APD/GBA (Belgium) - 158/2022
Latest revision as of 12:47, 16 November 2022
APD/GBA - 158/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6 GDPR Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 17(1) GDPR Article 24 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.09.2022 |
Decided: | 07.11.2022 |
Published: | 07.11.2022 |
Fine: | n/a |
Parties: | X (the data subject) Y (the controller) |
National Case Number/Name: | 158/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) (in FR) |
Initial Contributor: | n/a |
The Belgian DPA warned a controller for publishing an invoice with personal data on Facebook. The controller did not have a legal basis (Article 6 GDPR) and did not delete the invoice after the data subject requested erasure.
English Summary
Facts
A service provider (controller) published an invoice on its Facebook page which contained the data subject's first name, last name, and address. Although it was not clearly specified in this preliminary decision, it seemed that there was a dispute between the data subject and the controller regarding payment(s), in which the controller published the invoice to illustrate the tariffs it applied. The data subject filed, among others, a complaint with the local police office claiming GDPR violations. Following this, the controller only removed the postal address on the invoice, but did not delete the last name and first name. The controller also blocked the data subject from accessing the controller's Facebook page. On 19 July 2022, the data subject filed a complaint with the Belgian DPA to raise the refusal of the controller to comply with her erasure request.
Holding
The DPA stated that an invoice obliges the controller to collect certain basic information about the data subject. The invoice has to include first names, surnames, e-mail, billing address, delivery address as well as the content of the purchases and/or the service (Article 4(1) GDPR). It also stated that the controller was a service provider and had to comply with requests made by data subjects under Articles 15 to 22 GDPR.
The DPA also determined that even after the data subject's previous complaints, one with the police and one with the Conseil Régional Francophone, the first name and last name of the data subject were still visible on the Facebook page on 3 October 2022. The invoice itself was still published on the controller’s Facebook page. The name of the data subject also still appeared in some of the controller’s commentary included with this Facebook post.
The DPA considered that for the processing in question (the publication of the invoice with the name of the data subject) the controller did not meet any of the conditions for lawfulness of processing (Article 6 GDPR). For the sake of completeness, the DPA examined whether the processing could have been based on ‘legitimate interest’ (Article 6(1)(f) GDPR). The controller needed to meet 3 cumulative conditions to use this legal basis: the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, the necessity of the processing of personal data for the fulfilment of the legitimate interest pursued, and the condition that the fundamental rights and freedoms of the data subject do not prevail (balancing test).
Firstly, the DPA determined that the publication of a price list of the controller’s services (in the form of an invoice) could be considered a legitimate interest for reasons of price transparency and as a way to gain customers' trust. Secondly, the processing (publication) was not considered necessary to reach the purpose. The DPA stated that for this necessity test, it had to be analysed whether the same result could be achieved by other means, without processing personal data at all or without unnecessary substantial processing. In this case, the processing only helped in labelling the data subject as someone who did not fulfil her financial obligations, which was also an attack on her person and dignity in the event of a dispute. It did not offer any added value for the purpose of price transparency. This purpose could also have been achieved without publishing an invoice with personal data. Instead, a brochure or a leaflet could have been published. Thirdly, the DPA held that for the balancing test, the reasonable expectations of the data subject should have been taken into account regarding the processing of personal data for a particular purpose (Recital 47 GDPR). The DPA stated that the data subject could not have foreseen the controller posting her invoice with her personal information on Facebook. The controller also did not ask for consent to publish the invoice on Facebook (Article 6(1)(a) GDPR). The controller therefore failed the balancing test. The DPA held that the controller could not rely on legitimate interest (Article 6(1)(f) GDPR) and stated that the controller did not seem to comply with Article 6 GDPR. The controller was obliged to delete the personal data of the data subject as soon as possible (Article 17(1) GDPR). The DPA also determined that the controller seemed to fail to comply with Article 24 GDPR, because it had published the invoice to illustrate the tariffs it applied and/or to settle a dispute. This did not seem to ensure that processing was carried out in compliance with the GDPR and other data protection laws.
Thus, the DPA held that the controller seemed to fail to comply with Articles 12(3), 12(4) and 17(1) GDPR and ordered the controller to comply with the data subject’s request for data erasure (Article 95(1)(5) LCA). The DPA also issued a warning (pursuant to Article 95(1)(4) LCA and Article 58(2)(a) GDPR) to the controller because it seemed to fail to comply with Articles 6 and 24 GDPR. The DPA warned the controller to respect data subject requests in the future. The DPA also emphasised that this was a prima facie decision and part of the procedure prior to the decision on the merits.
Comment
It is most likely that the controller was some kind of medical service provider, although the nature of the controller was not explicitly specified in the decision. This can be deduced from the wording in paragraph 25, which stated that the controller “treated”.
Although it was not clearly specified, it is most likely that there was a dispute between the data subject and the controller, which resulted in the publication of the invoice on the controller's Facebook page. This dispute seemed to be about the lack of payment by the data subject. This can be deduced from paragraph 38, which stated that the publication of the name of the data subject only results in the data subject being labelled online as a bad payer or even results in an attack on his person and dignity in the event of a dispute. Another indication can be found in paragraph 42, where the DPA stated that the controller had published the invoice to illustrate applied tariffs and/or settle a dispute.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/13 Litigation Chamber Decision 158/2022 of November 7, 2022 File number: DOS-2022-03009 Subject: Complaint for publication on social networks (Facebook) of an invoice with mentionofthelastname/firstnameofthecustomerandpartialresponseoftheprocessingresponsible on request for erasure The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The complainant: Ms. X, hereinafter “the complainant”; . . The defendant: Y , hereinafter: “the defendant”. . Decision 158/2022 - 2/13 I. Facts and procedure 1. On July 19, 2022, the complainant filed a complaint with the Authority for the Protection of data (hereinafter “ODA”). 2. The subject of the complaint concerns the publication, on June 23, 2022, of an invoice addressed to the name of the plaintiff by the defendant on the professional Facebook page (public page) of the latter. This invoice contained the following personal information: the names and first names as well as the postal address of the complainant. 3. On July 17, 2022, the complainant contacted the DPA to obtain information following the publication of his invoice on the defendant's professional Facebook page. 18 July 2022, the APD provides response elements and communicates the various procedures available to the complainant. 4. 
On July 19, 2022, the complainant replies to the email from the DPA and attaches the complaint form supplemented by appendices to support her comments: she indicates that she has exercised her rights with the data controller (the defendant); having filed a complaint, on June 28, 2022, to the Francophone Regional Council of […] (hereinafter “Z”) and, on July 1, 2022, to the police for invasion of his privacy and violation of the GDPR (PV number (...)). The complainant explains also that, following the complaint lodged with the police, the defendant, on the one hand, withdrew the July 12, 2022 from his professional Facebook page some of the information personal data appearing on the invoice, except for his first and last names, and on the other hand, blocked his access to said Facebook page. 5. On September 5, 2022, the Service de Première Ligne (hereinafter “SPL”) declares the complaint inadmissible "on the ground that the processing complained of has ceased" because the defendant deleted the identification data of the complainant. On the same date, the complainant informed the SPL that his surnames/first names are always mentioned on the professional Facebook page of the defendant. 6. On September 9, 2022, the SPL claimed proof of the facts invoked, namely "copy/capture screenshot of the invoice which is always present on the professional Facebook page of the […] containing [the] name [of the complainant] and the details of the services performed on [her] (...)”. the September 12, 2022, the complainant sends a screenshot of the disputed publication. 7. On September 13, 2022, the SPL asked the complainant to send it a copy of the publication in another format because the screenshot received is not readable and does not allow not to read the information published by the defendant. The Complainant sends by email two documents in PDF format containing the screenshots of the contentious publication. Decision 158/2022 - 3/13 8. 
On September 15, 2022, the DPA SPL declares the complaint admissible on the basis of Articles 58 and 60 of the LCA, and sends it to the Litigation Chamber in accordance with article 62, § 1 of the ACL. II. Motivation 9. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data. 10. Pursuant to Article 33, §1 of the LCA, the Litigation Chamber is the body for ODA administrative litigation. It receives complaints that the SPL forwards to it in application of Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60 paragraph 2 of the LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and which fall within the competence of the ODA. 11. Pursuant to articles 51 and s. of the GDPR and Article 4, § 1 of the LCA, it is up to the Litigation Chamber as an administrative litigation body of the DPA, to exercise effective control of the application of the GDPR and to protect the freedoms and rights fundamental rights of natural persons with regard to processing and to facilitate the free flow personal data within the Union. 12. On the basis of the facts described in the complaint file as summarized above, and on the er powers attributed to it by the legislator under Article 95, §1 of the the LCA, the Litigation Chamber decides to proceed, on the one hand, to take a decision er in accordance with Article 95, § 1, 5° of the LCA, more specifically to order the controller to comply with the complainant's request to exercise its right to erasure (Art. 17.1 GDPR), on the other hand, to a warning in accordance with Article 95, § 1, 4° of the LCA; for the reasons set out below. 13. 
The Litigation Chamber notes that the complainant raises the refusal by the head of the processing to follow up on the request to exercise their right to erasure. 14. Firstly, it appears from the documents in the file that the complainant does not provide proof of the exercise of his rights with the controller as stipulated in the complaint form; filed a complaint on June 28, 2022 with the Francophone Regional Council […] (hereinafter “Z”)and July 1, 2022 to the police for invasion of his privacy and violation of the GDPR (PV number: (...)). Decision 158/2022 - 4/13 15. The Litigation Chamber also notes that the complaints filed with Z and the police relate to the publication of an invoice – mentioning the surnames and first names as well as the postal address – of the complainant on the professional Facebook page of the manager of the treatment: “therefore, I wish to lodge a complaint against this […] for […] having published 1 in public mode my personal data on his Facebook page. " or " [...] file a complaint of injury to life and violation of the GDPR against named Y 2 [...] » . 16. The Litigation Chamber understands that the complainant has had to exercise her right to erasure (Art. 17.1.c of the GDPR), especially since she filed a complaint with the Z and the police; but that the controller has only partially responded to his request in deleting only the postal address appearing on the invoice published on the page Professional Facebook. 17. 
The Litigation Chamber recalls that Article 4(1) of the GDPR defines “data to be personal character” as “any information relating to a natural person identified or identifiable (hereinafter referred to as the "data subject"); is deemed to be a "identifiable natural person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, an online identifier, or to one or several specific elements specific to its physical, physiological, genetic, psychological, economic, cultural or social. 3 18. A “processing” of personal data means, according to the GDPR, “any operation or any set of operations whether or not carried out using processes automated and applied to personal data or sets of data personnel, such as collecting, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of making available, the 4 reconciliation or interconnection, limitation, erasure or destruction”. 5 19. GDPR Article 4(7) defines “controller” as “the person physical or legal entity, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing”. 20. As the EDPB pointed out in Guidelines 07/2020 on the notions of controller and processor, the controller may be 1 2A reproduction of the complaint filed with Z. 3A reproduction of the complaint lodged with the police (report number: (..)). GDPR, art. 4.1).; Opinion 4/2007 of the “article 29” working group on data protection on the concept of personal data, adopted on June 20, 2007, available at https://cnpd.public.lu/dam-assets/fr/publications/groupe-art29/wp136_fr.pdf. ; Cf. the Nowak judgments 4CJUE, 20 December 2017, C-434/16, ECLI:EU:C:2017:994) and Breyer (CUJE, 19 October 2016, C-582/14, ECLI:EU:C:2016:779). 5GDPR, Art. 4, 2). 
GDPR, recitals 74, 79 and 81; GDPR, art. 4. 7), 4.8), 24, 26, 28, 29. Decision 158/2022 - 5/13 designated by a legislative or regulatory text. Otherwise, to identify it, it should analyze the factual elements or circumstances of the case, in particular determine its legal and organizational capacity, as well as its autonomy in the definition of the purposes, i.e. the objectives pursued, and the means of processing. 21. The Litigation Chamber recalls that the data controller must follow up on the request made pursuant to Articles 15 to 22 of the GDPR by the complainant, in this case a request for erasure provided for in Article 17 of the GDPR (exercise of the right to deletion), in compliance with the conditions set out in Article 12 of the GDPR .7 22. The Litigation Chamber also emphasizes that it is the responsibility of the controller to provide the complainant with information on the measures taken following a request formulated in application of Articles 15 to 22 of the GDPR, as soon as possible 8 cause within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the controller inform the complainant of this extension and the reasons for the postponement within one month from receipt of the request. 10 23. In the event that the data controller does not respond to the request made 11 by the complainant, he shall inform the latter without delay and at the latest within one month from from receipt of the request, the reasons for its inaction and the possibility to lodge a complaint with a supervisory authority and to lodge an appeal jurisdictional. 24. In this case, the Litigation Chamber recalls that the invoice, whatever its format, obliges the data controller to collect certain basic information concerning the customer (in this case, an individual). 
The invoice will include at least: first names, names, e-mail, billing address, delivery address as well as the content of the purchases and/or the service. In accordance with article 4.1) of the GDPR, the surnames, first names and address postal correspond to personal data. 25. The Litigation Chamber understands that the defendant is at the origin of the provision of service (in this case, she treated […]) but also invoicing; and, as such, it must, as data controller, respond to the request made in application of Articles 15 to 22 of the GDPR by the complainant. 6EDPB, “Guidelines 07/2020 concerning the notions of controller and processor in the GDPR”, adopted on 7 July 2021. 7GDPR, Art. 12. 8 GDPR, Art. 12.2 and 12.3. 9GDPR, Art. 12.3. 1 GDPR, Art. 12.3. 1 GDPR, Art. 12.4. Decision 158/2022 - 6/13 26. Secondly, it is apparent from the documents in the file that the publication at issue – the invoice mentioning the surnames/first names of the complainant – is always published on the Facebook page of the controller on October 3, 2022 at 10:56 a.m. (time er Belgium), despite the complaints lodged with the Z (June 28, 2022) and the police (July 1 2022). It also notes that the complainant's surname/first name still appears in the comment from the controller. 27. In addition, the Litigation Division notes that the controller indicates in his comment published on his professional Facebook page the following sentence: “having no worries about exposing my rates, I attach your invoice to this comment”. Figure 1 - Screenshot of October 03, 2022 at 10:56 a.m. (Belgian time - following URL address […]) Figure 2 - Screenshot of 03 October 2022 at 10:56 (Belgian time - following URL address […]) Decision 158/2022 - 7/13 28. 
The Litigation Chamber recalls that the GDPR clearly sets out the principle of responsibility, according to which the data controller is obliged to implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR and other personal data protection laws.12

29. The Court of Justice of the European Union, in its judgment of 13 May 2014, Google Spain and Google, also recalls that “the data controller must ensure, within the framework of its responsibilities, competences and possibilities, that the processing of data in question satisfies the requirements of Directive 95/46 so that the guarantees provided for by it can develop their full effect and that effective and complete protection of the persons concerned, in particular their right to respect for private life, can actually be achieved”.13

30. The Litigation Chamber also emphasizes that the processing is “lawful only if, and to the extent that, at least one of the following conditions is met:
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or the execution of pre-contractual measures taken at the latter's request;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary to safeguard the vital interests of the data subject or another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or falling within the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular when the person concerned is a child. [...]”.14

31. In the present case, the Litigation Chamber finds that the publication as a whole, namely the publication of the invoice with the surname/first name of the complainant as well as the mention in the comment of his name/first name on the professional Facebook page of the controller, constitutes processing of personal data within the meaning of Article 4, 1) of the GDPR, in the context of which the principles of data protection must apply to any data relating to an identified or identifiable natural person.

12 GDPR, recital 74; GDPR, art. 5, §2 and 24.
13 Opinion of Advocate General Y. Bot, 24 October 2017, in the case ULD v Wirtschaftsakademie Schleswig-Holstein, item 44; see also CJEU, 13 May 2014, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos and González, case C-131/12, points 38 and 83.
14 GDPR, Art. 6, §1.

32. The Litigation Chamber questions the publication of an invoice from a client (a private individual) with mention of the surname/first name on social networks, in this case the professional Facebook page (public page) of the controller, and the lawfulness of this processing. The Litigation Chamber considers that the controller does not meet any of the conditions of lawfulness provided for in Article 6 of the GDPR. For the sake of completeness, the Chamber nevertheless examines whether the processing of data could be based on the lawfulness basis of “legitimate interest” provided for in Article 6.1, f) of the GDPR.15

33.
In accordance with Article 6.1, f) of the GDPR and the case law of the Court of Justice of the European Union (hereinafter “the Court”), three cumulative conditions must be met in order for a data controller to validly invoke this basis of lawfulness, “namely, firstly, the pursuit of a legitimate interest by the controller or by the third party or third parties to whom the data is communicated, secondly, the need for the processing of personal data for the fulfillment of the legitimate interest pursued and, thirdly, the condition that the fundamental rights and freedoms of the person concerned by data protection do not prevail”.

34. In other words, in order to be able to invoke the basis of lawfulness of “legitimate interest” in accordance with Article 6, §1, f) of the GDPR, the controller must demonstrate that:
1) the interests it pursues with the processing can be recognized as legitimate (the “finality test”);
2) the envisaged processing is necessary to achieve those interests (the “necessity test”); and
3) the weighing of these interests against the fundamental interests, freedoms and rights of data subjects weighs in favor of the data controller (the “weighting test”).

35. With regard to the first condition (the “finality test”), the Litigation Chamber considers that the purpose of publishing the rates applied by the controller during its services (transparency on prices) to gain the confidence of customers must be considered as having been carried out with a view to a legitimate interest. In accordance with recital 47 of the GDPR, the interest that the defendant was pursuing as controller can in itself be considered legitimate. The first condition set out in Article 6.1.f) of the GDPR is therefore fulfilled.

15 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA „Rīgas satiksme”, recital 28. See also CJEU, 11 December 2019, C-708/18, TK c/ Asociaţia de Proprietari bloc M5A-ScaraA, recital 40; Data Protection Authority, Litigation Chamber, 30 October 2020, substantive decision 71/2020 (§68), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.
16 Data Protection Authority, Litigation Chamber, 30 October 2020, substantive decision 71/2020 (§69), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.

36. With respect to the second condition (the “necessity test”), the controller must demonstrate that the processing is necessary for the achievement of the purposes pursued. This means more precisely that one must ask oneself whether the same result cannot be achieved by other means, without processing personal data or without processing that is unnecessarily substantial for data subjects.

37. Starting from the purpose, namely the publication on social networks of the tariffs applied by the controller, it should therefore be checked whether the publication of the invoice with the indication of the surname/first name of the complainant, supported by a comment which again includes his surname/first name, may or may not contribute to the transparency of the prices applied by the controller.

38. However, the publication of the invoice with the indication of the surname/first name of the complainant, supported by a comment which again takes up his surname/first name, does not only result in the person concerned being described online as a bad payer, or even in harm to his person and his dignity, in the event of a dispute.
More importantly, this method does not offer any added value in the display of the prices charged by the controller (price transparency). If the controller's intention is to allow potential customers, through this practice, to know the rates, the Litigation Chamber argues that this purpose can also be achieved without publishing an invoice with the complainant's identification data, but rather with a brochure or prospectus which only mentions the prices per service. The second condition is not met.

39. With regard to the third condition (the “weighting test”), one must first take account of the reasonable expectations of the person concerned, in accordance with recital 47 GDPR. In particular, it must be assessed whether “the data subject can reasonably expect, at the time and in the context of the collection of personal data, that they are processed for a given purpose”.

40. The Litigation Chamber finds that the complainant could at no time expect that his invoice would be published with his surname/first name to meet a principle of transparency of the prices applied by the data controller, still less with the intention of publicly settling a disagreement arising from a dispute. Moreover, the controller does not appear to have requested, under Article 6, §1, a) of the GDPR, the consent of the complainant to publish the invoice with his name/surname on social networks, in this case “Facebook”. The third condition is therefore not met either.

17 au fond 71/2020 (§70 to 72), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.
18 GDPR, Recital 47; CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, recital 58; Data Protection Authority, Litigation Chamber, 30 October 2020, decision on the merits 71/2020 (§73 to 75), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.

41.
The Litigation Chamber considers that all of the elements set out above demonstrate that the controller cannot invoke article 6.1, f) of the GDPR to qualify as lawful the publication of the invoice with mention of the surname/first name of the complainant on its professional Facebook page. Therefore, the data controller seems not to comply with the requirements of article 6 of the GDPR and must respond favorably to the complainant's request to exercise the right to erasure: he has the obligation to erase, as soon as possible, the personal data of the complainant (art. 17.1. of the GDPR).

42. Finally, the Litigation Chamber points out that the means chosen by the controller (in this case, posting on the defendant’s professional Facebook page the invoice of a customer with mention of his name/first name to illustrate the rates applied and/or settle a dispute) undermine the principle of responsibility provided for in Article 24 of the GDPR. These measures defined by the data controller do not seem to be of a nature to ensure that the processing is carried out in accordance with the GDPR and other personal data protection laws.

43. Ultimately, in view of the aforementioned examination, the Litigation Chamber concludes that the controller has not, prima facie, complied with Articles 12.3 and 12.4 of the GDPR, as well as Article 17.1 of the GDPR, which in this case justifies taking a decision on the basis of Article 95, § 1, 5° of the LCA, more specifically to order the controller to comply with the complainant's request to exercise his right to erasure (Art. 17.1 of the GDPR) and to erase the personal data in question (i.e. the invoice with the indication of the surname/first name of the complainant supported by a comment that again includes his name/first name).

44.
The Litigation Chamber also concludes that the controller has not, prima facie, complied with Articles 6 and 24 of the GDPR, which in this case justifies taking a decision on the basis of Article 95, § 1, 4° of the LCA, more specifically to address to the controller a warning within the meaning of Article 58.2.a) of the GDPR so that the latter ensures, in the future, that it responds to requests for the exercise of the rights of the persons concerned and respects the principle of responsibility.

19 GDPR, recital 74; GDPR, art. 5, §2 and 24.

45. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant, within the framework of the “procedure prior to the substantive decision”20 and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

46. The purpose of this decision is to inform the defendant, the presumed controller, that it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions.

47. If, however, the controller does not agree with the content of this prima facie decision and believes that he can make factual and/or legal arguments which could lead to another decision, the latter may address to the Litigation Chamber a request for processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of this decision. If necessary, the execution of this decision will be suspended during the aforementioned period.

48. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, this decision is permanently suspended.

49.
In the interests of transparency, the Litigation Chamber finally emphasizes that dealing with the case on the merits may lead to the imposition of the measures mentioned in Article 100 of the LCA.21

20 Section 3, Subsection 2 of the LCA (arts. 94 to 97 inclusive).
21 Art. 100. § 1. The litigation chamber has the power to: 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronounce the suspension of the pronouncement; 4° propose a transaction; 5° issue warnings and reprimands; 6° order compliance with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data; 11° order the withdrawal of accreditation from certification bodies; 12° issue periodic penalty payments; 13° issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the Public Prosecutor's Office of Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

III. Publication of the decision

50. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties are communicated directly.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the data controller for substantive processing, in accordance with articles 98 et seq.
of the LCA:
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the controller to comply with the data subject's request to exercise their rights, within 30 days of notification of this decision;
- pursuant to Article 58.2.a) of the GDPR and Article 95, § 1, 4° of the LCA, to pronounce a warning against the data controller;
- to order the data controller to inform the Data Protection Authority (Litigation Chamber) by e-mail of the follow-up given to this decision, within the same deadline, via the e-mail address litigationchamber@apd-gba.be; and
- if the data controller does not comply in good time with what is requested above, to deal ex officio with the case on the merits, in accordance with Articles 98 et seq. of the LCA.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud.,23 or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

(signed) Hielke HIJMANS
President of the Litigation Chamber

22 The request contains, under penalty of nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and summary statement of the means of the application; 5° the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer.
23 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed at the court office.