C. A. - 2024/AR/1615
From GDPRhub
| Court of Appeal of Brussels (Belgium) - 2024/AR/1615 | |
|---|---|
 | |
| Court: | Court of Appeal of Brussels (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 15 GDPR |
| Decided: | 22.01.2025 |
| Published: | 01.04.2025 |
| Parties: | An unnamed telecom provider APD/GBA (Belgium) |
| National Case Number/Name: | 2024/AR/1615 |
| European Case Law Identifier: | |
| Appeal from: | APD/GBA (Belgium) Décision quant au fond 107/2024 du 23 août 2024 |
| Appeal to: | Unknown |
| Original Language(s): | French |
| Original Source: | Brussels Court of Appeal (in French) |
| Initial Contributor: | cci |
A court reduced a fine against a telecom provider from €100,000 to €5,000. The fine related to the late response to a data subject’s access request.
English Summary
Facts
A customer (the data subject) filed a complaint against their telecom provider (the controller) after it failed to respond to their access request under Article 15 GDPR. The controller eventually responded to the request 14 months later, when the complaint was already pending. The Belgian DPA fined the controller €100,000 for violating Article 15 GDPR.
The controller challenged the fine before the Belgian Court of Appeals.
Holding
The Court reformed the DPAs decision and reduced the amount of the fine to €5,000. The Court found that the original €100,000 fine was disproportionate for a number of reasons:
- the infraction was an isolated incident, affected a single data subject, and did not involve special categories of data;
- the controller had no history of violating the GDPR;
- the infraction caused no damage to the data subject but only mere inconvenience:
- the infraction was not intentional;
- the controller collaborated with the DPA during the investigation and implemented better procedures for handling access requests after the complaint was filed.
Comment
The summary for the original decision is available here.
In its access request, the data subject also required the name of the controller’s employees who accessed their data. However, the controller refused to provide this information. The DPA did not consider the controller’s refusal to be a violation of the GDPR. This aspect of the DPA’s decision was not appealed by either party and was not dealt with by the Court of Appeals.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Directory number Delivrae Delivrea Delivrea
2025/
Date of judgment
€e
January 22, 2025 CIV
Roll number
2024/AR/1615
D Registrable
D Not Registrable
I
r I
II
Section, Cour des Marches
19th Chamber A
Chamber of Marches
Judgment
Presented on
Not Registrable, Court of Appeal, Brussels - 2024/AR/1615-p. 2
1. Y, BCE [number], whose registered office is located at [address],
applicant, hereinafter also referred to as "Y",
represented by Valentine QUERTON and Bastiaan BRUYNDONCKX, lawyers at
[address]
vs.
1. DATA PROTECTION AUTHORITY, BCE 0694.679.950, whose registered office is located at 35 Rue de la Presse, 1000 BRUSSELS,
Opposing party, hereinafter also referred to as "the DPA",
represented by Gregoire RYELANDT, Evrard DE LOPHEM, and Estelle VOLCANSEK, lawyers at [address]
***
Having considered the documents in the proceedings, and in particular:
-
Decision no. 107/2024 issued on August 23, 2024, by the Litigation Chamber of the Data Protection Authority (hereinafter "the DPA"), in case DOS2022-0240 (hereinafter the "Impaired Decision" or the "Decision");
- the action for annulment of said Decision filed with the registry by the Applicant on September 20, 2024;
- the additional and summary submissions filed for the Applicant on November 13, 2024;
- the summary submissions filed for the DPA on November 27, 2024;
-
the documents filed by the parties; Brussels Court of Appeal - 2024/AR/1615 - p. 3
I. Facts and Procedural Background
1. The facts and procedural background can be summarized as follows.
The Applicant, Y (hereinafter "Y"), is a telephone operator offering services throughout Belgium. As part of its services, Y offers its residential customers prepaid mobile services and subscriptions, as well as numerous other innovative telecom services.
Mr. X (hereinafter the "Complainant") had been a residential customer of Y since 2019.
On January 27, 2021, according to Y, through an error by one of its employees, billing for the "[name of service]" service was activated at the Complainant's premises without the latter's consent.
On February 18, 2021, the Complainant's internet subscription was terminated without the Complainant having requested it, also by mistake, according to Y. While attempting to deactivate the '[service name]' service, an employee made a mistake and completely terminated the Complainant's internet subscription. While making every effort to reactivate the Complainant's internet service, an employee also mistakenly activated the Complainant's 'Y TV' service on February 26, 2021.
On June 26, 2021, the Complainant filed a complaint with the Telecommunications Ombudsman Service. On August 27, 2021, the Telecommunications Ombudsman Service closed the file.
On January 25, 2022, the Complainant contacted Y via Facebook Messenger, requesting the email address of his Data Protection Officer (DPO) in order to exercise his right of access under Article 15 of the GDPR.
The chat message replied, "We do not have an email address" and that he "is not able to do that" (provide the DPO's contact details), but that he could handle the request via the chat.
The Complainant then sent the following message:
"In accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, Article 15, I would like to be informed about access to my personal data (account, personal data, options activated on my Y account, etc.) during 2021 (January 1, 2021 - December 31, 2021) by Y employees/collaborators."
He was asked to clarify his request, which he reiterated, describing it as very clear and simple. Brussels Court of Appeal - 2024/AR/1615 - p. 4
On March 13, 2022, the Complainant contacted Y again via Facebook Messenger and reiterated his request, without receiving a reply. response; he indicated that if he did not receive a response by the end of March, he would contact the APD.
On June 3, 2022, the Complainant filed a complaint with the APD.
On June 9, 2022, the complaint was declared admissible by the APD's Frontline Service and the complaint was forwarded to the Litigation Division pursuant to Article 62, § 1 of the LCA.
On February 27, 2023, the Litigation Division decided that the case could be considered on the merits.
On March 28, 2023, Y responded to the access request by providing the activity logs relating to his contract covering the entire year 2021, with anonymized logins (Exhibit 3 of Y's file).
On May 31, 2024, the parties were heard by the Litigation Division, and the minutes of the hearing were submitted to them on June 10, 2024.
On June 12 and 17, 2024, the Litigation Division received comments on the minutes from Y and the Complainant, respectively.
On July 3, 2024, the Litigation Division informed Y of its intention to impose an administrative fine, in order to give it the opportunity to defend itself before the penalty was actually imposed. On July 22, 2024, Y sent its reaction to the Litigation Division.
II. The Impugned Decision
2. On August 23, 2024, the Litigation Division of the APD issued the Impugned Decision. It notes a violation by Y of Articles 12.2, 12.3, and 15 of the GDPR (response to the Complainant's access request 14 months late), while stating that "However, the finding relating to Articles 12.2 and 12.3 is not taken into account in determining the penalty" (§ 55 of the Decision).
The operative part of the Decision reads as follows:
95. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the Data Protection Authority's website. However, it is not necessary for this purpose for the parties' identifying data to be directly communicated. Brussels Court of Appeal - 2024/AR/1615 - p. 5
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation:
- Pursuant to Article 58.2.i) of the GDPR and Article 100, §1, 13° of the LCA, read
in conjunction with Article 101 of the same Law, to impose an administrative fine of EUR 100,000 on the defendant for the violation of
Article 15 of the GDPR;
- To order the defendant to inform the DPA (Litigation Chamber) of the outcome
of this injunction.
Ill. Subject of the appeal
3. Y's appeal seeks the annulment of the contested decision. She requests the Court to:
• declare this appeal admissible and well-founded;
• to annul Decision 107/2024 of the Litigation Chamber of the APO of August 23, 2024, and, sitting again, to reform the decision under appeal;
• primarily:
•
declare the Complainant's complaint filed with the Data Protection Authority on June 3, 2022 unfounded;
• alternatively:
• if, by any means impossible, Your Court were to consider that Y violated Article 15 of the GDPR or any other article of the GDPR or any other data protection legislation, not to sanction Y and only issue a warning;
• In the further alternative:
• If, by some impossibility, your Court were to consider that an administrative fine should be imposed against Y (although certainly not), reduce this fine to the amount of EUR 5,000.00;
• In any event:
• Order the Data Protection Authority to pay all the costs and expenses of these proceedings, including the procedural compensation awarded in the amount of EUR 1,800.00. Brussels Court of Appeal - 2024/AR/1615 - p. 6
The Data Protection Authority requests:
Declare the appeal admissible but unfounded,
Order the applicant to pay all the costs of the proceedings, including the procedural compensation of EUR 1,800.00 (basic amount).
IV. Legal Framework
4. The applicable (or potentially applicable) legal framework consists in particular of the following provisions (without being exhaustive).
- The applicable European legal framework
The General Data Protection Regulation (GDPR) (highlighted by the Court of Justice):
Article 12 - Transparency of information and communications and modalities for exercising the data subject's rights
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14, as well as any communication under Articles 15 to 22 and Article 34 concerning the processing, to the data subject in a concise, transparent, comprehensible, and easily accessible manner, in clear and plain language, in particular for any information specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, electronically. Upon request from the data subject, the information may be provided orally, provided that the data subject's identity is established by other means.2. The controller shall facilitate the exercise of the rights granted to the data subject under Articles 1 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to comply with the data subject's request to exercise the rights conferred by Articles 1 to 522, unless the controller demonstrates that it is unable to identify the data subject. 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EEC, L119, 4 May 2016. Brussels Court of Appeal - 2024/AR/1615 - p. 7
3. The controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22, as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. The controller shall inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request. When the data subject submits their request in electronic form, the information shall be provided electronically (where possible), unless the data subject requests otherwise.
4. If the controller does not comply with the request made by the data subject, they shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for their inaction and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Article 15 - Right of access of the data subject
1. The data subject has the right to obtain from the controller confirmation
as to whether or not personal data concerning him or her are being processed and,
where they are, access to those personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients established in
third countries or international organizations;
d) Where possible, the envisaged period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or
erasure of personal data, or restriction of processing of personal data
relating to the data subject, or the right to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, meaningful information about the underlying logic, as well as the significance and the envisaged consequences of such processing for the data subject. Brussels Court of Appeal - 2024/AR/1615 p. 8
1. When personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards, pursuant to Article 46, relating to that transfer.
3. The controller shall provide a copy of the personal data being processed. The controller may charge a reasonable fee based on administrative costs for any additional copies requested by the data subject. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Art. 58 - Powers
(...)
2. Each supervisory authority shall have the power to adopt any of the following corrective measures:
(...)
i. Impose an administrative fine pursuant to Article 83, in addition to or
( )
in place of the measures referred to in this paragraph, depending on the
specific characteristics of each case."
Law of December 3, 2017 establishing the Data Protection Authority (hereinafter "LCA"):
In the version applicable to the dispute, prior to its amendment by the Law of December 25, 2023, amending the Law of December 3, 2017 establishing the Data Protection Authority (MB, March 1, 2024, effective June 1, 2024), the LCA includes the following provisions:
Article 100:
§ 1. The litigation chamber has the power to:
1° dismiss the complaint;
2° order a dismissal of the case;
3° suspend the decision;
4° propose a settlement;
5° issue warnings and reprimands; 6° Order compliance with the data subject's requests to exercise these rights; Brussels Court of Appeal - 2024/AR/1615 - p. 9
r Order that the data subject be informed of the security issue;
8 Order the freezing, limitation, or temporary or permanent prohibition of processing;
°
9 Order the processing to be brought into compliance;
10° Order the rectification, restriction, or erasure of data and notification of these to data recipients;
11° Order the withdrawal of accreditation of certification bodies;
12° Impose periodic penalty payments;
°
13 Impose administrative fines;
14° Order the suspension of transborder data flows to another State or an international organization; 15. Forward the file to the Brussels Public Prosecutor's Office, which shall inform the public prosecutor of the
follow-up to the file;
16. Decide, on a case-by-case basis, to publish its decisions on the Data Protection Authority's website.
§ 2. When, after applying § 1, 15, the public prosecutor waives the right to initiate criminal proceedings, propose an amicable resolution, or criminal mediation within the meaning of
Article 216ter of the Code of Criminal Procedure, or when the public prosecutor has not made a
decision within a period of six months from the date of receipt of the file, the Data Protection Authority shall determine whether the administrative procedure should be resumed. V. Discussion by the Court of Appeal
V.A. CONCERNING ADMISSIBILITY
5. The contested decision was delivered by the Litigation Chamber of the APD on August 23, 2024.
It is not disputed that the application, filed with the court registry on September 20, 2024, was filed within the 30-day period referred to in Article 108 of the LCA.
The appeal is admissible.
V.B. CONCERNING THE MERITS
AS A PRELIMINARY STATEMENT AND AS TO THE FIRST GROUND OF ACTION (Violation of the principles of good administration)
Discussion and decision of the Court of Appeal, Brussels Court of Appeal - 2024/AR/1615 - p. 10
6. In accordance with Article 744 of the Judicial Code: "The submissions shall also contain,
°
successively and expressly: (...) 3 the arguments invoked in support of the claim or the defense, where applicable, numbering the various arguments and indicating their principal or subsidiary nature." Article 780 of the Judicial Code provides that:
"The judgment shall contain, under penalty of nullity, in addition to the grounds and the operative part:
3° the subject of the claim and the response to the arguments of the parties presented in accordance with Article
744, paragraph 1; (...)."
In judicial law, a plea can be defined as the statement of "legal reasoning from which the party intends to deduce the merits of a claim or defense" and is distinct from an argument, which is what supports the plea: a fact or an exhibit (C. Parmentier, Comprendre
°
la technique de cassation, Brussels, Larder, 2017, p. 97, n. 93).
It is therefore not a simple "heading" in the submissions, but a legal reasoning that
justifies the merits of a claim or defense. The amendments made to Articles 744 and 780 of the Judicial Code by the "Pot-Pourri I" Law (Law of October 19, 2015 amending the law of civil procedure and containing various provisions relating to justice, which came into force on November 15, 2015) aim to facilitate the judge's task by identifying the remedies to which he or she must respond, with a view to ensuring faster and more efficient justice, in accordance with the public interest. The Court notes that the heading "Primarily: the Litigation Chamber of the APO disregarded Y's rights of defense and the principles of good administration" in Y's submissions does not constitute a ground of appeal in the sense defined above: it is rather an introduction or prelude to the grounds of appeal, each of which is developed in the following headings, which was acknowledged by Y's counsel before the Court.
Therefore, this introduction does not require a response. (Vay Cass. September 14, 2020, C.19.0607.F, on
juportal.be)
7. With regard to the following grounds, they are subject to headings that identify the violation
of a legal provision or a general principle of law, but without indicating how the contested Decision
results in said violation.
The Court will endeavor to identify the true grounds (namely: the legal reasoning in its entirety) in order to satisfy the general obligation to provide reasons (Article 149 of the Constitution),
but without being criticized for not having fully considered them, as they were not
clearly identified and presented. Brussels Court of Appeal - 2024/AR/1615 - p. 11
Y's "SECOND GROUND": Violation of Y's rights of defense. First ground of the APO.
Summary of the parties' positions
8. Y appears to criticize the Disputes Chamber for broadening the scope of the complaint, even though it only sought a right of access within the meaning of Article 15 of the GDPR, and that, in its notification of the complaint on February 23, 2023, it also only sought a possible violation of Article 15 of the GDPR.
Subsequently, in a response dated March 22, 2023 (Exhibit 14 of the APD file), the Complainant broadened his complaint by alleging a violation of new provisions of the GDPR, in particular Articles 12.2 and 12.3 of the GDPR, which created confusion. Y responded by questioning the Disputes Chamber on whether it should defend itself against these new grievances, and the latter refused to respond, without justification.
This created a situation of legal uncertainty for Y.
The Decision contains multiple references to Articles 12.2 and 3 of the GDPR and concludes that Y violated these provisions, even though it then adds that it allegedly did not take these violations into account when setting the amount of the fine, which is implausible.
In doing so, the Disputes Chamber violated Y's rights of defense.
9. The APD alleges that it clearly stated in its letter of February 27, 2023, that the complaint concerned the follow-up given to the Complainant's exercise of his right of access and clarified the context. In this letter, it clearly identifies the observed breaches, the potentially violated standards, as well as the facts alleged. It had access to all the documents in the case file, which allowed it to understand the nature of the allegations and the evidentiary elements on which the Litigation Division would rely to support its decision.
It does not specify what new elements, which were not disclosed before the conclusion of the proceedings, were discovered by it in the Impugned Decision. Regarding the additional elements disclosed by the Complainant on March 22, 2023, the Litigation Division allows each party to express its views but assesses the relevance of the facts and their classification alone. It is not up to the Complainant to define the scope of the proceedings. The Decision was issued on the basis of the grievances formally communicated to Y in the letter of
February 27, 2023, and on the facts that the Litigation Chamber deemed relevant after its own review. Court of Appeal Brussels-2024/AR/1615. 12
Y had multiple opportunities to present its defense throughout the proceedings.
Furthermore, the fact that the Complainant stated during the hearing that he was satisfied with the response to his request for access (regarding the principle, but not its modalities) did not create any legal uncertainty for Y. Just because a complaint becomes moot does not mean that the Litigation Chamber loses its power to verify Y's compliance with the GDPR in connection with said complaint, which is part of its mission as a supervisory authority.
Article 12.2. of the GDPR requires the data controller to facilitate the exercise of the rights granted to the data subject, and therefore the right of access referred to in Article 15 of the GDPR, and Article 12.3 of the GDPR requires the data controller to inform the data subject of the measures taken following such a request, as soon as possible, and in any case within one month. These are therefore intrinsically linked provisions. Y was well aware of these provisions and defended itself in this regard.
Furthermore, the finding relating to Articles 12.2 and 12.3 of the GDPR was not taken into account in the Decision for determining the penalty.
Discussion and Decision of the Procurement Court
10. The Litigation Chamber of the APD is an administrative authority to which the general principles of good administration apply, including the principle relating to respect for the rights of defense. This principle requires the administrative authority to allow the administrator to defend themselves
effectively when considering taking a punitive measure, such as an administrative fine (see by analogy Cass. 6 November 2023, C.23.0092.N; Goffaux, P.,
Dictionnaire de droit administrative, 3rd edition, Brussels, Larder, 2022, pp. 327 et seq.). As this author states: "This principle requires the administration to bring to the attention of the person concerned, in a timely manner, the grievances raised against them, to grant them access to the entire file on which the proceedings are based, to allow them to be assisted by a lawyer and to have sufficient time to effectively organize their defense and, of course, to allow them to present their defense against the allegations and the proposed sanction, as well as to hear, where appropriate, witnesses useful for their defense and the uncovering of the truth." (ibid., p. 328).
It is important that the person concerned understands the behavior they are accused of. This does not, however, necessarily mean that the authority must specify the possible classifications of the facts or indicate the statutory provisions that may have been violated during their commission (C.E., March 22, 2016, no. 234.217, Sizaire, cited by P. Goffaux, note 835). Brussels Court of Appeal - 2024/AR/1615 - p. 13.
11. The Litigation Chamber of the APD must therefore, when notifying the data controller that it will handle a complaint concerning them, communicate this complaint to them and indicate the breaches they must defend themselves against, in principle with a statement of the legal provisions alleged to have been violated.
In the present case, the notification of February 27, 2023, from the Litigation Chamber refers only to Article 15 of the GDPR, without reference to Article 12. However, it clearly states that: "The complaint lodged (...) concerns the follow-up given to the exercise of his right of access," and therefore the lack
of response from Y to the Complainant's request of January 25, 2022.
The Complainant himself referred to other provisions in his written submission of March 22, 2023, in particular
Articles 12.2 and 12.3.
Y was therefore able to defend himself against a possible violation of these provisions, which were in any case
closely linked to Article 15 of the GDPR: the provisions must be read together, since, in particular, it is Article 12.3. of the GDPR, which defines the time limit within which the data controller
must respond to a request made "pursuant to Articles 15 to 22," namely
"as soon as possible and in any event within one month of receipt of the request." Article 12.2. provides, in particular, for the data controller's obligation to facilitate the exercise of the same rights by the data subject (Articles 15 to 22).
As Terwangne and Rosier note, this is an "organizational peculiarity of the GDPR: the modalities for exercising this right of access are not contained in Article 15 of the GDPR relating to this right, but in Article 12, which commonly governs the modalities for exercising all the rights of the data subject" (C. de Terwangne and K. Rosier, "The General Data Protection Regulation (RGPD / GDPR)", Larcier, 2018, p. 446, no. 50).
In her submissions filed before the Litigation Chamber of the APD, Y has indeed
extended her arguments with respect to Article 12 of the GDPR, in particular with respect to the violation of
the obligation to respond within one month (see point 3.2., p. 9 of her two sets of submissions before the Litigation Chamber, exhibits 15 and 24 APD).
Therefore, she has not established any violation of her rights of defense.
Her argument is unfounded. Brussels Court of Appeal - 2024/AR/1615 - p. 14
Y'S THIRD and FOURTH GROUNDS: The Decision wrongly finds a violation of Articles 12.2 and 12.3. and 15 of the GDPR because the Complainant had already received all the relevant information, and failure to comply with the deadline provided for in Article 12.3 of the GDPR cannot give rise to a sanction.
Second ground of appeal of the DPA.
Summary of the parties' positions
12. In its third ground of appeal, Y alleges that the Disputes Chamber wrongly criticized it for responding more than 14 months late to the Complainant's request for access and for not facilitating the exercise of its rights.
First, it was easy for the Complainant to identify the email address of Y's DPO on Y's website, in its privacy policy: Y therefore did what was necessary to facilitate the exercise of the complainants' rights.
Furthermore, the Complainant already had the requested information, having obtained all the requested information on the 2021 incidents through his complaint to the Telecommunications Ombudsman Service.
Therefore, the Decision must be annulled and reformed by the Procurement Court.
In its fourth ground of appeal, Y argues that failure to comply with the deadlines referred to in Articles 12.3 and 12.4 of the GDPR is not punishable by a rule of law (it refers to two decisions of the Procurement Court dated October 9, 2019 and October 23, 2019) and therefore exceeding these deadlines is not liable to give rise to a penalty, such as a fine in this case.
Therefore, the Decision must be annulled.
13. The DPA argues that Y cannot escape the criticism of not having facilitated the exercise of the Complainant's rights by the fact that the address of its DPO appears somewhere on its website. Under the provisions of the GDPR, the data controller must respond proactively to requests from data subjects: once it received the Complainant's request, it was obliged to redirect them to their DPO or respond to their request.
It also matters little that the Complainant received a response to their request via the procedure before the Communications Mediation Service. Such a service is not intended to rule on compliance with the GDPR.
Furthermore, it is incorrect to state that failure to comply with the deadline provided for in Article 12.3. of the GDPR would not be sanctioned: it is one of the provisions referred to in Article 83.5.b of the GDPR ("the rights enjoyed by data subjects under Articles 12 to 22"), which provides for the most severe sanctions.
The violation of Articles 12.3 and 15 of the GDPR is undeniable, given that Y does not dispute having responded to the Complainant's access request 14 months late, well beyond the deadline set by Article 12.3 of the GDPR. Y's argument that the sanction is based solely on failure to comply with the one-month deadline set by Article 12.3 is based on an incorrect interpretation of the Decision. Not only was the response to the Complainant's request excessively late, but it also appears that Y failed to facilitate the exercise of this right, in particular by failing to implement clear and accessible mechanisms to respond to the request within the required timeframe. Consequently, it violated Articles 12.2, 12.3, and 15 of the GDPR. However, the finding relating to Articles 12.2 and 12.3 is not taken into account in determining the penalty, given that these two provisions were not included in the letter by which the Disputes Chamber invited the parties to conclude.
Discussion and Decision of the Market Court
14. It is the responsibility of the data controller to whom a request for access is made to process it and provide a satisfactory response. It is naturally the responsibility of the customer service department from which a customer requests the DPO's contact information to provide it immediately. Y cannot shirk its obligations on the grounds that these contact details were accessible on its website. They must not have been so easy to find, since its chat operator was unable to provide this information to the Complainant.
Similarly, it was Y's responsibility to respond to the request for access by providing the information requested by the Complainant. It cannot justify its failure to respond by believing that the Complainant already had this information through the mediation process conducted by the Telecommunications Mediation Service. This mediation concerned Y's commercial relationship and services. The Complainant's access request filed on January 25, 2022, had a different purpose, since it was filed to obtain access to his personal data. In any event, if Y had wished to refuse the access request for this reason, it should have notified the Complainant (Article 12.4 of the GDPR). 15. A violation of Articles 12.3 and 15 of the GDPR has been established, since Y did not respond to the Complainant's request for access filed on January 25, 2022, until March 28, 2023, by providing him with the activity logs relating to his contract for the entire year 2021, i.e., after 14 months, well beyond the deadline set by Article 12.3 of the GDPR (one-month deadline, possibly extendable by two months). Brussels Court of Appeal, 24/AR/1615 - p. 16
Failure to respond to the request for access for such a long period constitutes a violation of Article 15, taken in conjunction with Article 12.3 of the GDPR. A violation of Article 12.2. of the GDPR is also established, as Y did not facilitate the exercise of the Complainant's rights, in particular through the non-response of its customer service, which was unable to even provide the Complainant with the contact details of the DPO.
Such violations are naturally subject to sanctions. Pursuant to Article 83.5. b), violations of data subjects' rights under Articles 12 to 22 - which includes the present case - may (along with the other violations referred to) be subject to the highest administrative fines, thus constituting violations deemed particularly significant by the European legislature. In vain does the Applicant believe she can invoke the authority of the decisions of the Cour des marchés (Markets Court) of October 9, 2019 (RG 2019/AR/1006, point 5.5.3) and October 23, 2019 (RG 2019/AR/1234, point 6.6). Belgian law does not recognize the system of precedent, which is even prohibited by Article 6 of the Judicial Code. Moreover, these decisions do not have the scope it assigns them. In the first decision, the Court overturned the finding of a violation of Article 12.3 of the GDPR made by the Litigation Chamber on the grounds that the data controller had already responded to the request just before the GDPR came into force; In the second, the sentence invoked appears redundant, insofar as the Court had already found a lack of reasoning and an excess of powers, leading to the annulment of the decision in question by the Disputes Chamber.
16. In view of the foregoing, the Applicant's third and fourth grounds are unfounded. Indeed, insofar as the Decision found a violation of Articles 12.2, 12.3, and 15, it is legally justified.
FIFTH AND SIXTH GROUNDS OF Y (AS A SUBSIDIARY): The impugned Decision is not legally justified and violates Article 100, §1 of the Civil Code by failing to justify the need to impose an administrative fine instead of other possible sanctions - the sanction imposed is disproportionate.
Fourth and fifth grounds of the Administrative Decision.
Summary of the parties' positions
17. Y argues, as a subsidiary argument, that even if violations of Articles 12.2, 12.3, and 15 are established, the sanction imposed by the Decision is still not justified. In her fifth plea, she complains that the Decision failed to justify the need to impose an administrative fine instead of other, lighter sanctions (including a warning or reprimand). Brussels Court of Appeal - 2024/AR/1615 - p. 17
In her response to the proposed sanction, the Applicant highlighted the particular circumstances of the case: a one-off, isolated violation, which only concerns the Complainant; the harm suffered by the Complainant is extremely limited (mere inconvenience); the violation of the GDPR concerns simple identification data and not sensitive data; the violation is due to simple negligence on the part of a member of Y's customer service staff; The violation has since been corrected, and the Complainant received a response to his request for access to his personal data, and additional measures were taken within Y to prevent a similar situation from recurring.
The Disputes Division does not explain or provide any reasons why an administrative fine would be the (only) possible sanction in this case and why other sanctions would not be appropriate. The reasoning of the Market Court in its judgment of January 27, 2021 (RG 2020/AR/1333, point 7.5) applies; the imposition of a fine constitutes an abuse of powers.
The Decision is therefore not legally justified in that it imposes a fine and violates Article 100, §1, LCA. Y argues, in the alternative, in its sixth ground of appeal, that the €100,000 fine constitutes a disproportionate penalty.
It invokes the particularities of the present case (see above), the specific and isolated nature of the violation, and the fact that it resulted from simple negligence. It criticizes the Disputes Chamber for not applying all the criteria set out in Article 83(2) of the GDPR. Furthermore, the human and financial resources available to Y and the fact that the processing of personal data constitutes a core activity of Y, given its activity in telecommunications services, are not such as to confer on the (alleged) violation by negligence a "serious" character.
In the further alternative, it requests a reduction of the fine to €5,000.
18. The APO maintains that the administrative fine imposed on Y is fully justified and reasoned, both factually and legally. The Decision is indeed based on the criteria set out in Article 83.2 of the GDPR, as the Disputes Chamber is not required to detail or quantify each of these criteria in its reasoning. The contested Decision is based on a complete and nuanced assessment of the circumstances of the case. The Applicant violated Article 15 of the GDPR (right of access) for an extended period of 14 months,
which reveals serious negligence in the management of data subjects' rights, all the more unacceptable given that Y, due to the nature of its activity, is supposed to have robust procedures in place to process requests made to it. The delayed response cannot excuse the initial violation or mitigate the seriousness of the violation found. The duration of the violation and
the lack of immediate diligence in processing the Complainant's request alone justify the imposition of an administrative fine, as a proportionate and dissuasive sanction. The DPA also maintains that the amount of the fine is proportionate to the nature, severity, and duration of the violation. The fine is not intended to compensate the Complainant for the inconvenience, but to punish a violation of the GDPR, in accordance with Article 83 of the GDPR. Given the Applicant's financial and human resources capabilities, as well as the fact that the processing of personal data constitutes one of its core activities, the negligence committed must be considered serious. This is all the more true since the inability to respond to an access request made by the Complainant was manifested by two of its employees. The fact that there was no malicious intent on the part of Y is irrelevant. As for the additional measures and internal policies invoked by Y, these, while potentially useful, do not guarantee full compliance, nor do they erase the violation already committed.
Furthermore, the DPA is not required to rule on all the criteria set out in Article 83 of the GDPR. All elements were therefore duly considered by the Disputes Chamber, contrary to Y's assertions. Regarding Y's degree of responsibility, taking into account the technical and organizational measures implemented, the Disputes Chamber notes that Y is entirely responsible for managing the requests it receives from data subjects, including the right of access. Finally, the comparison with other sanctions imposed by the DPA's Disputes Chamber is irrelevant.
Discussion and Decision of the Procurement Court
19. Under Article 58.2. of the GDPR, the national supervisory authority may adopt
various corrective measures, including a warning, a reminder, a compliance order, or an administrative fine "in addition to or instead of
[other] measures."
Under Article 83.1. of the GDPR - General Conditions for Imposing Administrative Fines, "Each supervisory authority shall ensure that administrative fines imposed
under this Article for violations of this Regulation referred to in paragraphs 4, 5, and 6
are, in each case, effective, proportionate, and dissuasive."
Under Article 100 of the LCA, the Litigation Chamber of the DPA has the power to take a series of measures, including "5. Issue warnings and reprimands," and "impose administrative fines." Pursuant to Article 101 of the LCA, the litigation chamber may decide to impose an administrative fine in accordance with the general principles referred to in Article 83 of the GDPR; pursuant to Article 102 of the LCA, the decision to impose a fine must be justified. The general structure of the GDPR indicates that the legislator intended to offer the authority a range of sanctions to be applied according to each specific case, including the imposition of administrative fines pursuant to Article 83 of this regulation, "in addition to or instead of" the other corrective measures listed in Article 58, paragraph 2 (warnings, reminders, injunctions).
Recital 148 of the GDPR also states that supervisory authorities are permitted, when the violation is minor or if the administrative fine that may be imposed constitutes a disproportionate burden for a natural person, to refrain from imposing an administrative fine and, instead, to issue a warning. The fundamental purpose of both European and Belgian legislation is not to impose fines for the slightest breach of legal requirements. The objective is to ensure the effectiveness of data protection law.
It is up to the Disputes Chamber to justify its decision to impose an administrative fine
in light of the preceding provisions and based on a concrete assessment of the circumstances of the case.
20. The Impugned Decision finds violations of the following provisions of the GDPR: 12.2, 12.3, and
15. It states that it only considers the violation of Article 15 to justify the fine.
In any event, the findings of violations of Articles 12.2 and 12.3 were closely linked to these provisions. The Applicant violated Article 15 of the GDPR by failing to respond adequately to the Complainant's request for access filed on January 25, 2022, since it did not respond until March 28, 2023. There was still a debate until the hearing before the Disputes Chamber as to whether the response of March 28, 2023, was adequate—since the Complainant criticized the fact that the Applicant had anonymized the names of its employees who had access to the Complainant's data—but the Impugned Decision considered this response satisfactory under Article 15 of the GDPR, as the rights and freedoms of the Applicant's employees must prevail over the Complainant's right to access their identity. This point is not contested before the Court. The Applicant therefore only responded to the request for access after 14 months, and after the start of the proceedings before the Litigation Chamber. Brussels Court of Appeal - 2024/AR/1615 - p. 20
The Litigation Chamber provided the following reasons for its decision to impose an administrative fine:
"In this case, the administrative fine is justified by the fact that the defendant, whose turnover is established (EUR) for the year 2023, violated Article 15 of the GDPR for a period of 14 months. This violation was caused by the failure of two of the defendant's employees to properly process the complainant's access request, thus demonstrating gross negligence - despite the fact that the processing of personal data constitutes one of its core activities. Furthermore, the Litigation Chamber takes into account the fact that although the defendant eventually provided a satisfactory response to the complainant's access request, this response was not finalized until the parties' exchange of submissions. These elements - further developed below -
justify the imposition of an administrative fine, rather than a lesser sanction such
as a warning or a reprimand" (Imputed Decision, § 63).
The decision to impose a fine is therefore reasoned. It is also legally justified. The
Applicant has not established that, while the Disputes Division enjoys a margin of discretion
in the choice of measures it can take in the event of a violation of the GDPR, it committed a manifest error of assessment by choosing to impose a fine, taking into account
in particular the duration of the violation, the fact that the violation concerns the right of access, and that it was only ultimately upheld during the proceedings.
In doing so, the Disputes Division remained within the scope of its discretion.
Imposing a fine constitutes an effective sanction and of prevention.
The Applicant invokes in vain the authority of a decision of the Cour des Marchés dated January 27, 2021 (RG 2020/AR/1333). In addition to the fact that, as previously stated, decisions do not have precedent (see above and Article 6 of the Judicial Code), the decision in question rejects the argument criticizing the decision to impose a fine, and only upholds the argument alleging a disproportionate amount of the fine.
In any event, the fine must be justified each time by the authority based on the specific circumstances of the case, which makes it difficult to compare the decisions of the authority or the Cour des Marchés regarding the amount of a fine. It is therefore difficult to
compare the situation of the Applicant, a large telecommunications company, with
that of the natural person responsible for data processing in the case that gave rise to the aforementioned
Market Court judgment of 27 January 2021.
21. It remains to be examined whether the amount of the fine is justified, taking into account the applicable principles and
rules recalled above, in particular the principle that the fine must be effective,
proportionate, and dissuasive. Brussels Court of Appeal - 2024/AR/1615 - p. 21
The principle of proportionality requires that the measure adopted does not exceed the limits of what is
necessary to achieve the legitimate objectives pursued by the regulation. Since compliance with these principles is a condition for the legality of the fine, the Court has full power to assess compliance with these principles and, more broadly, with the conditions of Article 83 of the GDPR. This right of review must, in particular, allow the Court to examine whether the penalty is disproportionate to the violation, so that the Court can examine whether the Litigation Chamber of the APD could reasonably impose an administrative penalty of such magnitude.
22. With regard to the nature, seriousness, and duration of the violation, this is a prolonged violation (more than one year) of the right of access referred to in Article 15 of the GDPR, since the Decision maintains that the penalty is based on this violation alone.
A violation was found only in relation to a single complainant.
Regarding the damage suffered, the Complainant did not report any specific damage. It is assumed that this is the inconvenience caused by the failure to respond to his request for access in a timely manner. Once this request was responded to, the Complainant did not, based on the evidence submitted to the Court, make a new request based on the GDPR.
There is no evidence that the violations were deliberately committed by the Applicant.
As recognized in the Decision, these violations resulted from negligence committed by two of the Applicant's employees (who responded to the chat room it organizes). This can be considered simple negligence; The "serious" nature of the negligence has not been established, even if the negligence cannot be considered trivial.
The Applicant did not take any specific measures to mitigate the damage, but it was limited, as indicated above.
It has not been established that the Applicant has previously committed other violations of the GDPR.
The personal data concerned does not fall within a category of data enjoying special protection.
The Applicant adequately cooperated with the DPA and responded to the Complainant's request during the proceedings, prior to the hearing.
As noted in the Decision, the Applicant raised additional internal measures as new evidence in its response to the proposed sanction, including the Brussels Court of Appeal - 2024/AR/1615-p. 22
internal measures, in particular the organization of adequate training for its staff, to prevent similar negligence from recurring. It also argued that this was a truly isolated incident, given that it receives an average of 150 access requests per year.These factors must be taken into account.
In light of all these factors, the amount of €100,000 imposed by the Decision is manifestly disproportionate: the amount exceeds what was necessary to ensure the objectives of prevention and punishment, particularly as it concerns an isolated violation of a GDPR provision, resulting from negligence and not an intentional act.
Therefore, the plea is well-founded and justifies the annulment of the Decision insofar as it imposes a fine of €100,000.
23. Pursuant to its power of unlimited jurisdiction, the Court of Appeal may, after annulling the
Decision due to the disproportionate nature of the fine (see above), conduct a new review
to determine the amount of the fine itself, by applying the applicable legal provisions, in particular Articles 100 to 102 of the LCA and Article 83 of the GDPR.
The Decision rightly classified the degree of seriousness of the violation as "low," according to the classification
proposed by the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR (version of May 24, 2023), with the consequence that, according to these Guidelines, the starting amount for calculating the fine is between 0 and 10% of the maximum applicable legal amount.
The maximum amount of the fine in this case, according to Article 83.5 of the GDPR, is the greater of €20,000,000 or 4% of the total worldwide annual turnover for the previous financial year, i.e., €[amount] (4% of €[amount], according to the figures used in the Decision, which are not critical in this regard).
For a minor violation, the amount of the fine range is therefore, according to the aforementioned Guidelines, between 0 and 10% of this maximum amount, i.e., between €0 and €[amount].
Given that this is an isolated violation of a provision of the GDPR (Article 15), committed through simple negligence, and taking into account the other elements noted above, in particular the fact that the Applicant put an end to the violation during the proceedings and before the hearing before the Litigation Chamber, it is appropriate to remain at the lower end of the range outlined above, it being understood that the intrinsic seriousness of any violation of the GDPR is already taken into account in the decision to set a fine. Brussels Court of Appeal - 2024/AR/1615 - p. 23
It does not appear, in the circumstances of this case, that the level of the Applicant's turnover or the nature of its telecommunications activities, which involve data processing, justifies a different decision. Taking into account all the circumstances of the case as noted above, as well as the effective, proportionate, and dissuasive nature of the fine, the Court sets the amount of the fine at €5,000.
VI. Costs
24. Should each party fail on any claim, the costs shall be compensated.
FOR THESE REASONS,
THE COURT OF MARKETS,
Having regard to the provisions of the Law of June 15, 1935, on the use of languages in judicial matters,
Ruling in an adversarial manner,
Allows the appeal,
This is partially well-founded, as follows,
Quashes the impugned Decision No. 107/2024 issued on August 23, 2024, by the Litigation Chamber of the
Data Protection Authority (hereinafter "DPA"), in case DOS-2022-0240, imposing an administrative fine of €100,000 on Y for the violation
of Article 15 of the GDPR.
Using its power of review, sets the amount of the administrative fine at €5,000
for the violation of Article 15 of the GDPR.
Dismisses Y's remaining claim.
Compensates the costs between the parties in full, each party bearing its own costs.
Orders Y to pay to the FPS Finance half of the registration fees due on appeal, i.e., €200, in accordance with Article 269 § 1st of the Code of Registration, Mortgage and Court Fees; Brussels Court of Appeal - 2024/AR/1615 - p. 24
States that the other half is the responsibility of the APD, but notes that the latter is exempt from this obligation by virtue of Articles 2791, 1° and 161, 1°bis of the Code of Registration, Mortgage and Court Fees.
Thus judged and pronounced at the public civil hearing of the 19th Chamber A of the Brussels Court of Appeal,
Market Court section, on January 22, 2025.
Present:
C. VERBRUGGEN, Counsellor, Acting President
A.-M. WITTERS, Counsellor
A. BOSSUYT, Counsellor
D. GEULETTE, Clerk
C. VERBRUGGEN
