APD/GBA (Belgium) - 105/2022
APD/GBA - 105/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 2(1) GDPR; Article 4(1) GDPR; Article 4(6) GDPR; Article 55(3) GDPR; Article 57(1)(a) GDPR; Article 57(1)(f) GDPR; Article 57(1)(v) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 18.11.2019 |
Decided: | 17.06.2022 |
Published: | 17.06.2022 |
Fine: | n/a |
Parties: | FOD Financiën |
National Case Number/Name: | 105/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde 105/2022 (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA held that it could not establish a breach of professional secrecy pursuant to Article 55(3) GDPR, as a judge has the competence to do so. Therefore, the data obtained from the complainant's criminal records could not be found to have been unlawfully obtained.
English Summary
Facts
The controller is the Belgian tax authority (Algemene Administratie van de Bijzondere Belastinginspectie). The complainant provides tax advice services. The data subjects are (1) the complainant (hereinafter: Tax Advisor) and (2) his customers (hereinafter: Customers).
The Tax Advisor was involved in a criminal investigation into tax fraud, forgery of documents and the use of false documents. The investigation was still pending when the DPA issued the decision.
The controller used the Tax Advisor’s criminal records for an investigation into tax evasion by his Customers. These documents only contained personal data of the Customers. The controller’s notice to the Customers of the investigation contained the Tax Advisor’s personal data (full name; address; date of birth).
The Tax Advisor lodged a complaint with the DPA for unlawful processing of personal data. He stated that it damaged his reputation and breached his clients' confidentiality, which cost him customers.
Regarding the data from his criminal records, the Tax Advisor stated that it did relate to him because (1) he processed it in the context of his independent professional activity and (2) it was obtained from his criminal records. He further argued that customer data is covered by professional secrecy and thus cannot be processed for tax purposes.
The controller stated that the notice to the Customers, on its own, does not fall under the definition of 'filing system' in Article 4(6). Therefore, the GDPR is not applicable.
Holding
The DPA noted that a complaint by someone other than the data subject can be admissible if they have a sufficient interest (Article 58 WOG). This is present if it in some way relates to the interest of the data subjects (mere commercial interest is not enough). The DPA found that the Tax Advisor only had a commercial interest, thus it was not sufficient.
The DPA also disregarded the Tax Advisor's argument that the data obtained from his criminal records is covered by professional secrecy. The DPA noted that only the judge on the merits can decide on a breach of professional secrecy. As this did not happen (yet), it cannot examine whether the acquisition of data by the controller was in accordance with the GDPR.
Regarding the controller’s notice to the Customers, the DPA held that, contrary to the controller's argument, the GDPR was applicable. The notice is part of a tax file that is managed by the controller, which makes it part of a filing system as described in Article 4(6). However, it refrained from ruling on the lawfulness of the processing of that data, as they were already the subject of pending legal proceedings as part of the main dispute.
The DPA therefore held that the complaint was inadmissible.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 105/2022 of 17 June 2022
File number: DOS-2019-05858
Subject: Use of personal data obtained through inspection of the criminal file against the complainant for the valuation of the complainant's customers
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
The complainant: Mr X, hereinafter referred to as “the complainant”;
The defendant: FPS Finance, General Administration of the Special Tax Inspectorate, King Boulevard Albert II 33 box 48, 1030 Brussels, hereinafter referred to as “the defendant”.
I. Facts and procedure
1. On 18 November 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant. The subject of the complaint concerns the use by the General Administration of the Special Tax Inspectorate (hereinafter: AABBI) of data obtained by viewing the criminal file against the complainant in which, in the context of a search of the house with abandonment and network search, data would have been copied and taken, including personal data of customers of the complainant's companies.
The AABBI would have used the personal data to proceed with valuing those customers, as well as to accuse them of fraud.
2. On March 17, 2020, the complaint is declared admissible by the first-line service on the basis of Articles 58 and 60 of the WOG, and the complaint is forwarded to the Disputes Chamber pursuant to Article 62, §1 of the WOG.
3. On August 12, 2020, the Disputes Chamber decides on the basis of Article 95, §1, 1° and Article 98 WOG that the file is ready for treatment on the merits, and the parties involved are informed of the provisions stated in Article 95, §2, as well as of those in Article 98 WOG. They are also informed, pursuant to Article 99 of the WOG, of the time limits for filing their defences. The deadline for receipt of the defendant's statement of defense was thereby set at September 25, 2020, that for the complainant's reply at October 16, 2020 and that for the defendant's reply at November 6, 2020.
4. On August 18, 2020, the complainant accepts all communication regarding the case electronically, in accordance with Article 98 WOG.
5. On September 22, 2020, the Disputes Chamber receives the statement of defense from the defendant, in which an overview is given of the proceedings previously conducted by the complainant with regard to the defendant and of the pending proceedings concerning the complainant and the complainant's customers. The defendant contests the jurisdiction of the Disputes Chamber as regards both the temporal and the material scope. In the alternative, the defendant argues that the processing on his behalf is a correct and permitted data processing respecting the principles of effectiveness and proportionality, and that the data are processed within a secure framework and are protected against unauthorized access, unauthorized use, loss or unauthorized alteration.
6.
On 16 October 2020, the Disputes Chamber receives the statement of reply from the complainant, in which it is explained that the Disputes Chamber has both temporal and material jurisdiction. According to the complainant, the complaint is manifestly well-founded and the defendant, in carrying out his legal mandate as a tax authority, has not complied with the rules arising from Articles 5.1 a), 5.1 c) and 6.1 c). The complainant also once again states that he accepts all communication regarding the case electronically and wants to make use of the opportunity to be heard, in accordance with Article 98 WOG. The complainant also requests an integral copy of the file (Article 95, §2, 3° WOG).
7. On November 5, 2020, the Disputes Chamber receives the statement of reply from the defendant, in which the argumentation set out in the statement of defense is resumed.
8. On 9 February 2022, the parties are notified that the hearing will take place on May 9, 2022.
9. On 9 May 2022, the parties are heard by the Disputes Chamber.
10. The minutes of the hearing are submitted to the parties on 16 May 2022.
11. On May 23, 2022, the Disputes Chamber receives comments from the complainant, which he/she requests to be attached to the minutes of the hearing. The Disputes Chamber decides to include them in its deliberations.
II. Justification
I. Jurisdiction of the Disputes Chamber
a) Collection of personal data from the complainant on 15 May 2013
12. First of all, the Disputes Chamber emphasizes that it derives its competence from the GDPR, applicable from May 25, 2018 [1], and from the law of December 3, 2017 establishing the Data Protection Authority, which also entered into force on 25 May 2018 [2], more specifically Article 4, §1 WOG [3]. With regard to the facts that occurred before that date, i.e. the processing of the data that were copied and taken by the judicial authorities as a result of a search of the complainant's house with disembarkation, which took place on May 15, 2013, the Disputes Chamber can only establish that they occurred well before the application of the GDPR and that a complaint was only lodged with the Data Protection Authority on November 18, 2019, when the GDPR was already fully applicable. It follows from this that the Disputes Chamber is not authorized to judge the data collection dated 15 May 2013 [4]. Nor can the Disputes Chamber declare itself competent with regard to these facts under the transitional provision included in Article 112 WOG [5], as the complaint was not pending at the time of the entry into force of the aforementioned Law of 3 December 2017. In this regard, the complainant specifies in his reply that his complaint does not target the original data processing by the Public Prosecution Service, but does target the subsequent processing (see below, margin numbers 15 et seq.). Because the complainant himself indicates that the original data collection by the Public Prosecution Service is not in dispute, this is not a point on which the Disputes Chamber should go further.
[1] Article 99 GDPR. 1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. 2. It shall apply from 25 May 2018.
[2] Art. 110 WOG. This Act shall enter into force on 25 May 2018, with the exception of Chapter III which shall enter into force on the date of publication of this Act in the Belgian Official Gazette. The King may determine a date of entry into force for each provision thereof, with the exception of the provisions of Chapter III, prior to the date stated in the first paragraph.
13. For the sake of completeness, the Disputes Chamber adds that the mere fact that the complaint was declared admissible by the first-line service does not imply that the Disputes Chamber is authorized to assess the complaint in its entirety.
In accordance with Article 60(2) of the WOG, the first-line service only examines the formal admissibility conditions as included in this provision [6]. Admittedly, the first-line service also globally assesses the competence of the Data Protection Authority, which relates to the complaint in its entirety, but this does not alter the fact that the Disputes Chamber itself can define concretely the extent to which it is competent. Now, for the facts that occurred specifically on May 15, 2013, the Disputes Chamber is not competent for the reason set out above.
[3] Art. 4, §1. The Data Protection Authority is responsible for supervising compliance with the fundamental principles of the protection of personal data, within the framework of this law and of the laws containing provisions on the protection of the processing of personal data. Without prejudice to the powers of the Community or Regional Governments, of the Community or Regional Parliaments, of the United College or of the United Assembly referred to in Article 60 of the special law of January 12, 1989 relating to the Brussels institutions, the Data Protection Authority exercises this mission on the territory of the entire Kingdom, regardless of which national law applies to the processing concerned.
[4] See in that regard: Decision on the merits 19/2020 of 29 April 2020, Decision on the merits 124/2021 of 10 November 2021.
[5] Art. 112 WOG. Chapter VI does not apply to complaints or requests pending with the Data Protection Authority at the moment of the entry into force of this law. The complaints or requests referred to in the first paragraph are further handled by the Data Protection Authority, as the legal successor of the Commission for the protection of privacy, according to the procedure applicable before the entry into force of this law.
[6] Art. 60. The first-line service examines whether the complaint or request is admissible. A complaint is admissible when: - it is drawn up in one of the national languages; - it contains a statement of the facts and the necessary indications for the identification of the processing to which it relates; - it falls under the competence of the Data Protection Authority. […]
b) Processing of data obtained by accessing the criminal file and use of it in the valuation procedure against clients of the complainant after 25 May 2018
14. The personal data that are the subject of the present complaint are personal data that were collected in the context of a judicial investigation into tax fraud, tax forgery and use of false documents. Since the processing has been carried out by a competent authority in the field of criminal law, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 [7] is in principle applicable here. It follows from Article 9.1 of Directive 2016/680/EU and Recital 34 of this Directive [8] that where personal data collected for the purpose of prevention, investigation, detection or prosecution of criminal offences are passed on to a recipient, in this case the defendant, who processes the data in question for purposes other than those of the Directive, the GDPR applies to the transmission of personal data. This is as such not disputed by the parties.
15. Specifically with regard to the defendant's argument, made with reference to recital 14 of the GDPR [9], that the GDPR does not apply to the processing of the data of the companies of the complainant's customers, the Disputes Chamber points out that this argumentation ignores the definition of the term 'personal data' in Article 4.1) GDPR [10].
Insofar as data concerning a legal person are so characteristic of the identity of a natural person that they make that person identifiable, they do constitute personal data within the meaning of Article 4.1) GDPR.
16. The processing involved in the complaint concerns personal data of the complainant's customers which are processed by the defendant after 25 May 2018 in the context of indications of tax evasion. Although this processing falls within the scope of the GDPR, it should be emphasized that the personal data of the customers who rely on the complainant's services, consisting of the provision of tax advice, cannot be qualified as personal data concerning the complainant himself. In that light, the Disputes Chamber then examines whether the complainant has a sufficient interest to be able to submit a complaint in this regard.
17. With regard to the interest of the complainant, the Disputes Chamber refers to Article 58 WOG, in which it is stated that: “Anyone can submit a complaint or request in writing, dated and signed, to the Data Protection Authority”. In accordance with Article 60, paragraph 2 WOG, “A complaint is admissible if it: - is drawn up in one of the national languages; - contains a statement of the facts, as well as the necessary indications for the identification of the processing to which it relates; - falls under the competence of the Data Protection Authority”.
18. The preparatory work of the WOG states: “The Data Protection Authority can receive complaints or requests from anyone: natural persons, but also legal persons, associations or institutions that wish to denounce an alleged infringement of the Regulation. A complaint or request to the Data Protection Authority should be in writing, dated and signed by the authorized person. A request must be interpreted in the broad sense of the word (request for information or explanation, a request to mediate, ...)” [11].
[7] Articles 1 and 2 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, and concerning the free movement of such data and repealing Council Framework Decision 2008/977/JHA.
[8] Recital 34 Directive (EU) 2016/680. The processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of penalties, including protection against and prevention of dangers for public security, must relate to an operation or set of operations on personal data or a set of personal data for those purposes, whether or not performed by automated means, such as collecting, recording, organizing, structuring, storing, updating, modifying, retrieving, consulting, using, aligning, combining, restricting the processing of, deleting or destroying data. In particular, the provisions of this Directive should apply to the transmission of personal data for the purposes of this Directive to a recipient not covered by this Directive. Recipient is understood to mean a natural or legal person, a public authority, agency or any other body to whom or to which the personal data are lawfully disclosed by the competent authority. Where the personal data were initially collected by a competent authority for one of the purposes of this Directive, Regulation (EU) 2016/679 should apply to the transmission of those data for purposes other than those of this Directive, if such processing is permitted by Union or Member State law. More specifically, the provisions of Regulation (EU) 2016/679 should apply to the transfer of personal data for purposes not covered by this Directive. Regulation (EU) 2016/679 should apply to the processing of personal data by a recipient which is not the competent authority or which does not act as a competent authority within the meaning of this Directive and to whom the personal data have been lawfully disclosed by a competent authority. When implementing this Directive, Member States may also further specify the rules of Regulation (EU) 2016/679, provided that the conditions laid down therein are met.
[9] Recital 14 GDPR. The protection afforded by this Regulation applies to natural persons, irrespective of their nationality or residence, in connection with the processing of their personal data. This Regulation does not concern the processing of data on legal persons and in particular companies established as legal persons, such as name and legal form of the legal person and the contact details of the legal person.
[10] Article 4. For the purposes of this Regulation: 1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
[11] Par. doc., Chamber of Representatives, 2016-2017, DOC 54 2648/001, p. 40 (comment to article 58 of the original bill).
19.
The WOG thus does not exclude that a person other than the person concerned, or than the person authorized by the person concerned as referred to in Article 220 of the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, can lodge a complaint with the Authority.
20. While the GDPR approaches the 'complaint' from the point of view of the data subject, by imposing obligations on supervisory authorities when a person makes a complaint (see Articles 57.1, f) and 77 of the GDPR), the GDPR does not prevent national law from giving persons other than the person concerned the opportunity to lodge a complaint with the national supervisory authority. The possibility of such a referral is also in accordance with the tasks assigned to the supervisory authorities by the GDPR. In that regard, and generally speaking, each supervisory authority shall ensure: the monitoring and enforcement of the application of the GDPR (Article 57.1, a) GDPR), and the performance of all other tasks related to the protection of personal data (Article 57.1, v) GDPR) [12].
21. In that regard, the Disputes Chamber rules that Article 58 WOG gives every person the opportunity to make a complaint, provided that he has a sufficient interest, in accordance with the aforementioned provisions of the GDPR [13].
22. The condition is therefore that the complainant demonstrates a sufficient interest. In this regard, the Disputes Chamber must note that the complainant merely mentions a commercial interest consisting of the loss of confidentiality of the customer data used by the defendant for valuation purposes aimed at the customers, with reputational damage on the part of the complainant as a result, the complainant stating that in certain cases customers have blocked him pointed out.
23. The complainant clearly appears to be pursuing a commercial interest, which cannot be considered sufficient.
After all, the mere pursuit of a commercial interest is not sufficient to demonstrate a sufficient interest, in the absence of any concrete element, distinct from this self-contained commercial interest, by which the complainant could be affected through the data processing by the defendant with regard to the personal data of the clientele. The factual elements of the file do not show that the complainant has a data protection interest that corresponds to the interest of the customers against whom a legal dispute procedure is still pending. After all, it does not automatically follow from the mere fact that the data processing by the defendant relates to personal data of the complainant's customers that the complainant has ipso facto any interest in that data processing by the defendant. Contrary to what the complainant argues, customer data do not in any way become data relating to the complainant purely and solely because the customer data are processed by him in the context of his independent professional activity and originate from the original file, being the criminal file against him. The complainant does not sufficiently demonstrate that there is an interest that coincides with the interest of these customers, so that he cannot submit a complaint on his own initiative regarding the data processing relating to the customers. Moreover, he does not have any power of representation in this area for the customers concerned.
[12] In the same sense: Decision on the merits 30/2020 of 8 June 2020.
[13] See in the same sense: Decision on the merits 80/2020 of 17 September 2020; Decision on the merits 63/2021 of 01 June 2021; Decision on the merits 117/2021 of October 22, 2021; Decision 49/2022 of 5 April 2022.
24.
In addition, the customers specifically mentioned in the complaint, in particular the couple Z, already reached an agreement with the defendant on 8 May 2020, which led to the investigation into them being terminated. In that regard, the Z couple themselves have no complaint regarding a possible infringement of the protection of their personal data.
25. Consequently, the complainant has no interest in doing so, given the statement of approval from Mr and Mrs Z and the resulting lack of interest on their part in lodging a complaint themselves with regard to the processing of their personal data by the defendant.
26. Because the complainant fails to demonstrate the existence of a sufficient interest on his part in order to have his complaint handled by the Data Protection Authority, the Disputes Chamber must establish the non-conformity with the procedural rules of the declaration of admissibility of the complaint and of the subsequent handling of the complaint.
27. In view of the fact that the complainant does not demonstrate that he has a sufficiently concrete interest to be able to file a complaint, the Disputes Chamber furthermore finds that the complainant also did not have the capacity to file a complaint and that the full procedure has therefore been affected by the absence not only of interest, but also of capacity on the part of the complainant.
c) Processing of data concerning the complainant after 25 May 2018
28. The defendant agrees that the surname and first name of the complainant appear in the preceding notices of indications of tax evasion and in the notice of amendment and that, in addition, his surname, first name, date of birth and address appear in the official reports from the criminal file attached to the messages from the defendant.
29. The aforementioned data fall under the notion of personal data as defined in Article 4.1) GDPR, which are processed within the meaning of Article 2.1 GDPR.
Not only any wholly or partly automated data processing falls under the scope of the GDPR, but also any processing of personal data that are included in a file or are intended to be included therein. Although the defendant attempts to demonstrate that these data are not part of a file as defined in Article 4.6) GDPR, by stating that neither the notifications extending the investigation period, nor the requests for information, nor the notification of change, nor the attachments in themselves form a structured set of personal data that are accessible via criteria, the Disputes Chamber must point out that the aforementioned documents are not only part of the initial criminal file against the complainant, but are also included in full in the valuation file managed by the defendant, of which it is established that it is structured according to specific criteria, and which therefore does constitute a file [14]. After all, a public service such as the defendant by definition manages several files, whereby these files as well as each file in itself must necessarily be structured in such a way that they are accessible according to certain criteria. From this it follows that the GDPR applies to the data processing concerning the complainant.
30. However, the file in which the documents containing the complainant's personal data are included was submitted for assessment by the defendant, as a party to the pending tax proceedings in respect of some customers. The processing of the complainant's personal data must be placed in a broader context, which is based on a tax dispute and of which the data processing is an integral part.
After all, the documents submitted by the parties in the proceedings are currently submitted for assessment to the court on the merits, which must thus be regarded as controller with regard to the file containing all supporting documents sent to it regarding the tax dispute between the parties, including the documents with personal data concerning the complainant. In that regard, the Disputes Chamber rules that, pursuant to Article 55.3 of the GDPR [15] in conjunction with Article 4, § 2 of the WOG [16], it cannot rule on a sub-aspect that, although related to documents in which the personal data of the complainant are processed, is already the subject of pending legal proceedings as part of the main dispute [17]. To judge otherwise would result in the Disputes Chamber jeopardizing the independence of the judiciary in the exercise of its judicial tasks, in particular in the area of decision-making [18]. It goes without saying that this can by no means be the intention.
d) Professional secrecy and use of the accounting program
31. According to the complainant, the documents that the defendant has obtained from the criminal file against the complainant were obtained by the defendant in disregard of the professional secrecy by which the complainant is bound.
32. The complainant argues that the customer data are covered by his professional secrecy and thus cannot be processed for valuation purposes with regard to the relevant customers. In support of this, the complainant relies on the decision of the Council of the Institute of accountants and tax consultants (IAB) dated 17 May 2016 stating that: "[…] if the tax administration in the event of an audit by a tax or accounting adviser in principle secret should discover data that he could avoid to incriminate third parties, he must renounce. In principle, this data is covered by professional secrecy and can only be used with regard to the taxpayer, being the member of the IAB." The Council goes on to declare that the taxpayer, in this case the complainant, cannot refuse to cooperate with the request for information purely because of his professional secrecy, but has the right to do so in such a way that he protects the identity of his clientele and the content of his work. According to the Council, the taxpayer may not fully invoke professional secrecy, but after anonymizing the client and the nature of the performance does indeed prove the probable nature of the publication, as requested by the AABBI, to be delivered.
[14] Recital 15 GDPR: “In order to avoid a serious risk of circumvention, the protection of natural persons should be technology neutral and not dependent on the technologies used. The protection of natural persons should apply to both automated processing of personal data and manual processing thereof if the personal data are stored or intended to be stored in a file. Files or a collection of files and their covers, which are not structured according to specific criteria, should not fall within the scope of this Regulation.” A contrario, files or a collection of files that are structured according to specific criteria do fall under the scope of the GDPR. See also the Judgment of the Council of State no. 91.531 of 11 December 2000 in the case A. 69.056/IX-2103, Dewinter v Belgian State: that, after all, almost all government documents are the subject of an automated or manual arrangement in "files" - in the French "fichier" - which refer to it;
[15] Article 55.3 GDPR. Supervisory authorities are not competent to supervise processing by courts in the exercise of their judicial duties.
[16] Article 4, § 2 WOG. The supervision organized by this law does not relate to the processing by the courts and tribunals as well as by the public prosecutor in the exercise of their judicial functions.
[17] See in that sense the judgment of 24 March 2022, CJEU, case C-245/20 against the Dutch Data Protection Authority: “32. As the Advocate General noted in points 80 and 81 of his Opinion, it is apparent from the wording of recital 20 of Regulation 2016/679 itself, and in particular from the use of the word 'including', that the scope of the objective of this Regulation, to ensure the independence of the judiciary in the execution of its judicial tasks, cannot be limited to guaranteeing judicial independence in the establishment of a specific court decision. 33. In general, preserving the independence of the judiciary presupposes that the courts exercise judicial functions completely autonomously, without any hierarchical link and without being subordinate to anyone or receiving orders or instructions from anywhere, and thus are protected from outside interference or pressure that could jeopardize the independence of the judgment of their members in disputes submitted to them. Respect for the safeguards of independence and impartiality required by Union law presupposes that rules exist which are suitable to dispel any legitimate doubt that the institution concerned is not influenced by external factors and is impartial to the interests involved […]. 34. The reference in Article 55(3) of Regulation 2016/679 to processing by courts 'in the exercise of their judicial tasks' should therefore be understood in the context of this Regulation as not being limited to processing of personal data by courts in the context of concrete cases, but as relating in a broader sense to all processing by courts in the exercise of their judicial activities, so that processing operations whose supervision by the supervisory authority could directly or indirectly influence the independence of their members or their decisions fall outside the competence of this authority.”
[18] Recital 20 GDPR. While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could further specify the processing operations and processing procedures relating to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not extend to the processing of personal data by courts in the context of their judicial functions, in order to ensure the independence of the judiciary in the exercise of its judicial functions, including decision-making. It must be possible to entrust the supervision of such data processing to specific authorities within the judicial system of the Member State, which should, in particular, ensure compliance with the rules of this Regulation, make members of the judiciary more aware of their obligations under this Regulation, and handle complaints with regard to those data processing operations. [Own underlining]
33. In this regard, the Disputes Chamber notes that the aforementioned decision of the Council of the IAB was taken in response to the request of the AABBI under Article 334 WIB to assess whether, and to what extent, the inquiry or production of books and documents is compatible with the observance of professional secrecy.
34.
Not only did the complainant himself refuse to provide the AABBI with the information requested, after anonymization of the client and the nature of the services, but he also tries to extend the decision of the Council of the IAB on professional secrecy to the information obtained by the AABBI by means other than the stated request for information that was made to the complainant. It is undisputed that the defendant did not obtain the data relating to the customers through the request for information which the defendant made to the complainant and about which the defendant obtained the advice of the IAB. The defendant came into possession of information concerning the customers of the complainant through inspection of the criminal file on the basis of Article 327, § 1 WIB, in order then to proceed to a tax assessment of the customers concerned. The complainant uses the IAB's decision to argue that professional secrecy was violated, as a result of which the defendant would be unlawfully in possession of information concerning the complainant's customers. The Disputes Chamber can only establish that the decision of the IAB on professional secrecy relates only to the request for information addressed by the defendant to the complainant himself. There is no finding of a violation of professional secrecy regarding the way in which the defendant did obtain the data, namely by means of inspection of the criminal file. Since it is not up to the Disputes Chamber to rule on whether or not professional secrecy was violated following the inspection of the criminal file (Article 55.3 GDPR in conjunction with Article 4, § 2 WOG [19]), it cannot assess whether or not the personal data thus obtained are processed lawfully by the defendant.
Only if the court on the merits finds a violation of professional secrecy may the Disputes Chamber in turn review, as requested by the complainant, the data collection by the defendant against the principles of the GDPR regarding lawfulness and data minimisation.
[19] See margin no. 30.
35. The complainant further argues that the defendant obtained the customer data from the criminal file in order to use an accounting program created by the complainant himself to produce accounting documents, the existence of which the complainant disputes, on the basis of which the customers concerned are accused of fraud. In this regard, the Disputes Chamber notes that the assessment of the evidential value of the data obtained through inspection by the defendant, its reliability and any inferences that can be drawn on the basis of that data belong to the main tax dispute and therefore fall to the court on the merits (Article 55, § 3 GDPR in conjunction with Article 4, § 2 WOG).
36. Finally, the Disputes Chamber notes that, insofar as the complainant points out that the processing of data concerning his wife is also targeted, the complainant does not submit anything showing that he has powers of representation in this regard. Consequently, the Disputes Chamber will not elaborate on this point.
III. Publication of the decision
37. Given the importance of transparency in the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. It is not necessary, however, that the identification data of the complainant be disclosed directly. However, it follows ipso facto from the nature of the complaint that the identity of the defendant is known, so that the defendant is identified as such in the decision.
FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, on the basis of Article 100, §1, 1° WOG, to dismiss the complaint, given that no infringement of the GDPR can be established in this regard.
Pursuant to art. 108, §1 WOG, an appeal against this decision may be lodged with the Marktenhof within a period of thirty days from the notification, with the Data Protection Authority as defendant.
(Signed) Hielke Hijmans, Chairman of the Disputes Chamber
[20] See margin no. 30.