APD/GBA (Belgium) - 57/2021
| APD/GBA (Belgium) - 57/2021 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 6(1)(c) GDPR, Article 6(1)(f) GDPR, Article 13(1)(c) GDPR, Article 13(1)(d) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 06.05.2021 |
| Published: | 06.05.2021 |
| Fine: | 30.000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 57/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde 57/2021 van 06 mei 2021 (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA states that a separate and clearly defined purpose is necessary for a transfer to a third party. Multiple, different processing operations can take place for the same purpose, but each of them requires a legal basis.
English Summary
Facts
This decision is a reconsideration of decision 24/2020 and implements the judgment of the Market Court of 18 November 2020 (2020/AR/813). It gives the defendant the opportunity to defend itself against all GDPR infringements on which the initial sanction was based.
To summarise, the complainant claimed that his health data was used by an insurance company for a purpose to which he had not explicitly consented. The defendant now claims legitimate interest as the legal basis.
Dispute
Holding
Legal basis of legitimate interest
The defendant states that non-sensitive personal data can be processed on the basis of legitimate interest for the following purposes:
- conducting computer tests;
- monitoring the quality of service;
- training of personnel;
- monitoring and reporting;
- storing recordings of video surveillance for the statutory period; and
- compiling statistics from coded data, including big data.
For each of these purposes, a balancing test was done.
The DPA recites the three cumulative requirements for relying on Article 6(1)(f) GDPR: a purpose test, the necessity of the processing, and a balancing test.
As regards the first condition (the so-called "purpose test"), the DPA considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as the data controller can in itself be regarded as legitimate, in accordance with recital 47 of the GDPR.
In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking the question whether the same result can be achieved by other means without processing personal data or without an unnecessarily intrusive processing for the data subjects.
In order to verify whether the third condition of Article 6(1)(f) - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose."
Conducting computer tests
The DPA holds that this purpose satisfies the first, second and third criteria. It does note that the data subject could be better informed about the tests.
Monitoring the quality of service and compiling statistics from coded data, including big data
This topic has three parts: "statistics and quality tests", "satisfaction questionnaires" and "quality tests operations". The DPA assessed the legitimate interest basis for each of them:
- Statistics and quality tests: all criteria have been fulfilled.
- Satisfaction questionnaires: all criteria have been fulfilled.
- Quality tests operations: all criteria have been fulfilled.
Training of personnel
The first criterion has been fulfilled. The necessity test has not been fulfilled, as it is not necessary to use client data in order to provide training cases for personnel; this is a breach of the data minimisation principle of Article 5(1)(c). The balancing test is also not fulfilled, as it is not within the reasonable expectations of a person taking out insurance that their information will be used as a training example.
Monitoring and reporting
The first criterion has been fulfilled. The second criterion has been fulfilled, as a minimum of data is necessary to fulfil legal obligations. Those legal obligations, however, do not provide an explicit legal basis for the processing. The third criterion has also been fulfilled, as a data subject can reasonably expect that the insurance company must fulfil its legal obligations.
Storing recordings of video surveillance for the statutory period
The first and second criteria have been fulfilled. The third criterion has not been fulfilled, as a data subject signing an insurance contract cannot reasonably expect that their data will be used for video surveillance. This processing falls under the Camera Law of 21 March 2007, including the obligation to put up pictograms to inform data subjects.
Model of balancing test
The defendant states that all these balancing tests scored less than 30 on the model it used, which in its view means that legitimate interest can be used as a legal basis.
The DPA holds that such a model is purely instrumental and that no legal value can be attached to it.
Legal basis for transfer to third parties
The defendant claims that transfers to third parties are not a processing purpose, but a form of processing within the meaning of Article 4(2) GDPR.
The DPA states that, according to Article 5(1)(a), personal data must be processed for a specific purpose, and the processing must be lawful within the meaning of Article 6(1). Multiple processing operations may take place for the same purpose, but each of them must comply with the above.
As the defendant is not able to state a specific and separate purpose for the transfer to third parties, and in light of the transparency principle within the meaning of Article 13(1)(c), there is a breach of the GDPR.
Transparency principle
Although Article 13(1)(d) requires the controller to state the legitimate interests it pursues, the defendant claims to have fulfilled this requirement by merely stating in the privacy notice that personal data will be processed on the basis of its legitimate interest, without indicating what those interests are.
According to the defendant, those legitimate interests are not made public because they contain commercially sensitive information, and the underlying documents are very 'heavy' and not suited to a privacy notice.
The DPA holds that this breaches the transparency principle within the meaning of Article 13(1)(d). Even if the defendant does not want to share sensitive information, it must at least provide more information to its data subjects in a clear and transparent way; sharing the commercially sensitive or 'heavy' documents themselves is not required for this.
Based on the above, the first decision and the appeal, the fine for the insurance company is reduced to €30.000 (from €50.000).
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute Chamber
Decision on the merits 57/2021 of 06 May 2021
File number: DOS-2019-02902
Subject: Lack of transparency in the privacy statement of an insurance company (reconsideration of decision 24/2020)

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

has taken the following decision regarding:
- Mr X, hereinafter "the complainant";
- Y, represented by Masters Benoit Van Asbroeck and Simon Mortier, hereinafter "the defendant".

1. Facts and procedure

1. This decision is a reconsideration of decision 24/2020 of the Disputes Chamber of 14 May 2020, and implements the judgment of the Marktenhof of 18 November 2020, with roll number 2020/AR/813.

2. This decision must be read in conjunction with decision 24/2020 and contains a review intended to give the defendant the opportunity to defend itself regarding all breaches of the GDPR for which a sanction was imposed in the initial decision, insofar as those infringements are contested by Y. With this review, the Disputes Chamber thus remains within the framework of the initial decision, also with regard to the administrative fine, which cannot exceed the amount of the initially determined fine.

With regard to the allegations for which the Disputes Chamber ruled in the initial decision that there was no breach of the GDPR, that judgment is preserved. The infringements identified in the initial decision and not contested by Y are equally preserved.

3. On June 14, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant. The complaint concerns the use, for other purposes and without the express consent of the insured person, of health data that the data subject's insurance company obtained under a hospitalization insurance. The complainant states that he has no problem with his health data being processed for the performance of obligations under the hospitalization insurance taken out with the defendant, but does have a problem when those same health data are processed for the purposes listed in point 4.3 of the privacy statement and for the transfer to third parties mentioned in point 9 of the same privacy statement (this concerns point 6; the reference to point 9 is a material mistake). He asks that, specifically for those purposes as well as for the transfer, the defendant give the data subject the choice whether or not to consent to the processing of his health data. Finally, the complainant indicates that he wishes to receive the defendant's data protection impact assessment, as high-risk data processing is involved.

4. On 26 June 2019, the complaint was declared admissible on the basis of Articles 58 and 60 WOG, the complainant was informed of this on the basis of art. 61 WOG, and the complaint was submitted to the Disputes Chamber on the basis of art. 62, §1 WOG.

5. On 23 July 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file was ready for treatment on the merits.

6. On July 24, 2019, the parties concerned were notified of the provisions stated in article 95, §2 and art. 98 WOG. The parties were also informed, on the basis of art. 99 WOG, of the time limits for submitting their defenses. The deadline for receiving the complainant's reply was set at 7 October 2019, and at 7 November 2019 for the defendant.

7. On July 29, 2019, the defendant informed the Disputes Chamber that it had taken note of the complaint, requested a copy of the file (art. 95, §2, 3° WOG) and agreed to receive all communication regarding the case electronically (art. 98, 1° WOG).

8. A copy of the file was sent to the defendant on 30 July 2019.

9. On August 2, 2019, the Disputes Chamber received a letter in which the defendant indicated that it wished to be heard by the Disputes Chamber (art. 98, 2° WOG).

10. On September 6, 2019, the Disputes Chamber received the statement of defense from the defendant. The respondent argues, first, that the processing of special categories of personal data, in this case health data, by health insurer Y takes place in a lawful manner. The processing of these special categories of personal data (Art. 9 GDPR) is prohibited in principle; the respondent invokes the exception of Article 9(2)(a) GDPR, the express consent of the data subject. Second, the respondent argues that no separate consent is required for each transfer of personal data. Third, according to the respondent, there is no question of asking consent for the processing of data other than health data. Finally, according to the respondent, a data protection impact assessment is not necessary in this case, since it concerns existing processing operations and not new processing operations commenced after May 25, 2018.

11. The complainant has not exercised the right to submit a reply.

12. The defendant did not submit a new claim and only submitted exhibits on 7 November 2019 in support of the statement of defense submitted on 6 September 2019.

13. On January 9, 2020, the parties were notified that the hearing would take place on January 28, 2020.

14. On January 28, 2020, the defendant was heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. Among other things, the defendant answered questions from the Disputes Chamber on the legal basis for the processing of personal data other than health data. After this, the debates were closed.

15. On January 29, 2019, the official report of the hearing was presented to the parties.

16. On January 31, 2020, the defendant provided, as requested during the hearing, the annual turnover of the last three financial years. For the years 2016-2018, this amounted each year to a turnover between 500 and 600 million Euros.

17. On 6 February 2020, the Disputes Chamber received a number of comments from the defendant with regard to the official report, which it decided to include in its deliberations.

18. On March 25, 2020, the Disputes Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction was effectively imposed.

19. On May 8, 2020, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine and to the amount thereof. The defendant alleges that the alleged infringements contained in the Disputes Chamber's notice of intent are completely new and that it was unable to defend itself against them. However, the Disputes Chamber must establish from the documents in the file that it is indisputable that the defendant was able to exercise its full rights of defense. The defendant also states that it disagrees with the imposition of a fine and with the intended amount of the fine.
However, it does not put forward any (new) arguments in support of this position. The defendant's response therefore gives the Disputes Chamber no reason to adjust the intention to impose an administrative fine, nor to change the amount of the fine as intended.

20. On May 14, 2020, the Disputes Chamber ruled as follows in its Decision on the merits 24/2020:
- on the basis of art. 100, §1, 9° WOG, to order the defendant to bring the processing into line with article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and article 13.2 b) GDPR;
- on the basis of art. 100, §1, 13° WOG and art. 101 WOG, to impose an administrative fine of EUR 50,000 as a result of the violations of article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and article 13.2 b) GDPR.

21. On 17 June 2020, the Disputes Chamber received notification of an application against the GBA, lodged at the Registry of the Court.

22. The introductory session before the Marktenhof took place on 24 June 2020, at which the deadlines for the parties' submissions were set and the case was scheduled for pleadings at the session of October 21, 2020. The Marktenhof passed judgment on 18 November 2020. The judgment contains the following points for attention with regard to the assessment of the subject of the petition:
• Annulment of decision on the merits no. 24/2020 of 14 May 2020 of the Disputes Chamber.
• The Marktenhof argues that the defendant should be given the opportunity, after the complaint has been clearly formulated in writing, to take a written position on it. The fact that the defendant was asked at the hearing (as stated in the minutes of the hearing) to take a position on the general question of the legitimate interest on which the defendant relies for processing data other than health data, and that the defendant only formulated a brief answer to this without any reservations or objections, does not adequately justify decision no. 24/2020 of 14 May 2020.

23. Following up on the judgment [1], the Disputes Chamber decided on November 27, 2020 to take up the file again with a view to taking a new decision. The underlying consideration is that, notwithstanding the annulment of the aforementioned decision by the judgment of the Marktenhof, the Disputes Chamber is still seised of the initial complaint filed on June 14, 2019, as declared admissible by the First-line service on June 26, 2019. Therefore, the debates were reopened and new deadlines for submissions were set, so that the parties could take a position regarding the legitimate interest on which the defendant relies for processing data other than health data. The parties were notified of the following deadlines:
• the deadline for the complainant's reply is set at 8 January 2021;
• the deadline for the defendant's reply is set at 19 February 2021.
The date of the hearing was also determined: it would take place on March 22, 2021.

[1] The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf

24. On 27 November 2020, the Disputes Chamber received notification from the complainant that, because of the clear arguments, it seemed unnecessary to him to add further arguments. On the same day, the Disputes Chamber informed the defendant that the complainant had stated that he would not submit a conclusion.
At the request of the defendant, the Disputes Chamber also restated the initially determined date for the defendant's statement of reply, as well as the date of the hearing.

25. On February 19, 2021, the Disputes Chamber received the conclusion with accompanying documents from the defendant. In it, the defendant puts forward the following pleas:
• The respondent can rely on its legitimate interests for the processing of personal data for the purposes in accordance with Article 4.3 of its old privacy statement (no violation of articles 5.1 a), 5.2, 6.1 f) and 13.1 c) and d) GDPR).
• The respondent can rely on an applicable legal basis for transfers to third parties in accordance with Article 6 of the old privacy statement (no violation of articles 5.1 a), 5.2, 6.1 and 13.1 c) and d) GDPR).
• If the defendant cannot invoke all legal grounds under Article 6.1 GDPR for the processing purposes in accordance with Article 4.3 of the old privacy statement and for the transfers to third parties in accordance with Article 6 of the old privacy statement, this constitutes an infringement of the defendant's freedom to conduct a business.
• The respondent argues that a reprimand is sufficient and that the administrative fine of € 50,000.00 is disproportionate.

26. On March 22, 2020, the parties were heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. The defendant explained its defense during the hearing. No elements other than those already forming part of the file were put forward. After this, the debates were closed.

27. The minutes of the hearing were presented to the parties on 25 March 2021 in accordance with Article 54 of the Rules of Procedure. On April 5, 2021, the defendant delivered to the Disputes Chamber some comments with regard to the official report, which it decided to include in its deliberation.

28. On April 6, 2021, the Disputes Chamber announced to the defendant its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction is effectively imposed.

29. On April 27, 2021, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine and to the amount thereof. In summary, the defendant states the following in its response to the intention to impose an administrative fine:

- With regard to the lack of a demonstrated legitimate interest as a legal basis for the purposes "training personnel" and "storage of video surveillance recordings during the legal period", the defendant argues that no questions were asked regarding the legality, necessity or proportionality of these processing purposes. In this regard, the Disputes Chamber notes that the defendant has already discussed extensively in its conclusion the legality, necessity and proportionality of all processing purposes, including those for "staff training" and "storage of video surveillance recordings during the legal period", so that no additional clarification was requested during the hearing. At a hearing, only specific questions are asked about any remaining uncertainties, in order to clarify them and to allow the Disputes Chamber to form an opinion. At present, the Disputes Chamber can only establish that the respondent's response to the intention to impose an administrative fine as a result of the infringement of Article 6.1 GDPR with regard to the purposes "training personnel" and "storage of video surveillance recordings during the legal period", in the absence of a demonstrated legitimate interest as legal basis, does not contain any new elements of a nature to change the judgment of the Disputes Chamber.
- With regard to the amount of the fine, the defendant is of the opinion that no fine can be imposed for the charge that personal data were processed without it having a legitimate interest. At the very least, the defendant believes that an amount of EUR 30,000 is disproportionately high. The defendant argues that the written conclusions and the hearing revealed that general training material is in principle always anonymized and that virtually no personal data of customers are processed via CCTV. Nor do the documents in the file show that any personal data of the complainant were processed for these processing purposes. For that reason, the complainant (and by extension the defendant's other customers) has in principle not been personally harmed by any lack of legitimate interest for the processing activities "staff training" and "the storage of video surveillance recordings during the legal period". The Disputes Chamber emphasizes that whether or not any personal harm was experienced does not constitute a criterion for imposing an administrative fine, as this is not included in Article 83.2 GDPR. It will therefore motivate this sanction in its decision below without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for imposing an administrative fine are clearly defined in article 83.2 GDPR, on which the Disputes Chamber will base its decision regarding the administrative fine. To the extent necessary, the Disputes Chamber adds that the complainant provided personal data to the defendant for processing under a hospitalization insurance, and that the defendant then indicated, on the basis of the privacy statement in force at the time, that the complainant's personal data were also processed for all purposes stated in the privacy statement. On the basis of that privacy statement, the defendant processed the complainant's data for each of the purposes included in it.
This is also evident from the conclusion underlying the present decision, in which the defendant itself defines the allegations arising from the complaint (see marginal 33), and in which the allegations under points f), g) and h) are the subject of its defense. The allegations arising from the complaint, as described by the defendant itself in its conclusion, concern defects in the privacy statement that affect the complainant, as well as ipso facto any other customer of the defendant who takes out hospitalization insurance. After all, the privacy statement was not drawn up exclusively for the complainant, but for each client of the defendant who takes out hospitalization insurance. This also explains why the defendant, in its conclusion, tries to demonstrate the legality, necessity and proportionality of all processing purposes, without distinguishing whether or not a processing purpose concerns personal data of the complainant. The defendant verifies whether it has a legitimate interest for all processing purposes, because for each of those processing purposes the complainant's personal data were processed in accordance with the privacy statement in force at the time.

- In addition, the defendant is of the opinion that an amount of EUR 30,000 is disproportionate to the infringement. More specifically, as regards the seriousness of the infringement, the defendant does not agree with the statement of the Disputes Chamber that, solely because Articles 5 and 6 GDPR were infringed, the infringements are automatically "serious" and "weighty". The defendant argues that, on the one hand, these articles underlie almost the entire GDPR and therefore virtually any violation of the other GDPR articles can be reduced to an infringement of articles 5 and 6 GDPR.
On the other hand, classifying these infringements as "serious" and "weighty" prevents a distinction from being made with infringements that are actually weighty and serious, such as, for example, the complete absence of a privacy statement. However, this is not at all relevant here. The defendant argues that it did indeed state these processing purposes in its privacy statement and carried out an extensive weighing of interests with due diligence to determine whether it could rely on its legitimate interests. Regarding the defendant's contention that a breach of the basic principles of the GDPR included in Articles 5 and 6 GDPR cannot automatically be considered serious and weighty, the Disputes Chamber notes that Article 83.5 GDPR itself provides for a more severe punishment for this infringement, for which the highest maximum fine is set, precisely because these are basic principles that lie at the heart of data processing. The defendant's claim that any breach of the GDPR can be traced back to a breach of the basic principles does not stand: the Disputes Chamber is seised by the complaint and carries out the assessment against the GDPR within those limits, so that, contrary to what the defendant maintains, by no means every infringement can be "reduced" to a violation of the basic principles. Since the complaint concerns exactly the basic principles, the Disputes Chamber will rule on the application of those principles. Where the defendant cites as an example that the complete absence of a privacy statement would be serious and weighty, the Disputes Chamber states that the total lack of a privacy statement would not only be a serious and weighty infringement, but a total disregard of the GDPR.
However, this increases does not mean that a defective privacy statement, such as in the present case, which contains the does not respect basic principles of the GDPR, if it must be serious and weighty classified. Regarding the duration of the breach, the defendant points out that it already has its privacy statement during the initial procedure at the beginning of 2020 and has amended its privacy statement to following the initial decision of the Disputes Chamber at the beginning of 2021 adjusted and this should be taken into account as an attenuating circumstance. As to the deterrent effect, the defendant points to her again willingness to constantly adjust its privacy statement, which they do twice has done so in a very drastic manner, thus the purpose of these proceedings this has been achieved according to the defendant. The Disputes Chamber has already announced its intention to impose an administrative one fine, as well as the amount thereof, that it is already done by the defendant efforts to bring the new privacy statement into line with the GDPR, evidence of his willingness. Hand must be noted that although the changes made to the new privacy statement are beneficial are an element in the assessment of the administrative fine, they do not serve it that the infringements established would be rectified (see marginal 120). The Disputes Chamber gives more detailed reasons for the imposition of the administrative fine in section 3 of this decision. It follows from the foregoing that the respondent's response to the Disputes Chamber is none gives rise to an adjustment of the intention to impose an administrative one fine, nor to change the amount of the fine as intended. 2. Justification 1. Legitimate interest a) Preliminary remark 30. 
It follows from the judgment of the Marktenhof that the Disputes Chamber in its decision 24/2020 of May 14, 2020 would have ruled without the defendant being able to fully comply because the decision of the Disputes Chamber would not have been limited to the allegations that are the subject of the complaint. Decision on the merits 57/2021 - 11/36 31. However, the complainant explicitly states in the complaint that the customer should be given the choice whether to use agrees to the processing operations listed in points 4.3 and 6 and does not receive them. After all, once he has given his consent to the processing of his personal data in the context of hospitalization insurance, according to the complainant, data processing should be limited to to perform the obligations arising from that insurance. The complainant argues that the defendant does not use his data for any other purpose, more specifically the the purposes stated in points 4.3 and 6 of the old privacy statement, can be processed without permission. The complaint thus becomes the legal basis of the processing for the purposes listed in section 4.3. The complainant believes that those purposes are mentioned in point 4.3 consent is required and the defendant therefore does not automatically obtain the data obtained on the basis of permission in the context of a hospitalization insurance can also be used for others purposes, for which the defendant relies on his legitimate interest. 32. The complaint thus essentially relates to the legal basis on which the defendant can rely appeal to process the personal data obtained from the complainant for the purposes listed in points 4.3 and 6 of the defendant's old privacy statement. 33. 
In the present claim of the defendant, the allegations are listed in the paragraphs a) to h): “A) Y would consent to the processing of medical data for the purpose of closing and executing insurance contracts under duress, eliminating these consent would be invalid (violation of Article 5 (1) (a)) (legality principle); 6 (1) (a) and 9 (2) (a) GDPR) b) Y must grant the Complainant access to the DPIA (“GBEB”) that it allegedly carried out for the processing of medical data related with the performance of insurance contracts with its customers (violation of articles 35 and 36 GDPR) c) Y should, in Articles 4.3 and 6 of the old Privacy Statement, make a better distinction between the processing of medical data on the one hand and the processing of other "ordinary" personal data on the other hand (violation of Article 13 (1) (c) GDPR); d) Y should take additional steps to inform data subjects of their right to object pursuant to Article 21 (2) GDPR (violation of Article 12 (1) and 13 (2) (b) GDPR) Decision on the substance 57/2021 - 12/36 e) Y serves the legal grounds referred to in Article 6 of the Y old Privacy Statement for the transfer of personal data to third parties, to be further clarified (violation of Article 13, para.1 lit.c) GDPR) f) Y would process personal data without proven legal basis (including her legitimate interest within the meaning of Article 6 (1) of the GDPR) for a number of in Article 4.3 of the the purposes stated in the old Y Privacy Statement and in Article 6 of the old Y Privacy Statement said transfers to third parties (violation of Article 5 (1) (a)) (principle of legality) and 6 (1) GDPR) g) Y would have provided insufficient information about her in her old Privacy Statement legitimate interests, where Y invokes this legal basis (violation of Articles 5 (1) (a) (principle of transparency) and 13 (1) (c) and (d) GDPR) h) Y, where Y relies on this legal basis, would not have sufficiently demonstrated why its legitimate interests would 
exist and would have failed to demonstrate to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5(2) GDPR).”

34. The defendant also confirms that the allegations set out in points a) to h) arise from the complaint, by stating the following in its submission: “Should the Disputes Chamber consider that the above allegations and alleged violations of the GDPR by Y (points a to h) do not arise from the complaint […], the Disputes Chamber is invited to inform Y of this […].”

35. The Disputes Chamber notes in this regard that the allegations, as now described by the defendant in points a) to h) and about which the defendant now indicates that they do indeed arise from the complaint, were already set out in the complaint, but that the defendant nevertheless put forward no defence in respect of f), g) and h) in the procedure prior to decision 24/2020 of 14 May 2020. As to the allegations under a) to e) of its submission, the defendant indicates that it has either been able to defend itself and has been upheld by the Disputes Chamber (this concerns allegations a) and b)), or has not disputed the allegations and has corrected them in the new privacy statement (this concerns the allegations under c), d) and e)). Regarding the established infringement of Article 13.1 c) GDPR concerning the allegation under c), the infringement of Article 12.1 and Article 13.2 b) GDPR concerning the allegation under d), and the infringement of Article 13.1 c) GDPR concerning the allegation under e), the Disputes Chamber refers to its reasoning in decision 24/2020 of 14 May 2020. The defence in the present submission focuses only on the allegations under points f), g) and h).

36.
To the extent that there was some uncertainty on the part of the defendant about the subject of the complaint prior to decision 24/2020, the Disputes Chamber has nevertheless offered the defendant the opportunity to defend itself, and the Disputes Chamber will now check whether, and if so to what extent, the defendant has infringed the GDPR with regard to the allegations described in points f), g) and h) of its submission, and whether the administrative fine should be maintained.

b) Legal basis for the purposes stated under 4.3 of the privacy statement

37. The defendant argues that it can rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes under point 4.3 of the old privacy statement:
• performing computer tests;
• monitoring the quality of the service;
• training of personnel;
• monitoring and reporting;
• the storage of video surveillance recordings during the legal period; and
• compiling statistics on coded data, including big data.

38. For each of these purposes, the defendant has carried out a balancing of interests. The Disputes Chamber below assesses the balancing of interests for each of these purposes in accordance with the settled decision-making practice it uses to assess legitimate interest.[2]

[2] See inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020.

39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union, three cumulative conditions must be met for a
controller to be able to validly invoke this ground of lawfulness, “namely, first, the pursuit of a legitimate interest of the controller or of the third party or parties to whom the data are disclosed; second, the necessity of processing the personal data for the purposes of the legitimate interest pursued; and third, the condition that the fundamental rights and freedoms of the data subject do not take precedence” (“Rigas” judgment).[3]

[3] CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40.

40. In other words, in order to be able to rely on the lawfulness ground of “legitimate interest”, it is the responsibility of the controller to show that: 1) the interests it pursues with this processing can be recognised as legitimate (the “purpose test”); 2) the intended processing is necessary for the realisation of these interests (the “necessity test”); and 3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favour of the controller (the “balancing test”).

41. With regard to the purpose of “performing computer tests”, the defendant argues the following:

“Context of the processing purpose
This processing purpose includes the tests performed by IT testers and developers:
• related to "changes", which are minor changes or relate to purely functional aspects; and
• in the context of any automation projects.
These tests are carried out as part of:
• IT and network security;
• the maintenance, improvement and development of (the quality of) Y products and services; or
• improving the customer experience (e.g. to make internal processes and systems more efficient for back-office activities, to improve the user experience in Y's digital channels, etc.).
This process does not include the acceptance and emulation phase, which can only be carried out by the specialised team ("activities") before the changes can actually be implemented and put into production.”

42. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

43. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

44. On the basis of the purpose, being the performance of computer tests, the Disputes Chamber must establish that the defendant asserts that, where possible, dummy data or anonymous data is used (e.g. in the case of changes where different systems or applications are involved and that require a unique reference, such as the policy number). Only when there is no other option will personal data be used in order to be able to realise the intended change or development. Possibilities for (further) limiting the data processing are constantly being researched and are progressively introduced as part of the project 'data anonymisation in non-production environments'. Furthermore, strict access controls are in place on the IT environments where the IT tests are executed.
Procedures have also been established for how these IT tests must be carried out, which must be observed by all concerned.

45. The Disputes Chamber notes that the defendant states that it only uses personal data when there is no other option. During the hearing, Y stated that the tests always start from dummy data, but that the test phase determines the extent to which testing with such data is possible. After all, in some cases the limits of what is possible with data masking are reached. This has to do with the life cycle of the tests: dummy data can be used gradually in IT testing, but sometimes the processing of personal data is required in order to be able to ensure the interaction between applications. The Disputes Chamber is of the opinion that the defendant thereby makes it reasonably plausible that the computer systems cannot always be tested on the basis of anonymised or pseudonymised data. The second condition is thus fulfilled, as it has been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. Nevertheless, the Disputes Chamber notes that, for the purpose of clarification towards the customers concerned, the defendant might consider providing a brief explanation in the privacy statement of the cases in which the defendant has no choice but to perform computer tests with personal data.

46. In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR.
More specifically, it must be evaluated whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.[4]

[4] Recital 47 GDPR.

47. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used to perform computer tests. After all, customers expect the correct execution of their insurance contracts, which goes hand in hand with the safe and correct management of IT systems. The interest of the customers thus requires that the functionalities of the IT environment are tested for this purpose.

48. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis contained in Article 6.1 f) GDPR for the processing for the purpose “conducting computer tests”.

49. Regarding the purposes “monitoring the quality of the service” and “compiling statistics on coded data, including big data”, the defendant states that this comprises three parts and sets out the following:

- For the section “Statistics and quality tests”

“Context of the processing purpose
Y, as an insurer, is subject to prudential supervision. This means, among other things, that it is obliged to exercise overall control over its company and its performance, including, but not limited to, the audit of the sales performance, the performance and fees of certain hospital networks and the coverages / reimbursements. This relates to the general control of the quality of the services and the performance of the insurance company in order to ensure its continuity. This processing purpose includes both one-off and recurring reports, with or without the use of big data methodologies. These are mainly aggregated or anonymised reports, unless specific statistics are required (by category, e.g. per age group).”

50.
With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the context of the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

51. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

52. The Disputes Chamber notes that the defendant only justifies the necessity for it to compile statistics and perform quality tests by stating that financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Disputes Chamber by no means misunderstands the defendant's need for statistics and quality tests, but the defendant mainly limits itself to asserting that aggregated or anonymised reports are prepared, unless specific statistics are required (per category, such as e.g. per age group). Moreover, the defendant states that the format of those reports may or may not make use of big data methodologies.

53. The extent to which the statistics still contain personal data or allow the re-identification of a data subject was further explained during the hearing. The defendant states that there are still very few statistics containing personal data. The statistics do not contain names and certainly no health data. The statistics do contain codes, but they are mass-aggregated, segmented data.
Directive (EU) 2016/97 on insurance distribution and the Belgian legislation implementing this Directive also require that personal data are processed for specific reporting.[5] Sometimes policy data is processed in the reporting, but no further processing of it in the statistics takes place. Each report has one purpose and the processing may not go beyond that. A register is kept of those reports and their purpose, which are strictly regulated through the data warehouse and from which deviation requires "approvals".

54. The Disputes Chamber decides that the defendant has made the necessary efforts to limit the data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled, as it has been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

55. In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it must be evaluated whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

56. The Disputes Chamber follows the defendant's position that if a person enters into an insurance agreement with Y, he can reasonably expect that Y will perform internal checks and compile statistics to ensure that Y fulfils its contractual obligations.

57. Accordingly, the Disputes Chamber decides that the defendant can invoke the legal basis included in Article 6.1 f) GDPR for the processing for the purpose “Statistics and Quality Requirements”.
[5] Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19.

- For the section “Satisfaction surveys”

“Context of the processing purpose
This processing purpose includes determining the NPS ("Net Promoter Score"), the satisfaction factor of the customers, based on an external survey by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Center and the claims department (claims handling).”

58. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

59. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

60. On the basis of the purpose of conducting satisfaction surveys, the Disputes Chamber must establish that the defendant asserts that the customer can give an opinion anonymously through this survey and thus assert his interests. The results are aggregated and processed by an outside company so that the anonymity of the data subjects can be guaranteed. During the hearing it was added that customers always have the choice whether or not to participate in the survey, as they always have the right to object.
The Disputes Chamber finds that the customers thus have the necessary freedom of choice and that the results of those who participate in the survey are made available to the defendant in anonymous form. The second condition is thus fulfilled, as it has been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

61. In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it must be evaluated whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.[6]

62. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used by the defendant to gauge his satisfaction with the service provided by the defendant.

63. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis included in Article 6.1 f) GDPR for the processing operations for the purpose “conducting satisfaction surveys”.

- For the section “Quality tests operations”

“Context of the processing purpose
This processing purpose relates to the general control of the quality of the operational services and performance of Y. This concerns quality checks in which every employee involved must perform 2 random checks per week on the correct underwriting or performance of the insurance contract and on the instructions and procedures applicable for this purpose.”

64.
With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

65. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

[6] Recital 47 GDPR.

66. On the basis of the purpose, being the general control of the quality of the operational services and performance of Y, the Disputes Chamber must establish that the defendant argues that Y is subject to the Insurance Distribution Directive (EU) 2016/97 and the Belgian implementing legislation, which oblige insurance companies to tailor their services to the wishes and needs of their customers. As indicated during the hearing, the defendant does not invoke its legal obligation (Article 6.1 c) GDPR) as the legal basis for the processing, since the nature and scope of the reporting is not explicitly imposed as such by law. Hence the defendant uses its 'legitimate interest under that legislation' as the legal basis for that processing. The second condition is thus fulfilled, as it has been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary in order to actively measure the quality of the service.

67.
In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it must be evaluated whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.[7]

[7] Recital 47 GDPR.

68. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used to carry out internal quality controls to ensure that Y complies with its legal and contractual obligations.

69. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis included in Article 6.1 f) GDPR for the processing operations for the purpose “quality testing operations”.

70. With regard to the purpose of “training personnel”, the defendant states the following:

“Context of the processing purpose
This includes the organisation and follow-up of training courses, awareness-raising sessions ("awareness") and training for Y employees who come into contact with (personal data of) customers. Training courses include:
• insurance-technical aspects (e.g. with regard to Y products);
• technical aspects (e.g. the use of Office 365 applications, training on information security, etc.);
• "on the job" training courses (training for new employees as well as training aimed at continuously improving service quality); and
• more general aspects such as compliance topics (e.g. the GDPR, IDD, etc.).”

71.
With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

72. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

73. On the basis of the purpose, being the training of personnel, the Disputes Chamber must establish that the defendant argues that only in exceptional cases do the cases used for the training contain personal data of customers, or are personal data of customers used for the preparation of the training material. The defendant argues that the underlying material (cases) is, however, generally completely anonymised.

74. The Disputes Chamber notes that the defendant states that, in the context of training courses, the cases only contain personal data of customers in exceptional cases, or personal data of customers are used for the preparation of the training material. However, the defendant fails to clarify in which cases it would be required to offer training to staff on the basis of customers' personal data. The defendant does not make it reasonably plausible that staff training could not always be provided on the basis of anonymised data. The second condition is thus not fulfilled, because it has not been demonstrated that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

75.
In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it must be evaluated whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.[8]

76. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can at that time reasonably expect that his data will be used for staff training. A policyholder can only expect the normal management of his customer file, which only requires access to the information contained therein by the staff who have to perform tasks in that file for the benefit of the customer concerned. When information from concrete files is shared in the context of a training course, the processing of that information is not limited to those who have to perform tasks in the relevant file.

77. Accordingly, the Disputes Chamber decides that the defendant cannot rely on the legal basis "legitimate interest" for the processing operations for the purpose "training of personnel", and there is therefore a violation of Article 6.1 f) GDPR. The Disputes Chamber observes in addition that, if the defendant nevertheless wishes to use personal data of customers for staff training, it can rely on another legal basis, being consent (Article 6.1 a) GDPR).

78.
With regard to the purpose of “monitoring and reporting”, the defendant states the following:

“Context of the processing purpose
This processing purpose includes the preparation of reports in order to be able to perform checks in the context of:
• IFRS 17 accounting standards for insurance contracts and the Belgian generally accepted accounting rules ("Belgian GAAP");
• calculating the reserves (in the context of, for example, the law of 13 March 2016 on the status and supervision of insurance or reinsurance companies (Solvency II law), etc.); or
• profitability monitoring or reporting in the context of major damage claims.
These reports are created both for internal audit and for reporting purposes to the Y1 Re group (of which Y is a part). This includes recurring reports as well as one-off ad hoc reports. Only fully aggregated, anonymised or, if not otherwise possible, pseudonymised reports are prepared in the context of major claims or ad hoc reports regarding specific cases or outliers.”

[8] Recital 47 GDPR.

79. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the context of the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

80. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

81.
On the basis of the purpose, being monitoring and reporting, the Disputes Chamber must establish that the defendant asserts that the various general financial and insurance law regulations (in the context of, for example, the law of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II law)) cannot be complied with without compiling the necessary reports or carrying out monitoring. As indicated at the hearing, here too the defendant does not rely on its legal obligation (Article 6.1 c) GDPR) as the legal basis for the processing, since the nature and scope of the reporting is not explicitly imposed as such by law. Hence the defendant uses "legitimate interest under that legislation" as the legal basis for those processing operations. The second condition is thus fulfilled, as it has been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary, as the legislation cannot be complied with without the necessary reports being drawn up or monitoring being carried out.

82. The defendant adds that only fully aggregated, anonymised or, if not otherwise possible, pseudonymised reports are prepared in the context of large claims for damages or ad hoc reports relating to specific cases or outliers. The second condition is thus fulfilled, as it has been shown that the principle of data minimisation (Article 5.1 c) GDPR) has been complied with.

83. In order to verify whether the third condition of Article 6.1 f) GDPR, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand, can be fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR.
More specifically, it must be evaluated whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.[9]

[9] Recital 47 GDPR.

84. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can at that time reasonably expect that his data will be used for the fulfilment of the legal and contractual obligations of the defendant.

85. Accordingly, the Disputes Chamber decides that the defendant can rely on the legal basis included in Article 6.1 f) GDPR for the processing operations for the purpose “monitoring and reporting”.

86. Regarding the purpose “the storage of video surveillance recordings during the legal period”, the defendant states that:

“Context of the processing purpose
This concerns the processing of personal data by means of the cameras located within Y's premises, with the aim of customer security, data security and the protection of the company's assets.”

87. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered to be pursued for a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

88. In order to fulfil the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question must be asked whether the same result can be achieved by other means, without the processing of personal data or without processing that is unnecessarily invasive for data subjects.

89.
Based on the purpose, being the provision of video surveillance, the Disputes Chamber serves establish that the defendant asserts that the images are stored in a secure surroundings. Both the space and the affected IT servers are subject to strict access protection. The images are accessed according to strict procedures. The storage of the images is also limited to the legal retention period (in principle 30 days). 90. The second condition is thus fulfilled in that it was established that the principle of minimum data processing (Article 5.1. c) GDPR) has been complied with. 91. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called “Balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should reasonable, in accordance with Recital 47 GDPR expectations of the data subject. More specifically, it should be evaluated whether “data subject at the time and in the context of the collection of the personal data is reasonably permitted expect that processing can take place for that purpose ”. 10 92. The Disputes Chamber is of the opinion that with the collection of personal data in the framework it cannot be assumed that the policyholder takes out insurance at that time can reasonably expect that his data will be used for video surveillance. The purpose of video surveillance is unrelated to the conclusion of an insurance contract, so that the policyholder does not adhere to it can expect that his personal data is provided in response to a insurance contract will be used in the context of video surveillance. Only at there is video surveillance when physically entering the defendant's premises and then it suffices 10 Recital 47 GDPR. Decision on the merits 57/2021 - 27/36 that the camera law is complied with, including the obligation to affix a icon with information to notify the data subject. 93. 
Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the purpose “the storage of video surveillance recordings during the legal period” does not can rely on the legal basis "legitimate interest" and thus there is an infringement to Article 6.1 f) GDPR. 94. For the sake of completeness, the Disputes Chamber adds that if a controller wishes to use surveillance cameras, these are legal obligations ensuing from the law of 21 March 2007 regulating the placement and use of security cameras must comply. As soon as a controller uses of surveillance cameras, arise from the aforementioned law obligations regarding data processing, so that the controller can rely on article 6.1 c) GDPR. In that regard, the defendant stated at the hearing that in the necessary pictograms have been affixed in accordance with this law. c) Model of balancing of interests 95. For each of the foregoing purposes, the defendant argues that the processing purpose is permissible because of the quantitative score calculated by the model balance of interests that Y uses is lower than 30. The defendant argues that on the basis of that model the processing purposes can be based on the legitimate interests of the controller as long as this score does not exceed 30. 96. In this regard, the Disputes Chamber should note that the model used by Y is a is a purely internal instrument that can at most act as a guideline within the company, but from which no legal arguments can be drawn to support the assessment against the legal basis of Article 6.1 f) GDPR. To the scores calculated on the basis of that model therefore no legal value can be attached. d) All legal grounds included in Article 6.1 GDPR 97. The defendant is of the opinion that the Disputes Chamber in its decision 24/2020 would have stated that he can only rely on consent as a legal basis (Article 6.1 a) GDPR) for the Decision on the merits 57/2021 - 28/36 processing purposes included in point 4.3. 
of the old privacy statement and not on the other legal grounds of Article 6.1 GDPR. 98. The Disputes Chamber explains that the following was made in this regard in the decision 24/2020 mention: The Disputes Chamber is therefore of the opinion that the violation of art. 6.1. AVG is proven, since the data processing is for the purposes stated in sections 1, 2, 3, 4, 6 and 7 of point 4.3. of the privacy statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other possible applicable legal basis in art. 6.1. AVG. ” 99. From this the defendant deduces, albeit incorrectly, that the Dispute Chamber is the only one legal basis for the purposes specified therein precedes the consent. The defendant however, ignores the fact that the Disputes Chamber reaches that decision, precisely because the defendant fails to demonstrate any legitimate interest and thus in fails to demonstrate that the applicable conditions have been fulfilled to comply with this legal basis in Article 6.1 f) GDPR. The Disputes Chamber stated in its decision after all expressly that the defendant has in no way demonstrated from what legitimate interest or would exist and also failed to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, although the defendant is obliged to do so on the basis of its accountability obligation (Article 5.2 GDPR). The Accordingly, the Disputes Chamber could not withhold article 6.1 f) GDPR as a valid legal basis. On base of the factual elements leading to the decision 24/2020 was the only remaining legal basis the consent. 100. The Disputes Chamber emphasizes that every controller, including the defendant, can invoke any possible legal basis of Article 6.1 GDPR, but that the applicable conditions for the legal basis invoked must be fulfilled. 2. Legal basis for transfers to third parties 101. 
First, the defendant claims that a transfer to third parties does not have a processing purpose is itself, but is merely a form of processing of personal data within the meaning of Article 4.2 GDPR. The defendant states that he only draws up balances of interests per processing purpose, but not per processing. Decision on the merits 57/2021 - 29/36 102. The Disputes Chamber states that it follows from article 5.1 a) GDPR that personal data must be processed for a specific purpose and that such processing must be lawful in the sense of Article 6.1 GDPR. So it is clear that any processing must be done within the framework of a specific, explicit and justified purpose and that processing must be based on a legal ground for it to be lawful considered. It is of course possible to perform multiple processing operations within the meaning of Article 4.2 GDPR for the same purpose, but this does not alter the fact that the data processing for a specific purpose can only be considered lawful labeled if there is a legal basis for doing so. 103. The Disputes Chamber notes that any transfer to third parties must be determined with the in view of the purpose for which the transfer takes place. To be able to verify whether the transfer is to third parties can be regarded as lawful, it must thus be determined for what purpose which is passed on to third parties. 104. As the defendant rightly points out, the legal basis for the transfer to processors (which however, no third parties within the meaning of Article 4, 10) GDPR) are the same as for the data processing by the defendant himself. After all, the processing purpose remains unchanged, as the processor only processes the personal data for the benefit of the defendant as controller. 105. If the personal data are transferred to a third party within the meaning of Article 4. 
10) GDPR with a view to the purpose of enabling that third party to provide the relevant personal data to process it for your own purposes, then that transfer must cease for that specific purpose considered themselves and requires a separate legal basis. With a view to transparency should become the processing basis for all transfers in the privacy statement stated that the defendant fulfills his obligation under art. 13.1 c) would comply with GDPR. This is However, this is not the case, so that the Disputes Chamber is of the opinion that there is a infringement of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. 3. Transparency principle 106. Notwithstanding the fact that Article 13.1 d) GDPR requires the controller to send the provides the data subject with information about his legitimate interests, if the processing is based on Article 6 (1) (f), the defendant maintains that it suffices for the purposes of the privacy statement referred to in point 4.3, as well as for the purposes of 6 of the Decision on the merits 57/2021 - 30/36 data transfers based on Article 6 (1) (f) GDPR only state that personal data is processed on the basis of the legitimate interest of the defendant without indicating exactly what that legitimate interest would consist of. 107. The defendant argues that the balancing of interests concerns internal documents that have not been handled by Y made public or included in its Privacy Statement, in view of the business sensitive information they contain. Moreover, this involves bulky, rather privacy- technical documents that are typically not included in a privacy statement. 108. 
For transmission to “the companies of the group Y1 Re to which Y belongs, for monitoring and reporting ”, the defendant confirms that this is a transfer to another controller, indicates the defendant demonstrating his legitimate interest consists in its conclusion under the processing purpose “monitoring and reporting”, but late after clarifying his legitimate interest in the privacy statement. 109. Furthermore, the defendant also refers to recital 48 of the GDPR which states that controllers that are part of a concern or group of institutions associated with a central body may have a legitimate interest in the forwarding of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees. 110. The Disputes Chamber acknowledges that consideration 48 applies to the defendant, but this does not prevent the defendant from being transparent about this in his privacy statement and also in such a case must indicate the legal basis and must make it clear where it is legitimate interest exists, which is not the case in the old privacy statement. 111. Responsible for transfers to “subcontractors in the European Union or abroad for processing activities defined by Y ”, the defendant argues that it concerns processors of Y. 112. The Disputes Chamber therefore restates the reasoning in this regard from its decision 24/2020 to decide on an infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. The privacy statement only mentions that for those referred to in 4.3. listed purposes personal data are processed on the basis of the legitimate interest of the defendant without indicating exactly what that legitimate interest would consist of, while art. 13.1. d) GDPR does require the controller to comply obliged to provide the data subject with information about his legitimate interests, if the processing is based on Article 6 (1) (f). 
Decision on the merits 57/2021 - 31/36 113. The Disputes Chamber also refers to the Guidelines of the European Committee for the data protection (EDPB) on transparency according to Regulation (EU) 2016/679, who stress the need to identify the specific interest in question for the benefit of the data subject. 114. Also with regard to point 6. of the privacy statement, the defendant does not indicate why legitimate interest, on which he relies, would exist to obtain personal data from the to process the complainant for the purpose of transferring it to “The companies of the Y1 RE group to which Y belongs, for monitoring and reporting ”and“ Subcontractors in the European Union or beyond, responsible for processing activities defined by Y ”. However requires art. 13.1. d) GDPR in fact that the controller is the data subject must provide information about his legitimate interests, if the processing is based on Article 6 (1) (f). The Disputes Chamber refers again to the Guidelines on transparency in accordance with Regulation (EU) 2016/679 and the stated above in this regard. 115. The Disputes Chamber stated in its decision 24/2020 that as best practice the controller also, before becoming personal data of the data subject collected, can provide the data subject with information about the assessment to be made created in order to be able to use Article 6 (1) (f) as a legal basis for the processing. To avoid information fatigue, this information can be included in a layered privacy statement / notice. 12 The information provided to data subjects should make clear that these data subjects can receive information about the assessment upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the consideration made as to whether to submit a complaint to a supervisory authority authority. 116. 
As the defendant points out, he is unwilling to apply the aforementioned best practice, because, according to him, it concerns internal privacy-technical documents with company-sensitive information. 11 EDPB, Guidelines of the Article 29 Working Party on Data Protection on Transparency under Regulation (EU) 2016/679, approved November 29, 2017, last revised and approved April 11, 2018, p. 42. 12See paragraph 35 of the guidelines referred to in footnote 6. Decision on the substance 57/2021 - 32/36 117. The Disputes Chamber argues that even if the defendant refuses to follow this best practice, he is at least obliged to notify the data subject on a concise, transparent, intelligible and easily accessible form and in clear and provide simple language information about his legitimate interest for each of the purposes for which he relies on that legal basis. It is by no means to comply with this requires privacy-technical documents to be made public, but it is requires that information about the legitimate interest is provided in clear wording that can be easily understood by a customer or potential customer of the defendant 118. The Disputes Chamber finds that the information required by Article 13.1 d) GDPR is in no way whatsoever is made available by the defendant, so that the infringement of Article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR. 4. Administrative fine 119. The fact that the defendant does indeed commit the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR, brings the Dispute Chamber to the administrative fine. This sanction does not extend to an offense committed but with a view to vigorous enforcement of the rules of the GDPR. 
As is clear from recital 148 of the GDPR, the GDPR states that in the event of any serious infringement - including when an infringement is first established - penalties, including administrative ones 13 fines are imposed in addition to or instead of appropriate measures. After this, the Disputes Chamber states that the breaches committed by the defendant against Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR in no way concern minor infringements, nor that the a fine would cause a disproportionate burden on a natural person as referred to in Recital 148 GDPR, whereby a fine can be waived in either case. The fact that it is a first finding of an infringement committed by the defendant in the 13 Recital 148 states: “With a view to more vigorous enforcement of the rules of this Regulation, penalties, including administrative fines, to be imposed for any breach of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities under this Regulation. If it comes for a minor infringement or if the foreseeable fine would cause a disproportionate burden on a natural person, instead of a fine, a reprimand can be chosen. However, the nature, gravity and duration of the infringement, including the intentional nature of the infringement, with measures to mitigate damage, with the degree of responsibility, or with previous relevant breaches, with the manner in which the breach became known to the supervisory authority has come up with compliance with the measures taken against the controller or processor, with affiliation to a code of conduct and any other aggravating or mitigating factors. Imposing penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including a effective remedy and due process. 
[own underlining] Decision on the merits 57/2021 - 33/36 GDPR, does not in any way affect the possibility for the Disputes Chamber to impose an administrative fine. The Disputes Chamber explains the administrative fine in accordance with article 58.2 i) GDPR. 120. The Disputes Chamber emphasizes once again that the instrument of administrative fine is in no way intended to end infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8 ° and 9 ° WOG. She also emphasizes that the administrative fine is one of the sanctions foreseen in article 58.2 GDPR and article 100 WOG. Neither EU law nor national Belgian law has a hierarchy with regard to the sanctions to be imposed. It stands as the Dispute Chamber body of an independent data protection authority as referred to in Article 51 AVG is free to choose the most appropriate sanction. The Disputes Chamber is of the opinion that, in view of the accountability of the controller, the imposition of a administrative fine for violation of the GDPR could be expected. 14 15 121. Taking into account article 83 GDPR and the case law of the Marktenhof, the Disputes Chamber imposing an administrative sanction in concrete terms: - The seriousness of the infringement: the reasoning below shows the seriousness of the infringement. - The duration of the infringement: the infringements are assessed for this aspect in in light of the date on which the GDPR became applicable, namely May 25 2018. The defendant's privacy statement appears to have remained unchanged since the GDPR becoming applicable until such time as, following the complaint, a new privacy statement has been drawn up. The new privacy statement constitutes however, not the object of assessment by the Dispute Chamber, so that they themselves also does not comment on the extent to which the new privacy statement is consistent is with the GDPR. 
- The necessary deterrent effect to prevent further infringements. 122. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasizes that compliance with the principles set out in art. 5 GDPR - in the present case in particular the transparency principle including accountability, as well as the principle of legality - essential, because it is fundamental principles of data protection. The Disputes Chamber considers the defendant's infringement 14 With regard to the jurisdiction of the Disputes Chamber regarding the imposition of an administrative fine, see also decision no 55/2021 of April 26, 2021, available in French on the GBA website. 15 Court of Appeal Brussels (section Marktenhof), Judgment 2020/1471 of 19 February 2020. Decision on the merits 57/2021 - 34/36 the principle of legality specified in art. 6 GDPR and the transparency principle which is specifically laid down in Articles 12 and 13 GDPR, therefore as a serious violation. 123. An important element in determining the amount of the fine is the fact that the defendant subsequent infringements as motivated in decision 24/2020 not disputed and as a result thereof has already made efforts to address the new privacy statement on those points to comply with the GDPR: - Infringement of Article 13.1 c) GDPR due to lack of clear distinction between the processing health data on the one hand, and processing the other 'normal' personal data on the other hand and this for each of the purposes of 4.3. of the privacy statement, as for each of the 6. transmissions of the privacy statement. - Violation of Articles 12.1 and 13.2 b) GDPR in the absence of mention in the privacy statement of the possibility for the data subject to exercise his right of retention. - Infringement of Article 13.1 c) GDPR due to lack of indication of the legal basis for the transfer to each of the distinct categories of third parties in point 6. of the privacy declaration. 124. 
Although the changes made to the new privacy statement are a positive element when assessing the administrative fine, the Disputes Chamber emphasizes that it is there do not seek to rectify the infringements established. The infringements have been identified and cannot be reversed retroactively by the controller who still processes his data - albeit too late complies with the requirements of the GDPR. 125. In addition, the current decision also identifies infringements: - Violation of article 6.1 GDPR with regard to the purposes of “training personnel” and “The storage of video surveillance recordings during the legal period”. - Violation of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR. Furthermore, the Disputes Chamber also takes into account the finding that the violation of Article 6.1 AVG is limited to two processing purposes “staff training” and “the storage of recordings of video surveillance during the legal period ”and is therefore of a nature to be a justify a reduction in the amount of the fine. In addition, the established breaches of the principle of transparency and accountability are so serious Decision on the substance 57/2021 - 35/36 that a substantial fine is required. This applies all the more in view of the large scale of the processing of non-health data by the defendant with decisive impact on all insured persons who have taken out hospitalization insurance affiliated with Y, which concerns a significant number of stakeholders. A decisive element this is also due to the fact that Y is a major player in the insurance market that may become expects the latter to duly and with the necessary conscientiousness align its privacy policy with the GDPR. 126. 
With regard to the lack of transparency, the Disputes Chamber also points out that the GDPR is exactly has provided for a transition period of 2 years 16 to the end of each controller give the necessary time to prepare and adapt to the requirements set by the GDPR. The defendant's argument made at the hearing that the changes which the GDPR has implemented compared to the previous directive 95/46 / EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data to the based on the lack of transparency cannot therefore be accepted. The defendant argues that Articles 13 and 14 GDPR, in conjunction with Article 12 GDPR, and the precise manner of interpretation of it caused the difficulty. The transparency guidelines of Group 29 (now EDPB) were an auxiliary tool. Here too, the Disputes Chamber serves state that those guidelines date back to 29 November 2017, have been revised and adopted on April 11, 2018 and have remained unchanged since then. The defendant thus disposed of sufficient time, as required by its accountability (Article 5.2 GDPR) privacy statement to align with the GDPR. 127. This leads the Disputes Chamber to reconsider the fine and reduce it to € 30,000. 128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the therein certain assessment criteria. The Disputes Chamber points out that the other criteria of art. 83.2. GDPR in this case are not such as to lead to a different administrative fine than those adopted by the Disputes Chamber in the context of this decision. 5. Publication of the decision 16 Article 99 GDPR Decision on the substance 57/2021 - 36/36 129. Given the importance of transparency with regard to the decision-making process of the Disputes Chamber, this decision will be published on the GBA website. 
However, it is does not require that the identification data of the parties be directly announced. FOR THESE REASONS, the Dispute Chamber of the Data Protection Authority, after deliberation, will decide for her to review decision 24/2020 of 14 May 2020 and to review the defendant pursuant to art. 100, §1, 13 ° WOG and art. 101 WOG to impose an administrative fine of € 30,000.00 as a result of the infringements to Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR. On the basis of Article 108, §1 WOG, an appeal can be lodged against this decision within a period of thirty days from the notification at the Marktenhof, with the Data protection authority as defendant. (Get) Hielke Hijmans Chairman of the Disputes Chamber