Court of Appeal of Brussels - 2020/AR/1333
From GDPRhub
| Cour d'Appel Bruxelles - 2020/AR/1333 | |
|---|---|
 | |
| Court: | Court of Appeal of Brussels (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 32(1) GDPR Article 32(4) GDPR |
| Decided: | 27.01.2021 |
| Published: | |
| Parties: | X APD/GBA (Belgium) |
| National Case Number/Name: | 2020/AR/1333 |
| European Case Law Identifier: | |
| Appeal from: | APD/GBA (Belgium) n ° 53/2020 |
| Appeal to: | |
| Original Language(s): | French |
| Original Source: | Cour d'Appel des Marchés (in French) |
| Initial Contributor: | TaraTb |
The Court of Appeal overruled the DPA's decision to fine €5,000 for mistakenly sending an email to 150 recipients whose email addresses is wrongfully disclosed, because it considered the decision to be disproportionate.
English Summary
Facts
On 1 September 2020, the Belgium DPA imposed a fine of €5,000 on a controller for sending unsolicited emails for electoral message and disclosure of emails (via CC). The controller did not agree with the fine and filed for appeal.
Dispute
Proportionality of the administrative fee
Holding
The Court of Appeal overruled the DPA's decision for lack of justification as required by Article 83 GDPR, and lack of proportionality. The decision was sent back to the authority who is additionally required to pay back legal cost for €1,400, since the Court could not itself reform, or amend the decision.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Court of Appeal Brussels -2020 / AR / 1333 p. 2
X, [...], represented [...],
Requiring partner,
Against Decision No. 53/2020 pronounced by the Contentious Chamber of the Authority for the Protection of
Data as of September 1, 2020 (DOS-2019-02974)
Vs:
THE DATA PROTECTION AUTHORITY, BCE 0694.679.950, with its registered office at
the press35 in 1000 Brussels,
represented by Me CROISANT Guillaume (guillaume.croisant@linklaters.com) and Me SERON Carine
(carine.seron@linklaters.com) lawyer in BRUSSELS,
Defendant,
****
1.The referral to the Market Court.
°
The Markets Court is seized by an appeal from X against decision no.53 / 2020
pronounced by the Contentious Chamber of the Data Protection Authority (ei-after the
C ontentious chamber ”) in September 2020 which imposes a fine of 5,000 € on him
(DOS-2019-02974).
Pursuant to article 108 § 1 of the law of 3 December 2017 establishing the Protection Authority
data (hereinafter “APD law”), the contentious chamber informs the parties of its decision and of
the possibility of appealing to the Procurement Court within thirty days, from the date of
notification of the decision. The appeal brought by a request lodged with the registry of the court of appeal
de Bruxelles dated September 29, 2020 is therefore admissible. The admissibility of the appeal is
not contested.
The case was argued at the hearing on January 13, 2021 in the form of a video conference (Webex).
By email from the registry of January 3, 2021, the parties were invited to participate in a
video conference. By emails of January 11, 2021, counsel for the parties indicated their agreement to
replace the face-to-face public hearing with a virtual public hearing.
On the date of the hearing, the registry is at the disposal of any litigant and any person wishing to
attend the debates, the link and the password allowing him to participate in the videoconference.
2.The Attagged Decision.
The Contested Decision states the following:
"PARCES REASONS, LACHAMBRE LITIGATION,
Decides, after deliberation, to impose a fine of 5000EUR on the data controller
on the basis of articles 100, 13t 101 of the LCA as well as 83 of the GDPR, for / 'all
breaches identified, namely for breach of Article 5, 1., b) of the GDPR, and
1 PAGE □ 1- □ valid farfetched 1942078-0002-0025- □ 5- □ 1-i; -J
L ..J Brussels-2020 Court of Appeal / AR / 1333 p. 3
breach of articles 5.1.a} and 5.1.b), 6.1, 25.1 and 25.2, 32.1 and 32.4 of the GDPR read
together.
This decision may be appealed against within thirty days, from
notification, to the Procurement Court15 (Article 108, § 1 of the LCA), with the Authority
data protection as a defendant. "
3. The parties' demands.
In summary conclusions filed on December 15, 2020, X requests:
"PRINCIPLE / PAL
Declare the appeal admissible and well founded,
Reform the decision appealed from,
In doing so, pronounce the suspension of the pronouncement.
IN THE ALTERNATIVE
Dec / arer / 'appelrecevab / eet founded,
Reform the decision appealed from,
In doing so, considerably reduce the fine imposed by the contentious chamber of
the Data Protection Authority.
INFINITELY SUBSIDIARY
Declare / 'appelrecevab / eet founded,
Reform the decision appealed from,
In doing so, refer the complaint to the Contentious Chamber so that it adopts a
new decision which would take into account the grounds for annulment retained.
IN ALL CASES
Order the respondent to pay the entire costs and expenses of this liquidated procedure
as follows with regard to X:
Appeal request fee: 20.00 euros
procedural indemnity: 1,440.00 euros
Total: 1,460.00 euros ”
The Data Protection Authority (APD} requests summary conclusions, filed with
Registry of the Brussels Court of Appeal Ie 07/01/2021
"PLAISEÀ THE COURT DESMARCHES OF THE COURT OF APPEAL OF BRUSSELS
- As a principal /, to declare the appeal of X unfounded and to condemn it to the entire
costs of the proceedings, including the procedural indemnity fixed at the basic amount of
€ 1,440;
-In the alternative, if Your Court were to accept a ground for annulment (quad no), to refer
the complaint before the Contentious Chamber so that it adopts a new decision
in accordance with the judgment of Your Court. "
4. The means.
4.1.
X makes the following arguments:
the means: / 'amended inflicted does not respect /' article 83 of the GDPR
(a) The nature, gravity and duration of the violation, taking into account the nature, of
the scope or purpose of the processing concerned, as well as the number of people
affected and the level of damage they have suffered (article 83.2.4 of the GDPR)
r PAGE 01-00001942078-0003-0025-05-01-�
L _J Brussels-2020 Court of Appeal / AR / 1333 p. 4
b) The fact that the violation was committed willfully or negligently {article
83.2.b of the GDPR)
c) Measures taken by the controller and the processor to
mitigate the damage suffered by the data subject (art / e83.2.c of the GDPR}
d) Any violation committed by the controller or processor
(article 83.2.e of the GDPR}
e) The degree of cooperation established with the supervisory authority with a view to
violation and mitigate any negative effects (article / e83.2.f of the GDPR)
f) Any other aggravating or mitigating circumstance applicable to
circumstances of the case, you / Ie that the financial advantages obtained or the losses
avoided, directly or indirectly, as a result of the violation (article 83.2.k of the GDPR)
2nd plea: / the fine is disproportionate
SUBSCRIBE: REDUCTION OF THE FINE
IN AN INFINITE SUBSIDIARY: REFERRAL TO LACHAMBRE LITIGATION
4.2.
The ODA, for its part, raises the following means:
Means 1: / the fine imposed by the Contested Decision is proportionate and complies with the article
83 of the GDPR. The Litigation Chamber fully complied with article 83.1 of the GDPR and
principle of proportionality in its choice to impose an administrative fine on
X only in determining the amount thereof.
It has taken into consideration the criteria listed in article 83.2 of the GDPR to assess and
guarantee the proportionate and dissuasive nature of this fine. On the other hand, she discarded the
mitigating circumstances alleged by X, because cel / es-ei were either not
relevant or unfounded.
In addition, the fine imposed on X is in line with the case law of the
Litigation Chamber relating to the il / here processing of personal data
to electoral / ins.
X's sole plea, having regard to which administrative fine imposed on it by the
Decision attacked would be disproportionate, must therefore be rejected for lack of
foundation.
Means 2: in the alternative, the Court cannot substitute its decision for that of the Chamber
Litigation. In the alternative, even if the Court were to annul the Contested Decision (quad
no), it cannot substitute its assessment for that of the Contentious Chamber as the
solicitX.
Indeed, when X so / lawful of the Court that it decides in full jurisdiction by reforming the
Contested Decision and pronouncing the suspension of the pronouncement in place of the Chamber
Litigation, he asks the Court to decide on an aspect that falls within the power of
discretionary judgment of / 'APO. A solution cannot be adopted. The courtyard
should therefore refer the matter back to the contentious chamber for the latter to adopt
a new decision which would take into account the grounds for annulment retained by the Court.
r PAGE 01-00 □□ 1942078- □□□ 4- □ 025- □ 5- □ 1-; i
L _J Brussels Court of Appeal -2020 / AR / 1333p. 5
5. The facts.
The Attacked Decision relates the facts as follows:
“On 25 May 2019, the complainant submitted a request for information to the Autorité de
protection of data concerning the use by the defendant of his / her e-mail address
personal for / 'sending an electoral message received on May 22, 2019, addressed to his / her name by
his secretary. The complainant emphasizes that he never gave his consent to have his address
be used for this purpose by the defendant. The complainant also denounces the fact that this
message was sent to many recipients p / aced in copy, which favored Ja
diffusiononsol / icitéedesourelectronicaddress tothispeople.
2. The letter read as follows: “Ladies and Gentlemen, Dear Friends, Dear Friends, I
am proud to be the [Xth] candidate of the [Y] list for our borough [list of
communes concerned..J. Allow me to ask for your suffrage. A good result to me
will allow our team at the College and the Provincial Council to be even more efficient. I
wishes to do everything in its power to also support our local representatives and their projects.
3. By letter of July 2, 2019, the Frontline Service of the Protection Authority
of the data invited the complainant to exercise his rights with the defendant, in this case,
his right to object to the processing of his personal data. At the same time, by letter
On July 2, 2019, the Frontline Service contacted the defendant for him
ask in particular how he / she had obtained the duplicating e-mail address, if he
had lodged a data breach notification with / 'APO and that / the measures
been taken so that this type of incident does not happen again.
4. Responses that the Respondent addressed to the complainant and to the Primary Care Service.
sign, it appears that the complainant's email address was collected on the occasion of a
request for information sent in March 2014 by the p / aignant to the secretariat of the
bourgmestre of the city of X., to sign a public cleanliness problem.
more particularly an e-mail addressed to "secretariat.bourgmestre@X.be"
concerning an illegal dump near the old city walls
which the parent requested cleaning. On July 4, and in fact, in his letter to
at the front line service, co-signed by the defendant, the defendant's secretary writes
the following explanation regarding the collection of the e-mail address reads "g
come from a "hotlines" file organized by the defendant when he was
»Bourgmestre of the city. The p / aignant therefore appears in this / ui to have, at a time
or another, had contact with the defendant ”The Litigation Chamber cannot therefore
follow the defendant in his subsequent explanations (July 2020)
which / 'disputed email address (and others) would have been collected via emails to him
being addressed personally and not via an administrative or other service of
the municipal administration The contentious chamber understands as soon as the
collected by the burgomaster are not only the result of contacts with citizens
with the city administration but also, according to the statements of the defendant, emails to him
having been addressed personally, which was not the case with regard to
e-mail of the complainant who was indeed collected via the bourgmestre's secretariat.
5. With regard to the modus operandi for sending the disputed email, the Respondent replied
to questions from the Data Protection Authority by co-signing the following exp / ication
provided by the municipal employee who was his secretary when he was mayor:
IPAGE 01-00001942078-0005-0025-05-01- �
L ..J Brussels-2020 Court of Appeal / AR / 1333 p. 8
personal data and the free movement of such data, and repealing Directive 95/46 / EC (regulation
general data protection or GDPR)
"1. Each supervisory authority shall ensure that the administrative fines imposed in
under this article for violations of this Regulation referred to in paragraphs 4, 5
and 6 are, in each case, effective, proportionate and dissuasive.
2. Based on the characteristics of each case, the administrative fines imposed
in addition to instead of the measures referred to in Article 58 (2) (a) to (h), and
j). To decide whether to impose an administrative fine and to decide on the amount
administrative fine, due account shall be taken, in each individual case, of the
following items
a) the nature, severity and duration of the viofation, taking into account the nature, of
the scope of the purpose of the processing concerned, as well as the number of people
affected parties and the level of damage they suffered;
(b) the fact that the violation was committed willfully or negatively;
c) any action taken by the controller to the processor to
to mitigate the damage suffered by the persons concerned;
d) the degree of responsibility of the controller to the processor,
taking into account the technical and organizational measures they have implemented
by virtue of Articles 25 and 32;
e) any relevant violation previously committed by the responsible
processing to the subcontractor;
f) the degree of cooperation established with the supervisory authority in order to remedy
violation and mitigate any negative effects;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the violation,
in particular if, and to the extent that the processor is responsible for the processing
notified the violation;
i) / where measures referred to in Article 58 (2) have been
previously ordered against the controller at the
treating concerned for the same oj and, the respect of these measures;
} the application of codes of conduct approved in application of / 'article 40 to the
certification mechanisms approved in application of article / e42; and
k) any other aggravating or mitigating circumstance applicable to
circumstances of the case, you / Ie that the financial advantages obtained or the losses
avoided, directly or indirectly, as a result of the violation ”(underlined by us).
7. Motivation.
7.1. The infractions.
X does not dispute the infractions. There is therefore no need to examine the merits of the Decision.
Attacked in that it declares the infringements as proven.
7.2. The scope of the jurisdiction of the Market Court.
The parties disagree on the scope of the jurisdiction / jurisdiction of the Market Court, in
particularly the question of the extent of the full jurisdiction of the Market Court, or more
concretely on the question of whether the Court - after having set aside a decision - can substitute
its own decision to the decision of the APD and can therefore impose a sanction "different" from that
1 PAGE 01- □ 0 □□ 1942078-0008-0025- □ 5- □ 1-; i
L _J Brussels Court of Appeal -2020 / AR / 1333 p. 14
decisions, some of which have a scope equivalent to that of the courts and tribunals of the order
judicial process, it is imperative that a judicial remedy be instituted by the legislator in order to guarantee
aujusticiable an appeal before a court forming part of the judicial order.
It follows that the Market Court cannot therefore substitute its decision for that of the authority
administrative only when the Court finds that this decision is illegal or irregular (for
example when any principle of good administration would be violated by the decision
administrative attack).
A manifest error "may" result in the decision being overturned. It follows that it belongs to the
applicant to prove the manifest error of assessment allegedly committed by the board
litigation of the APO, the illegality of the Contested Decision or the disregard of the principles
general matters of good administrative management
The motivation required by the law of July 29, 1991 on the explicit motivation of administrative acts
must include a statement of the legal and factual considerations which form the basis of the
decision. It follows from these provisions that, in the event that a decision is legal
administrative process is based on the taking into account of a certain number of considerations, the respect of
the requirement of motivation which they foresee only leads its author to have to state only those on
which is the basis for the decision he has taken. It follows from this that the plea alleging insufficient
motivation of the Attacked Decision which did not have to rule on all the criteria provided for
in Article 83 of the aforementioned GDPR and the error of law that this insufficient reasoning would reveal,
should be discarded.
7.4. Does the fine imposed comply with Article 83 of the GDPR?
(first plea of the applicant and the APD)
Insofar as the applicant criticizes the content of the answers provided by the Chamber
APO litigation, the plea cannot be accepted.
The applicant claims:
"4.1.3.
In this case, the Contentious Chamber of the Data Protection Authority imposed a
fine in the amount of 5,000.00 euros without taking into account all the elements
thus invoked by / 'artic / e83 of the GDPR Regulation.
a) The nature, severity and duration of the viofation, taking into account the nature, of fa
scope or purpose of the processing concerned, as well as the number of people
affected and the level of damage the elves suffered (article 83.2.4 of the GDPR)
4.1.4.
The Data Protection Authority should have taken into account the nature, the seriousness
and the duration of the breach as well as the number of affected persons affected and
The level of damage that the elves suffered (article 83.2 a)
In this case, X sent a single courrief to the complainant, Z, and immediately
excused for this handling error so that there was only one person
affected and the GDPR violation has not lasted.
18Cour des marchés June 12, 2019, 2019 AR 113.
r PAGE □ 1- □ valid fares 1942 □ 78- □ valid 14-0025-05- □ 1-�
L _J Brussels-2020 Court of Appeal / AR / 1333 p. 15
This handling error did not, moreover, cause significant damage to Z, which
that the contentious chamber did not take into account in the assessment of / 'fine
inflicted on X.
4.1.5.
In terms of main conclusions, the Data Protection Authority recognizes that a
only elitigious email but indicates that it is wrong to consider that only one person has
was affected as soon as the email in question was sent to 150 people.
This does not mean, however, that these 150 people are "affected people" in the
meaning of section 83.2. of the GDPR as soon as it is not established that X did not have
authorization to use the personal data of some of these people.
Moreover, apart from Z, no one has issued any p / aints, neither to X, nor to the Protection Authority.
Datas.
b) The fact that the violation was committed willfully or negligently (article
83.2.b of the GDPR)
4.1.6.
The Data Protection Authority should also have taken into account that the
violation was not willful and took place, on the contrary, by neg / igence (article 83.2 b).
As X was able to explain through his secretary, the latter sent
election advertising from his private mailbox, omitting to hide the list of
recipients.
There was therefore no intention to misuse these addresses, nor to harm anyone else.
either.This is a simple handling error for the excused.
4.1.7.
In its decision, the Litigation Chamber recognizes "that no element of the file attests
that the infringement was committed deliberately, on the instructions of the defendant ”(page
11 of the decision).
The Contentious Chamber thus agreed to retain the unintentional nature of the
under mitigating circumstances.
However, at the level of the sanction, the Contentious Chamber did not, in reality, take any
consideration of this attenuating circumstance as soon as, and as will be explained below
below, the sanction imposed on X is a very severe sanction compared to the sanctions
usually applied by the contentious chamber.
4.1.8.
In terms of main conclusions, the Data Protection Authority alleges that “Ie
unintentional nature of the infringement which was retained by the Litigation Chamber as
attenuating circumstance (Contested Decision paragraph 35} concerns only the
third violation (article 32.1 of the GDPR) ”(page 15 of the main conclusions of
the Data Protection Authority).
In other words, the Data Protection Authority estimates, in terms of conclusions
principa / es, that this mitigating circumstance was not retained for the violations of
articles 5.1.a, 5.1.b, 6.1 as well as articles 25.1 and 25.2 of the GDPR.
It is clear that this statement is in total contradiction with the decision
rendered by the Contentious Chamber of the Data Protection Authority.
1 PAGE 01-00001942078-0015-0025-05-01-�
�
L __J Brussels Court of Appeal -2020 / AR / 1333 p. 16
The latter admitted, under Title 3 of its 'Corrective Measure' decision, that
mitigating circumstance without making any distinction and without specifying that it only applied
either violation.
Point 35 of the contested decision is, in fact, worded as follows:
"In its response to the reaction form to I meet a proposed fine, I
the defendant is mainly going to believe that the sending of this mail results from his point of
view of a handling error. In this regard, the Litigation Chamber notes / Ie
that a handling error, I if applicable, constitutes a security breach and
as such a data breach within the meaning of J'artic / e 4.10 of the GDPR which results in Ja
responsibility of the defendant with regard to the prior implementation of
adequate security measures to avoid such errors. Bedroom
litigation notes, however, that nothing in the file attests that the infringement
was allegedly committed on the instruction of the defendant. Bedroom
contentious therefore retains the unintentional nature of the infringement as a
mitigating circumstance ”(page 11 of the contested decision).
In addition, to the extent that the Litigation Chamber of the Data Protection Authority
imposed a global fine for the various violations, the mitigating circumstance
recognized by the latter had to be taken into consideration with regard to the assessment of Ja
sanction and this even though this mitigating circumstance has been recognized only
for rune violations, quad no.
c) Measures taken by the controller or the processor to mitigate
Damage suffered by the data subject (article 83.2.c of the GDPR)
4.1.9.
In addition, the Data Protection Authority should still have taken into
consideration of the measures taken by X to mitigate the damage suffered by the
persons concerned (article 83.2 c).
In his letter of October 14, 2019, X informed the Contentious Chamber that he
had "solicited / 'opinion of a specialist in the news / aegis" to help him to supervise
his team "in order to avoid any new errors of the kind in the future". Protection Authority
data are refused to take these elements into consideration.
d) Any violation committed previously by the controller or
The subcontractor (article 83.2.e of the RGPG)
4.1.10.
In estimating the fine imposed on X, the Contentious Chamber also did not judge
useful to take into account / 'total absence of previous viofation in the head of X and this in
annoyance with article 83.2. e).
4.1.11.
In terms of main conclusions, the Data Protection Authority claims that the
GDPR considers recidivism to be an aggravating circumstance.
Se / on el / e, / 'the absence of an aggravating circumstance does not mean the existence of an aggravating circumstance.
mitigating.
This does not detract from the fact that in determining the sanction to be imposed on X, the
Data Protection should have taken into consideration I made that the latter was not
customary for GDPR violations and that no sanction had ever been applied to it
previously.
1 PAGE □ 1-00001942078- □ 016-0025- □ 5- □ 1-�
L __J Brussels Court of Appeal -2020 / AR / 1333 p. 17
If the absence of previous violations does not constitute a mitigating circumstance, quod
no, this constitutes an objective criterion at all times which must be taken into account in the
determination of the sanction.
e) The degree of cooperation established with the supervisory authority in order to remedy
violation and mitigate any negative effects (article 83.2.f of the GDPR)
4.1.12.
Likewise, the Contentious Chamber did not take into consideration the cooperation of X (article
83.2 f). From October 14, 2019, X indicated to the Litigation Chamber that he was in his
available to be heard if she so wished.
This perfectly demonstrates that X wanted to cooperate in this case, which
the Chmbrecontentieu did not take it into account.
f) Any other aggravating or mitigating circumstance applicable to the circumstances
of the species, you / Ie that the financial advantages obtained or the losses avoided,
directly or indirectly, due to the violation (article 83.2.k of the GDPR}
4.1.13.
Finally, the Contentious Chamber did not consider it useful to take into account other
extenuating circumstances such as the fact that X did not derive any benefit from this violation.
In terms of main designs, the Data Protection Authority considers that there is no
no reason to uphold this argument on the grounds that X does not add any element which
would make it possible to determine whether or not the use of the permanent file influenced
favorably the result of the elections.
It is impossible for X to prove this negative fact. Nevertheless, it is
not unreasonable to admit that the 150 people allegedly targeted by the email
litigation alone could not influence the final outcome of the elections. In addition, there
a / ieu to note that the fines imposed by the Data Protection Authority
constitute penalties of a criminal nature.
Indeed, since the judgment of the European Court of Rights of Hamme Engel v. Netherlands from 8
June 1976, it is accepted that the concept of "criminal charge" referred to in Article 6 of
the Convention is an “autonomous concept”, endowed with a European meaning
potentially distinct from that attributed to homonymous terms in national
High Contracting Porties.
To determine whether an administrative sanction is of a criminal nature, it is necessary that three
criteria are met: the qualification of the sanction in domestic law, the nature of the
repressed behavior and, finally, the nature and degree of severity of the sanction concerned.
The second and third criteria are alternative and not necessarily cumulative. For
that Article 6 of the ECHR applies, it is sufficient that the offense in question is of a criminal nature
with regard to the Convention, or has exposed the person concerned to a sanction which, by its nature and
degree of seriousness, generally pertains to criminal matters.
In this case, it must be noted that the sanction applied by the Authority for the Protection of
Data does indeed constitute an administrative sanction of a criminal nature:
The fine thus imposed is qualified as an administrative sanction;
- The GDPR protects / 'general / societal interest and the fines imposed due to
a violation of the GDPR have both a deterrent and a repressive purpose;
The fine imposed is of undeniable severity.
rPAGE 01-00001942078-0017-0025-05-01-�
L _J Brussels-2020 Court of Appeal / AR / 1333 p. 18
This is all the more true as the European Court of Human Rights has already had the opportunity
to apply the "Engel criteria" to an administrative fine pronounced by the authority of
control of the Italian financial markets and to recognize its criminal character.
The Court of Justice of the European Union, after having endorsed the development of the "criteria
d'Engel ”, also applied this reasoning to administrative fines.
The criminal nature of the administrative sanctions provided for by the GDPR must therefore
clearly recognized, in particular with regard to the content of article 83 of the GDPR
providing that the administrative fines provided for by the supervisory authorities must be
effective, proportionate and dissuasive, and setting particularly high thresholds.
Being of a criminal nature, the administrative fines applied by the Protection Authority
Data must apply the procedural guarantees specific to the "matter
criminal law ”that owing to the right to a fair trial, the legality of the incriminations and penalties and
The principle non bis in idem.
These procedural guarantees in criminal matters lead, in particular, to a reversal of the
burden of proof, which means that it is the prosecution, in this case the Authority of
Data Protection, which must bear the burden of proof.
Thus, the Data Protection Authority cannot content itself with invoking that X would have
gained an advantage from the GDPR violation but must prove it, quad no.
4.1.14.
Likewise, the Litigation Chamber did not consider it useful to take the situation into account.
financial situation of X a / ors that the latter had informed the Chamber of this and had
added that a fine of 5,000.00 euros would result in
to worsen this already de / icate financial situation.
Indeed, X has to face important debts which prevent him from assuming a
fine in the amount of 5,000.00 euros.
For example, X is being claimed for nearly 16,000.00 euros per administration
fiscal.
In addition, the building he owns and in which he resides is having problems.
stability. X therefore has no choice but to carry out large-scale work to
that / s his home insurance refuses to intervene, which / 'obliges to assume some alone
cost.
Finally, X was the subject of criminal proceedings in the context of the so-called "..." case.
This procedure, initiated on November 3, 1999, lasted thirteen years and was completed by a
judgment of the 6th chamber of the Court of Appeal of [...] of [...] in which the Court of Appeal / a
confirmed in all respects the judgment of the Criminal Court of [...], of [...] by virtue of
from which X was acquitted of all charges.
The counsel who assisted X in this procedure have recently returned to him, as
costs and fees, the total sum of 465,488.82 euros.
These amounts were the subject of disputes by X, which led to a
legal proceedings before the Court of First Instance of [...] (Exhibit 13 of the file
inventoried of the conc / uant).
This procedure is currently still in progress so that no final judgment has been made.
could be returned.
g) Design
IPAGE 01-00001942078-0018-0025-05-01- �
��
L � ..J Court of Appeal Brussels - 2020 / AR / 1333 p. 19
4.1.15.
The Contentious Chamber of the Data Protection Authority did not take into
consideration / 'all the elements that must be taken into account to determine the
amount of the penalty prescribed by article 83 of the GDPR Regulation. "
All of these criticisms relate to the factual assessment that the APD's contentious chamber
carried out in this case.
As it is not for the Market Court to "re-examine" the facts of the case, and that the
plea does not claim that there was a manifest error of assessment, it cannot be
welcomed.
7.5. Is the fine imposed disproportionate?
(second plea of the applicant, first plea of the DPA)
Article 83 of the GDPR provides in its first point that each supervisory authority ensures that
administrative fines imposed for breaches of the rules are, in each case,
effective, proportionate and dissuasive.
In its article 100, the law of 3 December 2017 establishing the Authority for the protection of
data (APD law) lists the possible penalties.
The contentious chamber has the power to dismiss the complaint; to order the dismissal; of
pronounce the suspension of the pronouncement; to propose a transaction; to issue warnings
and reprimands; to order compliance with the requests of the data subject to exercise
these rights; to order that the person concerned be informed of the safety problem; to order the freezing,
temporary or permanent limitation or prohibition of processing; to order a setting
compliance of processing; to order the rectification, restriction or erasure of data and the
notification of these to data recipients; order the withdrawal of the accreditation of
certification bodies; to give periodic penalty payments; to issue administrative fines;
order the suspension of transborder data flows to another State or an organization
international; to send the file to the public prosecutor's office in Brussels, who informs them
follow-up given to the case; decide on a case-by-case basis to publish its decisions on the website
of the Data Protection Authority.
The ability to impose an administrative fine is only the thirteenth sanction in the list
legal.
The fundamental aim of European legislation is not to sanction in the form of inflicting
fines for the slightest breach of regulations, the real goal is data protection. The
the aim is therefore to protect data, not to punish the slightest infringement at all costs.
In this case:
“On May 22, 2019, X sent a letter / on his behalf, through / 'adress
emails from his secretary, [...], to these terms: "Ladies and Gentlemen, Dear friends,
Dear friends, I am proud to be the 10th candidate on the list [...] for our
borough of [...]. May I be allowed to sol / icite your suf / anger. A good result
will allow me with our team at the College and the Provincial Council to be even more
effective. I want to do everything in my power to also support our
1 PAGE □ 1- □ validated 01942078- □□ 19- □regon 25- □ 5- □ 1-; i
L __J Brussels Court of Appeal -2020 / AR / 1333 p. 20
local representatives and their projects. My warmest regards ”(Exhibit 1 of the dossier
inventory of the appellant).
On May 23, 2019, Z sent an email to X's secretary in order to
to indicate that he had not given his consent for the use of his personal data
and that the e-mail mentioned above should not have been sent to him from then on.
From the next day, that is May 24, 2019, X, through his secretary, presented his
apologies to Z in these terms: "We know the law on the RGPD: we apologize for
this mistake. We realized this at the time of / 'sending but it was
trap late We therefore ask you not to lodge a complaint for a gesture totally
beyond our control. Our apologies again. Best regards ”(Exhibit 2 of
appellant's inventory).
On May 25, 2019, Z submitted a request for information to the Autorité de
protection of data concerning the use by X of his e-mail address
personal. He also denounced the fact that this message was sent to many
addressees placed in copy (Exhibit 3 of the inventoried file of the appellant). "
"From July 4/2019, the secretary of X, [...] answered this question in these
and: terms: "The addresses come from a" permanence "file organized by X / orsqu'il
was Mayor of [...]. Z is therefore in this one to have, at one time or another,
had contact with X ”.
The secretary added: “In fact, from my private messaging system, I sent a
election advertising for X, in order to prevent him from using his personal messaging system in his capacity
of provincial deputy (...). And this email was sent spontaneously, omitting to put
in CC / the recipients. There is therefore no intention to misuse these addresses, nor
to harm anyone. It is just a mishandling that we regret.
We apologized to Z as you may have read it ”.
On August 6, 2019, the Frontline Service of the Data Protection Authority declared
Z's complaint admissible and forwarded it to the Litigation Chamber.
By registered letter of September 25, 2019, the President of the Litigation Chamber
informed X and Z that the case was ready for treatment on the merits and invited the parties to
introduce their conclusions according to the fixed timetable.
By letter of October 14, 2019, X indicated to the Litigation Chamber: “I have received
your new e-mail concerning the distribution of e-mail addresses to a series of contacts
during the last election campaign. If you wish, I am at your disposal
to be heard on this. I already want to confirm or "reconfirm" that
file to / 'all people was a simple handling error at the time
of / 'sending of the document which had to be individualized. I myself solicited / 'opinion of a
specialist in the new legislation to help me supervise my team in order to avoid
the future any new error of the genre. The question still being analyzed with the
resource person I have chosen is to know that the health precautions for
take with e-mail addresses that people did not send spontaneously. For
r PAGE 01-00001942078-0 □ 20-0025- □ 5- □ 1- �
_JBrussels-2020 Court of Appeal / AR / 1333 p. 22
citizen, has the right to be treated individually and according to the elements of his file and without
elements from other files may interfere.
When a decision has to be taken on a case-by-case basis, based on the principle of good faith,
! 'absence of a prior warning, in the absence of any precedent and confronted with
immediate apology (the day after the date on which the applicant was informed of the problem which
he was not aware), the sanction of immediately imposing an administrative fine in addition to the
fact of fixing it from the outset at a large sum of 5,000 euros, is of a
disproportionate.
In addition, the following grounds:
"34. The defendant did not follow the procedure communicated to him by mail
recommended and by email. His answer is laced, he would not have been informed of the obstruction
to send conclusions to the complainant is contrary to the facts. The contentious chamber
considers that by this omission and erroneous denials of the facts, the Respondent has not provided
all its cooperation in the procedure, which constitutes an aggravating circumstance "
show a manifest error of assessment in the head of the contentious chamber of the APD.
There is no binding procedure and in any event, a breach of the rules of
procedure may result in the authority disregarding writings or documents which
are used in violation of the rules of procedure, but such a fact - even if it is established quad not in
! the absence of binding rules which are enforceable against litigants - can never constitute
an aggravating circumstance. reason for the litigation chamber mixes form and substance and is
perfectly illegal and invalidates the decision by this fact alone.
The Cour des marchés does not criticize the policy of the contentious chamber of the APD but the fact of
not to consider the possibilities of achieving the goal pursued by European legislation (such as
implemented in Belgian law) by another decision (explicitly provided for in Article 100 points 3 to
12 of the APD Act) while noting a series of elements which show that the applicant did not
in no way expressed his intention to disregard the principles of data protection
personal but on the contrary the violation he committed was the result of negligence
or inadvertently and immediately rectified the situation while apologizing (see
above) cannot be interpreted other than as a misuse of powers, the use
by an administrative authority within its power for a purpose other than that for which it was
granted, in the head of the contentious chamber of the APD.
An attitude, tending to impose fines from the first inadvertent offense,
does not correspond to the principles that govern matter. As far as the room
AD litigation has a complete repressive chain enabling it to carry out
controls, the consequences of which (if the infringement is established) can range from a warning to a sanction
financial or not. In some cases, an advertisement can even be decided based on the severity
cases. The Procurement Court wonders whether in X's case a warning might not have been sufficient. The
disputed chamber fails to take into account the presumption of good faith. By inflicting
immediately an administrative fine - very substantial against an individual who has
sent e-mails mentioning the e-mail address of all the persons to whom the e-mail
was addressed - the litigation chamber disregards the fundamental principles of the
proportionality of the sanction.
1 PAGE □ 1-00 □□ 1942078- □□ 22- □regon 25- □ 5- □ 1-�
L _JCourt of AppealBrussels-2020 AR / 1333p. 23
7.6. Punishment.
(second means of ODA)
The applicant requests the "reformation" of the decision so that the sanction of inflicting a
a fine of € 5,000.00 would be reformed into a stay of proceedings. The APD argues on this subject
“78. In the alternative, even if Your Court were to set aside the Contested Decision (quod
no}, it cannot substitute its assessment for that of the contentious Chamber as the
asks X.
Indeed, when X asks Your Court to rule in full jurisdiction by reforming
the Contested Decision and pronouncing the suspension of the pronouncement in place of the Chamber
Litigation, he asks Your Court to decide on an aspect that falls within the power of
discretionary judgment of / 'APO. A solution cannot be adopted.
Your Court should therefore refer the complaint to the Contentious Chamber so that it
adopt a new decision which would take into account the grounds for cancellation retained by Your
Court. "
The Markets Court cannot "reform" a decision as an appellate judge could.
The Market Court can only annul or not the contested decision.
To the extent that a decision is quashed, the Markets Court may - on the basis of the full
jurisdiction - make a new decision that will replace the annulled decision. The "reformation
factual ”of the Contested Decision is therefore carried out in two phases, first the annulment of the decision and
then the replacement of the annulled decision by a new decision.
The Markets Court therefore considers that when the applicant requests the "reform" of a
Contested Decision, which he ultimately requests that the Procurement Court annul the Contested Decision and
replaces this decision with a new decision. 19
The Court endorses the following considerations of the judgment of 28 September 2012 Court of
cassation:
"The judge is bound to settle the dispute in accordance with the rules of law which are applicable to him.
applicable. He is required to examine the legal nature of the facts and acts referred to by the porties
and may, whatever the legal qualification given to them by the porties, complete
ex officio the reasons they invoked on the condition that it does not raise any dispute
of which the porties have exc / u the existence in their conclusions, that it relies exclusively on
elements which have been regularly submitted to him, which he does not modify / 'subject of the request
and that it does not violate the rights of defense of the porties. "
In the present case, the applicant requests that the decision be replaced and the DPA defended himself on this
request (see the extract from the conclusions cited above). When the Market Court interprets the
request of the applicant to "reform" the Contested Decision into a request to annul the decision
and replace it with a new decision on the extent of which the parties have taken
conclusions, the Markets Court does not rule ultra petita.
In the present case, the Impugned Decision must be annulled for misuse of power, the use by the
contentious chamber of the APD of its power to sanction by imposing a fine
administrative without considering that the other sanctions of article 100 of the ODA law may reach
19Cass. September 28, 2012, http://www.cass.be at its date, judgment n C.12.0049.N; J.T. 2013, 497; J.L.M.B. 2013, 1297, note
VAN DROOGHENBROECK, J.
1 PAGE 01-00001942078-0023-0025-05-01-�
�
L �� _J Brussels Court of Appeal -2020 / AR / 1333 p. 24
The result envisaged by the legislator0and on the ground that in this case the contentious chamber did not
taken into account the presumption of good faith, nor the attitude of the applicant as soon as he was informed of
the offense, and that it took into account aggravating circumstances in an unlawful manner, violating
thus the principle of proportionality of the sanction.
Since the applicant does not dispute the infringements and has never done so, it is appropriate to
consider the offenses as established and reconsidering - by virtue of the full jurisdiction of which
provides the Procurement Court - the proportionality of the sanction, the applicant should be imposed
sanction of the suspension of the pronouncement.
8. Decision and costs
The appeal is admissible and well founded.
Decision No. 53/2020 pronounced by the contentious chamber of the Authority for the Protection of
Data Ie September 1, 2020 which imposes a fine of 5,000 € (DOS-2019-02974) on X is
canceled, the sanction is that of the suspension of the pronouncement.
The Data Protection Authority is ordered to pay the costs, liquidated at 1,440 € in compensation
procedure for X.
FOR THESE REASONS,
THE COURTYARD,
Having regard to articles 24 and 43 bis § 3 in fine of the law of June 15, 1935 on the use of languages in
judicial,
Ruling contradictorily,
Holds X's appeal admissible and well founded;
°
Annuls Decree no.53 / 2020 pronounced by the contentious chamber of the Authority for the Protection of
Data September 1, 2020 (DOS-2019-02974) in which it imposes a fine of 5,000 euros on
X on the basis of articles 100, 13 and 101 of the law of 3 December 2017 on the creation of
the Data Protection Authority (“LCA”) as well as article 83 of the GDPR;
Deciding with full jurisdiction, pronounces the sanction of suspension of the pronouncement on the basis of
Articles 100 and 101 of the LCA as well as Article 83 of the GDPR;
Orders the Data Protection Authority to pay the costs, liquidate to .... right to roll and
€ 1,440 in procedural compensation for X.
Pursuant to article 2692 of the Code of registration, mortgage and graft rights,
condemns the Data Protection Authority to pay to the Belgian State, SPF Finances, the right to
on the call roll (400 €}.
20 namely to modernize the European regulations on the protection of personal data due to
of the advancement of new technologies and to ensure that personal data is processed in a
new way and that all citizens benefit from high-quality protection when processing their data
of a personal nature.
rPAGE 01-00 □primer 1942078- □ 024-0025-05- □ 1-i: -i
L ... J
