APD/GBA (Belgium) - 162/2022

From GDPRhub
Revision as of 08:21, 23 November 2022 by Kv (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 162/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(3) GDPR
Article 7(1) GDPR
Article 7(3) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 38(1) GDPR
Article 39(1) GDPR
Decreet houdende het toeristische logies
Decreet tot oprichting van het intern verzelfstandigd agentschap met rechtspersoonlijkheid "Toerisme Vlaanderen"
Type: Investigation
Outcome: Violation Found
Started: 14.01.2022
Decided: 16.11.2022
Published:
Fine: n/a
Parties: Toerisme Vlaanderen
National Case Number/Name: 162/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA reprimands a government agency for not proactively involving its DPO in a processing activity relying on Article 6(1)(c) GDPR. All processing activities must be in line with the GDPR, even those mandated by legislation predating the GDPR.

English Summary

Facts

The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as intermediary. The controller is legally tasked to watch over the quality of the Airbnb hosts. This legal task forms the legal basis for the controller. The Inspection Service held that the controller couldn't rely on Article 6(1)(c) GDPR, the controller interprets its legal obligations too broadly.

On top of that, the Inspection Service held that the controller breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR because the information in their privacy policy was not concise, transparent, nor easily accessible, as well as containing wrong and missing information. The controller admits that this used to be the case, but that this issue has now been resolved.

Following, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse the cookies, nor were the website visitors provided with clear information. The controller contests this and also states that a new website was launched in the meantime, which follows best practices.

Lastly, the Inspection Service held that the DPO was not proactively involved nor consulted, resulting in a breach of Article 38(1) GDPR and Article 39(1) GDPR. For the processing as described above, the controller stated that the DPO did not need to be consulted as the Logiesdecreet provided the legal basis to process data. However, the DPO did provide a positive advice afters the first contact of the Inspection Service.

Holding

First, the Belgian DPA checks whether the controller can rely on legal obligation under Article 6(1)(c) GDPR to process the personal data of Airbnb hosts. This processing can only happen if it is necessary to fulfill a legal obligation. The GDPR does not require each separate processing to have its exclusive norm. The norm must be sufficiently clear and precise, its application must be foreseeable by data subjects.

The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of Article 6(1)(c) GDPR.

Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR but that the shortcomings have been resolved in the meantime.

The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove.

Lastly, the DPA assesses whether the DPO should be been proactively involved. The DPA holds that the DPO is a key-figure regarding data protection. As such, a DPO must be involved for all matters concerning personal data, in a proper and timely manner. The fact that the Logiesdecreet predates the GDPR does not absolve the organisation from applying the GDPR and thus involving the DPO to check whether all processing of personal data is compliant. The DPA holds that the controller breached Article 38(1) GDPR and Article 39(1) GDPR.

The DPA reprimands the controller for its (past) breaches and dismisses the parts which did not lead to GDPR infractions. The DPA also reaffirms that it cannot impose a fine on a governmental agency.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/23




                                                                            Litigation room


                                   Decision on the basis of 162/2022 of 16 November 2022



File number : DOS-2021-05803


Subject : Research on the sharing of accommodation data via the Airbnb platform



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs Frank De Smet and Jelle Stassijns, members.


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Having regard to the documents in the file;


Made the following decision regarding:



The defendant: VISITFLANDERS, with registered office at 1000 Brussels, Grasmarkt

                   61, with company number 0225.944.375, hereinafter “the defendant”. Decision on the substance 162/2022 - 2/23


Fact procedure


 1. On 14 January 2022, the Executive Committee of the Data Protection Authority will decide

      (hereinafter: “GBA”) to catch the Inspection Service on the basis of Article 63, 1° WOG because of

      a practice that may give rise to a violation of the fundamental principles of the
      protection of personal data.


      The object of the proceedings concerns the broad way in which personal data of

      operators of accommodation via the Airbnb platform in the context of "random sampling".
      requested by the defendant from various intermediaries. This practice lasted

      following a judgment of the Court of First Instance which held that this

      sampling can only take place in very limited cases. This procedure has

      also relates to the fact that hereby no advice from the officer for this

      data protection was requested.

 2. On 27 January 2022 the investigation will be completed by the Inspection Service, the report will be

      appended to the file and the file is transferred by the Inspector General to

      the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

       The report contains findings regarding the subject matter of the decision

       Management Committee and decides that there is:

       a. a breach of article 5, paragraph 1, a) and c) and paragraph 2 of the GDPR, article 6, paragraph 1 of the GDPR, article

           24 (1) GDPR and Article 25 (1) and (2) GDPR;


       b. a breach of Article 12(1) and (6) GDPR, Article 13(1) and (2) GDPR and
           Article 14(1) and (2) GDPR, Article 5(2) GDPR, Article 24(1) GDPR

           and Article 25(1) of the GDPR; and


       c. a violation of Article 38(1) and (3) of the GDPR.

       d. an infringement of Article 4, 11) of the GDPR, Article 5, paragraph 1, a) and paragraph 2 of the GDPR, Article 6, paragraph

           1, a) of the GDPR and Article 7, paragraphs 1 and 3 of the GDPR for the use of non-strict

           necessary cookies.

  3. On 4 February 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

      WOG that the file is ready for treatment on the merits.

 4. On 4 February 2022, the defendant will be notified by e-mail of the provisions such as

      mentioned in article 95, § 2, as well as in article 98 WOG. They are also based on

      Article 99 WOG of the time limits for submitting their defences.

       With regard to the findings within and outside the subject matter of the decision of the

       Management Committee became the deadline for receipt of the statement of reply of

       recorded by the defendant on 18 March 2022. Decision on the substance 162/2022 - 3/23


5. On February 8, 2022, the defendant electronically accepts all communications regarding the

     matter.

6. On 25 February 2022, the defendant requests a copy of the file (Article 95, §2, 3 ° WOG),

     which was transferred to him on February 25, 2022.


7. On March 17, 2022, the Disputes Chamber will receive the statement of defense from the

     defendant with regard to the findings with regard to the object of the
     decision of the Executive Committee. This conclusion also contains the reaction of the

     defendant about the findings made by the Inspectorate outside the

     scope of the complaint. The defendant argues, first, that the processing on its part is a

     lawful data processing. Second, the defendant argues that the

     data processing in question constitutes correct and permitted data processing,

     whereby the basic principle of data minimization from Article 5, paragraph 1, c) GDPR is respected
     and that he can also demonstrate this

     transparent and understandable, that it contains complete information, and that it can do this

     demonstrate. Fourth, the defendant argues that it was not obliged to

     to seek advice from the Data Protection Officer in relation to it

     Memorandum of Understanding. Finally, the defendant argues that on its website only

     Strictly necessary or functional cookies are employed for which there is no permission
     is required. According to him, no non-necessary cookies were active. Consequently it was

     providing (transparent) information about such cookies according to the defendant

     irrelevant. Nor is this a legal obligation, according to the defendant.

8. On September 14, 2022, the parties will be notified that the hearing will

     take place on October 21, 2022.


9. On 21 October 2022, the party appearing will be heard by the Disputes Chamber. During the day

     the hearing has explained to the defendant what steps it has already taken on the matter
     of data protection since the submission of the complaint and the Inspectorate investigation. So

     the Litigation Chamber could determine during the hearing that virtually all grievances

     from the complaint and areas of concern from the Inspection Report were addressed by the defendant.


10. On October 25, 2022, the minutes of the hearing will be sent to the parties
     transferred.


11. On October 29, 2022, the Disputes Chamber will receive some from the defendant

     remarks with regard to the official report, which it decides to include in
     her deliberation. Decision on the substance 162/2022 - 4/23


Motivation


  12. The Disputes Chamber then assesses each of the findings included in the

      Inspection report in the light of the pleas put forward by the defendant in this regard.


    I.1. Article 5, paragraph 1, a) and c) and paragraph 2 GDPR, Article 6, paragraph 1 GDPR, Article 24, paragraph 1 and Article 25, paragraph
         1 en 2 GDPR.


        I.1.1. Article 5 paragraph 1 a) and c) and Article 6 paragraph 1 GDPR


 13. The Litigation Chamber recalls that the starting point of Article 5(1)(a) GDPR is that

       personal data may only be processed lawfully. This means that

       a legal basis for the processing of personal data as referred to in Article 6(1) of
       the GDPR must be present. Article 6(1) states in further elaboration of this basic principle

       GDPR that personal data may only be processed on the basis of one of the

       Article listed legal bases.


 14. During the Inspection investigation, the defendant admits that he has complied with article 6, paragraph 1c) of the

       AVG invokes, with regard to the request to Airbnb for operator and accommodation data
       to be delivered to the defendant. The Inspectorate establishes that the defendant assumes

       a too broad interpretation of his legal obligations that he does not show why it

       processing of personal data in the context of a sample is necessary. On base

       of these elements, the Inspectorate declares an infringement of article 5, paragraph 1, a) and c) and article

       6 (1) GDPR.

 15. The Litigation Chamber recalls that in order to be able to rely lawfully on the

       legal basis from article 6, paragraph 1, c) AVG, personal data may only be processed

       if this is necessary for the fulfillment of a legal obligation on the

       controller rest. In these cases, the processing must always be a

       have a basis in the law of the European Union or that of the Member State concerned,

       which must also state the purpose of the processing. It should therefore be checked whether

       in this case the conditions set out in that article have been met.

 16. In accordance with Article 6.3 GDPR, read in conjunction with Article 22 of the Constitution and

       Article 7 and 8 of the Charter, a legislative standard should contain the essential features of

       to record data processing that is necessary for the fulfillment of a

       legal obligation, regardless of whether it is in the law of the European Union or in the law
                                   1
       of the Member States. In the aforementioned provisions it is hereby emphasized that the

       processing involved should be framed by a standard that is sufficiently clear and
       is accurate, the application of which is foreseeable for the persons concerned. The GDPR

       however, does not prescribe specific legislation for each individual processing



1See e.g. decision 149/2022 dd. October 18, 2022 and 48/2022 dated April 4, 2022. Substantive decision 162/2022 - 5/23


       is. Legislation that serves as a basis for several will suffice

       processing based on a legal obligation on the

       controller rest.


 17. The Litigation Chamber will determine the terms of legal basis and necessity below

       judge.

       A clear, precise and predictable legal basis


 18. According to Recital 41 of the GDPR, this legal basis or legislative measure

       be clear and precise and its application must be for the litigants
       be foreseeable, in accordance with the jurisprudence of the Court of Justice of the

       European Union and the European Court of Human Rights.


 19. Recital 41 GDPR specifies in this regard: “When in this regulation to a

       referenced to a legal basis or a legislative measure does not require this

       necessarily require a legislative act enacted by a parliament,

       without prejudice to the requirements in accordance with the constitutional order of the Member State

       matter. However, this legal basis or legislative measure must be clear and precise
       and its application must be predictable for those to whom it applies

       applies, as required by the case law of the European Court of Justice

       Union (“Court of Justice”) and the European Court of Human Rights”.

       In accordance with Article 22 of the Belgian Constitution, essential elements of

       the processing in addition by means of a formal legal standard (law, decree or

       ordinance) to be adopted.2

 20. In this context, the Disputes Chamber refers more specifically to the Privacy judgment

       International of the Court of Justice dated October 6, 2020, in which the Court states that the

       relevant legislation should contain clear and precise rules “about the scope and

       the application of the measure concerned, so that those whose personal data

       at issue, have sufficient guarantees that those data are effective

       be protected against the risk of abuse”. The Court adds: “That arrangement

       must be legally binding under domestic law and in particular indicate in which

       circumstances and under what conditions a measure provides for the processing

       of such data can be taken, thus ensuring that the interference to

       what is strictly necessary is limited. (...) These considerations apply in particular






2“Everyone has the right to respect for his private and family life, except in the cases and under the

conditions set by law. The law, decree or rule referred to in Article 134 guarantees protection
of that right.”
3 ECJ, C-623/17, 6 October 2020, Privacy International t. Secretary of State for Foreign and Commonwealth Affairs and others Decision on the substance 162/2022 - 6/23



       when it comes to the protection of a special category of personal data, te

       know sensitive data”

 21. The defendant's mission is, among other things, to increase the attractiveness of

       Flanders as a destination. To fulfill this mission, article 5 of the decree lays down

       establishing the internal independent agency with legal personality

       “ToerismeVlaanderen” tasks on the defendant that he must fulfill, including tasks

       on integral quality assurance. This includes: responsible for the development and

       the promotion of integral quality assurance within the framework of the powers that are

       granted by current and future legal and regulatory provisions

       regarding the following matters: (a) tourism infrastructure, subsidies, participations and

       other initiatives and (b) provision of information, services, training and labelling. In

       implementation of the above is determined by the decree on tourist accommodation
                                                        6
       of 5 February 2016 (hereinafter: Accommodation Decree) (and its implementing decrees)

       different conditions that every tourist accommodation in the Flemish Region must meet
       sufficient for it to be recognized as tourist accommodation and subsequently to be operated in this way

       become. The defendant is charged with the implementation of this Accommodation Decree, including the

       recognition as tourist accommodation and monitoring compliance with this

       recognition conditions.


 22. In order to be recognized as tourist accommodation, the accommodation must therefore comply with the

       conditions as stipulated in Article 6 of the Accommodation Decree. The research into it

       meeting the conditions for recognition is regulated in chapter 5 of the

       Accommodation Decree. Article 10 of the Accommodation Decree prescribes that the Flemish Government

       designate persons authorized to supervise and control the

       compliance with the provisions of the Accommodation Decree (i.e. inspectors at VISITFLANDERS

       which can be designated by the Flemish Government).

 23. In the context of this supervisory and control power, Article 11 of the

       Accommodation Decree as follows:


        “Art. 11. The intermediaries, referred to in Article 2, 5°, must provide tourist accommodation

        located in the Flemish Region for which they mediate or promote, op

        written request, the details of the operator and the address details of the
        communicate tourist accommodation to the agents of the federal and local police and to the

        authorized persons, stated in Article 10. These details can be requested

        in the context of a random check, if in doubt on the tourist accommodation comply with the




4Article 4 of the decree establishing the internal independent agency with legal personality “Tourism
Flanders”, BS 29 April 2004 (hereinafter: Establishment Decree).
5
 BS April 29, 2004.
6BS 8 March 2016. Substantive decision 162/2022 - 7/23


        conditions of this decree or its implementing decrees, or in the context of a complaint about

        a tourist accommodation.”

                                                                            7
 24. Article 11 of the Accommodation Decree therefore prescribes that intermediaries, such as Airbnb in this case,

       the details of the operator and the address details of the tourist accommodation must

       inform the officials authorized by the Flemish Government when they do so

       be requested. In view of the above, the defendant argues that, through the
       the aforementioned authorized officials, can request specific data from a

       intermediary such as Airbnb in at least three cases:


        - in the context of a clearly defined random check;


        - in case of doubt whether the tourist accommodation meets the conditions of the

            Accommodation Decree and its implementing decrees;

        - in the context of a complaint about tourist accommodation.


 25. Contrary to the finding of the Inspectorate, the defendant believes that he

       does not interpret Article 11 too broadly. The defendant refers in this regard to the

       parliamentary preparation of the Accommodation Decree, which states in this regard:

       “ [t]he written request referred to must be made with reasonableness and proportionality

       are used. The data must be requested specifically, it is too

       say in the context of a clearly defined sample (e.g. one or more

       accommodation in the same city, municipality or region), in case of doubt whether these tourist accommodations are sufficient

       to the conditions of this decree and its implementing decrees or within the framework of a

       complaint about these tourist accommodations.”

 26. This position, according to the defendant, is also consistent with the report

       on behalf of the Committee on Foreign Policy, European Affairs, International

       Cooperation, Tourism and Real Estate which reads as follows:


       “[…] Every tourist accommodation can be checked at all times for basic standards.

       Inspection is done at the request of a hotel manager (with the possibility of recognition) or on

       government initiative (randomly, in case of doubt or complaint)[…]”. In an opinion
       the Commission for the Protection of Privacy (CBPL) the same

       position taken: “The data should be requested specifically, within the framework

       of a clearly defined sample, in case of doubt or in case of a complaint”.








7Article 2,5°Accommodation Decree: “5°intermediary: any natural or legal person who in any way against payment
mediates in offering tourist accommodation on the tourist market, promotes tourist accommodation
or offers services through which operators and tourists can interact directly.' Decision on the substance 162/2022 - 8/23


 27. However, the Inspectorate argues that this is an incorrect reading of Article 11 of the Accommodation Decree and

      refers in this regard to a judgment of the Court of First Instance in Brussels . In this

      verdict, the court concluded that there are only two cases in which the data can be

      be requested from the intermediaries: (1) in case of doubt as to whether the accommodation is satisfactory

      to the conditions of the decree, and (2) in the case of a complaint about a tourist

      accommodation.According to the court, the sample is not a substantive situation that meets the conditions
      which may or may not be satisfied, but merely a particular method or procedure which

      prescribed by the legislature to be in either hypothesis

      used when requesting information.


 28. Following this judgment of the Brussels Court of First Instance, the defendant
      withAirbnbeenagreement("MemorandumofUnderstanding",hereinafter:"MoU")

      being voluntary and in good will to a workable application of this

      provision is coming. The MoU regulates a number of modalities about the delivery of operators

      accommodation data in the context of a request by the defendant pursuant to Article 11 of

      the Accommodation Decree. This includes the data that the defendant will request

      specifically named, as well as the number of applications and the geographical demarcation of one

      request are specified.

 29. The Disputes Chamber notes that the text of Article 11 of the Accommodation Decree has been

      established that uncertainty may exist about the cases in which the personal data

      may be requested by the defendant from intermediaries. This becomes

      illustrated by the fact that the defendant gives a different interpretation to Article 11
      of the Accommodation Decree than the Court of First Instance in Brussels in the above

      stated verdict. To find out the intention of the legislator, the

      Litigation Chamber to the preparatory works of the Accommodation Decree.


 30. The preparatory works of the Accommodation Decree state that in practice
      it is found that more and more intermediaries such as tourist rental offices and

      Internet platforms, such as Airbnb, offer tourist accommodation on the market without

      mention of the concrete (address) details of the tourist accommodation or

      contact details of the operator. This makes (or even prevents) locating difficult

      or checking these accommodations, even in case of complaints. Article 11 of the

      Accommodation Decree tries to meet this problem and offers the competent authorities

      persons responsible for the supervision and control of the accommodation decree (in addition to the
      authorized officials mentioned above, including federal and local agents

      police) the possibility to request the operator data and the

      address details of tourist accommodation located in the Flemish Region at te

      ask these intermediaries such as Airbnb. The written request that applies


8
 Court of first instance in Brussels, case A.R. 2018/3527/A. Decision on the substance 162/2022 - 9/23


       to be used with fairness and proportionality. The data should be purposeful

       to be requested, that is to say, in the context of a demarcated sample

       (for example, one or more accommodations in the same city, municipality or region), in case of doubt whether this

       tourist accommodation meets the conditions of the accommodation decree and are

       implementing decrees or in the context of a complaint about these tourist accommodations.


 31. In view of the above, the Disputes Chamber concludes that the intention of the

       legislature was to provide for at least three distinct cases in which the

       personal data could be specifically requested from an intermediary:

        - in the context of a clearly defined sample;


        - in case of doubt whether these accommodations meet the conditions of the Accommodation Decree;

        - in the context of a complaint about tourist accommodation.


 32. This interpretation also satisfies the requirement of foreseeability as defined

       in Article 6.3 GDPR. As already explained, Article 6 of the Accommodation Decree determines the

       conditions for recognition of a tourist accommodation. These conditions have under

       others relate to the safety of the users of the accommodation, such as fire safety.

       As soon as these conditions are no longer met, in accordance with Article 12 of

       the Accommodation Decree, an administrative fine may be imposed. In addition, can also be ordered
       to stop the operation of tourist accommodation (article of the decree).

       Based on the above, it is therefore predictable for those involved that the

       compliance with the registration conditions must be verifiable by the

       authorized officials, both during the recognition and afterwards.


 33. The Litigation Chamber finds that this interpretation also allows the defendant to be proactive

       to act in the context of its enforcement activity through clearly defined

       samples. If the defendant could only act in the event of a complaint

       or doubt, the defendant would not have the necessary tools to enforce his decree
       audit duty properly. Sampling is therefore absolutely necessary

       defendant to be able to implement a sound enforcement policy and thus to comply with

       its legal obligation.


 34. To the extent necessary, and also as cited by the defendant, the
                                                                          10
       Litigation Chamber that the Amendment Decree was adopted on 9 February 2021

       Article 11 of the Accommodation Decree referred to above changes as follows:






9Proposed decree on tourist accommodation, Vl. Parl. 2015-16 499/1 p. 13.
10 In full: Decree amending the Decree of 5 February 2016 concerning tourist accommodation and the abolition of the
Decree of 18 July 2003 on accommodation and associations that practice a week in the context of tourism for
Allen, Parl.St. Vl. Parl., 2021-22, no. 1028/6, p.3. Decision on the substance 162/2022 - 10/23


     “Art. 11. The intermediaries share for tourist accommodation in Flanders

     Region for which they mediate or promote, upon written request, the

     details of the operator and the address details of the tourist accommodation

     to federal and local police officers and authorized persons,
     mentioned in Article 10.

     The data, stated in the first paragraph, can be requested in the following cases:

     1° as part of a random check to verify whether tourist accommodation

     for which the intermediary mediates or promotes, are registered with

     Tourism Flanders. In a sample, at most, the data

     requested from all operators and tourist accommodations in the same city or
     Township. Multiple samples can be taken at the same intermediate

     person;

     2° in case of doubt whether a tourist accommodation for which the intermediary mediates or

     promotes, meets the conditions stated in this decree, and the

     its implementing decrees;

     3° in the context of a complaint about tourist accommodation.”

     The Litigation Chamber notes in this context that this new legislation has been published

     after the data processing at issue and therefore does not apply to the processing in

     present case. Consequently, the Litigation Chamber has not relied on this new one

     legislation to reach this decision.

     Necessity

35. Pursuant to Article 6(1)(c) GDPR, the processing is lawful if and to the extent

     the processing is necessary for the fulfillment of the legal obligation on the

     controller rest. When personal data is processed

     they must be adequate and relevant for the purpose. There are no more allowed

     personal data are processed than necessary for the purpose (article 5.1, c) GDPR).

36. According to the Inspection Report, the defendant does not demonstrate why the processing of

     personal data in the context of a sample is necessary as imposed by

     Article 5(1)(c) in the context of its supervision and audit mission.

37. The defendant argues that the necessity of requesting the data

     regarding the tourist accommodation is evident from the fact that without requesting this

     the defendant details the tourist accommodation, which is sold on the market through intermediaries

     offered (1) cannot verify and (2) cannot contact their operators. The

     The defendant only requests the minimum of information that it needs to make a claim

     to be able to identify tourist accommodation and to contact its operator so that the
     the defendant can check whether the conditions of the accommodation decree and the implementing decrees

     are complied with. Without this control and contact option, the defendant cannot


     check whether the above-mentioned conditions of the Accommodation Decree and the

     implementing decrees are complied with. The defendant hereby points out that this is specifically in

     thecaseofAirbnbthemoreisnecessary.Airbnbparttimesinrulenoaddressdata

     of the accommodation and no name or contact details of the operator on its website.

38. Based on the conclusion of the defendant, the Litigation Chamber establishes that the following

     data is requested:

      - The name of the tourist accommodation (accommodation name on Airbnb)


      - The address of the tourist accommodation (street, house number,…)


      - Capacity of the tourist accommodation (in the context of fire safety);

      - The name of the operator of the tourist accommodation (the first and last name of the

          operator, where available to Airbnb) and the online host name;


      - The contact details of the operator of the tourist accommodation (the e-mail address of

          the operator).

39. The Disputes Chamber is of the opinion that this information is necessary with a view to the

     correct identification of tourist accommodation and to contact the operator to go

     or the conditions of the Accommodation Decree and its implementing decrees

     complied.

   I.1.2. Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR


40. The controller must comply with the basic principles of Article 5 GDPR and dat

     can demonstrate. This follows from the accountability as understood in Article 5, paragraph 2 j°

     Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every

     controller takes appropriate technical and organizational measures

     to ensure and be able to demonstrate that the processing takes place
     in accordance with the GDPR. As already explained, this case concerns the transfer of

     operator and accommodation data by Airbnb (as an intermediary) to the defendant. This one

     transmission was made at the request of the defendant.

41. In the context of its investigation, the Inspectorate assessed to what extent the

     the defendant has taken the necessary technical and organizational measures to

     comply with the principle of lawfulness and data minimization within the scope of this

     request for transfer. In this respect, the Inspectorate decides that the defendant does not

     has sufficiently demonstrated that he has taken the necessary measures to ensure that the

     disputed processing takes place in accordance with Article 5(1) a) and c) and

     Article 6 (1) GDPR, since the Inspection Service has come to the conclusion that the
     processing operations were not in accordance with these principles. Decision on the substance 162/2022 - 12/23


 42. The Litigation Chamber has in section I.1.1. no infringements detected of Article 5(1)(a)

       and c) and Article 6 (1) GDPR. Consequently, there is also no reason to infringe the

       accountability. The Disputes Chamber therefore rules that the

       Defendant has sufficiently demonstrated that it does indeed comply with its obligations

       accountability there is therefore no breach of Article 5(2), Article 24(1) and Article 25,

       paragraphs 1 and 2 GDPR was committed by the defendant, in connection with the legality of the

       processing.

    I.2. Article 12(1) and (2), Article 13(1) and (2), Article 14(1) and (2), Article 5(2),
         Article 24 (1) and Article 25 (1) GDPR


        I.2.1. Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and paragraph 2, Article 14, paragraph 1 and paragraph 2


  43. In implementation of the transparency principle from Article 5, paragraph 1, a) GDPR, based on Article

      12 (1), Article 13 (1) and Article 14 (1) and (2) GDPR, it is necessary that the

      controller, in this case the defendant, to the data subjects concise,

      provides transparent and understandable information about the personal data that is processed

      become. In its capacity as controller, the defendant must

      implement Articles 12, 13 and 14 of the GDPR.

  44. In the present case, the Inspectorate concludes that the defendant has committed an infringement

      committed on Article 12 Paragraph 1 and Paragraph 2 GDPR, Article 13 Paragraph 1 and Paragraph 2 GDPR, Article 12 Paragraph 1 and Paragraph 2,

      Art. 5(2), Art. 24(1) GDPR and Art. 25(2) GDPR as the privacy statement

      Operator's portal would contain incorrect information and would be incomplete.


  45. Pursuant to Article 12(1) of the GDPR, the defendant is responsible for the
      take appropriate measures to comply with Articles 13 and 14 of the GDPR

      information in a concise, transparent, comprehensible and easily accessible manner

      plain language and in writing or by other means, including electronic means

      provide.


  46. As regards the content of this information, data subjects were provided with the information referred to in paragraphs 1 and 2
      listed points of both Articles 13 and 14 to be communicated because not all

      information was obtained directly from them. 11


  47. First of all, the Inspection Report concludes that the “Operator Portal Privacy Statement” of

      the defendant is not transparent and understandable, as required by Article 12 (1) GDPR and

      contains incorrect information from a data protection point of view, because of the
      following observations:





11 Article 29 Working Party, Guidelines on Transparency under Regulation (EU) 2016/679, WP 260,
revised version of 11 April 2018 (adopted by the European Data Protection Board
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23). Decision on the substance 162/2022 - 13/23


          a. ThePrivacy StatementOperator Portalcontainsirrelevantandconfusinginformation,

              such as a reference to the “Privacy Act of 1992”, the mention of hyperlinks

              without any explanation and clear connection to the text, and a reference to

              ‘part 9’ of the Operator Portal privacy statement that does not contain part 9.

          b. The defendant's Operator Portal privacy statement incorrectly creates the

              perception towards data subjects that the GDPR is being complied with. This would

              be misleading as the Inspection Service has reported several breaches of the GDPR

              has established.

          c. The defendant's Operator Portal privacy statement erroneously does not make any

              notification of the possibility for data subjects to submit a complaint to the

              GBA. However, there is mention of the possibility to file a complaint

              serve at the Flemish Supervisory Commission (VTC).

          d. Finally, the Inspectorate concludes that the Privacy Statement

              Operator portal is not clear and therefore not transparent with regard to:

                   i. the purposes and legal bases of the processing: there is no

                      clarifies which legal obligations the defendant must meet

                      requirements that require the processing of personal data;

                  ii. the exercise of the rights of data subjects: there is no

                      clarifies what a data subject may specifically do with the defendant

                      expect if he exercises his rights; and

                  iii. the adjustments that were made: it is not specified when

                      adjustments were made, water was precisely adjusted and via

                      which “common communication channels” are involved in this regard

                      to be informed.

48. Secondly, the Inspectorate also notes that the privacy statement for the Operators Portal of

     the defendant is incomplete because not all are required according to Articles 13 and 14 GDPR

     information is effectively stated, as no information is given

     about:


          a. the processing purposes and the legal basis for the processing;

          b. the fact that data subjects have the right to a given consent at all

              time to withdraw;


          c. that the data subjects have the right to submit a complaint to the GBA; and

          d. the source from which the personal data originates, and where applicable, or they

              come from public sources. Decision on the substance 162/2022 - 14/23


 49. Since the defendant carries out a large number of data processing operations, resulting in a

      large amount of information must be provided to the data subjects, is the

      Litigation Chamber considers that a
                                                                                         12
      controller such as the defendant must adopt a multi-layered approach:

       - On the one hand, the data subject must have clear and

           accessible information about the fact that there are information about the processing of

           personal data exists (privacy policy) and where he will be able to do it in full

           find.

       - On the other hand, without prejudice to the accessibility of the

           privacy policy in its entirety, from the first communication of the

           controller with him be informed of the

           details of the purpose of the processing in question, the identity of the

           controller and the rights available to him.

 50. The importance of providing this multi-layered information arises in particular from

      recital 39 of the GDPR. Any additional information necessary to identify the data subject

      on the basis of the information provided at this first level to understand what

      the consequences of the processing concerned will be for him should be added.


 51. The defendant is of the opinion that the information he provided to the concerned
      provided meets the requirements of Articles 12, 13 and 14 of the GDPR. In this connection

      emphasizes the defendant that he has strict compliance with the legislation concerning

      pursues data protection and works closely with its data protection officer for this purpose

      data protection. The defendant argues that since the drafting of the

      Inspection report has adjusted the privacy statement Uitbatersportaal in consultation with the

      data protection officer. In his conclusions, the defendant explains which

      how the new privacy statement for the Operators Portal has been amended.

 52. With regard to the transparency and comprehensibility of the privacy statement, the

      defendant tohehasadjustedtheprivacystatementOperator's portalsince it was drawn up

      of the Inspection Report where the following adjustments were made: there is none

      reference more to the abolished Privacy Act, only to the GDPR. The confusing

      reference to a non-existent part 9 was also removed. The reference to the
      contact options of the defendant were also adjusted. As for the

      possible confusion around the hyperlinks without further explanation, argues the

      defendant that in the passage above the hyperlinks it is indeed explained why the

      defendant processes the personal data with explicit reference to it



12
 In the same sense: decision no. 81/2020 of the Litigation Chamber (points 53 et seq.) and decision 76/2021 (points 58
et seq.), can be consulted via https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision on the substance 162/2022 - 15/23


      Accommodation decrees and the basic register of Flemish accommodation

      he has not yet received any question or comment in this regard, which means that he

      raises the question of whether there is any confusion at all. Under the title “What are your

      rights and how you can exercise them”, the new privacy statement now also provides the

      mention (in addition to the VTC) of the GBA in the context of exercising the rights of

      data subjects. 13


 53. As far as necessary and in accordance with its previous decisions, the

      Litigation chamber that the GBA as federal supervisory authority is competent in any case
                                                           14
      is to monitor compliance with the GDPR. This is also the case if the

      data processing relates to a matter covered by the

      competence of the communities or the regions (state authorities) and/or

      if the controller is a public authority that falls under the
      communities or regions, even if the federal state itself has one

      supervisory authority within the meaning of the GDPR.


 54. Subsequently, the defendant sets out the following arguments in its claims

      show that the determination of the Inspectorate regarding the alleged incompleteness of

      the Privacy Statement is incorrect.


 55. As regards the determination of the purposes and legal bases for the processing

      the defendant refers that this has been dealt with earlier [see section II.1]. Then the

      defendant that the possibility to submit a complaint and therefore also an objection is explicitly stated in the
      privacy statement Operators portal was included. In the new privacy statement

      The operator portal contains the following passage:


               “Right to object: If you believe that your personal data is not

               may be processed longer because of your specific situation, you can

               object to such processing, in the context of our products

               and services we offer in the public interest.”


 56. The Disputes Chamber notes that under part 6 of the previous privacy statement

      Operator portal the data subject has been informed about his rights that he can exercise

      against the defendant. The Litigation Chamber refers to the relevant passage that
      read as follows: “With regard to your personal data, you always have the right to […] a

      submit a complaint regarding the processing of your personal data[…].All

      requests for the exercise of the above rights can be delivered through the channels provided

      are listed in section 9 of this privacy statement. If you don't join us in one



13See e.g. Marktenhof judgment, 2022/AR/457, dd. October 26, 2022, and also the following decisions of the Litigation Chamber:
decision 62/2022 of April 29, 2022, decision 31/2022 of March 4, 2022, decision 15/2020 of April 15, 2020.
14The judgment of the Marktenhof dd. October 26, 2022 (2022/AR/457) confirms the jurisdiction of the DPA regarding
of Flemish authorities. Decision on the substance 162/2022 - 16/23


    If a solution is found, you also have the right to submit a complaint to the Flemish

    Supervisory Committee […]”.


57. The Disputes Chamber finds that the defendant in the old privacy statement
    Operator portal has not used the correct terminology, which can cause confusion

    to care. As far as necessary, the Disputes Chamber reminds that a complaint and a

    objection (both mentioned in the privacy statement Uitbatersportaal) do not have the same meaning

    cover under the GDPR and every controller must use the correct terminology

    handling. A data subject has the right to inform a controller

    request that his/her personal data is no longer used. This is called the right of
    objection. The right to object can be exercised in accordance with Art. 21 GDPR

    when the processing is based on one of the following legal grounds: the justified

    interest and the performance of a task of public interest or public authority. In others

    cases, the data subject cannot object because of the other legal grounds

    alternatives exist to achieve the same goal: with consent, the data subject can do this

    moving in; the data subject cannot object to processing imposed by law.
    If the data subject does not agree with how a controller with

    handles his/her personal data and there is no agreement with the controller

    solution can be found, the person concerned can submit a complaint to the GBA. In the

    originalprivacy statementOperator portal should also have been clarified

    that the data subject has the right to lodge an objection with the defendant, and

    if necessary, then has the right to submit a complaint to the GBA. In the new
    privacy statement Operators portal, this distinction is correctly used, despite the

    fact that both terms are used incorrectly in the conclusion.


58. The Defendant also believes that the Privacy Statement of the Operator Portal expressly identifies the source of

    mentions the personal data as well as that the public data becomes available

    made via the basic register of Flemish accommodation offerings, stating a link to it
    base register. The new privacy statement Operators Portal explicitly states under the

    title “Why do we process your personal data” following text:


              “Toerisme Vlaanderen can obtain the following personal data at three (3)

              ways, namely: on paper, via the operator portal or via the web service

              Crossroads Bank for Holiday Homes (CIB Vlaanderen is freely available and
              accessible via the website of VISITFLANDERS (click here).”


59. In conclusion, the defendant concludes that the new privacy statement

    The operator portal is transparent and understandable, and that this information is correct and complete

    at least that the determination of the Inspection Service has become meaningless

    in view of the changes made to the new privacy statement for the Operators Portal. Decision on the substance 162/2022 - 17/23


60. The Disputes Chamber is of the opinion that the new privacy statement for the Operator Portal contains the

     Articles 13 and 14 of the GDPR requirement now contain elements

     believes that the defendant, as required by Article 12(1) of the GDPR, in its privacy policy

     has mainly used simple, clear and straightforward wording to convey the
     to inform data subjects about the data processing operations it carries out.


61. However, the Disputes Chamber also finds that the defendant was negligent in the past

     acted, as was also established in the Inspection Report. More specifically contained

     the privacy statement Operator portal irrelevant and confusing information, such as a

     reference to a non-existent Part 9 and a reference to the Privacy Act of 1992.
     In addition, the operator portal privacy statement was incomplete and not transparent, among other things due to

     the lack of reference to the possibility to file a complaint with the GBA, by

     unclear reference to the purposes and legal bases of the processing and

     exercising the rights of the data subject, and by using incorrect terminology.


62. The Disputes Chamber does point out that the defendant has made efforts
     to update the information to be provided under Articles 12, 13 and 14 GDPR,

     albeit after receipt of the Inspectorate's comments.


63. The Disputes Chamber therefore establishes that the Privacy Statement for the Operators Portal initially does not

     met the requirements of Articles 12, 13 and 14 GDPR, resulting in a

     violation of Articles 12, 13 and 14 GDPR. This does not alter the fact that this has been rectified in the meantime.

      I.2.2. Article 5 (2), Article 24 (1) and Article 25 (1) GDPR


64. With regard to accountability (as defined above in section I.1.2) with

     with regard to the transparency obligations, the Inspectorate notes that these are not

     was complied with by the defendant with regard to the transparency obligations of the

     defendant. This follows from the breach of Articles 12, 13 and 14 mentioned above
     AVG.


65. The Litigation Chamber ruled in part I.2.1 that there was indeed a

     breach of the principles of transparency as understood in these articles. The Dispute Chamber

     notes, therefore, that the defendant failed to demonstrate that it had the necessary technical and

     has taken organizational measures to comply with the obligations regarding
     transparency as stipulated in Articles 12, 13 and 14 GDPR. Consequently, the decision

     Litigation Chamber that there was a violation of Articles 12, 13 and 14 GDPR.

     This does not alter the fact that this has been rectified in the meantime. Decision on the substance 162/2022 - 18/23


  I.3. Article 38 (1) GDPR and Article 39 (1) GDPR


66. The Inspectorate's report finds that the defendant has complied with the requirements regarding the

    position of the data protection officer under Article 38 (1) GDPR and the
    tasks of the data protection officer under Article 39 (1) GDPR

    complied.


67. The Inspectorate does the following with regard to the data protection officer

    findings, as summarized below:

          a. The defendant states in his answer to the Inspection Service during the

              investigation he received no advice from his data protection officer

              inquired about the data processing between Airbnb and the defendant.

              According to the defendant, this was not necessary because the legal basis was already established in article

              11 of the Accommodation Decree.

          b. In the same answer, the defendant states that he is of his official for

              data protection has not sought advice on the interpretation of the

              term “random sample” from Article 11 of the Accommodation Decree.

68. The Inspectorate therefore decides that the data protection officer should not go to

    was properly and timely involved in the context of this file. The advice of October 11, 2021

    that was provided following the letter from the GBA on September 10, 2020 is not sufficient to

    to be able to speak of proper and timely (documented) involvement.

    Consequently, the Inspection Service claims an infringement of Article 38(1) GDPR and Article 39(1) GDPR

    fixed.

69. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the

    controller ensures that the officer for

    data protection is timely and properly involved in all matters

    related to the protection of personal data. Based on Article 39(1).
    AVG must be the data protection officer (a) the controller

    informing and advising on its obligations under the GDPR and others

    Union or Member State data protection provisions and (b) monitor

    compliance with the GDPR, other Union or Member State law

    data protection provisions and of the policy of the controller
    or the processor with regard to the protection of personal data, including

    of the allocation of responsibilities, awareness raising and training of the

    processing of personnel involved and the relevant audits.


70. The defendant emphasizes regarding the position of the official for
    data protection under Article 38(1) GDPR that, in his view, there was no need Decision on the substance 162/2022 - 19/23


    to involve the data protection officer in the conclusion of the MoU.

    Like all other intermediaries, Airbnb is obliged to provide operator and accommodation data

    to the defendant since the entry into force of the Accommodation Decree on 1 April

    2017. The legal basis for communicating this information to the defendant is
    therefore based on Article 11 of the Accommodation Decree, and not on the MoU

    Inspectorate refers to. In any case, the defendant is ahead of the official

    data protection involved immediately after the letter dd. September 10, 2020 from the GBA.

    The data protection officer subsequently issued a favorable opinion.

    In addition, the defendant argues that it has applied the term 'sample' in the way that

    is in line with the intention of the legislator of Article 11 of the Accommodation Decree. Finally
    the defendant argues that the accommodation decree predates the AVG, since it

    accommodation decree entered into force on 1 April 2017, while the GDPR applies with effect from

    May 25, 2018. Consequently, according to the defendant, there can be no question of a

    infringement of Article 38 (1) GDPR and Article 39 (1) GDPR.


71. The Litigation Chamber recalls that the GDPR recognizes that the officer for
    data protection is a key figure in terms of the protection of

    personal data whose designation, position and tasks are subject to rules. This one

    rules help the controller to comply with its obligations under

    the GDPR, but also help the data protection officer to fulfill his duties

    should exercise. The data protection officer should be involved

    in all matters related to the protection of personal data.
    The fact that the legal basis has been laid down in a legal standard does not constitute this

    exception to.


72. Based on the defence, the Disputes Chamber establishes that this is precisely the intention of

    the MoU to determine between the parties in which cases the transfer of

    personal data can take place and under what modalities. Consequently, it concerns
    conclusion of the MoU the defendant's policy regarding compliance with the GDPR in the

    framework of its enforcement powers.Article 11Logies decree provides that the data

    can be requested by the defendant from Airbnb at clearly defined

    samples, but the MoU further elaborates what is clearly defined below

    samples is understood by the parties. Consequently, the official submitted

    data protection to be properly and timely involved in the preparation and
    approving the MoU. With regard to the fact that the Accommodation Decree of

    was applicable since 2017, the Litigation Chamber points out that it has been applicable since

    of the GDPR, each controller is obliged to comply with it

    compliance with imposed obligations. Thus, the defendant served this legal basis upon which

    he wishes to test himself against the higher legal standard in order to verify whether the decision on the merits 162/2022 - 20/23


    requesting the personal data is in accordance with the GDPR. This is also one

    matter in which the data protection officer should be involved

    become.

73. In view of the above, the Disputes Chamber has determined with regard to Article 38, paragraph 1 GDPR

    that the data protection officer was not sufficiently involved with some

    data protection matters. Defendant's documents show that the

    data protection officer for the purposes of the present case

    investigated data processing was only involved after the first writing of the

    Inspection Service.

74. In view of the above, the Disputes Chamber rules that there has been a violation of article

    38 (1) and Article 39 (1) GDPR.


  I.4. Infringement of Articles 4, 11, Article 5(1)(a) and (2), Article 6(1)(a) and Article 7(1) and
        paragraph 3 GDPR.


75. The Inspection Report notes that no legally valid permission within the meaning of Article 4.11

    of the GDPR, website visitors are asked to use non-strict
    necessary cookies. After all, the parties involved would not have a free choice on the part of the defendant

    about the use of cookies that are not strictly necessary. The Inspection Report determines

    in this regard the following: “The two options for the use of not strict

    necessary cookies offered by the defendant to data subjects in the

    cookie window (namely “no, give me more info” and “ok, I agree”) are not placed on a

    displayed in a similar way. The option “ok, I agree” says nothing
    more information for those involved. In addition, there is no choice

    the cookie window that allows data subjects to opt out of the use of not strictly necessary

    refuse cookies immediately.” In addition, the Inspectorate has established that no

    transparent information is given on how a given consent to it

    use of unnecessary cookies must be withdrawn.

76. In his conclusions, the defendant argues that the additional finding is not legal

    basis on which it should be excluded from the proceedings. The Inspection Service

    after all, refers to Article 72 WOG to make this determination. The decision of it

    Management Committee to comprehend the Inspection Service in accordance with Article 63, 1° WOG

    howevertheobjectoftheinvestigationthusthescopeoftheinvestigationmustaccordingto

    defendant are limited to the scope resulting from the decision of the
    Executive Committee.


77. In subordinate order, the defendant proceeds to refute the finding of

    the Inspection Service. The defendant emphasizes that on its website only strictly necessary

    cookies or functional cookies were active for which no permission was required. Decision on the substance 162/2022 - 21/23



      This is also not refuted by the Inspectorate, which does not demonstrate that there are also non-

      necessary cookies were active on the website at the time of the determination. At 25

      February 2022, the defendant launched its new website with a new

      cookie window that provides the user with the necessary information and choices on the moment

      used cookies. According to the defendant, the new website uses a

      new cookie statement transparently informed the data subjects about the use of

      cookies. Since no non-strictly necessary cookies were active on the website

      at the time of the investigation by the Inspectorate, the provision of information about

      or asking permission for such cookies was not an issue at that time.


  78. In response to the defendant's statements, the Litigation Chamber first of all refers to article

      72 WOG which reads as follows:

      “Without prejudice to the provisions of this chapter, the Inspector General and the

      inspectors proceed to every investigation, every check and every interview, as well as all information

      such as they deem necessary to satisfy themselves that the basic principles of the

      protection of personal data, within the framework of this law and of the laws that

      contain provisions on the protection of the processing of personal data,

      that they supervise are actually complied with.”


  79. This provision shows that the Inspectorate is not bound by the scope of the complaint

      nor by the scope of the decisions of the Executive Committee. The Inspection Service determines

      itself the scope and method of the investigation, taking into account the proportionality

      and principle of necessity as described in the Charter of the Inspection Service. 15


  80. On the basis of the Inspection Report, the Litigation Chamber concludes that the determination of the

      Inspection service regarding the effective use of cookies that are not strictly necessary

      is sufficiently substantiated by evidence 16 to allow further processing of this file in this

      frame is impossible.


      Consequently, the Litigation Chamber will make a filing with regard to the determination

      of the Inspectorate regarding Articles 4, 11, Article 5, paragraph 1, a), and paragraph 2, Article 6, paragraph 1, a) and

      Article 7, paragraph 1 and paragraph 3 GDPR.


II. Sanctions


 81. On the basis of the documents in the file, the Disputes Chamber establishes that there is

       two breaches of the GDPR: On the one hand, the breach of Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and

       paragraph 2, article 14, paragraph 1 and paragraph 2, article 5, paragraph 2, article 24, paragraph 1 and article 25, paragraph 1 GDPR, and on the other hand



15 Charter of the Inspection Service, August 2022, available at

https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf.
16Cf. Section A.1 of the dismissal policy of the Litigation Chamber. Decision on the substance 162/2022 - 22/23


       this on Article 38 (1) and Article 39 (1) GDPR. Although the defendant these infringements

       has been remedied, it is clear that there have been breaches of the right to data protection

       have taken place. As already explained, the principle of transparency is one of them

       the fundamental principles of the GDPR. Also the data protection officer

       plays a crucial role in data protection at a controller


 82. The Disputes Chamber is of the opinion that there are sufficient elements to issue a reprimand

       which constitutes a light sanction and is sufficient in the light of the circumstances in this file

       identified violations of the GDPR. When determining the sanction, the

       Litigation Chamber takes into account the fact that the defendant has already rectified these infringements
       and provide supporting documents. Needless to say, the Disputes Chamber points this out

       that it is not competent to impose an administrative fine on

       government bodies, in accordance with Article 221, § 2 of the Data Protection Act. 17


 83. The Disputes Chamber proceeds to dismiss the other grievances and

       findings of the Inspectorate because they based on the facts and the documents from the

       file cannot come to the conclusion that the GDPR has been breached.

       These grievances and findings of the Inspectorate are therefore deemed to be obvious
                                                                      18
       considered unfounded within the meaning of Article 57(4) GDPR.



Publication of the decision


 84. Given the importance of transparency with regard to decision-making by the

       Litigation Chamber, this decision will be published on the website of the
       Data Protection Authority, stating the identification data of the

       defendant. This mention is justified by the public interest of

       present decision in the context of the exemplary function of the defendant as

       public service, on the one hand, and by the unavoidable re-identification of the defendant

       case of pseudonymization, on the other hand.


















17Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, B.S., September 5, 2018.
18 See point 3.A.2 of the Dispute Policy of the Litigation Chamber, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 162/2022 - 23/23






     FOR THESE REASONS,


     the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


     - on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the

         defendant with regard to the infringement of article 12, paragraph 1 and paragraph 2, article 13, paragraph 1 and paragraph 2, article

         14 (1) and (2), Article 5 (2), Article 24 (1) and Article 25 (1) GDPR;

     - on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the

         defendant as regards the infringement of Article 38(1) and Article 39(1) GDPR;


     - pursuant to article 100, §1, 1° WOG with regard to all other determinations in

         dismiss.






Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the


notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.

Such an appeal may be made by means of an inter partes petition

listed in Article 1034ter of the Judicial Code. It 19

a contradictory petition must be submitted to the Registry of the Market Court

in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).









(get). Hielke HIJMANS

Chairman of the Litigation Chamber







19 The petition states, under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
     summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.
20
  The petition with its appendix shall be sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.