Court of Appeal of Brussels - 2019/AR/1600

From GDPRhub
Revision as of 19:19, 11 November 2020 by Mh
Hof van beroep Brussel - 2019/AR/1600
Court: Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR; Article 6(1) GDPR; Article 13(1)(c) GDPR; Article 13(1)(e) GDPR; Article 13(2)(a) GDPR

Decided: 19. 2. 2020
Published: n/a
Parties: Liquor store v. Belgian DPA
Case Number: 2019/AR/1600
European Case Law Identifier: n/a
Language: Dutch

Original Source: Hof van beroep Brussel (in NL)

The Court of Appeal of Brussels annulled the Belgian DPA's decision which had led to a 10,000 EUR fine against a liquor store. The Court ruled that the DPA's decision was insufficiently reasoned and based on legislation that was not applicable at the time of the complaint. The DPA was ordered to pay back the fine.

English Summary

Facts

In August 2018, the DPA received a complaint from a customer of a liquor store. According to the complaint, the store had required this person to let them scan her electronic ID in order to issue a customer card. The DPA investigated the complaint and concluded that the liquor store had breached the GDPR. More specifically, according to the DPA the liquor store:

1. Did not have a valid legal basis for processing: consent was not freely given because no alternative was offered to the complainant (Article 6(1) GDPR);
2. Did not provide the complainant with enough information prior to the processing (Article 13 GDPR);
3. Processed more personal data than necessary, including national ID number, date of birth and gender (Article 5(1)(c) GDPR).

Dispute

The appeal against the DPA's decision was based on 9 points, among which was the claim that the DPA violated Articles 52(1), 54(2) and 82(2) of the GDPR (independence of the DPA, professional secrecy and damage liability for controllers). Most importantly, the appellant challenged two of the three findings of the DPA, which had led to the fine: the absence of a valid legal basis for personal data processing and the breach of the data minimization principle. They did not contest the lack of information.

Holding

The Court annulled the DPA’s decision as insufficiently reasoned and based on legislation that was not applicable at the time of the complaint. The Court did not have the power to order the DPA to pay back the fine, as that falls outside of its jurisdiction, but it did quash the decision imposing the fine.

As for the breach of the data minimization principle:

1. The DPA had no evidence to support the finding that the appellant was actually processing the national ID number of the complainant;
2. The appellant was not obliged to give the complainant an alternative way of creating a discount card: the relevant provision of the e-ID law was not applicable at the time;
3. No personal data processing took place because the complainant had refused to have her e-ID scanned;
4. The DPA’s finding that the complainant’s birth date was not used to verify her age is a mere assumption;
5. The DPA should not have assumed that the complainant would suffer an undeniable disadvantage by missing out on discounts available via the client card. This is not a disadvantage because only a potential benefit was lost in this case.

The Court also upheld the appeal against the DPA’s decision as regards the absence of a legal basis for processing: the legislation that requires giving people alternatives to the processing of the e-ID was not applicable at the time of the complaint.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Dutch original for more details.




Court of Appeal Brussels - 2019/AR/1600 - p. 2

ON APPELLANT, represented by its director Mr _________________, with KBO No ___________________, having its registered office at ______________________, hereinafter 'the appellant', represented by its counsel Mr VANDENDRIESSCHE Gerrit and Mr CLINCK Jan, lawyers, both with offices in ____________________________, against decision 06/2019 of 17 September 2019 of the Geschillenkamer van de Gegevensbeschermingsautoriteit;

AGAINST

The GEGEVENSBESCHERMINGSAUTORITEIT, independent public institution (supervisory authority) with legal personality, with KBO nr. 04694.679.950, with registered office at 1000 BRUSSELS, Drukpersstraat 35, hereinafter "GBA", respondent, represented by its advisers Mr. CLOOTS Elke, Mr. SOTTIAUX Stefan and Mr. ROETS Joos, lawyers, all with offices at 2018 ANTWERPEN, Oostenstraat 38 bus 201.

1. Jurisdiction of the Court of Appeal

The Court of Appeal derives its jurisdiction from an appeal lodged by the appellant on 18 October 2019 at the Registry of the Court of Appeal against the decision of 17 September 2019 (notification dated 19 September 2019) taken by the Disputes Chamber of the Data Protection Authority (hereinafter 'GBA') on the merits in accordance with Article 108 § 1 of the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter 'GBA Act').

2. The Arbitration Chamber ruled: to impose sanctions in relation to the violation of Article 5(1)(c); 6.1.
- on the ground of art. 100, §1, 9° WOG, to order the defendant to bring the processing into conformity with art. 5.1.c), art. 6.1, art. 13.1.c), art. 13.1.e) and 13.2.a) AVG;
- on the ground of art. 101 WOG, to impose an administrative fine of 10,000 EUR pursuant to the infringement of art. 5.1.c) and art. 6.1 AVG;
- on the ground of art. 100, §1, 16° of the WOG, to publish this decision on the website of the Data Protection Authority, albeit anonymously.

The appellant gives the following factual account:

1. The appellant, the applicant, is a drinks business established in ______________. It is a family business with more than 40 years of experience. It has branches in ______, _____ and ______.

2. In the past, the Appellant used paper loyalty cards to grant benefits to customers. Recently, the appellant switched to an electronic cash register software system that also allows a customer's electronic identity card (eID card) to be read in electronically using the barcode and, based on this barcode, to grant benefits on purchases. The present case concerns the administrative procedure initiated by the GBA against the appellant following a complaint lodged by one (1) client of the appellant. The name of this customer is otherwise irrelevant and is therefore not mentioned. The client is hereinafter referred to as "Complainant".

3. On 28 August 2018, the Complainant filed a complaint with the Data Protection Authority because she did not want her eID card to be read in order to grant discounts on her purchases (Section A.1). The complaint was as follows:

Explaining the facts

On Friday 8 June, I went to buy drinks from the drinks trade appellant, _________________________. With a few bottles of liquor it was a high amount. On arriving at the checkout they asked me if I would not like a loyalty card. I said yes. I answered that I did not want to give my identity card, but that I would like to write down the data needed to create a loyalty card.
I was refused my loyalty card - they only create loyalty cards by reading the identity card. This scenario happened again on Saturday 30 June - this time at the liquor store appellant in ____________________. Because we had a BBQ with a large group that day, the bill for drinks was again a hefty amount. When we arrived at the checkout they asked me if I didn't want a loyalty card.
I said "Yes". I answered that I didn't want to give my identity card, but that I wanted to write down the data needed to create a loyalty card. The loyalty card was refused to me - one only creates loyalty cards by means of reading the identity card. At that moment there were several people behind me at the cash register. One of them also made the remark that it cannot be that for a loyalty card the identity card must be read in. The lady at the cash register said that she had nothing to do with this and that this now was their way of working. Maybe a small remark: I am 51 years old and really don't look like someone of 16 years old :)

In other words, the person concerned agreed to her personal data being processed by the appellant in order to receive a loyalty card. However, she did not wish this processing to take place by reading her eID card.

4. On 26 September 2018, the person concerned received a message from Mr Willem De Beuckelaere of the GBA that her complaint had been 'declared admissible/verified and referred to the relevant department, which will inform you of the further progress of your case' (section B.2). The First Line Service apparently decided not to start mediation.

5. On 29 October 2018, Mr Van der Kelen, in his capacity as chairman of the Disputes Chamber of the GBA, informed the Inspector General of the Inspection Service of the GBA as follows: In accordance with Article 96, §1 of the Act of 3 December 2017 establishing the Data Protection Authority, you are hereby informed of the request of the Disputes Chamber from today to conduct an investigation, together with the complaint and the minutes of that decision. (document B.3) The Disputes Chamber did not provide any further details on which aspects of the processing the Inspection Service had to investigate.
That same day, Mr Van der Kelen also informed the person involved of the decision of the Disputes Settlement Chamber to have the Inspection Service carry out further investigation into the complaint (document B.4).

6. On 7 February 2019, the appellant received a letter from Mr Frank Schuermans, Inspector-General of the Inspectorate of the GBA (document B.6), requesting the appellant to provide the Inspectorate with information and documents in order to 'gain a better understanding of your procedure for the acquisition of personal data from your
customers, the internal use of these personal data in your company and the possible distribution of these obtained personal data to third parties in accordance with the recalled AVG obligations (...)".

7. On 12 April 2019, the appellant's counsel provided the answers to the questionnaire of the Inspectorate, together with additional documents (document B.7).

8. On 10 May 2019, the inspector-general of the GBA's Inspectorate, now Mr Van den Eynde, submitted his report of the investigation to the chairman of the Disputes Settlement Chamber, now Mr Hielke Hijmans (document B.8). This report contained, on the one hand, 'findings (within the scope of the complaint or serious indications)' and, on the other hand, 'additional findings (outside the scope of the complaint or serious indications)'.

9. On 28 May 2019, the Disputes Chamber decided to deal with the substance of the case (document B.9).

10. On 3 June 2019, the Disputes Chamber informed the appellant of its decision to deal with the substance of the case (document B.10). The Appellant was also informed of its options, such as requesting a copy of the case file and submitting a defence. It was only at this point that the Appellant was given the opportunity to become aware of the content of the Complainant's complaint against the processing of personal data by the Appellant. On the same day, the GBA also sent a registered letter to the Complainant, who immediately received a copy of the inspection report (Section B.11).

11. On 27 July 2019, the Appellant submitted his defences (documents C.1 and C.2). On 17 September 2019, the Disputes Committee issued a decision on the merits, hereinafter referred to as the 'Challenged Decision' (document D.1).
For its part, the Data Protection Authority (hereinafter referred to as the 'GBA') explained the facts as follows:

1. On 28 August 2018, the GBA received a complaint from a person (hereinafter referred to as "the Complainant") who is a customer of the Appellant, a beverage company with various establishments in _________________. In the complaint form, the person concerned stated that, in order to obtain a customer card from the liquor trade, she was required to have her electronic identity card read into the liquor trade's computer system. However, the person concerned did not wish to have her identity card read electronically. Her suggestion, as an alternative, that the personal data necessary to obtain a
customer card to be issued in any other way was rejected. Consequently, the person concerned was refused a loyalty card from the beverage trade, although she wished to obtain one. This was done twice, both at the _________ branch (on 8 June 2018) and at the ____ branch (on 30 June 2018). The person concerned described the facts as follows in particular in the complaint form that she submitted to the GBA (document 1):

"On Friday 8 June, I went to buy drinks from the liquor trade appellant, ______________. With a few bottles of spirits it was a high amount. At the checkout they asked me if I didn't want a loyalty card. I said yes. I answered that I did not want to give my identity card, but that I would like to write down the data needed to create a loyalty card. I was refused the loyalty card - they only create loyalty cards by reading the identity card. This scenario happened again on Saturday 30 June - this time in the liquor store appellant in ______. Because we had a BBQ with a large group that day, the bill for drinks was again a hefty amount. At the checkout they asked me if I didn't want a loyalty card. I said 'Yes'. They asked for my identity card to read it in. I answered that I didn't want to give my identity card, but that I wanted to write down the data needed to create a loyalty card. I was refused the loyalty card - they only create loyalty cards by reading the identity card. At that moment there were several people behind me at the checkout. One of them made the remark that it is not possible for a loyalty card to have to read the identity card. The lady at the cash register said that she had nothing to do with this and that this was their way of working. Maybe a small remark: I am 51 years old and really don't look like a 16 year old :)."
2. On 26 September 2018, the GBA declared the complaint admissible on the ground of articles 58 and 60 of the Act establishing the Data Protection Authority (hereinafter: "GBA Act")[1] (document 2). The complaint was subsequently submitted to the Disputes Chamber of the GBA in accordance with Article 62, § 1, of the GBA Act. The admissibility decision was also notified to the complainant on 26 September 2018 in accordance with Article 61 GBA Act (document 3). On 23 October 2018, the Disputes Settlement Chamber decided, on the basis of Article 63, 2°, and Article 94, 1°, of the GBA Act, to request an investigation from the Inspection Service of the GBA (document 4).

4. On 29 October 2018, the request of the Disputes Settlement Chamber to conduct an investigation was submitted to the Inspection Service, in accordance with Article 96, § 1, GBA Act. The complaint and the minutes of the decision of the Disputes Chamber of 23 October 2018 were attached to this request. By letter dated 29 October 2018, the Chamber of Disputes informed the person concerned of the transfer to the Inspectorate (document 5).

[1] Act of 3 December 2017 establishing the Data Protection Authority, BOJ 10 January 2018.

5. In order to examine the file, the Inspection Service sent a written inquiry to the data controller on 7 February 2019 (document 6). As this written questionnaire was not initially answered, the Inspectorate sent a reminder by registered letter on 4 April 2019 (document 7). On 12 April 2019, the appellant, through her counsel, finally sent a reply to the Inspection Service (document 8).

6. After completing its investigation, the Inspection Service drew up a report on 10 May 2019 and attached it to the file, in accordance with Section 91(1) of the GBA Act (document 9). The inspection report noted in particular the following findings (p. 1-2):

"- The complaint [ ... ] concerns the automatic reading of the e-ID for the creation of a loyalty card for a drinks business. The barcode is linked to the customer's data during the successive visits of the customer [ ... ].

- The customer data thus stored are: name, first names, address, date of birth, etc., from when the person concerned is a customer, amount of purchases.

- The Disputes Chamber did not provide any additional indications to be examined by the inspection service [ ... ], such as concerning an examination of the privacy statement of the data controller [ ... ].

Earlier, the Commission accepted that some traders can identify their customers if these customers register in a strictly personal loyalty system that allows them to benefit from a price reduction or to receive a price reduction in the Gout of the purchases made (marginal number 17 recommendation 03/2011).

- However, the Committee also considered it important that the consent of the customer be obtained when reading the e-ID in the context of a loyalty system, and that 'an alternative for the use of his identity card (is) proposed' to the customer (recommendation 6 at the end of recommendation 03/2011). The e-ID legislation has been amended by article 27 of the Act of 25 November 2018 containing various provisions relating to the National Register and the population registers. Article 6(4) of the Act of 19 July 1991 provides a new framework for the use of the data on the e-ID that as from 23 December 2018 must be checked/implemented by the data controller. The electronic identity card may only be read or used with the free, specific and informed consent of the holder of the electronic identity card. Where a benefit or service is offered to a citizen by means of his electronic identity card in the context of an IT application, an alternative that does not require the use of the electronic identity card must also be proposed to the person concerned.'