APD/GBA (Belgium) - 188/2022
From GDPRhub
| APD/GBA - 188/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(1) GDPR Article 5(1) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6 GDPR Article 6(1)(f) GDPR Article 12(1) GDPR Article 12(4) GDPR Article 17 GDPR Article 17(1) GDPR Article 17(1)(c) GDPR Article 17(3) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 38 GDPR Article 38(1) GDPR Wet van 30 juli 2018 betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 22.02.2022 |
| Decided: | 18.12.2022 |
| Published: | 21.12.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 188/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA determined that the creator of a Television series did not have to erase scenes in which a personalised license plate of a car was shown. The data subject had a similair personalised licence plate and requested the controller to erase the licence-plate from the series, which the creator had refused because of its artistic freedom and the freedom of expression.
English Summary
Facts
The data subject used a personalised license plate for his car, which he used for his business. The data subject was the sole owner of his comapny and did not have any employees. The personalised license plate he was using referred to Galatasaray, a well known Turkish football club. The producer of a television show (controller) used a similair licence plate on a similar looking car displayed in certain scenes of the series. This car in the series belonged to a fictional character, who was part of a fictional criminal organisation. The son of this fictonal character was a fan of Galatasaray. (48)
In Belgium, the registration of (personalised) licence plates is conducted by a federal institution. Using the webiste of this institution, people could verify if a licence plate was already in use by someone else, without disclosing the identity of the user.
The data subject asked the controller to remove this license plate from the TV show, because people recognised the licence plate of the data subject as the one appearing in the TV show Because of this, people also associated the data subject with the fictional criminal organisation from the show, according to the data subject. The controller refused to remove the licence plate because the license plate did not constitute personal data. In case that the licence plate was personal data, the controller stated that it was allowed to use this licence plate because of the freedom of (artistic) expression. The controller also claimed that the similarities between the data subject's licence plate and the one in the TV show were purely incidental.
The data subject filed a complaint on 22 February 2022. Among other things, the data subject stated that he had not received a general privacy policy after the refusal to remove the licence plate from the show. The controller stated that it had not provided the policy because it determined that there was no processing of personal data. The controller also stated that the data subject never requested this privacy policy in his erasure request.
Holding
Is a licence plate personal data (Article 4(1) GDPR)? (15 - 25)
The Belgian DPA determined that the licence plate was personal data (Article 4(1) GDPR). The DPA considered the 4 cumulative elements that consititute personal data: any information which (1) relates to, a (2) an identified or (3) identifiable (4) natural person.
The DPA started by acknowliging that a licence plate could constitute indireclty identifiable data. (20) In order to determine if a data subject was identifiable, the DPA stated that it should consider all resources which are likely to be used by the controller to identify data subjects. For this assessment, all objective factros should be taken into account, such as costs and time required for the controller for identification of the data subject. (21)
The DPA determined that the controller could have navigated to the website of the Federal institution to check if this licence plate was already in use, without knowing the identity of the data subject. However, for family, neighbours and aquitances, the licence plate could have been used to identify the data subject. The DPA concluded that the data subject was identificable, also looking at the purpose of the processing, which was the appearance of the vehicle in the TV show. The DPA also considered the way the processing took place, which was the publication of the TV series on one of the biggest TV networks of Belgium, as well as the availabillity of of this show on streaming services.
The DPA also determined that that the license plate was data relating to a natural person even though the licence plate was registered to a company car. Since the company was a one person business belonging to the data subject, and other people could not determine whether the licence plate was registred on the company name on the the name of the data subject, the DPA determined that the licence plate belonged to a natural person. (25)
Did the controller violate Articles 5(2), 24(1), 25(1) and 25(2) GDPR.
The DPA confirmed that the controller did not know the identity of the data subject while making the TV show. (39) The DPA also determined that the erasure request of the data subject did not contain a request to recieve a privacy policy. The controller did therefore not violate Article 5(1)(a) GDPR because it did not have to provide a privacy policy.
The DPA also concluded that that there was no evdence provided the investiagtion service to support the claim that the controller had also violated the other principles under Article 5 and Articles 24 and 25 GDPR. The DPA therefore concluded that there was no violation of Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 25(1) GDPR and Article 25(2) GDPR.
Was the controller's processing lawfull? (Articles 5(1)(a) and 6 GDPR)
The DPA also assessed if the controller could rely Article 6(1)(f) GDPR for its processing. This processing had to be based on a (1) legitimate and (2) necessary purpose. Also, a (3) balancing test between the legitimate interest and the rights and freedoms of the data subject had to be conducted. The controller would have to show that it's interests outweighed those of the data subject.
The DPA noted that the controller fulfilled the first and second criterium. (1) The interest of the controller was the creation of the TV - show, which is based on the freedom of artistic expression protected by the constitutional right of freedom of expression. The use of this fictional licence plate was purely an artistic expression. (2) The second criterium was also fulfilled, looking at the artistic goal to emphasise the connection with Galatasary and the artistic freedom to choose a suitable manner for this goal. (3) When conducting the balancing test, the DPA detrmined that the risk to the data subject is very minimal. Only his personal and business contacts link the license plate to the data subject. There is no link between the fictional character of the TV show and the data subject. On top of that, the TV show contained a disclaimer at the end that any link between the production and reality is purely incidental. The controller also had no knowledge of the existence of the license plate of the data subject. It should have been clear to the personal and business contacts of the data subjects that there was no link between the data subject and the TV show. Lastly, the data subject chose to create a personalised license plate based on a well-known Turkish football club. It was foreseeable that this data could also be used for artistic purposes. The fact that the controller could have used a different license plate did not make the present processing unlawful, since It fell under the freedom of artistic expression. In this case, the freedom to artistic expression outweighed the protection of personal data of the data subject. Therefore, the DPA determined that there was no breach of Article 5(1) GDPR and Article 6(1)(f) GDPR.
Did the controller violate Article 17 GDPR?
The DPA then assessed whether the right to erasure under Article 17 GDPR should have been executed by the controller. The DPA referred to Article 85 GDPR, which allowed the national regulator to reconcile the right to data protection and freedom of artistic expression. The Belgian law of 30 juli 2018 did not include exceptions for among others, artistic purposes. However, the DPA held that Article 17(3) GDPR explicitly foresees in this exception. These exceptions do not have to be translated into national law to be applicable.
The DPA stated that Article 17(1) GDPR grants the right to erasure, unless, as specified in Article 17(1)(c) GDPR, there is an overriding interest of the controller. This overriding interest is linked to the compelling legitimate interest of Article 21(1) GDPR. However, Article 17(3)(a) GDPR foresees in an exception for freedom of expression. A balancing between these rights must thus be made. The DPA determined that freedom of expression is granted by Article 10(1) ECHR and Article 11(2) CFR. Freedom of expression also includes artistic expression (ECHR, 25 May 1998, 10737/83, Müller and Others v. Switzerland, § 27 and ECJ, C-460/20, § 62).
The DPA held that the car and its license plate constituted an artistic expression of the controller. The football club Galatasaray well known. As such, it was not impossible to image the license plate being used for a fictional character. It was also plausible that both the controller and data subject have followed the same reasoning to choose the license plate (i.e. showing affinity and association with the football club). There was no link between the data subject and the controller, nor was there a link between the data subject and the fictional character. And while identification of the data subject wass possible through the national registry of license plates, this registry was not freely available. Thus, it was impossible for the controller to identify the data subject. And even though the controller is free to chose another license plate, it was her freedom of expression to chose this specific one. The data subject could have reasonable foreseen that others could have used the license plate as well. The DPA held that the usage of both license plates is purely coincidental and that there is no breach of Article 17 GDPR.
Then, the DPA assesses whether the controller did not adequately inform the data subject as stipulated in Article 12(1) GDPR and Article 12(4) GDPR. The controller states that even though she did not refer to the specific grounds of [[Article 17 GDPR#3a|Article 17(3)(a) GDPR], she did clearly state in her reply on which grounds she decided to not erase the license plate. The DPA holds that the controller should have been more comprehensive in her answer, and included the specific legal grounds. The fact that the data subject was being represented by legal council and thus up to date regarding the applicable legislation was deemed irrelevant. The principle of transparency remained applicable to the controller. As such, the DPA concluded a breach of Article 17(1) GDPR, but it only being a minor one. The DPA warned the controller to pay more attention to this in the future.
The DPA then assessed whether the controller is able to demonstrate its compliance with the GDPR as described in Article 5(2) GDPR. The Inspection Service asked the controller a general question to demonstrate compliance. The controller answered this question in a general sense, without explaining their procedures in depth. The Inspection Service thus stated that the controller couldn't demonstrate its compliance sufficiently and was thus in breach of Article 5(2) GDPR, Article 24(1) GDPR, Article 25(1) GDPR and Article 25(2) GDPR.
The DPA states that the Inspection Service should conduct its inspection in a loyal manner. If a response by a controller is not sufficiently concrete, it comes to the Inspection Service to specifically ask for clarification. It is not easy for a controller to answer in a comprehensive way to a general question. The DPA holds that the inspection conducted by the Inspection Service was not sufficiently concrete and thus it would be disproportional to conclude a breach of the GDPR based on this research. The DPA assesses independently if the GDPR is breached. The DPA also clarifies that a breach of Article 5(2) GDPR does not automatically lead to a breach of Article 5(1) GDPR
The DPA confirms that the controller does not fall under one of the three categories under Article 37(1) GDPR and it is not mandatory for the controller to appoint a DPO. However, this does not exonerate the controller from the responsibilities under the GDPR. The DPA holds that the controller proved that it did take the necessary measures to ensure compliance with the GDPR. The DPA holds that Article 38(1) GDPR and Article 39 GDPR have not been breached.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/29
Litigation room
Decision on the substance 188/2022 of 21 December
2022
File number : DOS-2022-00944
Subject: Publication of a number plate without permission
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The complainant: Mr X, represented by Mr. Hans Leyssen, office in
2000 Antwerp, Franselei 104, hereinafter “the complainant”
The defendant: Y, represented by Mr. Bob Les, Mr. George Report and Mr. Elizabeth Van
Nerum, office at 3000 Leuven, Sint-Maartenstraat 61 bus 2, hereinafter
“the defendant” Decision on the substance 188/2022 - 2/29
I. Factual Procedure
1. On 22 February 2022, the complainant submits a complaint to the Data Protection Authority
against the defendant.
The complainant owns a car with a personalized number plate through his BV,
of which he is the sole business manager. In an audiovisual production of the defendant
a similar car with the same personalized license plate portrayed as
the car of a criminal organization dealing in narcotics. The license plate
according to the complainant, clearly legible, recognizable and can be found in the
episode. The complainant is approached very regularly about this, both by business and
private relationships. However, the complainant says he is a carpenter and does not want to be associated
with the criminal environment. He also did not give permission to the defendant to
use his license plate. The complainant asked the defendant for the
license plate from the mounting, but the defendant refused to do so
based on her right to artistic expression.
2. On March 10, 2022, the First Line Service declares the complaint admissible on the basis
of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG
submitted to the Disputes Chamber.
3. On March 22, 2022, in accordance with Article 96, § 1 WOG, the request of the
Disputes Chamber to carry out an investigation transferred to the Inspectorate,
together with the complaint and the inventory of the documents.
4. The investigation by the Inspectorate will be completed on 26 April 2022, the report reads
appended to the file and the file is transferred by the Inspector General to
the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject of the complaint and decision
that there is:
1. a breach of Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1)
paragraph 2 of the GDPR; and
2. a breach of Article 12 paragraph 1 and paragraph 4 of the GDPR, Article 17 of the GDPR, Article 24 paragraph
1 of the GDPR and Article 25(1) of the GDPR.
The report also contains findings that go beyond the subject of the complaint.
In general terms, the Inspectorate also notes:
3. Violation of Article 38(1) and Article 39 of the GDPR.
5. On 29 April 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for treatment on the merits. Decision on the substance 188/2022 - 3/29
6. On 29 April 2022, the parties involved will be notified by registered mail
of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG.
they are informed of the time limits for their
to file defenses.
As regards the findings relating to the subject matter of the complaint, the
deadline for receipt of the statement of defense from the defendant
recorded on 10 June 2022, those for the complainant's reply on 1 July 2022
and finally those for the defendant's statement of reply on 22 July 2022.
The deadline for receipt of the statement of defense from the defendant with
regarding the findings outside the subject of the complaint was set at 10
June 2022.
7. On June 10, 2022, the Disputes Chamber will receive the statement of defense from the
defendant with regard to the findings relating to the subject matter of the
complaint. This statement also contains the response of the defendant regarding the
findings made by the Inspectorate outside the scope of the complaint.
With regard to the first infringement, the defendant argues that in the present case the
fictitious license plate does not constitute personal data as it is a reference
refers to a very well-known Turkish football club, which means that there can be at most
of a coincidental resemblance to the complainant's license plate without this being one
processing of one of his personal data. If there were anyway
a processing of personal data of the complainant, the defendant is of the opinion that it
did not have to comply with his request for data erasure, since the license plate
which is used on the carriage in the fiction series was created by one's own
artistic choices of the complainant pursuant to Article 17(3)(a) GDPR. With respect to
the second finding is that the defendant does indeed not have a privacy policy
since the defendant was not aware that the complainant had a car
with the same number plate, and therefore did not know that she had the personal data of the
complainant would handle. Finally, the defendant argues that Article 37(1) GDPR does not apply to her
applies, which means that no data protection officer has been appointed.
However, five (one per department) privacy managers have been appointed.
8. On 4 July 2022, the Dispute Chamber receives the conclusion of the reply from the complainant, for which
concerns the findings with regard to the object of the complaint
that the use of the personalized license plate in the fiction series is indeed a
processing of personal data within the meaning of the GDPR and that this processing
unlawfully occurred without the defendant being able to rely on the
exception for the right to freedom of expression and information
including artistic expression. Decision on the substance 188/2022 - 4/29
9. On 22 July 2022, the Litigation Chamber receives the defendant's statement of rejoinder
with regard to the findings relating to the subject-matter of the complaint in which they
re-explains its arguments from the first statement of reply. In addition
the defendant formulates replies to the complainant's arguments. Thus states the
defendant that the method of identification proposed by the complainant is cumbersome
and would therefore constitute a breach of the GDPR. Then argues the
the defendant in what way the exception from article 17, paragraph 3, a) GDPR applies to her
is.
II. Motivation
II.1. Definition of “personal data”
Findings in the Inspection Report
10. In the course of the Inspectorate investigation, the defendant raised the situation
of the complainant does not involve the processing of his personal data. The Inspection Service
concludes, however, that in this case there is indeed the processing of personal data
In this context, the Inspectorate refers to one of the defendant's documents in which it
itself states that “a registration plate constitutes a personal data”. In addition, the GBA
on its website explicitly states the following: “also information that does not allow a
identify a person directly (e.g. a name), but indirectly (e.g.) a
number plate is personal data.” The Inspectorate makes a decision based on this
elements that the defendant does indeed have the personal data of the complainant
incorporated. The defendant disputes this conclusion.
Defendant's position
11. The defendant disputes the finding of the Inspectorate that it would have acknowledged that
the number plate constitutes personal data. This finding is according to the
defendant incorrect. Although it certainly does not deny that a number plate is one
constitute personal data, it argues that this is not the case in the present case.
The defendant argues that the license plate in question was created on the basis of artistic
choices that were made in the context of the relevant audiovisual production
fictional character to whom the license plate belongs is a member of a family of
enthusiastic supporters of a great Turkish football team. The license plate was through
designed by the defendant itself on the basis of the data of this football team (i.e. the
name and year of establishment). The fact that this fictitious license plate corresponds to the
the license plate of the complainant, according to the defendant, is purely coincidental
not know that this license plate already existed and to whom the license plate was assigned
used to be. For the sake of completeness, the defendant points out that at the end of each episode the
The following disclaimer is included: “The program is completely fictional. Any Substantive Decision 188/2022 - 5/29
agreement with actual persons, companies or events is based on pure
coincidence".
Position of the complainant.
12. The complainant argues that the license plate in question is indeed his personal data
matters, as it is far from fictional, invented or specially designed by the
defendant. The registration plate was issued by the Vehicle Registration Service
assigned to the complainant. In addition, the complainant argues that the complainant's car and the
car from the audiovisual production are similar.
13. The complainant refers to the definition of “personal data” and “processing” in Article 4
AVG and states that these definitions in no way imply the existence of any intentional element
on the part of the controller. The complainant claims that a
vehicle registration plate is an essential information carrier on the basis of which the
natural person who always drives the vehicle indirectly
identified. This is even more the case when personalizing these
license plate is based on the ethnicity and the favorite football club of the
person concerned. According to the complainant, this view is confirmed by the first-line services
the Inspection Service of the GBA.
14. Contrary to what the defendant claims, it is very simple, according to the complainant
identify him by his license plate. The complainant alleges that use
must be made from the online publicly available application of the Belgian
Common Guarantee Fund, where after entering a specific
number plate the insurance data (such as the BA insurers and the policy number) is possible
find out a vehicle that has the relevant number plate on a certain date
wore. Subsequently, you can contact the third-party liability insurer concerned
statement of the policy number and the date of a self-invented accident or another
excuse to find out the identity of the insured, being the BV Arisol. Then can
one can check via the Crossroads Bank for Enterprises who is the manager of this BV.
Since the BV Arisol is a sole proprietorship, the defendant can verify the identity of the
easily identify the complainant. The complainant therefore argues that the defendant has done so in advance
investigation could and should have been carried out to determine the identity of the complainant.
Review by the Litigation Chamber
15. The Litigation Chamber reminds that the GDPR does not apply to the processing of
all types of data, but only on the processing of personal data.
According to Article 4(1) GDPR, personal data is “any information about a
identified or identifiable natural person (“the data subject”); if
identifiable is a natural person who can become directly or indirectly Decision on the substance 188/2022 - 6/29
identified, in particular by an identifier such as a name, a
identification number, location data, an online identifier or one or more
elements characteristic of the physical, physiological, genetic, psychological,
economic, cultural or social identity of that natural person”.
16. There are 4 elements in the definition of personal data:
1) relate to
2) an identified or
3) identifiable
4) natural person.
17. If there is to be personal data, the data must, in principle, relate
have on a natural person. Data refers only to a natural
person when identified or identifiable. A person is
identified when it is unique from all other individuals within a group
is distinguished. A person is identifiable when it has not yet been identified,
but it can be done without disproportionate effort.
18. To establish the identity of a person is generally used
data that has a unique, personal relationship to that person, so-called
'identifiers'. Identifiers can include data such as a name, address
and date of birth. These data, in combination with each other, are so unique for one
certain person, date a person on the basis of it with certainty or high probability
can be identified. This is called directly identifying data.
Persons can also be identified on the basis of other, less direct
identifiers, such as appearance, social and economic characteristics and online
identifiers. Although this data in itself usually does not lead to the identification
of a person, they can be through their interrelationship or through linkage to others
data lead to this. This is called indirectly identifying data.
19. In short, whether a data is also a personal data within the meaning of Article 4(1) GDPR for a
controller, therefore depends on whether the data or the
data that the controller processes enable him to inform someone
directly or indirectly identified. When the person is not yet identified (if there is
no directly identifying data are processed) the
controller determine whether the person is not still identifiable.
20. As already mentioned, the data in question concerns a registration plate, which is a
indirectly identifying information. When assessing whether there is
identifiability in this case, the Litigation Chamber refers to Recital 26 of the
AVG. Decision on the substance 188/2022 - 7/29
21. Recital 26 of the GDPR explains that to determine whether a natural person
is identifiable, all means of which must be taken into account
can reasonably be expected to be used by the
controller or by another person (a third party) for the natural
person directly or indirectly. To determine whether of means reasonably
it is to be expected that they will be used to identify the natural person,
account must be taken of all objective factors, such as the cost of time
necessary for identification, taking into account the technology available on it
time of processing and technological developments.
22. The Opinion 4/2007 on the concept of personal data of the Working Party on Data Processing
states the following in this regard: “[i]f, taking into account "all means of which
it can reasonably be assumed that they are processed by the controller or
another person", whose possibility of identification does not exist or is negligible,
the person should not be considered "identifiable", and the information should not be considered
"personal data" are considered. The criterion of "all means of which
it can reasonably be assumed that they are processed by the controller or
byanotherperson"shouldtakeparticularaccountofallinvolvedfactors.The
Cost of identification is one factor, but not the only one. It must be taken into account
with the intended purpose, the way in which the processing is structured, the by
the controller expected benefit, the risk of organizational
dysfunction and technical malfunctions.” (free translation)
23. The registration and allocation of number plates is done by the Registration Service
of Vehicles, of the Federal Public Service Mobility. The Disputes Chamber determines
that via the website of the Federal Public Service Mobility the availability of a
personalized license plate can be verified. If the defendant
website would have consulted, it could have determined that the intended
registration plate was already in use, without, however, revealing the identity of its holder
However, for family, neighbors and acquaintances, that personalized license plate is
a means that can be used to identify the complainant (for further justification
read marginals 24 and 25 below). The Litigation Chamber reminds that, such as
set out by the Data Processing Group 29, when analyzing whether a piece of data is also a
personal data, the intended purpose and manner must be taken into account
on which the processing is structured. By the purpose of the processing in question
(prominently appearing in a well-known audiovisual production) and the manner in which this
processing has taken place (a well-known audiovisual production, the broadcast op
1 Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, 20 June 2007.
2https://www.mobilit.fgov.be/WebdivPub/wmvpstv1?SUBSESSIONID=3228997. Decision on the substance 188/2022 - 8/29
one of the largest TV channels in Flanders as well as the availability of this
production on streaming services), the Disputes Chamber concludes that the complainant
is identifiable.
24. With regard to the fourth element ("natural person"), this means that data about
partnerships, partnerships and other legal/legal entities
individuals are not protected as such by the GDPR. The Court of Justice has
nevertheless held that "insofar as the official title of the juridical person is one or more
natural persons", the legal person under Articles 7 and 8 of
the Charter of Fundamental Rights of the European Union can claim the
protection of data related to him. 5 Since the GDPR is a
is an elaboration of the overarching safeguards contained in these Charter provisions
laid down, such protection for legal entities can also be provided by the GDPR
arise, although this protection does not concern the legal person as such, but the
natural person(s) who form it, and probably mainly occurs in
cases where the legal entity is in fact a sole proprietorship or a small family business with
6
a transparent "company veil".
25. The Litigation Chamber determines that the vehicle and registration plate are registered in the name
of BV Arisol as a legal person, and not in the name of the complainant as a natural person.
However, this BV is a sole proprietorship that does not have a fleet of vehicles,
so that there is a direct link between the license plate and the complainant. Since
the complainant, as a natural person, uses the car with this specific number plate,
he is associated by his environment with this car with license plate without it
this environment is aware of whether the car is registered in the name of his sole proprietorship,
or in the name of the complainant as a private person. In view of the above, the
Litigation Chamber that the license plate in the specific circumstances of the present
case constitutes a license plate.
II.2. Article 5 of the GDPR, Article 24(1) of the GDPR and Article 25(1) and (2) of the
AVG
3 Article 7: Everyone has the right to respect for his private and family life, his home and his
communication.
4
Article 8:
1. Everyone has the right to the protection of his personal data.
2. These data must be processed fairly, for specified purposes and with the consent of the data subject or
on the basis of any other legitimate basis provided for by law. Everyone has the right to inspect the information
data collected and rectification thereof.
3. An independent authority monitors compliance with these rules.
5 In this regard, see CJEU, Cases C-92/09 and 93/09, Schecke, § 53, Case C-419/14, WebMindLicenses, § 79 ; Case T-670 /
16, Digital Rights Ireland, §25.
6
L.A. BYGRAVE and L. TOSONI, « Article 4(1) Personal Data » in C. KUNER et.al. « EU General Data Protection Regulation, a
commentary, Oxford University Press, 2020, p. 111. Decision on the substance 188/2022 - 9/29
Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR
26. Since the Disputes Chamber has come to the conclusion that the license plate under the
circumstances of this case constitutes personal data, means that it is displayed
of this personal data in the audiovisual production constitutes processing. The
The defendant argues that she was not aware that she was processing personal data. The
Litigation Chamber draws attention to the presence or absence of an intention
does not constitute a criterion for the processing of personal data within the meaning of Article 4(2)
AVG. Regardless of whether it was the defendant's intention to use the personal data
process, is the mere fact that the license plate was indeed displayed in the
audiovisual production is sufficient to classify this as processing that in
accordance with the basic principles of data protection as understood
in Article 5 GDPR must be done.
27. As controller, the defendant is obliged to provide the
to observe data protection principles and must be able to demonstrate that these
principles are adhered to (accountability - Article 5(2) GDPR).
28. In addition, also in its capacity as controller, it must:
take necessary measures to ensure and be able to demonstrate that the processing is in
is carried out in accordance with the GDPR (Articles 24 and 25 GDPR).
29. In the context of its investigation into accountability, the Inspectorate
sent the following to the defendant to provide the following documents:
“A copy of [the defendant's] documents on the measures and decisions
that were taken to ensure compliance with the processing principles
to safeguard personal data with regard to the complainant on the basis of Article 5, Article
24(1) and Article 25 of the GDPR.”
30. The defendant has formulated an answer to this but, according to the
Inspectorate, no documents showing what measures and decisions were taken
taken to safeguard the principles governing the processing of personal data
specific to the complainant based on Article 5, Article 24(1) and Article 25(1)
and paragraph 2 of the GDPR. The Inspectorate notes in its report that the transferred
documents relate to the principle of transparency in Article 5(1)(a) GDPR, but
that the defendant does not clarify how the other principles of Article 5 (1) GDPR
7 Article 4 GDPR: “For the purposes of this regulation:
[…]
2) “processing” means any operation or set of operations relating to personal data or set of
personal data, whether or not carried out through automated processes, such as collecting, recording, organizing,
structure, store, update or modify, retrieve, consult, use, provide by transmission,
distribute or otherwise make available, align or combine, block, erase or destroy
data” Decision on the substance 188/2022 - 10/29
are guaranteed. Moreover, the Inspectorate concludes that certain elements
not concretely explained by the defendant, such as or the complainant, whose
personal data were processed by the defendant, effectively has a copy
received from its general privacy policy. During the investigation, the defendant states that
it has not processed any personal data. The Inspectorate does not follow this view and states
that the defendant does process personal data. The Inspectorate refers here
to the webpage of the Data Protection Authority
(https://www.dataprotectionauthority.be/burger/privacy/lexicon) on which stated
states that “even information that does not allow to identify a person directly (e.g.
a name), but indirectly (e.g. a number plate) is personal data”.
As a result, the Inspection Service concludes that there is an infringement of article 5, article
24 (1) and Article 25 (1) GDPR.
31. In its conclusions, the defendant disputes this finding. The defendant clarifies that
it considered that it was not processing any personal data in this case. Furthermore, the
the defendant on what steps it will take in the event of similar processing operations
of personal data, namely the processing of number plates in other audiovisual
8
productions when it is of the opinion that it is processing personal data.
32. The Disputes Chamber states that the Inspectorate is charged as an investigative body of the GBA
investigating complaints about and serious indications of violations of the
European and Belgian legislation on personal data, including the AVG. One of
the ways in which the investigation is conducted is free of all useful information and
provide documents. This possibility leaves the controllers
and/or processors to explain and demonstrate what measures have been taken to protect the
comply with applicable law.9
33. In the context of examining compliance with the Fundamental Principles and the
accountability, as understood in Article 5 of the GDPR, the Inspection Service has a
general request addressed to the controller to transfer the following
to make:
“A copy of [the defendant's] documents on the measures and decisions
that were taken to ensure compliance with the processing principles
to safeguard personal data with regard to the complainant on the basis of Article 5, Article
24(1) and Article 25 of the GDPR.”
34. The Disputes Chamber notes that the Inspectorate's question relates to processing
of the complainant's personal data, namely the publication of a registration plate
8
see infra.
9 Charter of the Inspection Service, August 2022, available online at
https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf Substantive decision 188/2022 - 11/29
an audiovisual production. The defendant claims that she has no such document in this case
previously transferred to the complainant because it was of the opinion that no
personal data was processed, and moreover, that it also does not dispute that this registration plate
was assigned to a person and certainly not to whom this license plate
had been granted. Furthermore, the defendant prepares the documents that it uses
when it does – consciously – process personal data of data subjects. As above
explained, the Inspectorate is of the opinion in this case that certain information, which is for the
Inspection service is essential to arrive at a good assessment, is missing. Consequently
the Inspectorate ruled that there had been a violation of article 5,
Article 24 (1) and Article 25 (1) and (2) GDPR.
35. The Disputes Chamber recalls that an investigation by the Inspectorate on a
must be done in a loyal manner. If the answer of the controller
is not sufficient for the Inspectorate, it normally falls to the
Inspection service to clarify on which points more information is requested. This
this can be done, for example, by asking more specific questions about a certain subject or by
to request specific documents or information. After all, it is for the
controller is not always easy to apply in such a general and broad way
ask to formulate a comprehensive answer or provide the exact documents that the
Inspectorate wishes to investigate. If the Inspectorate should ask more specific questions
stated or requested concrete documents and the
controller and has not been able to provide the requested information
it to the Inspectorate to report a violation of accountability such as
understood in Article 5, paragraph 2 and Article 24, paragraph 1 and Article 25, paragraph 1 and paragraph 2 GDPR. The
The Disputes Chamber notes that the Inspectorate did not ask any additional questions
on specific subjects and that no specific documents were produced
requested in order to arrive at a proper assessment of the case. The
The Litigation Chamber therefore concludes that the Inspectorate's investigation is not sufficiently specific
conducted with regard to this finding. Consequently, the Litigation Chamber comes to the
conclusion that it is disproportionate in this case for a violation of Articles 5, 24, paragraph 1 and
25 (1) and (2) GDPR on the basis of a general question in the context of the
accountability, which was answered by the defendant, without further notice
follow-up questions from the Inspectorate. It is up to the Inspectorate to determine on the basis of
due diligence investigation any shortcoming of Article 5, Article 2(1) and Article 25,
Paragraphs 1 and 2 GDPR to be demonstrated by the defendant.
Article 5 (1) GDPR
36. The Disputes Chamber finds that, based on the answer provided by the
defendant in the context of the investigation, the Inspectorate comes to the conclusion that Decision on the substance 188/2022 - 12/29
there is a breach of all fundamental principles relating to the protection of
personal data as stipulated in Article 5 (1) GDPR. Although Article 5(1) and (2) GDPR
are closely related means any violation of the
accountability of Article 5 (2) GDPR is not automatically also a violation of
Article 5, paragraph 1 GDPR
document compliance with the substantive principles of the GDPR
to show. Both elements must therefore be assessed separately.
37. The Litigation Chamber notes that the Inspection Report only contains findings regarding
the principle of transparency as understood in Article 5(1)(a). The Disputes Chamber will then
also address this finding. As already explained above, the
Inspectorate finds that certain elements are not explained in concrete terms by the
the defendant, such as or the complainant, whose personal data were processed by the
the defendant has actually received a copy of its general privacy policy.
38. In its conclusions, the defendant disputes the findings of the Inspection report. Side pose
that within its organization various privacy responsibles have been appointed per
department, also for the fiction department. When the defendant's writing the
the complainant received via the info address (so not via a specific e-mail address intended for
privacy matters) it has made every effort to be accurate and timely
answer. Furthermore, the defendant reiterates that it does not deny that a license plate is a
personal data may matter, but that this is not the case in this case. Then the light
to the defendant what appropriate and technical organizational measures it takes to
to ensure that, in relation to audiovisual productions, the personal data of
data subjects are processed in accordance with the GDPR. So it ensures that in cases
in which there could be the processing of personal data in her
audiovisual productions by filming and subsequently displaying a
existing number plate of a data subject who does not have permission for this
given, these relevant scenes are deleted, trimmed or the license plate
is made illegible (for example by means of blurring). In addition, in other cases where
personal data of data subjects are processed in the context of an audiovisual
production (and that is mainly the case in non-fiction productions), is the common one
working method within the organization of the defendant that either, for those involved who have a
play a greater role in production, in the agreements with them the necessary
provisions on data protection are included, either, for data subjects who
fulfill a smaller role or a short-lived participation within the production, a shortened
'quit claim' is signed. Include both aforementioned contracts and quit claims
clauses related to the processing of personal data. These documents
are provided to the parties involved and explained prior to the collaboration
between the defendant and the data subject, together with the General Privacy Policy. In the Decision on the substance 188/2022 - 13/29
In the case of the complainant, there is no signed contract or quit claim, since
the defendant did not assume at all that any personal data was being processed, late
that she knew at all whose personal data it concerned. It is also true after that
the writing of the complainant's counsel of the General Privacy Policy was not addressed to him
transferred by the defendant. This reflex was not created for the sake of that
the defendant was first of all convinced that this was not about the
processing of personal data. The defendant argues that if the
Litigation Chamber would nevertheless be held that a processing of personal data
of the complainant has taken place, she wishes to emphasize that this situation, where there
an alleged processing of personal data has taken place without the
data subject was informed about this and without having read the General Privacy Policy
received, constitutes a one-off and isolated case that is inconsistent with the
common practice regarding the policy on the protection of personal data
on behalf of the defendant.
39. The Litigation Chamber finds that the defendant, in the creation of the audiovisual
production was not aware of the identity of the complainant, as holder of the
personalized license plate.
40. The Inspection Report then finds that the Respondent has failed to
General Privacy Policy to be passed on to the complainant after he has had contact with her
taken with a request that his license plate be removed from production. The
The defendant argues that she did not make this reflex because she believed that there was no question
was of processing of personal data. The Disputes Chamber notes that in this letter
only the data erasure request is included. The defendant could not
reasonably expect that the complainant also wanted to receive the General Privacy Policy
when the letter from the complainant requesting the erasure, none
request or reference to the General Privacy Policy.
41. In view of the above, the Disputes Chamber rules that there is no question of a
violation of the principle of transparency as understood in Article 5 (1) a) GDPR for what
concerns not transmitting the General Privacy Policy.
42. The Litigation Chamber finds that the Inspection Report constitutes a violation of all
basic principles of Article 5. This violation arises from the alleged non-
compliance with the above accountability obligation. The Disputes Chamber points out that
the determination of an alleged breach of all fundamental principles regarding
data processing based on an alleged determination of the
accountability is disproportionate. Consequently, the Litigation Chamber concludes that the
determination of the Inspectorate regarding these principles is not sufficiently substantiated by Decision on the substance 188/2022 - 14/29
evidence that makes further treatment of these findings impossible
the Disputes Chamber is of the opinion that there is no infringement of the above
Articles 5, 24 (1) and 25 (1) and 2 GDPR.
II.3. Article 5(1)(a) and Article 6 of the GDPR regarding legality
43. In its conclusions, the complainant argues that the contested processing took place without
consent and is therefore unlawful within the meaning of Article 5, paragraph 1, a) GDPR. Deklagerstel
that he did not give permission to the defendant for worldwide exhibition
of his personalized number plate, so that the processing of his personal data
is unlawful under Article 6 GDPR.
44. The complainant argues that a weighing of interests between, on the one hand, the right of the complainant to
protection of his personal data and, on the other hand, the legitimate interest of the
defendant, namely freedom of expression and information (including freedom of
artistic expression) also results in a rating against
latter.
The Litigation Chamber recalls that, in order to rely on this legal basis from Article 6(1)(f)
GDPR to be able to rely on the processing of personal data, it must
legitimate interest of the controller or third parties
balanced against the interests or fundamental rights and freedoms of the
data subjects. The legitimate interest is closely related to – but different from – it
concept of processing purpose, which must be specific pursuant to Article 5(1)(b) GDPR. While it
'purpose' relates to the specific reason why the data is being processed, i.e.
the purpose or intention of the data processing, the concept of 'interest' is related to
the wider interest that a controller may have in the processing, or
the benefit to the controller — or a third party, which is not necessarily as
co-controller needs to be qualified — from the processing
11
fetches.
45. In accordance with article 6, paragraph 1, f) of the GDPR, the case law of the Court of Justice should
three cumulative conditions must be met for a
controller can validly rely on this
ground of legitimacy, “namely, in the first place, the defense of a
legitimate interest of the controller or of the third party(ies)
to whom the data are provided, secondly, the need for the processing
of the personal data for the purposes of the legitimate interest, and, in the
10
cf. Section A.1 of the dismissal policy of the Litigation Chamber.
1 CJEU Judgment of 11 December 2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064,
para. 44. See also decision 21/2022 of 2 February 2022. Decision on the substance 188/2022 - 15/29
third, the condition that the fundamental rights and freedoms of the
data protection of the person concerned does not prevail” (judgment “Rigas”) .12
46. In other words, in order to rely on Article 6(1)(f) of the GDPR
the legal ground of the “legitimate interest”, the
to demonstrate to the controller that:
1) the interests it pursues with the processing can be justified
be recognized (the “goal test”);
2) the intended processing is necessary for the fulfillment of these interests
(the “necessity test”); and
3) the balancing of these interests against the interests, fundamental
freedoms and fundamental rights of data subjects in favor of the
controller or a third party (the “balancing test”).
47. In the present case, the Disputes Chamber finds that the interest of the defendant consists of
creating audiovisual productions as an exercise of her artistic expression, which becomes
enshrined in the constitutionally protected freedom of expression. In view of this
personal data of the complainant are processed.
48. Artistic expression includes creating fictional characters and their
living world. In doing so, the defendant can use public data, as in the present case
the case is. The license plate matches the fictional character, whose son is a fan of the
Turkish football club Galatasaray S.K., which was founded in 1905. Consequently, the use of
this license plate under the design of a fictional character a
exclusively artistic expression. In the opinion of the Disputes Chamber there is none
doubt that the purpose test from the case law of the Court of Justice is met. Having
on the artistic aim of emphasizing the link with the football club and the freedom for the
defendant in this context to choose a suitable remedy, the
Litigation Chamber that the necessity test is also met.
49. With regard to the balancing test, the interest of the complainant consists in the protection of his
personal data and the related fact that he is addressed about
the similarity between his license plate and the fictional license plate.
50. As far as the interests of the complainant are concerned, the Disputes Chamber states that it has little
it is plausible that the bearing is greatly hindered by the similarity
only personal and/or business relationships are the agreement between the two
discover number plates and confront the complainant with this. The audiovisual
1 CJEU Judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rigas pašvaldības SIA
'Rīgas satiksme', C-13/16; ECLI:EU:C:2017:336, para. 28-31. See also CJEU Judgment of 11 December 2019, TK v/ Asociaţia
de Proprietari bloc M5A-ScaraA,C-708/18, ECLI:EU:C:2019:1064,para. 40.
13While the concept of “purpose” should be read in the light of the previous points of this decision. Decision on the substance 188/2022 - 16/29
production is fictitious and, moreover, there is no other link between the complainant and the fictitious
character. In addition, each episode indicates that it concerns a fictional production
and that any similarity with persons is purely coincidental. In this regard, the
Litigation Chamber that, despite the matching license plates, there are no others
resemblance, similarity or any other link exists between the fictional character and
the complainer. In this context, the Disputes Chamber also points out that the defendant has no
knew of the existence of the complainant's license plate, so
inspiration. The creation was therefore independently created by the defendant.
51. Consequently, the Disputes Chamber concludes that it is for this personal or business
relations it should be clear that the complainant has no connection whatsoever with milieus
in which the fictional character from the audiovisual productions moves.
52. The Disputes Chamber also points out that the complainant has opted for a
license plate, consisting of public data linked to a
football club known worldwide. It could therefore have been foreseen by the complainant that
this data could be used for artistic purposes. The
circumstance that the defendant as a program maker does not necessarily have this
number plate could have used does not make the disputed processing unlawful
would be on the basis of Article 6(1)(f) GDPR. The choice to shape a character
the hand of a certain cultural background with reference to a very
meaningful football club within this culture, falls under the freedom of the artistic
form of expression.
53. In view of the above, the Disputes Chamber concludes that in this case the interest of the
artistic expression of the defendant outweighs the right to protection
personal data of the complainant. Therefore, the defendant complies with the
balancing test. The data was therefore allowed to be processed. The question to what extent the
possible adverse consequences for the bearing could have been limited by used
exercising the right to erasure is discussed below in Section II.4.
54. The Disputes Chamber therefore concludes that there is no infringement of Article 5,
paragraph 1, a) and Article 6, paragraph 1, f) GDPR.
II.4. Violation of Article 12(1) and (4) of the GDPR, Article 17 of the GDPR, Article 24(1)
of the GDPR and Article 25 (1) of the GDPR
55. The Inspectorate finds that the defendant has fulfilled the obligations imposed by Article 12,
has not complied with paragraphs 1 and 4, Article 17, Article 24 paragraph 1 and Article 25 paragraph 1 of the GDPR. The
In this context, the Inspectorate first of all points to the fact that the complainant's request for
to erase his personalized license plate from the audiovisual production
rejected because of the “right to artistic expression”, without clarifying the substance Decision 188/2022 - 17/29
which provision of Article 17 (3) GDPR is invoked. Second, according to the
Inspectorate does not make this explanation transparent in accordance with Article 12, paragraph 1 and paragraph 4
AVG since it is not clear to the complainant on what exact basis his investigation
was refused and, furthermore, no mention was made of the possibility of lodging a complaint
serve at the GBA. The Disputes Chamber will first reject the refusal to proceed to
assess data erasure and subsequently the resulting transparency obligations
from Article 12 GDPR.
II.4.1. Article 17 of the GDPR, Article 24 (1) of the GDPR and Article 25 (1) of the GDPR
56. The Disputes Chamber points out that on 5 January 2022 the complainant submitted its request for
performed data erasure with regard to the defendant, which refused
was made by the defendant on the basis of her freedom of artistic expression.
57. The Inspection Service establishes in its Inspection Report that the erasure of data is unlawful
was refused by the defendant. The Inspectorate hereby refers to the law of30
July 2018 on the protection of natural persons with regard to the
processing of personal data 14 (hereinafter: Law of 30 July 2018). This law provides
exceptions to the rights of the data subjects for processing of
personal data for, among other things, "artistic forms of expression". The
However, the Inspectorate emphasizes that those exceptions do not apply to the
Articles 12, 17, 24 and 25 of the GDPR. In addition, those exceptions must be read
in view of article 85, paragraph 2 of the GDPR and thus effectively “necessary for the right to
to reconcile the protection of personal data with the freedom of
expression and information”. The complainant endorses this view in its conclusions.
58. The defendant disputes this finding of the Inspectorate. She leads in her
conclusions that the law of July 30, 2018 in article 24 indeed provides that a number
provisions of the GDPR do not apply “to processing of personal data
for journalistic purposes and for academic, artistic or literary purposes
forms of expression”. The defendant first enters into the determination of the
Inspectorate that Article 17 of the GDPR does indeed not appear in the enumeration of
the articles of the GDPR to which the exceptions from the law apply.
59. In this regard, the defendant refers to the Explanatory Memorandum accompanying the bill
of the Law of 30 July 2018 clarifying the following: “[t]he draft law
informs the controller for journalistic, academic, artistic or
literary purposes are not exempt from the obligation to exercise the right to be forgotten
to the person concerned (Article 17 of the Regulation). Article 17.3 of the GDPR
14
Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, BS 5 September 2018. Substantive decision 188/2022 - 18/29
itself states that the right to be forgotten does not apply to processing
purposes of free expression and free information. The regulation is therefore direct
applies and it is therefore not necessary for the law to recreate that exemption.”15
60. This position was also followed by the Council of State, stating:
“Article 29 (current Article 24) rightly does not state that it does not apply to
the processing of data for journalistic, academic, artistic or literary purposes
purposes, as that exclusion is already provided for in paragraph 3(a) itself of that
article 17”.
61. The Litigation Chamber refers to the structure of Article 85 GDPR that the general assignment
formulates to the (national) legislator to watch over the reconciliation of the relationship
between freedom of expression and the protection of personal data. The
The Belgian legislator has regulated this relationship in the law of 30 July 2018. Article 24
of this law states that for processing for journalistic, academic, artistic or
literary purposes, certain rights of the data subject do not apply. The law
refers in this context to Articles 7 to 10, Article 11(2), Articles 13 to 16, 18 to
20 and 21 (1) GDPR. After all, there is no such exception for these articles in the GDPR
provided for processing of personal data for journalistic, academic,
artistic or literary purposes. Article 24 of the law of 30 July 2018 states the
controller for journalistic, academic, artistic or literary
purposes, however, are not expressly exempt from the obligation to exercise the right to erasure
(“right to be forgotten”) to the data subject (Article 17 GDPR). A
such explicit exemption is also not necessary since, as rightly so
noted by the defendant, Article 17(3) GDPR is directly applicable in the
Belgian law.
62. Based on the above, the Disputes Chamber adopts the position of the
the defendant and is of the opinion that Article 17(3) GDPR itself provides the possible grounds for exception
provides for the right to erasure, without having to read them again in the
law of 30 July 2018.
63. The Litigation Chamber refers to Article 17(1) of the GDPR, which stipulates that the data subject
has the right to obtain from the controller without unreasonable delay
to obtain the deletion of the personal data concerning him. Based on the same
point c), the controller is obliged to process the personal data
15
Draft law of 11 June 2018 on the protection of natural persons with regard to processing
of personal data, Parl.St. Room No. 54-3216/001, 54.
16Advice of 19 April 2018 of the Council of State, Legislation Division on a draft law 'regarding the
protection of natural persons with regard to the processing of personal data”, Parl.St. Senate No.
63.192/2, 80, No. 4.4; Draft law of 11 June 2018 on the protection of natural persons with regard to
to the processing of personal data, Parl.St. Chamber no. 54-3216/001, 54. Decision on the substance 188/2022 - 19/29
without undue delay, including when the data subject
object to the processing in accordance with Article 21 (1) GDPR and does not object
prevailing legitimate grounds for the processing. Such as
set out above, the complainant has a request pursuant to Article 17(1)(c) GDPR
addressed to the defendant.
64. However, Article 17(3)(a) GDPR states that Article 17(1) GDPR does not apply when
such processing is necessary for exercising the right to freedom of
expressions information. This article provides an exception rule right away
balancing of interests between two fundamental rights, namely the balance between the right to
freedom of expression and information on the one hand and the right to protection of
personal data on the other. It is on this ground that the defendant refused
to implement the request for erasure of the complainant.
65. In the context of the present file, the Litigation Chamber will thus verify whether the request for
data deletion in accordance with 17 (1) c) GDPR rightly refused by the defendant
became pursuant to Article 17 (3) (a) GDPR and in particular whether the right to freedom of
information, on the one hand, and the right to the protection of personal data,
on the other hand, are properly balanced against each other.
66. The Disputes Chamber points out that in this case the complaint was lodged against the
defendant as a production house, which, among other things, makes fictional audiovisual productions.
First of all, the Disputes Chamber reminds that the right to freedom of expression
and information is protected by Article 10(1) of the European Convention on the
Human Rights (hereinafter: “ECHR”). “This right includes the freedom to hold an opinion
and freedom to receive or impart information or ideas, without
interference by any public authority […]" and the equivalent Article 11 of the
Charter of Fundamental Rights of the European Union (hereinafter: “Charter”), paragraph 2 of which
in particular guarantees respect for freedom and pluralism of the media.
67. As also cited by the defendant, the right to freedom of expression is true
Article 17(3)(a) GDPR refers to does not only apply to certain species
information, ideas or forms of expression such as of a political nature, it also includes artistic
18
expressions. The European Court of Human Rights (ECtHR) also stated: “[d]e
confirmation, to the extent still necessary, that this interpretation is correct is provided by the
second sentence of paragraph 1 of Article 10 (Art. 10-1), which refers to "broadcasting, television or
cinema companies", media whose activities extend to the field of
the art. A confirmation that the concept of freedom of expression also includes artistic expressions
can also be found in Article 19(2) of the International Convention on
17See CJEU judgment of 24 September 2019, G.C et al. v CNIL, ECLI:EU:C:2019:773, § 56 et seq.
18 ECtHR, 25 May 1988, 10737/83, Müller and Others v. Switzerland, § 27. Decision on the substance 188/2022 - 20/29
civil and political rights, that information and ideas "in the form of art"
19
expressly includes the right to freedom of expression. ” Consequently, resort
expressions of art expression under the protection of Article 10 ECHR and Article 11 of the
charter.
68. As already mentioned, the present case is about the trade-off between the right to liberty of
expression and information, and in particular freedom of artistic expression, of the
defendant (Article 10 ECHR and Article 11 Charter) and the right to protection of
personal data of the complainant (Article 8 of the Charter). So it is one
balance of fundamental rights.
69. In this context, the Disputes Chamber refers to the case law of the Court of Justice in the
under the takedown requests to search engines, most recently the judgment
Google, C-460/20. 20 In this, the Court states: “The circumstance that Article 17(3)(a)
AVG expressly stipulates that the right to erasure of data belongs to the data subject
excluded when the processing is necessary for the exercise of the activities referred to in Article 11
the right to, inter alia, freedom of information guaranteed by the Charter
expression of the fact that the right to the protection of personal data is not absolute
right, but, as has been emphasized in recital 4 of this Regulation, needs to be considered
in relation to its function in society and in accordance with it
The principle of proportionality must be balanced against other fundamental rights. [..]In the GDPR,
and more specifically in Article 17(3)(a), there is thus an explicit requirement that there
a trade-off must be made between those set out in Articles 7 and 8 of the Charter
enshrined fundamental rights to respect for private life and to the protection of
personal data on the one hand, and what is guaranteed by Article 11 of the Charter
fundamental right to freedom of information on the other.”
70. The answer to the question which of these two rights is heavier in the specific case
weighs, must be found by weighing up all relevant
circumstances of the case. This assessment must be done in one go
considers that either right, having regard to all relevant circumstances,
outweighs the other right, entails that the other right is infringed
law satisfies the necessity test of the relevant paragraph 2 of Article 8 and
Article 10 ECHR, as specified in Article 52 of the Charter.
71. The judgment in Karatas v. Turkey of the ECtHR that the freedom of artistic
expression includes the following: “particularly within the freedom to share information and ideals
receiving and transmitting, which provides the opportunity to participate in the public
19 ECtHR, 25 May 1988, 10737/83, Müller and Others v. Switzerland, § 27. See also CJEU, C-460/20, § 62.
20
CJEU, 8 December 2022, ECLI:EU:C:2022:962, §§ 60-62.
21 ECtHR, VGT Verein gegen Tierfabriken v. Switzerland, 28 June 2001, § 68. Decision on the substance 188/2022 - 21/29
exchange of cultural, political and social information and ideals of all kinds. They who
creating, performing, distributing or exhibiting works of art contribute to the exchange
of ideas and opinions that are essential for a democratic society. Hence the
obligation on the state not to unnecessarily infringe on their freedom of
22
expression” (free translation).
72. The defendant argues that the choices made to select the characters of the
to shape audiovisual production under the freedom of artistic expression
fall. The Defendant has made the creative choice to select certain of her characters
a Turkish background, with a family passionately supporting the
Galatasaray football club with a car with a personalized number plate that refers to this one
club refers. The defendant clarifies in this regard that the letters and numbers of the
number plate refer to the name of the club itself and the founding year 1905.
73. On the other hand, the complainant argues that this license plate was assigned to him, as a result of which this
his personal data. With the publication of this license plate, he is recognized by his
contacts (both private and business) about possible ties with a criminal
gang, as the fictional character with this license plate would have ties to it
criminal environment.
74. The Litigation Chamber finds that the conception of the character in question, with his
car and license plate, is an expression of the defendant's artistic freedom.
Galatasaray is a very well-known club with a very large fan following, especially in the
Turkish community. Consequently, it is not inconceivable that, when creating a fictional
Turkish character and his background and world references to one of the greatest
and most popular Turkish football clubs are included. The defendant made one
choice, partly in view of the limited space on a license plate, for public data
from which it is immediately clear that it concerns that football team, namely the abbreviation of the
name and the year of establishment. These are data that the Turkish community immediately
associates with the football team in question.
75. It is therefore plausible that an identical
license plate was chosen by the complainant. The Disputes Chamber notes that,
apart from the corresponding license plate, there is no link between the complainant and
defendant. The personal data was not collected or obtained from the complainant and there is
also no other link between the complainant and the fictional character and the milieu in which they find themselves
are located.
76. That the combination of these data through the assignment of the registration plate by the
Vehicle Registration Service has been given a personal character for the complainant
22 ECtHR, Karatas v. Turkey, 8 July 1999, § 49. Decision on the substance 188/2022 - 22/29
according to the Disputes Chamber, this does not detract from the public character of the club and the
artistic thought process based on which the character with his car with
registration plate has been established.
77. The Disputes Chamber notes in this regard that the information relating to the allocation
number plates is also not freely available. The aforementioned website of the Service
Registration Vehicles allows you to check whether a particular vehicle has been personalized
license plate is still available. It was also impossible for the defendant to
identity of the holder of this particular number plate.
78. The complainant argues that publishing the number plate is not necessary in a
democratic society. When assessing the condition of necessity goes
the ECtHR takes a global approach. One has to look at the tension between
both rights in the context of the entire case.23 The Disputes Chamber notes that the
the defendant could have checked whether this personalized license plate was still available via
the aforementioned website of the Vehicle Registration Service. The circumstance
that the defendant, as a program maker, could not necessarily have used this number plate
using,but could have chosen another,doesn't prevent this creative choice from being made
under the artistic expression as protected in Article 10 ECHR.
79. With regard to the complainant's grievances regarding the fact that he is being treated in this regard
addressed by family, friends and business relations, the Disputes Chamber notes that
only people from the complainant's environment can make the link between the car and the car
person of the complainant, assuming that these relations enter the audiovisual production
have seen the issue and noticed the similarity between the license plates.
In addition, it is also explicitly stated with each delivery that any agreement with
persons or organizations is purely coincidental. In addition to using the
matching license plate in the fiction series also does not become one at any point
link made to or focused on the person of the complainant, or elements quoted that
refer to him personally or to his private sphere. This is also explained by the fact
that the defendant was not, or could not be, aware of the identity of the complainant on the
moment of the creation of the audiovisual production. The Disputes Chamber notes
finally notes that the complainant has made the choice to obtain public data from a very
known club to be mentioned on a license plate. So he could reasonably expect
that this data could also be devised by other persons.
80. The Disputes Chamber therefore decides that the agreement between the two license plates
coincidentally based on a parallel thinking process of the complainant and the defendant to
have come about, namely expressing an identity as a staunch supporter of
23 ECtHR VGT Verein gegen Tierfabriken t. Switzerland, 28 June 2001, § 68 and ECtHR, Feldek v. Slovakia, July 12, 2001, §77. Decision on the substance 188/2022 - 23/29
Galatasaray. Both parties have used the name and the
founding year of the club, being known public data with a direct association
with the club. In view of the foregoing, the circumstances on the side of the complainant of
insufficient weight, to the right to freedom of expression, including the right to
artistic expression of the defendant, as guaranteed by Article 10 ECHR te
restrict or remove it. The Disputes Chamber concludes that there is no question
an infringement of Article 17 GDPR.
II.4.2. Article 12 (1) and (4) GDPR
81. Based on Article 12 of the GDPR, the controller must inform the data subjects
provide transparent information and, in principle, reply to them free of charge within 1 month
to request. It is essential that the information provided is understandable and easy
accessible to those involved. It is also important that the
controller the exercise of the rights of the data subjects on the basis
of Articles 15 to 22 of the GDPR. Finally, the
inform the data subjects of the rejection of their request
why that request was rejected and inform those concerned about the possibility
to lodge a complaint with a supervisory authority as well as appeal to the courts
configure.
82. The defendant argues that, although in its letter of reply to the complainant dated. 21
January 2022 has not explicitly referred to the specific legal basis of Article 17,
paragraph 3, a) of the GDPR, she has very clearly indicated in her letter of reply to
the grounds on which it decided not to comply with the request
until the erasing of the number plate in question from the fiction sequence, causing them to submit
the Disputes Chamber would nevertheless be ruled that a processing of
personal data of the complainant has taken place, still complies with her
obligation under Article 12(1) of the GDPR imposed by the controller
to, if it does not comply with the request of the data subject, the latter
“without delay and at the latest within one month of receipt of the request [to be communicated]
why the request has not been acted upon”.
83. The Disputes Chamber notes that the defendant in the aforementioned letter dd. 21st of January
2022 has explained that it believes that it should not comply with the request
erasure of data because it believes that there is no processing of
personal data. In a subordinate order, if there would nevertheless be processing
of personal data, it invokes its right to artistic expression, part
of the right of expression, in order not to erase the number plate.
In this context, the Disputes Chamber points out that the defendant must state the reasons for the refusal
to delete, without specifying the relevant decision on the substance 188/2022 - 24/29
articles of law in this regard. The Disputes Chamber rules that in this case the explanation regarding the
refusal to erase data could have been formulated more clearly
of the complainant. The additional mention of the legal articles and a more detailed
explanation could also have contributed to the clarity of the refusal.
84. In addition, the defendant argues that the complainant was represented by counsel
who was aware of the applicable legislation and therefore the possibility to collect a complaint
to the GBA, since it had already indicated that it might file a complaint
at the GBA. The Disputes Chamber takes note of this explanation, but does not consider it
convincing. As far as necessary, the Disputes Chamber reminds that this
transparency principles from Article 12 (4) GDPR apply regardless of whether the complainant
whether his counsel is aware of the complaints procedure at the GBA.
85. In view of the above, the Disputes Chamber is of the opinion that the defendant on a
could have handled the transparency obligation in a more careful manner. There is talk
of an infringement of article 12, paragraph 1 GDPR, but this infringement is not of such a serious nature
that a penalty should be imposed. It is sufficient for the defendant to
warn for the future that the transparency principles from Article 12 (4) GDPR
apply regardless of whether the complainant or his council is aware of this or not
are.
II.5. Article 38(1) and Article 39 of the GDPR
86. The Inspectorate finds that the defendant's obligations imposed by Article 38,
paragraph 1 of the GDPR and has not complied with Article 39, paragraph 1 of the GDPR. The Inspection Service
refers in this context to the following elements:
87. “For the purpose of informing and sensitizing the personnel concerned with
with regard to the processing of personal data by (employees of) [de
[respondent] was organized by the client for the necessary consultations between its employees
and its legal advisers for the purpose of preparing and implementing the necessary
documentation to comply with its obligations under the GDPR and were internally de
necessary information moments are organized to explain this. In addition, a
“Privacy and Confidentiality Policy” for Defendant's employees
drawn up and implemented, which the employees of [the defendant] must comply with
life and explaining the policy for handling confidential information,
including personal data, by these employees. You will find a copy of this policy here
attachment 3".
88. However, the Inspectorate argues that the defendant fails to demonstrate:
- what the aforementioned “necessary consultation” and “the necessary information moments” mean in practice
mean (no supporting evidence was provided for these aspects); Decision on the substance 188/2022 - 25/29
- whether and, if applicable, how its data protection officer is involved
and/or was in the creation and follow-up of the foregoing;
- whether and, if applicable, how its data protection officer is involved
and/or was involved in the creation and follow-up of the “Privacy and
Confidentiality Policy” (e.g. using supporting documents such as internal
emails);
- how compliance with the “Privacy and Confidentiality Policy” is put into practice
guaranteed. After all, imposing data protection directives is in itself
insufficient if compliance is not effectively guaranteed by the defendant
with the cooperation of its data protection officer.
89. The GDPR recognizes that the data protection officer is a key figure for what
concerns the protection of personal data whose designation, position and duties to
rules are subject. These rules help the controller to
comply with its obligations under the GDPR, but also assist the officer
data protection to properly perform its tasks.
90. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the
controller ensures that the officer for
data protection is timely and properly involved in all matters
related to the protection of personal data. Based on Article 39(1).
GDPR, the data protection officer (a) must be the controller
informing and advising on its obligations under the GDPR and others
Union or Member State data protection provisions and (b) monitor
compliance with the GDPR, other Union or Member State law
data protection provisions and of the policy of the controller
or the processor with regard to the protection of personal data, including
of the allocation of responsibilities, awareness raising and training of the
processing of personnel involved and the relevant audits.
91. The defendant emphasizes in its conclusions that, however, at the time of the
introduction of the GDPR in mid-2018 has made a well-considered decision not to appoint an official for this
establish data protection. In this respect she refers to Article 37(1) of the
GDPR in which the designation of a data protection officer becomes mandatory
made in three cases:
“1. The controller and the processor designate an officer
data protection in any case where:
a) the processing is carried out by a public authority or body, except in
the case of courts in the exercise of their judicial functions; Decision on the substance 188/2022 - 26/29
b) a controller or processor is principally entrusted with
processing which, due to its nature, its scope and/or its purposes, is regular and
require systematic surveillance of data subjects on a large scale; or
c) the controller or processor is mainly responsible for
large-scale processing of special categories of data under Article 9
and of personal data related to criminal convictions and offences
facts as referred to in Article 10.”
92. The defendant considers that none of these three cases applies to her. She is not
government agency or body, nor as a producer of audiovisual works
a large-scale processor of special categories of data, nor of
personal data relating to criminal convictions and offences.
93. The defendant's main activity is the production of audiovisual works
admittedly, the defendant regularly processed (and processes) personal data in the context
of (part of) its activities (i.e. for part of its non-fiction activities), but
on the other hand, its main activity does not focus on processing operations that are “regular and
systematic observation of data subjects” required “on a large scale”, Article 37(1) became
of the GDPR was not considered applicable and it was therefore decided not to appoint an official for
establish data protection. The defendant did consider it more useful and practical –
as is still the case today – to work with some
data controllers (five to be precise), one per department. aforementioned
considerations and decision – not to have a data protection officer, but to have one
to appoint privacy officers per department – were announced in 2018 at the time
explicitly included in the summary overview of all measures taken by the
the defendant then took to make the business activities GDPR-compliant.
94. As stated by the controller, Article 37(1) of the GDPR makes that
the designation of a data protection officer is made mandatory in
three cases (see marginal 92). The Disputes Chamber adopts the position of the
defendant and notes that none of these three cases from Article 37 GDPR of
applies to the controller, which means that it is not obliged to provide a
appoint a data protection officer. Consequently, obligations for
neither does the data protection officer as defined in Articles 38 and 39 GDPR
applicable in this case.
95. However, this does not mean that the defendant has not taken measures to
process personal data in accordance with the GDPR. Based on concrete examples
In its conclusions, the defendant refutes the findings of the Inspectorate. For
with regard to the Inspectorate's finding that the defendant would not demonstrate what
the "above-mentioned consultation" and "the necessary information moments" mean in practice, makes decision on the merits 188/2022 - 27/29
the defendant a report on the main concrete measures and steps taken
it has performed since the entry into force of the GDPR. The defendant does so
emails about information sessions that were given, as well as attendance lists with
signature. With regard to the journey towards transformation to GDPR compliance
the defendant makes several email conversations about which it appears that there is a direct
and close cooperation appears between the defendant's lawyers and some of the
data controllers of the defendant. The defendant also makes e-
correspondence about which it appears that the council members on the one hand and the
data controllers, on the other hand, have close consultations about the Privacy and
Confidentiality Policy. As far as the further follow-up is concerned, the defendant refers
to its documents, including a document on the procedure to be followed in the event of
a data breach. New employees are also systematically informed
regarding the privacy and confidentiality policy and submit to it through their
agreement with the defendant.
96. Finally, the Inspectorate states that the defendant does not demonstrate how compliance with the
privacy and confidentiality policy is guaranteed in practice. First of all, you can
It should be noted that the defendant has taken a lot of organizational and technical measures
provides, among other things, for access by unauthorized persons and/or unwanted or unintentional
secure distribution. In the first instance, reference can be made to the list
with the most important IT security measures. The defendant is also light
its data breach procedures in its conclusions. Furthermore, the
defendant to the use of the quit claims (see section II.2). Production employees
know that they also always have enough copies of the necessary
consent forms regarding the processing of personal data
take them to the shooting locations (and do so), so that the candidate participants
sufficiently informed to be able to confirm whether or not they agree with the processing
of their personal data. Also when concluding the agreements with new ones
employees (permanently employed or freelance) are provided with sufficient information. Further
they consistently receive the necessary explanation – including through delivery of the text of
the “Privacy and Confidentiality Policy” – before committing to signing
agree to their agreement with the privacy rules. Finally, the
the defendant again to the complaint that gave rise to the current one
procedure. As soon as the letter from the complainant's counsel has been received by the
defendant, the complaint was immediately forwarded to Mr
for the fiction department and the defendant's lawyers requesting the
defendant in this regard. The data protection officer then took the matter further
followed up with the defendant's counsel, which again shows that the defendant
does take its privacy policy seriously and does not limit it to the mere Substance decision 188/2022 - 28/29
"imposing guidelines" by means of the necessary texts, as the Inspectorate incorrectly
thought to determine.
97. The Disputes Chamber argues that it is disproportionate in this case to declare a violation of the
Articles 38 (1) and 39 GDPR. Since the defendant is not obliged to
to appoint a data protection officer are the obligations
not applicable to the defendant pursuant to Articles 38 and 39 GDPR. Consequently
the Litigation Chamber concludes that there is no infringement of Articles 38(1) and 39 GDPR
was committed by the defendant.
III. Publication of the decision
98. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary for the
identification data of the parties are disclosed directly.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- to dismiss on the basis of Article 100, §1, 1° WOG with regard to the violations of:
o Articles 5, 24 (1) and 25 (1) and (2) GDPR
o Articles 5(1)(a) and 6 GDPR,
o Articles 17 of the GDPR, Article 24(1) of the GDPR and Article 25(1) of the
GDPR; and
o Articles 38(1) and 39 GDPR.
- on the basis of article 100, §1, 2° WOG order the external prosecution with regard to the
violation of Article 12 (1) GDPR.
- pursuant to Article 100, §1, 5° WOG, to warn the defendant for the future
that the transparency obligations in Article 12 (4) GDPR must be complied with.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of
appeal in Brussels), with the Data Protection Authority as defendant. Decision on the substance 188/2022 - 29/29
Such an appeal may be made by means of an inter partes petition
the entries listed in article 1034ter of the Judicial Code must contain .The 24
a contradictory petition must be submitted to the Registry of the Market Court
25
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit
IT system of Justice (Article 32ter of the Ger.W.).
(get). Hielke HIJMANS
Chairman of the Litigation Chamber
24
The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer.
25 The petition with its annex is sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.
Categories:
- APD/GBA (Belgium)
- Belgium
- Article 4(1) GDPR
- Article 5(1) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 6 GDPR
- Article 6(1)(f) GDPR
- Article 12(1) GDPR
- Article 12(4) GDPR
- Article 17 GDPR
- Article 17(1) GDPR
- Article 17(1)(c) GDPR
- Article 17(3) GDPR
- Article 24(1) GDPR
- Article 25(1) GDPR
- Article 25(2) GDPR
- Article 38 GDPR
- Article 38(1) GDPR
- 2022
- Dutch
