attached to the file and the file is handed over by the Inspector General to the President of the Dispute Settlement Chamber (Article 91, § 1 and § 2 of the WOG). The report contains findings with regard to the data controller as well as the subject of the complaint, and concludes first of all that the data controller is responsible for "integrated youth care with housing" and is considered to be a Flemish administrative authority as referred to in Article 2, 10° of the eGovernment Decree1 and described on the website of the Flemish Government2 , as the defendant meets the criteria of Article I, 3, 6° of the eGovernment Decree3. The Inspectorate then notes that the complainant distinguishes two processing activities in her complaint: the alleged data breach resulting from the email communication of 7 June 2018, on the one hand, and the unsolicited news email messages of 27 March 2019 and 29 May 2019, on the other. 1 Decree of 18 July 2008 on electronic administrative data exchange, B.S. , 29 October 2008. 2 https://overheid.vlaanderen.be/digitale-overheid/is-uw-organisatie-een-vlaamse-bestuursinstantie/. 3 Executive Decree of 7 December 2018, B.S. , 19 December 2018.http://www.jjgoldman.net/index/ Decision on the merits 62/2022 - 3/21 According to the Inspectorate, the first processing activity falls within the operation and core mission of the defendant. The Inspectorate also considers it sufficiently proven, on the basis of the documents submitted and the defendant's reply, that the principle of transparency has been complied with. Data subjects are adequately informed about the processing of their personal data in the context of the sending of newsletters and service communications, thanks to the information contained in the privacy statement, which can be easily found on the website of the controller. Moreover, the Inspectorate notes that, since April 2018, the defendant has indicated that it no longer automatically enrols the parents of young people staying at Y, but invites them to enrol via the website (opt-in system). The Inspectorate notes that data subjects are invited to subscribe to the newsletter by entering their e-mail address on the website independently, and that this subscription does not have a blocking effect on further visits to the website. Thus, the Inspectorate concludes that the consent of data subjects is sufficiently informed, specific, free and unambiguous. Moreover, although the complainant makes no reference to the opt-out possibility for service communications in her complaint, the Inspectorate notes that data subjects still have the possibility to withdraw their consent at any time by writing to the data protection officer of the defendant. Therefore, the Inspectorate considers the first processing operation to be in compliance with Articles 5, 6 and 4.11 in conjunction with Article 7.2 AVG, as well as with Articles 12.1 and 13 and 14 AVG. Furthermore, the Inspectorate notes that, although the recipients of the email message were able to learn the identity and email address of the other recipients, the content of the June 2018 communication does not contain any personal data. As regards the use of CC instead of BCC, which according to the complainant should be regarded as a data breach, the Inspectorate first confirms that the defendant failed to report the incident to the GBA within 72 hours. However, according to the Inspectorate, this breach of Article 33 AVG must be qualified somewhat, in the sense that the controller may have been able to rely on the likelihood that the data breach posed a low risk to the rights and freedoms of natural persons, in accordance with Article 33.1 AVG, in order to decide not to notify the GBA. Decision on the merits 62/2022 - 4/21 The Inspectorate stresses in particular that the data breach was limited both in the number of recipients (16 parents or guardians) and in the personal data exposed (the e- mail address from which the identity of the recipients could possibly be established), with the result that the e-mail in question may have caused only very limited damage to the complainant. The inspection report also refers to the fact that the complaint and infringement rather referred to a non-intentional, one-off and mainly human error, in view of the defendant's ICT Code of Conduct which states that staff should use BCC when necessary. Furthermore, according to the Inspectorate, the data leakage could be avoided in the future because the defendant learned from the situation and already has a procedure and form that can be used to report a data leakage. Finally, the Inspectorate refers to the internal awareness raising and training on the existing ICT Code of Conduct and Security Incident Procedure as well as the relevant reporting form, which the defendant has provided since the incident to the staff of the department where the incident occurred. In view of the above elements, the Inspectorate considers that the violation of Article 33.1 of the AVG could be closed. Notwithstanding this, the Inspectorate notes a series of concerns in relation to the defendant's internal procedure. More specifically, the Inspectorate notes that a notification to the GBA is not provided for in the security breach procedure, and that the aforementioned procedure could therefore be supplemented with specific instructions to always provide for a record of incidents in the defendant's own data breach register, to apologise to those concerned, and to send an e-mail to the recipients of e-mails sent in error, asking for the immediate deletion of the preceding e-mail. With regard to the second processing activity, namely the two e-mail communications of 27 March and 29 May 2019, the Inspectorate notes that it relates to the sending of news messages inter alia to the parents of adolescents staying in the controller's unit. The Inspectorate notes that these newsletters contain an unsubscribe option at the bottom of the email messages, and that data subjects are also offered the possibility to withdraw their consent by writing to the data protection officer of the defendant. Decision on the merits 62/2022 - 5/21 On the basis of these specific elements available in the file, the Inspectorate finds that the consent provided by the controller is free and unambiguous, and therefore meets the conditions provided for in Article 4.11 in conjunction with Article 7.3 AVG. The Inspectorate shall establish this processing activity on the basis of Article 6.1.a) AVG and notes that this processing activity can be considered as being in compliance with Article 5.1.a) AVG. As to whether the complainant was adequately informed of the processing of her personal data for the purpose of sending newsletters, the Inspectorate notes that data subjects are adequately informed by means of the privacy statement on the website of the controller. Therefore, the Inspectorate concludes that the sending of the disputed newsletters does not constitute a violation of Articles 12.1, 13 and 14 of the AVG. The report shall also contain findings which go beyond the subject matter of the complaint. In particular, the Inspectorate finds that the submitted register of processing activities is incomplete and unclear, and that the defendant has therefore infringed Article 30.1 of the AVG. On 23 September 2021, the Dispute Tribunal decides, on the basis of Article 95, § 1, 1° and Article 98 of the CPC, that the case is ready for examination on the merits. On 23 February 2022, the parties concerned shall be notified of the provisions referred to in Article 95 § 2 and those referred to in Article 98 of the CPC. They are also notified of the time limits for lodging their defences pursuant to Article 99 of the CPC. In view of the fact that the complainant was resident in the Dutch-speaking area at the time she lodged the complaint, and that according to the inspection report the defendant is considered to be a Flemish administrative authority4 , the Dispute Chamber also decided to conduct the proceedings in Dutch, in accordance with its language policy5. However, both parties are given 14 days to object. On 6 October 2021, the complainant objects to the use of Dutch as the language of the proceedings. Bearing in mind that, at the time when she lodged her complaint, the complainant, in French, was resident in the homogeneous Dutch-speaking area; that the defendant must be regarded as a Flemish administrative authority; and that, moreover, the complainant used Dutch on several occasions in the context of her exchanges with the defendant and with, inter alia, the services 4 Inspection report of 23 March 2021, p. 3. 5 Language policy note used by the Dispute Resolution Chamber, available on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/nota-talenbeleid-gehanteerd-door-de-geschillenkamer.pdf Decision on the merits 62/2022 - 6/21 of the Youth Welfare Agency, the Dispute Tribunal decides to propose to the parties by registered letter on 14 October 2021 the following agreement. a. The official language of the proceedings shall remain Dutch, it being understood that, in the proceedings before the Dispute Tribunal, the parties may express themselves in French or Dutch, both in writing in their submissions and orally at any hearing. b. The Dispute Tribunal undertakes to conduct its correspondence with the parties concerned in both French and Dutch at all times in future, in accordance with Article 41 § 1 and § 2 of the Laws of 18 July 1966 on the use of languages in administrative matters (hereinafter, 'SWT')6. The previously communicated deadlines will be replaced by new deadlines. The Dispute Tribunal will also provide the complainant with a French translation of the Dutch inspection report, without this French version replacing the inspection report. c. The Dispute Chamber will not translate the procedural documents submitted by a party for the benefit of the other party, nor will it cover the costs incurred by them in connection with the translation of these documents. The parties are also not required to provide translations of their procedural documents. d. The Dispute Resolution Chamber undertakes to take its final decision in Dutch, and simultaneously to communicate a French version to the complainant; both versions will be made available on the GBA website. In the absence of an objection within 7 days of the communication of the previous proposal, the Dispute Tribunal will send a new invitation to the parties to submit their defence. The deadline for receipt of the Respondent's Statement of Defence was set at 6 December 2021, that for the Complainant's Statement of Defence at 3 January 2022 and that for the Respondent's Statement of Defence at 24 January 2022. Pursuant to Articles 95 § 2, 98 and 99 WOG, the parties are notified both by e-mail and by registered mail that the scope of this case concerns the following alleged infringements by the defendant: 1) alleged breach of Articles 6 and 7 AVG, concerning the lack of parental consent for the alleged processing of image material of the 6 Laws of 18 July 1966 on the use of languages in administrative matters, B.S. , 2 August 1966. Decision on the merits 62/2022 - 7/21 complainant's minor son for the purpose of external publication, without her knowledge; 2) Alleged breach of Articles 5, 6 and 4(11) in conjunction with Article 7 AVG, concerning the email communication of 7 June 2018 between the defendant's "[...]" department and the parents; 3) Alleged violation of Article 12.1 and Articles 13 and 14 AVG, regarding the newsletter information in the defendant's privacy statement; 4) alleged breach of Article 30 of the AVG, due to an incomplete and unclear register of processing activities; 5) alleged violation of Article 33.1 of the AVG, due to insufficient internal procedures on security breaches, which provide that incidents are always recorded in a separate data breach register of the controller, and that incidents must be reported to the GBA, if applicable. On 25 October 2021, the defendant's data protection officer acknowledged receipt of the Dispute Tribunal's letter and its annexes by e-mail. On 3 December 2021, the Dispute Tribunal received the Respondent's Statement of Defence as regards the findings relating to the subject-matter of the complaint. This conclusion also contains the defendant's response concerning the findings made by the Inspectorate outside the scope of the complaint. With regard to infringement 1, the defendant points to the lack of any finding in that regard by the Inspectorate, as a result of which the defendant does not consider it possible to submit a defence in that regard. For the rest, the defendant states that its staff ask the competent minor, or the parents if the minor is deemed not to be competent (guide age 12), for permission to take and distribute photographs. This is also included in the defendant's reception brochure which has already been provided in the context of the inspection investigation. As regards infringements 2 and 3, the defendant refers to the Inspectorate's finding that the infringements were properly monitored and rectified by the controller. The defendant also states that no similar incident has occurred in the past and that it is therefore a one- off, human "beginner's mistake", given the recent entry into force of the AVG at the time of the incident. The defendant also stresses that it provides regular internal training and awareness-raising. Decision on the merits 62/2022 - 8/21 II. Motivation With regard to infringement 4, the defendant states that the recommendations made in the inspection report to complete the register of processing activities have now been incorporated in the abovementioned register. In particular, a tab on version control was added, as well as a tab on the organisation and the data protection officer. In addition, a tab explaining the technical and organisational measures was added, as well as a tab with the retention periods applied. Finally, the defendant states that the complaint dates from 6 months after the entry into force of the AVG, when the defendant focused on training its staff on the use of procedures. As regards infringement 5, where the Inspectorate notes that the internal procedure for reporting security incidents provides for the defendant to report data breaches to the Flemish Supervisory Commission (VTC), the defendant considers that it can rely on the information available on the Flemish Government's website7. Furthermore, the defendant states that data subjects are free to lodge a complaint with the GBA following data leaks, and that it is prepared to report its incidents to the GBA anyway. Finally, the defendant confirms that e-mails sent in error are now added to the incident register, and that employees should request the "wrong recipients" to delete the message immediately. The Dispute Tribunal did not receive a statement of reply from the complainant. II.1. Competence of the Data Protection Authority in relation to a Flemish administrative authority First of all, by analogy with its decision 15/2020 of 15 April 20208 and following on from the statement in the Inspectorate's report, the Dispute Tribunal clarifies that the GBA is competent to act in the present case. The AVG is a regulation which is directly applicable in the Union and cannot be transposed by Member States into national law. Nor may provisions of the AVG be specified in national legislation, except where the AVG expressly allows this. Data protection has thus become, in principle, a matter of European law9. 7 https://overheid.vlaanderen.be/digitale-overheid/is-uw-organisatie-een-vlaamse-bestuursinstantie. 8 Decision on the merits 15/2020 of 15 April 2020 of the Disputes Chamber of the GBA, para. 69-70 and 77 et seq. See also decision 23/2022 of 11 February 2022, para. 6, and decision 31/2022 of 4 March 2022, paras. 33-43, available on the GBA website: https://www.gegevensbeschermingsautoriteit.be/burger/publicaties/beslissingen. 9 See e.g. in C. KUNER, L.A. BYGRAVE and C. DOCKSEY (eds.),The EU General Data Protection Regulation: A Commentary, Oxford University Press, 2020, pp. 54-56. Decision on the merits 62/2022 - 9/21 The issuing of any regulatory provisions on personal data by the federal or state government must therefore be done within the framework established by the AVG. In this respect, the Court refers to Article 22 of the Constitution10 and the settled case law of the Constitutional Court, which states that the right to respect for private life, as guaranteed in Article 22 of the Constitution (as well as in treaties), has a broad scope and includes, inter alia, the protection of personal data and personal information11. The Constitutional Court and the Legislation Division of the Council of State have already ruled that the introduction of general restrictions on the rights guaranteed by a constitutional provision is a matter reserved to the federal legislator12. Consequently, the state authorities retain the possibility of providing, within their powers, for specific restrictions, only to the extent and on the condition that they respect the general federal legislation in this respect13. In short, the Court of Arbitration finds that the federal and regional authorities are empowered to issue general and specific rules respectively on the protection of private and family life, and only to the extent permitted by the AVG and within the rules of the AVG which are directly applicable in the Belgian legal order14. In its Opinion No 61.267/2/AV of 27 June 2017, issued in response to the preliminary draft that led to the WOG, the Legislation Section of the Council of State addressed in detail the competence-sharing rules on data protection supervision15. In the aforementioned opinion, the Council of State stated that the federal government may establish a supervisory authority with "a general competence [...] over all processing of personal data, including those carried out in matters for which the Communities and Regions are competent "16. "Such a regime does not affect the competence of the Communities and 10 "Everyone has the right to respect for his private and family life, except in the cases and under the conditions provided for by law. The law, the decree or the rule referred to in Article 134 shall guarantee the protection of that right." 11 See e.g. GwH, No 29/2018, 15 March 2018, B.11; No 104/2018, 19 July 2018, B.21; No 153/2018, 8 November 2018, B.9.1. See also A. ALEN and K. MUYLLE, Handboek van het Belgisch Staatsrecht, Mechelen, Kluwer 2011, pp. 917 ff. 12 A. ALEN and K. MUYLLE, Handboek van het Belgisch Staatsrecht, Mechelen, Kluwer, 2011, 918; K. REYBROUCK and S. SOTTIAUX, De federale bevoegdheden, Antwerpen, Intersentia, 2019, 122; J. VANDE LANOTTE, G. GOEDERTIER , Y. HAECK , J. GOOSSENS and T. DE PELSMAEKER, Belgisch Publiekrecht, Bruges, die Keure, 2015, p. 449. 13 Court of Arbitration, No 50/2003, 30 April 2003, B.8.10; No 51/2003, 30 April 2003, B.4.12; No 162/2004, 20 October 2004 and 16/2005, 19 January 2005; GwH, 20 October 2004, 14 February 2008; Adv. RvS nr. 37.288/3 of 15 July 2004, Parl. St. Vl. Parl. 2005-2006, no. 531/1: "[...] the Communities and the Regions [are] only competent [...] to authorise and regulate specific restrictions to the right to respect for private life in so far as, in so doing, they adapt or supplement the federally determined basic standards, but [...] they [are] not competent [...] to affect those federal basic standards". 14 J. VAN PRAET, De latente staatshervorming, Bruges, die Keure, 2011, pp. 249-250. 15 Adv.RvS no. 61.267/2 of 27 June 2017 on the preliminary draft law 'reforming the Commission for the Protection of Privacy', pp. 28-45. 16 Ibid, p. 12, para. 5. Decision on the merits 62/2022 - 10/21 Consequently, according to the Council of State, the federal supervisory authorities can only be empowered to monitor the specific rules they have issued for data processing in the context of activities falling within their competence, and this of course only to the extent that the AVG still allows Member States to adopt specific provisions and that the provisions of the WOG are not prejudiced. In short, the GBA, as the federal supervisory authority, is the competent authority to monitor the general rules, including the mandatory provisions of the AVG which do not require further national implementation, in accordance with Article 4 of the WOG18. This is also the case if the data processing relates to a matter falling within the competence of the Communities or Regions (federal authorities) and/or if the controller is a public body falling within the competence of the Communities or Regions, even if the federal authority itself has established a supervisory authority within the meaning of the DPA. In view of the above, the Court concludes that, in order for a federal supervisory authority to be competent, it is by no means sufficient that the data processing relates to a federal matter. Moreover, the federal State in question must also, within the scope left to the Member States by the AVG, have adopted specific rules for the processing of personal data in the context of that matter. It is only the monitoring of compliance with those specific federal rules that can be entrusted to the federal supervisory authority. The Court stresses that the notion of 'specific rules' should not be interpreted too broadly. It appears from the cited opinion of the Council of State that the notion of 'specific rules' refers to specific limitations or special safeguards, which derogate from or go beyond the general provisions, safeguards and limitations contained in, or deriving from, the AVG or federal legislation. In other words, the mere fact that the Länder implement or confirm (by decree or order) a general rule does not mean that this rule acquires the character of a 'specific rule'. A specific rule only exists when the federal states, using the scope left by the AVG, establish additional safeguards or restrictions. In addition, any limitations of powers of a data protection authority under the AVG would only be possible if, at the level 17 Ibid, p. 12, para. 6. 18 See also e.g. Adv.RvS, no. 66.033/1/AV of 3 June 2019 on a draft decree of the Flemish Government of 10 December 2010 'implementing the decree on private employment agencies, as regards the introduction of a registration obligation for sports agents', p. 5, para. 5.3; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decree of the Flemish Government 'containing the detailed rules for the processing, preservation and evidentiary value of the electronic data concerning the allowances in the framework of the family policy', p. 7, para. 5.3. Decision on the merits 62/2022 - 11/21 of a Land would have established a supervisory authority which meets all the requirements imposed on supervisory authorities by the European Treaties and which has also been given all the functions and powers of a supervisory authority. In this context, reference is made in particular to Articles 51 to 59 of the DPA. This is not the case for the Flemish Supervisory Commission. It follows from the above that the Flemish authorities are subject to the directly applicable provisions of the AVG and that the GBA is competent to act in n the present case. This competence also means that incidents relating to personal data, as defined in Article 4.12) AVG, must be reported to the competent supervisory authority, in this case the GBA, pursuant to Article 33.1 AVG. II.2. Lack of parental consent for taking and distributing photographs of a minors The Dispute Tribunal takes note of the fact that Mrs. X complains that the defendant had photographs taken of her minor son for external publication without her prior information and consent. However, the Dispute Tribunal notes that the complainant responded negatively to the Inspectorate's request to provide some evidence of this alleged processing. More specifically, the complainant notes that the defendant refused to provide her with more information about the project. Moreover, a member of the defendant's ombudsman service is alleged to have stated that participation in the project was proposed directly to the young people, that participation could also be anonymous and that for this reason the defendant "did not really [ask for] permission". The Dispute Chamber notes that the defendant does not dispute that the processing in question took place, but refers to its reception brochure in which a statement of consent provides for the possibility for educators or competent young people to give their consent to the taking and use of atmospheric photographs19. First of all, the Court stresses that the protection of personal data, which is covered by the AVG, must be dissociated from the "right to image", which is a personal right provided for in Article XI.174 of the Code of Economic Law. Therefore, the fact that a person agrees to be photographed or filmed does not necessarily mean that he or she consents to the publication or dissemination of 19 Welcome brochure of the non-profit organisation Sporen, p. 13. Decision on the merits 62/2022 - 12/21 these images. These two consents are separate and must therefore be requested separately20. The Dispute Chamber understands from the documents submitted that the complainant's son was 15 years old at the time of the facts. However, neither the AVG nor the Belgian Data Protection Act provide any clarification as to the age at which minors may themselves have access to their personal data, except in the specific context of a direct offer of information society services to a child21. Although all natural persons are holders of the right to representation, the exercise of that right is closely linked to the holder's capacity or incapacity to act.22 Legal doctrine therefore provides for a distinction between minors with capacity and minors without capacity, and it should also be stated that "current case law assesses the concept of capacity according to the concrete, factual circumstances of the case and not on the basis of a specific age".23 The right to representation is not limited to minors, but also includes the right to be represented by a legal person. In other words, in the absence of a conclusive answer as to whether the complainant still had parental authority over her son at the time of the judgment of the juvenile court and as to whether or not the latter had the capacity to distinguish, it is impossible for the Dispute Tribunal to ascertain whether the complainant's consent to the disputed processing in the present case was necessary. As a result, the provisions of ordinary law relating to the capacity of minors24 to exercise their right to image apply in principle, and the Dispute Chamber takes the prima facie view that parental consent - as well as the consent of the persons concerned if they have the capacity to distinguish - is necessary for the processing of image material of minors under the age of 18. However, the Dispute Tribunal finds that the complaint is not sufficiently substantiated with evidence of the existence of a breach of the AVG or of data protection laws, and it is clearly not possible to obtain such evidence25. Nor is the 20 https://www.gegevensbeschermingsautoriteit.be/burger/thema-s/recht-op-afbeelding/principes. 21 Article 8 of the AVG ; Article 7 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, B.S. , 5 September 2018. 22 E. GULDIX, The rights of personality, privacy and private life in their interrelationship, Doctoral thesis Faculty of Law, Brussels, 1986, pp. 246-247. 23 Kh. Brussels, 24 February 1995, Ing.-Cons. 1995, p. 333, note L. MULLER; Rb. Brussels, 17 May 2002, AM, 2003, p. 138. See also L. DIERICKX, The right to image, Intersentia, Antwerp-Oxford, 2005, pp. 39-42. 24 Articles 388, 488 and 1123 to 1125 of the Civil Code. Unauthorised minors are absolutely, generally and completely incapable of acting and are therefore represented. See also FR. SWENNEN, The law of persons and family law, Intersentia, Antwerp-Cambridge, 2012, para. 265 ff. 25 In this respect, the Dispute Tribunal refers to section 3.1, A.1 of its dismissal policy, as set out on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschillenkamer.pdf. Decision on the merits 62/2022 - 13/21 Dispute Tribunal able to establish that prior parental consent was required in the present case. Thus, on the basis of the facts and the legal complaints raised in the complaint, the Dispute Resolution Chamber cannot conclude that there has been a breach of data protection rules. In short, on the basis of the above elements, the Dispute Resolution Chamber considers that no breach of the AVG can be established; this complaint is therefore declared as manifestly unfounded26. However, on the assumption that in the present case there was in fact a publication of images of minors, the Dispute Chamber questions to what extent such a publication with photographs of minors on social media or communication platforms is necessary for the performance of a task in the public interest entrusted to the defendant or falls within a legal obligation incumbent on the defendant. The fact that the case in question concerns young people with a difficult family situation or background should, in the view of the Dispute Resolution Chamber, at least call for caution, and should even be a reason not to publish images in which those young people are identifiable, except where parental consent is obtained in advance for specific processing purposes. Since the defendant is to be regarded as a Flemish public authority27 , it cannot, in accordance with Article 6.1 in fine AVG, rely on the legitimate interest as a basis for processing personal data.28 In the absence of a legitimate interest or legal obligation for the publication of images depicting young people in a recognisable manner, the Dispute Chamber concludes that prior consent, or at least specific consent, from the parents or the legal guardian is indispensable. II.3.Lawfulness of the processing of the complainant's personal data in the context of the service notification dated 7 June 2018 It is established that the defendant has the contact details of the parents and guardians in order to communicate with them concerning information relevant to the defendant's relationship with the parents of the young people. The Dispute Chamber assumes that there is a legal basis for obtaining this data, as referred to in Article 6.1 of the AVG, more specifically the need for processing in order to comply with a legal obligation (Article 6.1.c) 26 Ibidem, section 3.1, A.2. 27 Inspectorate Investigation Report, p. 3. See also para. 7 in this decision. 28 Article 6.1.f) AVG : "Processing is lawful only if and insofar as at least one of the following conditions is met : [...] f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties." See also para. 67 in this decision. Decision on the merits 62/2022 - 14/21 AVG). For this reason, consent as a legal basis in accordance with the conditions of Articles 4.7 and 7 AVG is not conceivable for obtaining the data. After all, parents of young people do not have the free choice of whether or not to provide their contact details to the defendant. The Dispute Tribunal shall examine the extent to which the defendant may share the complainant's contact details with third parties, in this case the parents of other young people. Pursuant to Article 5(1)(b) of the AVG, the processing of personal data for purposes other than those for which the personal data were originally collected may be authorised only if the processing is compatible with the purposes for which the personal data were originally collected. Taking into account the criteria set out in Article 6.4 AVG and Recital 50 AVG29 , it should thus be assessed whether the purpose of the further processing, in this case the communication by e-mail of the complainant's contact details to the parents of other young people, is compatible or not with the purpose of the initial processing consisting in the collection of the complainant's contact details within the context of direct contact between the parents of young people and the respondent. The Dispute Resolution Chamber concludes that the complainant provided her contact details within the context of her relationship with the defendant and could not reasonably expect the defendant to share those same details with third parties who, although they have a personal relationship with the defendant, since they are parents of other young people, are outside the relationship between the complainant and the defendant. This leads to the conclusion that there is no compatible further processing, so that a separate legal basis is required for the communication of the complainant's contact details to the parents of other young people to be lawful. Processing of personal data, including incompatible further processing as in the present case, is only lawful if there is a legal basis for it. For incompatible further processing, reference should be made to Article 6(1) AVG and Recital 50 AVG. Recital 50 AVG30 states that a separate legal basis is required for the processing of personal data for other purposes which are incompatible with the 29 Recital 50 GDPR: [...] In order to assess whether a purpose of further processing is compatible with the purpose for which the personal data were originally collected, the controller should, after having complied with all the requirements of lawfulness of the original processing, take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the data were collected; in particular, the data subjects' reasonable expectations based on their relationship with the controller regarding their further use; the nature of the personal data; the impact of the intended further processing on the data subjects; and appropriate safeguards in both the initial and the intended further processing. 30 Recital 50 AVG: The processing of personal data for purposes other than those for which the personal data were originally collected should only be allowed if the processing is compatible with the purposes for which the personal data were originally collected. In that case, no separate legal basis other than the one on the basis of which the collection of personal data was authorised is required. [...] Decision on the merits 62/2022 - 15/21 purposes for which the personal data were originally collected. Those separate legal grounds on the basis of which a processing operation, including thus incompatible further processing operations, can be considered lawful are set out in Article 6(1) AVG. To that end, the Dispute Chamber shall examine the extent to which the legal grounds provided for in Article 6.1 of the AVG may be invoked by the defendant in order to justify the further processing of the personal data relating to the complainant. The defendant itself does not mention any legal basis which would allow it to carry out the processing of data which is the subject of the complaint, namely the communication of the complainant's e-mail address to the parents of other young people. Moreover, the defendant expressly admits that that communication was an error. The defendant does not therefore argue that the communication was authorised and does not therefore seek to justify it by expressly invoking any legal basis. On the basis of the factual elements available in the file, the Dispute Resolution Chamber examines, of its own motion, whether there is any legal basis which could allow the defendant to send the e-mail containing the complainant's e-mail address visible to all addressees, taking into account that there is a simple technical means of reaching the intended addressees of the e-mail in a single movement without everyone's e-mail addresses being visible, namely sending it in BCC instead of CC. Given the capacity of the defendant31 , it cannot, in principle, rely on its legitimate interest (Article 6(1)(f) AVG) or that of a third party for the communication of the complainant's e-mail address to other parents. The other legal grounds contained in Article 6.1.a) to 6.1.e) AVG are not applicable in the present case either, since ▪ the subject-matter of the complaint and the documents in the case file do not in any way show that the complainant gave her consent (Article 6(1)(a) AVG) to the processing in question, nor that the defendant intends to rely on consent; ▪ the Dispute Chamber does not find it plausible that the disclosure of the complainant's contact details to other parents is necessary for the performance of an agreement between the complainant and the respondent 31 See para. 60 in fine in this decision. Decision on the merits 62/2022 - 16/21 (Article 6(1)(b) AVG), nor that such disclosure would result from a legal obligation incumbent on the defendant (Article 6(1)(c) AVG); ▪ there can be no doubt that the communication of the complainant's e-mail address was not necessary in order to protect the vital interests of the parents concerned or of another natural person (Article 6(1)(d) AVG), and that the communication of the parents' contact details is necessary for the performance of a task carried out in the public interest which has been assigned to the respondent (Article 6(1)(e) AVG). The Dispute Tribunal considers that the foregoing elements sufficiently demonstrate that the defendant cannot rely on any legal basis showing the lawfulness of the data processing operation as initiated by it. Moreover, the defendant does not contest the facts and states itself that in the e-mail in question which is the subject of the complaint, the complainant's e-mail address was placed in the field 'CC', together with those of other parents, instead of 'BCC', contrary to what is provided for in the ICT Code of Conduct for staff. As a result, the defendant claims that the employee who sent out the communication committed a breach in relation to the complainant's personal data. Despite the fact that the documents produced by the defendant show that general guidelines have been drawn up within its organisation whereby global e-mails are to include destinations in BCC, the complainant shows that those guidelines were not applied in practice. In the service note dated 7 June 2018 attached by the complainant and to which the complaint relates, those guidelines are not complied with. The defendant does not deny this, but states that the incident occurred as a result of human error and was of a one- off and incidental nature. Notwithstanding the improvements made since then, according to the Respondent, the Dispute Chamber concludes, on the basis of the above elements, that the infringement of Articles 5, 6 and 4.11 in conjunction with Article 7 AVG has been proven with respect to the service notice of 7 June 2018, in which the contact details of all recipients remained visible. In line with the statement in the Inspectorate's report, the Dispute Chamber finds that, on the other hand, no breach of Article 33.1 AVG can be established, since it is not established that the data leak resulting from the service communication of 7 June 2018 posed a risk to the complainant's rights and freedoms, and the defendant was therefore not obliged to report the breach to the GBA. Decision on the merits 62/2022 - 17/21 II.4. Lawfulness of the processing of the complainant's personal data in the context of the sending of newsletters to parents and educators In its reply to the Inspectorate, the defendant states that it does not regard the newsletters as direct marketing, but as an essential means of keeping the parents of the young people staying in the living groups involved, of providing parents with food for thought in communicating with their children, and of keeping parents informed of activities such as parent contacts. The complainant notes, on the other hand, that the electronic newsletters also call on recipients to support, either by volunteering or financially, Y's initiatives and operations, as well as promoting external service providers such as travel organisations. The Dispute Chamber finds, on the basis of the submitted newsletters dated 27 March 2019 and 29 May 2019, that the recipients concerned are being invited to make voluntary deposits for the benefit of the Y, which does not fall within the Respondent's core mission as an Organisation for Special Youth Care. Therefore, the Dispute Resolution Chamber finds that the newsletters in this case do not fall exclusively within the scope of the decree on integrated youth care, but must also be considered in part as direct marketing communications. To this end, the Disputes Chamber examines which legal basis as provided for in Article 6.1 AVG is invoked by the controller. From the defendant's reply to the Inspectorate's questions32 , the Dispute Settlement Body understands that data subjects can subscribe to the electronic newsletter on its website via an opt-in. The defendant also states that consents given are kept in MailChimp, and recipients can unsubscribe via a "reply to newsletter" or via the "unsubscribe" button at the bottom of each newsletter. In the course of that investigation, the Respondent was further able to establish that MailChimp did not record any attempt by the Complainant to unsubscribe via the button provided for that purpose, nor did any email from the Complainant arrive via the "reply" functionality. The Dispute Tribunal finds that data subjects are informed in an appropriate manner of the processing of their personal data for the purpose of sending newsletters and that the defendant is justified in relying on their consent as the basis for that processing. The Court also finds that the defendant has taken appropriate measures to enable data subjects to withdraw their consent easily if they wish to unsubscribe. Notwithstanding the above, the Court notes that the lack of a clear distinction between service notices and electronic newsletters may, however, lead to confusion for data subjects as to the precise lawfulness ground. 32 Piece 12, pp. 1-2. Decision on the merits 62/2022 - 18/21 Indeed, the consent of data subjects does not constitute an appropriate basis for communications which must be considered necessary for the provision of services, such as communications on parental contacts, or communications which have their origin in a legal obligation incumbent on the controller, such as in this case the involvement of parents and guardians in the provision of youth care33. Nevertheless, it is not for the Dispute Tribunal to determine which specific legal obligation the defendant may or may not invoke as a basis for its service communications to parents and carers, in the context of its core tasks. Following the above findings, the Dispute Resolution Chamber concludes that the defendant in the present case did not sufficiently inform the parties concerned about the distinction between service announcements and communications directly related to its core mission, on the one hand, and communications to be qualified as direct marketing, on the other hand. In this respect, the Court stresses in particular the importance of an appropriate legal basis for both necessary service communications and electronic newsletters which voluntarily inform parents or guardians of the day-to-day functioning of the organisation. In the absence of clear information on the different categories of electronic communications to parents and carers, both in the online privacy notice and in the welcome brochure, the Dispute Chamber finds that the defendant has violated Articles 12 and 13 AVG. 33 The Dispute Tribunal refers in particular to the joint commitment envisaged by Article 8 of the Decree of 12 July 2013 on integrated youth care, B.S. , 13 September 2013, applicable to the defendant: "Integrated youth care" refers to cooperation and coordination in youth care with the aim of making a joint commitment on behalf of minors, their parents and, where appropriate, their carers and the persons involved in their environment and for th at purpose : 1° to work towards the socialisation of youth care; 2° to organise timely access to youth care; 3° to ensure the flexibility and continuity of youth care services, including the seamless transition to other forms of care; 4° to deal appropriately with situations of concern in youth care; 5° to provide a subsidiary offer of crisis youth care; 6° to enable them to participate as much as possible in youth care; 7° to achieve an integrated approach in the organisation and provision of youth care services." Decision on the merits 62/2022 - 19/21 II.5. Obligation to document security incidents and to notify the Data Protection Authority The Inspectorate notes in the course of its investigation that the defendant's internal procedure for dealing with security incidents does not explicitly provide for the systematic inclusion of erroneously sent e-mails as incidents in its own data leakage register, and that the form used for following up security incidents does not provide for mandatory reporting to the GBA. The Court recalls that a controller must document all breaches as interpreted in Article 33.5 of the AVG, regardless of whether the breach must be notified to the supervisory authority: "The controller shall document all personal data breaches, including the facts of the personal data breach, its consequences and the remedial measures taken. Such documentation shall enable the supervisory authority to monitor compliance with this Article. " In the absence of a determination by the Inspectorate regarding the inclusion of the data breach following the service notification dated 7 June 2018 in an internal incident register of the Respondent, the Dispute Chamber is unable to conclude that there has been a breach of the AVG and of data protection regulations. As a result, the Dispute Chamber decides to order the dismissal of the prosecution as regards this point. However, the Dispute Resolution Chamber takes note of the defendant's intention to have incident reports submitted via the Intranet in the future, which will be followed by an automatic email to the employee concerned with follow-up steps, a reference to the modified incident procedure and some examples of data breaches. As regards the additions to the internal procedure proposed by the Inspectorate, in particular the obligation to notify the GBA of personal data breaches, the Court refers to the explanation given above concerning the GBA's general competence for compliance with the AVG34. II.6. Register of processing operations The Dispute Settlement Body agrees with the Inspectorate's finding that the register of processing operations is incomplete and unclear. Article 30 of the AVG explicitly provides that the register shall contain, inter alia, the name and contact details of the controller and any joint processing 34 See para. 40-50 in this decision. Decision on the merits 62/2022 - 20/21 III. Publication. controller and, where applicable, of the representative of the controller and of the Data Protection Officer. In addition, the controller should describe the envisaged time limits within which the different categories of data are to be erased, taking into account that vague time limits such as "retention period unknown" or "lawful retention period" do not provide sufficient clarity. Finally, the description of the organisational and technical measures taken should allow for an understanding of the precise effect of the measures in order to assess the extent to which they adequately protect the personal data concerned. Given the absence of the aforementioned information in the register of processing activities of the defendant at the time of the investigation, the Dispute Chamber considers that the infringement of Article 30 AVG has been sufficiently proven. of the decision In view of the importance of transparency with regard to the decision-making of the Dispute Resolution Chamber, this decision is published on the GBA website. However, it is not necessary for the parties' identifying data to be published directly for this purpose. Decision on the merits 62/2022 - 21/21 FOR THESE REASONS, the Dispute Chamber of the Data Protection Authority shall, after deliberation, decide to: - pursuant to Article 100 § 1, 1° WOG, dismiss the complaint as regards the taking and publication of the image of the complainant's underage son, without her prior consent; - pursuant to Article 100, § 1, 2° WOG, to order the removal from the register of the data leak of 7 June 2018 in the internal incident register; - on the basis of Article 100 § 1, 5° WOG, issue a warning to the defendant with regard to the notification of personal data breaches to the Data Protection Authority, in accordance with Article 33 AVG; - on the basis of Article 100, § 1, 5° WOG, issue a reprimand against the defendant for the infringement of Articles 5, 6 and 4.11 in conjunction with Article 7 AVG in the context of the service announcement of 7 June 2018, in which the contact details of all addressees remained visible; - on the basis of Article 100 § 1, 5° WOG, issue a reprimand against the defendant for the infringement of Articles 12 and 13 AVG for the lack of transparency in the defendant's privacy statement regarding the processing grounds for the service communications to parents and educators, on the one hand, and the newsletters to be considered as direct marketing, on the other hand; - order the defendant, pursuant to Article 100 § 1, 9° WOG, to bring its privacy statement into compliance with Articles 12 and 13 AVG; - order the defendant, pursuant to Article 100 § 1, 9° WOG, to bring the register of processing activities into line with Article 30 AVG; Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged with the Marktenhof, with the Data Protection Authority as defendant, within a period of thirty days from the notification. (Get). Hielke HIJMANS President of the Dispute Chamber