APD/GBA (Belgium) - 165/2023
| APD/GBA - 165/2023 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 25(1) GDPR, Article 32(1) GDPR, Article 32(2) GDPR, Article 35(1) GDPR, Article 35(2) GDPR, Article 35(3) GDPR, Article 35(7) GDPR, Article 38(1) GDPR, Article 39(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 13.12.2023 |
| Fine: | n/a |
| Parties: | City of Antwerp, MeldJeAan |
| National Case Number/Name: | 165/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA reprimanded the city of Antwerp for several breaches of the GDPR due to its usage of a tool called 'MeldJeAan'. The tool, used by parents to claim a spot for their children in schools, had suffered a data breach as its database had been directly accessible without log-in.
English Summary
Facts
The Belgian DPA started an investigation into the usage of a tool called 'MeldJeAan' by the city of Antwerp.
The tool in question could be used by parents to claim a spot for their children in a school. To use the tool, specific personal data had to be provided, such as contact details, personal details of the child, and information on the parents. By logging in, schools could download the list of all the information of their students. However, due to a flaw in the system, the lists could be accessed directly without logging in. A data breach had been noted, as there was at least one confirmed download by an unauthorised party in this way.
Following the investigation, a report was produced, which flagged several breaches by the city of Antwerp. On 23 June 2023, the DPA held a hearing on the matter.
Holding
The DPA started by assessing the role of the city of Antwerp in the situation at hand. Since the purposes of the tool were decided by several parties, including the city of Antwerp, and Antwerp partly financed the usage of the tool, the DPA concluded that there was joint controllership according to Article 26 GDPR.
The DPA noted that a controller has an obligation to take measures to ensure an appropriate level of security and compliance with the GDPR, as well as demonstrate the measures taken, according to Article 5(2) GDPR, Article 24(1) GDPR and Article 25(1) GDPR. In light of this, the DPA stated that the city of Antwerp did not provide any documentation showcasing compliance and regarding measures and decisions that were taken for the security of the processing of personal data, breaching the above-mentioned articles. Furthermore, after reviewing the documentation produced regarding the data breach, the DPA found the documentation abstract and lacking in follow-up planning, as well as non-compliant with Articles 32(1) and 32(2) GDPR.
The DPA also found a breach of Article 35(1), Article 35(2), Article 35(3) and Article 35(7) GDPR since, even though the tool predated the GDPR, the city of Antwerp should have proactively assessed whether its processing aligned with the GDPR and adapted its processing if necessary, including conducting a correct DPIA. The DPA further noted that the DPIA provided by the city of Antwerp wrongfully designated it as a processor.
Lastly, the DPA found that although the DPO was involved in handling the data breach, it was not involved in a timely manner to ensure adequate security of processing according to Article 32(1) GDPR. The DPA stated that the DPO should have become involved as soon as the city of Antwerp declared itself a joint controller, not only after the data breach was discovered. As such, the DPA concluded a breach of Article 38(1) GDPR and Article 39(1) GDPR.
Based on the above, the DPA reprimanded the city of Antwerp.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 165/2023 of December 11, 2023
File number: DOS-2022-02499
Subject: Potential data breach regarding a registration system

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Jelle Stassijns and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The defendant: City of Antwerp, with registered office in 2000 Antwerp, Grote Markt 1, with company number 0207.500.123, hereinafter "the defendant".

Decision on the merits 165/2023 – 2/24

I. Facts and procedure
1. The central registration system MeldJeAan (hereinafter: MeldJeAan) has been in use for several years in various cities in the context of allocating schools, in order to achieve a more social mix within the schools.
2.
To this end, the parents and, if applicable, the guardian had to provide the following personal data: identification data (name, address, date of birth, telephone number of both parents/guardian and children), electronic identification data (e-mail addresses of both parents/guardian and children), personal characteristics (age, gender of children), education and training (mother), national number (the child's national register number), whether there are already brothers and/or sisters of the child in a particular school in that city, whether the parents are staff members of a school at which one registers, whether the family received a school allowance in the current school year or the previous school year, the spoken language of the child and any special education report. In addition, other personal data were also processed within the application, namely indicators regarding students: home language, mother's education level, neighborhood indicator and school allowance, and preferences for a particular school. Based on these preferences and other personal data, the children were assigned a school. Subsequently, lists were drawn up per school of the children who had been registered for that school. By logging in to the back office of MeldJeAan, an employee of a school could download a list with all personal data of the parents and their children who had registered at that school. Due to a possible defect in the online application MeldJeAan as used for Ghent secondary education, it turned out that the URL with the link to the download list could also be accessed directly, without logging in to the back office. Each secondary school in the system receives a unique ID of 30 characters which is included in the URL, so that anyone who had that unique ID could download, without first logging in, the list with the personal data of the parents and their child who were registered at the school linked to the unique ID.
There was at least one list downloaded in such a manner.[1] The method of downloading was reported to the press, which also downloaded a list itself and published it, albeit pseudonymised.
3. This online application MeldJeAan was also used in Antwerp, among others for primary education. The GBA has not received any notification of this data breach related to the application from the controllers in Antwerp, although the security risk also existed for them.
[Footnote 1: No logs are kept of when or who downloads lists, as this was not included in the program specification. See appendix 1, reporting form, point 4: prevention and management of the data breach.]
4. In view of the above, the Management Committee of the Data Protection Authority (hereinafter: "GBA") takes a decision on June 20, 2022 on the basis of Article 63, 1° WOG because of a practice that may give rise to a violation of the basic principles of personal data protection.
5. The investigation by the Inspection Service is completed on October 10, 2022; the report is added to the file and the file is transferred by the Inspector General to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG). The report contains findings relating to the subject of the decision of the Management Committee and concludes that there has been a violation of: 1. Article 5.1.f) and 5.2 of the GDPR, Article 24.1 of the GDPR, Article 25.1 of the GDPR and Articles 32.1 and 32.2 GDPR; 2. Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and 3. Article 38.1 and Article 39 GDPR. The report also contains additional findings in view of Article 72 of the WOG. The Inspection Service determines, in broad terms, that there has been a violation of: 4. Article 30.1 GDPR.
6. On October 28, 2022, the Disputes Chamber decides on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for substantive treatment.
7.
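The access-control weakness the facts describe (a per-school download URL carrying a 30-character ID that worked without logging in, and no log of who downloaded which list) is shown below as an added Python example; it is not code from MeldJeAan, the City of Antwerp or processor Z. The request shape, the school IDs, the list contents, the client address and the handler names are all constructed for the example. The weak handler treats the ID in the URL as the only credential; the hardened handler requires a session, decides the school from the session rather than from the URL, and writes an audit record for every attempt, which is the kind of evidence the decision later asks the controller to be able to produce.

```python
"""Added example (not MeldJeAan's code): a capability-URL download endpoint
next to a hardened one that authenticates, authorizes and logs. All data and
names here are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: keys stand in for the 30-character per-school IDs.
SCHOOL_LISTS = {
    "a3f9c2e8b1d4f6a7c9e2b4d6f8a1c3": [("Parent A", "Child A")],
    "f7e1d9c3b5a2e4d6c8b0a2f4e6d8c0": [("Parent B", "Child B")],
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed shape, not a real framework)."""
    query: dict                      # parsed query string, e.g. {"school": "<id>"}
    session: Optional[dict] = None   # {"user": ..., "school_id": ...} once logged in
    remote_addr: str = "203.0.113.7" # constructed client address (documentation range)


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


AUDIT = []  # in-memory audit trail for the example; a real system appends to durable storage


def _audit(req, school_id, outcome):
    """Record who (session user or 'anonymous') tried to fetch which list, and the result."""
    AUDIT.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": req.session["user"] if req.session else "anonymous",
        "remote_addr": req.remote_addr,
        "school_id": school_id,
        "outcome": outcome,
    })


def download_list_vulnerable(req):
    """Weak pattern: the ID in the URL is the only 'credential' and nothing is logged,
    so possession of the link is enough and no one can later say who downloaded what."""
    return SCHOOL_LISTS[req.query["school"]]


def download_list_hardened(req):
    """Authenticate (session present), authorize (session's school == requested list),
    then log the outcome whether the download was served or refused."""
    school_id = req.query.get("school", "")
    if req.session is None:
        _audit(req, school_id, "unauthenticated")
        raise Unauthorized("login required")
    # The session, not the URL, decides which school's list may be served.
    if req.session["school_id"] != school_id:
        _audit(req, school_id, "forbidden")
        raise Forbidden("list belongs to another school")
    if school_id not in SCHOOL_LISTS:
        _audit(req, school_id, "not_found")
        raise KeyError(school_id)
    _audit(req, school_id, "downloaded")
    return SCHOOL_LISTS[school_id]


def attempt(handler, req):
    """Run a handler and summarise the outcome as a short string."""
    try:
        rows = handler(req)
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "not_found"
    return f"ok:{len(rows)}"


if __name__ == "__main__":
    sid = "a3f9c2e8b1d4f6a7c9e2b4d6f8a1c3"
    other = "f7e1d9c3b5a2e4d6c8b0a2f4e6d8c0"
    staff = {"user": "staff@school-a.example", "school_id": sid}
    print("vulnerable, no session:", attempt(download_list_vulnerable, Request({"school": sid})))
    print("hardened, no session:  ", attempt(download_list_hardened, Request({"school": sid})))
    print("hardened, other school:", attempt(download_list_hardened, Request({"school": other}, staff)))
    print("hardened, own school:  ", attempt(download_list_hardened, Request({"school": sid}, staff)))
    for rec in AUDIT:
        print(rec)
```

Running the block shows the weak handler serving a list to an anonymous request, while the hardened handler refuses the same request, refuses a logged-in user asking for another school's list, and leaves an audit entry for each attempt, including the refused ones.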
On October 28, 2022, the defendant is notified by registered mail of the provisions stated in Article 95, § 2, as well as those in Article 98 WOG. She is also informed of the deadline, in accordance with Article 99 of the WOG, to submit defenses. The deadline for receipt of the defendant's response is set at December 9, 2022.
8. On October 28, 2022, the defendant electronically accepts all communications regarding the case.
9. On November 2, 2022, the defendant requests a copy of the file (art. 95, § 2, 3° WOG), which is transferred to her on November 9, 2022.
10. On December 9, 2022, the Disputes Chamber receives the response statement of the defendant.
11. On May 8, 2023, the defendant is notified that the hearing will take place on June 23, 2023.
12. On June 23, 2023, the defendant is heard by the Disputes Chamber.
13. On June 28, 2023, the official report of the hearing is submitted to the defendant.
14. On July 4, 2023, the Disputes Chamber receives some comments from the defendant with regard to the official report, which it decides to include in its deliberations.

II. Justification
II.1. Identity of the controller
II.1.1. Findings of the Inspection Service
15. The Inspection Service identifies the defendant as the controller as regards the processing of personal data in the context of the online registration system MeldJeAan. The inspection report refers on the one hand to the processing agreement with Z regarding the development of the online application MeldJeAan, in which the defendant is referred to as the controller, and on the other hand to the document called "measures taken in response to the data breach MeldJeAan" that the defendant submitted to the Inspection Service.
II.1.2. Position of the defendant
16. The defendant argued in her conclusions that she should not be regarded as controller for the processing of personal data via MeldJeAan.
In this context, the defendant referred to the decree of 25 February 1997 concerning primary education.[2] Pursuant to this decree, the Local Education Platform Antwerp (hereinafter: LOP Antwerp) has been obliged since 2021 to use the registration system to organize primary education in Antwerp. Consequently, the LOP Antwerp must also be considered a controller in the context of MeldJeAan, the defendant stated.
17. In confirmation of this statement, the defendant also referred to the letter of the Flemish Supervisory Commission (VTC) dated October 25, 2022, in which the LOP Antwerp appears to be regarded as the controller with regard to the processing of personal data in the context of MeldJeAan.
18. However, at the hearing the defendant took a different position. First of all, she explains the evolution of the roles of controller and processor. Until the end of 2022, the defendant was of the opinion that the LOP Antwerp was the controller in the context of MeldJeAan, in view of the above decretal obligation of the LOP Antwerp to organize the registration system. The documentation that was provided to the Inspection Service in August 2022 during the investigation in the context of this file was drawn up on the basis of the advice the defendant had received from the VTC, namely that the LOP should be considered a controller. In January 2023 the Agency for Educational Services of the Flemish Government (hereinafter: AGODI) announced its position regarding who takes on the role of controller in this regard. This position states that from the 2023-2024 school year the schools should be considered joint controllers, since the LOP Antwerp itself is not a legal entity but consists of the school boards involved.
[Footnote 2: B.S. April 14, 1997.]
Since the registration system is intended to provide a fairer and more transparent way of handling registrations, and in view of, among other things, the limited operating budgets of the LOP Antwerp, the defendant has decided to allocate financial resources and thus to assume joint controllership, together with the school boards. This position was taken subject to the outcome of the Flemish policy discussion. As a result of this position, the defendant has adjusted its approach to ensure compliance with the GDPR.
II.1.3. Assessment of the Disputes Chamber
19. The Disputes Chamber notes that in recent years several authorities have taken different positions and advice has been provided regarding the controllership for MeldJeAan, but that the most recent position of the defendant is that it considers itself a joint controller.
20. In this context, the Disputes Chamber refers to Article 26 GDPR. This article determines that when two or more controllers jointly determine the purposes and means of the processing, they are joint controllers. Two important elements of the cited Article 26 GDPR are, on the one hand, 'the purposes and means of the processing' and, on the other hand, 'jointly'.
21. As regards the determination of the purposes and means of the processing, reference is made to Article 4.7 GDPR, which defines the controller as the "natural or legal person, public authority, service or other body which, alone or together with others, determines the purpose and means of the processing of personal data". As with the concept of controller, the analysis of joint controllership requires a factual assessment.[3]
22. As for the 'joint' character, the overarching criterion for the existence of joint controllership is the joint participation of two or more entities in determining the purposes and means of one processing activity.
Joint participation can take the form of a joint decision of two or more entities or result from convergent decisions of two or more entities, when the decisions are complementary and necessary for the processing to take place in such a way that they have a tangible effect on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without the participation of both parties, in the sense that the processing by each party is inseparable from, i.e. inextricably linked to, that of the other.[4]
23. The Disputes Chamber determines that the purpose of the processing of personal data via MeldJeAan is fourfold. Firstly, guaranteeing the free choice of school for all parents and students, by avoiding camping lines in front of the school gate, objectification of enrollments in schools with capacity pressure, drawing up a central timeline and uniformity for the benefit of the parents; secondly, achieving optimal learning and development opportunities for all students, and this for primary education, as far as possible, in a school in their neighborhood; thirdly, promoting social cohesion; and fourthly, avoiding exclusion, segregation and discrimination. These objectives were determined by AGODI and the LOP Antwerp, which is obliged by decree[5] to implement this within its scope. AGODI states on its own website that the school boards and AGODI act as joint controllers: "[for] the registration system of the Flemish government, the school boards and AGODI are joint controllers. This means that the school boards and AGODI jointly determine the purpose and means for the processing of
[Footnote 3: EDPB Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR, July 7, 2021, https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 52.]
[Footnote 4: EDPB Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR, July 7, 2021, https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 58 et seq.]
[Footnote 5: Primary education decree of February 25, 1997, Belgian Official Gazette 17 April 1997, https://codex.vlaanderen.be/Portals/Codex/documents/1005384.html, Article 37vices semel (01/09/2022- ...): "Notwithstanding the first paragraph, the school boards that govern a school, with the exception of schools for special education, must have set up a registration procedure within the operating area of LOP Antwerp, Brussels-Capital or Ghent which applies to all schools, with the exception of schools for special education, located within that respective school scope."]
personal data. Both are responsible for the orderly maintenance and processing of personal data in the context of the General Data Protection Regulation".[6]
24. The defendant explains that the LOP Antwerp does not have the necessary resources to finance this registration system. Accordingly, the defendant has taken the decision to determine and allocate the necessary financial resources to the LOP Antwerp to be able to implement this decree obligation.
25. The Disputes Chamber establishes that the defendant has taken the decision, on the one hand, to determine the necessary financial resources and, on the other hand, to allocate these financial resources in the context of MeldJeAan. In addition, the defendant has concluded a processing agreement with Z in which the scope of the processing is determined by the defendant as controller with regard to the processor.
In view of the above, the Disputes Chamber finds that the defendant is the joint controller together with AGODI and the school boards, since the decisions of AGODI and the LOP Antwerp regarding the organization of the central registration system and the decisions of the defendant to provide the necessary financial resources and to conclude the processing agreement are convergent decisions that have a tangible effect on the definition of the purposes and means of the processing, that complement each other and that are necessary for the processing to take place in such a way.
26. In view of the above, the defendant must be considered a joint controller within the meaning of Article 26 GDPR and must fulfill the obligations incumbent on joint controllers as determined in the GDPR.
II.2. Article 5.1.f), 5.2, Article 24.1, Article 25.1 and Article 32.1 and 32.2 GDPR
II.2.1. Findings in the Inspection Report
27. During the inspection investigation, the Inspection Service asked questions about the security of the processing of personal data in the context of the online registration system MeldJeAan. In answering these questions, the defendant referred to the following documents: the processing agreement with Z on the one hand and the overview of the measures taken in response to the MeldJeAan data breach on the other hand.
28. Firstly, the Inspection Service notes that the aforementioned processing agreement with Z does not contain the signatures of the defendant and the processor.
[Footnote 6: https://onderwijs.vlaanderen.be/nl/directies-administraties-en-beleidingen/studentadministration-basic-en-secondary- education/students-register-in-primary-and-secondary-education/students-register-in-normal- education/registration-and-registration/registration system-normal]
29.
Secondly, the Inspection Service refers to the document entitled "Measures taken around the data breach MeldJeAan" of the defendant, in which a list is included of three categories of measures: software, access and environment. However, the aforementioned document does not indicate when exactly those measures were discussed, approved and implemented, nor which managers and employees of the defendant and processor Z were involved.
30. Finally, the Inspection Service notes that it is unclear how and when the data protection officer of the defendant was involved in the context of the security of the processing of personal data in the context of MeldJeAan.
31. Based on the above findings, the Inspection Service concludes that there is an infringement of Articles 5.1.f), 5.2, 24.1, 25.1, 32.1 and 32.2 GDPR.
II.2.2. Position of the defendant
32. The defendant disputes the findings of the Inspection Service. As for the findings regarding the lack of signatures in the processing agreement, the defendant argues that in accordance with Article 28.3 GDPR it is sufficient that the processing by a processor is regulated in an agreement or other legal act under Union or Member State law which binds the processor vis-à-vis the controller. The defendant states that there is no dispute between the parties to the processing agreement about the binding nature of this processing agreement. Moreover, the defendant points out that the contractual framework between the parties is currently being revised, so that the processing agreement transferred to the Inspection Service will soon be outdated. If desired, a new signed agreement can be transferred to the Disputes Chamber.
33. The defendant then refers to the finding of the Inspection Service as to how and when compliance with the processing agreement between the defendant and the processor is checked by her.
In this context, the defendant states that the GDPR nowhere, not even as part of accountability, provides for an obligation to systematically check compliance with each processing agreement, at least not when there is no indication or report of any risk.
34. Finally, the defendant formulates an answer regarding the finding of the Inspection Service on how and when the data protection officer was involved in the context of the security of the processing of personal data from MeldJeAan. The defendant clarifies that the data protection officer was not initially involved with MeldJeAan, since this platform was created before the entry into force of the GDPR. In the meantime, the data protection officer has been called in and involved in (among other things) the data protection impact assessment that was carried out.
II.2.3. Assessment by the Disputes Chamber
35. Article 5.1.f) of the GDPR requires that personal data "by taking appropriate technical or organizational measures, [be] processed in such a way that appropriate security is guaranteed, and that they, among other things, are protected against unauthorized or unlawful processing and against accidental loss, destruction or damage".
36. In further elaboration of Article 5.1.f) GDPR, Article 32.1 GDPR states that the defendant as controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the implementation costs, as well as the nature, scope, context and purposes of the processing and the likelihood and severity of the varying risks to the rights and freedoms of individuals.
37.
Article 32.2 of the GDPR provides that when assessing the appropriate level of security, account must be taken in particular of the risks presented by the processing, especially as a result of destruction, loss, alteration or unauthorized disclosure of, or access to, data transmitted, stored or otherwise processed, whether accidental or unlawful.
38. The Disputes Chamber points out that the accountability obligation under Article 5.2 GDPR, Article 24.1 and Article 25.1 GDPR means that the controller has an obligation, on the one hand, to take proactive measures to ensure compliance with the provisions of the GDPR and, on the other hand, to be able to demonstrate that he has taken such measures.
39. In short: the defendant is obliged to take appropriate technical and organizational measures to ensure an appropriate level of security and also to be able to demonstrate this.
40. With regard to the above-mentioned accountability obligation, the Disputes Chamber establishes that the Inspection Service asked the defendant the following: "A copy of [defendant's] documents regarding the measures and decisions that were taken for the security of the processing of data in the context of the online registration system 'MeldJeAan' and its accountability in accordance with Article 5(1)(f) and (2) of the GDPR, Article 24(1) of the GDPR, Article 25(1) of the GDPR and Article 32 of the GDPR. Please also provide a copy of the information and advice that the data protection officer of [defendant] has provided in that connection, and a document-substantiated explanation of his/her involvement in that context in accordance with Article 38(1) read in conjunction with Article 39(1) GDPR".
41.
The Disputes Chamber notes that the defendant does not submit any documents, or show in any other way, how and when compliance with the processing agreement was checked, neither at the start nor during the execution of the processing agreement. However, Article 28(1) GDPR prescribes that when processing is carried out on behalf of a controller, this controller may only rely on processors who provide adequate guarantees with regard to the application of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR. The controller can check this by, for example, requesting a description of the processor's security measures and the method used by the processor, with the involvement of the data protection officer. In the context of the already mentioned accountability obligation, it is important to properly document these assessments.
42. The Disputes Chamber then determines that the document "Measures taken regarding the data breach MeldJeAan" provides a series of measures, together with a clarification of the purpose of each measure and the status of its implementation. An additional document indicates when the meetings regarding these measures took place and who participated. The Disputes Chamber notes that this document is not very concrete about the approval of these measures, about the further timing of the implementation of certain measures, and about the follow-up of the security measures already introduced or still to be introduced. With these documents, the defendant therefore does not show that the state of the art, the implementation costs, and the nature, scope and context of the processing were taken into account, nor does it show that these measures are sufficiently tailored to the security risk and take the processing risks into account, as prescribed by Article 32.1 and 32.2 GDPR.
43.
With regard to the Inspection Service's finding regarding the involvement of the data protection officer, the Disputes Chamber determines that the defendant does not submit any documentation, such as advice, showing that the data protection officer was consulted in the context of the security of MeldJeAan. The defendant points out that MeldJeAan was created before the GDPR was applicable. However, it is up to each controller, after the GDPR came into effect, to proactively check whether its processing of personal data meets the requirements of the GDPR and, if necessary, to make the necessary adjustments and document this accordingly.
44. In view of the above, the Disputes Chamber rules that there is an infringement of Article 5.1.f), Article 32.1 and 32.2 j° Article 5.2, Article 24.1 and Article 25.1 GDPR, namely of the accountability regarding the security of the processing of personal data in the context of MeldJeAan.
45. The Inspection Service also established a violation of the above-mentioned articles in view of the fact that the processing agreement between the defendant and Z has not been signed. The Disputes Chamber points out that the processing agreement was executed by the parties, as agreed, regardless of the signature. The Disputes Chamber rules that the lack of signature does not constitute a violation of Article 5.1.f), Article 32.1 and 32.2 j° Article 5.2, Article 24.1 and Article 25.1 GDPR.
46. To the extent necessary, the Disputes Chamber recalls that, although Articles 5.1 and 5.2 of the GDPR are closely related to each other, a violation of the accountability obligation of Article 5.2 GDPR does not automatically mean a violation of Article 5.1 GDPR. Accountability concerns the formal externalization, through documents, that demonstrates compliance with the material basic principles of the GDPR.
The Disputes Chamber notes that the Inspection Report does not contain any elements that indicate a violation in connection with specific processing of personal data on behalf of the defendant.
II.3. Articles 35.1, 35.2, 35.3 and 35.7 GDPR
II.3.1. Findings of the Inspection Service
47. During the inspection investigation, the Inspection Service asked the defendant whether or not a data protection impact assessment (hereinafter: GEB) had been carried out for the processing that takes place with regard to MeldJeAan.
48. As indicated above in paragraph 27 et seq., on the basis of the answers provided by the defendant, the Inspection Service concluded that the defendant cannot merely be considered a processor, but must be considered a controller, given the processing agreement with Z in which the defendant is indicated as controller and the measures taken following the data breach. The obligation to carry out a GEB therefore rests on her.
49. The Inspection Service points out that this case involves an evaluation or scoring within the meaning of Article 35.3.a) GDPR, namely of characteristics of professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements of the data subject. In addition, data relating to vulnerable data subjects, namely children, are processed.
50. The Inspection Service then refers to the WP29 Guidelines on data protection impact assessments,[7][8] stating that the requirement to carry out a GEB applies to existing processing operations which are likely to pose a high risk to the rights and freedoms of natural persons and for which the risks have changed, taking into account the nature, scope, context and purposes of the processing.
51. In view of the above, the Inspection Service concludes that the defendant, as controller for the processing of personal data in the context of MeldJeAan, should have carried out a GEB.
The fact that this did not happen constitutes, according to the Inspection Report, an infringement of Articles 35.1, 35.2, 35.3 and 35.7 GDPR.
II.3.2. Position of the defendant
52. In its conclusions, the defendant argued that it could not be considered the controller. As already explained, the defendant nevertheless took the position during the hearing that it, together with AGODI and the local school boards, acts as joint controller as regards the processing of personal data in the context of MeldJeAan.
53. The defendant has taken various measures and actions in response to this position in order to act in accordance with the GDPR. For example, she has drawn up a GEB, which has received a favorable opinion from the data protection officer. The GEB was then submitted to the school boards as joint controllers. No comments were made on the GEB by the school boards, which means it is considered final. The defendant subsequently transferred this GEB to the Disputes Chamber.
II.3.3. Assessment by the Disputes Chamber
54. The Disputes Chamber refers to part II.1.3, in which the defendant has been qualified as a joint controller. Article 26.1 of the GDPR stipulates that joint controllers must determine and agree, in a transparent manner, their respective responsibilities for the fulfillment of the obligations under the regulation. Joint controllers must therefore determine "who does what" by mutually deciding who will have which tasks, to ensure that the processing complies with the applicable obligations under the GDPR with regard to the joint processing in question.[9] One of these obligations, which, if necessary, must be included in this division of tasks, is drawing up a GEB (Article 35 GDPR).
[Footnote 7: WP29, Guidelines on data protection impact assessments and determining whether a processing operation is "likely to result in a high risk" within the meaning of Regulation 2016/679.]
[Footnote 8: Working Party 29, predecessor of the EDPB.]
55.
In line with the risk-based approach set out in the GDPR, a GEB is not obliged for any processing. A GEB is only mandatory if the processing "is likely to pose a high risk to natural rights and freedoms persons" (Article 35(1) GDPR). When joint controllers at involved in the processing, they must determine precisely their respective obligations. In the GEB must describe which party is responsible for the different measures designed to address risks affecting the rights and freedoms of the protect those involved. Each controller must explain what his needs are and he must share useful information without giving away secrets (e.g. protection of trade secrets, intellectual property, confidential 10 company information) or vulnerable points. 56. Although in other circumstances a data protection impact assessment is required may be, Article 35.3 GDPR gives some examples of when a processing "likely to involve a high risk": “(a)asystematicandcomprehensiveassessmentofpersonalaspectsofnatural persons, which is based on automated processing, including profiling, and on which decisions are based that have legal consequences for the natural person are connected or which significantly affect the natural person in a similar manner; b) large-scale processing of special categories of personal data as referred to in Article 9(1) or of data relating to criminal convictions and criminal offenses as referred to in Article 10; or (c) systematic and large-scale monitoring of publicly accessible areas". 57. 
When assessing whether a GEB is required for processing and on the basis of their inherently high risk, nine criteria must be taken into account, namely: (1) the evaluation of scoring, (2) automated decision-making with legal effect or similar substantial consequence, (3) systematic monitoring, (4) sensitive data or data of the very kind personal nature, (5) data processed on a large scale, (6) matching or merging of datasets, (7) data relating to vulnerable data subjects, (8) innovative use or innovative application of new technological or organizational 9 EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021, https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 58 e.v. 10WP29, Guidelines on data protection impact assessments and determining whether a processing operation is "likely to have a involves a high risk" within the meaning of Regulation 2016/679, p.9. Decision on the merits 165/2023 – 14/24 solutions and (9) when as a result of the processing itself "data subjects [...] have a right cannot exercise or rely on a service or an agreement" (Article 22 and recital 91). 58. The WP29 states in its guidelines on the GEB that in most cases a controller can assume that for a processing operation that involves two of 11 the above criteria is met, a GEB must be carried out. The Disputes Chamber states It is clear that this is the case for MeldJeAan. 
The Disputes Chamber recalls that the following personal data were processed: identification data (name, address, date of birth, telephone number of both parents and children), electronic identification data (email addresses of both parents and children), personal characteristics (age, gender of children), education and training (mother), national number (the national register number of the child), the fact whether there are already brothers and/or sisters the child is present in a certain Antwerp school, the fact of whether the parents are a staff member being from a school where one applies, the fact whether the family received a school allowance in the current school year or the previous school year and the spoken language of the child. In addition, the following personal data were also processed within the application: various indicators regarding students such as home language, mother's education level, neighborhood indicator and school allowance and preferences for a particular school. There is therefore there is an evaluation or scoring, including profile determination and prediction, in particular of “characteristics concerning occupational performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements of the data subject" (recitals 71 and 91 GDPR). 59. This data is also processed on a large scale, as the personal data of thousands of children in Antwerp and their parents are processed in the context of the assignmentofaschool. These children are vulnerable data subjects (recital 75GDPR). In addition, sensitive data is also processed, such as the national register number of the registered children and whether or not a student is regarded as an indicator student must be. 1WP29, Guidelines on data protection impact assessments and determining whether a processing operation is "likely to involve a high risk" within the meaning of Regulation 2016/679, p.12. 
[12] WP29, Guidelines on data protection impact assessments and determining whether a processing operation is "likely to result in a high risk" within the meaning of Regulation 2016/679, p. 12.
[13] https://meldjeaansecondary.gent.be/faq: An indicator student is a student of whom: • the mother does not have a secondary education diploma or a study certificate of the second year of the third stage of secondary education (or equivalent); and/or • the family receives a school allowance in the current school year or the previous school year. The other children are non-indicator students. We use a short questionnaire to determine whether a child is an indicator student or a non-indicator student.

60. In view of the above, the Disputes Chamber is of the opinion that a GEB should have been drawn up for the processing of personal data in the context of MeldJeAan.

61. Article 35.7 GDPR determines what a GEB must at least contain: (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller; (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

62. On December 9, 2022, the defendant submitted the GEB that it drew up with regard to the processing of personal data in the context of MeldJeAan. The Disputes Chamber determines that the GEB designates the defendant as the processor, which is not consistent with the position set out by the defendant during the hearing.

63. The controller must also seek the advice of the data protection officer on the GEB, if one has been designated (Article 35.2 GDPR). The defendant also submits the data protection officer's positive advice regarding the GEB.

64. The Disputes Chamber notes that the registration system was already in place before the GDPR came into force and that various (sometimes contradictory) opinions regarding the processing responsibility were provided by, among others, VTC and AGODI. However, this does not mean that the obligations arising from the GDPR need not be complied with. As soon as the defendant had made the decision to grant the financing to the LOP Antwerp in order to implement its decree obligations, the defendant should have evaluated whether, in fact, it should be regarded as (joint) controller and whether it complied with all obligations arising from this qualification, such as drawing up a GEB.

65. The Disputes Chamber notes that the defendant does not comply with the above provisions, since the GEB still designates the defendant as processor. The Disputes Chamber points out that the GEB must be brought into line with the above provisions of Article 35 GDPR, also taking into account the defendant's capacity as joint controller. Accordingly, the Disputes Chamber also finds that there is a violation of Articles 35.1, 35.2, 35.3 and 35.7 GDPR.

II.4. Article 38.1 and Article 39 GDPR

II.4.1. Findings of the Inspection Service

66. During the investigation, the Inspection Service asked the defendant to provide copies of the information and advice that the data protection officer has provided in the context of (i) the security of the processing of personal data, (ii) the register of processing activities and (iii) the data protection impact assessment.

67. The defendant answered during the investigation that the MeldJeAan application has been in use since 2014. Since this is before the entry into force of the GDPR, no advice was sought from the data protection officer at that time. The processing was included in the register of processing activities and the data protection officer was informed about the data breach in Ghent and the steps taken as a result. At the time of writing this response, a GEB was being drawn up on which the data protection officer would provide advice.

68. Based on the above answer from the defendant, the Inspection Service determines that the defendant does not demonstrate that the data protection officer was effectively and timely involved in:
- the security of the processing of personal data in the context of MeldJeAan;
- the register of processing activities; and
- the assessment of the need for and, where appropriate, the carrying out of a data protection impact assessment.

II.4.2. Position of the defendant

69. In its conclusions, the defendant argues that the data protection officer was initially not involved in MeldJeAan, given that this platform was created well before the GDPR came into effect, so that at that time there was no data protection officer and no obligation to involve one. In addition, the defendant reiterates in its conclusions that the processing was recorded in the register of processing activities, that the officer was informed about the data breach in Ghent and that a new GEB is being prepared which will be submitted to the data protection officer for advice.

II.4.3. Assessment by the Disputes Chamber

70. It is important to note that the MeldJeAan platform predates the entry into force of the GDPR. The GDPR has been applicable since May 25, 2018; the controller must therefore proactively check whether the requirements of the GDPR have been met, and not adopt a wait-and-see attitude.
As soon as the defendant had made the decision to award the financing to the LOP Antwerp in order to implement its decree obligations, the defendant should have evaluated whether, in fact, it should be regarded as a controller and whether it met all obligations arising from this qualification.

71. These obligations include, among other things, the provisions regarding the position and tasks of the data protection officer as defined in Article 38 and Article 39.1 GDPR. After all, the GDPR recognises that the data protection officer is a key figure with regard to the protection of personal data, whose appointment, position and tasks are subject to rules. These rules help the controller to comply with its obligations under the GDPR, but also help the data protection officer to properly perform his duties.

72. The Disputes Chamber recalls that Article 38.1 GDPR prescribes that the controller ensures that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

73. Pursuant to Article 39.1 GDPR, the data protection officer must (a) inform and advise the controller of its obligations pursuant to the GDPR and other Union or Member State data protection provisions and (b) monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.

74. The defendant's documents do not show that the data protection officer was involved in the obligations under Articles 32.1 and 32.2 (see part II.2). The data protection officer was involved after a potential incident with MeldJeAan regarding Ghent secondary education was reported.

75. The defendant also submits to the Disputes Chamber the positive advice regarding the aforementioned GEB, which shows that, since its qualification as joint controller, it has involved the data protection officer in the processing of personal data relating to MeldJeAan. The Disputes Chamber rules that there is a historical violation of Article 38.1 and Article 39.1 GDPR, but that the defendant has already taken sufficient steps as far as the tasks, role and position of the data protection officer are concerned.

II.5. Article 30.1 GDPR

II.5.1. Findings in the Inspection Report

76. With regard to the defendant's register of processing activities, the Inspection Service concludes that it does not meet the minimum requirements imposed by Article 30.1 GDPR. In concrete terms, the Inspection Service establishes the following infringements in this regard:
- the description of the categories of data subjects and of the categories of personal data is incomplete (Article 30.1.c) GDPR), as in the "Export processing register" of the defendant's register of processing activities the categories of data subjects and personal data are only briefly listed rather than described. That is the case for the columns "categories of data subjects (whose personal data does the application process?)", "data categories: basic data" and "data categories: sensitive data". It is therefore not clear what exactly is meant there;
- the defendant does not demonstrate that its register of processing activities is up to date. In that context, the Inspection Service refers to the fact that the defendant states "see export processing register (date: 30/08/2022)", while the register was delivered to the Inspection Service via email on 19/09/2022. Consequently, on 19/09/2022 the Inspection Service received a register of processing activities of the defendant that was last supplemented on 30/08/2022.

II.5.2. Position of the defendant

77. The defendant submits that the GDPR states that the controller and processor are obliged (i) to keep a register in order to be able to demonstrate compliance with the Regulation and (ii) to cooperate with the supervisory authority and to provide this register upon request. Furthermore, the GDPR does not provide any further explanation about the creation, design and/or content of a register of processing activities.

78. Consequently, the defendant argues, the GDPR nowhere describes the level of detail at which the entries in the register of processing activities must be described. The GDPR leaves the controller, in this case the defendant, largely free in this regard, provided that the register (i) is sufficiently transparent, by specifying a number of mandatory elements that determine which processing activities are carried out, and (ii) is set up in such a way that the GBA can use it to carry out checks on compliance (or non-compliance) with the GDPR. The defendant therefore believes that the register is indeed so detailed that little more can be described or clarified regarding the categories of data subjects and personal data. All terms used, certainly when read in conjunction with all the other categories mentioned, are sufficiently clear as to which personal data are processed about whom.

79. As regards the currency of the register, the defendant confirms that the export provided to the Inspection Service was indeed dated August 30, 2022, despite the fact that it was only transferred on September 19, 2022. After all, an export of no more than a certain age had not been requested and, moreover, this was indeed the current version of the register, since it did not need to be adjusted in the period from August 30, 2022 to September 19, 2022.

II.5.3. Assessment by the Disputes Chamber

80. Article 30 GDPR requires each controller to keep a record of the processing activities carried out under its responsibility. Article 30.1.a) to g) GDPR stipulates that, with regard to the processing operations carried out by the controller, the following information must be available: (a) the name and contact details of the controller and, where applicable, the joint controllers, the controller's representative and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49.1 GDPR, the documentation of suitable safeguards; (f) where possible, the envisaged time limits for erasure of the different categories of data; (g) where possible, a general description of the technical and organisational security measures referred to in Article 32.1 GDPR.

81. The Disputes Chamber establishes that the defendant, in its register of processing activities, provides a summary for:
- the categories of data subjects (Article 30.1.c) GDPR), namely residents, non-residents, internal employees, external employees, children;
- the categories of personal data (Article 30.1.c) GDPR), namely, on the one hand, basic data such as name and first name, address details (street, house number, box, municipality, country), telephone number, identification codes (national register number), birth details (date and place of birth), vehicle details and login details and, on the other hand, sensitive data such as health data and legal data.

82. The Disputes Chamber, with reference to previous decisions,[14] must rule on whether Article 30.1.c) GDPR requires a description of the categories of personal data and of the categories of data subjects in the register of processing activities, or whether a summary is sufficient.

[14] See, among others, decision 149/2022 of October 18, 2022, available at https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-149-2022.pdf

83. The Disputes Chamber notes that Article 30.1.c) GDPR requires that a description of the categories of data subjects and of the categories of personal data be included in the register of processing activities.

84. The Disputes Chamber recalls the purpose of the register of processing activities. In order to effectively fulfil the obligations laid down in the GDPR, it is essential that the controller (and the processors) have an overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to assist the controller in complying with the GDPR for the various data processing operations it carries out, because the register makes their most important characteristics visible. The Disputes Chamber is of the opinion that this processing register is an essential instrument in the context of the aforementioned accountability obligation (Article 5(2) and Article 24 GDPR) and that this register underlies all the obligations that the GDPR imposes on the controller.

85. The Disputes Chamber notes that neither the text of the GDPR nor its objectives require that more than a list of the categories of personal data and of the categories of data subjects be included in the register of processing activities, nor, therefore, that a more detailed description would be necessary.

86. With regard to the categories of recipients, the Disputes Chamber refers to a recommendation of the Commission for the Protection of Privacy[15] and to legal doctrine[16] stating that it is not necessary to list the individual recipients of the data, but that these can be grouped per category of recipients. Mutatis mutandis, this statement can also be applied to the categories of personal data and data subjects.

[15] Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanadvies-nr.-06-2017.pdf
[16] W. Kotschy, "Article 30: records of processing activities," in Ch. Kuner, The EU General Data Protection Regulation (GDPR), a commentary, 2020, p. 621.

87. However, the Disputes Chamber points out that the completion of the register of processing activities must always be evaluated on a case-by-case basis to determine whether the description or summary it contains is sufficiently clear and concrete.

88. In the present case, the Disputes Chamber notes that the lists included in the register of processing activities are sufficiently specific. According to the Disputes Chamber, there is little doubt about the meaning of the above elements in the context of the processing activities listed in the register of processing activities.

89. With regard to the second finding of the Inspection Service regarding the currency of the register of processing activities, the Disputes Chamber points out that the register of processing activities must also be updated in line with developments in and the evolution of the activities of the company or organisation concerned. If the controller starts a new processing activity or an existing processing activity changes, the register of processing activities must be adjusted accordingly.

90. Since the period between the export of the register of processing activities and its transfer is limited to just under 3 weeks, and since there are no elements showing that the register of processing activities was not up to date, the Disputes Chamber is of the opinion that no infringement has been proven.

91. Consequently, the Disputes Chamber concludes that there is no infringement of Article 30.1 GDPR.

III. Sanctions

92. Based on the documents in the file, the Disputes Chamber determines that there are multiple violations of the GDPR: firstly, the infringement of Article 5.1.f), Article 32.1 and 32.2 in conjunction with Article 5.2, Article 24.1 and Article 25.1 GDPR; secondly, that of Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and finally that of Article 38.1 and Article 39.1 GDPR.

93. Having the necessary processes in place to achieve and demonstrate compliance with the GDPR is one of the fundamental principles of the GDPR. The data protection impact assessment is an important accountability tool, because it not only helps controllers to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR. The data protection officer also plays a crucial role in data protection at a controller.

94. The Disputes Chamber is of the opinion that there are sufficient elements to justify a reprimand, which is a light sanction and is sufficient in the light of the violations of the GDPR established in this file. When determining the sanction, the Disputes Chamber takes into account the fact that the defendant obtained (incorrect) advice regarding its qualification as controller, but after internal analysis took the necessary steps to meet its obligations as prescribed by the GDPR. The defendant has already remedied the infringements and provides evidence of this. For the sake of completeness, the Disputes Chamber points out that it is not authorised to impose an administrative fine on government bodies, in accordance with Article 221, § 2 of the Data Protection Act.[17]
95. The Disputes Chamber dismisses the other grievances and findings of the Inspection Service, because on the basis of the facts and documents in the file it cannot be concluded that there have been violations of the GDPR. These grievances and findings of the Inspection Service are therefore considered manifestly unfounded within the meaning of Article 57(4) GDPR.[18]

[17] Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, B.S., September 5, 2018.
[18] See point 3.A.2 of the Disputes Chamber's dismissal policy of June 18, 2021, available at https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf.

IV. Publication of the decision

96. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority, stating the identification details of the defendant, given the inevitable re-identification of the defendant in the event of pseudonymisation.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation:
- to issue a reprimand on the basis of Article 100, §1, 5° WOG with regard to the defendant concerning:
  o the infringement of Article 5.1.f), Article 32.1 and 32.2 in conjunction with Article 5.2, Article 24.1 and Article 25.1 GDPR;
  o the infringement of Articles 35.1, 35.2, 35.3 and 35.7 GDPR;
  o the infringement of Articles 38.1 and 39.1 GDPR;
- to dismiss, on the basis of Article 100, §1, 1° WOG, all other findings.

Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as defendant, within thirty days of its notification. Such an appeal may be lodged by means of an inter partes petition, which must contain the information listed in Article 1034ter of the Judicial Code.[19] The inter partes petition must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code,[20] or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).

[19] The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and a brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer.
[20] The petition with its appendix is sent by registered letter, in as many copies as there are parties involved, to the registrar of the court or deposited at the registry.

(signed) Hielke Hijmans
Chairman of the Disputes Chamber