APD/GBA (Belgium) - 48/2021
From GDPRhub
| APD/GBA - 48/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 3 of the Belgian law for organizing a national register of natural persons |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 08.04.2021 |
| Published: | 08.04.2021 |
| Fine: | None |
| Parties: | A private individual (plaintiff) A notary (defendant) |
| National Case Number/Name: | 48/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Website of the Belgian DPA (in FR) |
| Initial Contributor: | Maïlys Lemaître |
The Belgian DPA held that, for lack of a legal basis pursuant to Article 6 GDPR, a notary cannot consult the national register for natural persons in order to obtain personal data for other purposes than those defined by the law and within the scope of their profession.
English Summary
Facts
The plaintiff lodged a complaint with the Belgian DPA after their former employer, the defendant, sent them the remaining money they were owed to an address obtained by consulting the national register for natural persons. The plaintiff argued that the defendant had not processed the data lawfully, since they had not consulted the register within its defined purposes.
To this the defendant replied that they were unsure of their former employees' address and thought that the national register could be consulted in any case, because they had access to it within the scope of their profession.
Dispute
Can the collection by a notary of personal data contained in the national register for natural persons be justified by the sole fact that within the scope of their work they can already access said register?
Holding
The Belgian DPA reminded the defendant that, notwithstanding the fact that notary was one of the professions allowed to consult the national register for natural persons, they should, pursuant to Article 3 of the Belgian law for organising a national register for natural persons, always do so for tasks that fall within their competence and are specific to the performance of their notary assignments.
The register should therefore not be used for tasks that are common to any employer, such as sending mail to their employees or former employees. By consulting the national register for that purpose, the defendant processed data unlawfully, thus going against Article 6 combined with Article 5(1)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision on the merits 48 / 2021- 1/15
Litigation Chamber
Decision on the merits 48/2021 of 08 April 2021
File No .: DOS-2020-02322
Subject: Complaint against a notary for unlawful consultation of the National Register
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this
composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of individuals with regard to the processing of personal data and the
free movement of these data, and repealing Directive 95/46 / EC (General Regulation on the
Data Protection), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Considering the Law of August 8, 1983 organizing a National Register of Natural Persons (hereinafter the RN Law);
Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20
2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
Took the following decision regarding:
The complainant: Mrs X. Hereinafter "the complainant".
The defendant: Mrs Y, Advised by Maître Sari Depreeuw, lawyer, whose firm is
established avenue Louise, 81 in 1050 Brussels. Hereinafter "the defendant".
1. Feedback from the procedure
Having regard to the complaint lodged by the complainant with the Data Protection Authority (APD) on May 14
2020; Decision on the merits 48 / 2021- 2/15
Considering the decision of 11 June 2020 of the Front Line Service (SPL) of the APD declaring the complaint admissible
and its transmission to the Litigation Chamber;
Having regard to the letters of July 14 and August 19, 2020 from the Litigation Chamber informing the parties of
its decision to consider the case as ready for treatment on the merits on the basis of the article
98 LCA and providing them with a timetable for exchanging conclusions;
Having regard to the conclusions filed by the defendant on October 1, 2020;
Considering the conclusions filed by the complainant on October 21, 2020;
Having regard to the final submissions filed by the defendant on November 13, 2020;
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on January 20, 2021;
Having regard to the hearing during the session of the Contentious Chamber of March 2, 2021 in the presence of Maître S.
DEPREEUW and Maître O. BELLEFLAMME representing the defendant;
Having regard to the minutes of the hearing and the observations made thereon by the counsel of the
defendant which were attached to these minutes.
2. The facts and the subject of the request
1. The defendant is a notary in Flanders.
2. The defendant, in the course of 2019, hired the plaintiff as a notarial lawyer
in his study under an open-ended contract which began in August 2019. Under the terms of
contract, the complainant is identified as being domiciled in Wallonia. A second relative contract
the allocation of ecocheques was also signed between the parties. According to the latter, the
complainant is also identified as being domiciled in Wallonia. This contract provides in its
Article 4 that the ecocheques will be credited monthly to the ecocheque account of the
complainant. During the hearing (see below), however, the defendant indicated that there has always been
sending ecocheques by post during the term of the contract with the complainant.
3. The defendant states that the plaintiff had settled in Flanders near the study for
that she was working with her to limit the travel time between her place of work and her place of
residence, while retaining its domicile in Wallonia.
4. This employment relationship ended in February 2020 following the resignation of the complainant in
a climate that the defendant describes as tense, all trust being broken between the parties. Decision on the merits 48 / 2021- 3/15
5. At the end of this employment relationship, the defendant remained liable for an amount of 56.07
euros in ecocheques vis-à-vis the complainant. After a first reminder, the complainant sent a
second reminder to the defendant by email on March 16, 2020.
6. These eco-checks were sent by the defendant to the address of the plaintiff's domicile, namely
in Wallonia, by registered letter of March 16, 2020. Beforehand, the defendant indicates
have verified the complainant's address in the National Register.
7. On April 19, 2020, the Complainant sent an email to the Respondent complaining of this
consultation of its National Register on March 14th.
8. In response, the defendant explained to the complainant the reasons for this consultation. The
defendant thus indicated that she had wanted to verify the exact address to which she was to
send the ecocheques to the complainant as soon as she knew that the complainant had several
addresses, in Flanders and Wallonia. The defendant stated that at the end of the relationship
contract, she was uncertain as to which address it was suitable for, on the eve of
the entry into force of the containment measures, send the eco-checks to the complainant.
9. On May 14, 2020, the complainant filed a complaint with the APD.
Subject of the Complainant's Complaint
10. According to her complaint, the complainant complains "of a consultation of her national register by
the defendant without any consent on its part and any legal framework ”as well as
"The use of access to the population register outside of the specific regulations
to obtaining information from population registers ".
11. According to her conclusions, the complainant also raises a lack of information in the
defendant in violation of Article 14 of the GDPR. More specifically the complainant
asks the Litigation Chamber:
- declare their complaint admissible and well founded;
- to note the violation of the Law of August 8, 1983 organizing a National Register of Persons
physical (RN Law) and the Royal Decree of 11 September 1986 authorizing access by notaries to
national register of natural persons;
- to find the violation of the fundamental principles of data protection
personal;
- to pronounce a sanction. Decision on the merits 48 / 2021- 4/15
Defendant's position
12. Mainly, the defendant asks the Litigation Chamber to declare itself incompetent
to process the complainant's complaint and dismiss it as inadmissible.
13. In the alternative, the defendant asks the Contentious Chamber to declare the complaint
unfounded, considering that it did not violate the fundamental principles of data protection
personal and consequently, order a dismissal.
14. In the alternative, if the Contentious Chamber were to find a violation of the principles
fundamental principles of the protection of personal data, the defendant seeks the
suspension of the delivery.
15. Finally, in the very alternative, the defendant requests that account be taken of
extenuating circumstances to limit the corrective action pronounced to a warning or even to
a reprimand.
3. The hearing on March 2, 2021
16. During the hearing, the minutes of which were drawn up, the following elements were brought to light
light by the defendant, the complainant not being present at the hearing:
- the incompetence of the Litigation Chamber to deal with the complaint;
- the relational difficulties encountered from the outset with the complainant and the loss of confidence
gradual progress of the defendant with regard to the plaintiff, this rupture finding its climax
at the time of termination of the contract;
- the fact that it is incorrect to claim that notaries would have access to all the data at
personal character contained in the National Register, their consultation being limited to
data referred to in the Royal Decree of 11 September 1986 on the one hand and the mention that
the application available to notaries does not allow consultation targeting the only data
"Address" to the exclusion of any other on the other hand;
- the good faith of the defendant who, faced with a conflictual situation, acted out of concern for
protect against any reproach sending to an address that would not have been the right one;
- the implementation of a series of measures adopted by the defendant aimed at putting
compliance with the obligations of the GDPR resulting from his capacity as person responsible for
processing: security policy, register of processing activities, designation of a delegate
data protection etc. Decision on the merits 48 / 2021- 5/15
PLACE
4. As to the jurisdiction of the APD, in particular its Litigation Chamber
17. The DPA is the Belgian authority, in particular responsible for monitoring compliance with the GDPR in application
of Article 8 of the Charter of Fundamental Rights of the European Union (EU), of Article 16 of
Treaty on the Functioning of the European Union (TFEU) and article 51 of the GDPR. Regarding
of Article 51 of the GDPR in particular, it requires each EU member state to
set up one or more independent public authorities, responsible for monitoring
the application of the GDPR in order to protect the fundamental rights and freedoms of individuals
with regard to the processing of their data. The GDPR adds to this effect that each authority must
benefit from a number of missions (listed in Article 57 of the GDPR) including that of dealing with
complaints (article 57.1.f) of the GDPR) as well as a number of powers (article 58 of the GDPR).
18. Pursuant to Article 3 LCA, the Belgian legislator has instituted the DPA, the Litigation Chamber of which is
the administrative litigation body (Article 32 LCA).
19. This control by the DPA, via its Litigation Chamber in particular, is an essential element of
protection of individuals during the processing of personal data concerning them.
20. As the Contentious Chamber has already had the opportunity to express it in its decisions 17/2020 and 1
80/2020 among others, supervisory authorities - such as ODA - must exercise their powers
for the effective application of European data protection law. To guarantee
the effectiveness of European law is one of the major tasks of data protection authorities
member states under EU law. Control by the contentious chamber constitutes
In this regard, one of the instruments available to ODA to ensure compliance with the rules relating to
data protection, in accordance with the provisions of the European treaties, the GDPR and
of the LCA.
21. In Article 4 LCA, it is provided that the ODA is "responsible for monitoring compliance with the principles
fundamentals of the protection of personal data, within the framework of this law
and laws containing provisions relating to the protection of the processing of personal data
staff ".
22. The explanatory memorandum to the LCA has clearly and unequivocally clarified the interpretation to be
give Article 4 LCA in the following terms: "Art. 4: The Authority for the Protection of
1https: //www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf
2https: //www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf Decision on the merits 48 / 2021- 6/15
data is competent to exercise the missions and mandates of monitoring compliance with the principles
fundamental protection of personal data as established in the Regulation
2016/679. The Data Protection Authority acts with regard to the regulations which
contains provisions relating to the processing of personal data such as, for example,
example, the law establishing a national register, the law relating to the crossroads bank for security
3
social, the law relating to the crossroads bank for enterprises, etc. (...) "(This is the Chamber
Litigation which underlines).
23. Under these “laws containing provisions relating to the protection of data processing
of a personal nature ”, the RN Law is therefore explicitly mentioned.
24. In conclusion, the oversight mission of the ODA encompasses compliance with the GDPR in its entirety.
This reading is the only one which gives a useful effect to articles 3 and 4 LCA, which must be read in
in combination with Article 51 of the GDPR. The competence of the APD (and its litigation body
administrative - the Litigation Chamber) is therefore, in support of the foregoing, in no way limited
by the concept of "fundamental principles of data protection" read in isolation, whatever
either the content that some would seek to give to this notion for the needs of one or
the other cause or attempting to escape the control of the ODA (see point 26 below). Likewise, it is certain
that the competence of the DPA also encompasses monitoring compliance with the protective provisions
data contained in specific legislation such as the RN Law or the "Law
Cameras ”to name just these two examples. Here again, all of these provisions are
intended and not only those which would participate in "fundamental principles of the protection
Datas ".
3
Explanatory memorandum to the Law of 3 December 2017 establishing the Data Protection Authority (DPA),
House of Representatives, DOC 54 2648/001, page 13 under article 4.
4
Ibidem
5
Law of March 21, 2007 regulating the installation and use of surveillance cameras (hereinafter the Cameras Law),
M.B., May 31, 2007.
6
Decision 19/2020 regarding the consultation of the National Register within a city:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf
Decision 16/2020 with regard to surveillance cameras installed at the entrance of a store:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-16-2020.pdf;
Decision 61/2020 relating to a complaint for unlawful processing of personal data after
consultation in the National Register by a public interest body:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-61-2020.pdf
Decision 80/2020 relating to camera surveillance in a car wash:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf
. Decision on the merits 48 / 2021- 7/15
25. The Contentious Chamber finally draws attention to the fact that Article 4.2 LCA excludes jurisdiction
of ODA in a very limited number of cases, specifically provided for by the LCA itself or by
other legislation. The APD is the data protection supervisory authority responsible for
default, any legal void, any lack of supervisory jurisdiction over one or the other processing
of personal data to be avoided.
Application to the present case - the issue of access to the National Register (rather than another
database)
26. While admitting the competence of the DPA under the RN Law, the defendant nevertheless indicates
than to avoid conflicts of jurisdiction (with regard to the Minister of the Interior with regard to the
RN in the present case), the legislature would have limited the competence of the DPA to monitoring compliance with "
fundamental principles of data protection ”. These "fundamental principles of
data protection "not being defined by the national legislator, it would be appropriate according to the
defendant to understand them as being limited to the principles set out in Article 8 of the Charter
fundamental rights of the Union and, having regard to the structure of the GDPR, the content of Chapter II
GDPR and the rights of data subjects.
27. In this regard, the defendant puts forward the fact that “If Me Y, [read the defendant], as
that a notary had access to the National Register and, as an employer, to the Banque-Carrefour de la
Social Security (BCSS) and whether the National Register and the BCSS both contain the same
information relating to Ms. X's address [read complainant], the relevant question before the DPA
is not that of the legitimacy of the processing of personal data but that of access to
respective databases ”. The defendant adds in conclusion that "what remains to be verified
is compliance with the conditions for access to the national register resp. the BCSS ”. This verification would fall under
according to the defendant the competence of the Minister of the Interior, the ODA not having the competence
decide on the preference for access to one or the other database. The defendant
indeed considers that this access preference does not participate in the "fundamental principles of
data protection ”.
28. The Contentious Chamber refutes the arguments developed by the defendant with regard to its
skill. As it has explained above in paragraphs 21-24, its competence is not at all
limited to monitoring compliance with "fundamental principles of data protection" such as
that restrictively interpreted by the defendant.
29. The Litigation Chamber will also demonstrate that there is not, and cannot be, a conflict of
competence with the Minister of the Interior (point 35). Decision on the merits 48 / 2021- 8/15
30. The Litigation Chamber is therefore of the opinion that the complaint was rightly declared
admissible by the SPL on the basis of Article 60.1. LCA for the following reasons.
31. The Chamber notes on the one hand that, according to the terms of its complaint, the Complainant accuses the Respondent
to have consulted his data in the National Register outside any legal framework and in the absence
basis of legality. Access to the National Register being strictly regulated as will be detailed
below, its consultation (which constitutes processing within the meaning of Article 4.2. of the GDPR) must,
in order to be qualified as lawful, meet all the conditions required by both the GDPR and
7
by the RN Law (see point 35 and title 5 below).
32. The Litigation Chamber recalls Article 5.1 of the RN Law which lists in paragraph 4 the notaries
among professionals authorized to access data in the National Register, including the address,
with permission. This authorization, now issued by the Minister of the Interior, was
in the past either by the Sectorial Committee of the National Register (CSRN) or by way of an order
royal.9
33. The Contentious Chamber underlines that in this case, the Royal Decree of 11 September 1986 specifies in
its Article 1 that it is for the accomplishment of the tasks which fall within their competence that
notaries are authorized to access the information referred to in Article 3, paragraph 1, 1 ° to 9 °, and
paragraph 2, of the RN Law among which appears the data "address" (M.B., October 2, 1986).
34. Therefore, it is not indifferent to consult the National Register rather than another database
although both contain partly similar data. Legally regulated access
to a database such as the National Register cannot be diverted from its purpose under the pretext of
that the person who consults it has, in any event, authorized access to the data consulted
7 In the same sense see. Decision 16/2020: "The processing of images filmed by surveillance cameras
is in fact, as soon as these images constitute personal data, subject to the GDPR at
apply in parallel with the Cameras Act ”.
8 Art. 5 § 1. Authorization to access or obtain the information referred to in Article 3, paragraphs 1 to 3]
communication, and authorization to access information on foreigners entered in the register
waiting period referred to in article 1, § 1, paragraph 1, 2 °, of the law of 19 July 1991 on population registers,
identity cards, foreigner's cards and residence documents and amending the law of 8 August 1983
organizing a National Register of Natural Persons, are granted by the Minister of the Interior in
its attributions: (…) 4 ° to notaries and bailiffs for the information they are authorized to provide
know by law, decree or ordinance;
9
See. Article 5 of the RN law before its amendment by the law of 25 November 2018 (M.B. 13 December 2018) which
granted authorization competence to the Sectoral Committee of the National Register. See. also article 5 of the
initial law of August 8, 1983 (M.B. April 21, 1984) which granted the King the power to authorize access to the Register
national before this competence is entrusted to the Sectorial Committee of the National Register. Decision on the merits 48 / 2021- 9/15
(the address of the complainant in this case) via another database (the BCSS in this case). In
this, the consultation of the National Register by the defendant must be examined from the point of view of its
legality, an examination which is unquestionably within the competence of the DPA.
35. As to the division of jurisdiction with the Ministry of the Interior invoked by the defendant,
the Contentious Chamber notes that since the abolition of the CSRN in application of Article 109
LCA, it is indeed the Minister of the Interior who is responsible for issuing access permits
in the National Register. This authorization competence in no way excludes the control competence
of ODA. Access to the National Register constitutes, as already mentioned in point 31 below
above, processing within the meaning of Article 4.2. of the GDPR, by definition subject to the control of a
independent authority within the meaning of Article 8 of the EU Charter of Fundamental Rights, Article
16 of the TFEU and article 51 of the GDPR (see above). This control competence, in addition to the fact
10
that it is not, in concreto, granted by law to the Minister of the Interior, cannot in any case
hypothesis be exercised by a Minister who, by definition, does not meet the required conditions
to perform the duties of an independent data protection authority within the meaning of Article
51 of the GDPR (and which more generally must meet all the conditions set out in Chapter
VI of the GDPR). There is therefore no question here of "conflict of jurisdiction with the Ministry of
the interior "contrary to what the defendant claims. On the contrary, Article 17 of the Law
RN itself refers to the competence of the DPA.
36. Thus, article 17 requires that each public authority, public or private body having obtained
authorization to access information in the National Register is able to justify the
consultations carried out and that for this purpose, in order to ensure the traceability of the consultations, each
user keeps a log of consultations.
37. This article 17 further specifies that this register must contain: (1) the identification of the user
individual (or process or system) that accessed the data, (2) the data that was
consulted, (3) the way in which they were consulted, namely in reading or for modification, (4)
the date and time of the consultation as well as (5) the purpose for which the data were
consulted.
38. Finally, the same Article 17 also provides that this register of consultations is to be made available
of the Data Protection Authority (APD) and this, in the opinion of the Litigation Chamber, for him
10 See. also in this regard Decision 61/2020 of the Contentious Chamber, point 40: “By virtue of Article
4 of the LCA, the Data Protection Authority is competent to monitor compliance with "laws containing
provisions relating to the protection of the processing of personal data ".
the case, no other supervisory authority is competent under the legislation in force, and no
jurisdiction has not been withdrawn from the Data Protection Authority in this specific context, it is
the competent supervisory authority (article 4.2. paragraph 2 LCA) ”.
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-61-2020.pdf Decision on the merits 48 / 2021- 10/15
allow the exercise of its control mission. It is indeed up to the data controllers
authorized to consult the National Register to implement the conditions of the authorization in
compliance with the requirements thereof and in accordance with the principle of accountability set out in
articles 5.2. and 24 of the GDPR, whose compliance rests with the DPA. 11
39. In conclusion of the above, the Contentious Chamber rejects the argument of inadmissibility
invoked primarily by the Respondent and continues to examine the merits of the complaint below.
5. As to the breaches on the part of the defendant
40. As the Litigation Chamber pointed out in point 32 above, Article 5.1 of the RN Law lists
in paragraph 4 the notaries among the professionals authorized to access the data of the Register
national, including address, with permission.
41. The Royal Decree of 11 September 1986 specifies in its article 1 that it is for
the performance of the tasks that fall within their competence that notaries are authorized to
access the information referred to in Article 3, paragraph 1, 1 ° to 9 °, and paragraph 2, of the RN Law among
which contains the data "address" (M.B., 2 October 1986) (paragraph 33).
42. The Litigation Chamber is of the opinion that by consulting the "address" data of the complainant, either
of an employee, the defendant did not consult in the context of
the performance of a task that falls within his competence as a notary. These tasks must indeed
be understood as being limited to what falls within the specific performance of the profession of
notary and not tasks that are common to any employer, whatever it is, such as sending
one or the other mail to its employees.
43. By virtue of his function, and for the sole accomplishment of the tasks relating to him, the notary has
access to certain data in the National Register. It is incumbent upon him to scrupulously respect
the purposes of this access which he prefers because of his profession. The circumstance that in all
hypothesis, the defendant would have had access to the address data via another source (i.e. the BCSS
in this case) is irrelevant in this regard. Indeed, the bases of legitimacy authorizing, under
of Article 6 of the GDPR, access to these databases are separate as are the data
to which access is therefore permitted are different. This is how the complainant rightly
highlights the fact that the data contained in the BCSS and in the National Register (article
3 RN Law) are not identical - even if there are data common to the two databases
data and that notaries do not have access to all of the data contained in the Register
national - and that the basis of legitimacy to access it is their own. At most, the fact that the Decision on the Merits 48 / 2021-11 / 15
defendant would, in any event, have had access to the "address" data via another source
could it be taken into account in the assessment of the sanction that the Contentious Chamber
would decide to impose (see. infra).
44. By failing to respect the purpose of the access granted to it, the defendant consulted
the National Register without an adequate legal basis. Therefore, she proceeded to a treatment of
data in relation to which it is unable to validly invoke any basis of lawfulness
required by Article 6 GDPR. In doing so, the defendant was guilty of a
breach of Article 6 of the GDPR. This breach is combined with a breach of
Article 5.1.a) of the GDPR according to which the processing of personal data must,
in particular, to be lawful. This requirement, while not limited to compliance with Article 6, encompasses
undoubtedly.
45. Nor does it appear to the Contentious Chamber that consultation of the National Register or of
the BCSS, on the other hand, would have been necessary in this case. Indeed, the official address of the complainant
appeared in the two contracts which bound it to the defendant. This address had been recalled by
twice by email on January 23 and February 2, 2020 by the complainant. On the day of dispatch
ecocheques in the mail on March 16, 2020, the complainant wrote to the respondent. This
In response, the latter could have inquired about the address to which to send the requested ecocheques.
In view of the context described by the defendant, the Contentious Chamber limits itself here to recalling
that the principle of minimization expressed in Article 5.1.c) of the GDPR under which only the
data processing necessary to achieve the purpose pursued must be respected.
6. As to corrective measures and sanctions
46. Under Article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity; Decision on the merits 48 / 2021- 12/15
10 ° order the rectification, restriction or erasure of the data and the notification thereof
data recipients;
11 ° order the withdrawal of accreditation of certification bodies;
12 ° give periodic penalty payments;
13 ° issue administrative fines;
14 ° order the suspension of transborder data flows to another State or an organization
international;
15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences
data on file;
16 ° decide on a case-by-case basis to publish its decisions on the website of the
data.
47. It is important to contextualize the breaches for which the defendant has been held responsible with a view to
to identify the most appropriate corrective measures and sanctions.
48. In this context, the Litigation Chamber will take into account all the circumstances of
the species.
49. The Litigation Chamber found a breach of Article 6 combined with Article 5.1.a) of the GDPR
on the part of the defendant, or a breach of one of the founding principles of protection
data devoted to Chapter II "Principles" of the GDPR: the principle of lawfulness (article 5. 1. a)
of the GDPR. In the absence of a legal basis, the data processing simply cannot have
place (article 6 of the GDPR).
50. Without this circumstance alone establishing the seriousness of the breach, the Chamber
Litigation recalls that the violation of the provisions listed in Article 83.5 of the GDPR (including
Articles 5 and 6 of the GDPR) may result in a fine of up to 20,000,000
euros or in the case of a company, up to 4% of the total worldwide annual turnover of
the previous exercise. The maximum amounts of fine that may be applied in the event of violation of
these provisions are superior to those provided for other types of breaches listed in article
83.4. of the GDPR.
51. The quality of the defendant is a factor which contributes to the seriousness of the breach. Indeed,
as the Litigation Chamber explained above, access to the National Register is strictly
regulated and limited to certain professions in particular. Indeed, the National Register is not a
innocuous database. As the Litigation Chamber had the opportunity to point out in its Decision on the merits 48 / 2021- 13/15
Decision 19/2020, this database including a certain amount of information - admittedly
limited - relating to more than 11 million people, it requires, by its very nature,
particularly rigorous, not only given its scope, but also due to its
the very purpose of recording, storing and communicating information relating to
(unique) identification of natural persons. It is therefore quite essential that those who
benefit from access to the National Register, in strict compliance with its conditions. The notary
is a public officer, appointed by the King. He exercises this public function within the framework of a
strictly regulated liberal profession. He exercises public power by establishing acts
authentic which have the force of a judgment in particular. The notary is also subject to a
Code of ethics. All these elements require him to adopt an exemplary attitude towards
compliance with the law, including data protection rules. The Litigation Chamber
has already had the opportunity to underline this requirement with regard to public officials such as
mayors and aldermen, but also companies benefiting from public concessions of
parking lot or with regard to bailiffs. The same goes for notaries.
52. The Litigation Chamber further notes that this is a priori isolated breach, committed
by a notary as part of the activities of his office, which can be qualified as an SME. Said
breaches only concern an employee in a specific, punctual context, marked by
loss of confidence and fears. These fears were linked both to the tense climate between the parties
and the potential difficulties of movement in the event of a shipment to an incorrect address in the
context of emerging confinement following the covid-19 pandemic. Nothing allows the
Litigation Chamber to believe that the disputed processing is structurally part of the
professional practice of the defendant.
53. The fact that the data "address" is relatively innocuous, not considered particularly
sensitive by the defendant as well as the fact that it was already in the possession of the defendant and
that this data was in any event accessible to him via the BCSS are also taken into account,
12 See. the Decision 19/2020 of the Contentious Chamber, page 13:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf In the same
sense, see. with regard to the Vehicle Registration Directorate (DIV) database, access to which
is also regulated, Decision 81/2020 of the Contentious Chamber (point 82):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf
13 See. Decision 10/2019 of the Contentious Chamber:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as the
Decision 11/2019: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-11-
2019.pdf and Decision 53/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-
fond-n-53-2020.pdf
14
See. Decision 81/2020 of the Contentious Chamber:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf Decision on the merits 48 / 2021- 14/15
to a certain extent, by the Litigation Chamber in its assessment of the sanction
adequate. Indeed, by consulting the National Register, the defendant also has
access to a number of other data - admittedly limited by the Royal Decree of 11 September
1986 already cited - relating to the complainant. The defendant further states in this regard that it
has no other choice but to access all of this data, the available application cannot
do not allow you to target your consultation on the single "address" data. The Litigation Chamber
takes note of this double consideration.
54. The Litigation Chamber wishes to emphasize that, however, one should not be mistaken about the scope
of this decision as to the substance and as to the breach sanctioned. It is, as it has been
described above, access to a datum X (in this case the address) contained in a database
data for strictly reserved access outside the legal conditions which is at the heart
of this decision and here sanctioned; and this, much more than knowledge of the data
"Address" as such. However, the Litigation Chamber is no less sensitive to the
fact that in this case, the impact of this consultation on the complainant is low and possible prejudice
in its head not demonstrated.
55. Finally, the Litigation Chamber also takes into account the measures put in place by the
defendant to comply with the obligations incumbent on him in his capacity as
processing: appointment of a data protection officer (article 37-39 of the GDPR),
establishment of a register of processing activities (Article 30 of the GDPR), adoption of a policy
protection of personal data intended for citizens, adoption of a security policy
information accompanied by a procedure in the event of a data breach as well as the establishment
a procedure for managing the rights of data subjects.
56. In conclusion of the foregoing, and in view of all the circumstances of the case, now
aggravating, sometimes mitigating, the Litigation Chamber considers that the reprimand (i.e. the
call to order referred to in Article 58.2.b) of the GDPR) 15 is in this case, the effective sanction,
proportionate and dissuasive which is imposed on the defendant.
57. Finally, with regard to the breach of Article 14 of the GDPR invoked by the complainant by way of
conclusions, the Contentious Chamber decides to dismiss the complaint with regard to this grievance.
The Contentious Chamber is in fact of the opinion that this grievance came to be grafted on that of the absence of
basis of lawfulness of the consultation of the National Register is not such as to modify its decision. The
defendant explained in terms of its conclusions that the work regulations signed by the
15
As it has already had the opportunity to specify in several decisions, the Litigation Chamber recalls here
that the warning punishes a breach that is likely to occur: see. Article 58.2.a) of the RPD
in this regard. Decision on the merits 48 / 2021- 15/15
complainant contains a certain amount of information relating to the data processing carried out
by the defendant with regard to its employees (Title VIII). The defendant specifies in this regard that
this regulation dates from 2016 and is currently being updated. The Litigation Chamber recalls
here the necessary compliance with the obligation of transparency and articles 12, 13 and 14 of the GDPR in
terms of information to the persons concerned, including by an employer to its employees.
7. Regarding publicity and transparency
58. Considering the importance of transparency with regard to the decision-making process and
decisions of the Litigation Chamber, this decision will be published on the website of the APD
by deleting the direct identification data of parties and persons
physical cited.
FOR THESE REASONS,
THE LITIGATION CHAMBER
Decided
- To issue a reprimand against the defendant on the basis of Article 100.1, 5 °
LCA given the breach noted in Article 6 of the GDPR combined with Article 5.1.a) of
GDPR;
- To dismiss the remainder of the complaint on the basis of Article 100.1.1 ° LCA.
Under Article 108.1 LCA, this decision can be appealed to the Court of
contracts (Brussels Court of Appeal) within 30 days of notification, with
the Data Protection Authority as respondent.
(Sé) Hielke Hijmans
President of the Litigation Chamber
