Court of Appeal of Brussels - 2020/AR/813
Court of Appeal of Brussels - 2020/AR/813 | |
---|---|
Court: | Court of Appeal of Brussels (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR; Article 6(1) GDPR; Article 12(1) GDPR; Article 13(1)(b) GDPR; Article 13(1)(c) GDPR |
Decided: | 18.11.2020 |
Published: | |
Parties: | Insurance company; Belgian DPA |
National Case Number/Name: | 2020/AR/813 |
European Case Law Identifier: | |
Appeal from: | APD/GBA (Belgium) 24/2020 |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Hof van beroep Brussel (in Dutch) |
Initial Contributor: | Jette |
The Court of Appeal of Brussels held that the Belgian DPA violated the principles of proper administration by only orally mentioning additional violations to the controller at the hearing, and later basing its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.
English Summary
Facts
This decision is an appeal of decision 24/2020, where a customer (the data subject) of an insurance company (the controller) claimed that his health data was used by the controller for a purpose to which he did not explicitly agree. The DPA upheld the complaint and stated that there was a lack of transparency in the controller's privacy policy as it did not demonstrate any legitimate interest. Therefore the controller violated Article 5(1)(a) and (2), Article 6(1), Article 12(1), Article 13(1)(b) and (c) GDPR. The DPA imposed a fine of €50.000.
The controller appealed the decision of the DPA at the Court of Appeal of Brussels and raised the following pleas:
- The decision was void because of a lack of reasoning regarding the legal basis for
  - the processing of personal data with regard to the purposes set out in Article 4.3 of its Privacy Statement, and
  - the transfers to third parties set out in Article 6 of its Privacy Statement.
- It should have been able to rely on its legitimate interests for the processing of personal data for certain purposes and for transfers to third parties.
- When it could not rely on its legitimate interests, it should have been able to rely on legal grounds other than the consent.
- The decision violates its freedom of enterprise.
- The fine was disproportionate.
In response the DPA requested the Court to declare the appeal unfounded, as:
- the contested decision was properly reasoned in law and in fact. It was based on the information available, in view of the active duty of responsibility of the controller. The balancing of interests provided by the controller did not change this. (regarding the controller's 1st to 4th plea)
- the decision did not unlawfully restrict the controller's ability to stop the violations found. The fact that the DPA (GBA), based on the information at its disposal, presumed that it was possible to use consent as a legal basis does not affect the lawfulness of the decision. (regarding the controller's 2nd and 3rd plea)
- the fine was not disproportionate in the light of the various violations found. Each of the violations established (including the uncontested ones) could justify the fine. (regarding the controller's 5th plea)
Holding
The Court of Appeal stated the DPA violated the principles of proper administration. The DPA orally mentioned additional violations to the controller at the hearing. The DPA later based its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.
The Court annulled the decision and ordered the DPA to pay the costs of the proceedings. Furthermore, the Court noted that if an administrative fine were still at issue, the DPA had to reduce the amount.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Brussels Court of Appeal - 2020/AR/813
ON: X. [...], requesting party, represented by [...] and [...] against the decision of the Disputes Chamber of the GBA of 14 May 2020, number 24/2020 file DOS-2019-02902.
AGAINST: The DATA PROTECTION AUTHORITY, public institution under Belgian law, ON 0694.679.950, with registered office 1000 BRUSSELS, Drukpersstraat 35, defendant, represented by Mr. ROETS Joos, Mr. CLOOTS Elke and Mr. VAN DIEST Thomas, lawyers, all office in 2018 ANTWERP, Oostenstraat 38/201
***
1. Jurisdiction of the Market Court:
The Court of Appeal derives its jurisdiction from an application lodged with the registry of the Court of Appeal in Brussels on June 12, 2020 by X against the DATA PROTECTION AUTHORITY (hereinafter "GBA"). With this petition, X appeals to the Market Court against the decision of the Disputes Chamber of the GBA of 14 May 2020 number 24/2020 file DOS-2019-02902.
2. The claims before the Market Court:
By opinion lodged at the registry on September 9, 2020, X claims: First to declare the (limited) appeal of X admissible and admissible and therefore:
In main order:
• annul the Decision for lack of motivation;
In subordinate order:
• to rule that X did not infringe Article 6(1) of the GDPR, to the extent that the processing of personal data for the following purposes (Article 4.3 of X's privacy statement) can be made on the basis of a legal basis provided for in Article 6(1) GDPR other than the consent of the data subject (Article 6(1)(a) GDPR):
► performing computer tests;
► monitoring the quality of the service;
► training staff;
► monitoring and reporting;
► the storage of video surveillance recordings during the legal period; and
► compiling statistics on encrypted data, including big data;
• to consider that X does not infringe Article 6(1) of the GDPR, to the extent that the transfers of personal data to the following third parties (Article 6 of the Privacy Statement of X) can be made on the basis of a legal basis provided for in Article 6(1) of the GDPR other than the consent of the data subject (Article 6(1)(a) GDPR):
o the companies of the Z group to which X belongs, for monitoring and reporting; and
o subcontractors in the European Union or beyond, responsible/verifiable for processing activities defined by X;
• to rule that X did not infringe the accountability enshrined in Article 5(2) of the GDPR, to the extent that X invokes its legitimate interest (Article 6(1)(f) GDPR) as the legal basis for the processing of personal data referred to in the first two points;
• to rule that X did not infringe Article 13(1)(c) and (d) GDPR, to the extent that X invokes its legitimate interest (Article 6(1)(f) GDPR) as legal basis for the processing of personal data referred to in the first two points;
• to rule that X has not infringed Article 5(1)(a) GDPR, to the extent that X invokes its legitimate interest (Article 6(1)(f) GDPR) as legal basis for the processing of personal data referred to in the first two points; and impose a warning on X.
In more subordinate order:
• should an administrative fine still arise, quod non, the amount of the administrative fine.
In each case:
• order the GBA to pay the costs of the appeal proceedings, including the court fee.
By decision lodged on September 30, 2020, the GBA claims:
- In main order: declare the applicant's application unfounded;
- In any event, order the applicant to pay the costs of the proceedings, including the basic amount of the legal compensation, estimated at 1,440 euros.
3. The facts:
The various parties provide their own facts. The Market Court hereby only reiterates the factual account of the GBA. The GBA summarizes as follows:
1. On June 14, 2019, Mr. V (hereinafter: 'the complainant') lodged a complaint with the Data Protection Authority (DPA) against X (document 1). The complaint concerns the use of health data that X as insurance company has obtained from the complainant in the context of a hospitalization insurance for certain other purposes, without the express consent of the insured person. The complainant stated (document 1):
"X acquires through coercion the right to process sensitive personal data for the granting of his hospitalization insurance. The customer can only access through explicit consent to agree to all processing, otherwise no coverage can be given for hospitalization insurance. This is logical for processing essential for the performance of the obligations. However, there are no legitimate interests for the processing operations listed in point 4.3. The customer should be given the choice whether to agree to this and will not get it. Even online on X one can only agree to everything and the customer only gets 1 single option. Passing on to third parties is also not allowed without permission unless a legal obligation exists. This is not the case for many transfers in [point 6], the customer has no choice here either.
We wish that the customer for this matters in point 4.3 and [6] can give individual consent, that X are forms and that all customers receive a new form with the custom options."
In other words, the complaint is not aimed at the processing of health data for the performance of obligations in the context of the hospitalization insurance that was concluded with X. The complaint focuses on the fact that the same health data be processed without further ado for the purposes listed in point 4.3. of the privacy statement and with the transfer of that data to third parties as stated in point 6 of the same privacy statement. More specifically, the privacy statement of X (document 1, appendix) states:
"2. The following categories of personal data are processed by X: identification data, Financial details, Personal characteristics, Physical data, Lifestyles, Leisure activities and interests, Image recordings, Sound recordings, Health data and Judicial data.
3. X mainly collects your personal data when:
• you take out X insurance for yourself or a third person, such as a member of your family, by completing the necessary documents;
• you contact X for information about our products and services;
• you the different services and tools (applications, personal platforms, newsletters, etc.) that we make available to inform you or to contact us to request information;
• you exercise a right established as part of our contractual relationship;
• you visit our websites or social networks;
• you visit our buildings: for security reasons your visit will be video recorded and preserved by CCTV cameras;
• a third party authorized to do so provides us with your personal data (professional service providers, your insurance intermediary, your employer as part of a group insurance policy, a healthcare provider, etc.)
4. Personal data is processed for the following purposes: [...]
4.3.
Based on the legitimate interest of X, for:
• performing computer tests; [1]
• monitoring the quality of the service; [2]
• training staff; [3]
• monitoring and reporting; [4]
• preventing abuse and fraud; [5]
• the storage of video surveillance recordings during the legal period; [6]
• compiling statistics on coded data, including big data; [7]
• providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs. [8]
[...]
6. The data will only be used for what is necessary for the above purposes are communicated to the following third parties:
• Insurance intermediaries for the statistical purposes of coded data that they will explain at the request of the person concerned and produce; [1]
• Insurance intermediaries, for health data, in compensation statements and in the copy of the insurance contract with any exclusions and/or additional premiums, if the person concerned informs them beforehand has given explicit and informed consent; [2]
• Health insurance funds, for facilitating reimbursements; [3]
• One or more insurance companies in case of co-insurance, assistance and/or recovery of costs in the event of liability of a third party at the occurrence of the damage; [4]
• The companies of the Z group to which X belongs, for monitoring and reporting; [5]
• Subcontractors in the European Union or beyond, responsible/verifiable for processing activities defined by X; [6]
• The insurance ombudsman in the event of a dispute; [7]
• Banking institutions; [8]
• Postal, transport and delivery companies to better send our mail; [9]
• Tax and social administrations, due to legal obligations from X; [10]
• The public supervisory and controlling authorities, because of the legal obligations of X; [11]
• The IPT (Insurance Premium Tax) to which you are, if applicable subject to the payment of
the international tax. [12]"
In addition, X's consent form (document 1, appendix) provides:
"[...] I declare that I have read the attached X Privacy Statement (which is also available on the X website [...] under 'Privacy' section or on paper request to X). I acknowledge that my personal health data may only be processed with my permission. However, if I don't give permission, then it can close and/or the proper execution of the insurance contract are prevented. I further acknowledge that I have the right to withdraw my consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. [...] I hereby give my express permission to X to use my process health data (or that of the minor whose data I have legal representative), if necessary by means of full automated processing, without the intervention of a professional in the healthcare, for risk assessment, management of (pre)contractual relationships, the issuance and execution of insurance contracts, claims management, possible dispute resolution, prevention, detection and investigation of insurance fraud, and notification of an amendment to the insurance contract."
Finally, the complainant indicated that it wanted a data protection impact assessment received from X as it involves the processing of high-risk data for those involved.
2. On 26 June 2019, the complaint was declared admissible under Articles 58 and 60 of the law of December 3, 2017 establishing the Data Protection Authority (WOG), the complainant was informed on the basis of Article 61 of the WOG and the complaint pursuant to Article 62, §1 of the WOG was forwarded to the Disputes Chamber of the GBA.
3. On July 23, 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file was ready for treatment on the merits.
On July 24, 2019, the involved parties (complainant and X) were therefore notified of the provisions as stated in art. 95, §2 WOG as well as those in art. 98 WOG. In its notification to X, the Disputes Chamber stated, among other things (document 6):
"The complaint concerns the processing of sensitive personal data by X in the under a hospitalization insurance, whereby the explicit consent of the person concerned would be enforced. A copy of the complaint, as well as the inventory of the documents in the file will be sent to you as an attachment."
The parties involved were also notified, pursuant to art. 99 WOG, of the time limits for submitting their defences. The latest date for receipt of the conclusion of reply from X was recorded on September 6, 2019. Subsequently, the complainant could submit a statement of reply by 7 October 2019 at the latest and X could submit a statement of reply by no later than November 2019. Also, on 30 July 2019 a copy of the file was sent to X.
4. On September 6, 2019, the Disputes Chamber received the statement of defense because of X. Here X stated (piece 13): firstly, that processing special categories of personal data, in this case health data, by health insurer X is lawfully done. The processing of these special categories of personal data is in principle prohibited (art. 9 GDPR). X invokes the processing of health data, however, on the exceptional ground of Article 9 para. 2 a) GDPR, in particular the ground for exception "explicit consent of the person concerned". X further emphasized (piece 13, p. 9):
"In this case, the consent is only requested for the processing of health data necessary for insurance contracts concluded with X. The data is necessarily processed for risk analyses, claims handling and settlements."
X also argued (document 13, p. 10 et seq.)
that definitely no permission is requested for processing of data other than health data, nor is consent sought for the processing based on legitimate interest. With regard to point 4.3 of the Privacy statement X emphasized (piece 13, p. 10-11):
"In his complaint, the complainant points out that a 'separate consent' would be necessary for the processing operations listed in Art. 4.3 of the Privacy declaration. The complainant argues that X "forces" the person concerned to to consent to the processing in Art. 4.3 and them to the point gives no choice. However, the complainant's assertion is based on a misreading of the Privacy Statement and Consent Form. [...] [X] invokes the legitimate interest to obtain certain be able to process personal data (art. 4.3 Privacy statement). X processes this data to perform tasks related to its business activities. For example, it is perfectly normal that X processes personal data to prevent abuse and fraud. [...] The complainant cites that the "customer [should] be given the choice whether to use [Art. 4.3 of the Privacy Statement]." However, this view is consistent not with the structure of the Privacy Statement. For the processing that are listed in Art. 4.3 (legitimate interest) is no consent required, since [X] invokes the justified interest. In this case, it concerns "ordinary" personal data, where one can perfectly invoke the legitimate interest and should not fall back on the permission as in the case of health data. [...] Nor does the Consent Form contain any consent for such processing. A clear distinction should therefore be made between the Consent Form on the one hand and the Privacy statement on the other hand. The scope of the Consent Form is limited to the health data of those involved. Although there is a message made from the Privacy Statement, but this is at most proof of acquaintance with the transparency obligations of Chapter II/GDPR to fulfil. [...]
Therefore, no reference is made in this Consent Form to other data, such as data processed on the basis of the legitimate interest for the purposes set out in Art. 4.3 of the Privacy declaration. It can be concluded in conclusion that X in no way asks for permission (and the data subject therefore in no way gives his consent) for the processing operations listed in art. 4.3 of the Privacy Statement. [...]"
In addition, regarding point 6 of the Privacy Statement, X stated that X did not have to request separate consent for each of the transfers listed therein. X emphasized, in line with what she stated regarding point 4.3 of the Privacy Statement (piece 13, p. 12-13):
"To be able to pass on personal data (read: to process) is a legal requirement basis needed. As discussed earlier, X does not only process personal data by relying on consent as a legal basis. She also relies, as the case may be, on the performance of the agreement, the legitimate interest and the legal obligation. [...] For each of the persons mentioned in Art. 6 of the Privacy Statement is set out below an overview on the basis of which legal basis the transfer takes place."
In the aforementioned overview, X stated, inter alia, with regard to the following two categories of transfer:
"The companies of the Z group to which X belongs, for monitoring and reporting. Legitimate interest
Subcontractors in the European Union or beyond, responsible for processing activities defined by X. Legitimate interest."
X continued:
"It is clear from this that the difference/purposes stated in Art. 4 of the Privacy Statement, in particular the execution of the agreement, the consent, the legitimate interest and the legal obligation as legal basis for the transfer to specific persons."
Finally, X argued that a data protection impact assessment in the present case was not necessary, as it involved pre-existing processing concerned and he did not act on new processing operations that started after May 25, 2018.
5. The complainant, for its part, did not submit a reply. X reported on 7 November 2019 that it would therefore not submit an (additional) statement of reply. However, in addition to its justification with regard to point 4.3 and point 9 of its Privacy statement, an overview of case law and legal doctrine submitted to the Disputes Chamber, in support of its first conclusion of 6 September 2019 (document 17, with 8 appendices).
6. The Disputes Chamber subsequently organized a hearing on 28 January 2020, where X was heard. The complainant, although duly summoned, did not appear on the hearing. During the hearing, the Disputes Chamber requested X to (among other things) provide justification for the legitimate interest on which X relies for the processing of data other than health; where X as follows replied (piece 23, p. 2):
"The Disputes Chamber asks what constitutes the legitimate interest in which X invokes what would be the processing of non-health data based. X argues that it is important to expand its economic activity. X states that the complainant can object to this (opt-out system). The Disputes Chamber asks how the exercise of this objection is facilitated. X states that usually collective objections are submitted, mainly/primarily for direct marketing purposes, through [...], but less individually. DPO of X answers such requests for data, other than health data, should not be process. The Disputes Chamber states that it follows from the privacy statement (point 4.3.8) that for direct marketing no consent is required.
X states that she adheres to all legal provisions on direct marketing, but direct marketing almost is non-existent with X. It is only as a precaution (for possible direct marketing in the future) that this purpose is included in the privacy declaration."
7. On January 29, 2020, the minutes of the hearing was sent to the parties transferred (pieces 24 and 25). On January 31, 2020, X, as requested during the hearing, information on the annual turnover of the last three financial years to the Disputes Chamber. Over the years 2016-2018, this annual turnover always amounted to an amount between [...] and [...] million euros (documents 26 and 27). On February 6, 2020, X also made some comments on the official report to the Disputes Chamber (document 28), which were taken into consideration by the Disputes Chamber during the deliberations (document 38, p. 4). With regard to the representation, in the PV, of the general question of the justified interest that X invokes to process other than health data (as well as the brief answer from X), X did not formulate any reservations or objections. Only X made the following comment about direct marketing (piece 28, p. 2):
"With regard to the last paragraph on page 2, we point out that the complaint in this file does not relate to the direct marketing policy of X. The processing of personal data for the purpose of direct marketing was only allowed raised as an example of how to exercise an objection to the processing of personal data based on the legitimate interests of X, is facilitated. However, during the hearing we emphasized that the GDPR (more specifically recital 47) confirms that direct marketing can be carried out on the basis of its legitimate interest: "The processing of personal data for the benefit of direct marketing can be regarded as carried out with a view to a legitimate interest."
Consent (opt-in) is required for certain forms of direct marketing, in other cases, however, personal data may be processed for direct marketing purposes based on X's legitimate interests. This is for example, the case when X sends direct marketing to existing customers as the conditions of the Royal Decree of April 4, 2003 to regulation of the sending of advertising by electronic mail has been complied with."
8. On 25 March 2020, the Disputes Chamber, with due observance of the judgment of 19 February 2020 of your Court, informed X of the intention to proceed with the imposition of an administrative fine, and the contemplated amount thereof, in order to hear X about this, before the sanction would actually be imposed (document 30). In addition to an announcement of the infringements that the Disputes Chamber intended to t pose, the Disputes Chamber also reported (document 30):
"2. The Disputes Chamber intends to impose a fine of: 50,000 euros
3. The following circumstances in particular play a role:
• It concerns violations of essential principles of the General Data Protection Regulation.
• Defendant is a company that collects personal data on a large scale, including health data processed.
• A high degree of negligence has been established.
• The complaint and procedure at the Disputes Chamber did not lead to a adaptation of practices.
4. The amount of this amount is based on the following considerations:
• Seriousness of the infringement: there is a serious violation of the GDPR by the defendant. First and foremost there is a breach of fundamental data protection principles. In addition, this infringement has a relatively large impact, as there is a large number of persons involved have been affected by this infringement (all insured persons who have affiliated hospitalization insurance with X).
• The duration of the infringement: From what the defendant has put forward in the proceedings before the Disputes Chamber, it does not appear that the infringement has ended and has therefore continued until January 25, 2020. The Disputes Chamber does not take any adjustments into account made after the debates on the findings have been concluded.
• The necessary deterrent effect to prevent further infringements. The whole of the elements set out above justifies a effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria specified therein.
• The Disputes Chamber relies on the following annual figures of defendant: The documents you have submitted are based on an annual turnover of EUR [...] for 2018."
9. On May 8, 2020, the Disputes Chamber received X's response to the intention to the imposition of an administrative fine, as well as regarding the intended amount thereof (piece 37). In its response, X argued that the alleged infringements, such as included in the notification of the intention to impose an administrative fine, would be completely new and that X was unable to take a position on this matter to take. X also stated that it disagreed with the imposition of a fine, as well as with the intended amount of the fine (document 37).
10. Subsequently, the Disputes Chamber took the contested decision No 24/2020 on 14 May 2020, which is currently being challenged in your Court (document 38). In this decision, the Disputes Chamber established the following infringements of the GDPR (document 38, p. 14):
• "Breach of art. 6.1 GDPR:
o the data processing for the purposes stated in parts 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, without any evidence legitimate interest, is wrongly not based on the consent of the complainant in the absence of any other possibly applicable legal ground in art. 6.1 GDPR.
o the data processing for transfers to third parties mentioned in section 5 and 6 included under 6. of the privacy statement, without any evidence legitimate interest, is wrongly not based on the consent of the complainant in the absence of any other possible applicable legal basis in art. 6.1 GDPR.
• Infringement of the provisions of article 5.2. GDPR enshrined accountability, in to the extent that the defendant invokes its legitimate interest as a legal basis for the data processing specified above.
• Infringement of art. 12.1, art. 13.1, c) and d) GDPR, as well as on Art. 13.2 b) GDPR, in to the extent that the defendant has not provided the required information to the complainant and has failed to take the appropriate measures to ensure that the complainant Articles 13 and the information referred to in art. 21.2 GDPR referred to communication in in connection with the processing, in particular:
o the points 4.3 and 6 of the privacy statement do not make a clear distinction make between the processing of health data on the one hand, and the processing of the other 'ordinary' data on the other.
o no information is provided to the data subject regarding his legitimate interests.
o no appropriate measures have been taken to inform the data subject regarding, among other things, the right to object guaranteed in art. 21.2 GDPR.
o the processing basis for all transfers not in the privacy statement to be mentioned.
• Infringement of the in art. 5.1.a) enshrined basic principle that personal data must are processed in a manner that is lawful, fair and transparent."
The (most) relevant parts/motives of the decision in this case are set out below: displayed. With regard to point 4.3 of X's privacy statement, the Disputes Chamber considered (among others) (document 38, p. 6 ff.):
1a) Purposes in 4.3 of the privacy statement - Processing ground (art.
6.1 GDPR)
The Disputes Chamber establishes that the problem presented by the complainant relates to point 4.3 of the defendant's privacy statement, which states that personal data is processed on the basis of the legitimate interest of X, for the following purposes:
• performing computer tests; [1]
• monitoring the quality of services; [2]
• training staff; [3]
• monitoring and reporting; [4]
• preventing abuse and fraud; [5]
• the storage of video surveillance recordings during the legal period; [6]
• compiling statistics on coded data, including big data; [7]
• providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs. [8]
[...]
The defendant argues in this regard that for the processing operations listed in 4.3 of the privacy statement no consent is required, as the defendant for the purposes stated therein, in accordance with Article 6.1.f) GDPR, invokes the legitimate interest as the legal basis for the processing. The defendant argues that he can rely on that legal basis, since only 'ordinary' personal data are processed for those purposes and no permission from the data subject is required as in the case of health data as referred to in article 9 GDPR. The defendant argues that for the purposes set out in point 4.3 of the privacy statement, although personal data are processed, but no health data. The Disputes Chamber has established that for the processing of personal data, other than health data, the lawfulness of the processing should be assessed in the light of art. 6.1 GDPR that six secondary processing grounds including the legitimate interest (art. 6.1.f) GDPR) to which the defendant appeals in this case. The Disputes Chamber emphasizes, however, that when a controller relies on a legitimate interest to processing as lawful, in accordance with the jurisprudence of the European Court of Justice three cumulative conditions [..]
must be met in order for the processing of personal data to be lawful, namely, in the first place, the pursuit of a legitimate interest by the controller or by the third party(s) to whom the data is provided, in the second place, the necessity of the processing of the personal data for the pursuit of the legitimate interest and, thirdly, the fact that the fundamental rights and freedoms of the data subject do not prevail.

This requires a balancing of the interests or fundamental rights and fundamental freedoms of the data subject (Art. 6.1.f) GDPR), and in this balancing the recitals of the GDPR related to Art. 6.1.f) GDPR must [...] be taken into consideration, in particular Recital 47.

Thus, the Disputes Chamber is of the opinion that for each of the purposes stated in point 4.3 of the privacy statement, it should be checked to what extent the defendant can invoke the legitimate interest as a legal ground on which processing is based. Recital 47 of the GDPR focuses on the fact that a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject at the time and in the context of the collection of the personal data may reasonably expect that processing for that purpose can take place.

On the basis of the elements available to the Disputes Chamber, it is of the opinion that the defendant can base the data processing on the legitimate interest for the purpose of "preventing abuse and fraud" as stated in part 5 of point 4.3 of the privacy statement. After all, it is certain that the processing of personal data for this purpose is necessary for pursuing the legitimate interest of the defendant and that this interest outweighs the complainant's interest in protecting his/her personal data.
In this regard, the Disputes Chamber refers to recital 47 of the GDPR, which states that the processing of personal data that is strictly necessary for fraud prevention is a legitimate interest of the controller.

The Disputes Chamber adds that notwithstanding the claim of the defendant that no health data is processed for the purposes in 4.3 of the privacy statement, including the purpose of "preventing misuse and fraud", it is nevertheless clear from the consent form that explicit consent is requested to process health data for, among other things, "prevention, detection and investigation of insurance fraud." The Disputes Chamber establishes here that there is an incoherence between what the defendant declares in his submissions and what the consent form provides, and comes back to this in the assessment of the obligation of transparency that rests on the defendant.

The purpose stated in section 8 of point 4.3 of the privacy statement, "providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs", which should be qualified as direct marketing, is also possible on the basis of the legitimate interest, but must be read in conjunction with Art. 21.2 GDPR, which provides that the data subject has the right at any time to object to the processing of personal data concerning him for direct marketing, including profiling related to direct marketing. The Disputes Chamber will also return to this when assessing the transparency obligation on the part of the defendant.

For the other purposes included in art. 4.3 of the privacy statement, the Disputes Chamber is of the opinion that there is no legitimate interest on the part of the defendant that would outweigh the interests and fundamental rights of the complainant to the protection of his personal data.
Recital 47, stating that a legitimate interest may be present when there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer, does not, according to the Disputes Chamber, mean that in the context of that relationship, in which the complainant is acting as a customer of the defendant, data processing would be possible for any purpose. The defendant does not demonstrate in any way what his legitimate interest would consist of and also fails to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, although he is obliged to do so by virtue of his accountability (art. 5.2 GDPR).

The Disputes Chamber is therefore of the opinion that the infringement of art. 6.1 GDPR is proven, since the data processing for the purposes stated in parts 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, without any demonstrated legitimate interest, must be based on the consent of the complainant in the absence of any other possibly applicable legal ground in art. 6.1 GDPR.

The diversity of purposes listed in 4.3 of the privacy statement brings the Disputes Chamber to the decision that for each of those purposes separately the possibility should be given to the complainant, and by extension to all data subjects who use the service offered by the defendant, whether or not to consent to the processing of his personal data. The Disputes Chamber refers in this regard to the Guidelines on consent in accordance with Regulation 2016/679, which provide: a service may include multiple processing activities for multiple purposes. In such cases, data subjects should be able to choose freely which purpose they accept, instead of having to grant permission for a package of processing purposes.
In a particular case, according to the GDPR, it may be justified to have to obtain multiple consents before the provision of a service is commenced."

With regard to point 6 of X's privacy statement, the Disputes Chamber also considered (among others) (document 38, p. 12 ff):

"In addition to 4.3 of the privacy statement, the complainant also states that point 6 of the privacy statement, which relates to the transfer of personal data to third parties, poses a problem because here too he is not offered the choice of whether or not to agree to the transfer of his personal data to third parties. The complainant states that transfers to third parties are not permitted without permission, unless there is a legal obligation to do so.

The defendant argues that it does not rely solely on consent as the legal basis for the transfer of personal data to third parties, but also, depending on the case, on the implementation of the agreement, the legitimate interest and the legal obligation, and specifies for each of the categories of third parties mentioned in 6. of the privacy statement on which legal basis the transfer is based.

[...]

The Disputes Chamber notes, however, that for both the transfer to "The companies of the Z group to which X belongs, for monitoring and reporting", and the transfer to "Subcontractors in the European Union or beyond, responsible for processing activities defined by X", the defendant relies on his legitimate interest as the legal basis for the processing. However, the defendant does not demonstrate in any way what his legitimate interest would consist of and also fails to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, even though he is obliged to do so on the basis of his accountability obligation (Art.
5.2 and 24 GDPR). The Disputes Chamber also refers to the requirements for the use of the processing basis legitimate interest arising from the previously cited case law of the European Court of Justice.

The Disputes Chamber is therefore of the opinion that also with regard to the transfer of personal data to third parties the infringement of art. 6.1 GDPR is proven, as the data processing for the transfers to third parties mentioned in parts 5 and 6 included under 6. of the privacy statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other possibly applicable legal basis in art. 6.1 GDPR."

With regard to the requirement of transparent information (art. 5.1.a), art. 12.1 and art. 13.1 and 13.2 GDPR), the Disputes Chamber observed (among other things) with regard to point 4.3 and point 6 of the privacy declaration:

With regard to point 4.3 of the privacy statement (document 38, p. 9):

Under the GDPR, the controller is obliged to inform the data subject in a concise, transparent, comprehensible and easily accessible form and in clear and plain language (art. 5.1.a), art. 12.1 and art. 13.1 GDPR). The Disputes Chamber notes that, with regard to 4.3 and 6 of the privacy statement, the defendant falls short of that obligation.

First, the defendant fails to make a clear distinction between the processing of health data on the one hand, and the processing of the other 'ordinary' personal data on the other hand, and this for each of the purposes of 4.3 of the privacy statement, as for each of the transfers of 6 of the privacy declaration. Such a distinction is, however, of fundamental importance to determine the legal basis on which the processing can be based for a specific purpose or transfer to a third party (art. 13.1.c) GDPR).

[...]
In addition, the privacy statement only states that for the purposes mentioned in 4.3 personal data are processed on the basis of the legitimate interest of the defendant, without indicating what exactly that legitimate interest would consist of, while art. 13.1.d) GDPR does require the controller to provide the data subject with information about its legitimate interests, if the processing is based on Article 6(1)(f). The Disputes Chamber also refers to the Guidelines on Transparency in accordance with Regulation (EU) 2016/679, emphasizing that the specific interest in question must be identified for the benefit of the data subject. [...]"

With regard to point 6. of the privacy statement (document 38, p. 11):

"Also with regard to point 6. of the privacy statement, the defendant states in his argumentation from which his legitimate interest, on which he relies, would exist to process the complainant's personal data for the purpose of transfer to "the companies of the Z group to which X belongs, for monitoring and reporting", and "Subcontractors in the European Union or beyond, responsible for processing activities defined by X". However, art. 13.1.d) GDPR does provide that the controller must provide the data subject with information regarding his legitimate interests, if the processing is based on Article 6(1)(f). The Disputes Chamber refers again to the Guidelines on Transparency in accordance with Regulation (EU) 2016/679 and the above mentioned."

Finally, with regard to the sanctions imposed (including the imposed administrative fine of 50,000 euros), the Disputes Chamber considered (among other things) (document 38; p. 13 et seq.):

"[...] The Disputes Chamber establishes that an infringement of art. 5.1.a), art. 5.2, art. 6.1, art. 12.1, art. 13.1.c) and d) and 13.2.b) GDPR has been proven and it is appropriate to recommend that the processing is brought into line with these articles of the GDPR (Art.
58.2.d) GDPR and Art. 100, §1, 9 WOG), as well as to impose an administrative fine in addition to this corrective measure (art. 83.2 GDPR; art. 100, §1, 13 WOG and art. 101 WOG).

[...]

Taking into account Article 83 GDPR and the case law of the Market Court, the Disputes Chamber motivates the imposition of an administrative sanction in concrete terms:

The gravity of the infringement: the foregoing reasoning shows the seriousness of the infringement.

The duration of the infringement: what the defendant has put forward in the proceedings before the Disputes Chamber does not show that the infringement has ended, and it has therefore lasted until January 25, 2020. In addition, the Disputes Chamber does not take into account adjustments made after the debates on the findings have been closed.

The necessary deterrent effect to prevent further infringements.

With regard to the nature and seriousness of the infringement (Art. 83.2 a) GDPR), the Disputes Chamber emphasizes that compliance with the principles stipulated in art. 5 GDPR - in the present case, in particular the principle of transparency and legality, as well as accountability - is essential, because these are the fundamental principles of data protection. The Disputes Chamber considers the infringements by the defendant of the principle of legality as specified in art. 6 GDPR and of the principle of transparency laid down in concrete terms in Articles 12 and 13 GDPR as a serious violation.
While no data subjects' health data is processed without the express consent required for that purpose and the defendant invokes another processing ground with regard to the data not covered by a special protection regime in the GDPR, the Disputes Chamber is of the opinion that the relatively large impact of the identified infringements, affecting all insured persons who have joined X through hospitalization insurance, must be taken into account when determining the administrative fine.

The whole of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria laid down therein. The Disputes Chamber points out that the other criteria of art. 83.2 GDPR are in this case not of a nature that they lead to an administrative fine other than that imposed by the Disputes Chamber under this decision."

4. The legal framework of the jurisdiction of the Market Court:

The matter is governed by the Belgian Law of December 3, 2017 establishing the Data Protection Authority (hereinafter WOG). With regard to the commencement and admissibility of a complaint or request, articles 58 et seq. provide as follows.

Art. 58 Anyone can submit a complaint or request in writing, dated and signed, to the Data Protection Authority. The Data Protection Authority will draw up a form for this purpose.
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, which may or may not arise directly out of the infringement."

Recital 47 reads as follows:

"The legitimate interests of a controller, including those of a controller to whom the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or fundamental rights and fundamental freedoms of the data subject do not outweigh them, taking into account the reasonable expectations of the data subject based on his relationship with the controller. Such a legitimate interest may be present, for example, when there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer or is employed by the controller. In any case, a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject at the time and in the context of the collection of the personal data can reasonably expect that processing for that purpose may take place. In particular, the interests and fundamental rights of the data subject may outweigh the interests of the controller when personal data is processed in circumstances in which the data subjects reasonably do not expect further processing. Since it is up to the legislator to provide the legal basis for personal data processing by public authorities, that legal basis does not apply to the processing by public authorities in the context of the performance of their duties. The processing of personal data that is strictly necessary for fraud prevention is also a legitimate interest of the controller in question. The processing of personal data for the purpose of direct marketing can be regarded as carried out with a view to a legitimate interest."

5. The invoked pleas.

5.1.
X puts forward the following pleas:

First plea - In principal order - The Decision is null and void, as it is poorly motivated as concerns the legal basis for the processing of personal data for purposes ex article 4.3 of X's Privacy Statement, as well as regarding the legal basis for the transfers to third parties ex Article 6 of X's Privacy Statement.

Second plea - In subordinate order - X should be able to rely on her legitimate interests in the processing of personal data for certain purposes and transfers to third parties.

Third plea - In subordinate order - X should have the option, if she could not rely on its legitimate interests, to rely on legal grounds other than the consent of the data subject.

Fourth plea - In minor order - The Decision constitutes an infringement of the freedom of entrepreneurship of X.

Fifth plea - In minor order - The administrative fine of EUR 50,000 is disproportionate.

5.2. The GBA puts forward:

3.1. First ground of defence: In the main proceedings - The appeal is unfounded, as the contested decision of the Disputes Chamber is properly substantiated in fact and in law - The Disputes Chamber has, based on the active accountability that rests on the controller, appropriately based its assessment on the available data - The considerations of interests currently provided by X (post factum) are not of a nature to jeopardize the regularity of the contested decision (defence against the applicant's first to fourth complaints)

3.2. Second ground of defence: In the main proceedings - The appeal is unfounded, as the contested decision does not unlawfully restrict X's ability to terminate established violations and to comply with the provisions of the GDPR - The fact that the GBA, in view of the available data, expresses a possible adjustment on the basis of art.
6.1.a) GDPR is not intended to affect the regularity of the contested decision (defense against the second and third complaints of applicant)

3.3. Third ground of defence: In the main order - The administrative fine imposed by the Disputes Chamber is properly justified in fact and in law - The fine is by no means disproportionate in light of the various infringements - Any of the established infringements (including the uncontested infringements) may justify the fine (defense against the applicant's fifth ground of appeal)

6. Assessment - the reasons for the decision as to the legal basis for the processing of personal data for purposes pursuant to Article 4.3 of X's privacy statement, as well as regarding the legal basis for the transfers to third parties ex Article 6 of the Privacy Statement of X. (X's first plea and the GBA's first defense)

6.1. X argues, among other things, the following:

However, on the basis of the first conclusion on appeal from the GBA, X now learns that she is convicted because the GBA believes that X should have proactively demonstrated what her legitimate interests consist of, this on the basis of a so-called 'active' accountability, in accordance with Article 5(2) of the GDPR.

47. By stating that X should have provided the necessary information proactively in the course of the proceedings, and by using the term 'active' accountability, the DPA masks the fact that it had not requested the information and that it consequently failed to provide sufficient reasons for the Decision. As mentioned before, the complaint mainly related to the processing of medical data and the related consent.

48. Article 5(2) GDPR does indeed imply an accountability, which means that controllers must be able to demonstrate compliance with the principles of processing personal data (Article 5(1) of the GDPR).
One of these principles is the principle of lawfulness (Article 5(1)(a) GDPR), which provides that personal data must be processed in a manner that is lawful with regard to the data subject, which means, among other things, that it is based on a legal basis (such as included in Article 6 GDPR).

49. This duty of accountability implies that controllers must always be technically and organizationally capable of demonstrating compliance with the GDPR. On the other hand, it does not imply that controllers must always assess whether and when they should be held accountable. The GBA interprets this accountability in a way that suits its justification of its inadequately motivated decision and gives this duty a role in the context of the taking of evidence in legal proceedings that it does not have.

50. It is therefore incomprehensible that the GBA is of the opinion that X would have had sufficient opportunity in the context of the procedure before the Disputes Chamber to demonstrate what its legitimate interests consist of. That would have been the case, among other things, at the session of January 28, 2020, in the context of which the GBA asked X what the legitimate interests of X consist of on which it relies for the processing of other than medical information.

51. X replied that that interest consists in pursuing its economic activities, which is also true. It is impossible to give verbally a comprehensive answer to a question that requires a bulky and nuanced answer, as is demonstrated by the extent of the weighing of interests that X has in the context of this procedure (see Papers 10, 11A, 11B, 11C, 12, 13, and 14). Nor did the GBA inquire into the weighing of interests during this session or allude to the fact that it was advisable to add it anyway.

52.
It is therefore not correct for the GBA to allude that X should simply have formulated reservations or objections to the official report of the session of 28 January 2020 in order to demonstrate its legitimate interests. The main arguments were about the permission and the case was after all taken into consideration after the hearing, which is also expressly confirmed by the record of the hearing: "The defendant was heard and has had the opportunity to present his arguments. The case is then taken into consideration and today the Disputes Chamber proceeds to making her decision." (own emphasis).

53. It cannot be denied that the GBA also has a responsibility to safeguard the rights of defense and due process, inter alia guaranteed in Article 6 of the European Convention on Human Rights.

54. All this means that at the time the GBA made the Decision, there had been no debate about the existence of legitimate interests on the part of X and it had only X's Privacy Statement on which to make a statement about this. However, a privacy statement alone is not sufficient to verify whether a particular processing is based on a legal basis. Moreover, as your Court has already judged, the motives invoked by the GBA can only support a decision if they appear from the documents in the file that the GBA was able to take into account.

55. More specifically, a privacy statement, identifying which legal basis applies to which processing purpose, is only a reflection of the analysis that must have been carried out to determine whether the concrete processing carried out in practice by the controller actually complies with all relevant legal requirements for the application of that legal basis.
In this case, the balancing of interests drawn up by X demonstrated that the processing operations in question may indeed be based on its legitimate interests.

56. The foregoing partly explains why the statement of reasons for the Decision is flawed as concerns the legal basis for the processing of personal data for purposes ex article 4.3 of X's Privacy Statement, as well as regarding the legal basis for the transfers to third parties pursuant to article 6 of X's Privacy Statement.

57. However, there are other cases in which it was established that decisions of the GBA are lacking motivation. Both in the judgment of your Court of 23 October 2019 and in that of February 19, 2020, decisions of the GBA were quashed because of flaws in the motivation. In yet another judgment, that of 9 October 2019, your Court held that, prima facie, the contested decision - which was taken "without any contradictory debate" - does not seem to comply with the aforementioned law of July 29, 1991, but that the Marktenhof is not authorized to sanction ex officio this decision, the validity of which and conformity with the general principles of good administration is not disputed.

58. However, Articles 2 and 3 of the Law of 29 July 1991 on the explicit motivation of administrative acts oblige the administrative authority (in this case the GBA) to include in the act (in this case the Decision) the legal and factual considerations that underlie the Decision, and to do so in an 'adequate' way.

59. The adequacy of the statement of reasons means that it must be pertinent, that is, it must clearly be related to the Decision, and that it must be sound, i.e. the reasons cited must suffice to support the Decision.

60.
The main raison d'être of the obligation to state reasons, as imposed by the aforementioned law of 29 July 1991, consists in the fact that the person concerned must be able to find in the Decision itself the motives on the basis of which it was taken, so that the person concerned can determine in full knowledge of the facts whether it is appropriate to contest the Decision.

61. The substantive obligation to state reasons means that every administrative legal act must rely on motives whose actual existence has been duly argued and which can in law account for that act.

62. Next, X will show on which points the reasoning of the Decision is not sufficient, which means that the Decision must be quashed. Given that the GBA has imposed an administrative sanction for all alleged infringements together and not a separate sanction for each infringement, the (defective) motivation regarding the processing of personal data for the purposes of article 4.3 of X's privacy statement, as well as regarding the legal basis for transfers to third parties pursuant to Article 6 of X's Privacy Statement, is not severable from the rest of the Decision. As a result, the Decision must be annulled in its entirety."

6.2. In the complaint [2], as it was brought to the attention of X (document 1 file GBA), Mr V is concerned that X proceeds, through compulsion, to the processing of sensitive personal data for the provision of his hospitalization insurance. If the customer does not give explicit permission for all processing, he will not be covered by the hospitalization insurance. The complainant does not consider this a problem for the hospitalization insurance itself but for the processing listed in point 4.3 of the privacy statement.
That point states that X processes the data:

"Based on X's legitimate interest, for:
• performing computer tests;
• monitoring the quality of the service;
• training staff;
• monitoring and reporting;
• preventing abuse and fraud;
• the storage of video surveillance recordings during the legal period;
• compiling statistics of coded data, including big data;
• providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs."

[2] This is not a person who lodges a complaint in his capacity as a citizen, but in his capacity of data protection officer of the association [...]. By mail of 9 September 2019 (document 14 file GBA), Mr V incidentally complains that, with regard to the proceedings before the Disputes Chamber, he was written to by X as a private person whereas his complaint emanates from his company.

By registered letter dated 24 July 2019 (document 6 GBA), the Disputes Chamber of the GBA notifies X of the complaint, which is ready for substantive treatment. The complaint itself is expressed in the electronically completed form (document 3, same file), in which the complainant states:

"X has been using this for a long time, more than a year after the entry into force of the Framework Protection Act of personal data from July 30, 2018, they still have not applied any adjustment for this. Attached you will find the form for the customers as proof. As a citizen you do not have a choice and they process this from a lot of customers, by definition this is a high risk, moreover I want to request the DPIA (GBEB) privacy analysis which is an obligation for processing high-risk data for citizens".

As part of preparing the case for hearing, X filed detailed submissions in which it defends itself with regard to the issue of explicit consent (document 13 GBA).
The contested decision (document 39 GBA) is entitled "lack of transparency in the privacy statement of an insurance company".

The GBA does not dispute that the question of legitimate interest was only raised orally at the hearing, where the complainant was not present.

The GBA concludes: "With regard to the representation, in the PV, of the general question regarding the legitimate interest that X relies on to process data other than health (as well as X's brief answer), X did not formulate any reservations or objections."

The GBA adds: "On March 25, 2020, the Disputes Chamber, with due observance of the judgment of 19 February 2020 of your Court [3], informed X of the intention to proceed with the imposition of an administrative fine, and communicated the contemplated amount thereof, in order to hear X about this before the sanction was actually imposed (document 30)."

6.3. In accordance with the WOG, the Disputes Chamber of the GBA is seized in one of the following ways (Article 92):
1° by the frontline service, in accordance with Article 62, §1, for the treatment of a complaint;
2° by a concerned party lodging an appeal pursuant to Articles 71 and 90 against measures taken by the inspection service;
3° by the inspection service after it has concluded an investigation in accordance with Article 91 §2.

[3] Marktenhof, 19 February 2020, roll no. 2020/1471.

6.4. The official report of the hearing of 28 January 2020 (document 25 GBA) shows that the members of the Disputes Chamber orally asked the question "what constitutes the legitimate interest that X invokes and on which the processing of non-health data would be based". The official report then mentions X's oral answer, after which the decision followed from the Disputes Chamber that there was no reason to reopen the debates (see for this).

6.5.
The GBA has opted to provide an exceptionally low-threshold system for submitting a complaint, in particular by filling out an online form. This method involves a danger, namely that the complaint is (often) not formulated in a legally responsible manner but rather in the terms of the complainant, who often limits himself to putting "in the picture" or citing an alleged fact.

If the Disputes Chamber of the GBA then decides that the complaint can be handled, but does not adjust the formulation of the complaint and does not articulate the stated facts according to the possible infringements of the privacy legislation sensu lato with indication of the relevant articles of law, it can leave the data subject in the dark about the actual legal scope and possible consequences of the complaint.

The Marktenhof is of the opinion that he/she with regard to whom a complaint is being handled (which may give rise to a sanction, including an administrative fine) must have knowledge, in a clear, unambiguous and transparent manner, of the actual allegation both in fact and in law, so that he/she can defend himself/herself in a correct manner. The mention of the infringements (read: the articles of the privacy legislation sensu lato) is primordial. The sanctions that the legislator has permitted to the Disputes Chamber of the GBA require that the defender clearly knows what he has to defend against.

It certainly cannot be held against the complainant that he limits himself in his complaint to mentioning alleged facts that he believes are in conflict with privacy legislation, but it cannot be the case that the person concerned who has to defend himself is left more in the legal dark than a person who has to answer for any criminal or administrative infringement sensu lato.

6.6. The Disputes Chamber of the GBA is - after it judges that the file is ready for handling on the merits - of course allowed to sensu lato .
the possible infringements of privacy legislation (much) broader than the infringement(s) for which the initial complainant had turned to the GBA.
It must be deduced from reading these articles together that the legislator, in the administrative procedure for handling complaints, wanted to introduce a kind of procedure that has a form of comparability with legal proceedings (as regulated in the Ger. W.). The decisions of the Disputes Chamber of the GBA are purely administrative decisions, whose legal force cannot be equated with that of judicial decisions, but which should nevertheless, to the extent that this is reasonably possible, try to approach the form of a judicial decision as much as possible. To this end, it is also required that the rules of procedure, which apply to ensure that a valid decision can be reached, are followed to the extent possible. Even though the Disputes Chamber of the GBA is not a body that meets the requirements of the independent and impartial judge, it must nevertheless - in accordance with the rules of good administration that it is obliged to comply with - communicate openly and with as much equality of arms as possible with the data subject against whom it is prosecuting a complaint. It constitutes mismanagement not to inform the person concerned, prior to the treatment of the file, of the exact allegations or infringements of which he - according to the investigation conducted - could be guilty. It is for this reason that Article 95 § 2, 2° WOG states that the person concerned must be informed of the complaint. The person concerned must be able to defend "against the allegations of the complaint".
If the Disputes Chamber of the GBA is of the opinion that the infringement constitutes another fact or object than that which is described in the complaint, then it is at least (footnote 4) up to the Disputes Chamber of the GBA to make this known clearly and unambiguously to the person concerned in the convocation (provided for in Article 95 § 2 WOG), so that he/she can defend himself/herself in writing on this (through the conclusions drawn up by him or his lawyer). At the hearing, the person concerned may respond verbally to the comments from the designated member or members of the Disputes Chamber, but if the Disputes Chamber is then of the opinion that the infringement(s) is (are) broader than what was stated in the convocation, it should communicate about this very transparently and respect equality of arms and the rights of defence. The Disputes Chamber of the GBA states that X was given the opportunity to defend itself regarding the fine that the Disputes Chamber intended to impose on it. Well, in the very same context and for the same reasons, it is up to the Disputes Chamber of the GBA to reopen the debate - with the possibility for the data subject to respond again in writing and orally - on the amended allegations of infringement(s). It appears from the present documents that the Disputes Chamber has not complied with these principles of elementary, transparent good governance - in which the rights of defence are fully respected.
Footnote 4: Insofar as the Inspectorate should not (should) be seized.
The statement of the Disputes Chamber of the GBA that X was asked at the hearing (as stated in the record of the hearing) to take a position regarding the general question of the legitimate interest that X invokes to process data other than health data, and that X only formulated a brief answer to this without reservations or objections, does not adequately justify the contested decision. X had to be given the opportunity - after the complaint had been clearly formulated in writing - to submit a written conclusion thereon. After all, the reasoning of the Disputes Chamber of the GBA must be capable of being tested by the Market Court in relation to the means or arguments that the person concerned has developed in his conclusion. In the letter of 14 April 2020 (document 37 GBA) it is stated that the term for X's reply is set at 8 May 2020 at the latest, and it is added: "this term appears reasonable to the Disputes Chamber, given the rather limited scope of the Disputes Chamber's request to respond to the proposed sanction, which moreover does not imply a reopening of the debates". The circumstance that the Market Court, in a judgment of 19 February 2020 (in another case), stated that the Disputes Chamber of the GBA, before imposing an administrative fine, should inform the data subject of this intention and give him the opportunity to respond to it, does not have the consequence that the Disputes Chamber of the GBA would have a safe conduct for all other new elements (other than the imposition of a fine). The principle laid down by the Marktenhof naturally applies to all new elements that were not the subject of the complaint and the accompanying file documents as they were notified to the person concerned.
That the Marktenhof only mentioned the administrative sanction in the aforementioned judgment is, of course, (simply) due to the fact that the Court does not pronounce judgment in general terms, but only judges in a specific dispute and at least with regard to the specific points of dispute that are at issue in that dispute.
6.8. The complainant requested a DPIA (= a data protection impact assessment). That is an instrument to map out the privacy risks of data processing in advance and to take measures to reduce the risks. Now that the Disputes Chamber of the GBA has followed X's argument in this regard, this point need not be entered into.
6.9. It appears from the foregoing that the rules set out above (points 6.5 to 6.7) were not complied with. The basic plea of lack of sufficient motivation is not concretely refuted by the GBA. The invoked motives can only support a decision if they appear from the documents of the file that the authority (DPA) was able to observe. Admittedly, the GBA establishes in an unassailable manner the existence of the facts on which it relies; the consequences it deduces from this are left to its judgment and policy, but the Marktenhof checks whether the DPA has not drawn any conclusions from the facts established by it that cannot be justified on the basis of those facts. For those reasons, the contested decision disregards the rules of good administration and must be annulled.
7. Decision. The contested decision is annulled.
8. The court costs. The GBA is the unsuccessful party. The costs are set at the legal compensation for disputes that cannot be valued in money, amounting to €1,440.00.
FOR THESE REASONS, THE COURT,
Ruling in adversarial proceedings;
Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court cases;
Declares the appeal admissible and well-founded;
Annuls the contested decision number 24/2020, file DOS-2019-02902, of 14 May 2020 of the Disputes Chamber of the Data Protection Authority regarding X;
Orders the Data Protection Authority to pay the costs of the appeal, set at 1,460 euros (€20.00 Budgetary Fund + €1,440 court fee);
Condemns the Data Protection Authority, in accordance with Article 269/2 of the Code of registration, mortgage and court fees, to pay to the Belgian State, FPS Finance, the right of appeal in the amount of 400.00 euros;