APD/GBA (Belgium) - 34/2020
APD/GBA - DOS-2019-02426 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 6(1) GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 23.06.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | DOS-2019-02426 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | n/a |
GBA found that the use of personal data obtained from the national data-bank of vehicles by insurance companies for the purpose of creating personalized price offers constitutes violation of Articles 5, 6, 12, 13 and 14 of GDPR. The agency that maintains this data base, the Federal Public Service Mobility and Transportation, was ordered to bring its data processing in compliance with Articles 5 and 6 within 6 months and Articles 12, 13 and 14 within 3 months. GBA has also issued a reprimand for the violation of Articles 12-14. No fines were issued because the predecessor of GBA had reviewed and issued conditions under which this processing could be approved back in 2017 under the previous data protection law.
English Summary
Facts
In May 2019 the Inspection service of the GBA started an investigation into the Federal Public Service Mobility and Transportation. GBA wanted to know about the information portal NV Informex, its access to the national data-bank of vehicles and the fact that data from this data-bank was shared with insurance companies for the purposes of creating personalized price offers to its potential customers. The report of the Inspection service found the following violations: 1. Breach of the principles of purpose limitation (Article 5) and lawfulness (Article 6) of processing; 2. Breach of the responsibilities of a controller (Article 24), security of processing (Article 32) and violation of the obligation to notify supervisory authority of the personal data breach (Article 33); 3. Breach of the requirements for designation (Article 37) and position (Article 38) of data protection officer; 4. Breach of the obligation to cooperate with the supervisory authority (Article 31); 5. Breach of transparency (Article 12) and information provision (Article 13) obligations.
Dispute
Holding
The Dispute Chamber of the GBA found that the use of personal data obtained via the data-bank of vehicles by customers of NV Informex, in particular insurance companies, for the purpose of creating personalized price offers constitutes direct marketing and violates Articles 5 and 6 of the GDPR and Article 25 of the Royal Decree of 8th of July 2013. The Federal Public Service Mobility and Transportation was ordered to bring this personal data processing in compliance with GDPR within 6 months.
The Dispute Chamber also issued a reprimand against the Federal Public Service Mobility and Transportation for violating Articles 12, 13, 14 of GDPR and ordered to bring the relevant information provisions in compliance with GDPR within 3 months.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Page 1 1/35 Litigation room Substance decision 34/2020 of 23 June 2020 File number: DOS-2019-02426 Subject: Processing of personal data entered in the Crossroads Bank of the vehicles The Litigation Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Page 2 Substance decision 34/2020 - 2/35 has taken the following decision on: - the Federal Public Service for Mobility and Transport, City Atrium, Vooruitgangstraat 56 - 1210 Brussels, with company number 0308.357.852, hereinafter “the defendant”. 1. Facts and procedure 1. On 3 April 2019, the Executive Committee of the Data Protection Authority shall decide on the basis of Article 63, 1 ° WOG to file a file with the Inspection Service as it found serious indications that certain insurance companies are gaining access to the personal data contained in the Crossroads Bank for the vehicles and that this access would be used for the commercial reuse of this personal data. More specifically, these insurance companies would have this access available through the information platform Informex NV. 2. On 3 May 2019, the Inspection Service will send a letter to the respondent, who is the controller of the personal data included in the Crossroads Bank for Vehicles, in which it asks a number of questions to the latter: 1. “Since when have you been aware of the aforementioned practice of NV Informex (please with copy of correspondence and supporting documents added)? Since when is your data protection officer (please add copy of supporting documents)? 2. What specific measures have been taken since you became aware of the aforementioned practice of NV Informex (please add relevant documents hereby supporting your approach)? What was the advice of your official before data protection (please include a copy of that advice)? 3. How do you appreciate the purpose limitation and legality of the practice that exists in it systematic reuse of personal data from the KBV by Informex NV through it platform www.audagarage.com on behalf of various insurers for the online determining a premium proposal in accordance with the KBV Act 1 and its implementing decrees and having regard to the privacy statement of the Federal Public Service for Mobility and Transport on the webpage https.//mobilit.belgium.be/en/privacy? 1 Law of 19 May 2010 establishing the Crossroads Bank for Vehicles, BS 28 June 2010. Page 3 Substance decision 34/2020 - 3/35 4. Who is since when you became your data protection officer and how that choice actually justified? Became your data protection officer registered with the GBA? You may have tasks, including any tasks that are unrelated with data protection, and its precise position in your organization chart document organization based on relevant documents? 5. Is the aforementioned practice of NV Informex qualified by you as an infringement? in connection with personal data: why or not? And why was that made if necessary, have not yet reported to the GBA? ” 3. The respondent replied to these questions from the Inspection Service by letter of 29 May 2019. 4. By letter of 6 June 2019, the Inspection Service makes its preliminary findings and one number of additional questions to the defendant. 5. On 19 August 2019, the Inspection Service will be in accordance with Article 91, §2 WOG inspection report to the chairman of the Disputes Chamber, as a result of which the Disputes Chamber is based on Article 92, 3 ° WOG. In its report, the inspection service does within the scope of the serious indications observations related to: • compliance with the purpose limitation (Article 5.1 b) GDPR) and the legality of the processing (Article 6.1 GDPR); as well • compliance with the responsibility of the controller (Article 24 GDPR), security of processing (Article 32 GDPR) and notification of a personal data breach to the supervisory authority government (Article 33 GDPR). The Inspection Service also makes a number of additional findings, outside the scope of the serious indications, in particular concerning: • compliance with the provisions regarding the appointment of an official for data protection (Article 37 GDPR) and the position of the official for data protection (Article 38 GDPR); • compliance with the obligation to cooperate (Article 31 GDPR and Article 66.2 WOG); and • compliance with the transparency obligations (Article 12 GDPR) and the te provide information (Article 13 GDPR). Page 4 Substance decision 34/2020 - 4/35 6. On 24 September 2019, the Disputes Chamber will decide on the basis of Articles 95, §1, 1 °, and 98 WOG that the complaint is ready for substantive treatment. 7. The respondent will be informed of the registered letter of 24 September 2019 fact that the complaint is ready for substantive treatment and it will also be processed on the basis of Article 99 WOG notified of the deadline to submit his defenses. 8. On 28 October 2019, the defendant lodges and requests its reply under Article 98, 2 ° WOG to be heard. 9. On 4 May 2020, the defendant will become, in accordance with Article 53 of the Internal Rules of Procedure order heard by the Disputes Chamber. 10. On 6 May 2020, in accordance with Article 54 of the Rules of Procedure official report of the hearing to the defendant. 11. On 15 May 2020, the defendant submits his observations, which, in accordance with Article 54, Paragraph 2 of the Internal Rules of Procedure as an appendix to the minutes of questioning attached. 2. Legal basis Article 5.1 b) GDPR 1. Personal data must: (…) (a) processed in a manner that is lawful, proper and is transparent ('lawfulness, fairness and transparency'); b) for specific, express defined and legitimate purposes are collected and may not continue further processed in a manner incompatible with those purposes; the further processing with a view to archiving in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original in accordance with Article 89 (1) purposes considered ('purpose limitation'); Article 6.1 GDPR Page 5 Substance decision 34/2020 - 5/35 1. Processing is lawful only if and to the extent that at least one of the following is provided conditions are met: (a) the data subject has consented to the processing of his personal data for one or more specific purposes; b) the processing is necessary for the performance of an agreement involving the data subject or, at the request of the person concerned, to take measures before concluding an agreement take; c) the processing is necessary to comply with a legal obligation imposed on the controller responsible for rest; d) the processing is necessary for the vital interests of the data subject or of another protect natural person; (e) the processing is necessary for the performance of a task carried out in the public interest or a task as part of the exercise of official authority vested in the controller ordered; (f) the processing is necessary for the defense of the legitimate interests of the controller or of a third party, except where interests or fundamental rights and the fundamental freedoms of the data subject requiring the protection of personal data, outweigh those interests, especially when the data subject is a child. Point (f) of the first subparagraph shall not apply to processing by public authorities under the performing their duties. Article 12 GDPR 1. The controller shall take appropriate measures to ensure that the data subject in the Articles 13 and 14 and the information referred to in Articles 15 to 22 and 34 communication related to the processing in a concise, transparent, understandable and easily accessible form and in plain and simple language, especially when the information is specific to a child. The information is provided in writing or with others resources, including, where appropriate, electronic resources. If the the person concerned so requests, the information may be provided orally, provided that the person's identity has been proved by other means. (…) 5. The provision of the information referred to in Articles 13 and 14 and the provision of the communication and taking the measures referred to in Articles 15 to 22 and Article 34 are provided free of charge. When requests from a data subject are manifestly unfounded or excessive Due in particular to their repetitive nature, the controller may either: (a) a charge a reasonable fee in light of the administrative costs involved in providing it of the requested information or communication and taking the requested measures Page 6 Substance decision 34/2020 - 6/35 to go; or b) refuse to act on the request. It is up to the controller to demonstrate the manifestly unfounded or excessive nature of the request. 6. Without prejudice to Article 11, the controller may, where he has reasons to question the identity of the natural person making the request as referred to in the Articles 15 to 21, request additional information necessary to confirm the identity of the data subject. 7. Information to be provided to data subjects under Articles 13 and 14 may be provided using standardized icons, to give the data subject a useful overview, in one clearly visible, understandable and clearly legible form of the intended processing. When the icons are displayed electronically, they are machine-readable. 8. The Commission is empowered to adopt delegated acts in accordance with Article 92 to determine which information the icons should display and through which procedures the standardized icons should be created. Article 13 GDPR 1. When personal data concerning a data subject is collected from that person, the controller shall provide the data subject with the acquisition of the personal data all the following information: (a) the identity and contact details of the controller and, where applicable, from the controller's controller; (b) where applicable, the contact details of the data protection officer; c) the processing purposes for which the personal data are intended, as well as the legal basis for processing; (d) the legitimate interests of the controller or of a third party, if the processing is based on Article 6 (1) (f); (d) where appropriate, the recipients or categories of recipients of the personal data; (e) where applicable, the controller intends to do the transfer personal data to a third country or an international organization; whether or not there there is no adequacy decision by the Commission; or, in the case of Article 46, Article 47 or transfers referred to in the second subparagraph of Article 49 (1), which provide the appropriate or appropriate safeguards how to get a copy of it or where to get it. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with obtaining the personal data the following additional information to ensure proper and ensure transparent processing: a) the period during which the personal data will be stored, or if not is possible, the criteria for determining that period; Page 7 Substance decision 34/2020 - 7/35 (b) that the data subject has the right to request the controller to inspect and rectification or erasure of the personal data or limitation of the processing concerning him, as well as the right to object to the processing and the right to data portability; (c) where the processing is based on Article 6 (1) (a) or Article 9 (2) (a), that the data subject has the right to withdraw consent at any time, without prejudice to this the lawfulness of the processing based on the consent before its withdrawal; (d) that the data subject has the right to lodge a complaint with a supervisory authority; e) whether the provision of personal data is a legal or contractual obligation or a necessary condition to conclude an agreement and whether the data subject is obliged to provide personal data and the possible consequences if this data is not be provided; (f) the existence of automated decision-making, including those referred to in Article 22 (1) and (4), referred profiling, and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject. 3. If the controller intends to proceed with the personal data for a purpose other than that for which the personal data was collected, the controller before further processing information about the other purpose and any relevant further information referred to in paragraph 2. 4. Paragraphs 1, 2 and 3 shall not apply if and insofar as the data subject already has information on the information. Article 14 GDPR 1. Where personal data has not been obtained from the data subject, the controller shall provide the data subject with the following information: (a) the identity and contact details of the controller and, where applicable, from the controller's controller; (b) where applicable, the contact details of the data protection officer; (c) the processing purposes for which the personal data are intended, and the legal basis for the processing; (d) the categories of personal data concerned; (e) where applicable, the recipients or categories of recipients of the personal data; (f) where applicable, the controller has the intention to process the transfer personal data to a recipient in a third country or an international organization; whether or not there is an adequacy decision by the Commission; or, in the case of the transfers referred to in Articles 46, 47 or 49 (1), second subparagraph, which are the appropriate ones Page 8 Substance decision 34/2020 - 8/35 whether there are appropriate safeguards, how to obtain a copy or where to get them consulted. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information to ensure that the data subject is properly and transparently processed to ensure: a) the period during which the personal data will be stored, or if not the criteria for determining that period are possible; (b) the legitimate interests of the controller or of a third party, if the processing is based on Article 6 (1) (f); (c) that the data subject has the right to request the controller to inspect and rectification or deletion of personal data or limitation of the processing concerning him, as well as the right to object to processing and the right to data portability; (d) where processing is based on Article 6 (1) (a) or Article 9 (2) (a), that the data subject has the right to withdraw consent at any time, without prejudice to this the lawfulness of the processing based on the consent before its withdrawal; (e) that the data subject has the right to lodge a complaint with a supervisory authority; (f) the source of the personal data and, where appropriate, whether they originate from public sources; (g) the existence of automated decision-making, including those referred to in Article 22 (1) and (4), referred profiling, and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject. 3. The controller shall provide the information referred to in paragraphs 1 and 2: (a) within a reasonable period of time, but no later than one month after the acquisition of the personal data, depending on the concrete circumstances in which the personal data are processed; b) if the personal data will be used for communication with the data subject, at the latest at the time of the first contact with the data subject; or (c) if communication of the data to another recipient is envisaged, at the latest time when the personal data is first provided. (…) Article 24 GDPR 1. Taking into account the nature, scope, context and purpose of the processing, as well as the likelihood and severity of the various risks to the rights and freedoms of natural life persons, the controller will find appropriate technical and organizational measures to ensure and demonstrate that processing is in accordance with Page 9 Substance decision 34/2020 - 9/35 this Regulation is being implemented. Those measures are evaluated and if necessary updated. 2. Where proportionate to the processing activities, include those referred to in paragraph 1 measures an appropriate data protection policy established by the controller is carried out. 3. Joining approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element to demonstrate that the obligations of the controller have been fulfilled. Article 31 GDPR The controller and the processor and, where applicable, their representatives, cooperate with the supervisory authority, when requested, in carrying out its duties. Article 66, §2 WOG The persons who are the subject of an inspection must cooperate to that end grant . Article 33 GDPR 1. If a personal data breach has occurred, the controller without unreasonable delay and, if possible, no later than 72 hours after having taken cognizance of it, to the supervisory body competent in accordance with Article 55 authority, unless it is unlikely that the personal data breach is a risk means for the rights and freedoms of natural persons. If the notification to the supervisory authority does not take place within 72 hours, it shall be accompanied by a statement of reasons the delay. 2. The processor shall inform the controller without unreasonable delay as soon as he has taken cognizance of a personal data breach. 3. The notification referred to in paragraph 1 shall at least describe or communicate: (a) the nature of the personal data breach, indicating, where possible, the categories of data subjects and personal data registers concerned and, approximately, the number data subjects and personal data registers concerned; (b) the name and contact details of the data protection officer or other person contact point where more information can be obtained; (c) the likely consequences of the personal data breach; Page 10 Substance decision 34/2020 - 10/35 (d) the measures proposed or taken by the controller to remedy the infringement related to personal data, including, where appropriate, measures to limit any adverse effects thereof. 4. If and insofar as it is not possible to provide all information simultaneously, the information is provided in steps without unreasonable delay. 5. The controller shall document all personal data breaches, including the facts regarding the personal data breach, the consequences thereof and the corrective measures taken. That documentation establishes the supervisory authority authority to verify compliance with this Article. Article 37 GDPR 1. The controller and processor shall appoint an official data protection in any case where: (a) the processing is carried out by a public authority or agency, except in the case courts in the exercise of their judicial functions; (b) a controller or the processor is primarily responsible for processing that due to their nature, their size and / or their purposes, regular and systematic observation on require large scale of stakeholders; or (c) the controller or processor is mainly responsible for large-scale operations processing of special categories of data under Article 9 and of personal data related to criminal convictions and offenses as referred to in Article 10. 2. A group may appoint one data protection officer, subject to the official for data protection is easy to contact from any location. 3. Where the controller or processor is a public authority or governmental authority, one data protection officer may be appointed for various such bodies or bodies, taking into account their organizational structure and size. 4. In cases other than those referred to in paragraph 1, it may or, where appropriate, be governed by Union or Member State law is mandatory, the controller or processor or associations and others bodies representing categories of controllers or processors, a appoint a data protection officer. The data protection officer may to act for such associations and other bodies carrying categories of represent controllers or processors. 5. The data protection officer shall be appointed on the basis of his professional duties qualities and, in particular, expertise in the field of legislation and practice on data protection and its ability to perform the tasks referred to in Article 39. Page 11 Substance decision 34/2020 - 11/35 6. The data protection officer may employ a staff member of the controller or processor, or may perform the tasks under a provide service agreement. 7. The controller or processor shall provide the contact details of the official for data protection and inform the supervisory authority. Article 38 GDPR 1. The controller and the processor shall ensure that the official for data protection is properly and timely involved in all matters related with the protection of personal data. 2. The controller and processor shall support the officer data protection in the performance of the tasks referred to in Article 39 by accessing it provision of personal data and processing activities and the necessary means by him to make available for the fulfillment of these tasks and the maintenance of them expertise. 3. The controller and the processor shall ensure that the official before data protection does not receive instructions regarding the performance of those tasks. He shall not be fired or punished by the controller or processor for the performance of his duties. The data protection officer reports directly to the senior manager of the controller or processor. 4. Data subjects can contact the data protection officer about all matters related to the processing of their data and to the exercise of their rights under this Regulation. 5. The data protection officer is in the performance of his duties in accordance with Union or Member State law on confidentiality or confidentiality kept. 6. The data protection officer may perform other duties and obligations. The controller or the processor ensures that these tasks or duties do not become one conflict of interest. Page 12 Substance decision 34/2020 - 12/35 3. Justification 3.1.1. Regarding the purpose limitation findings (Article 5.1 b) GDPR) and the lawfulness of processing (Article 6.1 GDPR) 12. In its report 2, the Inspection Service essentially determines that from the documents in the file it appears that the defendant had been aware since 2017 that Informex NV had previously ensures that insurance companies can make use of certain personal data from the Crossroads Bank for the vehicles, so that these companies can provide a personalized price offer based on this information drafting for potential policyholders. 13. The Inspection Service points out in this respect that Article 5 of the Law of 19 May 2010 establishing the Crossroads Bank for Vehicles (hereinafter “KBV Act”) what the personal data contained in this Crossroads Bank concerns a limited number of purposes lists the general interest and that the personal data obtained through the Crossroads Bank should not be used for other purposes. The Inspection Service states that a confirmation of this can be found in article 25 of the Royal Decree of 8 July 2013 pursuant to the Act of 19 May 2010 establishing the Crossroads Bank for Vehicles (hereinafter “KB KBV”) that prohibits personal data obtained through the Crossroads Bank of the vehicles would be used for direct marketing purposes . 3.1.2. The situation before May 25, 2018: the advice of the CPP dated May 11, 2017 14. In his response, the defendant puts forward the first charge of the Inspection Service have indeed been aware of the Informex NV's intention to introduce new activities, the so-called IRES activities, based on a vehicle registration plate, to vehicle identification can do. The defendant clarifies that NV Informex is in the context of the aforementioned activities wished to offer a service to insurance companies based on the from the license plate would obtain technical data from the vehicle to them allow online precise pricing for car insurance immediately to feed. 2 In response to a serious instruction from the Executive Committee. Page 13 Substance decision 34/2020 - 13/35 15. It is apparent from the documents in the file that this practice consists in practice of the insurers, customers of NV Informex, via an online form to potential policyholders are able to offer a personalized price calculation requesting data subjects to choose their vehicle data manually or provide their number plate, on the basis of which the the insurer involved then provides the vehicle data of the person concerned from the Crossroads Bank. This practice ensures, among other things, that under- or overinsurance is excluded. 16. The defendant points out that, in this respect, NV Informex requested access to the Crossroads bank of the vehicles to the defendant, but the latter this request rejected as he believed that the intended activities were not part of the project within the objectives of.. listed by Article 4, 4 ° Royal Decree KBV public interest with which NV Informex, as an information platform with regard to vehicles that are the subject of an accident 3 are charged, in particular: "- security, and improving consumer protection (eg through provide services on the budget for damage to vehicles after an accident, the compilation of vehicle accident statistics, communication of information on vehicles after an accident to the government, and the fight against fraud to the vehicle insurance and the protection of vehicle safety); - enable global fleet management, including disused vehicles (for example, by providing services for the damage assessment to vehicles after an accident, the provision of methods to vehicles carrying it subject to an expertise to sell publicly, compiling statistics of vehicle accidents, and communication of vehicle information after an accident to the government); - enabling the technical inspection of vehicles after an accident (eg by providing services related to the budget for damage to vehicles after an accident, and communication of information about vehicles after an accident to the government); - the control by the competent authorities of the regulations governing the management of vehicles scrapped due to an accident; - avoiding fraud in vehicle insurance. " 17. The defendant therefore considered that Informex NV could not appeal in this matter to the exemption for obtaining an authorization from the Sectoral Committee in accordance with 3 Cf. www.informex.be . Page 14 Substance decision 34/2020 - 14/35 Article 5 of the Royal Decree that states: “ The natural and legal persons listed in Article 4 are… also exempt from prior authorization from the Sectoral Committee for the information they need to achieve the information set out in Article 4 purposes ”. 18. The defendant claims that he consequently referred Informex NV to the competent court Sectoral Committee established at the Commission for the Protection of Personal Rights Privacy (hereinafter “CPP”) in order to obtain an authorization in accordance with article 18 KB KBV. 19. It appears from the documents in the file that NV Informex had various contacts thereon with the CBPL, which was finally delivered in an opinion of 11 May 2017 to NV Informex confirmed that the IRES activities under the exemption of Article 4 of the Royal Decree in conjunction with Article 5 of the Royal Decree on KBV. The CBPL states that although these activities are not specific relate to vehicles which were the subject of an accident, these nevertheless fall within the scope of the purposes of Article 4 of the Royal Decree since they stem from a preventive use of Informex's damage platform NV. 20. However, the CPP attached a number of conditions to the use of this data in the context of the above-mentioned activities, in particular: 1. Obtaining the license plate of the vehicle from the person concerned by the customers of NV Informex can only take place on the basis of the permission of data subject. 2. Informex NV must conclude a contract with its customers, the latter of which guarantee that the purposes of the processing will be stated in the RBFA respected. 3. Informex NV must ensure that those involved are informed in advance regarding the use of their license plate. 4. Informex NV must ensure access logging and ensure that it lawful use of its services by its customers. 5. The contracts with Informex NV's customers must provide for provisions concerning the use of the registration plate as an access key for the technical vehicle data. 6. Informex NV and its customers must comply with the provisions of the (applicable at the time being) Act of 8 December 1992 on the protection of privacy to comply with the processing of personal data (hereinafter “WPV”), especially regarding the retention periods and the security of the processing. Page 15 Substance decision 34/2020 - 15/35 21. The defendant points out that, on the basis of this advice from the CPP, the defendant subsequently NV Informex provided access to the data of the Crossroads Bank of the vehicles. 22. However, he adds that he has access to it before it is granted supervised that the conditions imposed by the CBPL were set by NV Informex adhered to. 23. With regard to the above, the Disputes Chamber points out that the advice is provided by the CBPL predates the application of the GDPR and that the CBPL as well as its sectoral committees were abolished by the law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (hereinafter “the Framework Act ”). 4 The processing involved personal data in the context of the IRES activities of NV Informex consequently, to be assessed under the new legal framework since 25 May 2018, in particular the provisions of the GDPR. The GDPR assumes an accountability of one controller and does not provide prior consultation and authorization by an external body with public authority. 5 3.1.3. The situation after May 25, 2018: assessment against the GDPR A. Identification of the controllers involved (Article 4.7 GDPR) 24. In accordance with Article 4.7 GDPR, it must be the controller considered: the “ natural or legal person, government agency, service or other body that, alone or together with others, the purpose and means of the processing of personal data ”. 25. In its case-law, the Court of Justice has the concept of “controller” has been widely interpreted several times in order to ensure effective and complete protection of the insure those involved. The Court also pointed out that this notion “ does not necessarily refers to a single body and can refer to several 4 Cf. Article 280 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. 5 Subject to Article 36 GDPR, not relevant here. Page 16 Substance decision 34/2020 - 16/35 participants in this processing, each of which is subject to the provisions in the field of data protection ”. 6 26. In accordance with Group Opinion 1/2010 29, the Disputes Chamber assesses the status of the controller (s) concerned in concrete terms . 7 27. In the present case , the Disputes Chamber finds that, in the processing of personal data obtained through the Crossroads Bank for vehicles in the context of the IRES activities, both the defendant and NV Informex as well as its customers (the insurance companies) should become controllers qualified as they each have the purpose and means of their respective determine processing processes. 28. For the defendant, this role arises as controller of the personal data concerned derives from Article 6 of the KBV Act in conjunction with Article 30 of the KBV KBV determine that these are administrators of the Crossroads Bank for vehicles is the controller of the personal data stored in this Crossroads Bank are located. 29. With regard to NV Informex, Article 5 of the KBV Act in conjunction with Article 4, 4 ° of the KBV stipulates that it processes the personal data contained in the Crossroads Bank for the vehicles in the in the context of the fulfillment of the general objectives stated in Article 5 of the Royal Decree interest with which it was entrusted (see marginal 16 above ). 30. In addition to the defendant and NV Informex, the customers of the latter serve, in particular the insurance companies, also as controllers within the meaning of Article 4.7 GDPR to be qualified for the processing processes they , in particular the processing of the personal data in the context of the prepare their personalized quotes. 31. Accordingly, each of the aforementioned parties is in its capacity of controller in accordance with the provisions of Articles 5.2 and 24 GDPR 6 See, inter alia, CJEU, 5 June 2018, C-210/16 - Wirtschaftsakademie Schleswig-Holstein, ECLI: EU: C: 2018: 388, recitals 27-29. 7 See Group 29, Opinion 1/2010 on the terms “controller” and “processor”, 16 February 2010 (WP 169), as clarified by the GBA in a note “Overview of the concepts of controller / processor in light of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection of natural persons in connection with the processing of personal data (GDPR) and some specific applications for liberal professions such as lawyers ”. Page 17 Substance decision 34/2020 - 17/35 accountability for its processing process responsible for compliance with the principles of the GDPR and its demonstration. B. Lawfulness grounds for processing (Article 6.1 GDPR) 32. According to Article 6.1 GDPR, processing of personal data is only lawfully if and insofar as this occurs under one of the provisions of this article listed grounds for legality. 33. The processing of personal data contained in the Crossroads Bank for vehicles is done by each of the controllers identified above on on the basis of another lawfulness ground. 34. However, the question arises whether these legitimacy grounds can be used for the processing under discussion in the present proceedings, whereby, in the context of the IRES activities of NV Informex, data obtained via the Crossroads Bank of the vehicles are passed on to third parties (especially the insurers that customer the latter). 35. The defendant processes the data from the Crossroads Bank of the vehicles on land of Article 6 of the KBV Act in conjunction with Article 30 of the KBV KBV, which stipulate that these is responsible for the processing of personal data held in the Crossroads Bank are located. In this capacity, the defendant is therefore responsible for the processing of this data and serves it on the basis of the provisions in Articles 5.2 and 24 GDPR contained an accountability obligation to ensure that it complied with the principles regarding the processing of personal data of Article 5.1 GDPR. 36. NV Informex uses for the processing of the personal data obtained via the Crossroads bank of the vehicles as processing ground the tasks of general interest which are granted to it by the RBFA (see marginal 16 above ). 37. It appears from the documents in the file that NV Informex communicates the data from the Crossroads Bank for vehicles to insurers under the IRES activities - with a view to drawing up personalized quotes for insurance - specifically based on the public interest objectives contained in Article 4, 4 °, points 1 and 5 of the KBV, in particular: “ the security and the improvement of the Page 18 Substance decision 34/2020 - 18/35 consumer protection (…) ”and“ avoiding fraud to the vehicle insurance ”. 8 38. The customers of NV Informex - the insurers - process the personal data pursuant to Article 6.1 a) GDPR based on the consent of the data subjects. 39. In particular, it is apparent from the documents in the file that, within the framework of the IRES activities, the clients of NV Informex potential policyholders who online an request price calculation for a vehicle insurance, offer them the opportunity license plate, which is subsequently issued by NV Informex customers as identification key is used to retrieve the vehicle data in the Crossroads Bank for the Vehicles. 40. The consent of those involved is requested by means of a pop-up message that must answer the question “ Do you accept that we are your use number plate to make you an offer? With " I accept " or " I. refuse ”. 41. With regard to this ground of legality, the Disputes Chamber notes that the permission can only be legally valid if it meets the conditions contained in it in Article 4.11 and recital 32 GDPR 9 and if it relates to a processing which is not prohibited by law (cf. infra under C.2.). C. Purpose limitation (Article 5.1 b) GDPR) C.1. General 42. In accordance with Article 5.1 b) of the GDPR, personal data is used “ for specific, explicitly defined and legitimate purposes [to] be collected and allowed [these] subsequently no longer become incompatible with those purposes processed; further processing for archiving in the public interest, 8 Section 7 respondent's file. 9 Article 4.11 GDPR defines consent as: “any free, specific, informed and unambiguous expression of will with which the data subject by means of a statement or unequivocal active act concerning him processing accepts personal data ”. Recital 32 of the GDPR states that “consent must be given by means of a clear active action, for example a written statement, including by electronic means, or an oral one statement, which shows that the data subject is free, specific, informed and unambiguous with the processing of personal data. This could include clicking a box when visiting an Internet website, it selecting technical bodies for information society services or another statement or another act clearly demonstrating in this context that the data subject agrees to the proposed processing of his data personal data". Page 19 Substance decision 34/2020 - 19/35 scientific or historical research or statistical purposes shall be in accordance Article 89 (1) not considered incompatible with the original objectives. " This article defines one of the basic principles concerning the processing of personal data, in particular the so-called “purpose limitation”. 43. As regards the processing of personal data contained in the Crossroads Bank of the vehicles, in the light of this provision of the GDPR, reference should be made to Article 5 of the KBV Act in conjunction with Article 4 of the KBV KBV, which is an exhaustive list contain the legal persons who have access to the Crossroads Bank and the purposes for which they may process the aforementioned data ( see above ). 44. It is on the basis of these legal provisions (and more specifically article 4, 4 ° Royal Decree KBV) that NV Informex, as controller, also processes the data from the Crossroads Bank processed for the realization of its allocated by the Royal Decree powers and purposes. 45. As mentioned above, NV bases Informex as an information platform concerning vehicles subject to an accident the person concerned processing in particular for the purposes of general interest contained in Article 4, 4 °, points 1 and 5 RBFA, in particular: “ security, and improving the protection of the consumer (…) ”and“ avoiding fraud in vehicle insurance ”. 46. However, the Disputes Chamber considers that the service offered by insurers, where on the basis of the registration plate the data of the vehicle in the Crossroads Bank of vehicles are called up in order to prepare personalized quotes, not can be classified under these general interest purposes of the RBFA. After all, this service concerns the commercial relationship between the insurer and its customers and not the realization by NV Informex of the tasks assigned to it by this Royal Decree (among other things) consumer protection and the fight against fraud. 47. The Disputes Chamber therefore considers that this processing complies with Article 5.1 b) GDPR violates the purpose limitation principle . C.2. "Direct Marketing Purposes" 48. Second, it should be noted that, in accordance with Article 25 of the Royal Decree of the Royal Decree, the 'via personal data obtained at the crossroads bank may not be used for purposes of 'direct marketing' ”. Page 20 Substance decision 34/2020 - 20/35 49. The question therefore arises whether or not it can be considered in this case that the processing of the number plate by the customers of NV Informex and in particular the use of this personal data as identification key with a view to drawing up personalized quotes for potential policyholders (those involved) as "direct marketing" the meaning of Article 25 of the Royal Decree must be considered. 50. Although the RBFA contains an express prohibition on the use of the data contained in the Crossroads Bank for direct marketing purposes, the KB itself does not define this understanding. 51. In the report to the King to the Royal Decree, this ban is explained as follows: “ Because not only public services and non-profit organizations that offer adequate guarantees of independence with regard to the commercial sector and application of the WFP, but also associations with a private law capacity, should be able to transfer certain data via to consult the Crossroads Bank, it is expressly provided that through the Crossroads Bank personal data obtained may not be used for purposes of 'direct marketing '”. 52. The GDPR also uses the term “direct marketing” in its article 21 on the right of objection, but does not contain a definition of this concept either. 53. Partly for this reason, the Data Protection Authority notified it on 17 January 2020 Recommendation 1/2020, in which it builds on the definition included in the proposal of Regulation of the European Parliament and of the Council on respect for the privacy and the protection of personal data in electronic communications and up to repeal of Directive 2002/58 / EC 10, "Direct marketing" defines as follows: “ Any communication, in whatever form, requested or unsolicited, from a organization or person and aimed at the promotion or sale of services, products (whether or not not for payment), as well as brands or ideas addressed by an organization or person acting in a commercial or non-commercial context directly addressed to one or more natural persons in a private or professional context and who handle the processing of personal data entails ”. 11 10 COM (2017) 10. Art. 4 of the proposal defines "direct marketing messages": "Any form of advertising, both written as oral, addressed to one or more identified or identifiable electronic end users communication services, including the use of automatic calling and communication systems with or without human interaction, e-mail, SMS, etc. ”. 11 Recommendation Data Protection Authority No. 01/2020 of 17 January 2020 on the processing of personal data for direct marketing purposes, marg. 14. Page 21 Substance decision 34/2020 - 21/35 54. It follows from this definition, first, that not only unsolicited but also solicited communication should be regarded as direct marketing, if and insofar as this is aimed at the promotion and / or sale of goods or services, is directly aimed at to one or more natural persons and involves the processing of personal data. 55. Recommendation 01/2020 specifies in this regard that “ messages addressed to a interested or to a customer / affiliate / subscriber / member equally under direct marketing communication [falling] ”and that a prospect or interested person stands out from a customer in the sense that it concerns a potential customer who has information about the products whether has requested services from the organization concerned but is not yet an undertaking contracted with the latter. 56. In view of the above, the Disputes Chamber is of the opinion that the present practice, whereby the customers of NV Informex - being car insurers and consequently trading in a private law capacity - personal data obtained “ via the Crossroads Bank of indeed process the vehicles ” 12 with a view to drawing up individual price offers should be regarded as direct marketing and thus under the prohibition of article 25 KB KBV falls. 57. The relevant processing of personal data from the Crossroads Bank concerns: i. " A requested or unsolicited communication ", in this case in particular the transfer of a personalized quote to potential policyholders; ii. " Originating from an organization acting for commercial purposes ", in particular the insurance company, customer of NV Informex; iii. " Aimed at the sale of products or services ", in this case the sale of a vehicle insurance; iv. " Which is addressed directly to one or more natural persons ", in particular the data subjects who are applicants for an insurance offer; and v. " Which involves the processing of personal data ", in this case the license plate as identification key for retrieving data from the Crossroads bank of the vehicles, as well as the identification data of those involved. 58. The Disputes Chamber considers that the fact that the processing of the relevant data by the customers of NV Informex is based on the consent of involved in this case does not mean that this process is valid, since it 12 Cf. article 25 KBV KBV. Page 22 Substance decision 34/2020 - 22/35 use of the personal data concerned for this processing purpose - especially direct marketing - absolutely and explicitly prohibited by law (Article 25 of the KBV). The consent can never be legally valid if it relates to a processing which is prohibited by law. 59. Moreover, this practice requires the processing of personal data by various actors, including NV Informex, which - at the request of its customers and on the basis of the license plate as identification key - the necessary data from the Crossroads Bank of the requests vehicles. In the present case , Informex NV processes this data for the purpose of it allow its customers a personalized price offer for a vehicle insurance policy to set. As mentioned above, the aforementioned purpose does not appear in the exhaustive list of purposes of Article 4, 4 ° RBFA, making such processing a violation implies the principle of purpose limitation of Article 5.1 b) GDPR on behalf of the NV Informex. 3.1.4. Conclusion 60. The Disputes Chamber points out with regard to the findings of the Inspection Service on the lawfulness of processing and purpose limitation, on that a processing is not lawful when the lawfulness ground is based on of which a controller processes certain personal data used for the processing of those personal data for purposes other than those that are determined in an exhaustive manner by the legal basis used. 61. In the present case , the Disputes Chamber is of the opinion that the processing involving personal data from the Crossroads Bank of the vehicles are transferred by NV Informex to its customers in order to allow the latter to provide personalized quotes cannot fall under the general interest objectives of Article 4 of the Royal Decree and therefore violates Articles 5.1 (b) (principle of the purpose limitation) and 6.1 GDPR (lawfulness of processing). This processing concerns after all, the commercial relationship between the insurers and their (potential) customers is not necessary for the fulfillment of the information supplied by NV KBV to NV Informex assigned tasks of general interest. 62. In addition, the Disputes Chamber points out that under the terms of Article 25 of the Royal Decree KBV via the Crossroads Bank for vehicles may not be personal data obtained used for direct marketing purposes. The present practice, whereby the customers of Page 23 Substance decision 34/2020 - 23/35 NV Informex - being car insurers acting in a private law capacity - personal data obtained " via the Crossroads of the vehicles ' 13 handle with an eye on drawing up individual price offers should indeed be considered as direct marketing considered and thus falls under the prohibition of Article 25 of the Royal Decree. 63. The Disputes Chamber states that the GDPR carries out the processing in question by the insurance companies under the consent of those involved as does not stand in the way of this, under the conditions set in the GDPR, but that it current legal framework - in particular the RBFA - does not allow this processing. If the however, the legislator considers that this practice serves the public interest if necessary, the statutory regulation should be amended. The Dispute Chamber gives the defendant a longer period than usual in this respect (viz six months) to reconcile processing. 64. The Disputes Chamber emphasizes that the defendant, in his capacity as administrator of the Crossroads Bank for the vehicles and controller of the personal data, should ensure that it complies with the principles of the processing of personal data and in accordance with the applicable legal framework are processed. 65. However, the Disputes Chamber finds on the basis of the documents in the file that the the respondent in this case in good faith and in accordance with the advice of the former CPPL acted, and in his capacity as controller also supervised exercised on compliance with this advice. The Dispute Chamber therefore considers that in accordance with the principle of legal certainty, it is aroused by the opinion of the CPP trust should not be betrayed 14 and therefore the defendant for the past should not be can be sanctioned for violation of the principle of purpose limitation under article 5.1 b) GDPR and the requirement of the lawfulness of the processing of Article 6.1 GDPR. 66. The Disputes Chamber therefore considers that an infringement of Articles 5.1 b) and 6.1 GDPR can be ascertained, however - having regard to the principle of legal certainty and the confidence generated by the CPP's advice of 11 May 2017 defendant - no penalty can be imposed on the latter. 13 Cf. article 25 KBV KBV. 14 A. MAST, J. DUJARDIN, M. VAN DAMME, J. VANDE LANOTTE, Overview of Belgian administrative law, Mechelen, Wolters Kluwer, 2014, 53-54. Page 24 Substance decision 34/2020 - 24/35 3.1.5. The deliberations of the Information Security Committee 67. Further to the findings of the Inspection Service in the present case concerning the lawfulness of processing and purpose limitation, the defendant explained a number deliberations of the Information Security Committee (hereinafter “IVC”) for the Data protection authority with a view to assessing it against the higher legal standards. 15 By means of this application, the defendant seeks to provide legal certainty to find out whether the deliberations concerned by the deliberations allowed communication of personal data is in accordance with the GDPR. The defendant requested the Data protection authority in this regard also confirm that, despite this deliberations to authorize the transfer of personal data from the IVC capacity of controller can still decide not to transfer to the transfer of this data. 68. The above deliberations are of particular relevance to the present case as the IVC allows the communication of data from the Intersection of vehicles - in particular the registration plate - to the applicant controllers for processing purposes with a commercial aspect. 16 This is despite the defendant's reasoned position on the matter, which is in both cases ruled that such processing would not be in accordance with the principles of the GDPR. The in the first case, the defendant stated more specifically that there is no valid ground for admissibility is available as the registration plate processing is not necessary to comply with a legal obligation imposed on the controller concerned tranquility, nor is it necessary for the performance of a task carried out in the public interest assigned to the same controller. 17 In the second case, the respondent that the processing of the registration plate is not in accordance with the principle of minimum data processing of Article 5.1 c) is GDPR, since it can fulfill the intended purpose are realized by processing the chassis number. 18 19 69. In other words, the content of these IVC deliberations creates potential expectations with regard to the defendant that go against the view that this - in his capacity as controller of the personal data concerned and 15 Documents 32A and 32B file defendant. 16 Deliberation No. 19/027 of 3 September 2019, amended on 14 January 2020 and Deliberation No. 20/005 of 4 February 2019 2020, both from the Federal Government Chamber of the IVC. 17 Deliberation No. 19/027, Edge No. 5. 18 Deliberation No. 20/005, marg. 6. 19 The Disputes Chamber emphasizes, however, that in the context of the present file where Informex NV personal data passes from the Crossroads Bank for vehicles to insurance companies, no deliberation has been granted by the IVC. Page 25 Substance decision 34/2020 - 25/35 based on the accountability principle laid down in the GDPR - initial intake for the relevant communications of personal data. 70. Within the current legal framework, and more specifically on the basis of Article 35/1 of the Law of August 15, 2012 establishing and organizing a federal services integrator and the law of 5 September 2018 establishing the Information Security Committee is the IVC in particular, authorized to deliberate on certain communications from personal data, including also the communication of data contained in the Crossroads Bank for the Vehicles. 20 71. Article 35/1, § 4 of the Federal Services Integrator Act states that “ the deliberations of the Information Security Committee, the reasons [and] a general one binding scope [have] between the parties and towards third parties ”. 21 72. The preparatory works of the Law of September 5, 2018 state that “ it crucial [is] that decisions can become of general binding scope issued in the form of deliberations [so that] all actors have legal certainty about the fact that a data sharing is legally permitted if it contains the conditions contained in the deliberation correctly observe ” 2 2 . 73. The Disputes Chamber understands the importance of obtaining legal certainty from actors prior to processing personal data. However, she believes it issue binding decisions regarding the processing of personal data in is contrary to the philosophy and provisions of the GDPR. This is particularly important as these decisions directly affect the rights of third parties to the protection of their personal data. 74. In particular, the Dispute Chamber refers to the one introduced by the GDPR accountability contained in Article 5.2 in conjunction with Article 24 GDPR, which is one of the central pillars of the GDPR and according to which controllers must state can demonstrate that they process personal data in accordance with the principles of the processing of personal data contained in Article 5.1 GDPR. 75. The Litigation Chamber emphasizes that such a system is therefore an ambiguous situation creates for controllers, such as the defendant in the present case , of whom, on the one hand, 20 Law of August 15, 2012 establishing and organizing a federal services integrator, BS August 29, 2012. 21 Own underline. 22 Cf. Parl. St. Kamer, 2017-2018, no. 3185/001, p. 6; own underline. Page 26 Substance decision 34/2020 - 26/35 is expected to provide access to the affected personal data by the deliberations granted by the IVC, but on the other hand, pursuant to the accountability is bound to take proactive action itself in order to ensure that the principles on the processing of personal data have been respected and must be able to demonstrate this 23 . All this carries a risk up to the responsiveness of controllers, which is incompatible with the principles of the GDPR and is contrary to Articles 5.2 in conjunction with 24 GDPR. 24 76. It is not up to the Disputes Chamber to question the role of the IVC - this is on the legislator - nor about the appropriateness of judgments by a body such as the IVC for the questioning practice. However, the Disputes Chamber finds that the deliberations of the IVC cannot in itself form the basis for the processing. Obviously have these deliberations have an important significance within the current legal framework, having regard to a possible appeal by controllers to the principle of the protection of legitimate expectations. 77. The Disputes Chamber emphasizes that the delivery of a deliberation by the IVC never has an obligation to notify the controller concerned of personal data may imply. After all, the latter retains complete freedom to act to make an opportunity assessment yourself. 25 26 78. Furthermore, the Disputes Chamber emphasizes that after a deliberation of the IVC all principles of the GDPR, of course, continue to apply, including the principle of accountability (Articles 5.2 in conjunction with 24 GDPR). However, the opinion of the IVC can play an important role in this the fulfillment of the accountability by a controller. After all, when assessing whether a controller complies with the accountability in a specific case, the Disputes Chamber will be based on the presumption that a judgment of an expert government body such as the IVC may be used familiar. 25 Opinion no. 34/2018 of 11 April 2018 of the Commission for the Protection of Privacy (CBPL) on the preliminary draft law establishing the Information Security Committee and amending various laws on the implementation of Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on free movement of that data and repealing Directive 95/46 / EC (CO-A-2018-017), marginal 13. 26 Explanatory Memorandum to Article 18 of the Law of 5 September 2018 establishing the Information Security Committee. Page 27 Substance decision 34/2020 - 27/35 3.2. As regards the findings on compliance with the responsibility of the controller (Article 24 GDPR), security of processing (Article 32 GDPR) and reporting a personal data breach to the supervisory authority (Article 33 GDPR) 79. In its report, the Inspection Service states that “ documents 4, 5 and 13 show that [the defendant] to write to the Commission for the Protection of Privacy of 11/05/2017 (…) uses to substantiate its position that (1) the fact that Informex NV ensures that insurance companies can make use of certain personal data from the Crossroads Bank of the vehicles so that it insurance companies can provide a personalized price offer to data subjects are justified and (2) that Informex NV must take measures to better protect the personal data concerned ”. The Inspection Service further states that the defendant “ does not [demonstrate] that [he] took appropriate security measures and reported them to the GBA of a personal data breach ”. 80. With regard to this charge, the defendant states in its reply that his original position was that the so - called "IRES activities" of the NV Informex did not fall under the exemption from authorization in accordance with Article 4 in conjunction article 5 Royal Decree KBV, and points out that he changed this position in response to the advice from the CPP dated 11 May 2017. 81. The defendant adds that, prior to the provision of the access to the Crossroads Bank for vehicles, supervised by those imposed by the CPP conditions were complied with by NV Informex (see above ). 27 82. Finally, the defendant maintains that there can be no question of unauthorized disclosure of data and no breach related to personal data may have occurred as he could legitimately rely on the above-mentioned CPP advice. 83. The Disputes Chamber determines on the basis of the documents in the file that the defendant has acted in accordance with the advice given by the CPP to NV Informex on 11 May 2017. After all, the defendant appends the exchange of letters with the NV in his reply Informex where the defendant is the latter in his capacity of 27 See above. Page 28 Substance decision 34/2020 - 28/35 controller requests to provide all information and documentation on the processing of registration plates in the framework of the IRES activities of the NV Informex. 84. Although the Disputes Chamber considers that the processing in question is an infringement related to personal data within the meaning of Article 33 GDPR, it repeats in this respect in accordance with the principle of legal certainty, it is aroused by the opinion of the CPP trust should not be betrayed 28 and the defendant should therefore not be put to the past can be sanctioned for providing access to the Crossroads Bank of the vehicles to NV Informex as part of the so-called “IRES activities”. The Dispute Chamber therefore considers that an infringement of Articles 24, 32 and 33 GDPR can be established, but that - having regard to the principle of legal certainty and the confidence generated by the CBPL dated 11 May 2017 defendant - no penalty can be imposed on the latter. 3.3. As regards the findings concerning the appointment of the official for data protection (Article 37 GDPR) and its position (Article 38 GDPR) 86. In its report, the Inspection Service finds that “[the defendant] did not [demonstrate] how the choice of Mr Y to exercise the function of data protection officer is concretely justified ”and that“ [the defendant] is not a copy of documents [submitted] demonstrating that Mr Y was notified to the GBA as an official for data protection ”. Finally, the Inspection Service states that “[the defendant] does not demonstrate that as a data protection officer, Mr Y will be properly and timely involved in all matters related to the protection of personal data and that he can carry out his assignments independently ”. 87. With regard to this charge, the defendant states in its reply that Mr Y was chosen on the basis of his in-depth knowledge of the organization knowledge of ICT as well as his strong analytical and synthetic thinking. The defendant points it out further note that Mr. Y successfully completed the training to become a “certified Data Protection Officer” and obtained ISO 27005 ('Risk Manager') and ISO 27001 ('Lead Implementer') and attach proof of this. 29 28 A. MAST, J. DUJARDIN, M. VAN DAMME, J. VANDE LANOTTE, Overview of Belgian administrative law, Mechelen, Wolters Kluwer, 2014, 53-54. 29 Document 23 respondent's file. Page 29 Substance decision 34/2020 - 29/35 88. As regards the registration of Mr Y as a data protection officer with the Data protection authority, the defendant states that it was on September 24, 2019 informed about the fact that apparently something was technical failed to register his data protection officer as the Inspection service could not find its registration in the database of the Data protection authority. The defendant maintains that after taking note of this fact, he re-registered online and received confirmation of this. 89. The Disputes Chamber points out that the defendant - in view of the fact that he is a public authority is - pursuant to Article 37.1 (a) GDPR the obligation rests with an official for data protection which must comply with the provisions of Articles 37 to 39 GDPR listed requirements. 90. On the basis of the documents submitted, the Disputes Chamber finds that the data protection officer designated as defendant in accordance with Article 37.5 AVG was designated on the basis of its professional qualities and expertise on in the field of data protection law and practice. This appears to be more specific from the supporting documents relating to the training to “Certified DPO” and the certificates obtained by the person concerned. 91. The Disputes Chamber is of the opinion that no infringement of Articles 37 and 38 GDPR is possible be determined. 3.4. As regards the findings concerning compliance with the obligation to cooperate (Article 31 GDPR and Article 66, §2 WOG) 92. In its report, the Inspection Service states with regard to compliance by the defendant with the obligation to cooperate pursuant to Articles 31 GDPR and 66, § 2 of the WOG that the latter does not replied to the questions asked by her within the imposed period of one month. Second, the Inspection Service claims that the defendant did not provide a copy of the documents that indicate the choice for Mr. Y as a data protection officer account. 93. With regard to the first part of this indictment, the defendant states in its conclusion of reply that this non-compliance with the inspection imposed by the Inspection Service Page 30 Substance decision 34/2020 - 30/35 term was caused by a situation of force majeure, in particular the death of a family member of the employee responsible for answering these questions and the short absence of the latter as a result of this. The defendant further points out that this was done by another employee on 2 July 2019 (in particular four days before the expiry of the imposed term) was reported to Data Protection Authority and that became it was announced that the reply letter would therefore be delayed by a few days sent. Finally, the defendant adds that the answer is ultimately only three days after the expiry of the reply period. 94. The Disputes Chamber considers that, with regard to the first indictment, the defendant's force majeure situation justifies a delay of three days and that this does not can be considered as an infringement of the obligation to cooperate within the meaning of Article 31 GDPR under the latter. 95. With regard to the second part of this indictment, it should be noted The defendant sent a copy of the documents that support the choice of Mr Y as a data protection officer. More specifically, this concerns the job description for the position as well as the person concerned obtained ISO certificates. 30 96. The Disputes Chamber is of the opinion that there is no infringement of Articles 31 GDPR and 66.2 WOG can be determined. 3.5. As regards the findings on compliance with the transparency obligations (Article 12 GDPR) and information to be provided (Articles 13 and 14 GDPR) 97. In its report, the Inspection Service states with regard to compliance with the transparency obligations and the information to be provided pursuant to Article 13 GDPR that some elements required by the GDPR are not mentioned in the defendant's privacy statement, in particular: - “the indication of the processing purposes for which the personal data are intended (as expressed in the sentence “The purposes for which we hold your personal data mainly relate to compliance with legal requirements obligations and the performance of our public interest missions or those related to the exercise of official authority ”), as well as the legal basis 30 Documents 23 and 24 of the respondent's file. Page 31 Substance decision 34/2020 - 31/35 for processing (as expressed as “the applicable legislation”) [are] general and vaguely worded so that they are not transparent and accessible to those involved; - the indication of the recipients of the personal data (as expressed as "Administrative services of the state", "Countries with which conventions or Belgium has entered into agreements ”,“ […] ”and“ Third Parties ”) is worded in a general and vague manner such that without additional information the list of recipients is not clear to the data subjects; (…) ” 98. The defendant states in its reply and at the hearing on 4 May 2020 with regard to this indictment that already during the procedure an initial correction has been implemented, but that the new version of the privacy statement is still in draft. The The defendant adds that this was put on the agenda of a meeting of the management committee that could not continue because of the corona crisis and says that soon is on the agenda. 99. The Disputes Chamber points out that, in accordance with Article 12.1 GDPR, the controller “ should take appropriate measures to ensure that the data subject the information referred to in Articles 13 and 14 and the information referred to in Articles 15 to 22 and communication referred to in Article 34 in connection with the processing in a summary, transparent, understandable and easily accessible form and in clear and simple language receives (…) ”. 100. Recitals 58 and 60 GDPR specify that “in accordance with the principles of due diligence and transparent processing [must be] notified to the data subject that processing is taking place and its purposes ”and that“ in accordance with the transparency principle information intended for the public or the data subject be concise, simple, accessible and understandable (…) ”. 101. The Disputes Chamber first establishes that the defendant's privacy statement is incomplete as regards the personal data collected and processed by the latter. After all, the defendant states under point 6 of its privacy statement that it Can process " personal data of various kinds " and that it " may [in particular] be about identification data (name, first name, date of birth, ...), contact details (address, telephone number, ...) ”. Section 6 of the privacy statement repeats again: “ The categories of personal data processed by the FPS Mobility and Transport are more determined: • identification data (name, first name, date of birth,…) Page 32 Substance decision 34/2020 - 32/35 • contact details (address, telephone number,…) • [...] ” 102. If and insofar as personal data are processed that are not of the data subjects However, in accordance with Article 14.1, d) GDPR, the data subjects must be informed categories of personal data to be specified. More generally, one privacy statement do not contain any impediments as this indicates the inaccuracy and incompleteness. 103. Second, it should be noted that the privacy statement is not sufficient details the legal basis of Article 6.1 GDPR on the basis of which the respondent processes the personal data collected by him. 104. In connection with this, thirdly, the Disputes Chamber finds that the defendant also does not sufficiently describe the processing purposes for which the personal data is collected. Under point 6, §2 of the privacy statement, the legal ground and the purposes of the processing become confused and is stated: “ The purposes for which we process your personal data, relate mainly to compliance with legal obligations and to the exercising our public interest missions or relating to the exercise of official authority ”. 105. The information thus provided to data subjects is too succinct and vague and does not allow the latter the lawfulness ground or the purposes of the adequately understand processing. 106. In accordance with the Guidelines on Transparency drawn up by the Group 29, the information provided on the basis of Articles 13 and / or 14 GDPR to be concrete and final and it must not contain abstract or ambivalent formulations. The Group 29 states more determined that “ constructions or words such as“ can ”,“ could ”,“ certain ”,“ often ”and “Possible” (…) should be avoided ”and that,“ when controllers choose to use indefinite language, in accordance with the principle of accountability should demonstrate why using such language could not be avoided and how the language used did not ensure the proper processing undercut ”. 31 The Group 29 emphasizes that this applies in particular for the purposes of and the legal basis for the processing. 31 “Guidelines on transparency in accordance with Regulation (EU) 2016/679” adopted on 29 November 2017 by the Group 29, p. 9-10. Page 33 Substance decision 34/2020 - 33/35 107. Fourth, it should be noted that the retention period of the personal data is insufficiently specified to meet the requirements of Articles 13.2 and 14.2, a) GDPR. After all, point 6, §3 of the privacy statement only states that the personal data concerned “are not kept longer than is necessary for the purposes what they are processed for. " However, the Group Guidelines 29 show that such wording is not sufficient. In this respect Group 29 points out that the (mention of the) retention period is related to the principle of minimal data processing contained in Article 5.1, c) GDPR as well as the requirement of storage limitation of Article 5.1, e) GDPR. She states that “ the storage period (or the criteria for determining it) may become dictated by factors such as legal requirements or sectoral guidelines, but always such should be worded that the data subject can, based on his or her own situation assess the retention period for specific data / purposes ”. 32 108. Fifth, the Disputes Chamber finds that the defendant's privacy statement does not contains an exhaustive list of the (categories of) recipients of the data collected by him personal data as required by Articles 13.1 and 14.1, e) GDPR. Point 9 of the privacy statement states in this respect the following: “Your data may be passed on to third parties based on our legal and regulatory obligations, but also in the context of the performance of our assignments in the public interest or the exercise of public authority. (…) [The defendant] is sometimes obliged to perform his statutory assignments receive or communicate your personal data, in particular to the following recipients: • Yourself • Other recipients subject to legal obligations and permissions for information and exchange of information, such as: o Other FPS services o State administrative services o Countries with which Belgium has concluded conventions or agreements o […] • Third parties • […] ” 32 “Guidelines on transparency in accordance with Regulation (EU) 2016/679” adopted on 29 November 2017 by the Group 29, p. 45. Page 34 Substance decision 34/2020 - 34/35 109. Also on this point, the privacy statement contains conditional wording and impediments, which indicates that those involved are not fully informed of any transfer of their personal data. 110. The Disputes Chamber emphasizes the importance of compliance with the transparency obligations on behalf of a controller in view of its impact on the exercise of the rights of data subjects contained in Articles 15 to 22 GDPR, such as illustrated by the case law of the Court of Justice. 33 111. In addition, the Disputes Chamber points out that as a public authority the defendant is a sets an example in terms of compliance with protection legislation of personal data and also processes a large amount of personal data and that it should therefore always do so in accordance with the “ lead by example ” principle to act in accordance with this legislation and in particular the above mentioned GDPR essential provisions on transparency. 34 112. The Disputes Chamber considers, for the reasons set out above, an infringement Articles 12, 13 and 14 GDPR should be established. 3.6. Publication of the decision 113. Having regard to the importance of transparency in the decision-making process of the Disputes Chamber, this decision will be published in accordance with Article 95, §1, 8 ° WOG on the website of the Data Protection Authority indicating the defendant's identification data 35, and this because of the specificity of the present decision - leading to the fact that even in case of omission of the identification data the re-identification is inevitable - as is the public interest of this decision. 33 CJEU 1 October 2015, Bara, C-201/14. 34 Data Protection Authority, “Strategic Plan 2020-2025”, https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/GBA_Strategisch_Plan_28012020.p df , p. 22. 35 However, omitting the name of the defendant's data protection officer. Page 35 Substance decision 34/2020 - 35/35 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority, after deliberation: - that the use of personal data obtained through the Crossroads Bank of the vehicles by customers of NV Informex, in particular insurance companies, with a view to drafting of personalized quotations violates Articles 5.1 b) and 6.1 GDPR as well as Article 25 of the Royal Decree of 8 July 2013 implementing the Law of May 19, 2010 establishing the Crossroads Bank for Vehicles . The Dispute Chamber accordingly orders the defendant pursuant to Article 58.2, d) GDPR and Article 100, §1, 9 ° WOG , in his capacity as controller of the aforementioned personal data, the to conform processing within six months of notification of this inform the decision and the Disputes Chamber within the same period; - based on article 100, §1, 5 ° WOG to formulate a reprimand with regard to the respondent for violation of Articles 12, 13 and 14 GDPR ; and - pursuant to Article 58.2, d) GDPR and Article 100, §1, 9 ° WOG to order the defendant to to align information it provides about its processing operations with Articles 12 to 14 GDPR within three months of notification of this decision and to inform the Disputes Chamber within the same period. * Pursuant to Article 108, §1 WOG, an appeal can be lodged against a period of thirty days, from the notification, at the Marktenhof, with the Data protection authority as defendant. (get.) Hielke Hijmans Chairman of the Disputes Chamber