APD/GBA (Belgium) - 137/2023
APD/GBA - 137/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(1) GDPR Article 14 GDPR Article 14(5)(c) GDPR Article 28(1) GDPR Article 28(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.09.2020 |
Decided: | 29.10.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 137/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de protection des données (in FR) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA held that retroactivity clauses in a data processing agreement are invalid as they would allow for the circumvention of Article 28(3) GDPR. Moreover, the DPA clarified that both the controller and processor are responsible for concluding the data processing agreement.
English Summary
Facts
In 2020 the data subject received a parking fee from a municipality, the controller.
The data subject requested to receive evidence of the parking violation in question and received several photographs of their vehicle. They also sought information on how their personal data was being processed and wanted to obtain the agreement concluded between the municipality and a third-party service used in the establishment and collection of the fee requested from them.
Following their request, the data subject found that there was no data processing agreement in place at the time of the events. It was only later that month that such agreement was concluded between the municipality acting as the controller and the third-party service acting as a processor.
The data subject submitted a complaint against both for violation of Article 28(3) GDPR.
Holding
The Belgian DPA stated that Article 28(1) mandates a processor to provide sufficient guarantees to protect the rights of data subjects. In the application of Article 28(3), a data processing agreement shall be put into place.
The DPA held that including a retro-activity clause in the agreement does not remedy the absence of the contract at the time of the event. Such an admission would allow for the circumvention of the application of the obligation of Article 28(3) which aims to ensure the protection of the rights and freedoms of the data subjects.
On top of that, the DPA concluded that both the controller, as well the processor, are responsible to ensure a proper data processing agreement is timely put into place. As such, both the municipality and third-party were reprimanded for breach of Article 28(3).
The DPA also scrutinised the municipality for lack of transparency under Article 12(1) and Article 14. However, the municipality stated that the exception of Article 14(5)(c) applied, referencing several laws on vehicle registration and parking fees.
However, the DPA recalled that exceptions must be interpreted restrictively. The legislation referred to must be very clear, and the obtaining or disclosure in question must be binding on the controller. It must also provide appropriate measures to protect the legitimate interests of the data subject.
As such, the DPA held that the legislation invoked by the municipality is insufficiently concrete and appropriate measures to protect the legitimate interests of the data subject is included. The DPA added that even if the exemption were to apply, the controller is still required to inform the data subject about the obtaining and disclosing of their personal data unless legally prohibited.
The DPA thus reprimanded the municipality for violation of Article 14 in combination with Article 12(1) for failure to take appropriate measures to fully inform the data subject.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/16 ChamberLitigation Decision on merits 137/2023 of September 29, 2023 File number: DOS-2020-04511 Subject: Complaint relating to the absence of a subcontracting contract (article 28.3. of the GDPR) and the absence of sufficient information by a public authority (article 14 of the GDPR) The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, president, and gentlemen Romain Robert and Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter ACL); Considering the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has taken the following decision regarding: The complainant: Mr. The defendants: Municipality Y1, hereinafter: “the first defendant”; The company Y2, represented by Maître Louis Leurquin, lawyer, whose firm is established avenue Brugmann, 435 à 1180 Brussels (Uccle), hereinafter: “the second defendant”; Hereinafter referred to together as “the Defendants”. Decision on merits 137/2023 – 2/16 I. Facts and procedure 1. On September 4, 2020, the complainant lodged a complaint with the Protection Authority data (APD) against the defendants. 2. The subject of his complaint concerns, on the one hand, the absence of a subcontracting contract between the first and second defendants in relation to the processing of the complainant's data as well as, on the other hand, the manner in which the complainant's data were processed within the framework of the establishment and collection by the first defendant of a royalty parking due by the complainant. 3. The facts giving rise to the complaint can be summarized as follows. 4. The plaintiff states that he received a royalty from the first defendant for a parking dated May 20, 2020 on the Place (...). This parking fee was sent to his home and includes his first and last name, his address and the license plate registration of his vehicle. 5. On July 6, 2020, the complainant contacted the Tax department of the first defendant to obtain proof of the parking violation attributed to him. In response, the complainant was sent several photographs of his vehicle. He has then questioned the said Tax department of the first respondent on the manner in which the personal data concerning him were processed within the framework of the establishment and collection of the fee claimed from him. 6. Informed in response that the first defendant would use the services of third parties, including second defendant, the plaintiff requested to obtain the agreement concluded with this last. It is, by the first defendant’s own admission, proven that the subcontract contract which was to link it to the second defendant did not exist at the time of the facts concerning the complainant. 7. The Litigation Chamber mentions here from the outset that it was on July 27, 2020 that a “Personal data processing agreement” (CTDCP) was signed between the defendants. Article 2 of this CTDCP defines the role of each party. The second defendant is described there as a computer engineering company which develops and markets software, which manages IT infrastructures and provides its expertise intended for both public and private clients. As part of its activities, it may be required to carry out processing of personal data belonging to its client such as the first defendant in this case, particularly in the context of the exercise of its installation, support and/or maintenance and hosting activities. The contract continues by indicating that in the context of the treatments carried out, the second defendant Decision on the merits 137/2023 – 3/16 acts as a subcontractor while its client, the first defendant in the species, acts as controller. 8. On October 23, 2020, the complaint was declared admissible by the First Line Service (SPL) of the ODA on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber Litigation under article 62, § 1 of the LCA. 9. On November 20, 2020, in accordance with article 96, § 1 of LCA, the request of the Chamber Contentious to carry out an investigation is transmitted to the Inspection Service (IS). 10. On May 11, 2021, the IS investigation was closed, the report was attached to the file and it was transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § er 2 of the LCA). 11. This inspection report makes the following findings: has. Violation of article 28.3. of the GDPR by the first defendant: the SI establishes that the subcontracting contract between the first defendant in its capacity as data controller and the second defendant in its capacity as sub-processor contract was concluded on July 27, 2020. The SI therefore notes that at the time of the facts denounced and the processing of the complainant's data within the framework of the establishment and collection of the parking fee for May 20, 2020, such a contract did not exist, in violation of article 28.3 of the GDPR. The SI adds that the retroactivity clause contained in said subcontracting contract cannot be prejudice the rights of third parties, in particular those of the complainant. b. Violation of articles 12.1 and 14 of the GDPR by the first defendant: the IS establishes that the exemption from information provided for in (article 14.5. c) of the GDPR invoked by the first defendant cannot be accepted in this case. In support of the Lines guidelines on transparency of the European Committee for the Protection of data (EDPS), the SI concludes that the texts 2 invoked by the first defendant, if they establish the lawfulness of the processing, do not require it to obtain (or to receive communication) of the data that it processes within the framework of the collection of the royalty in question and above all, do not contain 1 European Data Protection Board (EDPS), Guidelines on transparency under the UIE Regulation) 2016/679 of April 11, 2018. These guidelines adopted by Group 29 (WP 260) were adopted by the EDPS during its inaugural session on May 25, 2018: https://ec.europa.eu/newsroom/article29/items/622227. 2The first defendant invokes the following texts: article 6 of the royal decree of July 20, 2001 relating to the registration of vehicles which provides that the investigation and criminal prosecution of crimes, misdemeanors and contraventions are the purposes for which which personal data in the directory may be processed; the law of February 22, 1065 allowing municipalities to establish parking fees applicable to vehicles engine ; the fee regulation relating to its municipal parking policy voted by the Municipal Council on the date of [….] which allows parking fees to be established when a vehicle does not comply with the relevant legislation and the order of January 22, 2019 (chapter VII) – parking fees and monitoring of compliance with the rules of parking. Decision on merits 137/2023 – 4/16 appropriate measures to protect the legitimate interests of the person concerned as required by article 14.5.c) of the GDPR in order to be mobilized. The SI notes that the first defendant also invokes the AF deliberation 23/2013 of July 25, 2013 of the Federal Authority Sector Committee (CSAF) of the 3 Commission for the Protection of Private Life (CPVP) providing single authorization and amending with regard to private concessionaires of municipalities Brussels, the autonomous Brussels municipal rules and the Brussels Agency parking of the Brussels-Capital Region deliberation AF 12/2009 bearing a single authorization for access to the DIV directory for purposes identification of persons who are debtors, due to the use of a vehicle, of remuneration, which according to it retains its validity in accordance with section 111 of the LCA. The SI notes that this deliberation specifically requires provide information to the person concerned via the website of the data controller as well as on payment requests. The IS notes that such information is neither provided on the website of the first defendant nor on the payment requests sent (2nd reminder). The IS also points out that the fact of the first respondent being authorized to access the DIV (Vehicle Registration Department - directory of vehicles) does not exempt it from the information obligation. er 12. On July 9, 2021, the Litigation Chamber decides, under Article 95, § 1, 1° and article 98 of the LCA, that the file can be processed on its merits. 13. On the same date, the parties are informed by registered mail of the provisions such as set out in article 95, § 2 and article 98 of the LCA. They are also informed, in under section 99 of the LCA, deadlines for transmitting their conclusions. The deadline for receipt of submissions in response from the defendants was set for September 6 2021, that for the conclusions in the complainant's reply as of September 28, 2021 and that for the defendants' reply submissions as of October 20, 2021. 14. Still under the terms of this letter of July 9, 2021, the Litigation Chamber specifies that the first respondent is invited to put forward its arguments in light of the findings carried out in his regard by the IS. In addition, she invites him to put forward his arguments with regard to the compliance with articles 5.2. and 24 of the GDPR as soon as a proven breach of one or the other 3The Commission for the Protection of Private Life (CPVP) was the Belgian data protection authority within the meaning of the article 28 of Directive 95/46/EC. The Data Protection Authority (DPA) succeeded it on May 25, 2018 in execution of article 3 of the LCA. 4 Article 36bis of the LVP provided that any electronic communication of personal data by a public service federal or by a public body with legal personality which comes under the federal authority requires authorization from principle of the CSAF unless the communication has already been the subject of authorization in principle from another committee sector created within the CPVP. The mission of the CSAF is to check whether the communication complies with the provisions legal and regulatory. Decision on merits 137/2023 – 5/16 of articles 28, 12.1 and/or 14 of the GDPR retained by the IS is likely to constitute, by as a result, a breach of these provisions (articles 5.2. and 24 of the GDPR) consecrating the principle of accountability. 15. At the start of the complaint filed by the complainant (which also denounces a potential breach of its obligations arising from the GDPR by the second defendant – see point 1), the Litigation Chamber also invites the latter to present its arguments to the with regard to article 28 of the GDPR and the obligation to supervise its relationship with the first defendant by a subcontracting contract compliant with article 28.3. of the GDPR. 16. On September 2, 2021, the Litigation Chamber receives the conclusions in response from the first defendant: - As for the complaint based on a violation of article 28.3. of the GDPR, the first defendant does not deny that there was in fact no contract or other legal act linking it to the second defendant at the time of the facts giving rise to the complaint. The first one defendant, however, emphasizes that this contract - the signature of which had not been judged priority, particularly in the absence of high risk for the people concerned and given the context of the covid 19 pandemic requiring priority - a was concluded on July 27, 2020 and that the situation is now regularized, including for the past, taking into account the retroactivity clause to May 25, 2018 provided for by article 3 of the said contract (article 3). - As for the complaint based on a violation of articles 12.1 and 14 of the GDPR, the first defendant declares, based on the conclusions of the SI on this point, to take note of what article 14.5. c) of the GDPR would not apply and indicates having modified its website by adding a text containing the elements of information required by article 14 of the GDPR and adapted payment request letters within the framework of parking fees by adding an informative clause. 17. On September 3, 2021, the second defendant notified the Litigation Chamber that she refers and adheres to the arguments developed by the first defendant in its conclusions in response of September 2, 2021 (point 16), which conclusions can be considered to be filed in his name and on his behalf as well. 18. On September 4, 2021, the Litigation Chamber receives the conclusions in response to the complainant: - The complainant welcomes the fact that the first defendant recognizes the breaches what to blame her for while doubting her good faith when she invokes “the excuse too easy” according to him of the epidemic of the covid 19 virus to explain his delay in signing of a subcontracting contract. It notes in this regard that the GDPR was in Decision on the merits 137/2023 – 6/16 in force since May 25, 2016, i.e. even before the award of the public contract by the first respondent to the second respondent in late 2016. - The plaintiff also points out that the first defendant minimizes the data personal information which it communicates to the second defendant. Only the plate registration of offenders would be sent to him while the IS report mentions that other personal data concerning him (such as photographs of his vehicle) are also communicated. Generally speaking, the complainant denounces the lack of exemplarity and transparency of the first defendant as a public administration. - Finally, the complainant wishes to be made aware of the harm he has suffered as a result of his non- respect for personal data both morally and financially evaluating its shortfall at €1,500.00 ex aequo et bono with regard to time and energy devoted to this matter. 19. On September 30, 2021, the Litigation Chamber receives the conclusions in response to the first defendant. As for the compensation claimed by the plaintiff for damage suffered, the first defendant argues that the plaintiff's data was not used to purposes not provided for by law and that he cannot have suffered damage due to improper use of these. It also emphasizes that public authorities are exempt from administrative fines. 20. Also on September 30, the Litigation Chamber received a final reaction from the complainant. This reaction is submitted out of time, the complainant having already had the opportunity to conclude (point 18) and the last word goes to the defendants. The complainant insists in particular on the fact that the fee could only be established through communication contrary to the GDPR of data concerning him which, from his point of view, invalidates the royalty as such. He also recalls that if the public authorities are exempt from administrative fines, non-pecuniary administrative sanctions may be imposed on them as well as criminal sanctions. The complainant finally recalls his claim for compensation. II. Motivation II.1. As for the breach of article 28.3. of the GDPR by the first and second defendants 21. Article 28.1. of the GDPR provides that when processing must be carried out on behalf of a data controller, the latter only uses subcontractors who present sufficient guarantees regarding the implementation of technical measures and Decision on the merits 137/2023 – 7/16 appropriate organizational measures to ensure that the processing meets the requirements of the GDPR and guarantees the protection of the rights of the data subject. 22. Pursuant to article 28.3. of the GDPR, such processing must be governed by a contract or by another legal act under Union law or the law of a Member State, which binds the subcontractor with regard to the controller, defines the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects as well as the obligations and rights of the person responsible of treatment. This contract or other legal act must also provide in particular for burden of the subcontractor the series of obligations listed in letters a) to h) of article 28.3. of the GDPR. 23. In this case, the Litigation Chamber characterizes the first defendant as “responsible for processing” within the meaning of Article 4.7. of the GDPR. It is the entity that defines the purposes and means of the processing complained of (i.e. the processing of personal data relating to the complainant for the purposes of establishing and collecting a payment fee parking), as part of the exercise of a competence which has been legally granted to him entrusted. This characterization is not contested by the defendants. 24. The Litigation Chamber qualifies the second defendant as a “subcontractor” within the meaning of Article 4.8. of the GDPR in that it acts on instructions from the defendant. This qualification is also not contested by the defendants. 25. The Litigation Chamber decides that both the first and second defendants were required to conclude a subcontracting contract or to bind themselves by an act legally binding regarding the exercise of the subcontracting mission that they had established between them, in accordance with article 28.3. of the GDPR. 26. The Litigation Chamber endorses in this regard the position of the EDPS according to which “being given that the Regulation establishes a clear obligation to conclude a written contract, where no other relevant legal act is in force, its absence constitutes a GDPR violation. Both the controller and the processor are responsible for ensure that a contract or other legal act governs the processing. Subject to provisions of Article 83 of the GDPR, the competent supervisory authority will be able to 5European Data Protection Committee (EDPS), Guidelines 07/2020 concerning the notions of responsibility of processing and subcontractor in the GDPR, version 2.0. from July 7, 2021 https://edpb.europa.eu/system/files/2022- 02/eppb_guidelines_202007_controllerprocessor_final_fr.pdf 6It is the Litigation Chamber which underlines. Article 28, paragraph 3, does not apply only to those responsible for treatment. When only the subcontractor is covered by the territorial scope of the GDPR (article 3), the obligation is only directly applicable to the subcontractor. See. also in this sense the Guidelines 3/2018 of the Committee European Data Protection Authority (EDPS) relating to the territorial scope of the GDPR, p. 12. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_fr.pdf. Decision on merits 137/2023 – 8/16 to impose an administrative fine on both the controller and the subcontractor, taking into account the circumstances specific to each situation. 7 27. In other words, the obligation to conclude a contract or to be bound by a legal act binding weighs both on the data controller (here the first defendant) and on the subcontractor (hereinafter the second defendant) and not on the sole person responsible for treatment. This is particularly important when, as is the case in this case, a subcontractor offers its specialized services to a large number of managers separate treatments. It would not comply with the GDPR (nor with the reality on the ground) to consider that the initiative for concluding the contract (and its proposed content) does not should only come from the data controller. 28. In the present case, the first and second defendants do not dispute that the contract of subcontracting which was to bind them did not exist at the time of the facts reported. This contract has was concluded on July 27, 2020, i.e. on a date subsequent to these facts and the processing of subsequent data which, as a reminder, finds its origin in a parking lot at 20 May 2020. In the explanations she gave to try to justify this signature late (point 16), the first defendant (followed by the second defendant – point 17) indicates that at the time of the award of the public contract to the second defendant by a deliberation at the end of 2016, the GDPR did not yet exist. On this point, the Contention Chamber reminds the defendants that in reality, the GDPR was in force since May 25, 2016 (article 99.1. of the GDPR), i.e. for more than 6 months already at the time of the deliberation award of the contract mentioned by the first defendant. Consequently, from the award of the public contract by the first defendant to the second defendant, these The latter had to comply with the GDPR and therefore sign as quickly as possible and in any event, no later than May 24, 2018, a subcontracting contract in accordance with Article 28.3. of the GDPR. The legislator had in fact expressly provided for a period transitional period of 2 years to enable compliance with the GDPR, including the regard to pre-existing situations following the application of the GDPR but which would persist beyond this one. 29. With the SI (point 10), the Litigation Chamber is of the opinion that the retroactivity clause provided for by the contract of July 27, 2020 is not likely to compensate for the absence of a contract in time of the facts. If such retroactivity were to be admitted, it would de facto allow circumvent the application over time of the obligation of article 28.3 of the GDPR which weighs thus that it was developed in points 26 and 27 above, both on the data controller and on the subcontractor. However, as has just been explained in point 28, the GDPR itself has provided a period of 2 years separating its entry into force from its entry into force for implementation in progressive compliance by all entities concerned (article 99 of the GDPR). 7It is the Litigation Chamber which underlines. Decision on merits 137/2023 – 9/16 The obligation to conclude such a contract is also intended to clearly distribute the responsibilities of each of the defendants in their respective capacity as responsible for processing on the one hand and the subcontractor on the other. As highlighted in recital 79 of GDPR, this obligation also pursues the objective of guaranteeing the protection of rights and freedoms of the persons concerned including the data which will be processed within the framework of the relationship that the data controller chooses to create between them (here the first defendant) and the subcontractor (here the second defendant) are thus protected. This absence of protection - while it is required by the GDPR - cannot be covered by a contractual retroactivity clause agreed solely by the defendants in disregard of the rights of the persons concerned - who are not parties to the contract – enshrined in a standard, of European rank in addition. 30. In light of the above, the Litigation Chamber concludes that both the first and the second The second defendants were guilty of a breach of Article 28.3. of GDPR. For all useful purposes, the Litigation Chamber specifies that it is empowered to retain a breach of this provision by the second respondent notwithstanding the absence of breach pointed out in the head of the latter by the IS and this, in execution of its own skills. The second defendant implicated under the terms of the complaint filed (point 1) was also invited to defend itself with regard to this breach in respect for the contradictory debate (point 15) and does not deny the absence of a contract at the time facts. 31. The defendants also claim that in any event, they respected the obligations arising from the Law of December 8, 1992 relating to the protection of private life with regard to data processing (LVP) previously applicable (article 16 devoted to 9 obligations of the subcontractor) and that taking into account other emergencies particularly linked to the covid-19 virus pandemic, compliance with the GDPR has not been seen as a priority from 2018 given the few risks incurred by the taxpayer in the context concerned. The defendants also argue that the rights of the plaintiff have always been respected, even before the conclusion of the contract on July 27, 2020 and that the data concerning him have not been used for purposes other than those related to the royalty parking. 8The LCA does not require the Litigation Chamber to use the Inspection Service. Indeed, the Litigation Chamber decides sovereignly whether, following the filing of a complaint, an investigation is necessary or not (article 63.2° of the LCA and art. 94, 1° of the LCA). In this sense, article 94, 3° LCA explicitly provides that once seized, the Litigation Chamber may process the complaint without resorting to the Inspection Service. It thus has a power of appreciation of the complaint which is independent of the inspection (Cour des Marches (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Court of markets (19th ch. A), December 7, 2022, 2022/AR/556). 9It should be noted that the obligations of the subcontractor were very limited compared to the requirements required by article 28 of the GDPR. Article 16 of the LVP was in fact limited to providing that the subcontractor could only act on instructions from the data controller and must present sufficient guarantees to ensure the security of the processing which it were subcontracted. Decision on merits 137/2023 – 10/16 32. For the Litigation Chamber, the circumstances invoked by the defendants - even if they prove to be true, they are not likely to eliminate the existence of a failure in their boss. They could, however, at most be taken into account by the Chamber Contentious in the assessment of the appropriate sanction with regard to all of the circumstances of the case. II.2. As for the breach of article 12.1. and 14 of the GDPR by the first defendant 33. The Litigation Chamber takes note of what the first defendant has now provided for information reflecting the elements required in execution of article 14 of the GDPR to destination of the persons concerned on its website on the one hand and has also committed to providing information to the persons concerned when sending requests payment of royalties on the other hand. 34. The Litigation Chamber nevertheless concludes that for the past, the first defendant was guilty of a breach of articles 12.1 and 14 of the GDPR in not providing adequate information for the attention of the persons concerned. There In this regard, the Litigation Chamber shares the analysis of the SI which rules out the applicability of Article 14.5.c) of the GDPR. 35. Under the terms of this article 14.5.c), the data controller is exempt from his obligation information when and to the extent that “obtaining or communicating information information is expressly provided for by Union or Member State law to which the controller is subject and which provides for appropriate measures aimed at protecting the legitimate interests of the data subject. 36. The Litigation Chamber notes a difference in language between the French version and, by example, the Dutch and English versions of this provision. Indeed, while the French version of article 14.5.c) of the GDPR mentions “when and to the extent that obtaining or communicating information is expressly provided for by law of the Union or the Member State", the Dutch and English versions of the text retain respectively the following terms: “wanneer en voor zover het verkrijgen de verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of lidstaatelijk recht” and “ where and insofar obtaining or disclosure is expressly laid down by Union or Member State law”. (read: obtaining or disclosure of data in accordance with the terms of recital 62). The Litigation Chamber is of the opinion that it is indeed the obtaining and communication of data which must be provided for by national law (or, where applicable, by Union law European) and notwithstanding the terms of the French version of article 14.5.c) of the GDPR. 37. What is provided for in article 14.5. c) of the GDPR constitutes an exception to the right to information. Failing to be informed that data processing concerning it is being carried out, the Decision on the merits 137/2023 – 11/16 data subject is deprived of information which is in principle spontaneously available to him provided by the data controller and which facilitates the exercise of his other rights including it is also informed of the existence and methods of exercise through this means (article 13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR). 38. This exemption must be interpreted restrictively since it constitutes a exception to the information obligation provided for by the fundamental right to the protection of data and the corollary information obligation imposed on the data controller. It also deprives, as already mentioned, the person concerned of information on the existence and methods of exercising their other rights which are, for their part, not subject to the same exception “in the event of obtaining or communication expressly provided for by the law”. As an example, the right of access (article 15 of the GDPR) - which in turn opens the way to exercise other rights such as the right to rectification, opposition or even erasure – does not know this exception (article 15.4. of the GDPR). 39. The ratio legis of this exception in Article 14.5.c) of the GDPR is based on the fact that the national legislation would require the obtaining or communication of said data. He imports provided that this legislation is particularly clear and complies with the qualities that must adopt any data protection legislation and that this obtaining/communication is binding on the data controller which he must be able to demonstrate. Said legislation must also provide for appropriate measures to guarantee the legitimate interests of the data subject. 40. The Litigation Chamber adds that finally, the obligation to obtain or communicate of said data must, in order to trigger the exception of article 14.5.c) of the GDPR, logically cover all the data which would have been processed by the person responsible for processing which would invoke exemption from information. 41. The SI report notes that the first defendant relies on the following texts: has. Article 6 of the royal decree of July 20, 2001 relating to vehicle registration which provides that the search and criminal prosecution of crimes, misdemeanors and contraventions are the purposes for which personal data from the DIV directory (Directorate of Vehicle Registration) can make the subject of treatment. The Litigation Chamber notes that this provision specifies the purposes of the DIV consultation of which is authorized for the benefit of the first defendant for these purposes, including that of establishing the fee. b. The law of February 22, 1965 allowing municipalities to establish royalties parking applicable to motor vehicles. Decision on merits 137/2023 – 12/16 Here too the Litigation Chamber notes that this is a text which allows the first respondent to establish the parking fee. When examining the text, the Litigation Chamber notes that article 2 of the legislation provides that “ for the collection of remunerations, taxes or royalties from parking referred to in Article 1, the towns and municipalities and their concessionaires and autonomous municipal authorities are authorized to request identity of the holder of the number of the registration mark to the responsible authority of vehicle registration, in accordance with the law on the protection of private life ". The text thus provides the right for municipalities such as the first defendant to consult the DIV for the purposes of establishing the fee. vs. The fee regulation relating to the municipal parking policy voted by the municipal council dated […] which makes it possible to establish the royalties of parking when a vehicle does not comply with the relevant legislation. Upon analysis of this text communicated by the first defendant SI, the Chamber Litigation notes (i) that it organizes the modalities according to which the parking is regulated, subdivided (paid zone, blue zone etc.) and according to what rate, (ii) that it details the terms of amicable recovery and amicable complaint as well as (iii) the terms of forced recovery and recourse against the procedure forced recovery. The text further details the exemption cards existing. The Litigation Chamber, however, does not identify any provision which specifies what data the first defendant would be required to obtain in the context of the establishment and collection of a parking fee. d. The order of January 22, 2009 10 – chapter VII – royalties parking and monitoring compliance with parking rules. The text organizes the parking policy in the Brussels-Capital region, creates the Parking Agency, sets the amount of fees and addresses the issue of the control and collection of these royalties as well as their cost for the municipalities etc. Here too, the Litigation Chamber does not identify any provision relating to the compulsory obtaining/communication of data including the first defendant could rely on it to found the exemption from information that it invoked. 10Read the Order of January 22, 2009 on the organization of parking policy and creation of the Parking Agency parking lot of the Brussels-Capital Region, M.B., January 30, 2009. Decision on the merits 137/2023 – 13/16 42. In support of the above, the Litigation Chamber concludes that if we understand that the first respondent certainly needs certain data to establish a fee parking and collect it (and be authorized to consult a source such as theDIV at this effect), the texts that it invokes in support of its competence do not provide for obtaining or mandatory communication of the data it has processed in this case (including photographs). As the SI also points out, none of these texts provides for additional appropriate measures intended to protect the interests of individuals concerned in this context where no information would therefore be provided to them in the sense proactive that the GDPR gives to this obligation. Consequently, the Litigation Chamber notes that the conditions for application of article 14.5.c) of the GDPR are not met and that the first defendant was, therefore, not authorized to invoke this exception. 43. In this sense, the deliberation of the CSAF to which the first respondent refers enjoined to inform the people concerned, which the first defendant failed to do TO DO. 44. Finally, for cases where the data controller would be entitled to rely on article 14.5.c of the GDPR, the Litigation Chamber recalls as highlighted by the EDPS in its Transparency guidelines already cited, this exemption does not require them less than “the controller should clearly notify individuals concerned that it obtains or communicates personal data in accordance with the right in question, unless there is a legal prohibition preventing it from doing so. This This provision complies with recital 41 of the GDPR, which provides that a legal basis or a legislative measure should be clear and precise and its application should be foreseeable for litigants, in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights”. This obligation is in line with that which the data controller has to identify - in execution of articles 13.1.c) and 14.1.c) of the GDPR - the legal bases of its processing and this, prior to their operationalization. In this regard, it is not enough to indicate that data processing will take place in execution of a legal obligation or to refer purely and simply to the application of article 6.1. c) of the DPR. It is the responsibility of the person responsible of processing to identify the relevant legislation which underlies the processing it carries out. 45. In conclusion, the Litigation Chamber notes a breach of Article 14 of the GDPR on the part of the first defendant combined with a breach of article 12.1 of the GDPR. Indeed, failing to provide the information listed in Article 14 of the GDPR to the persons concerned, the first respondent also fails to comply with this provision which requires the data controller to take appropriate measures to provide any information referred to in Articles 13 and 14 in a concise, transparent, understandable and easily accessible, in clear and simple terms. Decision on merits 137/2023 – 14/16 II.3. As for corrective measures and sanctions 46. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to: 1° close the complaint without further action; 2° order the dismissal of the case; 3° pronounce a suspension of the sentence; 4° propose a transaction; 5° issue warnings or reprimands; 6° order to comply with the requests of the person concerned to exercise their rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or definitive ban on processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of data and notification of these to the recipients of the data; 11° order the withdrawal of the accreditation of certification bodies; 12° give fines; 13° issue administrative fines; 14° order the suspension of cross-border data flows to another State or a international body; 15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Authority of Data protection. 47. It is important to contextualize the failings of which each of the defendants committed made responsible in order to identify the most corrective measures and/or sanctions adapted. 48. The Litigation Chamber wishes to point out that it is sovereignly its responsibility independent administrative authority - in compliance with the relevant articles of the GDPR and of the LCA - to determine the corrective measure(s) and/or sanction(s) appropriate(s) with regard to all the circumstances of the file. Thus, it does not belong for the complainant to ask the Litigation Chamber to order this or that measure corrective or sanction (exemplary) and even less that it takes measures which do not would not appear among those that the Litigation Chamber is authorized to impose. If, notwithstanding the above, the complainant had to make such a request, it is not the responsibility not for the Contentious Chamber to justify why it would not retain one or the other request thus formulated by the complainant. These considerations leave the obligation intact for the Litigation Chamber to provide reasons for the choice of measure and/or sanction for which Decision on the merits 137/2023 – 15/16 judge, (among the list of measures and sanctions made available to him by articles 58 of the RGPD and 95.1 and 100.1 of the LCA) appropriate to condemn the party(ies) involved. 49. Still in this regard, the Litigation Chamber specifies that it does not have jurisdiction to grant damages or compensation for possible harm suffered or to invalidate a parking fee. These skills are not provided for by the article 58 of the aforementioned GDPR nor by article 100.1. of the LCA cited above. The imposition of such Measures are reserved, if necessary, to the competent courts and tribunals. 50. In view of the failings noted on the part of the first respondent in the Articles 28.3. (point 30), 14 and 12.1. of the GDPR (point 45) in its capacity as a public authority, the Litigation Chamber decides that the reprimand constitutes the appropriate sanction. 51. The Contentious Chamber also notes that it emerges from the recognition of the facts by the first defendant, the signing of a subcontracting contract in July 2020 and commitments made in terms of information to the people concerned, that the first The defendant took stock of the breaches denounced in articles 28.3., 14 and 12.1. of GDPR already mentioned. 52. Concerning the second defendant, the Litigation Chamber also decides to send a reprimand with regard to the breach noted in article 28.3 of the GDPR (point 30) in his head as well. Considering all the circumstances of the case, this In the eyes of the Litigation Chamber, this measure constitutes the appropriate sanction for the past breach noted. III. Publication of the decision 53. Given the importance of transparency regarding the decision-making process of the Chamber Contentious, this decision is published on the APD website. However, it is not not necessary for this purpose that the identification data of the parties be directly mentioned. Decision on merits 137/2023 – 16/16 FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation: - Under article 100.5° of the LCA, to send a reprimand to the first defendant for breaches of articles 28.3, 14 and 12.1. of the GDPR. - Under article 100.5° of the LCA, to send a reprimand to the second defendant for the breach of article 28.3. GDPR In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, to the Court of Markets (court of Appeal of Brussels), with the Data Protection Authority (DPA) as a party defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory request must be 12 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.). (sé). Hielke H IJMANS President of the Litigation Chamber 11The request contains barely any nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or Business Number; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 6° the signature of the applicant or his lawyer. 12 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court registry.