APD/GBA (Belgium) - 146/24

From GDPRhub
Revision as of 08:43, 11 December 2024 by Elu
APD/GBA - 146/24
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 7 GDPR
Article 7(3) GDPR
Article 24 GDPR
Article 25 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 100 of the Belgian LCA
Type: Investigation
Outcome: Violation Found
Started:
Decided: 28.11.2024
Published:
Fine: n/a
Parties: Freedelity
National Case Number/Name: 146/24
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Autorité de protection des données (in FR)
Initial Contributor: elu

The DPA reprimanded a tech company for the centralised storage and disclosure of end-customers’ data to different retail companies. This practice violated the principles of data minimization, storage limitation, accountability, as well as data protection by default and by design.

English Summary

Facts

After a Belgian journal published an article on the data sharing from Freedelity to other brands, the Belgian DPA started an investigation.

Freedelity, the controller, is a company offering technological means to simplify the shopping experience of consumers, by collecting and storing the personal data present in Belgian electronic ID cards. This makes it possible to centralise the commercial information and offers from different brands to consumers, such as loyalty cards and background log information of previous purchases. The data processed is stored in a central filing system that is accessible to other brands, not only to the controller.

Three main points were raised in the investigation. First, the collection of personal data, more specifically identification data and contact data. Second, the sharing of such personal data. Third, the transfer of personal data stored in the central filing system to third parties.

Holding

The DPA started its decision by explaining which types of data processing took place. First, personal data was collected not only directly from the clients through the scanning of their electronic ID, but also by the controller, both through its application and website, including its cookies, and through subscriptions to the central filing system. Second, personal data was shared between the controller and other companies: the controller shared and updated all personal data of customers subscribed to the controller's service, in exchange for advertisement of the controller's website.

The court found that the data collection and sharing are two inextricably linked practices as the purpose of data collection from electronic IDs is to allow the constant growth of the central filing system.

Therefore, the DPA considered it appropriate to examine whether or not the controller and the companies providing the other brands acted as joint controllers in the context of this decision. The DPA considered the determination of, first, the purposes of processing; and, second, of the means of processing. The purpose was found to be the data collection and processing, which is shared between the controller and the other brands. Similarly, the means are shared, with the controller collecting personal data from their website and app, and the other brands advertising this service. In light of this, the controller and the other brands were considered joint controllers as per Article 26 GDPR.

Violation of Articles 5(2) and 7 GDPR

With regard to the lawfulness of the legal basis, the DPA found a violation of Articles 5(2) and 7 GDPR, as the consent collected by the joint controllers was not “collected for specified, explicit and legitimate purposes”.

Violation of Articles 5(2), 7(3), 24 and 25 GDPR

Additionally, the DPA considers that the joint controllers did not respect the documentation requirements and liability arising from Articles 24 and 5(2) GDPR in the matter of withdrawal of consent, as the current mechanisms do not allow for a withdrawal of consent that is both simple and direct as required by Article 7(3) GDPR, in accordance with the principle of data protection by design under Article 25 GDPR.

Violation of Articles 5(1)(c) and 25(1) GDPR

A violation of the principle of data minimization under Article 5(1)(c) GDPR and of data protection by default under Article 25(1) GDPR was found, as data concerning the municipality of issue of the identity card, the date of validity of the identity card and the history of this data had been collected, even though the DPA finds that it has no relevance in the framework of the processing carried out by the joint controllers.

Violation of Articles 5(1)(e), 5(2), 24 and 25(1) GDPR

Finally, the DPA found a violation of Article 5(1)(e) GDPR, namely the storage limitation principle, as a data storage period of 8 years was established, which is too long, and there is no good storage system in place to keep the data subject's data safe from third party interventions.

Reprimand

In the case at hand, as per Article 100 of the Belgian LCA, the DPA considered it sufficient to reprimand the controller, but also imposed a deadline of 4 months to correct these GDPR violations. After those 4 months, a €5,000 daily fine will be imposed.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Contentious Chamber

Decision on the merits 146/2024 of 28 November 2024

Case number: DOS-2019-04308

Subject: Investigation concerning two processing operations implemented by Freedelity

The Contentious Chamber of the Data Protection Authority, consisting of Mr. Hielke Hijmans, President, and Messrs. Yves Poullet and Romain Robert, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter the "LCA") [1];

Having regard to the internal regulations as approved by the Chamber of Representatives on 20 December 2018 [2] and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;

Has taken the following decision concerning:

The defendant: Freedelity, whose registered office is established at Rue Altiero Spinelli 7, 1401 Nivelles, registered under company number 0818.399.886, represented by Maîtres Christian Defauw, Alexandre Cassart, Etienne Wéry, Victoria Ruelle and Fanny Cotton, hereinafter: "the defendant"

[1] The DPA recalls that the revised organic law entered into force on 01/06/2024. It only applies to complaints, mediation files, requests, inspections and proceedings before the Litigation Chamber initiated from that date. Cases initiated before 01/06/2024, such as this case, are subject to the provisions of the old version of the LCA accessible here: https://www.autoriteprotectiondonnees.be/publications/loi-organique-de-l-apd.pdf

[2] The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the Law of 3 December 2017 establishing the Data Protection Authority (LCA), came into force on 01/06/2024. It only applies to complaints, mediation files, requests, inspections and proceedings before the Litigation Chamber initiated from that date. Cases initiated before 01/06/2024 are subject to the provisions of the internal regulations as they existed before that date.

Decision on the merits 146/2024 – 2/67

I. Facts and procedure

1. On 8 July 2019, the newspaper l’Echo published an article entitled “Freedelity proposes to pool customer data management”. On 2 August 2019, a member of the Management Committee proposed to the Chairman of the Management Committee to examine this service.

2. This discussion was put on the agenda of the Management Committee meeting of 20 August 2019. At this meeting, the Management Committee decided to send a letter to the defendant to inquire about the operation of the service described in the article in l’Echo.

3. On 30 August 2019, the Director of the General Secretariat sent a letter containing a series of approximately 10 questions to the defendant. On 9 October 2019, the defendant forwarded its answers to the General Secretariat.

4. On the basis of these answers, the General Secretariat drafted a letter to the Management Committee entitled “DIRCO Report – Preliminary Information Letter – Freedelity”. On 6 December 2019, on the basis of the latter, the Management Committee of the Data Protection Authority (hereinafter “DPA”) decided to request an investigation from the Inspection Service, pursuant to Article 63.1° of the LCA.

5. On 20 April 2022, the Inspection Service's investigation was closed, the report was attached to the file and the latter was forwarded by the Inspector General to the President of the Litigation Chamber (Art. 91, § 1 and § 2 of the LCA).

The Inspection Service notes, broadly, that:

- Finding 1: Freedelity was unable to demonstrate the collection of valid consent (in accordance with Article 4.11 of the GDPR) in violation of Articles 5.1.a., 6.1.a., 7 and 5.2. of the GDPR.

- Finding 2: Freedelity was unable to demonstrate that appropriate measures had been put in place to facilitate the withdrawal of consent in violation of Article 7.3. of the GDPR, read in light of the principle of accountability (Articles 5.2., 24 and 25 of the GDPR).

- Finding 3: Freedelity was unable to demonstrate that it has implemented appropriate measures to ensure the validity and collection of consent (within the meaning of Article 4.11. of the GDPR) for the processing operations for which Freedelity acts as data controller, in violation of Articles 5.2., 24 and 25 of the GDPR.

- Finding 4: Freedelity has violated the principle of data minimization set out in Article 5.1.c. of the GDPR and Article 25.1 of the GDPR.

- Finding 5: Freedelity failed to justify the data retention periods determined in violation of Articles 5.1.e., 5.2., 24 and 25.1. of the GDPR.

[3] This article is available at the following link: https://www.lecho.be/entreprises/technologie/freedelity-propose-de-mutualiser-la-gestion-des-donnees-clients/10143718.html

6. On 6 July 2022, the Litigation Chamber decided, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case could be dealt with on the merits.

7. On the same day, the defendant is informed by registered mail of the provisions as set out in Articles 95§2 and 98 of the LCA. It is also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting its submissions.

8. The deadline for receipt of the submissions in response from the defendant was set at 31 August 2022.

9. On 7 July 2022, the defendant requests a copy of the file (Art. 95, §2, 3° LCA), which is sent to it on 12 July 2022.

10. On 18 July 2022, the defendant agrees to receive all communications relating to the case by electronic means and expresses its intention to use the possibility of being heard, in accordance with Article 98 of the LCA. It also requests an extension of the deadline for submitting submissions to 30 October 2022.

11. On 2 August 2022, the Litigation Chamber accepts an extension of the deadline to 21 September 2022.

12. On 15 September 2022, the defendant requests to be able to consult the paper version of the administrative file. It also requests an extension of the deadline for submitting submissions to 21 October 2022.

13. On 21 September 2022, the Litigation Chamber agrees to extend the deadline for filing submissions by two weeks, until 5 October 2022. It reminds the defendant that, at its request, it had already obtained a complete digital copy of the administrative file on 12 July 2022. However, it adds that the defendant can consult the file by contacting the registry.

14. On 28 September 2022, the consultation of the paper administrative file took place in the premises of the APD.

15. On 5 October 2022, the Litigation Chamber received the submissions from the defendant. When sending its submissions, the defendant also requested, before ruling on the matter, documents that it considered necessary for the exercise of the rights of the defence. It also requested to be granted a new deadline for submissions after receipt of these documents.

16. On 2 May 2023, the Litigation Chamber sent the defendant numerous documents and also authorised the defendant to conclude on these elements until 17 May 2023.

17. On 3 May 2023, the defendant requested that the deadline for submission of conclusions be extended to 15 June.

18. On 8 May 2023, the Litigation Chamber agreed to extend the deadline by one week, until 24 May 2023.

19. On 9 May 2023, the parties were informed that the hearing would take place on 14 June 2023.

20. On 23 May 2023, the defendant informed the Litigation Chamber that it wished to receive a full copy of the minutes of the Management Committee meeting of 6 December 2019. It requested a copy of the decision to lift the mandate of the President of the APD in 2022 and, in the event that the APD did not have it, it demanded that the latter take steps to obtain it. It considers that the deadlines for submitting the submissions granted to it are unreasonable, that the hearing is premature and that the file is not ready.

21. On 24 May 2023, the Litigation Chamber receives the additional submissions from the defendant.

22. On 2 June 2023, the Litigation Chamber responds to the defendant, stating that the extracts from the minutes of the Management Committee meeting contain all the information relating to this file. It adds that it has provided all the documents at its disposal and that it is up to the defendant to present in support of its submissions all the documents it considers useful. The Litigation Chamber concludes that the file is ready and that the hearing can take place.

23. On 12 June 2023, the defendant informed the Litigation Chamber that it had filed a request with the Commission for Access to Administrative Documents (hereinafter, “CADA”) against the Litigation Chamber. It requested a further postponement of the hearing.

24. On 12 June 2023, the Litigation Chamber reiterated the position expressed on 2 June 2023. It added that the APD did not currently consider itself subject to the law of 11 April 1994 on the publicity of the administration.

25. On 12 June 2023, the defendant informed the Litigation Chamber that one of its counsel was unavailable due to illness and that it was therefore unable to argue the case on the scheduled hearing date.

26. On 13 June 2023, the Litigation Chamber informed the defendant that the hearing had been postponed to 29 June 2023.

27. On 15 June 2023, the defendant sent the Litigation Chamber a request for disqualification of its president on the basis of Article 828, 1° of the Judicial Code [4].

[4] Art. 828 of the Judicial Code: "Any judge may be challenged for the following reasons: 1° if there is legitimate suspicion (…)"

28. On June 19, 2023, the President of the Litigation Chamber dismissed the challenge request recalling in particular that the Judicial Code is not applicable to him, and that the defendant's arguments concerning the lack of impartiality of the President of the Litigation Chamber are unfounded.

29. On 20 June 2023, the defendant filed a challenge application with the Market Court, which informed the Litigation Division on 22 June 2023.

30. On 26 June 2023, the registry of the Litigation Division informed the defendant that the hearing scheduled for 29 June 2023 was postponed to a date to be determined.

31. On 27 June 2023, the defendant sent an email to the President of the Data Protection Authority. In this email, the defendant recalled its various requests concerning the documents and indicated that it considered that this issue should be dealt with by the President of the DPA or the DPA Management Committee and not by the President of the Litigation Division.

32. On 4 July 2023, the APD received Opinion No. 2023-95 from the CADA. The latter considered itself competent to give an opinion on a request for access to a document made to the APD. It also considered that the defendant's request was admissible.

33. In its opinion, the CADA indicated that the APD was not required to guarantee access to a document that it did not possess, but that it must designate, if it was aware of it, the authority that held the requested document. Following this opinion, the defendant again requested access to documents that it considered necessary for the exercise of the rights of the defense.

34. On 11 July 2023, the Litigation Division responded to the defendant, informing it that it was forwarding its request to the APD's Management Committee.

35. On 18 July 2023, the Management Committee, through the Chair of the APD, responded to the defendant. She first stated that the CADA’s position constituted a reversal of its previous position. She added that she was not taking a position at this stage on the applicability of the law of 11 April 1994 to the APD, but she saw no objection to the fact that, in this case, the agenda and minutes of the Management Committee meeting of 6 December 2019 were provided to the defendant, with the removal of information concerning other data controllers.

36. On 31 October 2023, the Market Court issued a judgment 2023/7566 concerning the application for disqualification filed by the defendant against the President of the Contentious Chamber. In this judgment, the Market Court declared itself without jurisdiction and without competence to hear the application for disqualification filed by the defendant against the President of the Contentious Chamber.

[5] Judgment of the Market Court of 31 October 2023, No. 2023/AR/821 (judgment not registrable)

37. On 28 November 2023, the defendant was informed that the hearing would take place on 15 January 2024.

38. On 22 December 2023, the defendant filed a summons for interim relief with the Interim Relief Chamber of the Brussels Court of First Instance requesting the production of all documents relating to Freedelity under penalty of a penalty payment.

39. The Chamber of Interim Relief issued a first order on 12 February 2024 in which it declared Freedelity’s application unfounded with regard to the production of the decision to lift the mandate of the former president of the APD and the documents that are not linked to the decision of the Management Committee of 6 December 2019. It ordered the APD to produce several of the documents requested by the defendant.

40. On 20 March 2024, the Chamber of Interim Relief issued an order in which it found Freedelity’s application to be partially founded and ordered the APD to produce several additional documents, including internal emails between APD employees that were included in the inventory of exhibits.

41. On 22 March 2024, the APD provided the additional exhibits to Freedelity. In accordance with the second order of the Chamber of Interim Relief, it grants a period of 15 days to Freedelity to conclude on all the documents provided by the APD and invites it to the hearing which will take place on April 11.

42. On April 9, Freedelity files its additional submissions.

43. On April 11, 2024, the defendant is heard by the Litigation Chamber.

44. On April 29, 2024, the minutes of the hearing are submitted to the defendant.

45. On May 3, 2024, the defendant informs the Litigation Chamber that it does not wish to comment on the minutes of the hearing and that it sticks to its procedural writings and pleadings.

II. Reasons

II.1. Background

46. Since its creation in 2010, Freedelity has offered technology aimed at simplifying the collection and updating of personal data, in particular by using data contained in the chip of the Belgian electronic identity card (hereinafter, "eID").

47. Freedelity's services make it possible to centralise commercial advantages offered by different brands to consumers, as well as the latter's loyalty cards or proofs of purchase. These services are offered both (i) by Freedelity to its customers of the "brand" type (according to a B2B model, as part of the CustoCentrix service), and (ii) by Freedelity to consumers (according to a B2C model).

48. While the aforementioned article in L’Echo focused on the presentation of CustoCentrix, from the inspection phase, the investigation focused on the “Freedelity file”, maintained by Freedelity as data controller, this file remaining largely supplied by data collected by the brands.

49. As Freedelity explains in its responses to the inspection service (Exhibit 5 of the file), “the Freedelity file allows the personal identification of each consumer, access to the Myfreedelity portal as well as the management of the process of pooling the maintenance of consumer data between Freedelity customers”.

50. The Inspection Service has only analysed the conformity of the processing operations relating to the Freedelity file, and consequently (1) the collection of personal identification and contact data, (2) the pooling of these personal data, and (3) the transfer of identity data contained in the Freedelity file to third parties such as Z1 and Z2.

51. The Litigation Chamber will successively analyse the legality of the processing operations (1) and (2) referred to above in section II.5. However, it notes that the Inspection Service’s investigation report does not contain sufficient elements to allow an in-depth examination of the processing operation (3), in particular concerning the possible legal bases and the roles of the actors involved. Consequently, this decision will not concern this processing operation (3).

II.2. Preliminary question: Recusal of the President of the Litigation Division

52. As a preliminary point, the defendant requests the President of the Litigation Division to withdraw due to the legitimate doubt that exists as to his impartiality. For the purposes of readability and clarity of this decision, the response of the Litigation Division to this argument will be examined later in the decision, in the section devoted to respect for the rights of the defence, and more particularly to the impartiality of the members of the Management Committee, including the President of the Litigation Division (section II.4.1.1).

II.3. Procedure: Stages of the procedure

53. The Litigation Division notes that the defendant has raised a significant number of arguments relating to all stages of the procedure. However, without prejudging its jurisdiction and the extent of its duty to provide reasons with regard to the arguments raised - questions which have not been decided by the Markets Court -, the Litigation Chamber wishes to respond to them below for the proper understanding of the decision.

[6] Freedelity’s role as the data controller of this file is not contested.

II.3.1. The questioning of the Director of the General Secretariat (at the time also Chairman of the Management Committee) by the Director of the Knowledge Centre

54. The defendant considers that the Director of the Knowledge Centre at the time had no authority to question the Director of the General Secretariat, either in her capacity as a member of the Management Committee or as Director of the Knowledge Centre.

55. For all practical purposes, the Litigation Chamber recalls that the Management Committee is composed of the five directors of the APD (Article 12 of the LCA). In this capacity, the Director of the Knowledge Centre was, along with this function, a member of the Steering Committee at the time of the questioning of the Director of the General Secretariat. Furthermore, the Director of the General Secretariat at the time was also the President of the Data Protection Authority, and therefore, in this capacity, chaired the Steering Committee in accordance with Article 13§1 of the LCA.

56. Article 10§1 of the LCA provides that “The Steering Committee shall monitor developments in the technological, commercial and other fields that have an impact on the protection of personal data” (emphasis added).

57. It is clear from the documents in the case that the Director of the Knowledge Center (member of the Management Committee) proposed to the Chairman of the Management Committee to examine a Freedelity service whose operation was described as innovative in an article in L’Echo published on 8 July 2019, entitled “Freedelity proposes to pool the management of customer data”.

58. The APD, through its predecessor the Commission for the Protection of Privacy (hereinafter “CPVP”), was aware of the existence of the service offered by Freedelity, consisting of an innovative technology allowing access from one’s identity card to economic advantages (e.g. points accumulated on a loyalty card). However, the L’Echo article presented an evolution of the technological service in question: “Today, the Nivelles company is going a step further. With Custocentrix, it is launching a cloud platform enabling retailers to better organise and keep up to date all of their customers' personal and behavioural data".

59. It should be noted that an evolution of a technological service offered by a private company requiring the use of the Belgian identity card, which contains a unique identifier of a highly sensitive and regulated nature (the national register number), has an impact on the protection of personal data in Belgium. If the members of the APD Management Committee were not able to understand the extent of the impact of this development on the basis of a simple newspaper article, nor whether the processing of the national register number was involved in this development, the latter have fully assumed their responsibility by deciding to analyse said development on the basis of Article 10 of the LCA. Any contrary interpretation of this article would amount to limiting this monitoring power conferred specifically on the members of the Management Committee [10] and to emptying it of its meaning. The Director of the Knowledge Center was therefore entitled to formally request the Chairman of the Management Committee that this discussion be placed on the agenda of the Management Committee meeting of 20 August 2019.

[7] As of 1 June 2024, this service is called the "Authorisation and Advice Service".

[8] The Echo article is available at the following link: https://www.lecho.be/entreprises/technologie/freedelity-propose-de-mutualiser-la-gestion-des-donnees-clients/10143718.html

[9] Without however being considered as a special category of personal data within the meaning of Article 9 of the GDPR.

60. Under the conditions mentioned in the two preceding paragraphs, any member of the Management Committee is authorized to formally request the Chairman of the Management Committee to place a discussion concerning such monitoring on the agenda of Management Committee meetings. For the Litigation Chamber, this interpellation comes within the framework of this obligation to monitor developments in technological fields, falling to the APD and therefore, first and foremost, to the members of the Management Committee. Such monitoring requires the possibility of an internal interpellation between members of the Management Committee and is therefore perfectly justified.

61. A member of the Management Committee wished to put on the agenda a discussion concerning the new service proposed by Freedelity, in order to allow the Management Committee to monitor this development in the technological field. This legitimate questioning occurs within the framework of Article 10§1 of the LCA and is therefore in accordance with the law.

II.3.2. Sending of a letter requesting information to the defendant by the Chairman of the General Secretariat (at the time, also Chairman of the Management Committee)

62. First, the defendant considers that following the decision of the Management Committee to monitor the Freedelity service, the General Secretariat exceeded its powers by sending a letter requesting information to the defendant (Exhibit 2 of the file). It relies in particular on a report from the Court of Auditors which, according to it, criticises the fact that the General Secretariat grants itself a "role of filtering files". Secondly, the defendant argues that sending this letter requesting information in Dutch to the defendant is contrary to the law on the use of languages in administrative matters and that by application of Article 58 of the Law of 18 July 1966, the nullity of this act must be established and, by extension, that of the entire procedure.

[10] It should be noted that the members of the Management Committee make particularly moderate use of this monitoring power conferred by Article 10 of the LCA. This power is included in the new version of the LCA, as applicable to files initiated after 01/06/2024.

63. First, the Litigation Chamber points out that during the meeting of the

Management Committee, its members decided that a letter could be sent on the basis of Article

20§1,1° of the LCA, after consulting the files that had previously been opened

concerning the defendant with the Front Line Service (“FLS”). The first

letter was drafted by the General Secretariat and sent to the defendant on 30 August 2019.

64. The President of the APD (and therefore of the Management Committee) was assisted in the

performance of his tasks by the General Secretariat (Article 13§3 of the LCA). In addition, the General

Secretariat has its own mission of “monitoring” technological developments, which

have an impact on the protection of personal data (Article 20§1,1° of the

LCA). This mission presents a certain redundancy with that of the Management Committee,

consisting of “monitoring” developments in the technological field having an impact

on the protection of personal data (Article 10 of the LCA). However, the

“monitoring” mission11 of the General Secretariat implies a priori an active control of a higher

degree than that implied by the notion of “monitoring” incumbent on the Management Committee. Furthermore,

the Management Committee does not have its own department and cannot ensure its

monitoring without going through another body of the APD to assist it, which was in this case the

General Secretariat, whose director chaired the Management Committee.

65. The Litigation Chamber does not share the defendant’s reading according to which the

General Secretariat arrogated to itself in this case “investigative” powers (a mission

incumbent solely on the Inspection Service) or “filtering of files”. In the

present case, the General Secretariat sent about ten neutral questions

concerning the operation of the new Freedelity service, in order to

understand how it works. The General Secretariat is in fact

authorized to exercise such surveillance

under Article 20§1,1° of the LCA), which is distinct in all respects

from the power of investigation reserved for the Inspection Service (Article 28 of the LCA).

66. Thus, the criticisms of the Court of Auditors concerning the fact that the General Secretariat

would play a role of filtering files are not relevant to the present case,

since in this case, the file was opened at the request of a member of the

Management Committee and the Management Committee decided to send a letter on 20 August 2019. The

General Secretariat merely assisted the Chairman of the Management Committee while

remaining within the limits of its legal powers, and, in this way, enabled the Management

Committee to monitor developments in the technological field in question.

11 According to the Larousse dictionary, the primary meaning of the term "surveillance" is defined as: "Action of monitoring, of controlling
something, someone". See in this sense the online version available on the following link:
https://www.larousse.fr/dictionnaires/francais/surveillance/75897
12 According to the Larousse dictionary, the primary meaning of the term "monitoring" is defined as: "Set of operations consisting of
monitoring and controlling a process to achieve the desired result in the best conditions". See in this sense the
online version available at the following link: https://www.larousse.fr/dictionnaires/francais/suivi/75313

67. Prohibiting the General Secretariat from contacting the stakeholders concerned regarding

technological developments in order to fully assume its “monitoring” mission,

would amount for the APD to requesting the intervention of another body (for example the

Inspection Service) to ensure this monitoring. This mode of operation would be completely

contrary to the spirit of the LCA, and to the logic of the distribution of internal powers between

the bodies of the APD, as explained above: it is not only provided in the text that

the General Secretariat follows technological developments, but it is also logical that

the General Secretariat assists the Management Committee in the performance of its tasks,

particularly when Article 13§3 of the LCA provides that the President of the APD – therefore the

President of the Management Committee – is assisted in the performance of his tasks by the
General Secretariat. Furthermore, the Inspection Service could not be contacted at this stage,

since its referral cannot come from a request from the General Secretariat (Article 63 of the

LCA) and no procedure justifies the sharing of an investigation by the Inspection Service

with the General Secretariat, which must remain secret as a matter of principle (Article 28 of the LCA).

68. For these reasons, the General Secretariat remained within the limits of its powers by

contacting Freedelity, as part of its monitoring mission, in order to measure

itself the impact of a technological development on data protection, as provided

for by Article 20§1,1° of the LCA, to inquire about the technological

development that constitutes the new service offered by Freedelity, a service whose

impact was certain due to the sensitive nature of the processing in question requiring the use of the

identity card.

Sending a letter requesting information concerning the processing of

personal data in the context of the new Freedelity service therefore constitutes a

proportionate measure in the context of the monitoring mission of the General

Secretariat and of monitoring technological developments within the remit of the Management

Committee.

69. Secondly, regarding the use of language, as the Market Court has already decided, "Despite its public policy nature, an illegality relating to the language of a decision cannot give rise to annulment if it is not such as to affect the meaning of the decision, if it has not deprived the interested parties of any guarantee or if it has not had the effect of influencing the competence of the author of the decision" (free translation). In this case,

Exhibit 2 of the file was processed by the defendant without difficulty, and it was sent at a stage

prior to the investigation by the Inspection Service.

70. In this case, the Litigation Chamber recalls the chronology of the facts:

- Sending of a letter requesting information in Dutch (Exhibit 2) - 30.08.2019;

13 Judgment of the Market Court, of September 4, 2019, 2018/AR/1446 and others, original version: “Ondanks zijn karakter van de
openbare orde, kan een eventuele onwettigheid in verband met de taal van een beslissing, een aanleiding geven tot
vernietiging indien deze onwettigheid niet van aard is om, te dezen, een invloed hebben op de richting van de beslissing, zij
de belanghebbende partijen geen waarborg heeft ontzegd de zij niet het effect heeft gehad om van invloed te zijn op de
bevoegdheid van de auteur van het besluit”.

- Freedelity requests to be able to respond in French – 10.09.2019;

- APD agrees that the file be handled in French – 20.09.2019;

- Freedelity sends its responses in French – 09.10.2019;

- The rest of the file is handled in its entirety in French.

71. The responses provided by the defendant to the letter requesting information in

Dutch were written in French by the defendant, who was therefore perfectly able

to understand the questions addressed to it.

72. In accordance with the defendant’s request, the rest of the procedure was conducted

in its entirety in French. The defendant was therefore in no way deprived of procedural

guarantees that could affect the present procedure.

73. Consequently, the Litigation Chamber considers that the sending of a letter requesting

information to the defendant by the President of the General Secretariat (at the

time, also President of the Management Committee) complies with Articles 10 and

20§1,1° of the LCA. The fact that this letter was written in Dutch is not such as

to taint the proceedings with nullity since the rights of the defence were not

affected.

II.3.3. Sending of a note to the Management Committee by the

General Secretariat (“DIRCO Report – Preliminary Information Letter –

Freedelity”)

74. First, the defendant criticises the fact that the General Secretariat drafted a

note (“Preliminary Information Letter”) for the Management Committee on the basis

of the responses provided by the defendant (document 6 of the file). It also criticises that

this note uses elements from the contacts between the CPVP and the

responses provided by Freedelity to the questions of the General Secretariat. Secondly, the

defendant claims that the document entitled “probe letter” which is attached to the

decision of the Management Committee of 6 December 2019 is not produced in the file. It adds that

the use of the terminology “probe” demonstrates the implementation of
exploratory, abusive, unfair and arbitrary procedures. It concludes that in this case, the APD

had no serious evidence at the time it contacted Freedelity.

75. Firstly, the Litigation Chamber notes that following the

defendant’s response to the letter requesting information, an opinion was drawn up by the

General Secretariat for the Management Committee on the basis of the

responses provided (document 6 of the file).

On this basis, the Management Committee decided on 6 December 2019 to ask the

Inspection Service to open an investigation.

76. As stated above, the Litigation Chamber recalls that the General

Secretariat has a monitoring mission (Article 20§1, 1° of the LCA). When this

monitoring mission follows a request for monitoring from the Management Committee (Article 10

of the LCA), it is logical that a document be drawn up on the basis of the answers provided to the

questions asked, to enable the Management Committee to ensure the continuity of its

monitoring (Article 10 of the LCA).

77. Indeed, in order to pursue “developments in the technological field” (emphasis added)

within the meaning of Article 10 of the LCA, it is necessary for the Management Committee to take into

account all information relevant to understanding such developments. The

Management Committee has therefore legitimately cross-checked and used the information made

available by Freedelity during its contacts with the CPVP, of which the APD is the

continuation.

78. The provision of information necessary for monitoring cannot be carried out by the

Management Committee itself since it does not have a department - as already

indicated previously - and must therefore necessarily be carried out by a body of the APD. In

this case, the General Secretariat was the natural APD department to do this: the

request for information already came from the General Secretariat, which logically

followed up on its letter, not to mention that this body is entrusted by

Article 10 of the LCA with a mission to monitor technological development.

79. The Litigation Chamber concludes that the General Secretariat was perfectly justified in

drafting an opinion for the Management Committee by gathering the information made available to

it so that the Management Committee could decide to open an investigation at a later

stage. Moreover, it was only on the basis of the information reported by the

General Secretariat that the Management Committee was able to assess the follow-up to be given to the procedure. No opinion or

recommendation is binding on the Management Committee, which is sovereign in its assessment.

In this case, the Management Committee decided that the next step in the procedure would be the implementation

of Article 63.1° of the LCA.

80. Secondly, the document entitled “probe letter” whose legality the defendant is contesting

is indeed document 6 of the inventory which has been part of the file since the beginning of the case and

which was provided to the defendant when it requested a copy of the file.

81. Furthermore, the term "probe" on which Freedelity's complaint is based is used only once by a legal adviser who wrote the opinion to the Management Committee on which the latter ruled on 6 December 2019. The term is never used again subsequently and the

letter is officially entitled ("DIRCO Report - Preliminary Information Letter -

Freedelity").

82. In its internal communications, the APD alternately uses the terms "monitoring" or

"system surveillance procedure" in relation to this letter. The unfair nature of the APD cannot be deduced from the

simple use of these terms. Indeed, these terms are taken from the very letter of the LCA, at most they are translated into English. The Litigation Chamber

recognises at most the use of different terms in the

internal communications to identify the procedure in question, which

has no legal consequences on the procedure.

83. The actions taken by the General Secretariat constitute a

necessary step in order to be able to provide a complete file to the

Management Committee so that it can make an informed decision. The

defendant wrongly confuses on the one hand (i) the preparatory

actions for the follow-up of a file as well as the decision of the

Management Committee, and on the other hand (ii) the investigation

itself.

84. The Litigation Chamber firmly reaffirms that an investigation can only be

carried out by the Inspection Service (Article 28 of the

LCA). Unlike the latter, neither the

General Secretariat nor the Management Committee have the power to note

infringements or violations of the GDPR before submitting their findings to the

Litigation Chamber.

85. The sending by the General Secretariat to the Management Committee of the contested note (the “DIRCO

Report – Preliminary Information Letter – Freedelity”) was done legally, on the basis

of Articles 10 and 20§1, 1° of the LCA.

II.3.4. Finding of serious evidence by the Management Committee

86. First, the defendant maintains that it was the General Secretariat that referred the matter to the

Management Committee, with reference to Article 63.1 of the LCA, when it did not have
serious evidence to do so and that it therefore illegally decided to ask

questions of the defendant. It considers that the article in L’Echo was not sufficient

in itself to trigger the opening of a file. Secondly, it adds that the

Management Committee did not find serious evidence in its decision of 6 December 2019 since

it merely repeated the report made by the General Secretariat. It refers in particular

to the judgment of the Court of Markets of 22 February 2023¹⁴ to argue that the

Management Committee’s reasoning is deficient. Third, the defendant considers that the DPA has

undermined the defendant’s legitimate expectations by using information

present in files from 2014 to 2016, while the DPA’s predecessor, the CPVP

had closed these files.

87. First, with regard to the question of the General Secretariat’s jurisdiction, the

Litigation Chamber refers to section II.3.3 above, in which no illegality

is established. Furthermore, the Litigation Chamber notes a reading error on the part of the
defendant. The General Secretariat did not assist the Management Committee on the basis of

Article 63.1° of the LCA, but rather on the basis of Article 20§1,1° of the LCA, as it clearly emerges

from the documents in the file.

14 Judgment of the Court of Markets, dated 22 February 2023, No. 2022/AR/253, available at the following link:

https://www.autoriteprotectiondonnees.be/publications/arret-du-22-fevrier-2023-de-la-cour-des-marches-ar-953.pdf

88. The Litigation Chamber recalls that, by virtue of the powers conferred on the Management Committee, it is up to it to ask the Inspection Service to open an investigation if serious evidence reveals the existence of practices that could give rise to a violation of the fundamental principles of data protection (Article 63.1° of the LCA). As recalled by the Markets Court, this is a discretionary power of the APD.¹⁵

89. The elements covered by the report comply with the letter of the LCA, insofar as the object of the monitoring or surveillance is precisely the impact or incidence on the

protection of personal data, as required by Articles 10 and 20§1, 1° of the LCA.

The elements retained by the General Secretariat were indeed focused on such an object:

a) Article 10 of the LCA concerns technological areas that have

an “impact on the protection of personal data”

b) Article 20§1, 1° of the LCA requires the monitoring of technological

developments having an “impact on the protection of personal data”

90. A report on a technology having an impact or incidence on the protection of

personal data, may reveal serious indications of the existence of a practice

likely to give rise to an infringement of the fundamental principles of the protection of

personal data (Article 63.1 of the LCA).

91. Secondly, concerning the motivation by reference, the Litigation Chamber recalls that

the Council of State accepts the motivation by reference, provided that the document to which reference is made is part of the

file. This is the case here since document number 6, which constitutes the opinion of the General Secretariat (“DIRCO Report – Preliminary

Information Letter – Freedelity”), is annexed to the decision of the Management Committee and has always been

part of the file. The decision of the Management Committee is formulated as follows:

“The conclusions of the attached annex contain indications of non-compliance with the

following principles: obtaining consent, profiling and sharing of data,

minimisation of data, retention period and recipients of data”

(free translation).

15 Judgment of the Market Court of 22 February 2023, No. 2023/1527, p. 40, available at the following link:
https://www.autoriteprotectiondonnees.be/publications/arret-du-22-fevrier-2023-de-la-cour-des-marches-ar-953.pdf.
16 Decision of the Council of State of 7 May 2013, No. 223.440
17 Extract from the minutes of the Management Committee of 6 December 2019. Exhibit 7 of the file. Original version: "The extensive statements in
bijlage gevoegd bevatten aanwijzingen betreffende do not comply with the following principles: as per

92. The decision of the Management Committee therefore justifies its decision by referring to the note
provided to it, and relies on it to identify serious indications of

breaches of the following principles:

- obtaining consent,

- profiling and sharing of data,

- minimisation of data,

- retention period,

- and recipients of the data.

93. Thirdly, with regard to the defendant’s argument that the consultation and

use of the information in the files opened within the CPVP, the predecessor of the

APD, violated the principle of legitimate expectations, the Litigation Chamber recalls that, like any public

authority, it is subject to the duty of thoroughness which requires it to “conduct a meticulous

research into the facts, to gather the information necessary for decision-making and to take into account

all the elements of the file in order to make its decision in full knowledge of the

facts and after having reasonably assessed all the elements useful for resolving the

specific case”.¹⁸

94. This duty requires the APD, when it wishes to make a decision concerning

an individual, to check whether and to what extent files have already been opened

against that individual. This research is also essential in order to be able to

ensure compliance with the principle of non bis in idem. The Litigation Chamber

therefore considers that the General Secretariat was perfectly entitled to consult all

the files concerning the defendant, including the closed files, to enable

the Management Committee to make an informed decision.

95. The Litigation Chamber recalls that, according to the Council of State, the principle of

legitimate trust, "means that the person administered must be able to count on a clear and

well-defined line of conduct from the authority or, in principle, on promises made to him by

the authority in a specific case. The violation of the general principle of legitimate

trust requires three conditions, namely an error by the administration, a legitimate

expectation raised following this error and the absence of a reason to go back on this

recognition. This principle cannot be invoked on the basis of acts emanating from an

authority distinct from that which adopted the contested act."





of toestemming, profiling in delen van gegevens, gegevensminimalisatie, bewaartermijn en ontvangers van de
gegevens."

18 Judgment of the Council of State, of December 6, 2021, No. 252.324, p. 13.
19 Judgment of the Council of State of 8 May 2024, No. 259.704.

96. The Litigation Chamber notes that in its analysis, the General Secretariat

found five indications of non-compliance. Two of these indications (indications 3 and 5) are based

solely on the responses provided by the defendant in its letter of 9 October 2019.

These indicators are not based on elements of older files. The three other

indicators of non-compliance are based on a comparison between the elements contained

in a letter from the defendant to the CPVP dated 26 November 2015 and the

response of 9 October 2019. The General Secretariat noted in these three instances a

change in the defendant's practice which, according to it, could

constitute a breach of the principles of personal data protection. The General

Secretariat had to carry out this verification to allow the Management Committee to

"monitor developments", as explained previously, and decide to refer the

matter to the Inspection Service.

97. Thus, in its analysis, the General Secretariat claims that between 2015 and 2019, the duration of
data retention by the defendant increased from 5 to 8 years. It also writes

that the defendant would now carry out profiling based on the data collected,

which it had indicated that it did not do before.

98. For the Litigation Chamber, the General Secretariat's analysis does not reveal

any change in the position of the APD or an erroneous interpretation on its part. It therefore has

no impact on the procedure. Indeed, it emerges from the Chamber's analysis that

when the General Secretariat uses information from past cases, it is to compare

them with the current practices that the defendant has informed it of. This

comparison allowed the Management Committee to ensure its follow-up (Article 10 of the LCA).

99. For the Litigation Chamber, even if the CPVP had authorised the processing in question

by the defendant, quod non, the principle of legitimate expectation does not mean that in the face of
new facts and changes in practices, the public authority must maintain a

line of conduct that it would have expressed in the past on facts that were

significantly different. The defendant is therefore wrong to invoke a violation of the

principle of legitimate expectation.

100. In view of the foregoing, the Litigation Chamber concludes that the decision of the
Management Committee complies with the requirements of Article 63.1 of the LCA.

II.3.5. Referral to the Inspection Service by the Management Committee (validity of the minutes)

101. First, the defendant explains that the versions of the minutes sent to it

do not allow it to be established whether the President of the Litigation Division, who abstained

during the Management Committee’s vote on this point, participated in the discussion. In addition, it

considers that it has not been demonstrated that the majority of the members of the

Management Committee were present, nor that a majority of the members voted in favour under

Article 3 of the ROI. Finally, the defendant considers that there are doubts that a record of the

Management Committee’s decision was drawn up and signed by the President of the

Management Committee, which would constitute a violation of Article 16 of the LCA.

102. Secondly, the defendant also argues that since this decision was taken

in Dutch, it would be contrary to the law on the use of languages in administrative

matters, since the defendant is based in a French-speaking region.

103. Firstly, the Litigation Chamber recalls that the minutes of the

Management Committee cover many topics, including strategic decisions of the APD and

that they contain personal data. In accordance with the principle of data minimisation

(Article 5.1.c of the GDPR), and compliance with the principle of confidentiality

applying to the members of the Management Committee (Art. 48 LCA), the Litigation

Chamber does not transmit the minutes of the Management Committee in their entirety to the

parties concerned by a procedure, but only an extract of said minutes in order to

enable the parties to a procedure to assess their existence for the part that

concerns them.

104. The defendant had at the outset of the proceedings on the merits an extract from the minutes

of the Management Committee concerning the activation of Article 63.1° against it. At its

request, a broader extract was provided to it on 2 May 2023. A full version of the minutes

was provided to it on 18 July 2023 by the President of the APD.

105. The defendant was able to note from the minutes, firstly, that all the

members of the Management Committee were present at the meeting of the Management

Committee, but that the President of the Litigation Chamber recused himself for this item on the agenda,

secondly, that no objection from any of the members of the Management

Committee was noted, thirdly, that the minutes were indeed signed by the President of the

Management Committee, and fourthly, that the Management Committee decided to refer the

Inspection Service on the basis of Article 63.1° of the LCA. The conditions of Articles 15 and

16 of the LCA are therefore met. The defendant’s argument contesting

the existence of a report and compliance with its formalism is therefore unfounded.

106. With regard to the complaint concerning the bias of the members, the Litigation Chamber

refers to its examination in section II.4.1 below.

107. Therefore, neither the validity of the minutes of the Management Committee nor the participation of the
directors can be called into question. The procedure complied with the legal

requirements, and no evidence of bias has been provided.

108. Secondly, in a judgment of 7 July 2021,²¹ the Market Court recalled that the APD

must be considered a central service within the meaning of the Act on the use of languages in

administrative matters and that as such, it must comply with Articles 40 et seq. of that

Act.

109. However, the decision to refer the matter to the Inspection Service by the Management Committee does not constitute

communication with individuals, within the meaning of Article 41 of the Act on the Use of

Languages in Administrative Matters, but rather internal communication; the use of

French by the Management Committee was therefore not required.

110. The referral to the Inspection Service by the minutes of the Management

Committee is therefore valid and complies with the requirements of Articles 15 and 16 of the

LCA, as well as Article 3 of the ROI.

II.3.6. Procedure before the Inspection Service

111. The defendant argues that the file reference used by the APD has been the same

since the first letter sent by the General Secretariat, which tends to prove that there was a

well-established “pre-inspection” procedure within the APD. It adds that the Inspection Service

has taken up the exchanges between the General Secretariat and Freedelity

under the name “Surveillance of the General Secretariat”. The defendant also considers

that there is no evidence of the taking of an oath by an inspector who worked on the

case (“inspector concerned”), even though the latter contributed to the investigation.

112. The Litigation Chamber notes that the defendant draws no conclusions from the first two

arguments mentioned and linked to the reference and title of the case. Insofar as

necessary, it refers in this regard to the previous developments on this point (see

paragraph 82).

113. With regard to the taking of an oath, at the defendant’s request, the Litigation

Chamber provided it with a document on 2 May 2023, the subject of which is “designation of

inspectors of the inspection service”. This document signed by the Inspector General and the

Director of the General Secretariat is dated June 25, 2019. It states that "Only the names

of the agents of the Data Protection Authority below who took the oath

on November 19, 2018 retain the status of inspector of the inspection service." This is followed

by a list of agents whose names have been redacted by the Litigation Chamber for

reasons of privacy, with the exception of the name of the inspector concerned which appears in the

list.

114. For the Litigation Chamber, this document demonstrates that the inspector concerned took the

oath on 19 November 2018 and that on 25 June 2019, the APD considered that he retained

the status of inspector of the inspection service. At the date of the referral to the Inspection Service

by the Management Committee on 6 December 2019, the inspector concerned had indeed taken the

oath and was still an inspector.

21 Judgment of the Market Court of 7 July 2021, No. 2021/AR/320 available at the following link:

https://www.autoriteprotectiondonnees.be/publications/arret-du-7-juillet-2021-de-la-cour-des-marches-ar-320-disponible-en-neerlandais.pdf

115. The Litigation Chamber also recalls that this type of request is not based on

any legal basis. Indeed, the law provides that inspectors take an oath (Article 30

§1 of the LCA), which must be considered as an established fact, except in cases of serious doubt

which must be proven by the defendant. The defendant cannot therefore rely on any legal basis to demand the transmission of these documents.

116. The Litigation Chamber concludes that the procedure before the Inspection Service

is not flawed.

II.3.7. Referral to the Litigation Chamber by the Inspection Service

117. The defendant argues that the matter could not have been validly referred to the Litigation Chamber

given that it had not been validly referred to the Inspection Service itself.

118. The Litigation Chamber did not find any irregularity in the referral to the

Inspection Service. Consequently, it considers that the matter was legally referred to it on the basis of Article 92.3°

of the LCA.

119. The referral to the Litigation Chamber was made legally on the basis of Article
92.3° of the LCA.

II.4. Procedure: respect for the rights of the defence

II.4.1. Impartiality of the members of the Management Committee and of the Committee itself

120. The grievances raised by the defendant must be distinguished according to whether they concern the

members of the Management Committee or the Management Committee itself.

II.4.1.1. The President of the Litigation Chamber

Position of the defendant

121. As a preliminary matter, and as stated in Section II.2, the defendant requests the President

of the Litigation Chamber to withdraw on the grounds of the legitimate doubts that exist

regarding his impartiality. In the absence of a specific procedure established by the

LCA, the defendant argues that Article 828, 1° of the Judicial Code should apply by analogy.

122. According to the defendant, the possibility of requesting the recusal of a judge is an integral part

of Article 6 of the European Convention on Human Rights and Article 47 of the Charter of Fundamental Rights of the European Union. These same guarantees

of independence and impartiality are contained in Article 52 of the GDPR, which has been transposed

into Belgian law by Article 36 of the LCA.

123. In the event that the Litigation Chamber considers that the absence of an explicit

provision in the law would mean that recusal is not possible, the defendant

requests that a preliminary question be submitted to the Constitutional Court.

124. It considers that this bias or appearance of bias arises from the following elements:

a) First, the President of the Litigation Chamber was aware of

several documents concerning Freedelity that led to the decision of the

Management Committee of 6 December 2019 and that despite his disqualification

during the examination of this point, it is impossible to know what his role was at this

meeting.

b) Second, the President of the General Secretariat was allegedly dismissed from his

mandate, in particular due to “pre-inspection” procedures such as those carried

out in this case. However, the President of the Litigation Chamber testified

before the Justice Commission on the occasion of the lifting of the mandate of the

President of the APD before the House of Representatives and also constituted himself

an intervener in the appeal for extremely urgent suspension brought by the

President of the APD before the Council of State against the decision to lift the

mandate.

He himself filed an appeal for suspension of the decision to lift the mandate

before the Council of State. For the defendant, the president of the Litigation

Chamber would defend the conduct of the president of the APD which was allegedly the

cause of his lifting of his mandate.

c) Thirdly, the president of the Litigation Chamber could not refuse access

to the request made by the defendant to access the decision to lift the

mandate of the president of the APD on the grounds that he did not have this document, since

he intervened in various proceedings before the Council of State on the subject

of this decision and therefore necessarily had access to it.

d) Fourthly, the fact that the president of the Litigation Chamber refused to

provide certain documents requested by the defendant and that he took a position

on the competence of the CADA with regard to requests for access

concerning documents held by the APD.

e) Fifth, the defendant also considers that being a creditor is

a ground for challenge, which would be the case for the President of the Litigation Chamber

in this case since in the context of the challenge proceedings brought by

Freedelity before the Market Court, the President requested and obtained

a procedural indemnity, the payment of which he has not yet demanded.

Review by the Litigation Chamber

125. As a preliminary point, the Litigation Chamber does not dispute that the principle of impartiality applies to administrative authorities. It should be stressed, however, that the principle of impartiality “must be reconciled with the structure of the active administration”,22 as described below, in paragraph 127.

126. The Litigation Chamber of the APD is chaired by Mr Hijmans. The proper functioning of

the Litigation Chamber and the APD requires that the president be available, and be able

to sit during decisions on the merits (Articles 33§1 and 92 to 107 of the LCA), as well as within the

Management Committee, as is apparent from the dual competence of the directors of the

organs of the APD established by Article 12 of the LCA.

127. According to consistent case law of the Council of State:

“the general principle of impartiality must be applied to all organs of the active administration.

It is sufficient that an appearance of bias could have raised legitimate doubts in the applicant

as to the ability to approach his case with complete impartiality. However, this principle

only applies to the extent that it is compatible with the specific nature, and in particular

with the structure of the active administration. Furthermore, the impartiality of a collegiate body

can only be called into question if, on the one hand, specific facts which raise suspicions of bias

on one or more members of that college can be legally established and

on the other hand, it is clear from the circumstances that the bias of that

member or members could have influenced the entire college. It is up to the person alleging that the authority did not act

with independence, impartiality and thoroughness to provide proof of this.” 23

128. It is therefore up to the party invoking the breach of the principle of impartiality to

demonstrate the existence of specific facts from which it should be concluded that the

principle of impartiality has been breached. If the facts concern a member of a collegiate body, it

is appropriate for the party invoking the breach of the principle of impartiality to demonstrate

that the facts it identifies are likely to have affected the impartiality not only

of their author, but also of at least a majority of the members of the collegiate body

in question.24

- The bias of the President of the Litigation Chamber as a member either of the Management Committee or of the Litigation Chamber sitting with three members.

129. First, the criticism concerns the fact that the President of the Litigation Chamber had received documents concerning the defendant prior to the meeting of the Management Committee of 6 December 2019. The defendant has not demonstrated why the fact of receiving these documents would demonstrate indications of bias on the part of the President of the Litigation Chamber, especially since the latter did not, at any time, react to these documents and recused himself during the discussion on this point, as proven by the minutes of the meeting. It is also not demonstrated how this bias, if it were demonstrated, could have influenced the other members of the Management Committee.

22 C.E., 25 April 2023, 256.341, Di Livio.
23 C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684, XXX.
24 See in particular Cour des marchés, 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf

130. Secondly, the Litigation Chamber considers that the impartiality of the President of the Litigation Chamber cannot be called into question by the fact that he filed in his own name an appeal to suspend the decision to lift the mandate of the President of the APD, since this appeal was filed because he considered that this decision posed a risk to his personal independence as President of the Litigation Chamber.25 Furthermore, the President of the APD did not conduct any “pre-inspections” in the present case (see section II.3.2 of the decision) and the defendant puts forward elements without proof of what it claims, or any explanation allowing the Litigation Chamber to follow its reasoning.

- The bias of the President of the Litigation Chamber sitting alone

131. Third, the fact that the President of the Litigation Chamber responded to the

defendant that the APD does not have the decision to lift the mandate of the President of

the APD is a factual observation that does not reveal any bias. This assertion was

further corroborated by the President of the APD in her letter dated 18 July 2023.

132. The fact that the President of the Litigation Chamber could have had knowledge of this

document is irrelevant since this took place in the context of his

private activities, since he was appearing before the Council of State

"on his own initiative, without being

authorised to do so by the data protection authority" (free

translation). It cannot be reasonably argued that the request for access to

documents that the defendant made to the APD would also extend to

documents that could be held by the directors outside their function within the

APD.

133. The Litigation Chamber also emphasises that access to this document was also refused by the House of Representatives when the defendant requested access. In its order of 12 February 2024, the Interim Relief Chamber of the Court of First Instance also dismissed the defendant’s request for production of this document.

134. Fourthly, the fact that the President of the Litigation Chamber granted access to certain documents and not to others requested by the applicant does not mean that he thereby lacked impartiality. The President of the Litigation Chamber is required to take a number of actions in the context of the organisation of the procedure, actions that he considers legitimate and that do not prejudge his personal assessment of the merits of the case.

25 C.E. No. 256,827 of 19 June 2023, § 8.
26 C.E. of 17 August 2022, No. 254,326. Original version: “on its own title, without prejudice to the Gegevensbeschermingsautoriteit”.

135. Moreover, the bias of the President of the Litigation Chamber is not

demonstrated by the response to the request for production of documents made by the

defendant on the basis of the law of 11 April 1994 relating to the publicity of the

administration. Indeed, in its response, the Litigation Chamber states that the APD does not consider

itself currently subject to the law of 11 April 1994 relating to the publicity of the

administration.

This position does not demonstrate the bias of the President of the Litigation Chamber, since it concerns the position of the Management Committee as a whole and the CADA itself shared this position in the past.

136. In this regard, the case-law of the European Court of Human Rights teaches that

a problem linked to a lack of judicial impartiality does not arise when the judge has

already rendered formal and procedural decisions at other stages of the proceedings. On the other hand,

this problem may arise if, at other stages of the proceedings, the judge has already ruled

on the guilt of the accused.

137. However, in the present case, what the President of the Litigation Chamber is criticised for does not imply any position whatsoever on his part as to the merits of the case and, in particular, as to the conduct or responsibility of the applicant.

138. This teaching of the European Court of Human Rights concerns judges; it applies

even more so with regard to members of an administrative college.

139. Fifth, the President of the Litigation Chamber is not acting in his

personal capacity in this case. The procedural compensation in question was requested in the

context of the exercise of his functions within the APD, that is to say, as President of

the Litigation Chamber; he has no personal or financial interest in this claim.

140. The lack of impartiality of the President of the Litigation Chamber has therefore not

been demonstrated. No valid reason can justify his removal from the present case.

II.4.1.2. The Director of the Knowledge Centre

27 See in particular CADA, opinion 2018-14, available at: https://www.ibz.rrn.fgov.be/fileadmin/user_upload/fr/com/publicite/avis/2018/ADVIES-2018-14.pdf
28 European Court of Human Rights (ECHR), George-Laviniu Ghiurău v. Romania, 16/06/2020, Application no. 15549/16, § 67.
29 Gómez de Liaño y Botella v. Spain, 22/07/2008, Application no. 21369/04, § 67-72. See also ECHR, Guide on Article 6 of the European Convention on Human Rights, Right to a fair trial – criminal aspect, https://www.echr.coe.int/documents/guide_art_6_criminal_eng.pdf.

141. The defendant claims that the then Director of the Knowledge Centre, in the context of her previous employment, had worked with Freedelity and validated their legal model. The defendant considers that these agreements were covered by professional secrecy, business secrecy and confidentiality agreements and that this information was shared with the DPA, which allegedly was complicit in the violation of this confidentiality.

142. The Litigation Chamber recalls that the members of the Management Committee are bound by the

principle of impartiality (Article 43 of the LCA), which prohibits them from being present during

a deliberation or decision on cases in which they have a personal and

direct interest. According to the doctrine, "The personal and direct interest may be of a moral

nature, in particular when one or more members of the decision-making authority have

already expressed a clear point of view or have formed a personal opinion and could not

go back on it without losing face." (free translation).

143. This principle means that no member of the Management Committee may have a personal

interest in the decision taking a certain direction (nemo iudex in causa

sua). In particular, being morally unable to revise a previous point of view

carries the risk that members of the administration, having already expressed

(publicly) their opinion, can no longer assess the case objectively. Furthermore, the

Litigation Chamber notes that the defendant does not justify how the

situation meets the definition of a conflict of interest provided for in Article 58 of the ROI.

144. In this case, the Director of the Knowledge Center has never worked

within Freedelity, and therefore was not in a situation where the demonstration of a personal and direct

interest in Freedelity, or a conflict of interest, could be inferred from her previous

position. The fact that the Director of the Knowledge Center was aware of the Freedelity

legal model and had “validated” it in the past does not demonstrate that she had a

personal and direct interest in the decisions of the Management Committee based on

Articles 10 and 63.1° of the LCA. The Director of the Knowledge Center has never expressed

any public negative opinion regarding Freedelity. At most, the Director of the

Knowledge Center has expressed a positive opinion in the context of her former

functions on Freedelity in the past. If the Director of the Knowledge Center had actually used information collected in the course of her previous duties, this could only have led to the conclusion that the Freedelity service was valid.

30 Wolters Kluwer – Tijdschrift voor Bestuurswetenschappen en Publiekrecht, “Partijdigheid en belangenconflicten bij het actief bestuur: de sluipweg van het gelijkheidsbeginsel”, Lise Van den Eynde, 2024, paragraph 4. Original version: “De This class in the well-known category is the person of subject matter. Het komt erop neer dat Iemand met een personlijk en rechtstreeks belang zich moet onthouden van deelname aan het besluitvormingsproces” and “Het personlijk en rechtstreeks belang kan van morele aard zijn, onder andere wanneer een de meer leden van de be overheid eerder al een duidelijk standpunt hebben ingenomen de een eigen mening hebben gevormd en niet zonder gezichtsverlies daarop zouden kunnen terugkomen”.
31 See above

  145. Furthermore, contrary to what Freedelity claims, there is no evidence in the case file

that the Knowledge Centre Director used confidential information or shared it with the

APD. The only statement on which Freedelity relies is the following:

“When I analysed the Freedelity offer a year ago, it constituted a clear violation of

the Privacy Regulation in several respects.” 32

146. No other sentence or information from the Knowledge Centre Director

can be found in the subsequent exchanges, opinions and documents in the case file. The

Litigation Chamber cannot therefore conclude that this was confidential information cited

by the defendant and the entire procedure is based only on information

legitimately collected by the APD.

147. The Litigation Chamber concludes that the Director of the Knowledge Centre did not

breach the principle of impartiality applicable to members of the Management Committee

(Article 43 of the LCA).

II.4.1.3. The Director of the General Secretariat (Chairman of the Management Committee)

148. First, the defendant also criticises the APD for not having forwarded to it the

decision relating to the lifting of the mandate of the President of the APD. Second, the

defendant maintains that the Director of the General Secretariat was biased because he was

the initiator of the request for information to the defendant. Third, the

defendant claims that the type of procedure followed by the Management Committee

in this case was the cause of the lifting of his mandate. It justifies itself by

supporting press articles and judgments handed down by the Council of State in cases

concerning the decision to lift the mandate.

149. First, the Litigation Chamber maintains that the APD does not have the

decision to lift the mandate of its former president.

150. Second, the Litigation Chamber recalls that situations of bias cannot arise from the normal application of the law.33 However, the law provides that the director of the General Secretariat may be in a position to chair the Management Committee (Article 13§2 of the LCA), and that the Chairman of the Management Committee is assisted in the performance of his tasks by the General Secretariat (Article 13§3 of the LCA). For the remainder, the Litigation Chamber refers to the previous developments on this point (see section II.3.2).

32 Email from the President of the Knowledge Center of August 2, 2019
33 See the decision of the Council of State of May 11, 2021, No. 250.571

151. Third, of the nine press articles provided by the defendant, only one (exhibit 28 of the defendant’s file) makes a brief reference (one sentence in a four-page article) to a possible excess of authority by the president of the APD.

The file in question concerned questions put to a school in Ghent on a possible use of biometric data. No other file is mentioned.

152. The defendant does not provide evidence that this element was actually, alone

or among others, the reason for the lifting of the mandate of the president of the APD. It also does not explain

how the finding of an excess of competence that was allegedly noted by

the House of Representatives in the case identified by the press could be transposed to

the present case or even relevant for its processing.

153. Nor does it appear from the extracts of the decisions of the Council of State that the president of the APD

had his mandate lifted for facts related to the present case, or to the procedures put

in place for the activation of Article 63.1 of the LCA. The elements emerging from the extracts

cited are in fact very general and report serious failings and incapacities that

are not specified. Furthermore, as demonstrated above, this case was

proposed to the Management Committee by a director other than the President of the APD. The sending

of the first letter to the defendant, as well as the request to open an investigation, were

decided by the Management Committee. These elements seem difficult to reconcile

with allegations of exceeding the powers of the President of the APD.

154. The Litigation Chamber concludes that none of the elements put forward by the

defendant allows it to conclude that the General Secretariat or its director

was in a situation of bias or exceeding the powers of the defendant.

II.4.1.4. The Director of the Inspection Service (the Inspector General)

155. First, the defendant claims that the Inspector General (also a member of the Management Committee) had met with Freedelity in the past when he was working for the CPVP and, secondly, had participated in the preparation of the file and decided on his own referral. It maintains that the involvement of the Inspector General at the stage of preparing the file for examination by the Management Committee impacts his own referral and the admissibility of his work.

156. Second, it also maintains that the Inspector General cannot take a position on the activation of Article 63.1 of the LCA by the Management Committee without affecting his impartiality.

157. First, regarding the arguments on the partiality of the Inspector General, the

Litigation Chamber refers to its previous developments regarding the analysis

of situations of partiality (see paragraphs 142-143) and recalls that a situation of

partiality cannot arise from the normal application of the law. The fact that the Inspector

General sits on the Management Committee during the decision-making phase of monitoring developments in

the technological field (Article 10 of the LCA) or the phase of establishing serious indications

(Article 63.1° of the LCA), is legally provided to be compatible with his function

as Inspector General (Article 12 of the LCA).

158. Furthermore, the activation of Article 63.1 of the LCA (or Article 63.6) cannot in any case be

equated with an indictment or investigation procedure as the defendant

maintains. This is a preliminary step to the opening of an investigation, which does not

entail any definitive finding and which in no way prevents the Inspection Service from

conducting its investigation impartially thereafter. As it has proven in the past, the

Inspection Service is perfectly capable of conducting an investigation concluding that there

were no violations despite the findings of serious indications by the

Management Committee.

159. The fact that a member of the Management Committee has

“met” one or more members of a company’s staff does not

put him in a position of bias towards that company on that sole basis. Bias must be concretely demonstrated, which requires highlighting

specific facts or behaviors. 35 This obviously does not depend on the fact

that he has worked on a case in the past or met a person on this occasion.

160. For the Litigation Chamber, the exchange of information within the APD is

a sine qua non condition for the proper execution of its mission to ensure compliance with data

protection. A partitioning of information between services only takes place when

it is provided for by law. This is the case of Article 64.3 of the LCA, which provides that the investigation is secret.

161. The LCA does not provide for any other restriction on the exchange of information within the APD

when this exchange is necessary for its operation. Informal exchanges between

directors when carrying out preparatory acts for the adoption of a decision are

normal and essential steps in the decision-making process. The files opened with

the SPL concerning the defendant and the information available to the Inspector

General who was involved in these files as a lawyer at the time are entirely relevant

to assess whether an investigation should be requested against the defendant. The APD would have acted negligently had it not used the information it had on the defendant to inform its decision.

34 See in particular the decision of the Litigation Chamber 77/2020, in which the Management Committee had requested the opening of an investigation by the Inspection Service. The latter found that the incriminated activity did not involve the processing of personal data. The case was therefore closed by a filing without further action.
35 See in this sense the judgment of the Market Court, 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf, p.21. What applies to collegiate bodies also applies to a member of an administrative body.

162. Indeed, if the latter could not handle cases in which he had been involved as a

lawyer before his appointment as Inspector General, this would de facto prevent the

Inspection Service from exercising its powers with regard to a large number of

data controllers. This is certainly not the intention of the House of

Representatives, which appointed the Inspector General while being fully

informed of the fact that he had been a lawyer within the CPVP. According to the

Litigation Chamber, this situation does not allow his impartiality to be called into

question.

163. Secondly, the argument that the Inspector General cannot take a position

on the activation of Article 63.1 of the LCA by the Management Committee without

affecting his impartiality is no more convincing to the Litigation Chamber. Indeed, the Management Committee

is not the only one that can request an investigation on the basis of serious evidence, since

Article 63.6° of the LCA provides that the Inspection Service may, on its own initiative,

open an investigation if there are serious indications of an offence. If the law provides that the

Inspection Service, and therefore the Inspector General, can decide alone that there are

serious indications of an offence, it can logically decide this collegially within the framework of the

Management Committee, without this affecting its impartiality in conducting the investigation.

164. The LCA also provides for a clear distinction between the investigative power, which is

devoted to the Inspection Service, and the sanctioning power, which is the prerogative of the

Litigation Chamber.

165. In this case, the Litigation Chamber concludes that no evidence of bias has been

demonstrated on the part of the Inspector General, who merely carried out

the tasks assigned to him under the LCA.

II.4.1.5. The Management Committee

166. The defendant argues that since the majority of the members of the

Management Committee were in a position of bias, the Management Committee was itself biased.

167. As already recalled by the Litigation Chamber on numerous occasions in this decision, in accordance with the consistent case law of the Council of State, criticism of bias cannot be based on a situation arising from the normal application of the law.36

168. Furthermore, "the impartiality of a collegiate body can only be called into question if, on the one hand, specific facts which raise suspicions of bias on the part of one or more members of that college can be legally established and, on the other hand, it is clear from the circumstances that the bias of that or those members could have influenced the entire college. It is up to the person alleging that the authority did not act with independence, impartiality and thoroughness to provide proof of this." 37

36 Decision of the Council of State of 11 May 2021, No. 250.571

169. The Market Court specifies that the alleged bias of a collegiate body must be concretely demonstrated, which requires highlighting specific facts or behaviors that concern this body, therefore committed by its members.38

170. The Management Committee is composed of the directors of the APD (Article 12 LCA). Each

director ensures the management of a body, as is apparent from the powers established by the

LCA. The Management Committee is competent to refer the matter to the Inspection Service in the event

of finding serious evidence of the existence of a practice likely to violate the

fundamental principles of the protection of personal data (Article 63.1° of the

LCA).

171. For the Litigation Chamber, the defendant must therefore demonstrate for each of the

members of the Management Committee against whom it makes this reproach, that on the one hand, he

showed bias, and that on the other hand, he was able to influence the other members of the college. The

Litigation Chamber adds, moreover, that the fact that a member of the Management Committee allegedly showed a lack of impartiality – quod non in the present case – is not sufficient in itself to invalidate a decision of the Management Committee. 39

172. However, as explained in sections II.4.1.1, II.4.1.2, II.4.1.3 and II.4.1.4, the bias of the

members has not been demonstrated. Furthermore, even if the bias of a member of the

Management Committee were demonstrated, this is not such as to taint the decisions

taken by the Management Committee, which are valid on condition that the “majority”

of the members were present (Article 15 of the LCA).

173. Therefore, neither the bias of the members of the Management

Committee nor that of the Management Committee itself has been demonstrated. The Litigation

Chamber concludes that the arguments of the defence on the issue of bias are not valid.

II.4.2. Processing within a reasonable time and adequate time to prepare its defence

174. The defendant argues that the proceedings lasted almost five years after the first disputed letter, which exceeds the reasonable time, and that it did not have the opportunity to properly defend itself. It accuses the APD of deliberately soliciting written contributions from the defendant during periods of leave. It cites in particular a judgment of the Brussels Court of Appeal which provides that a file which had experienced a period of inertia of two years exceeded the reasonable time limit.

37 C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684.
38 Judgment of the Market Court of 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf.
39 Judgment of the Market Court of 7 December 2022, 2022/AR/556, available from the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-7-decembre-2022-de-la-cour-des-marches-ar-556.pdf.

175. The defendant invokes unreferenced case law to argue that the rights of

the defence from the perspective of the useful time limit and the right to a reasonable time limit apply to the APD.

176. The Litigation Chamber confirms that it is indeed subject to respect for the rights of

the defence, including the right to a reasonable time, protected by Article 48 of the

Charter of Fundamental Rights of the European Union and

Article 6 of the European Convention on Human Rights.

177. Concerning the reasonable time, the defendant mentions a judgment of the

Brussels Court of Appeal in which it allegedly found that the reasonable time had been exceeded in

a case that had experienced a period of inertia of two years. This judgment is not provided to the

Litigation Chamber. It cannot therefore take it into account.

178. The Litigation Chamber recalls that, according to the case law of the Council of

State, "the principle of a reasonable time, which is derived from the general

principles of good administration and legal certainty, is capable of being applied to all

administrative decisions. The reasonable period within which any administrative authority

must ensure that it takes a decision only begins to run from the moment it is

able to do so. The assessment of whether or not the duration of a procedure is

reasonable is a question of the individual case which depends, in particular, on the

circumstances of the case, and more particularly on the respective

conduct of the authority and the person concerned." 40

179. The Inspection Service sent letters containing questions to the

defendant in June and October 2020. It subsequently carried out technical

findings and asked Freedelity new questions in October 2021. It carried out new

technical findings between December 2021 and February 2022. In April 2022, it sent its report to the

Litigation Chamber.

180. The Litigation Chamber considers that an investigation that lasted approximately two years does not exceed

the reasonable period since numerous investigative acts were carried out during

these two years, which is the case here. Furthermore, in the present case, the

Litigation Chamber does not note any period of inertia that would be close to two years.

181. For its part, the Litigation Chamber notified the defendant of its intention to deal with the case on the merits in July 2022, three months after it was referred to it. The period between this decision to deal with the case on the merits and the adoption of the present decision was marked successively by requests for the production of documents, by a request to the CADA,41 by an application for recusal followed by proceedings before the Market Court and a summons for interim relief, by requests for postponement of the hearing, and by multiple requests for a stay of proceedings, in particular pending the publication of a judgment of the Court of Justice of the European Union, requests which were all made by the defendant. In view of these very numerous procedures, which led to several postponements of the hearing, it cannot be reasonably argued that the case was the subject of an abnormally long period of inertia or that the Litigation Chamber was able to adopt a decision more quickly.

40 Judgment of the Council of State, 13 September 2022, no. 254.469, p. 16.
41 See exhibit 94 of the file

182. As regards the right to a time limit for the defence, the Market Court ruled in a

judgment of 12 June 2019 that "The establishment of a timetable for submissions where each

party has approximately one month and where the defendant is granted the final deadline is

consistent with the rules on the rights of the defence." (free translation) 44

183. The Litigation Chamber notes that during the investigation by the Inspection Service, the

defendant always had a response period of at least 30 calendar days and

a maximum of 45 days, which is consistent with the case law of the Market Court. The

Litigation Chamber cannot therefore conclude that there was a violation of the right to a time limit for the

defence at the investigation stage.

184. As regards the time limits granted to the defendant during the proceedings on the merits, the

Litigation Chamber recalls that these are identical in all the cases it

deals with on the merits and that they are extended by two weeks during the

months of July and August. The defendant therefore had a period of 8 weeks, which is

identical to that which would have been granted to any other defendant in

proceedings based on an investigation report. This period was subsequently

extended by three weeks at the request of the defendant. It was again

extended by two weeks at its request, bringing the total to 13 weeks.

185. When additional documents were provided to the defendant following its

requests, it was given a period of two weeks 45 to adapt its conclusions (period

extended by one week at its request). The defendant cannot therefore reasonably

maintain that the time limits granted to it by the Litigation Chamber, and which were

42 See Exhibit 94 of the case file
43 See in particular Exhibits 87 and 136 of the case file, and the following pages of the defendant's additional submissions: (i) page 163, "The Litigation Chamber must stay its decision on this point pending the outcome of case C-154/21 pending before the Court of Justice".
44 Judgment of the Market Court of June 12, 2019, No. 2019/AR/741, available at the following link: https://www.autoriteprotectiondonnees.be/publications/arret-du-12-juin-2019-de-la-cour-des-marches-available-en-Dutch.pdf, p. 11. Original version: “Het opstellen van een conclusiekalender waarbij elke partij over ongeveer één maand beschikt en waarbij de verwerende partij de laatste termijn verkrijgt is conform aan de regels van de rechten van verdediging”.
45 The Litigation Chamber notes in this regard that when the Interim Relief Chamber of the Court of First Instance of Brussels ordered the APD to provide additional documents to the defendant, it also considered that a period of 15 days was sufficient for the defendant to be able to conclude on the documents (a period which was granted to the defendant by the APD).

extended through its own doing on multiple occasions, did not allow it to have a useful period

to prepare its defense.

186. The Litigation Chamber concludes that the reasonable time limit has not been exceeded

in this case, and that there has been no failure concerning the right to a useful time limit.

II.4.3. The principle of adversarial proceedings

187. The defendant considers that by repeatedly and constantly refusing to provide

certain documents that it requested, the APD has violated the principle of adversarial proceedings and the

rights of the defence. The defendant considers that the APD has repeatedly refused to provide

decisive elements in the file and in its defence.

188. The Litigation Chamber recalls that the LCA does not define the composition of the administrative

file. This is composed of all the official decisions and documents related to a

case (decisions of the SPL, investigation report of the SI, decisions of the CC, etc.). The Litigation Chamber

forwarded the entire administrative file to Freedelity when the

latter requested it to do so.

189. The defendant subsequently demanded the production of internal documents from the APD that are
not traditionally present in an administrative file. The defendant's requests have varied on numerous occasions and have been made on

varying grounds.

190. On 2 May 2023, the Litigation Chamber transmitted to Freedelity all the

additional documents that it requested, to the extent that the APD had these.

191. On 18 July 2023, APD again sent Freedelity certain documents following

the CADA's opinion, namely the agenda of the meeting of the Management Committee of the APD of 6

December 2019 as well as a more complete version of the minutes of the same

meeting.

192. It was only on 22 December 2023, by a first summary summons, that Freedelity

requested (from the Court) access wider than that previously requested and obtained.

193. The APD responded to this new request by sending Freedelity the most recent documents in the administrative file; these documents were all already known to Freedelity, since they were correspondence between Freedelity and the APD.

194. The APD again sent additional documents to Freedelity on its own initiative on 12 January 2024, which it considered could be relevant in the framework of the criticism that Freedelity intended to formulate concerning the way in which the APD was seized of the case concerning it.

46 The Litigation Chamber recalls in this regard that the opinions of the CADA are not binding at all. See C.E., 15 November 2002, 111.522, Poncin.

195. Then, in the context of the interim relief proceedings, Freedelity and the APD agreed that

the APD would provide certain additional documents.

196. Finally, following the order of the Interim Relief Chamber, the APD provided additional

documents, including preparatory documents, such as internal

communications between APD employees.

197. It is clear from the chronological description above that the APD has, on several

occasions and voluntarily, provided additional documents to the defendant. It also
complied with the order of the Chamber of Interim Relief when it required it to

provide certain additional documents.

198. The fact that a party to a case requests the production of additional documents

to the administrative case file does not mean that the Litigation Chamber is obliged to follow it up without being able to contest the need for such production.

199. The fact that the APD contested, for certain documents, the need to produce them cannot

result in a violation of the principle of adversarial proceedings and the right of defence. It is

moreover right that the APD opposed the production of certain documents,
since both the CADA and the Chamber of Interim Relief refused Freedelity access to certain

documents. In addition, all the exhibits could have been the subject of an adversarial debate, in particular

during the hearing.

200. As regards more specifically the decision to lift the request of the former president

of the APD, the Litigation Chamber refers to the developments above (see

paragraphs 130-133 and section II.4.1.3).

201. Furthermore, the Litigation Chamber notes that the defendant was ultimately able to obtain

all the documents necessary for its defence, since it was able to exhaustively

formulate the grievances it wished to make concerning the legality of the procedure.

202. The Litigation Chamber cannot find a violation of the principles of

adversarial proceedings and the right of defense in this case.

II.4.4. Violations of the principles of good administration

203. The defendant considers that the duty of "fair play", the duty of "solicitude" and the duty

of motivation were not respected by the APD, without giving further details concerning
these complaints.

204. The Litigation Chamber notes that the defendant does not explain what it means

by "duty of fair play" and "solicitude", does not cite its sources, and does not explain

why the duty of motivation was not respected by the APD.

205. With regard to the duties of “fair play” and “care”, the defendant’s complaints are

formulated as follows: “The Authority is seriously failing in its duty of fair play and

care, which constitute principles of good administration in their own right." The

Litigation Chamber can only note the absence of factual arguments which

should corroborate the lack of respect for such duties.

206. The Litigation Chamber cannot therefore respond to these arguments, and refers, as far as necessary, to its considerations concerning the principle of adversarial proceedings and

access to files above (see section II.4.3).

207. The Litigation Chamber considers that the principles of good administration have been
respected.

II.5. On the merits

II.5.1. On the processing operations in question, the responsibility for the processing operations and the legal bases

1. On the processing operations in question

208. Article 4, 2) of the GDPR defines processing as “any operation or set of operations

whether or not performed using automated processes and applied to

personal data or sets of data, such as the collection,

recording, organization, structuring, storage, adaptation or

modification, extraction, consultation, use, communication by transmission,

diffusion or any other form of making available, the approximation or interconnection,

limitation, erasure or destruction”.

209. In this case, the Litigation Chamber notes, on the basis of the information provided by

Freedelity to the Inspection Service, that the following data processing operations are

implemented:

210. Firstly, the collection of personal data 47:

a) directly provided by customers through the reading of the eID card. The reading of

the eID card can be carried out, in particular via eID readers, via a terminal

installed at Freedelity customers' premises, or via any other type of terminal. For

people who do not have a Belgian eID card or who do not want to make use of it, the

same data may be entered manually into the screen of a terminal

or via the partner's website by the person concerned or the staff of

Freedelity's customers, based on the information provided by the person

concerned.

47 See page 24 of the additional submissions

b) by Freedelity:

- via its MyFreedelity platform or application, including cookies embedded in

emails and other digital interfaces, or

- by recording the data communicated by the person concerned as part of

their voluntary registration in the Freedelity file.

211. In its responses to the questions from the Inspection Service 48, Freedelity indicates that the

data is largely collected through Freedelity terminals 49; to

a lesser extent, the data is collected through a seller

authorized by the Freedelity customer, and very rarely, the data is collected through

the filling of an online form.

212. Secondly, the pooling of personal data 50 consists of sharing and

automatically updating the information of a common consumer between

several brands that have subscribed to the Custocentrix service, with which

he has a relationship, while guaranteeing that those who already have his data

can access these updates if the consumer's personal data has changed. To understand

this processing, it is essential to remember that most of the electronic data

contained in the identity card are updated in the event of a change. Thus, as the defendant recalls in its submissions, if a brand A has more recent information on a consumer

in common with a brand B, then pooling allows for the transfer of this up-to-date data to brand B. Only companies that already have

a commercial relationship with the consumer (i.e. they have, prior to granting the card, this consumer in their database) can access the

updated data via this pooling.

213. The Litigation Chamber considers that the collection and pooling processes are

inextricably linked, insofar as the purpose of collecting data from the

electronic identity card is to allow the Freedelity file to be populated, which

is presented as a precise and constantly updated database. Indeed,

as Freedelity points out 52, "Saving in the Freedelity file does not entail

any particular purposes other than those related to the management of the Freedelity file. It is

one and the same processing. These data flows reach us through

48 See page 11 of the responses provided by Freedelity to the Inspection Service on 29 October 2020.
49 Freedelity only collects information contained in the eID card through the terminals and readers distributed through it (see page 14 of the responses provided by Freedelity to the Inspection Service on 29 October 2020).
50 See page 14 of the defendant’s additional submissions.
51 For example, Belgian citizens have eight days to declare their new address to the population service of the municipality into which they are moving. This new address is recorded by the municipality in their electronic identity card, even if this data does not appear on the official (physical) document.
52 See page 3 of the responses provided by Freedelity to the Inspection Service on 29 October 2020.

different methods of data collection and consents as described

above”. These will be examined jointly in the following sections.

214. The Litigation Chamber notes that the defendant does not contest implementing

the processing described in the preceding paragraphs.

2. On the responsibility for processing

215. A controller is defined as "the natural or legal person, public

authority, agency or other body which, alone or jointly with

others, determines the purposes and means of processing" (Article 4.7 of the

GDPR) (emphasis added). This is an autonomous concept specific to

data protection regulation, which must be assessed according to the criteria it

establishes: determining the "purposes" and "means" of processing involves

deciding the "why" (the reason or objective of the

processing) and the "how" (the way in which this objective will be

achieved).

216. In some cases, responsibility is considered joint. For there to be

joint responsibility for data processing, it is necessary that two or more

entities participate together in determining the purposes and means of

processing. This participation may be manifested by a joint decision or by convergent

decisions that complement each other and are essential to the performance of the

processing. A key criterion is that the processing could not be carried out without the

contribution of each party, which means that the processing operations are inseparable and

inextricably linked.

217. The Litigation Chamber recalls that in the event of joint responsibility, Article 26 of the

GDPR requires joint controllers to ensure, by means of a contract,

that they mutually comply with the GDPR.

218. According to the EDPB Guidelines on the concepts of controller and processor, “Joint participation may take the form of a joint decision

taken by two or more entities or result from converging decisions adopted by two or more entities, where the decisions complement each other and are necessary for

the processing to be carried out in such a way that they have a concrete effect on determining the purposes

and means of the processing. An important criterion is that the processing would not be possible without the participation of both parties in the sense that the processing by

each party is inseparable from that of the other, i.e. inextricably linked.

53 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (v. 2), adopted on 7 July 2021, (hereinafter “Guidelines 07/2020”), section 35.
54 EDPB, Guidelines 07/2020, page 3.
55 EDPB, Guidelines 07/2020, page 3.

Joint participation must encompass, on the one hand, the determination of the purposes and, on the other, the determination of the means” (emphasis added).

219. The Litigation Chamber will successively analyse situations of joint participation

in the context of the determination of the purposes (a) and the determination of the means

(b).

a) Determination of the purposes

220. First, the Litigation Chamber notes that the purpose of the collection and

pooling of personal data is to feed the pooled Freedelity file

to enable unique and up-to-date identification of consumers.

221. Freedelity considers that it exclusively controls this purpose, with the

brands only intervening in the collection methods and without making a decision

regarding the final objectives of the processing. In this sense, Freedelity considers that joint

liability does not apply.

222. Contrary to what the defendant maintains, the Litigation Chamber considers that

this purpose is common to Freedelity and the brands. Indeed, this purpose is

necessary to enable Freedelity to enrich its database to attract
brands interested in reliable and up-to-date identification of their consumers. It

is also essential for brands wishing to avoid any confusion between their

consumers and thus prevent the accumulation of obsolete data.

223. The fact that these processing operations occur one after the other has no impact on the

qualification of joint controller. According to the CJEU, "the existence of
joint responsibility does not necessarily translate into equivalent

responsibility of the different operators concerned by the processing of personal

data. On the contrary, these operators may be involved at different stages of this

processing and to different degrees, such that the level of responsibility of

each of them must be assessed taking into account all the relevant

circumstances of the individual case." 56

224. In order to remove any ambiguity, the Litigation Chamber specifies that this

decision does not concern the processing purposes specific to the brands (such as

registration for consumer loyalty programs, sending digital invoices, etc.), for

which Freedelity does not have joint responsibility. It is

important not to confuse these purposes specific to the brands with the common

purpose in question, which is the collection and pooling of data to

update the Freedelity file. Confusing these different purposes, as the defendant does,

56 Judgment of the CJEU of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C-210/16, EU:C:2018:388, paragraph 43.

leads to an incorrect characterisation of the roles of the parties. Furthermore, the

Litigation Chamber also does not dispute that when a brand ceases its collaboration

with Freedelity, Freedelity remains the sole data controller for future

processing, even if the data was initially collected by the brand that

terminated its contract with Freedelity.

b) Determination of the means

225. Secondly, as regards the means, the Litigation Chamber recalls that according

to the EDPB guidelines, “It may also be the case that one of the entities concerned

provides the means of processing and makes them available for the personal data

processing activities carried out by other entities. The entity that

decides to use these means so that personal data can be processed for a

particular purpose also participates in determining the means of processing. This

scenario may occur in particular in the case of platforms, standardised

tools or other infrastructures that allow the parties to process the same personal

data and that have been created in a certain way by one of the

parties for use by other parties, who may also decide how to create them”.

226. In this case, the means of processing are also defined jointly: the collection is

carried out mainly by customers via devices provided by Freedelity and offered

by the brands (particularly via the terminals). In terms of means, Freedelity

centralises the data in a technical infrastructure that it has developed, but the

pooling is itself made possible by the continuous contributions of customers,

who regularly transfer identity data to make it possible

to update the information.

227. In addition, Freedelity explains that the content of the terminal varies between the

brands in order to take into account the multiple customer journeys and actions related to the

collection of personal data as well as the expectations of its customers regarding the

consideration of elements specific to them, in particular their identity and their graphic charters. Regarding

manual forms, Freedelity explains that forms can vary from one client

to another (i.e. the visual and text content). For some, it is even Freedelity

that does the formatting work on behalf of the client.

228. Regarding this last point, the Inspection Service requested further

clarification. Freedelity responded that: “The process is similar to that of the

57 EDPB, Guidelines 07/2020, sections 64 and 65.
58 See page 8 of Freedelity’s responses to the questions posed by the Inspection Service on 29 October 2020.
59 See page 9 of Freedelity’s responses to the questions posed by the Inspection Service on 29 October 2020.

design of the forms used in the Kiosks when the implementation of the form is entrusted to us. We do not reinvent the wheel for each customer, which explains why the underlying logic remains similar.” 60

229. In a document intended for retailers, albeit after excluding joint liability, Freedelity reveals a non-exhaustive list of cases where collaboration evidently

must take place between Freedelity and the brands, which reinforces the analysis of the
Litigation Chamber that this is a case of joint liability 61. This non-exhaustive list refers, among other things, to:

- the validation of forms and processes for collecting personal data via

terminals, cash register systems or other digital interfaces,

- the production and delivery of leaflets intended to inform consumers,

- informing consumers when collecting their consent to the

processing of their data by providing oral explanations supported by the

delivery of the explanatory information leaflet,

- the provision of alternative solutions to reading the identity card in order

to benefit from the advantages or the loyalty program,

- explicit mention of the use of Freedelity's services in the terms and privacy policy,

- validation of the robustness of the processing of data flows between customers'

applications and CustoCentrix,

- mandatory and immediate coordination in the event of a personal data

leak,

- coordination in response to requests for deletion of their data by

certain consumers,

- the implementation of IT systems ensuring the required IT security.

230. In conclusion, although the collection is mainly the responsibility of the brands, while the

pooling is carried out by Freedelity, these operations are inseparable and

inextricably linked, since the second could not happen without the first. In other

words, pooling by Freedelity is only possible through the collaboration of the

brands in the process of collecting identity data.

60 See page 15 of the responses provided by Freedelity to the additional questions posed by the Inspection Service on 29 October 2021.
61 “White Paper” by Freedelity, 2020 edition.

231. This technical infrastructure, configured by Freedelity but integrated mainly

in the customers’ environment, shows a convergence of the means of processing and

the purposes implemented to carry it out. The Litigation Chamber considers, like

the Inspection Service, that this is a case of joint liability.

232. Freedelity is joint data controller with its customers for the collection and

pooling of identity data.

3. On the legal bases of processing

233. Article 5.1.a of the GDPR requires that data be processed lawfully, fairly and

transparently, which requires in particular securing a legal basis to implement

the data processing.

234. Under Article 6.1 of the GDPR, several legal bases may be invoked by

the data controller, including consent: "processing is lawful only if, and

to the extent that, at least one of the following conditions is met:

235. a) the data subject has consented to the processing of his or her personal data

for one or more specific purposes;

236. […]".

237. The collection and sharing of personal data must take place in accordance

with applicable law, in particular Article 6, §4 of the 1991 law 62 and the GDPR. This article

of the 1991 law requires the prior obtaining of "free, specific and informed" consent

for the electronic reading of data appearing on the identity card. The CPVP

(predecessor of the APD) issued a recommendation on 25 May 2011 63 in which

it recommended: "The prior obtaining of the free, specific and informed consent

of the customer to proceed with the electronic reading of his identity card as part of a

loyalty system. An alternative to the use of his identity card must also be offered to him" (emphasis added).

238. These criteria directly echo the criteria for valid consent within the meaning of the GDPR 64

and must meet the conditions for consent of Article 6.1.a) of the GDPR, provided for in

Article 4.11) of the GDPR, and explained in the EDPB Guidelines 5/2020 on

consent within the meaning of Regulation (EU) 2016/679.

62 Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link: https://www.ejustice.just.fgov.be/img_l/pdf/1991/07/19/1991000380_F.pdf
63 CPVP, recommendation No. 03/2011 of 25 May 2011, on taking copies of identity cards, as well as their use and electronic reading, available at the following link: https://www.dataprotectionauthority.be/publications/recommandation-n-03-2011.pdf (page 7)
64 Under Article 4.11) of the GDPR, consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she accepts, by a declaration or by a clear affirmative act, that personal data concerning him/her are processed" (emphasis added).

239. These criteria ensure that each individual retains full control over the use of

his/her personal data, particularly when it comes to reading his/her electronic

identity card, for which the Belgian legislator has provided a specific regime. In France, the

National Commission for Information Technology and Civil Liberties has even considered that

an electronic identity card contains information that can be considered as "highly personal

data". 65

240. Consent ensures that this control is exercised with full knowledge of the facts,

thus allowing the person concerned to decide freely whether or not

he/she accepts that his/her data is used in this specific context. This choice must be made freely and

specifically, i.e. relate to a clearly defined purpose. In addition,

the obligation to offer an alternative to the use of the eID card is essential to ensure

that the use of this card remains an option, and not an obligation.

241. In this sense, Article 6§4 of the 1991 law protects citizens by ensuring that the processing

of their identity data takes place in a transparent framework, respectful of their

privacy, and in accordance with the fundamental principles set out by the GDPR. The use

of consent, as provided for in Article 6.1.a of the GDPR, is therefore the appropriate legal

basis for the processing of personal data collection and pooling.

242. In conclusion, the collection and sharing of personal data must be based

on the consent of the persons concerned, namely the consumers of the

brands, in accordance with Article 6.1.a of the GDPR.

II.5.2. Finding 1: On the validity of consent (5.1.a., 6.1.a, 7 and 5.2. of the GDPR):

243. As a preliminary matter, some consent mechanisms implemented by

Freedelity and certain brands will be recalled. The brands whose processing has been examined

offer an alternative to data collection by identity card, i.e. by

filling out a manual form. This obligation is provided for by the 1991 law 66 and is

applied – for example – as follows:

a) On the Freedelity website, to create a profile, the person concerned must

enter their identity card number and activate the toggle “I consent to

registering with Freedelity and agree to its privacy policy” (associated with a link).

b) At Enseigne A, a terminal associated with a home screen invites the

consumer to insert their identity card to give their consent,

65 See the doctrine of the French data protection authority (the Commission Nationale de l’Informatique et des Libertés), which considers that the NIR [personal registration number] is “highly personal data”: https://www.cnil.fr/fr/tout-savoir-sur-le-decret-cadre-nir-dans-le-champ-de-la-sante
66 Article 6§4 of the Law of 19 July 1991 relating to population registers, identity cards, foreigners’ cards and residence documents, available at the following link: https://www.ejustice.just.fgov.be/img_l/pdf/1991/07/19/1991000380_F.pdf

which must be deemed to have been obtained, according to the defendant, when the person inserts

his card into the card reader and continues to browse the pages of the

terminal:

“By using your identity card, you agree that Enseigne A and Freedelity

use the identity data to inform you of actions that correspond to your

profile and interests and to update the databases of Freedelity’s commercial

partners. Find out more”.

By clicking on "Learn more", a page opens on which Enseigne A presents

three distinct purposes for which this consent is obtained:

(i) To update the information of the persons concerned in the

databases of Enseigne A and other Freedelity partners,

(ii) To allow Enseigne A to carry out its marketing actions based on

the registration of the telephone number and email address,

(iii) To allow Enseigne A to send a digital proof of guarantee

(proof of purchase) in replacement of the receipt.

c) At Enseigne B, two consent mechanisms are offered through the

terminals: 1) “I agree that Enseigne B uses my data to inform me

of future actions based on my interests”, and 2) “I agree that Freedelity,

Enseigne B’s partner designated to manage my loyalty card, manages my data

in this context, informs me of actions based on my interests and updates the
databases of Freedelity’s partners”. However, on the

Enseigne B website, three consent mechanisms are present: 1) “I consent

to registering with Enseigne B and agreeing to its privacy policy [link]”, 2) “I consent

to registering with Freedelity and agreeing to its privacy policy [link]”, 3) “I consent

to receiving offers by SMS and email from Enseigne B”.

d) On the Enseigne C website, three consent mechanisms are offered during manual

registration: 1) “I accept the registration, the general terms and conditions [link]

and privacy policy [link] of Freedelity”, 2) “I accept the registration and the

general terms and conditions of Enseigne C [link]”, 3) “I agree to receive offers by

SMS and email from Enseigne C”.

244. The defendant maintains that the various consent-obtaining

mechanisms set up by the brands for the collection and sharing of personal

data are all compliant with the GDPR. With regard to its three aforementioned partners, it

successively analyses the characteristics of consent in an attempt to demonstrate

that they meet the requirements of Article 4.11 of the GDPR. While it is not possible to

present the defendant’s arguments in detail in this section, which extends over

50 pages of conclusions, the Litigation Chamber will respond to the defendant’s

arguments in its analysis below.

245. The Litigation Chamber refers to its previous paragraphs concerning the

need to obtain a legal basis for processing within the meaning of Article 5.1.a of the GDPR (see

paragraph 233), and consent as a possible legal basis within the meaning of

Article 6.1.a of the GDPR (see paragraph 234).

246. It recalls that under Article 4.11) of the GDPR, consent is defined as

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which

the data subject signifies agreement, by a statement or by a clear affirmative action, to the processing of

personal data relating to him or her".

247. Article 7.1 of the GDPR relating to the conditions applicable to consent provides that:

"where processing is based on consent, the controller

shall be able to demonstrate that the data subject has given his or her consent to the

processing of personal data relating to him or her". In addition, the controller

shall be able to demonstrate that valid consent has been given

(Article 5.2 of the GDPR).

248. It emerges from the Inspection Service's investigation and the observations

sent by Freedelity that the brands are contractually designated as separate

data controllers. The clauses of the contract subject them to general obligations of

cooperation with Freedelity, to collect valid consent and provide

information to the persons concerned. The Litigation Chamber recalls that it is

not bound by a qualification of the role of the parties as it results from the agreements concluded

between them.

249. The Litigation Chamber notes that the different mechanisms presented in
paragraph 243 are significantly different, and each fails in its own way,

to meet the essential criteria of consent. The defendant uses as a general argument

that the EDPB guidelines on consent, used to support the analysis made

by the Inspection Service, are not enforceable against Freedelity because they were

adopted after the investigation. This argument is irrelevant, since these guidelines

essentially take up the achievements of the guidelines on consent

adopted in 2017 by the Article 29 Working Party ("WP29") 68:

A) Free nature of consent: For consent to be considered

free within the meaning of Article 4.11 of the GDPR, the data subject must be able to consent

67 EDPB, Guidelines 07/2020, section 191
68 G29, Guidelines on Consent under Regulation 2016/679, adopted on 28 November 2017, and available on the following link:

https://ec.europa.eu/newsroom/article29/items/623051/en.

freely, i.e. without being subject to pressure or negative consequences if

they refuse the processing of their personal data. Consent must be given

without the obligation to adhere to other conditions, and the data subject must be able

to withdraw their consent without suffering any harm. In addition, the eID cardholder

may refuse to have their data read and/or recorded in the context of

loyalty, which means that they must be able to benefit from the possibility of subscribing to

a loyalty program outside of any eID card reading. In the

situations presented, several elements show that consent is not

free:

- At Enseigne C, the services offered require acceptance of the

Freedelity general conditions as consent within the meaning of Article 6.1.a of the GDPR.

The fact that the data subject must accept the general terms and conditions of

Freedelity in order to benefit from the commercial advantages offered by Enseigne C

demonstrates a lack of freedom offered to the data subjects. Such

consent, which combines both (i) the acceptance of the general terms and

conditions of Freedelity and (ii) the obtaining of consent (Article 6.1.a of the GDPR)

necessary for the processing of the collection and sharing of personal data, is to

the detriment of the data subject and is not free by nature. 71

- It is incorrect for the defendant to assert that when consent is

requested separately for the processing of data by (i) a brand and

(ii) by Freedelity, this circumstance makes the consent free. Indeed, assuming

that all the other conditions of consent are met, it is up to the

defendant to demonstrate that consent to processing operations by

Freedelity is completely optional, such that, by setting up

separate consent mechanisms, the data subject does not need to

consent to the pooling service offered by Freedelity and its partners in

order to benefit from the commercial advantages offered by the brand.

- Thus, in all cases where the persons concerned are forced to consent to the

processing of their personal data by Freedelity (in particular the

pooling), in order to obtain the desired commercial advantages, this consent is

vitiated because it is not free (see in particular the example of Enseigne A). Indeed,

consent can only be free if the person has the choice to accept or refuse

69 EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 (v1.1), adopted on 4 May 2020,

(hereinafter, "Guidelines 5/2020"), section 13 et seq., and available at the following link:

https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
70 Article 6§4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards
and residence documents, available at the following link:
https://www.ejustice.just.fgov.be/img_l/pdf/1991/07/19/1991000380_F.pdf

71 EDPB, Guidelines 5/2020, section 13 et seq.

the pooling of his personal data, envisaged as a service that would benefit him

distinctly from the commercial advantages offered by the brand in question.

B) Specific nature of consent: To be considered specific within the meaning

of Article 4.11 of the GDPR, consent must relate to precise and

distinct purposes. Each purpose must be clearly separated from the others in order to avoid any use

of the data collected that has not been previously and clearly announced to the person

concerned. In all the cases presented, the consent is not specific:

- On the Freedelity website, the request for consent related to the creation of a

profile includes the obligation to provide one's identity card number and to accept the

privacy charter. Contrary to the defendant's allegations, the presence

of a link to the privacy charter containing more information on the

processing does not make the consent specific. Indeed, the

Litigation Chamber notes that the request is global, not distinguishing

between consents (i) to the creation of an account, and (ii) to the subsequent use of the

data in order to feed the shared Freedelity file using data collected by

other partners. The absence of specification of each purpose prevents the

data subject from understanding and consenting separately to the

different uses of their personal data.

- At Enseigne A, the terminal does not allow specific consent: by inserting

their identity card, the person concerned generally accepts the use of their

data for three separate purposes (updating Freedelity’s databases,

marketing actions, and sending proof of digital guarantee). However, each

purpose should be presented as requiring a separate request for consent to

ensure control of the user’s data, which is not the case in this instance. The

Litigation Chamber disputes the defendant’s claims that the

EDPB’s guidelines on consent do not prohibit several

purposes from being linked. The Litigation Chamber refers to the version of these guidelines

adopted in 2017 by the G29. 73

- Retailer B and Retailer C offer different consent mechanisms

through a system of terminals (Retailer B only) and their websites, but the
structure of these options creates confusion. In Retailer B, consent

to Freedelity's processing operations groups together several distinct purposes. On

72 EDPB, Guidelines 5/2020, section 55 et seq.
73 See Guidelines 5/2020, section 58: "Without prejudice to the provisions relating to the compatibility of purposes,
consent must be specific to the purpose". "If a data controller processes data based on consent and wishes to process the data for another purpose, it must seek additional consent for that other purpose unless another legal basis better reflects the situation", which on this point echoes a well-established position since the publication of the 2017 G29 guidelines on consent also cited above (see page 12).

the websites of these brands, the consents are not specifically

linked to clear and distinct purposes. For example, it is not specified whether the data

collected are used only by Brand B or whether they will be shared in the

Freedelity file, accessible by other partners. Specific consent

would have required separating the purposes related to Enseigne B and those common to Enseigne

B and Freedelity, to obtain the explicit consent of the data subject for their

personal data to be shared and updated in the Freedelity file, using

the contributions of Freedelity’s partners.

250. C) Informed nature of consent: The GDPR requires that consent be informed,

i.e. allowing data subjects to understand precisely what

they are consenting to. 74 In addition, the minimum requirements for informed consent are

included in the guidelines on consent 75 and include in particular (i)

the identity of the data controller, (ii) the purpose of each of the

processing operations for which consent is requested, (iii) the (types of) data

collected and used, (iv) the existence of the right to withdraw consent (etc.).

Regarding points (i) and (iii), the EDPB points out that if the consent requested must serve as a basis

for several (joint) controllers or if the data must be transferred to, or processed by, other controllers who wish to rely on the

original consent, these organisations should all be named.

251. The 1991 law also requires that “informed” consent be provided in the event

of electronic reading of the information on the identity card. In the situations described,

the consent cannot be described as informed:

- On the websites of Freedelity, Enseigne B, and Enseigne C, the concept of

mutualisation, requiring the sharing of data with Freedelity’s partners, is not

explained at all to the data subject when obtaining their consent.

This information is nevertheless essential for the persons concerned

to understand the processing that will be done of their personal data, making the

consent uninformed. The fact that the categories of recipients are

included in Freedelity's privacy policy is not sufficient to make the consent

informed, as the defendant maintains, since this separate obligation is governed by the

transparency obligations of Articles 13 and 14 of the GDPR.

- On the terminals of Enseigne A and Enseigne B, if the concept of mutualisation is referred to in a more or less direct manner, the recipients of the personal data are not mentioned.

74 EDPB, Guidelines 5/2020, section 62 et seq.
75 EDPB, Guidelines 5/2020, sections 64 and 65

76 Article 6§4 of the Law of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents, available at the following link:
https://www.ejustice.just.fgov.be/img_l/pdf/1991/07/19/1991000380_F.pdf

However, since each recipient of the data acts as a (joint) data controller with Freedelity, and therefore as a potential recipient of the data collected by the other joint controllers of

Freedelity, it is essential to inform the person by announcing the identity of the

recipients of this data. It was therefore appropriate to name them individually, without

which the consent could not be considered informed, and therefore valid. The

Guidelines on consent, both in their previous version 77 and in their

current version, specifically mention this point. This omission, in violation of the

GDPR, is aggravated by the circumstances of the processing, which require the

electronic collection of particularly sensitive identity data, and their subsequent

automated exchange between data controllers in the event of an update of the latter.

D) Unambiguous nature of consent: For consent to be considered

unambiguous, it must result from a clear positive act by the data subject. This requirement

excludes any ambiguity: the action by which the person concerned consents must be

clearly distinguished from other possible actions, in particular the simple continuation of

navigation. The Litigation Chamber notes that the consent cannot be described as

unambiguous for the following reasons:

- In the case of Enseigne A, the defendant considers that the person who inserts his

identity card into a reader and clicks on a green button to continue

browsing, gives unambiguous consent. Contrary to what the

defendant maintains, the simple fact of navigating from page to page on a terminal by

pressing a green button to continue does not amount to a clear expression of

consent. For the Litigation Chamber, the simple click on the green button to

navigate from page to page does not meet the requirements of valid consent,

in accordance with Article 4.11 of the GDPR. 80

- Indeed, successive navigation from one page to another can just as well indicate

an exploration of options or an acknowledgement of information, rather than

an approval of a specific data processing. The fact of moving from page to page,

even with a return option (via a red button), remains ambiguous and can mean

several things: exploration, search for more information, or simple navigation,

without it being possible to unequivocally deduce the intention to consent. Thus,

for consent to be unequivocal, the terminal should include a mechanism

77 G29, Guidelines on Consent under Regulation 2016/679, adopted on 28 November 2017: “With regard to item (i) and (iii),
WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be
transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be
named” (page 13).
78 EDPB, Guidelines 5/2020, section 65
79 EDPB, Guidelines 5/2020, section 75 et seq.

80 See also, EDPB, Guidelines 5/2020.

for explicitly requesting consent, such as a specific and dedicated button,

formulated in such a way that the data subject understands unequivocally that by

clicking, he or she is giving his or her consent to the processing of his or her personal data.

252. The Litigation Chamber wishes to clarify that the examples mentioned above are

limited to three specific cases detailed by Freedelity, in which consent,

although not valid, was actually obtained. It notes, however, that Freedelity does not

provide proof of the very existence of any collection of consent

by Freedelity's other partner brands.

253. In conclusion, the Litigation Chamber argues that the mechanisms put in place by

the brands to ensure compliance with Articles 5.1.a and 6.1.a of the GDPR do not

allow valid consent to be considered to have been obtained, in violation

of Articles 5.2 and 7 of the GDPR.

II.5.3. Finding 2: Measures put in place to facilitate the right to withdraw

consent at any time (Arts. 7.3, 5.2, 24 and 25 of the GDPR)

254. According to the defendant, data subjects who wish to withdraw their

consent to the processing of their data by Freedelity can do so by going to the

“My profile” tab of the MyFreedelity portal and disabling the “Validation and updating

of my data with Freedelity customers” toggle. Concerning Brand A, Freedelity

indicates that the possibility for the person concerned to return to the previous page by

clicking on a red button associated with a cross constitutes a right to withdraw consent. It

considers that for certain brands: "The fact that the person concerned has the

possibility of simply not confirming their account is an additional way

made available to them by Freedelity to withdraw their consent to the

processing of their data".

255. It also explains that the person concerned can always send their

withdrawal request by email or by post, or make their request to the

seller of the brand. In this sense, Freedelity considers that it allows the persons

concerned to withdraw their consent at any time. Furthermore, and notwithstanding

these measures which it considers satisfactory, Freedelity admits that it is in the process of changing the

terminal screens in order to provide the possibility for the person concerned to delete their

accounts directly via the terminal.

256. The Litigation Chamber recalls that Article 7.3 of the GDPR provides that: "The data subject

has the right to withdraw his or her consent at any time. The withdrawal of

consent does not compromise the lawfulness of processing based on consent

81 As of 12 November 2020, there were 5 customers who used terminals (page 8 of the responses provided by the

defendant to the questions from the inspection service asked on 29 October 2020).

made before this withdrawal. The data subject is informed of this before giving his/her

consent. It is as easy to withdraw as it is to give your

consent." Articles 24.1 and 5.2 of the GDPR impose

accountability obligations on the data controller, requiring it to be able to

demonstrate that the processing is carried out in accordance with the

GDPR.

257. Article 25.1 of the GDPR requires the data controller to

apply data protection measures by design and by default, depending in particular

on the nature, scope and risks of the processing for the rights and freedoms of

the data subjects. It requires the implementation of technical and

organisational measures to ensure compliance with the GDPR.

258. In this case, Freedelity is criticised for not having

implemented sufficiently simple and direct means to allow the withdrawal of

consent. Although

options exist via the MyFreedelity portal and in-store terminals, these methods do not

meet the simplicity requirement of Article 7.3 of the GDPR, according to which

withdrawing consent must be as simple as giving it. Indeed, the need for

data subjects to navigate through various tabs or interfaces, as well as

the absence of an explicit and immediate withdrawal option, may discourage

consumers from withdrawing their consent.

259. The principle of data protection by design and by default, as set out in

Article 25 of the GDPR, requires the data controller to implement adequate

technical and organizational measures to ensure the protection of personal

data, in particular with regard to the rights of data subjects. This

principle of protection by default should have led Freedelity to provide

withdrawal mechanisms directly at the terminals themselves, even before the

processing is set up. Having to revise the interfaces of the terminals to facilitate the withdrawal of

consent demonstrates a lack of anticipation regarding the requirements of data protection by

default, which should have guided the initial design of the device.

260. Freedelity has implemented a system where the right of

withdrawal, as currently proposed, does not fully meet the requirements of simplicity and

accessibility established by the GDPR. In accordance with the Guidelines on Consent, a

consent mechanism cannot be considered compliant with the GDPR if the conditions of the right of

withdrawal are not effectively respected. The fact that data subjects must go through

separate steps or interfaces to withdraw their consent, instead of a

withdrawal functionality directly integrated into the terminals, does not meet the conditions for

withdrawal of consent provided for in Article 7.3 of the GDPR.

82 EDPB, Guidelines 5/2020, section 116

261. In conclusion, the Litigation Chamber considers that Freedelity has not complied with the

documentation and accountability requirements arising from Articles 24 and 5.2 of the GDPR

regarding withdrawal of consent, as the current mechanisms do not allow for a

simple and direct withdrawal of consent (Art. 7.3 of the GDPR), in accordance with the

principle of data protection by design (Art. 25 of the GDPR).

II.5.4. Finding 3: Measures put in place to demonstrate that the consent

collected complies with the GDPR (Arts. 5.2, 24 and 25 of the GDPR)

262. The defendant maintains that its standard contract requires brands to collect

quality consent, combined with a clause providing that the brand will indemnify

Freedelity in the event of a failure to obtain consent or a deficiency in the quality of the

consent. It also states that its consent register includes important

information, such as the date of consent or the consent log and

the source of the consent.

263. The Litigation Chamber recalls that Article 5.2 enshrines the principle of

accountability and requires that the data controller be able to demonstrate

compliance with the principles of the GDPR in its data processing. Article 24 supplements

this obligation by requiring data controllers to implement

technical and organizational measures adapted to the nature, scope, context,

purposes of the processing as well as the risks to the rights of the data subjects, with

an obligation of continuous review to ensure compliance. Article 25.1, finally,

enshrines the obligation of data protection by design and by default, implying

the implementation of concrete measures that must be applied from the definition of the

processing means. This finding is limited to examining the measures put in

place to ensure the validity of the consent collected.

264. In this case, Freedelity, whose role as data controller is not

contested, must respect these principles of accountability, by demonstrating that the

consents collected comply with the requirements of the GDPR. Indeed, when

processing is based on consent, the data controller must be able to

demonstrate that the data subject has given consent to the processing of

personal data concerning him or her (Article 7.1 of the GDPR). Recital 42

provides that: “Where processing is based on the data subject’s consent, the

controller should be able to prove that the data subject has consented to the

processing operation.”

265. Freedelity explains in its answers to the questions of the Inspection Service 83 that “The

management of consent and its collection is tailored to each client. The IT aspect

83 See page 12 of the responses provided by Freedelity to the questions asked by the inspection service on 29 October 2020.

of the management of this consent within the software is complex and is not

documented in itself”. To the extent that this consent can be adapted to each customer,

at least at the level of the Freedelity terminals, the Litigation Chamber questions

the reasons why Freedelity has not secured quality consent for the

collection and sharing of data at the terminals themselves.

266. In addition, the Litigation Chamber notes that the agreements concluded by Freedelity with the

brands do not allow Freedelity to demonstrate the collection of valid and systematically GDPR-compliant consent

for each person concerned. By limiting itself to requiring the implementation of "quality consent" on a case-by-case basis,

Freedelity takes the risk that certain consent forms are non-compliant.

267. Without prejudging the compliance procedures that could have been

considered to enable compliance, the Litigation Chamber notes that the

following procedures seemed entirely feasible in this case to guarantee Freedelity's

compliance with the requirements of the GDPR in view of the risks presented by the processing in

question:

- Freedelity could have established a precise model for collecting valid consent,

relating to the collection and pooling of identification and contact data,

integrated directly into the Freedelity terminals.

- For brands wishing to implement the consent

mechanisms themselves (for example via their websites), Freedelity could have

established a precise model for collecting consent, described in its contracts with the

brands.

- As far as necessary, ask brands to provide proof that they

have put in place valid consent once the implementation is complete and

add to this obligation an audit clause allowing Freedelity to verify the

compliance of the consent mechanism in a timely manner.

268. The Litigation Chamber insists on the fact that a data controller, even in

a context of joint responsibility, cannot be exempted from this obligation to

demonstrate the collection of valid consent.

269. The sole obligation to compensate Freedelity in the event of collection of invalid consent is not sufficient in itself to demonstrate the sufficiency of the measures implemented

84 See in this sense the IAB decision of the Litigation Chamber of 2 February 2022, No. 21/2022, available from the following link:

https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-en.pdf

And the deliberation of the restricted formation of the CNIL, the French data protection authority, No. SAN-2023-009 of
15 June 2023 concerning the company CRITEO, available from the following link:
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047707063. This decision is currently the subject of an appeal before
the French Council of State.

to ensure the collection of valid consent. Indeed, appropriate technical and

organizational measures should have supplemented such contractual measures. In

addition, the presence of a register that simply contains information on the

presence of a consent mechanism is also insufficient, as it only

allows one to note that consent has been obtained. Neither the quality of the

consent nor its specific nature to Freedelity can be deduced from such a

register.

270. In these circumstances, the Litigation Chamber considers that Freedelity has not

implemented the necessary measures to enable it to demonstrate that the consent

collected for the collection and pooling of data complies with the GDPR within the meaning

of Articles 5.2, 24 and 25 of the GDPR.

II.5.5. Finding 4: Principle of minimisation of personal data (Art. 5.1.c
of the GDPR), and principle of data protection by default (Art. 25.1 of the GDPR)

271. The defendant maintains that given the large amount of personal data processed

by Freedelity, a balance must be struck between the principle of minimisation (Art. 5.1.c of the GDPR) and

the principle of accuracy (Art. 5.1.d of the GDPR). It points out that in order

to carry out its missions, it must quickly limit the risk of confusion between

individuals, avoid duplication, and identify potential fraud, hence the large volume

of information collected. Finally, it maintains that changes

of postal or electronic address are recorded in order to allow consumers to receive
promotional offers, advertisements or any other

information, and to allow new tenants or purchasers not to receive

unwanted advertising.

272. The Litigation Chamber recalls that the principle of data minimisation, set

out in Article 5.1.c of the GDPR, requires that the personal data collected be adequate,

relevant and limited to what is strictly necessary in relation to the

purposes for which they are processed. In other words, only data that is

essential to achieve the objectives of the processing must be collected, thus

avoiding any excessive collection of information that would not be

directly useful or justified by the intended purposes. As stated above, Article 25.1 of the GDPR enshrines the obligation of

data protection by design and by default, implying the implementation of
concrete measures that must be applied as soon as the processing means

are defined.

273. The Inspection Service indicated that with regard to the

processing carried out for the purposes of registration in the

"Freedelity file" as well as for the pooling of data

with Freedelity customers and partners, the following personal

data would be processed in particular:

- Identification data, namely: "surname, first name(s), gender, place and date of birth,

nationality, home address, identity card number, municipality of issue of the

identity card, validity date of the identity card and history of this data"; and

- Contact data: "your email address, telephone/mobile number and history of

this data".

274. In addition, the 2011 recommendation of the CPVP states: "Certain commercial

practices also lead the Commission to look into the use of the identity

card as a loyalty card. (…) This choice must be offered to customers in a

transparent and explicit manner as soon as a loyalty system is offered to them. In

addition, the principle of proportionality of the privacy law requires that only the

necessary data of the identity card can be read in this context. There can be no question

of processing and storing for this purpose either the photo of the cardholder,

nor the number of his identity card, his identification

number in the National Register, his nationality, his place of

birth" (emphasis added). The underlined data are nevertheless collected by

Freedelity. Therefore, contrary to what the defendant claims, the CPVP has not

only never approved this practice but has also limited in its opinion the

modalities of lawful processing of identity card data.

275. A fortiori, data such as the municipality where the identity card was issued, the

validity date of the identity card and the history of this data are of no relevance

in the context of the processing carried out by Freedelity and the brands. This data is

generally not included in the manual collection form set up by

certain brands, which shows that it is not useful, and therefore a fortiori not

necessary for the implementation of the processing.

276. As the Inspection Service rightly points out, only a few data items would have been

necessary for Freedelity to fully comply with the GDPR’s principles of minimisation and

accuracy when feeding the Freedelity file. The Litigation Chamber considers that the surname, first name and contact details (postal

address, email or telephone) are sufficient to provide a sufficiently precise indication of the

data subject in view of the purpose in question, which does not require irrefutable

identification of the data subject’s identity. These data items could have been the only

ones collected from the start of the processing, without the operation of the

Freedelity file being affected.

85 The identity card number is an identifier distinct from the national register registration number (NIR), which Freedelity
states that it does not collect.

86 CPVP, recommendation No. 03/2011 of 25 May 2011, relating to the taking of copies of identity cards, as well as their
use and electronic reading, available at the following link:
https://www.dataprotectionauthority.be/publications/recommandation-n-03-2011.pdf.

277. The risk of having obsolete data in the Freedelity file does not justify the collection

of around ten additional and optional items of information. Furthermore, the greater the

number of personal data collected, the more difficult it is to comply with both the

principle of accuracy and the principle of minimisation. The defendant’s arguments on

this point cannot therefore convince. The Litigation Chamber is

particularly concerned about the impact on the persons concerned in the event of a data

breach, due to their quantity and precision. Indeed, the massive centralisation of data

of a large part of the population and their data collected directly on their

identity card poses a high risk to the privacy of millions of consumers.

278. For these reasons, the Litigation Chamber considers that Freedelity has failed to comply with the

principle of minimisation of personal data (art. 5.1.c of the GDPR), and with the principle of

data protection by default (art. 25.1 of the GDPR).

II.5.6. Finding 5: Principle of limitation of the retention of personal data (art. 5.1.e, 5.2, 24 and 25.1 of the GDPR)

279. The defendant claims that the retention of data for a period of 8 years in the

context of the management of the Freedelity file is appropriate. The starting point of this retention period is

calculated, according to the defendant, from the last "activity" of the person
concerned (e.g.: checkout).

280. It maintains that the data retention period of 8 years is justified first of all

by the specific purpose of the Freedelity file, which requires regular updating and immediate

accessibility of the data. Then, it underlines the legitimate economic interest

of retaining the data for a sufficient period to allow optimal operation

of its service. This retention period is also justified by

accounting and tax considerations, both for customers and for the company itself. It

highlights the fact that the legal guarantee of consumer goods of 2 years, 87

which can be extended by traders, requires a longer data retention period than the strict 2-year period proposed by the Inspection Service.

281. The Litigation Chamber recalls that within the meaning of Article 5.1.e of the GDPR, data

must be retained in a manner that guarantees that they are not kept in a form

that allows the identification of individuals for longer than is necessary for

the purposes for which they are processed. The data controller is

responsible for compliance with this principle and must be able to demonstrate that it is

[87] Article 1649quater of the Civil Code

complied with (Arts. 5.2 and 24 of the GDPR). The Litigation Chamber refers to its

previous findings concerning Art. 25 of the GDPR (see paragraph 263).

282. The Litigation Chamber notes that the defendant's arguments are

not sufficient to justify such a long retention period. Indeed, while regular updating of the

file and immediate accessibility of the data are necessary to ensure quality customer

service, it should be noted that these objectives can be achieved with a

retention period significantly shorter than 8 years.

283. Concerning the retention periods invoked by the defendant, the

Chamber notes that these apply mainly to purposes distinct from the management of the

Freedelity file, and for which Freedelity does not act as data controller. Indeed, the legal requirements relating to

guarantees essentially concern the relations between the consumer and the seller. Thus, the

legal obligations weighing on Freedelity in terms of data retention cannot be based

on these requirements alone.

284. Furthermore, the Freedelity file is not the appropriate medium for storing data based

on such requirements, specific to customers. Indeed, the CustoCentrix

database is the one that hosts, in the form of Silos, the data strictly

specific to each brand and the processing of which is subcontracted to Freedelity by

each of the brands. To this extent, and based on the responses provided by

Freedelity to the Inspection Service,[89] the Silo specific to each customer could serve

as an intermediate archive[90] of data whose retention in an active database, on the

Freedelity file, is no longer justified.

285. In this case, the Chamber considers that a maximum retention period of 3

years from the last activity would be sufficient to meet the needs of the defendant, while

respecting the rights of the persons concerned. This period is aligned with the

current practices recommended by the National Commission for Information Technology and

Liberties (CNIL).[91] The Chamber considers that a consumer who has not shown any

activity for a period of two to three years within the partner brands of

Freedelity can be presumed to no longer wish to benefit from the services associated with this file.

[88] As explained by Freedelity in its 2020 WhitePaper (page 5): "the database specific to each client within CustoCentrix containing consumer data that cannot be shared with other clients and for which Freedelity acts as a subcontractor within the meaning of data protection regulations".

[89] See page 22 of the responses provided by Freedelity to the additional questions from the Inspection Service asked on 29 October 2021.

[90] The concepts of “intermediate archiving” and “active base” are used by the CNIL in its reference documents on data retention. See for example this article from the CNIL on the determination of retention periods: https://www.cnil.fr/fr/passer-laction/les-durees-de-conservation-des-donnees

[91] CNIL reference document on the processing of personal data – management of commercial activities. https://www.cnil.fr/sites/cnil/files/atoms/files/referentiel_traitement-donnees-caractere-personnel_gestion-activites-commerciales.pdf (page 5)

It is indeed reasonable to consider that such a consumer has lost all interest in

this type of loyalty program.

286. In this perspective, the defendant is free to set up a mechanism

for regular verification of the activity of the persons concerned to ensure that their

data - and their account - should not be deleted. For example, an

email could be sent to consumers who have not shown any activity

for 3 years, in order to ask them to confirm their wish to maintain their registration

in the Freedelity file. In the absence of a response from them within a reasonable time, the

defendant could consider that these persons have waived the benefit of this

service and proceed to the deletion of their data or their archiving, if applicable.

287. In view of all these elements, the Chamber considers that the retention period

of 8 years set by the defendant is disproportionate to the purpose pursued.

The principle of data minimization, enshrined in Article 5.1.e of the GDPR, requires the

data controller to limit the retention of data to a strictly

necessary period.

288. In conclusion, the Litigation Chamber finds a violation of the principle of

limitation of the retention of personal data (Art. 5.1.e, 5.2, 24 and 25.1 of the

GDPR) due to the excessive retention period of 8 years for the management of the Freedelity file.

III. Corrective measures and sanctions

289. Under Article 100§1 of the LCA, the Litigation Chamber has the power to:

1° dismiss the complaint;

2° order that there be no further action;

3° order a suspension of the decision;

4° propose a transaction;

5° issue warnings or reprimands;

6° order compliance with the requests of the person concerned to exercise their rights;

7° order that the person concerned be informed of the security problem;

8° order the freezing, limitation or temporary or permanent prohibition of the processing;

9° order that the processing be brought into compliance;

10° order the rectification, restriction or erasure of the data and the notification of

these to the recipients of the data;

11° order the withdrawal of the accreditation of the certification bodies;

12° impose periodic penalty payments;

13° impose administrative fines;

14° order the suspension of cross-border data flows to another State or an

international body;

15° forward the file to the Public Prosecutor's Office of the Brussels

King's Prosecutor, who shall inform it of the follow-up given to the file;

16° decide on a case-by-case basis to publish its decisions on the website of the

Data Protection Authority.

III.1. Choice of the appropriate corrective measure or sanction

290. In light of the above and on the basis of the powers assigned to it by

the legislator, the Litigation Chamber decides to order measures to bring

processing into compliance, pursuant to Article 100, §1, 9° of the LCA, as

well as the deletion of certain data, in accordance with Article 100, §1, 10° of the LCA. In order

to guarantee the effective execution of these measures, the Litigation Chamber considers it

necessary to combine them with periodic penalty payments, considering that this approach

constitutes the most appropriate response to the circumstances of the case.

291. The Litigation Chamber considers that a combination of such measures is

appropriate to achieve the effective, proportionate and dissuasive nature of the sanction. Indeed, it is

imperative that Freedelity implements this decision by bringing its

processing into compliance and deleting certain data. In this case, the planned penalty payment is

able to put sufficient pressure on Freedelity to achieve this end.

292. The Litigation Chamber could decide to impose an administrative fine under

its powers on the basis of Article 83 of the GDPR and Article 100, § 1, 13° of the
LCA, with regard to the violations found of Articles 4, 5, 6, 7, 24 and 25 of the GDPR.

293. Nevertheless, the Litigation Chamber considers that compliance orders accompanied

by a penalty payment do not require the imposition of a fine since the injunctions issued

require the company to significantly transform its business model in order to
comply with the requirements of the GDPR. This complex and demanding process will require

significant financial resources from the defendant.

294. The penalty payment, through its incentive mechanism, guarantees that the corrective measures will

be effectively implemented without unduly weakening the financial stability of the company. This approach, combined with the other sanctions adopted, ensures a response

that respects the principles of effectiveness, proportionality and dissuasion of the GDPR.

295. Therefore, pursuant to Article 100§ 1 of the LCA, the Litigation Chamber decides to:

a) in accordance with Article 100§ 1, 9° of the LCA, order compliance

of the processing operations within a period of 4 months, in accordance with injunctions 1 to 5;

b) in accordance with Article 100§ 1, 10° of the LCA, order the erasure of the data

in accordance with injunctions 4 and 5 within a period of 4 months;

c) in accordance with Article 100§ 1, 12° of the LCA, impose periodic penalty payments of EUR 5,000

per day of delay from the day on which the Litigation Chamber notifies it that it

has partially or not at all complied with the injunctions issued in

this decision, on the basis of the responses provided by the defendant to the

Litigation Chamber, which must have been received by the end of the

period allowed for compliance;

d) in accordance with Article 100§ 1, 16° of the LCA decide to publish the decision on the

website of the Data Protection Authority, with direct identification of

the defendant.

III.2. Order for compliance and erasure of data

296. The Litigation Chamber considers that it is appropriate to impose several injunctions for

compliance and erasure of data on the defendant, by virtue of the

breaches noted.

297. Injunction 1: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders

Freedelity to put in place consent collection mechanisms guaranteeing

that consent is free, specific, informed and unequivocal, in accordance with Article 4.11 of

the GDPR, and this for each processing of personal data that it carries out, including the

pooling of data with its commercial partners.

298. Freedelity must in particular:

- Ensure that access to the commercial advantages offered by a brand is not

conditioned on the acceptance of other non-essential processing or conditions, including the

pooling of data.

- Clearly and comprehensibly inform the persons concerned, at the time

of the collection of their data, on the specific purposes of each processing, the

categories of data concerned, and allow consumers to know the identity of the recipients with whom the data will be shared.

- Implement explicit mechanisms to obtain unambiguous consent, such as

a button that is not checked by default allowing data subjects to expressly confirm

their agreement for each processing purpose envisaged.

- Verify the existence of free, informed, unequivocal and specific consent for

all data subjects whose data is processed in the Freedelity file, in light of the above requirements and in the event of a negative finding, either

delete the data currently present in the Freedelity file without

valid consent, or renew the consent of the data subjects before the end of the period

allowed for compliance with this Injunction 1.

- Transmit to the Litigation Chamber evidence of compliance with this Injunction 1,

including a copy of the Freedelity-specific consent form template (or

consent forms) modified or implemented pursuant to Injunction 1 issued by the Litigation Chamber.

299. Injunction 2: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders

Freedelity to put in place simple, accessible and direct mechanisms to
allow data subjects to withdraw their consent, in accordance

with Article 7.3 of the GDPR.

300. Freedelity must in particular:

- Integrate on all physical terminals used by its partners an explicit

and immediate option allowing the withdrawal of consent, without the need to navigate

through complex menus or interfaces.

- Update the MyFreedelity portal to include a clearly visible and

directly accessible feature allowing data subjects to withdraw their

consent in as many steps as it takes them to give their consent.

- Inform the persons concerned, at the time of collecting consent, of the

means available to withdraw this consent, ensuring that this information

is clear, understandable and easily accessible.

- Adopt and document technical and organizational measures in accordance with

the principle of data protection by design and by default (Article 25 of the GDPR),

ensuring that withdrawal mechanisms are integrated from the design of any

new interface or terminal.

- Transmit to the Litigation Chamber evidence of compliance with this Injunction 2,

including screenshots of the new consent withdrawal mechanisms as

implemented or modified by Freedelity and the brands.

301. Injunction 3: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders

Freedelity to document precisely the consent collection process, in

such a way as to be able to demonstrate, at any time, that it was obtained in

accordance with the requirements of the GDPR, and this in order to ensure in particular

compliance with Articles 5.2, 24 and 25 of the GDPR. Freedelity shall provide the Litigation Chamber with evidence of

compliance with this Injunction 3.

302. Injunction 4: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders

Freedelity to immediately cease the collection and processing of personal data
from consumers’ identity cards, with the exception of data

strictly necessary for the stated purpose, namely, to take the example of a

classic loyalty program: the surname, first name and contact details

(postal address, email or telephone). Pursuant to Article 100§ 1, 10° of the

LCA, the Litigation Chamber also requires the deletion of any data that has been

collected beyond this information within a period of four months.

303. Freedelity shall in particular:

- Update, or order the updating of all collection interfaces and tools

used by Freedelity and its partners (in-store terminals, digital portals,

manual forms, etc.) in order to guarantee that only authorized data is

collected.

- Prohibit, with respect to third parties, any resale or transfer of

unnecessary data collected before the definitive deletion of this data, unless

valid consent from the persons concerned is obtained. This prohibition includes

data previously collected that does not comply with the principle of minimization.

- Notify the persons concerned of the deletion of unnecessary data

already collected, reminding them of their rights regarding the data that continues to be

processed by Freedelity, in particular the right to access, rectify, delete their data, as

well as their right to withdraw their consent.

- Freedelity must provide the Litigation Chamber with evidence of compliance with this

Injunction 4, in particular a copy of the template for the notification to the persons

concerned and proof of the effective deletion of the unnecessary personal data

identified in Finding 4 of this decision.

304. Injunction 5: Pursuant to Article 100§ 1, 9° of the LCA, the Litigation Chamber orders

Freedelity to reduce the retention period of personal data processed in the

context of the Freedelity file to a maximum of three years from the last activity of the

persons concerned. Pursuant to Article 100§ 1, 10° of the LCA, the Litigation Chamber

requires Freedelity to erase data that has been retained for a period of more than three years, unless a separate legal basis justifies their retention in an

intermediate archive such as Customer Silos (for example, specific legal obligations for

brands).

305. Freedelity must in particular:

- Delete all personal data retained beyond this period of three

years for persons who have not demonstrated any activity, unless a separate legal basis

justifies their retention (for example, specific legal obligations or ongoing disputes).

Apply this erasure to all data currently contained in the

Freedelity file and purge the Freedelity file of obsolete data.

- Ensure that when a separate legal basis justifies the retention of data for

more than 3 years, the data is archived on a medium separate from the Freedelity file and

that it is processed for no purpose other than that of storage justified by the legal

basis in question.

- Send a reminder by email or any other appropriate means to

consumers who have not shown any activity for three years or more, in order to

ask them to confirm their wish to maintain their registration. In the absence of a

response within a reasonable period (for example, one month), archive the data under

the conditions listed above, or delete them if applicable.

- Freedelity must provide the Litigation Chamber with evidence of compliance with this

Injunction 5, in particular documents demonstrating the effective erasure of

personal data beyond the authorized periods, in accordance with Finding 5 of

this decision.

III.3. Conditional sanction: the penalty payment

III.3.1. Preliminary considerations

306. The penalty payment is unique in that it is fully conditional. The amount to be paid

is indeed uncertain. The defendant first has a period of time to comply or to appeal the

decision. It is only in the event of non-compliance on its part

after a period of 4 months from notification of this decision that the penalty

payment will be implemented. Therefore, the amount of the penalty payment is variable, and it may even be zero,

where applicable.

[92] See on this point the recommendations of the CNIL (French data protection authority) regarding intermediate data archiving: https://www.cnil.fr/fr/passer-laction/les-durees-de-conservation-des-donnees

307. The penalty payment is distinguished from the administrative fine in that it constitutes an indirect means of enforcing the main penalty or penalties in order to secure compliance

with the law in force, whereas the administrative fine is punitive in nature.

308. The penalty payment therefore also has an ancillary nature. The penalty payment and the administrative fine are thus different both in nature and in the objectives they pursue.

309. In light of the reasons set out above, the Litigation Chamber decides to impose

periodic penalty payments on the defendant in this case, and does not consider that it must inform

the defendant in advance by means of a penalty form.

III.3.2. Practical arrangements for the periodic penalty payment

310. In order to give the defendant the time necessary to comply with the

injunctions issued in this decision, the periodic penalty payment will not be implemented

directly following the notification of this decision to the defendant. In this case, the

Litigation Chamber considers that a period of 4 months from the notification of this

decision is sufficient to allow the defendant to comply with the said

injunctions.

311. The time limit shall run from the day on which the defendant receives the registered letter notifying it

of this decision or from the day of expiry of the time limit during which the

defendant is, where applicable, required to collect said registered letter from

the post office.

312. From the expiry of the 4-month period from the notification of this

decision, and provided that it has received the evidence requested in the various

injunctions within the time limits, the Litigation Chamber shall notify the defendant, after

examining the documents:

1) That the latter has fully complied with the injunctions issued in

this decision; or

2) That the defendant has partially complied with the injunctions issued in

this decision; or

3) That the defendant has not complied with the injunctions issued in

this decision.

313. The Litigation Chamber shall initiate the enforcement of the penalty payment on the same day as the

notification in the second and third cases. In case of doubt, the APD may use

its powers derived from the LCA or the ROI in order to continue the procedure or open a

new file, if necessary.

[93] Decision on the merits of the Litigation Chamber, No. 131/2024 of 11 October 2024, paragraphs 113 to 116.

314. The amount of the periodic penalty payments is defined as follows:

a) Injunction 1: the defendant must pay EUR 1,000 per day of delay from the day on which

the Litigation Chamber notifies it that it has partially or not at all complied with

the injunctions issued in this decision;

b) Injunction 2: the defendant must pay EUR 1,000 per day of delay from the day on which

the Litigation Chamber notifies it that it has partially or not at all complied with

the injunctions issued in this decision;

c) Injunction 3: the defendant must pay EUR 1,000 per day of delay from the day on which

the Litigation Chamber notifies it that it has partially or not at all complied with

the injunctions issued in this decision;

d) Injunction 4: the defendant must pay EUR 1,000 per day of delay from the day on which

the Litigation Chamber notifies it that it has partially or not at all complied with

the injunctions issued in this decision;

e) Injunction 5: the defendant must pay EUR 1,000 per day of delay from the day on which

the Litigation Chamber notifies it that it has partially or not at all complied with

the injunctions issued in this decision.

315. If the defendant fails to comply with the six injunctions, it must then pay EUR 5,000

for each day of delay from the day on which the Litigation Chamber notifies it that it has

partially or not at all complied with the injunctions issued in this

decision.

316. The Litigation Chamber recalls that the penalty payment is not punitive in nature. The

injunctions are each accompanied by a penalty payment to ensure their proper execution.

The amount of the penalty payments is reasonable in view of the infringement that the

defendant has caused to the rights of the plaintiff, and of users more generally, but also
in view of the financial capacity of the defendant, whose turnover is less

than [amount], and the profit that it can derive from the non-execution of the injunctions in question.

317. If the defendant considers that full execution of the injunctions is impossible

within the prescribed period despite all reasonable efforts, it may submit a
reasoned request for an extension of time to the Litigation Chamber within 45

days of notification of this decision to it.

318. The penalty payment is daily. The Litigation Chamber decides that the maximum
cumulative amount of the penalty payment may not exceed EUR 100,000.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, with the Market Court (Brussels Court of

Appeal), with the Data Protection Authority as the defendant.

Such an appeal may be filed by means of an interlocutory application which must contain the

information listed in Article 1034ter of the Judicial Code. The interlocutory application must be

filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code,[95] or

via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS

President of the Litigation Chamber

[94] The application contains, under penalty of nullity:
1° the indication of the day, month and year;
2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualities and his/her national register number or company number;
3° the surname, first name, address and, where applicable, the quality of the person to be summoned;
4° the subject and summary statement of the grounds of the application;
5° the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.

[95] The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.