APD/GBA (Belgium) - 110/2023

From GDPRhub
Revision as of 10:13, 13 September 2023 by Aa (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 110/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 13 GDPR
Article 37(1)(a) GDPR
Article 37(7) GDPR
Article 39(1) GDPR
Type: Complaint
Outcome: Rejected
Started: 15.06.2018
Decided: 09.08.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 110/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA found violations of Articles 5(2), 13(1)(a), 37(1)(a), 37(7), and 39 GDPR by a municipal school because it had failed to assign a data protection officer and correctly document compliance with the GDPR.

English Summary

Facts

On 15 June 2018, a complaint was brought jointly by two data subjects, employed at a municipal school as teachers, against the municipal authority which acted as the governing body of the school.

The complaint concerned two alleged infringements of the GDPR:

  1. The publication of a series of Board reports on the school's online platform on 23 November 2017. The reports contained incriminating statements made against the first data subject.
  2. The publication of the results of a student survey concerning the second data subject. This survey was published on the school's platform on 22 January 2018.

Both the reports and the survey were removed from the online platform before the data subject's had filed the complaint. The reports were taken down on 9 May 2018, and the survey was removed on the same day as its publication (22 January 2018).

On 4 July 2018, the complaint was declared admissible by the Belgian DPA and a formal investigation of the matter was commenced on 11 October 2019.

Holding

The DPA issued a dismissal of the orginial complaint as the processing (the publishing and removing of the reports and survey) took place prior to the GDPR's entry into force on 25 May 2018. However, the DPA found several violations outside of the scope of the complaint.

Firstly, prior to assessing the violations, the DPA clarified the data processing roles of the school and the municipality. In particulary, the Belgian DPA found that the municipal body was the controller for the purposes of Article 4(7) GDPR, as the management of the school was under the administrative authority of the municipality. The DPA acknowledged that the school held high levels of autonomous decision-making powers regarding educational decisions, but adopted the EDPB's reading of Article 4(7) GDPR. The EDPB on this matter, notes that "an organisation can still be the controller even if it does not make all the decisions about the ends and the means."

Secondly, the DPA found a breach of Article 37 GDPR. As a public body, the school was obliged to designate a data protection officer under Article 37(1)(a) GDPR, as well as to publish the contact details of the DPO and communicate them to the DPA under Article 37(7) GDPR. The municipal body had a DPO whose functions extended to the school, but the school did not have its own separate DPO. Moreover, the controller failed to publish their DPO's contact details. Consequently, the DPA found a violation of Article 37(1)(a) GDPR as the school acted as a public body in its own right and should have had a seperate DPO. Moreover, the failure to publish the municipal DPO's contact details was a breach of Article 37(7) GDPR.

Thirdly, the DPA found a breach of Article 39 GDPR, which establishes the tasks of the DPO. The municipality's DPO was employed for 120 hours annually, to fulfill its tasks for the municipality, the school in the current case, and another school under the municipality's administration. The DPA held that 120 hours was wholly inadequate. The DPO was not systematically involved in the operations of the school and municipality at all. Resultantly, the DPA found a breach of Article 39(1) GDPR.

Fourthly, the DPA found that no register of data breaches were being kept, as required by Article 33(5) GDPR. The controller stated that "no data breaches had taken place since the last one which was registered," as the DPA could not verify whether another data breach took place or not, the DPA found a breach of the principle of accountability under Article 5(2) GDPR and Article 33(5) GDPR. Article 5(2) GDPR establishes the principle of accountability which obliges controllers to demonstrate compliance with the GDPR.

Lastly, the DPA found a violation of the disclosure obligations under Article 13(1)(a) GDPR. This provision obliges the controller to publish the controller's contact details. The DPA found that the controller did not adequately provide the information, and the information that was provided was unclear. Thus the controller was in breach of Article 13(1)(a).

In conclusion, the DPA found violations of Articles 5(2), 13(1)(a), 37(1)(a), 37(7), and 39 GDPR. The DPA issued no fine, but ordered the controller to create an action plan within 3 months to comply with the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/21






                                                                                  Litigation room



                                          Decision on the substance 110/2023 of August 9, 2023






File number : DOS-2018-03496



Subject: Complaint against a municipal secondary school because of the publication of

disciplinary reports on the one hand and a student inquiry on the other



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman, and Messrs. Frank De Smet and Christophe Boeraeve, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (general

Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;
                                                                                                 .

has taken the following decision regarding: .
                                                                                                 .


The complainants: Mr. X1, hereinafter referred to as “the first complainant”; Ms. X2 hereinafter referred to as “the second complainant”; .
                                                                                                  .
                   both represented by Mr. Stijn BUTENAERTS, with offices in Leopold
                                                                                                  .
                   II-laan 180, 1080 Brussels;


The defendant: The Municipality of Y, represented by its Board of Mayors and
                   Aldermen, hereinafter referred to as “the defendant”; represented by Mr. Alain BOUTEILLA

                   mr. Stephanie NGAY-KATALAY, Decision on the substance 110/2021 - 2/21



I. Factual Procedure


    1. The defendant is a municipality that acts as the organizing body of the school concerned in the

        present file. In some cases, the documents in the file specifically stated the

        municipal school as an entity, without being specifically identified as a part

        of the defendant as a municipality. As an educational institution, the school has a number of autonomous ones
        decision-making powers, which are important during the course of the facts giving rise to it

        gave to this procedure. In those cases, where the educational institution on file as

        separate entity occurs or is referred to, it is referred to as “school of the

        defendant”.

    I.1. The complaint


    2. On 15 June 2018, the complainants jointly lodge a complaint with the Data Protection Authority

        against the defendant. Both complainants are at the time of the facts described in the complaint

        employed at the defendant's school.

    3. The object of the complaint concerns two alleged infringements of the

        provisions of the GDPR, which would involve personal data of the complainants:

        - The first alleged infringement concerns the publication on Smartschool of a series of

           Board reports, including two reports from the Board of Mayor and Aldermen

           dated 12 February 2015 and 30 March 2015 concerning the first complainant, in connection with a

           incident that led to his temporary suspension. The reports contain incriminating

           statements from two teachers and a student regarding the named first
           complainer. At a later stage, an appeal body would decide on temporary suspension

           have destroyed. However, the document containing this decision was not published on

           Smart school.


        - The second alleged infringement concerns the publication of a student survey concerning

           the second complainant at Smartschool. The student survey was completed by 48 students and
           was created on December 15, 2017. The publication of the student survey took place

           on January 22, 2018.


    4. Prior to this complaint, the complainants exercised their rights through a lawyer by

        to turn to the defendant, and more specifically the defendant's school concerned, per
        registered letter of 8 May 2018. The complainants formulated their grievances in this regard

        to the facts set forth above. The complainants also requested that the reports

        of the first alleged infringement relating to the first complainant within 5

        working days would be removed

        injury. Decision on the substance 110/2021 - 3/21



5. The defendant's school replied to this registered letter on 22 May 2018. It stated

    that the Board of Mayor and Aldermen took note of the

    letter from the complainants, and subsequently decided to reserve all rights and without

    any detrimental acknowledgment to remove Smartschool's reports (with regard to the

    first alleged infringement).

6. The complainants did not consider this answer to be sufficient and subsequently proceeded to submit a

    complaint to the GBA. In parallel with this complaint procedure, the complainants wrote on September 5, 2018

    again a letter to the defendant asking in particular a number of additional questions.

    They first asked whether the then director of the school was obliged by the organizing body

    power to put the reports of the college of mayors and aldermen and on Smartschool.
    Secondly, the complainants refer to the defendant's regulations, where in the context of the

    openness of the board a written request has been made before the

    right of inspection (in particular to the reports on disciplinary law) can be exercised. The inspection would

    according to these regulations, can also be refused when the protection of the personal

    privacy of a person involved in the conduct.

7. The defendant replied to this letter on 18 September 2018 by stating that there was no

    order was given to place the lecture reports on Smartschool. The college reports

    would only serve as an “internal” working document to the principals of the municipal schools

    provided for notice.

8. The complainants finally wrote a final letter to the defendant on 15 October 2018. In here

    they argue that it appears from the letter of 18 September 2018 by the defendant that the

    lecture reports are sent directly to the principals of all municipal schools,

    even if the report has no relevance whatsoever for a municipal school. Cover bearings
    emphasize that college reports could contain sensitive information (in this case the

    disciplinary proceedings concerning the first complainant), and would therefore be protected under

    the privacy legislation and the rules on open government. The complainants then ask

    to the defendant how the facts – linked to the two alleged infringements in the complaint to the

    GBA – compatible with those last two. Finally, they also ask what the reason is for the

    to (systematically) transfer lecture reports that concern one school to all
    municipal schools.


9. On 4 July 2018, the complaint was declared admissible by the Data Protection Authority on

    pursuant to Articles 58 and 60 WOG. Subsequently, the complaint pursuant to art. 62, §1 WOG

    transferred by the First Line Service to the Disputes Chamber.

I.2. The Inspectorate's investigation


10. On 14 November 2018, the Disputes Chamber will decide on the basis of Articles 63, 2° and 94, 1° WOG

    to request an investigation from the Inspectorate. Decision on the substance 110/2021 - 4/21



11. On November 21, 2018, in accordance with art.96, §1 WOG, the request of the Disputes Chamber

    to conduct an investigation submitted to the Inspection Service, together with the complaint and

    the inventory of the items.

12. Prior to the Inspection Report, questions were asked by the Inspection Service of the GBA

    to both the complainant and the defendant.


13. On October 11, 2019, the investigation will be completed by the Inspectorate, the report will be

    attached to the file and the file is transferred by the Inspector General to the
    Chairman of the Litigation Chamber (art. 91, §1 and §2 WOG).

    The report first contains findings with regard to the subject of the complaint (within

    scope). The Inspectorate supports the position of the defendant that the GDPR is impossible

    may apply to the first incident, as the facts predate 25 May 2018.

14. The report also contains findings that go beyond the subject of the complaint. The

    In general, the Inspectorate determines the following matters.


15. First, with regard to the obligation to document incidents in Article 33(5) GDPR and the

    risk-based approach in accordance with Article 32 GDPR, the Inspection Service examined the
    manner of handling of both incidents by the defendant. This is how the defendant replies

    the question from the Inspectorate whether incidents have been registered in the meantime, that there are “none

    incidents have been more”. The Inspectorate states that this is not an answer to the question and that

    it cannot therefore be concluded that the school and/or the municipality involved have meanwhile

    have initiated an incident registration as required by Article 33(5) GDPR

16. Secondly, with regard to the investigation of incidents within the meaning of Article 33(5) GDPR,

    the Inspectorate states that appropriate investigation is necessary in the interests of those involved. The

    The Inspectorate, however, states that it has no indications that the incidents were proper

    were investigated.

17. Thirdly, with regard to the reporting obligation to the supervisory authority within the meaning of

    Article 33 GDPR, the Inspection Service states that the incidents were not reported to the

    Data Protection Authority.

18. Fourth, with regard to the obligation to provide information within the meaning of Article 13 (specific paragraph 1 point a)

    The AVG first suggests to the Inspectorate that the municipality acts as the controller

    identifies in its communication to the GBA. The Inspectorate states that there is no

    consistent reference to one data controller and one point of contact

    (for example, for the position of data protection officer). Now the defendant for
    data protection law aspects appeals to an “external e-gov support center” (this

    is the company Z ) and the references to the defendant and this support not always clear

    were displayed, according to the Inspectorate, this leads to a breach of the information obligation. Decision on the substance 110/2021 - 5/21




    19. Fifth, with regard to the designation of a data protection officer

        (“DPO”) and the disclosure of his contact details within the meaning of Article 37, paragraph respectively

        1, point a) and Article 37, paragraph 7 GDPR, the Inspection Service states as follows: In the privacy statement of the

        Defendant's school was referred to a privacy email address of the Defendant (de

        municipality), without a specific clarification as to which person or service it concerns. The
        The Inspectorate did find out that the position of DPO is performed by the external e-mail

        gov support to which the defendant is affiliated.




    20. Sixth, with regard to the registration of the DPO with the DPA within the meaning of Article 37(7)

        AVG informs the Inspection Service that no DPO has been registered for the defendant.

    21. Seventh, in relation to the tasks performed by the DPO within the meaning of Article 39(1) GDPR

        the defendant had submitted a number of documents to the Inspectorate. The inspection report

        states:


                “The Inspection Service has no indication whatsoever that the aforementioned employee of [the

                external e-gov support] performs the tasks provided for in Article 39 1. b), d) and e) GDPR

                (tasks of supervising compliance with the GDPR, cooperation with the GBA, acting as
                contact point for the GBA). . .

                In no correspondence between the [defendant] . . . and GBA was indicated as a single

                contact with the DPO. If the DPO has already been appointed, the Inspectorate determines that at least the

                tasks under Article 39.1 d) and e) were not completed by the DPO.” 1


    22. Eighth, with regard to accountability, documentation, and record keeping

        of and the investigation of incidents within the meaning of Articles 5(2) and 33(5) GDPR has

        In its investigation, the Inspectorate can first determine that the ICT manager of

        the municipality was informed about the two incidents. In this regard, the
        Inspectorate: “However, it cannot be proven when this happened and in what way, there

        according to the [defendant] the notification was made orally . . .” In addition, the defendant could

        not explain agreements with regard to the Inspectorate regarding timely reporting and further

        following up (or “handling”) incidents that affect personal data protection. Until

        finally, there is also no “no evidence of registration, investigation and follow-up of the incidents that have occurred

        the director, ICT manager and/or DPO were reported”, according to the Inspectorate.











1
 Inspection report, page 12.
2Inspection report, p. 13. Decision on the substance 110/2021 - 6/21



I.3. The conclusions of the parties


23. On 14 October 2019, the Inspectorate's investigation report will be finalized and the

    file submitted to the Disputes Chamber. The Disputes Chamber will decide on 12 November 2019

    on the basis of art. 95, §1, 1° and art. 98 WOG that the file is ready for consideration on the merits.

    The Disputes Chamber decides to divide the file on the basis of the report of the Inspectorate

    in two separate cases:


        1. On the one hand, the Disputes Chamber will make a substantive decision with regard to the
            object of the complaint;


        2. On the other hand, the Disputes Chamber will take a decision on the merits in response to the

            findings made by the Inspectorate outside the scope of the complaint.

24. On November 13, 2019, the parties involved will be notified by registered mail

    of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. also become

    they pursuant to art. 99 WOG of the deadlines to file their defences

    serve.

    With regard to the findings relating to the subject matter of the complaint, the ultimate

    date for receipt of the defendant's statement of defense set at 13

    December 2019, those for the complainant's reply of 31 December 2019 and at

    finally these for the statement of defense of the defendant on 17 January 2020.

    With regard to the findings that go beyond the object of the complaint, the ultimate

    date for receipt of the defendant's statement of defense set at 17 January

    2020.

25. On December 16, 2019, the Disputes Chamber will receive the statement of defense from the

    defendant as regards the findings relating to the subject-matter of the complaint.

26. The defendant argues, first, as regards the facts, that it is only aware of the former

    incident. According to the defendant, it was never informed about the second incident (except for the

    notification of the complaint and start of the investigation by the GBA). The resources cited

    of the defendant are:

    • The incidents fall outside the scope of the GDPR as they are both

        took place before the date of entry into force (25 May 2018). The complaint is related

        on facts prior to May 25, 2018; so these facts will have to be examined in light

        of the privacy law. Therefore, no administrative fine can be imposed for this

        according to the defendant;

    • The defendant also explains the circumstances surrounding both incidents, as well

        its presumed (legal) qualification. Decision on the substance 110/2021 - 7/21



    • In conclusion, the defendant states that if the GBA were of the opinion that the complaint was well founded

        it requests the favor of the suspension on the basis of Article 100, § 1, 3° WOG.


27. On 30 November 2019, the Litigation Chamber receives the statement of reply from the complainants,

    in which with regard to the findings relating to the subject of the complaint alone
    means is concluded regarding the applicable law. The complaining party argues

    hereby that the GDPR applies to all pertinent facts, and that the defendant does not

    makes it plausible that there are legitimate purposes for which the publications on Smartschool are used

    account for both incidents. In addition, the complaining party points to, among other things, the lack of

    rectification of the elements relating to the disciplinary procedure (the first incident), the

    missing pseudonymization measures, as well as the consequences of the events and the
    according to them, damage suffered as a result (according to the complainants, “intangible or reputational damage”). Finally

    the complainants also ask for compensation and the imposition of “the necessary administrative

    fines and sanctions”.

28. On 17 January 2020, the Litigation Chamber will receive the conclusion of the reply from the defendant for

    with regard to the findings relating to the subject of the complaint:


    • Respondent reiterates with regard to applicable legislation that the GDPR does not apply

        may be based on the facts that took place before 25 May 2018. The facts fall under it
        scope of the privacy law;


    • With regard to the first and second incident, the defendant raises the same arguments as

        set out in its Opinion of 16 December 2019;


    • With regard to the authority of the GBA to award compensation, the

        Respondent reserves all rights and without any prejudicial acknowledgment in this
        because it is not up to the GBA to rule on civil (or criminal)

        liability of the defendant.


29. On the same date, the Disputes Chamber also receives the statement of reply from the

defendant with regard to the findings of the Inspectorate outside the scope of the complaint. The

the defendant first of all states in general terms that it can be qualified as a controller
for a variety of "public services", including the provision of education.

The defendant states that privacy and personal data protection are a “priority” subject

forms for her. With regard to the specific findings of the Inspectorate, the

defendant the following:

    • With regard to the registration of the incidents (documentation obligation Article 33, paragraph 5 GDPR and

        risk-based approach Article 32 GDPR) and the obligation to report to the GBA (Article 33 GDPR):

        the defendant points out that she was only confronted with one incident on 15 October

        2019, regarding hacking an email box. According to the defendant, this incident was 110/2021 - 8/21



    immediately registered in the incident register and within the statutory period to the GBA

    reported. A solution was also found and the passwords of all involved

    users as well as the passwords of the servers were changed.


• Regarding the investigation of incidents (Article 33, paragraph 5 GDPR): the defendant states that she
    documents all personal data breaches in accordance with Article 33 (5) GDPR.

    The defendant states that she uses an incident register and that she reports incidents

    informs the GBA in a detailed manner. The defendant states: “This shows that

    the defendant has implemented an effective procedure that enables it to

    quickly detect incidents and respond in the event of a data breach.” In addition, the

    the defendant have also developed an information security plant, grafted onto the activities
    of the school concerned.


• With regard to the obligation to provide information regarding the name and address of the

    controller (Article 13(1)(a) GDPR): the defendant acknowledges in her

    concluded that “the original privacy statement was not clear and incomplete”. The
    The defendant states that it has made the necessary adjustments – in consultation with the court

    external e-gov support point that also provides the DPO – so that the privacy statement can also be improved

    being reached. The website of the defendant's school states, according to the defendant,

    from now on clearly designate the municipal administration as the controller.

• With regard to the findings regarding the data protection officer: In

    In 2015, the defendant approved the award to the e-gov support centre. The award

    states the assignment for appointing a service provider for the preparation of a

    risk analysis with regard to information security. As for the tasks and functions of

    the DPO for (the relevant school of) the defendant, the latter refers to by way of illustration

    the advice and presentations prepared and submitted by the e-gov support centre.

• Regarding the accountability / Documentation obligation / Registration and investigation of

    incidents (Article 5(2) and 33(5) GDPR): the defendant refers to the previous one

    argumentation regarding this finding. The Defendant also adds the extracts from the

    register of processing activities in accordance with Article 30 GDPR.

• In conclusion, the defendant states that it has taken numerous actions and important ones

    has mobilized financial and technical resources to meet the increased duties of the

    to comply with GDPR. The defendant argues that if the GBA were of the opinion that

    the defendant does not adequately comply with the obligations of the AVG, albeit in any case the
    requests favor of the suspension and this on the basis of Article 100, § 1 3° GDPR. Decision on the substance 110/2021 - 9/21



    I.4. The hearing before the Litigation Chamber


    29. On April 21, 2023, the Disputes Chamber decides ex officio to organize a hearing in the

       present file. This on the basis of Article 52 of the Rules of Internal Order of the

       Data Protection Authority.

    30. The hearing will take place on 6 June 2023. At the hearing, the two complainants will be in person

       present, as is their lawyer. For the defendant, the two lawyers of the defendant are

       present, the DPO of the defendant (from the external gov support center), as well as the current director

       of the defendant's school in question.

    31. At the hearing, the complaining party again explains the grievances. The complaining party points it out

       lack of apologies and rectifications.

    32. Subsequently, the defendant's lawyer further explains the claims. The lawyer offers

       I hereby apologize on behalf of his client.

    33. The members of the Litigation Chamber then address a number of questions to the defendant. Here light

       the DPO of the defendant admits, among other things, that a pool of privacy experts from the support center

       is offered, and that the support center also includes an information security cell. The DPO

       also states that for the performance of the tasks there is mainly contact with an IT

       employee of the defendant, and that 120 scheduled hours per year are offered for
       all activities of the defendant. However, it is emphasized that a number of aspects –

       for example knowledge aspects related to municipal privacy statements and the

       writing–happen at “group level”. In addition, the DPO admits no direct

       contact has taken place with the municipal council itself for DPO-related activities,

       and that it is the practice in the case of the Respondent to act as DPO directly to the IT

       report employee.



II. Motivation



    II.1. The qualification of the defendant as a controller


    34. Throughout the proceedings, the defendant identified herself as

       controller, and is also always in that capacity regarding the facts
       addressed (including by the Inspection Service). This also applies to all processing activities

       which runs the school.However, this does not mean that it is absolutely clear that the defendant

       as the municipality is in any case the controller in all cases that the

       municipal school. Decision on the substance 110/2021 - 10/21



    35. In accordance with the law (specifically the Article 4(7) of the GDPR), and to established

                                              3 4
        case law of the Court of Justice ,should be assessed factually or a certain

        actor (this can be a natural or legal person, but also a public authority, a

        agency or other body) the purposes and means of the processing of personal data

        determines. The European Data Protection Board (“EDPB”) has clarified this

        that the factual control of this actor over the personal data processing is possible, among other things

        be derived from a legal provision, but also from a factual influence that the actor has on the
                                          5
        processing activity(ies).


    36. With regard to the facts that fall within the scope of the complaint, it appears that the director of the

        school of the defendant itself - whether or not after consultation within the school and with instructions that

        were limited to employees of the school – has decided to provide certain documents containing these

        person was delivered by the defendant, of his own accord at the Smartschool-

        platform. The principal of the defendant's school acted in that sense

        without instruction to publish the documents on the part of the defendant. More so, implicitly had

        the director can deduce from the contents of the documents that the defendant

        documents would rather not be published on Smartschool.


    37. None of this in any way implies that the Respondent may not have any processing responsibility

        about the facts that occurred within the scope of the complaint. Article 4(7) of

        after all, the GDPR stipulates that the purpose and means can be used alone or together with others

        be established. This could also be the case if the director does not have an explicit mandate

        had to publish the documents and acted on its own initiative, as did the EDPB

        confirmed: “Accordingly, an organization can still be controller

        even if it does not make all the decisions about the ends and the means.” After all, the fact that a

        organization if the defendant did not give general or concrete instructions to protect the integrity of the

        to guarantee the documents it supplied, (part of) the

        place responsibility for processing on the defendant.


    38. Hic et nunc, however, it is not appropriate to define the exact roles and responsibilities in this

        to analyze and determine, now that the Disputes Chamber will proceed to a dismissal of the




3 CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat – uskonnollinen yhdyskunta, C-25/17,
ECLI:EU:C:2018:55;CJEUJudgementof13May2014,GoogleSpainSLt.AgenciaEspañola deproteccióndeDatos(AEPD) and Others,C-131/12,
ECLI:EU:C:2014:317, in particular par.34;CJEUJudgementof5June2018,UnabhängigesLandeszentrumfürDatenschutzSchleswig-
Holstein v
Wirtschaftsakademie Schleswig-HolsteinGmbH, C-210/16, ECLI: EU:C:2017:796, in particular para. 35.

4 L. A. BYGRAVE & L. TOSONI, “Article 4(7). Controller” in The EU General Data Protection Regulation. A Commentary, Oxford
University Press, 2020, 14.
5
 EDPB, Guidance 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021 (version 2.0),
available in Dutch at: https://edpb.europa.eu/system/files/2022-
02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, par. 25 et seq.
6EDPB, Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021 (version 2.0),
available in Dutch at: https://edpb.europa.eu/system/files/2022-

02/eppb_guidelines_202007_controllerprocessor_final_en.pdf, par. 31. Substantive decision 110/2021 - 11/21



    elements within the scope of the complaint. However, outside the scope of the complaint there are

    determinations made by the Inspectorate that expressly relate to the

    the defendant as controller.For that reasonthere is no doubt that

    the defendant acts as controller for those elements, including for

    activities related to her school.

II.2. With regard to the findings within the scope of the complaint


39. Based on the elements in the file known to the Litigation Chamber and on the basis of the

    powers assigned to it by the legislator pursuant to Article 100§1 WOG

    the Litigation Chamber about the further follow-up of the file; in this case, the Disputes Chamber

    about to dismiss part of the complaint in accordance with Article 100, §1, 5° WOG,
    based on the following justification.


40. In the event of a dismissal, the Litigation Chamber must gradually investigate and substantiate:

        - Whether there is insufficient prospect of a conviction, followed by a technical dismissal;


        - Whether a successful conviction would be technically feasible but on grounds, up to it

            general interest, a (further) follow-up is undesirable, after which a
            policy follows.


    In the event that more than one ground is dismissed, the grounds for dismissal (resp. technical

    dismissal and policy dismissal) should be dealt with in order of importance.

41. In the present case, the Disputes Chamber considered it technically impossible to follow up

    to certain elements of the file that are based on the complaint, and decides to proceed

    to a technical dismissal based on the motives set out below.

42. Based on the findings in the investigation by the Inspectorate in this case (cf. appendix), it appears that

    the Litigation Chamber has no jurisdiction ratione temporis, there on the basis of the facts and the in the complaint

    The grievances put forward show that the complaint relates to processing operations that started before

    May 25, 2018 (the date on which the GDPR came into effect), and the processing involved as well

    ended before that date.

43. It is true that the complaint was initially admissible by the GBA's First Line Service

    declared, and that an investigation by the Inspectorate subsequently also took place with

    regarding the facts. This does not alter the fact that the Disputes Chamber has always ruled that

    are not authorized to act for acts that only take place before 25 May
    2018.


44. In order for the Disputes Chamber to be competent, it is necessary that the GDPR applies to

    the processing operations that are the subject of the complaint. According to art. 4 (2) GDPR means it
    processing of personal data: “any operation or set of operations relating to Decision on the substance 110/2021 - 12/21




        to personal data or a set of personal data, whether or not carried out via

        automated procedures, such as collecting, recording, organizing, structuring,

        store, update or change, retrieve, consult, use, provide by means of

        forwarding, distributing or otherwise making available, aligning or combining,

        blocking, erasing or destroying data”.

    45. The processing operations in this case and their timing can be summarized as follows:


            - Heteersteincident: a publication of personal data on Smartschool on 23 November

               2017 at 10:58 am. It concerns a publication of a series of college reports, including

               two reports dated 12 February 2015 and 30 March 2015 and that the first complainant

               concern. The report dd. February 12, 2015 concerns information about the disciplinary investigation that

               was initiated in the head of the first plaintiff and contains incriminating statements. Inquiry from

               the complainant to remove the reports, they were removed from Smartschool at 9

               May 2018;

            - The second incident: a publication of a student survey dated. December 15, 2017 on

               Smartschool (date of publication: January 22, 2018). Second complainant would be the publication

               that same day and immediately sent an e-mail to the

               then director. This is apparent from communication between the Inspectorate and the complainants

               that same day the published student survey was removed.


    46. The Disputes Chamber establishes that the aforementioned processing took place before the
        entry into force of the GDPR on May 25, 2018. In addition, the findings of the

        Inspectorate that the processing of personal data related to both incidents is not

        more took place after the entry into force of the GDPR on May 25, 2018. The publications became

        after all, removed from Smartschool on May 9, 2018 and January 22, 2018. Based on the

        The inspection report and the documents cannot be determined by the Disputes Chamber that after 25 May 2018

        processing has taken place that relates to the subject of this complaint.

                                                                                         8
    47. In view of the foregoing, the Disputes Chamber proceeds to a technical dismissal as a result of which

        no further action can be taken on this complaint as there is no infringement

        on the GDPR. For the sake of completeness, the Disputes Chamber states that it does not fall within its powers

        should award damages.











7See Article 99 GDPR.

8 See point 3.1.1.4 of the Dispute Chamber's Dismissal Policy, published on its website on 16 June 2021,
(https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-19-2020.pdf). Decision on the substance 110/2021 - 13/21




    II.3. With regard to the findings outside the scope of the complaint



    48. Notwithstanding the technical dismissal with regard to the subject matter of the complaint, the

        Litigation Chamber the findings of the Inspectorate outside the scope of the complaint.

    49. After all, it cannot be ruled out that a complaint will give rise to a more integral and

        substantial control by the Inspectorate in the event of a complaint, it also confirmed

        Markthof. 9


    50. In this context, the Disputes Chamber acknowledges – in a positive sense – the cooperation of the

        defendant during the entire procedure before the Data Protection Authority, whereby
        the defendant acknowledges in a constructive manner on the one hand that certain errors occurred in

        the past or that certain aspects (for example, with regard to the privacy policy and

        the privacy statement) were not fully compliant with the law, and on the other hand

        indicates how it has adjusted this or would adjust it for the future.

        Reference is made here, among other things, to the incident registration and the investigation of incidents (see also

        infrastructure).


    51. Nevertheless, the Disputes Chamber generally notes that there are a number of elements in the
        file point to a structural lack of attention and resources for

        data protection law safeguards. Although an external e-gov support is necessary

        expertise (in this respect using pools of experts) for the exercise of the

        DPO-related tasks and an external DPO provides, the available time and (personnel)

        resources needed to properly perform the tasks are too limited.




        II.3.1. The designation of the DPO and the performance of the duties of the DPO provided for by law
           DPO (article 37 and article 39 GDPR)


           II.3.1.1. With regard to the appointment of an officer for
               data protection in accordance with Art. 37 GDPR



    52. In its report, the Inspectorate pointed out a number of ambiguities regarding the identity of

        the DPO:


               - The complainants' lawyer stated that there is no data protection officer

                 was appointed;






9“Companies . . . however, should be aware that one particular incident . . . may lead to an integral inspection and
substantial control of a company or organization's GDPR compliance, which in turn can lead to sanctions
due to non-compliance with certain GDPR obligations that were not initially the trigger of the inspection.” Cf. Judgment of 14 June
2023, Brussels Court of Appeal (Chamber 19A, Section Marktenhof), no. 2023/4583, 29-30. Decision on the substance 110/2021 - 14/21



           - Article 4.2.6. of the school regulations stated that the municipal council has an extra

             consultant to act as information security consultant and

             data protection officer;

             After June 2, 2019, this provision was deleted from the regulations, without clarification

             why this deletion was necessary;


           - Reference was also made to an employee of Z who would have been referred to as DPO.

       Z. It provides “objective advice” through its DPOs, according to its website.

       According to the Inspectorate, there were a number of remaining ambiguities regarding the

       appointment of an employee of the external e-gov support center as DPO:


           - No appointment decision was made by the Board of Mayor and Aldermen

               provided so that the GBA can verify from what date the defendant gave an order
               to Z, whether this assignment is temporary, and which tasks were or were not included in the

               services;


           - No registration code was provided for the registration of the DPO;

           - The GBA received no further information about the competences of the aforementioned

               employee of the e-gov support center as required by Article 37(5) GDPR;

           - According to Article 37(3) GDPR, a controller can be a DPO

               to various agencies and bodies. The GDPR does require that the

               controller hereby enter the “organizational structure and size”.

               takes into account. The question is whether in this concrete case the DPO of a municipality with

               15,000 to 20,000 inhabitants can also be sufficiently independent and competent

               function as DPO of both two municipal schools and the municipal council. The
               processing is carried out within the context of a comprehensive school

               3,000 to 4,000 students that exceeds the municipality, which may have consequences for

               the handling of incidents and the more efficient use of resources, including the

               teachers' affection;

53. With regard to the appointment of the DPO, the defendant refers to the award contract for the e-

    govsupport(piece5piecesbundleofrespondent).piece6ofdefendantprovesconcretethe

    appointment of a DPO for the defendant, as approved at a hearing held by her

    City Council of 25 November 2019. Document 7 shows that the defendant has an application
    filed for female worker approval at the e-gov support center as

    security consultant at the Flemish supervisory committee for the electronic administrative

    data traffic (hereinafter “VTC”).


54. The Litigation Chamber refers to Article 37(1)(a) GDPR which states that
    controllers are obliged to notify a data protection officer Decision on the substance 110/2021 - 15/21




        to indicate in the event that the processing is carried out by a public authority or

        public authority, which is the case here. From the documents submitted by the defendant

        be deduced that the defendant had not appointed a DPO before 25 November 2019 . Since there

        was already an obligation for the appointment of a DPO since the entry into force of the GDPR

        (May 25, 2018), it is therefore not acceptable that the defendant only a year later a DPO

        appoints.

    55. Regarding the disclosure of the contact details and the sharing of these contact details

        with the supervisory authority, the Disputes Chamber states that at the time of the

        investigation of the Inspectorate failed to provide any evidence of a registration of the DPO with

        the GBA.


    56. For all these reasons, the Litigation Chamber finds a violation of both Article 37 paragraph 1, point a) and

        Article 37 (7) GDPR, as the mandatory designation of the actual DPO was not done correctly

        (according to the missing designation decision or other administrative decision in this regard), and also
        was not correctly reported to the Data Protection Authority.



            II.3.1.2. With regard to the duties of the data protection officer

                in accordance with Art. 39 GDPR



    57. The Disputes Chamber notes that a number of problems existed and continue to exist with

        with regard to the data protection officer and (the possibility of) exercising it

        of certain tasks by that person.

    58. The core of several problems that the Inspectorate was able to identify, therefore, seems to be

        back to the fact that the DPO – or at least the service that carries out the DPO tasks de facto

        - in this case does not receive sufficient resources to inform the controller

        advise to take the necessary data protection law safeguards that serve

        to be provided to support and strengthen those concerned in their rights, on the one hand, and infringements

        on data protection related legislation on the other hand.


    59. It appears from the findings of the Inspectorate in this matter that the Inspectorate has not found any

        finds or receives instructions that indicate that the tasks within the meaning of more specific article

        39 (1) points b), d) and e) GDPR are correctly observed. There is also a lack of clarity

        to find agreements, according to the Inspectorate, between the board of the defendant and the


10
  For the definition of "government", see Article 5 of the framework law of 30 July 2018 on the protection of natural
persons with regard to the processing of personal data whereby government is defined as 1° the Federal State, the
federated states and local authorities, 2° the legal entities under public law belonging to the Federal State, the federated states or local
depending on governments, 3° the persons, whatever their form and nature, who have been established for the specific purpose of meeting needs
of general interest that are not of an industrial or commercial nature; and have legal personality; and of which either the
activities are mainly financed by the authorities or institutions referred to in the provisions under 1° or 2°, either the
management is subject to supervision by these governments or institutions, or the members of the governing body, executive
body or supervisory body are designated for more than half by these governments or institutions. 4° the associations
consisting of one or more authorities as referred to in the provisions under 10, 2° or 3°. Decision on the substance 110/2021 - 16/21



        external e-gov support. What's more, it appears from the file that there is no direct contact whatsoever

        between the defendant's board and the external e-gov support centre. Only with the IT

        responsible of the defendant, there would be structural contact.


    60. Superfluously - but without this having any impact on the assessment of the determination of

        theInspectionserviceoutsidescope–maybeadjustedthateventhefactswhicharewithinthescope
        of the complaint took place indicate situations with a suboptimal structural approach and care

        for data protection.


    61. Although the defendant rightly stated at the hearing that the file had a long lead time

        knows, her statements – and those of her DPO – at the hearing show that the structural
        data protection deficiencies still exist:


           a. The number of hours that the external DPO has available to perform the tasks that the

               GDPR provides is completely insufficient to meet the requirements of the GDPR.

               It is said to be 120 hours on an annual basis for the entire municipality and
               all its services.

           b. The DPO (still) has little or no contact with the municipal council of the

               defendant, let alone that the municipal council structurally consults or invites her

               to provide advice. However, the defendant is a public authority,

               where the legislator in the Article 37 (1) point a) GDPR explicitly designates a

               data protection officer, which indicates that the legislator has the

               function is paramount in the context of government services, and a DPO should access
               have access to the highest level of management so that the tasks can be properly carried out

               become.

           c. In addition, the defendant itself states in its conclusion that, as a municipality, it can do much more

               offers more than just education, which means that they have a large number

               processes personal data of a large number of data subjects. She refers to

               social and cultural services, but also sports, youth, housing and
                      11
               environment. This may also concern sensitive personal data. The limited
               time commitment and limited access to governance for the DPO is in this context

               problematic.

           d. The defendant acts as a controller for the activities of the

               involved school (and other educational institutions), but in principle only offers access

               by the DPO to its IT manager. In case of incidents there would be

               consultation with the employees or responsible persons involved. A whole

               number of data protection aspects are ignored
               IT-related aspects, whereby incidents must be dealt with at a more structural level




1 Reply statement of the defendant, p. 5. Decision on the substance 110/2021 - 17/21



           investigated, analyzed and rectified. This is how a DPO who has no access

           to certain institutions (which are the responsibility of the defendant)

           due to a lack of contact points at those institutions and a lack of time to act on their own

           initiative to establish contacts with such institutions, it is difficult for the

           data protection law related risks of such institutions on a

           adequately identify and address (and help mitigate where necessary).



62. Each of the elements listed in the preceding paragraph gives rise to an infringement

    to be set at Article 39(1) GDPR, given that these points show that the

    controller insufficient the adequate performance of tasks by the DPO

    guarantees. The Disputes Chamber therefore argues - partly on the basis of the findings of the
    Inspectorate on this point – note that the defendant has set out in this provision

    has not fulfilled its obligations, and that it does not sufficiently guarantee that its DPO fulfills its tasks

    can properly perform, as these tasks are listed in Article 39(1).

63. For that reason, the Litigation Chamber orders that the defendant draw up an action plan within three months

    (infra), whereby the defendant takes into account the infringements in the present case

    decision, taking into account, in particular, the specific

    aspects of its services as well as specific contact points in this regard.




    II.3.2. Findings of the Inspectorate regarding the follow-up, documentation and
       reporting incidents (Articles 5 (2), Article 32 and Article 33 GDPR)


64. The obligation to take security measures - with attention to the risks involved

    –which a controller should assume for certain processing activities

    contained in Article 32 GDPR. The registration and reporting obligation of incidents related to
    personal data is contained in Article 33 of the GDPR. Accountability for a

    controller is contained in Article 5(2) of the GDPR.


65. In its inspection report, the Inspection Service describes the way in which both incidents were handled

    by (the school of) the defendant. Taking into account the fact that the Litigation Chamber rationale
    temporis is not authorized to rule on facts that took place before May 25, 2018, can

    they make no statement about the way in which the two incidents that took place before were handled

    the date of entry into force of the GDPR.


    The Litigation Chamber is aware of the fact that the legal predecessor of the GBA (the Commission
    for the protection of privacy, hereinafter referred to as “CPPL”), since June 10, 2014, provided

    in a report form via which personal data breaches (outside the

    telecom sector because there was already a statutory notification obligation for this) could be Decision on the substance 110/2021 - 18/21




        reported. The CBPL had also stated in a press release that it is “more than advisable” to

        using this report form. However, the Litigation Chamber points to the optional character

        of the notification obligation before the entry into force of the GDPR.


    66. The Inspectorate also stated that the communication with the defendant shows that she

        during a certain period after 25 May 2018 still did not register any incidents.

        The Disputes Chamber considers itself competent to rule on this, since the GDPR does
        finds application. Proper registration of incidents is of great importance, especially in the light

        of the size of the educational institution (with 3,500 to 4,000 pupils), but also in the light

        of the risk-based approach under Article 32 GDPR. In this case, there is also one

        processing of sensitive personal data within the meaning of Article 9 GDPR (e.g. data about

        (mental) health and sexually transgressive behaviour,…). The processing also concerns

        data of vulnerable natural persons (particularly minors) 14 and it concerns a

        processing of data the processing of which involves a higher risk in view of the

        rights and freedoms of the persons concerned (performance, evaluations and any

        disciplinary assessments of teachers,…).


    67. The defendant clarifies in its Opinion dd. January 17, 2020 that they have been since the entry into force

        of the GDPR has only had to deal with one incident. This was a case of

        hacking of one email address, where the data of possibly 500 people could have been leaked.

        The defendant states that this incident was immediately registered in the incident register and became

        reported to the GBA within the legal term. She hereby submits evidence to this effect

        to substantiate the argument. This shows the registration of the incident in the incident register, the

        reporting this incident on October 16, 2019 and the solution found (namely the change of

        the passwords of all affected users before October 17, 2019).

    68. Due to a lack of evidence, the Litigation Chamber cannot verify whether the defendant has effectively but too

        experienced one incident since the entry into force of the GDPR. In addition, the

        Litigation Chamber also cannot verify since when the defendant actually uses one

        incident register. The Disputes Chamber can only rule that the defendant with regard to the one

        incident that took place after the entry into force of the GDPR, the obligations in Article

        33 GDPR has correctly complied.


    69. This does not alter the fact that the defendant had answered the Inspectorate's question incorrectly

        of 6 September 2019 when she asked whether incidents have been registered with

        with a view to the notification obligation under the GDPR. The defendant replied that “there is none

        incidents have been more”. This may indeed be correct since the defendant in its conclusion




12https://www.dataprotectionauthority.be/citizen/authority-lancet-notification forms-for-data leaks.
13See Appendix 6 to the Inspection Report.

14Recital 75 GDPR. Decision on the substance 110/2021 - 19/21




        of January 17, 2019 indicates that there was only one incident after the entry into force of the GDPR
        (namely on October 16, 2019). However, it could not be deduced from this answer that the defendant

        now has an incident registration that meets the requirements of Article 33, paragraph

        5 GDPR. Because the defendant cannot adequately justify that it has fulfilled the obligation to

        has complied with adequate registration of incidents, the Disputes Chamber establishes a breach

        to accountability within the meaning of Article 5 (2) GDPR. However, there are not enough

        elements present in the file to establish an infringement of either Article 32 or Article

        33 GDPR.




        II.3.3. Findings of the Inspectorate regarding the obligation to provide information (Article 13(1)
           point a) GDPR)


    70. Article 13(1)(a) of the GDPR requires the controller to provide information

        provided to the data subject about the identity and contact details of the

        controller and, where applicable, of the representative of the

        controller.Instructionsofthedataprotectiongrouparticle29about
        the information requirement was stated that this information serves for easy identification

        of the controller and preferably also other forms of communication with

        enable the controller. 15


    71. The Inspectorate points out to the Disputes Chamber a combination of indications from which the

        At the time of the Inspectorate's investigation, it appears that the defendant has fulfilled its obligation to provide information
        violates regarding the designation of the controller:


               - For example, there are different provisions in different documents that each time

                 refer to other people and services.

               - The school regulations of the school at issue do not contain any clarifications as such.


               - The “Privacy Policy” link on the website of the school at issue: The user becomes

                 automatically redirected to the “privacy statement [municipality]” on the website of the

                 defendant.

               - Point 2 in the privacy statement “who can you turn to for questions” refers to the

                 municipal government . However, this privacy statement also states “With questions about it

                 The privacy policy and the measures taken can be found at the general

                 director V via the e-mail address […] for both the municipality and the OCMW and/or at our

                 data protection officer at the email address […]”.





15Data Protection Working Party Article 29, Guidelines on Transparency under Regulation (EU) 2016/679, 11 April
2018, p. 41. Decision on the substance 110/2021 - 20/21



72. The defendant admits in its conclusion that the original privacy statement was unclear and

    was incomplete with regard to the information obligation under Article 13(1)(a) GDPR. On 22

    however, this was rectified in November 2019 with the publication of a new privacy policy on the

    website of the defendant's school. In this new privacy policy it is now made clear in Article 2

    the municipality of the defendant is appointed as the controller. It

    rectifying the infringement of Article 13 (1) point a) GDPR, however, does not alter the fact that in the
    an infringement may have occurred in the past.


73. In view of the foregoing considerations, the Disputes Chamber states that the defendant before 22

    November 2019 did not comply with the information obligations with regard to article 13, paragraph 1, pointa) of

    the GDPR. Consequently, the Litigation Chamber establishes a breach of the information obligation
    Article 13(1)(a) GDPR.




II.4. Action plan


74. By means of this decision, the Disputes Chamber orders the defendant to draw up an action plan

    in order to bring its processing operations into line with the General

    Data Protection Regulation. This action plan should be submitted to the

    Data Protection Authority within three months of notification of this decision.

75. The Litigation Chamber has identified a number of infringements of the GDPR above. An action plan

    that brings processing operations into line with the law, following this decision,

    should therefore cover at least the following aspects:

        a. With regard to the violations of article 37, paragraph 1, pointa) and article 37, paragraph 7 GDPR: the way

            when the DPO is appointed, how this appointment is monitored, and the like

            allocation of responsibility for the notification of this DPO to the GBA;

        b. With regard to the infringement of Article 39 (1) GDPR: the analysis of an adequate and

            adequate working framework for the DPO, with regard to the performance of her duties for the

            defendant, taking into account in particular the time commitment of

            this DPO for the specific activities of the defendant and its services. In addition

            it should also be examined how adequate direct access can be achieved
            be granted for the DPO to the highest level of decision, where appropriate within the framework

            of reporting or advice so that these tasks can be properly performed;


        c. With regard to the infringement of Article 5 (2) GDPR: the preparation of internal

            policy measures in order to provide adequate access to the
            Data Protection Authority and its services, when required by law

            and with particular attention to cooperation in case of breaches related

            with personal data; Decision on the substance 110/2021 - 21/21



        d. With regard to the breach of Article 13 GDPR: drafting policies that

           to properly implement the duty of information, with structural policy measures

           with regard to the periodic monitoring of (data protection or privacy)

           )declarations and other relevant documents, as well as ensuring the content

           quality of statements and other documents.




II.5. Publication of the decision


    Given the importance of transparency with regard to decision-making by the
    Litigation Chamber, this decision will be published on the website of the

    Data Protection Authority. However, it is not necessary for this to include the identification data

    of the parties are disclosed directly.



   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

   - Pursuant to article of art. 100, §1, 1° WOG, the elements that are part of the complaint te

      dismiss .



   - Pursuant to Article 100, §1, 9° WOG, in view of the violations of Article 5, paragraph 2; 13; 37, member
      1, point a); 37 (7) and 39 (1) GDPR, the defendant to order its processing

      to bring it into line with the GDPR, and to submit an action plan to the GBA for this purpose

      within three months of notification of this decision.







    Against this decision, pursuant to Art. 108, §1 WOG, appeals are lodged within one

    term of thirty days, from the notification, at the Marktenhof, with the

    Data Protection Authority as defendant.






    (Get). Hilke Hijmans

    Chairman of the Litigation Chamber