APD/GBA (Belgium) - 158/2022
APD/GBA - 158/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6 GDPR Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 17(1) GDPR Article 24 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.09.2022 |
Decided: | 07.11.2022 |
Published: | 07.11.2022 |
Fine: | n/a |
Parties: | X (the data subject) Y (the controller) |
National Case Number/Name: | 158/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) (in FR) |
Initial Contributor: | n/a |
The Belgian DPA warned a controller for publishing an invoice with personal data on Facebook. The controller did not have a legal basis (Article 6 GDPR) and did not delete the invoice after the data subject requested erasure.
English Summary
Facts
A service provider (controller) published an invoice on its Facebook page which it contained last name, first name and address of the data subject. On 28 June 2022, the data subject filed a complaint with the Conseil Régional Francophone and a complaint with the police for invasion of privacy and a violation of the GDPR. Following the complaint to the police, the controller only removed the postal address on the invoice, but did not delete the last name and first name. The controller also blocked the data subject from accessing the Facebook page of the controller.
On 19 July 2022, the data subject filed a complaint with the Belgian DPA to order the controller to comply with her erasure request.
Holding
The DPA stated that an invoice obliges the controller to collect certain basic information about the data subject. The invoice has to include first names, surnames, e-mail, billing address, delivery address as well as the content of the purchases and/or the service. include first names, surnames and postal address were personal data according to the DPA (Article 4(1) GDPR). It also stated that the controller was a service provider and had to comply with requests made by data subjects under Articles 15 to 22 GDPR.
The DPA also determined that even after the data subject filed the two complaints, one at the police and one at the Conseil Régional Francophone, the first name and last name of the data subject were still visible on the Facebook page on 3 October 2022. The invoice itself was still published on the controller’s Facebook page. The name of the data subject also still appeared in some of controller’s commentary included with this Facebook post.
The DPA considered that for the processing in question (the publication of the invoice with the name of the data subject) the controller did not meet any of the conditions for lawfulness of processing (Article 6 GDPR). For the sake of completeness, the DPA examined whether the processing could have been based on ‘Legitimate interest (Article 6(1)(f) GDPR), The controller needed to meet 3 cumulative conditions to use this legal basis: the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, the necessity of the processing of personal data for the fulfilment of the legitimate interest pursued and the condition that the fundamental rights and freedoms of the data subject do not prevail (Balancing test)
Legitimate interest?
Firstly, the DPA determined that the publication of a price list of the controller’s services (in the form of an invoice) could be considered a legitimate interest for reasons of price-transparency and in order to gain customers' trust.
Necessary?
However, publishing the names and address of the data subject to fulfil this aim was not considered necessary. The DPA stated that for this necessity test, it had to be analyzed whether the same result could be achieved by other means, without processing personal data at all or without unnecessary substantial processing.
In this case, the processing only helped in labelling the data subject as someone who did not fulfill his financial obligations, which was also an attack on her person and dignity. It did not offer any added value for the purpose of price transparency. This purpose could also have been achieved without publishing an invoice with personal data. Instead, a brochure or a leaflet could have been published.
Balancing test
The DPA held that for the balancing test, the reasonable expectations of the data subject should have been taken into account regarding the processing of personal data for a particular purpose. (Recital 47 GDPR) The DPA stated that the data subject could not have foreseen the controller posting her invoice with her personal information on Facebook to provide transparency regarding its pricing. The data subject could also not have foreseen the intention of the controller to publicly settle a dispute in this way. The controller also did not seek the data subject's consent before posting the invoice on Facebook (Article 6(1)(a) GDPR). Thus, the DPA held that the controller could not rely on legitimate interest (Article 6(1)(f) GDPR) did not meet any of the conditions of lawfulness set out in Article 6 GDPR and was obliged to the delete the personal data of the data subject as soon as possible (Article 17(1) GDPR).
Moreover, the DPA stated that the means chosen by the controller (i.e., publishing an invoice on Facebook to settle a dispute and display prices) put the responsibility principle into question (Article 24 GDPR). These measures did not seem to ensure that processing was carried out in a way compliant with the GDPR and other data protection laws.
Thus, the DPA held that the controller failed to comply with Articles 12(3) and 12(4) and 17(1) GDPR and ordered the controller to comply with the data subject’s request to data erasure. (Article 95(1)(5) LCA) The controller did prima facie failed to comply with Article 6 GDPR and Article 24 GDPR. Therefore, the DPA issued a warning (pursuant to Article 95(1)(4) LCA and Article 58(2)(a) GDPR) for the controller to respect the data subjects’ erasure request and the responsibility principle in the future.
This preliminary decision on the basis of Article 95 LCA was aimed to inform the controller of the different articles she possibly breached and to enable her to comply with the data subject’s erasure request under 30 days of receiving this decision ((Article 58(2)(c)) GDPR).
Comment
It is most likely that the controller was some kind of medical service provider. Although the nature of the controller was not explicitly specified in the decision. This can be deducted from the wording in paragraph 25, which stated that the controller “treated”.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/13 Litigation Chamber Decision 158/2022 of November 7, 2022 File number: DOS-2022-03009 Subject: Complaint for publication on social networks (Facebook) of an invoice with mentionofthelastname/firstnameofthecustomerandpartialresponseoftheprocessingresponsible on request for erasure The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The complainant: Ms. X, hereinafter “the complainant”; . . The defendant: Y , hereinafter: “the defendant”. . Decision 158/2022 - 2/13 I. Facts and procedure 1. On July 19, 2022, the complainant filed a complaint with the Authority for the Protection of data (hereinafter “ODA”). 2. The subject of the complaint concerns the publication, on June 23, 2022, of an invoice addressed to the name of the plaintiff by the defendant on the professional Facebook page (public page) of the latter. This invoice contained the following personal information: the names and first names as well as the postal address of the complainant. 3. On July 17, 2022, the complainant contacted the DPA to obtain information following the publication of his invoice on the defendant's professional Facebook page. 18 July 2022, the APD provides response elements and communicates the various procedures available to the complainant. 4. On July 19, 2022, the complainant replies to the email from the DPA and attaches the complaint form supplemented by appendices to support her comments: she indicates that she has exercised her rights with the data controller (the defendant); having filed a complaint, on June 28, 2022, to the Francophone Regional Council of […] (hereinafter “Z”) and, on July 1, 2022, to the police for invasion of his privacy and violation of the GDPR (PV number (...)). The complainant explains also that, following the complaint lodged with the police, the defendant, on the one hand, withdrew the July 12, 2022 from his professional Facebook page some of the information personal data appearing on the invoice, except for his first and last names, and on the other hand, blocked his access to said Facebook page. 5. On September 5, 2022, the Service de Première Ligne (hereinafter “SPL”) declares the complaint inadmissible "on the ground that the processing complained of has ceased" because the defendant deleted the identification data of the complainant. On the same date, the complainant informed the SPL that his surnames/first names are always mentioned on the professional Facebook page of the defendant. 6. On September 9, 2022, the SPL claimed proof of the facts invoked, namely "copy/capture screenshot of the invoice which is always present on the professional Facebook page of the […] containing [the] name [of the complainant] and the details of the services performed on [her] (...)”. the September 12, 2022, the complainant sends a screenshot of the disputed publication. 7. On September 13, 2022, the SPL asked the complainant to send it a copy of the publication in another format because the screenshot received is not readable and does not allow not to read the information published by the defendant. The Complainant sends by email two documents in PDF format containing the screenshots of the contentious publication. Decision 158/2022 - 3/13 8. On September 15, 2022, the DPA SPL declares the complaint admissible on the basis of Articles 58 and 60 of the LCA, and sends it to the Litigation Chamber in accordance with article 62, § 1 of the ACL. II. Motivation 9. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data. 10. Pursuant to Article 33, §1 of the LCA, the Litigation Chamber is the body for ODA administrative litigation. It receives complaints that the SPL forwards to it in application of Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60 paragraph 2 of the LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and which fall within the competence of the ODA. 11. Pursuant to articles 51 and s. of the GDPR and Article 4, § 1 of the LCA, it is up to the Litigation Chamber as an administrative litigation body of the DPA, to exercise effective control of the application of the GDPR and to protect the freedoms and rights fundamental rights of natural persons with regard to processing and to facilitate the free flow personal data within the Union. 12. On the basis of the facts described in the complaint file as summarized above, and on the er powers attributed to it by the legislator under Article 95, §1 of the the LCA, the Litigation Chamber decides to proceed, on the one hand, to take a decision er in accordance with Article 95, § 1, 5° of the LCA, more specifically to order the controller to comply with the complainant's request to exercise its right to erasure (Art. 17.1 GDPR), on the other hand, to a warning in accordance with Article 95, § 1, 4° of the LCA; for the reasons set out below. 13. The Litigation Chamber notes that the complainant raises the refusal by the head of the processing to follow up on the request to exercise their right to erasure. 14. Firstly, it appears from the documents in the file that the complainant does not provide proof of the exercise of his rights with the controller as stipulated in the complaint form; filed a complaint on June 28, 2022 with the Francophone Regional Council […] (hereinafter “Z”)and July 1, 2022 to the police for invasion of his privacy and violation of the GDPR (PV number: (...)). Decision 158/2022 - 4/13 15. The Litigation Chamber also notes that the complaints filed with Z and the police relate to the publication of an invoice – mentioning the surnames and first names as well as the postal address – of the complainant on the professional Facebook page of the manager of the treatment: “therefore, I wish to lodge a complaint against this […] for […] having published 1 in public mode my personal data on his Facebook page. " or " [...] file a complaint of injury to life and violation of the GDPR against named Y 2 [...] » . 16. The Litigation Chamber understands that the complainant has had to exercise her right to erasure (Art. 17.1.c of the GDPR), especially since she filed a complaint with the Z and the police; but that the controller has only partially responded to his request in deleting only the postal address appearing on the invoice published on the page Professional Facebook. 17. The Litigation Chamber recalls that Article 4(1) of the GDPR defines “data to be personal character” as “any information relating to a natural person identified or identifiable (hereinafter referred to as the "data subject"); is deemed to be a "identifiable natural person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, an online identifier, or to one or several specific elements specific to its physical, physiological, genetic, psychological, economic, cultural or social. 3 18. A “processing” of personal data means, according to the GDPR, “any operation or any set of operations whether or not carried out using processes automated and applied to personal data or sets of data personnel, such as collecting, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of making available, the 4 reconciliation or interconnection, limitation, erasure or destruction”. 5 19. GDPR Article 4(7) defines “controller” as “the person physical or legal entity, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing”. 20. As the EDPB pointed out in Guidelines 07/2020 on the notions of controller and processor, the controller may be 1 2A reproduction of the complaint filed with Z. 3A reproduction of the complaint lodged with the police (report number: (..)). GDPR, art. 4.1).; Opinion 4/2007 of the “article 29” working group on data protection on the concept of personal data, adopted on June 20, 2007, available at https://cnpd.public.lu/dam-assets/fr/publications/groupe-art29/wp136_fr.pdf. ; Cf. the Nowak judgments 4CJUE, 20 December 2017, C-434/16, ECLI:EU:C:2017:994) and Breyer (CUJE, 19 October 2016, C-582/14, ECLI:EU:C:2016:779). 5GDPR, Art. 4, 2). GDPR, recitals 74, 79 and 81; GDPR, art. 4. 7), 4.8), 24, 26, 28, 29. Decision 158/2022 - 5/13 designated by a legislative or regulatory text. Otherwise, to identify it, it should analyze the factual elements or circumstances of the case, in particular determine its legal and organizational capacity, as well as its autonomy in the definition of the purposes, i.e. the objectives pursued, and the means of processing. 21. The Litigation Chamber recalls that the data controller must follow up on the request made pursuant to Articles 15 to 22 of the GDPR by the complainant, in this case a request for erasure provided for in Article 17 of the GDPR (exercise of the right to deletion), in compliance with the conditions set out in Article 12 of the GDPR .7 22. The Litigation Chamber also emphasizes that it is the responsibility of the controller to provide the complainant with information on the measures taken following a request formulated in application of Articles 15 to 22 of the GDPR, as soon as possible 8 cause within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the controller inform the complainant of this extension and the reasons for the postponement within one month from receipt of the request. 10 23. In the event that the data controller does not respond to the request made 11 by the complainant, he shall inform the latter without delay and at the latest within one month from from receipt of the request, the reasons for its inaction and the possibility to lodge a complaint with a supervisory authority and to lodge an appeal jurisdictional. 24. In this case, the Litigation Chamber recalls that the invoice, whatever its format, obliges the data controller to collect certain basic information concerning the customer (in this case, an individual). The invoice will include at least: first names, names, e-mail, billing address, delivery address as well as the content of the purchases and/or the service. In accordance with article 4.1) of the GDPR, the surnames, first names and address postal correspond to personal data. 25. The Litigation Chamber understands that the defendant is at the origin of the provision of service (in this case, she treated […]) but also invoicing; and, as such, it must, as data controller, respond to the request made in application of Articles 15 to 22 of the GDPR by the complainant. 6EDPB, “Guidelines 07/2020 concerning the notions of controller and processor in the GDPR”, adopted on 7 July 2021. 7GDPR, Art. 12. 8 GDPR, Art. 12.2 and 12.3. 9GDPR, Art. 12.3. 1 GDPR, Art. 12.3. 1 GDPR, Art. 12.4. Decision 158/2022 - 6/13 26. Secondly, it is apparent from the documents in the file that the publication at issue – the invoice mentioning the surnames/first names of the complainant – is always published on the Facebook page of the controller on October 3, 2022 at 10:56 a.m. (time er Belgium), despite the complaints lodged with the Z (June 28, 2022) and the police (July 1 2022). It also notes that the complainant's surname/first name still appears in the comment from the controller. 27. In addition, the Litigation Division notes that the controller indicates in his comment published on his professional Facebook page the following sentence: “having no worries about exposing my rates, I attach your invoice to this comment”. Figure 1 - Screenshot of October 03, 2022 at 10:56 a.m. (Belgian time - following URL address […]) Figure 2 - Screenshot of 03 October 2022 at 10:56 (Belgian time - following URL address […]) Decision 158/2022 - 7/13 28. The Litigation Chamber recalls that the GDPR clearly sets out the principle of responsibility, according to which the data controller is obliged to implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR and other laws of protection of personal data. 12 29. The Court of Justice of the European Union in its judgment of 13 May 2014, Google Spain and Google, also recalls that "the data controller must ensure, within the framework of its responsibilities, competences and possibilities, that the processing of data in question satisfies the requirements of Directive 95/46 so that the guarantees provided for by it can develop their full effect and that effective and of the persons concerned, in particular their right to respect for private life, can actually be carried out”.3 30. The Litigation Chamber also emphasizes that the processing is "lawful only if, and in provided that at least one of the following conditions is met: a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is party or the execution of pre-contractual measures taken at the latter's request; c) processing is necessary for compliance with a legal obligation to which the controller treatment is submitted; d) the processing is necessary to safeguard the vital interests of the data subject or another natural person; e) processing is necessary for the performance of a task carried out in the public interest or falling within the the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller processing or by a third party, unless the interests or freedoms and rights fundamentals of the data subject which require data protection to be 14 personal nature, in particular when the person concerned is a child. [...] » . 31. In the present case, the Litigation Division finds that the publication as a whole, apart from know the publication of the invoice with the surname/first name of the complainant as well as the mention in the comment of his name/first name on the professional Facebook page of the controller, constitutes processing of personal data at the meaning of Article 4, 1) of the GDPR, in the context of which the principles of data protection 1GDPR, recital 74. ; GDPR, art. 5, §2 and 24. 13 Conclusions of Advocate General Y. Bot, 24 October 2017, in the case ULD c. Wirtschaftakademie Schleswig-Holstein, item 44; see also C.J.U.E., 13 May 2014, Google Spain SL and Google Inc v. Spanish Agency for the Protection of Datos and Gonzales, case. C-131/12, points 38 and 83. 1 GDPR, Art. 6, §1. Decision 158/2022 - 8/13 must apply to any data relating to an identified natural person or identifiable. 32. The Litigation Chamber questions the publication of an invoice from a client (a particular) with mention of the surname/first name on social networks, in this case the page professional Facebook (public page) of the controller, and the lawfulness of this treatment. The Litigation Chamber considers that the controller does not respond to none of the conditions of lawfulness provided for in Article 6 of the GDPR. For the sake of completeness, the Chamber nevertheless examines whether the processing of data could be based on the basis 15 of lawfulness of the “legitimate interest” provided for in Article 6.1, f) of the GDPR. 33. In accordance with Article 6.1, f) of the GDPR and the case law of the Court of Justice of the Union European Union (hereinafter “the Court”), three cumulative conditions must be met in order to that a data controller can validly invoke this basis of lawfulness, "to namely, firstly, the pursuit of a legitimate interest by the controller or by or third parties to whom the data is communicated, secondly, the need for the processing of personal data for the fulfillment of the legitimate interest pursued and, thirdly, the condition that the fundamental rights and freedoms of the person concerned by data protection do not prevail” 34. In other words, in order to be able to invoke the basis of lawfulness of “legitimate interest” in accordance with Article 6, §1, f) of the GDPR, the controller must demonstrate that: 1) the interests it pursues with the processing can be recognized as legitimate (the “ finality test”); 2) the envisaged processing is necessary to achieve those interests (the “necessity test”); and 3) the weighing of these interests against the fundamental interests, freedoms and rights data subjects weighs in favor of the data controller (the “test of weighting”). 35. With regard to the first condition (the "finality test"), the Litigation Chamber considers that the purpose of publishing the rates applied by the person responsible for the treatment during its services (transparency on prices) to gain the confidence of customers, must be considered as having been carried out with a view to a legitimate interest. 15CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA „Rīgas satiksme”, recital 28. See also CJEU, 11 December 2019, C-708/18, TK c/ Asociaţia de Proprietari bloc M5AScaraA, recital 40.; Data Protection Authority, Litigation Chamber, 30 October 2020, substantive decision 71/2020 (§68), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf. 16Data Protection Authority, Litigation Chamber, 30 October 2020, substantive decision 71/2020 (§69), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf. Decision 158/2022 - 9/13 In accordance with recital 47 of the GDPR, the interest that the defendant was pursuing as controller can in itself be considered legitimate. The first one condition set out in Article 6.1.f) of the GDPR is therefore fulfilled. 36. With respect to the second condition (the “necessity test”), the head of the processing must demonstrate that the processing is necessary for the achievement of the purposes pursued. This means more precisely that one must ask oneself if the same result not be achieved by other means, without processing personal data or without unnecessary substantial processing for data subjects. 37. Starting from the purpose, namely the publication on social networks of the tariffs applied by the controller, it should therefore be checked whether the publication of the invoice with the indication of the surname/first name of the complainant supported by a comment which resumes new name/first name may or may not contribute to the transparency of the prices applied by the controller. 38. However, the publication of the invoice with the indication of the surname/first name of the complainant supported by a comment which again takes up his surname/first name is not the only consequence of the person concerned being described online as a bad payer or even a injure his person and his dignity in the event of a dispute. More importantly, this method does not offer any added value in the display of the prices charged by the person in charge of the processing (price transparency). If the controller's intention is to allow potential customers, through this practice, to know the rates, the Room Litigation argues that this purpose can also be achieved without publication an invoice with the complainant's identification data but rather with a brochure or prospectus which only mentions the prices per service The second condition is not met. 39. With regard to the third condition (the "weighting test"), one must first take account of the reasonable expectations of the person concerned, in accordance with recital 47 GDPR. In particular, it must be assessed whether "the data subject can reasonably expect, at the time and in the context of data collection, to personal character, that they are processed for a given purpose”. 40. The Litigation Chamber finds that the Complainant could at no time expect that his invoice is published with his surname/first name to meet a principle of transparency of the prices applied by the data controller, even less in the intention to publicly settle a dispute arising from a dispute. Moreover, the 17 https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf.au fond 71/2020 (§70 to 72), available at 1GDPR, Recital 47. ; CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari blocM5A-ScaraA, recital 58.; authority of data protection, Litigation Chamber, 30 October 2020, decision on the merits 71/2020 (§73 to 75), available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-71-2020.pdf. Decision 158/2022 - 10/13 controller does not appear to have requested, under Article 6, §1, a) of the GDPR, the consent of the complainant to publish the invoice with his name/surname on social networks, in this case “Facebook”. The third condition is therefore not met. no more. 41. The Litigation Division considers that all of the elements set out above demonstrate that the controller cannot invoke article 6.1, f) of the GDPR to qualify the publication of the invoice with mention of the surname/first name of the complainant on its page Facebook professional lawful. Therefore, the data controller seems not to comply with the requirements of article 6 of the GDPR and must respond favorably to the complainant's request to exercise the right to erasure: he has the obligation to erase, in as soon as possible, the personal data of the complainant (art. 17.1. of the GDPR). 42. Finally, the Litigation Division points out that the means chosen by the head of the processing (in this case, posting on the defendant’s professional Facebook page the invoice of a customer with mention of his name / first name to illustrate the rates applied and / or settle a dispute) make it difficult for the principle of liability provided for in Article 24 of the GDPR. These measures defined by the data controller do not seem to be of to ensure that the processing is carried out in accordance with the GDPR and other laws of Protection of personal data. 43. Ultimately, in view of the aforementioned examination, the Litigation Chamber concludes that the controller has not, prima facie, complied with Articles 12.3 and 12.4 of the GDPR, as well as Article 17.1 of the GDPR, which in this case justifies taking a decision on the basis of Article 95, § 1, 5° of the LCA, more specifically to order the controller to comply with the complainant's request to exercise its right to erasure (Art. 17.1 of the GDPR) and to erase data from personal character in question (i.e. the invoice with the indication of the surname/first name of the plaintiff supported by a comment that again includes his name/first name). 44. The Litigation Chamber also concludes that the controller did not, prima facie, complied with Articles 6 and 24 of the GDPR, which in this case justifies carrying out the er takingadecisiononthebasisofarticle95,§1,4°oftheLCA,morespecificallytoaddress has responsible for processing a warning within the meaning of Article 58.2.a) of the GDPR so that the latter ensures, in the future, to respond to requests for the exercise of human rights concerned and to respect the principle of responsibility. 1GDPR, recital 74. ; GDPR, art. 5, §2 and 24. Decision 158/2022 - 11/13 45. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant, within the framework of the “procedure prior to the substantive decision” 20 and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA. 46. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 47. If, however, the controller does not agree with the content of this prima facie decision and believes that he can make factual and/or legal arguments which could lead to another decision, the latter may address to the House Litigation a request for processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of the this decision. If necessary, the execution of this decision will be suspended. during the aforementioned period. 48. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, the this decision is permanently suspended. 49. In the interests of transparency, the Litigation Chamber finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL .1 20Section 3, Subsection 2 of the LCA (arts. 94 to 97 inclusive). 2Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the Public Prosecutor's Office of Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 158/2022 - 12/13 III. Publication of the decision 50. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the data controller for substantive processing, in accordance with articles 98 e.s. of the ACL: - pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the controller to comply with the data subject's request to exercise their rights, within 30 days of notification of the this decision; - pursuant to Article 58.2.a) of the GDPR and Article 95, §1, 4° of the LCA, to pronounce on against the data controller a warning; - to order the data controller to inform the Data Protection Authority by e-mail data (Litigation Chamber) of the follow-up given to this decision, in the same deadline, via the e-mail address litigationchamber@apd-gba.be; and - if the data controller does not comply in good time with what is requested above, to deal ex officio with the case on the merits, in accordance with Articles 98 p.s. of the ACL. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be 2The request contains under penalty of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or number business; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the application; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. Decision 158/2022 - 13/13 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 23 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (se). Hielke H IJMANS President of the Litigation Chamber 23 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to court clerk or filed at the court office.