APD/GBA (Belgium) - 37/2021
APD/GBA - 37/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1)(e) GDPR Article 25 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.03.2021 |
Published: | |
Fine: | None |
Parties: | Mrs Y (The Complainant) Y representing Y1 (Defendant - Public body) |
National Case Number/Name: | 37/2021 |
European Case Law Identifier: | DOS-2020-00310 |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD (in FR) |
Initial Contributor: | Mathieu Desmet |
The Belgian DPA (APD/GBA) ordered the defendant ( a public institution) to comply with the principles of purpose limitation and data minimization, in removing the mention of the title of nobility from the identity card of the complainant.
English Summary
Facts
The complainant, a member of the nobility (countess) addressed her municipality in order to be able to have her identity card and passport drawn up without the mentioning of her title.
The defendant considered that the claim was not admissible to the extent that the title would, in her view, be an integral part of the name of the complainant and therefore should appear on the identity card as well as on the passeport for the purpose of identification.
Dispute
Does the mentionning of the title of a member of the nobility on his or her identity card comply with the principles of finality and data minimization and is there a legal basis (public interest mission ) justifying this ?
Holding
As for the respect of the principles of minimization and purpose limitation (article 5.1.c. and article 5.1.b of the GDPR) :
The Belgian DPA considers that the indication of the surname, first name, date and place of birth, as well as the complainant's national registry number are sufficient to identify her.
The fact that until 2011, the mention of the title of nobility on the passport was optional furthermore tends to show that the title is not necessary for the identification of the concerned person.
The Belgian DPA further considers that insofar as the identity card is called upon to be used regularly and on a daily basis, it is necessary to be all the more vigilant that only the information which is strictly necessary for identification should appear on it.
As for the legal basis for the exercise of a public interest mission (Article 6.1.e of the GDPR) :
In the current state of the law, the Belgian DPA notes that there is an uncertainty concerning the obligation or not to display the title next to the name on identity documents.
Although the Royal Decree (RD) of 1822 relating to titles of nobility and qualities remains in effect, the lex specialis, the law of 19 July 1991 relating to population registers, identity, foreigner's cards and residence documents does not mention the title as a mandatory mention on the identity card.
The Belgian DPA therefore of the opinion that the only useful interpretation which is capable of give full effect to the notion of necessity as required by the case law of the ECHR and of the ECJ is that which consists in qualifying as "necessary for the performance of the mission of public interest ", the only data necessary for the purpose of identifying the person concerned.
The mention of the title is not necessary for the fulfillment of the mission of public interest.
Decision :
The Belgian DPA concludes that there is no basis of lawfulness for the processing on behalf of the defendant, and consequently conclude to a breach of Article 6.1.e of the GDPR as well as Articles 5.1.B and 5.1.c) and issues a reprimand to the defendant as well as the order to comply with the aforementionned obligations (principles) set in the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/15 Litigation Chamber Decision on the merits 37/2021 of March 16, 2021 File No .: DOS-2020-00310 Subject: Complaint for refusal to remove the mention of the title of nobility from the documents identity and other official documents The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs Yves Poullet and Christophe Boeraeve, members, taking over the case in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the data protection), hereinafter GDPR; Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA); Having regard to the internal regulations as approved by the House of Representatives on December 20 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; took the following decision regarding: - the complainant: Mrs X, - the defendant: Y, as representative of Y1 1. Facts and procedural history 1. In December 2015 and January 2016, the complainant addressed her administration municipality in order to be able to have an identity card drawn up without mentioning its title Decision on the merits 37/2021 - 2/15 nobility (Countess). The defendant considered that the claim was not admissible in the extent to which the title would, in her view, be an integral part of the name and must therefore appear on the identity card. 2. In September 2016, the complainant applied for a new passport from her municipality. In this framework, she chose the option "title of nobility: optional" (her title did not appear on previous versions of his passport). However, shortly after his request, the municipal administration contacted the complainant to inform her that the title must be indicated on the passport. 3. By letter of March 28, 2016, the predecessor of the APD, the Commission for the Protection of privacy (CPVP) questioned the defendant (more precisely the general manager of the General Directorate of Institutions and Population (DGIP)), on the compulsory nature or optional mention of the title of nobility on the identity card. 4. By letter of April 14, 2016, the defendant indicated that the insertion of the title of nobility in deeds is mandatory and is therefore mentioned on the identity card provided that it is included in the National Register of Natural Persons. To support its say, the defendant is based on: - Article 1 of the Royal Decree of January 26, 1822 relating to titles of nobility and qualities; - the Elementary Treaty of Belgian Civil Law by Professor Henri De Page; - the Y2 FAQ. 5. By letter of July 12, 2016, the CPVP replied to the defendant that it was not joining not the arguments developed in the letter of April 14, 2016 given that, after the Royal Decree of January 26, 1822 relating to titles of nobility and qualities, new legislation and decrees which must be taken into account have been adopted, namely: - the law of July 19, 1991 relating to population registers, maps identity cards, foreigner's cards and residence documents and amending the law of August 8, 1983 organizing a national register of persons physical, which specifies in its article 6, § 2, the data which must be mentioned on the identity card, among which are not found not explicitly titles of nobility; - the law of 8 December 1992 on the protection of privacy with regard to processing of personal data which stipulates in its article 4 § 1, 3 ° that “the data must be: (…) adequate, Decision on the merits 37/2021 - 3/15 relevant and not excessive in relation to the purposes for which they are obtained and for which they are subsequently processed (…) ”. 6. On September 30, 2016, the defendant requested the opinion of the Y2 Nobility Council regarding to the arguments raised by the CPP. The latter, in its opinion of 18 January 2017, joined the arguments developed by the defendant in its letter of April 14, 2016. 7. The opinion of Y3 was also requested by the defendant on March 8, 2017. The Y3 agrees with the defendant's position. 8. On May 9, 2017, the various departments concerned met. At the end of this meeting: - the Y3 reaffirmed the maintenance of the title of nobility on civil status documents, the title nobiliary forming an integral part of the name; - according to Y2, the title of nobility must be maintained on passports; - the CPVP, for its part, requested the deletion, at the request, of the reference to the title of nobility on the identity card. No consensus could be reached. 9. On May 16, 2017, the CPVP by means of a summary note, repeated the arguments justifying its position and proposed a solution consisting in systematically indicating the title of nobility on the identity card and passport, unless requested by the interested party title is not mentioned. 10. A letter repeating the various arguments formulated by the defendant and rejecting reasoned the solution proposed by the CPVP was then sent by the defendant to the CPP (dated May 28, 2018), who forwarded it to the complainant on October 18, 2018. The letter in question repeats the various arguments formulated by the defendant demonstrating that the solution proposed by the CPVP cannot be followed. 11. By letter of March 24, 2019 addressed to the defendant, the complainant reiterates her request removal of the title of nobility from their identity card and passport, and offers three solutions. 12. The complainant also wishes that her title no longer appears on any document issued by administration. 2. Legal basis Decision on the merits 37/2021 - 4/15 - Article 5.1.b of the GDPR “Personal data must be (…) collected for specific purposes, explicit and legitimate, and not be further processed in a manner incompatible with these purposes; further processing for archival purposes in the public interest, for research purposes scientific or historical or for statistical purposes is not considered, in accordance with Article 89, paragraph 1, as incompatible with the initial purposes (limitation of purposes) " - Article 5.1.c of the GDPR "Personal data must be (...) adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed (data minimization) " - Article 6.1 .e of the GDPR "Processing is only lawful if, and insofar as, at least one of the following conditions is fulfilled: (...) the processing is necessary for the performance of a task of public interest or falling within the the exercise of public authority vested in the controller ' 3. The arguments of the parties 13. The defendant argues that the title of nobility is part of the name, and that it must therefore appear on identity documents. Any exemption would be subject to legislative amendment. The complainant considers conversely that the title is not part of the name, and that it is not necessary for its identification. 14. The defendant emphasizes that certain texts relating to civil status documents impose the mention of the title. However, civil status documents and identity documents must necessarily use the same information, on the basis of the necessary consistency between the register national and civil status registers. Therefore, according to the defendant, the title must appear on both civil status documents and identity documents. 15. The complainant argues that according to the European Court of Human Rights, the "right to name "implies the right not to be forced to include any particulars in their name which is not part of it (the title). However, the defendant replies that the title is an integral part by name. 16. According to the complainant, the mention of the title is a source of discrimination because it creates prejudices in the collective imagination. The defendant replies that the title is not a criterion protected constitutive of social origin, within the meaning of the law of May 10, 2007 tending to fight against certain forms of discrimination. Decision on the merits 37/2021 - 5/15 4. Motivation As a preliminary point, the Chamber notes that although the provisions of the GDPR mentioned below are not included in the submissions of the parties, the Contentious Chamber notes that the complaint is brought before it and, therefore, qualifies the legal arguments invoked and related the disputed facts included in the complaint with regard to the GDPR, in the context of the dispute brought before it and in the context of the competences assigned to it. The Litigation Chamber specifies that this decision focuses on the identity card, and does not address the passport or other documents issued by the administration (such as the permit driving, for example), insofar as only the competence of the defendant identity card. 4.1- As to the mention of the title next to the name on the identity card 17. In the current state of the law, the Contentious Chamber notes an uncertainty concerning 1 whether or not the title should appear next to the name on identity documents. Although the Royal Decree (RD) of 1822 relating to titles of nobility and qualities remains in effect application, since it has not been repealed, it seems obsolete. It would seem that the usage has by subsequently introduced the insertion of the title on civil status documents. This use is notably taken up by the Royal Decree of January 8, 2006 as well as that of February 3, 2019 relating to state acts 3 civil, which explicitly mention that the title must be indicated (other legislative texts invoked do not comment on the mention of the title). 18. However, the lex specialis, the law of 19 July 1991 relating to population registers, identity, foreigner's cards and residence documents do not mention the title as part of the identity card. Its article 6 § 2 indicates in fact: “§ 2. [8 The identity card and the foreigner's card contain, in addition to the signature of the holder, personal information visible to the naked eye and electronically readable.] 8 Personal information visible to the naked eye and electronically readable concern: 1 ° the name; 2 ° the first two names; 3 ° the first letter of the third given name; 4 ° nationality; 1It should be noted at the outset that this question is different from whether the title is an integral part of the name, discussed below. 2AR of 8 January 2006 determining the types of information associated with the information referred to in Article 3, paragraph 1, of the Law of August 8, 1983 organizing a National Register of Natural Persons 3 AR of 3 February 2019 fixing the models of extracts and copies of civil status documents Decision on the merits 37/2021 - 6/15 5 ° [8 ...] 8 the date of birth; 6 ° sex; 7 ° the place of issue of the card; 8 ° the start and end date of the card's validity; 9 ° the name and number of the card; 10 ° the holder's photograph; 11 ° (...); <L 2004-07-09 / 30, art. 95, 011; In force: 25-07-2004> 12 ° the identification number of the National Register. " Insofar as this law specific to identity cards constitutes the lex specialis, thus that under the hierarchy of norms, this law must take precedence over the Royal Decree of 1822. 4.2- As to the question of whether the title is an integral part of the name 19. The question of whether the title is an integral part of the name is similarly debated. In Indeed, no normative text invoked by the parties is positioned on this subject (the RD mentioned above from 1822 only indicates that the title must appear next to the name, without make it clear that it is part of it). However, recent case law seems to distinguish between title and name. 20. To the extent that the argument based on the right to a name (invoked by the complainant to reject the inclusion in its name of its title) is directly linked to the question of whether the title is an integral part of the name or not, and that this aspect does not fall within the competence of the Litigation Chamber, this issue is not addressed in this decision. 21. The complainant also alleges discrimination linked to the mention of her title on her card. identity, because of the collective imagination frequently associated with titles of nobility. The Litigation Chamber considers that although this does not fall within its direct competence, to the extent that the “rules governing the protection of individuals with regard to processing of personal data concerning them should (...) respect their fundamental rights and freedoms ”, and that in addition the right to data protection is a fundamental right, aiming, among other things, to "contribute to the creation of an area of freedom, security and justice ”, this argument about discrimination can be taken for consideration by the Chamber, a fortiori insofar as the mention of the title is not 4 See in particular the C. App. Brussels, 2020-6638, 01 October 2020, p17-18 5 Recital 2 of the GDPR: "The principles and rules governing the protection of individuals with regard to processing personal data concerning them should, regardless of the nationality or residence of these persons individuals, respect their fundamental rights and freedoms, in particular their right to the protection of personal data staff. This Regulation aims to contribute to the achievement of an area of freedom, security and justice and of a united economic, economic and social progress, consolidation and convergence of economies within the internal market, as well as the well-being of natural persons ”. Decision on the merits 37/2021 - 7/15 necessary for the purpose of the processing pursued for an identity card (as listed infra). 4.3- As for the consistency between the national register and civil status registers 22. The defendant emphasizes that certain texts relating to civil status documents (the Royal Decrees of January 8, 2006 "determining the types of information associated with information referred to in article 3 paragraph 1 of the law of August 8, 1983 organizing a register national of natural persons "and the Royal Decree of February 3, 2019" fixing the models of extracts and copies of civil status documents ") require the mention of the title in civil status documents. However, the defendant argues that civil status documents and identity documents must necessarily use the same terms, on the basis of the necessary consistency between the national register and civil status registers. It also specifies that the intention of the legislator to reduce the discrepancies between these registers is all the more clear since the creation of the Bank of Civil Status Acts (BAEC) in 2018, one of the purposes of which is to update the data of the National Register on the basis of the data it contains. By 6 Therefore, according to the defendant, the title must appear on both civil status documents and on identity documents. 23. However, although it is sensitive to the need for consistency between the data appearing in the BAEC, in the national register and in the population registers, the Chamber Litigation, in its role as guardian of the GDPR and other laws relating to protection data and privacy, recalls the fundamental importance of respecting the right to the protection of personal data. The GDPR thus devotes in the same 6 Art. 72 of the law of 18 June 2018 laying down various provisions on civil law and provisions to promote alternative forms of dispute resolution “The BAEC's mission is: 1 ° to assist civil status officers and consular agents in the exercise of their legal missions in matters of establishment and updating of acts and registers of civil status; 2 ° to guarantee, as an authentic source, the storage, preservation and availability of all acts of the State civil included in the BAEC, without affecting the legal missions of the National Register as an authentic source of identification data of natural persons; 3 ° to provide a service to citizens, wherever they are; 4 ° to simplify administrative procedures via the obligation to reuse documents and data available in the BAEC; 5 ° to assist the judiciary in the exercise of its missions; 6 ° to provide for a central and uniform control at the level of the establishment and conservation of acts, as well as the issuance of extracts and copies thereof; 7 ° to allow the application of international treaties and agreements in matters of civil status; 8 ° to allow the establishment of global and anonymous statistics relating to civil status; 9 ° to ensure the conservation of civil status documents until the moment of their transfer to the [1 General Archives of the Kingdom and State Archives in the Provinces] 1; 10 ° to provide for simultaneous updating of the data in the National Register on the basis of the data listed in the BAEC. »Decision on the merits 37/2021 - 8/15 Article 25 (Data protection by design and data protection by default) than : “1- Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, including the degree of probability and of varying severity, which the processing presents for the rights and freedoms of individuals, the controller implements, both when determining the means of processing that at the time of the processing itself, technical and organizational measures appropriate, such as pseudonymization, which are intended to implement the principles relating to data protection, for example data minimization, in order to effective and to provide the processing with the necessary guarantees to meet the requirements of the this Regulation and to protect the rights of the data subject. 2- The data controller implements the technical and organizational measures appropriate to ensure that, by default, only personal data that is are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, to the extent of their treatment, their shelf life and accessibility. In particular, these measures ensure that, by default, personal data is not made accessible to an unspecified number of natural persons without the intervention of the natural person concerned. ” 4.3.1- As regards respect for the principles of minimization and finality (article 5.1.c. and article 5.1.b of the GDPR) 24. In its capacity as data controller, the defendant is required to respect the data protection principles and must be able to demonstrate that these are respected (principle of responsibility - article 5.2. of the GDPR). She must, moreover, always in his capacity as data controller, implement all the necessary measures for this purpose (article 24 of the GDPR). Article 5.1.b) of the GDPR enshrines the principle of finality, either the requirement that the data be collected for specific, explicit purposes and legitimate and are not further processed in a manner inconsistent with these purposes. It is in terms of the finality that other principles may also apply devoted to Article 5 of the GDPR including the principle of minimization, according to which only adequate, relevant and limited data to what is necessary for the purpose may be processed (article 5.1.c) of the GDPR). 25. In other words, each processing of personal data pursues its purpose clean. Treatment carried out as part of a family composition document or election convocation does not pursue the same purpose as processing carried out under Decision on the merits 37/2021 - 9/15 an identity card. The purpose pursued in this context of the identity card is in the identification of the person concerned. 26. In application of the principle of finality, the Litigation Chamber is of the opinion that the logic of a concordance between the national register and civil status documents does not imply that the The complainant's title must appear on her identity card. Indeed, the fact that the title of the complainant is included in the BAEC does not imply that each document whose data are generated on the basis of the BAEC must necessarily include exhaustively the data present in this database. As indicated above, the data included BAEC should be selected according to the purpose of the document generated (and also keeping in mind the principle of minimization - see next point -). This applies a fortiori to the identity card, a document used on a regular basis and for diverse in everyday life. 27. The notion of necessity is also included in Article 6.1.e of the GDPR, which provides that "the processing is necessary for the performance of a task of public interest or relevant of the exercise of public authority vested in the controller ”(we underline). This notion of necessity must be read in conjunction with the principle of data minimization (5.1.c of the RGPD -cf supra-), which must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ”. The purpose of the mentions of personal data on documents identity and civil status documents is the identification of the person concerned. It suits therefore to question the extent to which the mention of the title is necessary to the identification of the complainant. 28. The CJEU recalled in its Huber judgment that the notion of necessity is a “notion independent of Community law which must be interpreted in such a way as to fully subject to this directive as defined in Article 1 (1) of that directive this. "(§52). 29. She also stressed that "(...) it is the responsibility of the authority responsible for a register [...] of ensure that the stored data is, where appropriate, updated, so that, on the one hand, they correspond to the actual situation of the people concerned and, on the other hand part, that the superfluous data be deleted from said register. »(§60) (emphasis added) 30. This case-law, formulated admittedly in the light of Article 7 of Directive 95/46 / EC, is valid for all the bases of lawfulness which retain this condition of necessity. She remains relevant today even though Directive 95/46 was repealed since this 7 Compliance with this article of the processing in the present case is examined below in points 36 et seq. 8CEDH, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, December 16, 2008 Decision on the merits 37/2021 - 10/15 condition of necessity is maintained under Article 6.1 b) to f) of the GDPR. The article 6.1 of the GDPR replaces Article 7 of the Directive, without the relevant provisions being modified. 31. The Article 29 Group also referred to the case law of the ECHR for identify the requirement of necessity and concludes that the adjective "necessary" thus does not have the flexibility of terms such as "permissible", "normal", "useful", "reasonable" or 10 "Timely". 32. The Litigation Chamber considers that the indication of the surname, first name, date and place of birth, as well as the complainant's national registry number are sufficient to identify her. The fact that until 2011, the mention of the title of nobility on the passport was optional furthermore tends to show that the title is not necessary for the identification of the concerned person. 33. The Contentious Chamber further considers that it is necessary to distinguish, during the assessment the need for the mention of the title of nobility, the identity card, in that it is a document required and used daily on a regular basis, civil status documents (such as family composition for example). Insofar as the identity card is called upon to be used regularly on a daily basis, it is necessary to be all the more vigilant that there is only the information strictly necessary for identification. 34. The Contentious Chamber considers that the mention of the title of nobility, in any case cause, on the identity documents, is not a strictly necessary identification, and is therefore superfluous. Based on the principle of minimization (article 5.1, c) of the GDPR), the title does not have to appear on the identity card. 35. Abundantly, and without taking a position as to whether the title is part integral part of the name or not, the Litigation Chamber notes that the Royal Decree of 1822 relating to titles of nobility and qualities, requiring that the title be indicated next to the name (which indicates that the title of nobility is not the name but a complement to it), poses question under Article 5.1, c) of the GDPR (minimization principle). 4.3.2- As to the legal basis for the exercise of a public interest mission (Article 6.1.e of GDPR) 36. It is not disputed that there is indeed a processing of personal data in the head of the defendant. Insofar as the processing in question is carried out by the 9Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the data controller data within the meaning of Article 7 of Directive 95/46 / EC, WP 217. 10 ECHR, March 25, 1983, Silver and others v. United Kingdom, para 97. Decision on the Merits 37/2021 - 11/15 defendant in its capacity as an organ of the Belgian State, it is appropriate to wonder on the basis lawfulness of the processing and its compliance with Article 6.1.e of the GDPR. 37. The Contentious Chamber considers that the assessment by a data controller of the lawfulness of the processing carried out on the basis of its public interest mission (which, as a reminder, must be "Necessary for the performance of a mission of public interest or relating to the exercise of the public authority vested in the controller) cannot be detached from the purpose of the processing concerned, in this case, the identification of the person concerned. 38. To assert the contrary would amount to exempting the controller from any examination the relevance of the data processed, even though the implementation of this principle founder of data protection provided for in Article 5.1.c) of the GDPR comes to him in his quality of data controller. 39. The Contentious Chamber is of the opinion that the only useful interpretation which is capable of give full effect to the notion of necessity as required by the case law of the ECHR and of the CJEU is that which consists in qualifying as "necessary for the performance of the mission of public interest ", the only data necessary for the purpose of identifying the person concerned. The mention of the title is not necessary for the fulfillment of the mission of public interest. Therefore, the Contentious Chamber concludes that there is no basis of lawfulness for the processing on behalf of the defendant, and consequently to a breach of Article 6.1.e of the GDPR. 4.3.3- As to the "opt out" system proposed by the complainant 40. The complainant also proposes an "opt-out" system, in which a holder of a title of nobility could request that the title be removed from their identity documents and civil status documents. In the absence of a request, the title would be indicated systematically. The defendant rejects this proposition, arguing, in its conclusions, that it cannot operate on an individual basis and that the same regime must be applied to all holders of a noble title, at the risk of undermining the principles of legality, equality, and therefore legal certainty. 41. It emerges from a reading of the letter of May 28, 2018 from the Respondent to the APD (Exhibit 8 of the defendant) that the costs of adapting the defendant's computer system in order to automatically withdraw the title of nobility, in the event of such a request, would be too high for an individual request. If the Litigation Chamber is sensitive to this argument, it nevertheless recalls that the Court of Markets previously considered that the argument made by a bank of the technical difficulties and costs to adapt a computer program by inserting an acute accent on a customer name is not relevant. The Court also indicates that the computer programs used must comply with Decision on the merits 37/2021 - 12/15 to the requirements of the GDPR. It is reasonable to think that this reasoning would apply all the more so under the title of nobility. 42. In any event, the aforementioned letter of 28 May 2018 from the defendant refers to also the possibility of a one-off manual modification in the file (s) concerned, but reject this way of proceeding because the risk of error and forgetting would be too great. Gold, particularly in view of the defendant's indication that, on the date of the letter, the only holder of a nobiliary title who has made such a request is the complainant, the risk of error linked to manual manipulation in the computer system appears to be low. 43. The Contentious Chamber finally underlines that although it does not consider it necessary in the case in point that the defendant adapts its computer system to allow automatic withdrawal of the title of nobility, she recalls that a technological obstacle, according to the context and as far as is reasonable and proportional, cannot prevent the exercise one of his fundamental rights by a data subject. 44. For the sake of completeness and in view of the technical arguments raised by the defendant, the Contentious Chamber draws the attention of the defendant to the necessary respect of the data protection by design and data protection by default, based on 12 Article 25 of the GDPR. These concepts are among the cornerstones of the GDPR and the responsibility which is at the heart of it, in article 5.2 in conjunction with article 24 GDPR. They are contained in article 25 of the AVG mentioned above and are explained in more detail in recital 78 GDPR. The defendant therefore has the obligation to adopt the "measures appropriate technical and organizational to ensure that, by default, only data of a personal nature which are necessary for each specific purpose of the treatment are processed ”in addition to having incorporated such measures from the design stage. 45. In its Guidelines 4/2019 on data protection by design and data protection by default, the EDPB specifies that article 25.1 GDPR implies that data controllers must take data protection into account from the design and protect data by default at an early stage when planning a 11C. App. Brussels, 2019/7537, 09 October 2019, p15 12 Art. 25 GDPR: 1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and the purposes of the processing as well as the risks, varying in probability and severity, that the processing presents for the rights and freedoms of natural persons, the controller implements, both at the time of determining the means of processing that at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymisation, which are intended to implement the principles relating to data protection, for example example the minimization of data, effectively and to match the processing with the necessary guarantees in order to meet to the requirements of this Regulation and to protect the rights of the data subject. 2. The controller implements the appropriate technical and organizational measures to ensure that, by default, only the personal data that are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, to the extent of their processing, to their shelf life and accessibility. In particular, these measures ensure that, by default, data of a personnel are not made accessible to an unspecified number of natural persons without the intervention of the person physical concerned. Decision on the merits 37/2021 - 13/15 new treatment. Data controllers must implement the protection data from design by default before processing, and also continuously to duration of treatment, regularly reviewing the effectiveness of the chosen measures and guarantees. These same principles also apply to existing systems that deal with personal data. In other words, the protection of their data personal data is inherent (integrated) in the processing. 46. The CJEU has also underlined the importance of these concepts in its case law and, in particularly in its Digital Rights Ireland judgment according to which the essence of Article 8 of the Charter of Fundamental Rights of the European Union requires technical measures and organizational are taken to ensure that personal data are effectively protected against any risk of misuse and against any access and any unauthorized use. 14 5. Corrective measures and sanctions 47. On the basis of the above analysis, the Contentious Chamber considers that by refusing to make following the complainant's request to withdraw the mention of her title of nobility on her identity card, the data controller violated Article 5.1.c, 5.1.b and 6.1.e of the RPGD. 48. Under Article 100 LCA, the Litigation Chamber has the power to: 1 ° dismiss the complaint; 2 ° order the dismissal; 3 ° pronounce a suspension of the pronouncement; 4 ° propose a transaction; 5 ° issue warnings or reprimands; 6 ° order compliance with the requests of the person concerned to exercise these rights; 7 ° order that the person concerned be informed of the security problem; 8 ° order the freezing, limitation or temporary or definitive prohibition of processing; 9 ° order that the processing be brought into conformity; 10 ° order the rectification, restriction or erasure of the data and the notification thereof ci to data recipients; 13 EDPB, Guidelines 4/2019 on Article 25, Data Protection by Design and by Default, Version 2.0, Adopted on 20 October 2020, p 4 14CJUE, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, para. 40 and 66-67. Decision on the merits 37/2021 - 14/15 11 ° order the withdrawal of accreditation of certification bodies; 12 ° give periodic penalty payments; 13 ° issue administrative fines; 14 ° order the suspension of transborder data flows to another State or an organization international; 15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences data on file; 16 ° decide on a case-by-case basis to publish its decisions on the website of the Protection Authority Datas. 49. It is important to contextualize the breach of Articles 5.1.c, 5.1.b and 6.1.e of the GDPR on the other hand, with a view to identifying the most appropriate sanctions and / or corrective measures. In accordance with Article 83 of the GDPR, administrative fines must be "Effective, proportionate and dissuasive". To this end, it is particularly advisable to keep account for "the nature, seriousness and duration of the violation". As indicated above, the principles of minimization (article 5.1.c) and finality (article 5.1.b) constitute stones Angulars of the GDPR, especially when combined with the principle of lawfulness (Article 6 GDPR) and data protection by design and data protection by default, by that they fall under the fundamental principles of data protection. Bedroom Litigation also notes that the complainant has been trying since 2016 to have the mention of his title of nobility in his administrative documents, without success. 50. However, insofar as Article 83 of the GDPR is not applicable to the authorities public, the Contentious Chamber considers that a reprimand constitutes the sanction more appropriate for the past failures mentioned above, and orders for the future the setting in accordance with the processing with the principles of finality and minimization, by withdrawing the mention of the title of nobility on the identity card of the complainant. 51. In view of the importance of transparency in the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority by deleting the data 15Article 83.2.a) of the GDPR 16Article 221 § 2 of the Law of 30 July 2018 on the protection of individuals with regard to data processing of a personal nature: "Article 83 of the Regulation does not apply to public authorities and their officials or agents. except in the case of legal persons governed by public law which offer goods or services on a market. »Decision on the merits 37/2021 - 15/15 direct identification of the parties and persons named, whether physical or moral. FOR THESE REASONS, THE LITIGATION CHAMBER Decide, after deliberation: - To impose a reprimand - Order the processing to comply with the principles of finality and minimization, in removing the mention of the title of nobility from the identity card of the complainant, within 30 days from the notification of this decision - to order the data controller to inform the Data Protection Authority by e-mail data (Litigation Chamber) of the result of this decision within the same period via the address e-mail litigationchamber@apd-gba.be Under Article 108, § 1 of the LCA, this decision may be appealed against to the Cour des marchés (Court of Appeal of Brussels) within 30 days of its notification, with the Data Protection Authority as respondent. (se.) Hielke Hijmans President of the Litigation Chamber