Supreme Court - C.20.0323.N

From GDPRhub
Revision as of 07:07, 28 October 2021 by FD (talk | contribs) (→‎Holding)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Supreme Court - C.20.0323.N
Courts logo1.png
Court: Supreme Court (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 5(1)(c) GDPR
Article 6(1)(a) GDPR
Article 57(1)(f) GDPR
Decided: 07.10.2021
Published: 07.10.2021
Parties: Gegevensbeschermingsautoriteit (Data Protection Authority)
Verreydt BV
National Case Number/Name: C.20.0323.N
European Case Law Identifier: BE:CASS:2021:ARR.20211007.1N.4
Appeal from: Court of Appeal of Brussels (Belgium)
2019/AR/1600
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Hof van Cassatie (Nr. C.20.0323.N) (in Dutch)
Initial Contributor: Matthias Smet

The Belgian Supreme Court ruled that the lawfulness of a processing activity should have been assessed by the trial judge on the basis of Article 6 GDPR even if no personal data was processed. The case related to a customer's refusal to provide his electronic ID card to a shop owner to become part of a loyalty program.

English Summary

Facts

A shop owner tied admission to a loyalty scheme to the presentation of an eID (i.e. a Belgian electronic identity card). A data subject refused to provide his eID, considering that such data processing was excessive and not proportionate when taking into account the purpose of the processing. The data subject further filed a complaint before the Belgian DPA (APD/GBA) for being deprived of the advantages conferred by the loyalty scheme.

On 17 September 2019, the Belgian DPA fined the shop owner for requiring customers to present their eID in order to obtain a loyalty card and imposed a fine of €10,000. The shop owner appealed that decision.

The imposed fine of €10,000 was later annulled by the Court of Appeal of Brussels, because (i) the new eID legislation could not be applied retroactively ; (ii) the fine was not sufficiently justified and (iii) the data linked to the eID of the Complainant had actually not been processed by the shop owner, since the data subject had refused to provide such eID. The Belgian DPA contested the legality of such a decision before the Supreme Court of Belgium.

Holding

The Supreme Court annulled the decision of the Court of Appeal of Brussels because it considered that the Court of Appeal did not correctly apply the law.

The Supreme Court considered in particular that the Court of Appeal of Brussels erred in law by not properly considering whether the compulsory reading of an identity card as the only mean of creating a customer loyalty card is contrary to the principle of data minimisation under Article 5(1)(c) GDPR, and contrary to the obligation to obtain the freely given consent of the data subject under Article 6(1)(a) GDPR, when refusal to provide such data results into a disadvantage for the data subject (such as not being able to obtain discounts).

The Supreme Court stated that the Court of Appeal should have considered the loss of an advantage in assessing whether consent is freely given under GDPR. It also confirmed that the Belgian DPA can handle and act on a complaint of a data subject, regardless of whether personal data of that data subject have actually been processed (in this case, the customer who filed the complaint with the Belgian DPA refused to give the eID card and thus no data was processed).

For these reasons, the Supreme Court annulled the contested decision and referred the case back to the Court of Appeal of Brussels.

N.B. The Supreme Court can only annul a decision based on its legality ; by contrast, the Supreme Court cannot rule on the merits of a case. Hence, the Court of Appeal of Brussels will have to adopt a new decision in line with the ruling of the Supreme Court.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                             OCTOBER 7, 2021 C.20.0323N/1














                   Court of Cassation of Belgium







                                 Judgment






No. C.20.0323.N

DATA PROTECTION AUTHORITY, with registered office at 1000 Brussels,

Drukpersstraat 35, registered with the KBO under number 0694.679.950,

plaintiff,

represented by mr. Johan Verbist, lawyer at the Court of Cassation, with

office in 2000 Antwerp, Amerikalei 187/302, where the plaintiff is domiciled
chooses,


in return for

VERREYDT bv, with registered office at 2200 Herentals, Ring 99, registered with the KBO

under the number 0428.824.132,

defendant,

represented by mr. Bruno Maes, lawyer at the Court of Cassation, with

office at 1170 Brussels, Terhulpensesteenweg 177/7, where the defendant lives
chooses place. OCTOBER 7, 2021 C .20.0323N/2


I. JURISDICTION BEFORE THE COURT



The appeal in cassation is directed against the judgment of the Brussels Court of Appeal,
Marktenhof section, from 19 February 2020.


Attorney General Els Herregodts has issued a written statement on September 22, 2021

conclusion laid down.

Councilor Bart Wylleman has reported.

Attorney General Els Herregodts has concluded.



II. REMEDIES



In its application attached to this judgment, the plaintiff puts forward two pleas:
at.



III. DECISION OF THE COURT



Judgement


First remedy


Second part



1. Pursuant to Article 2(1) of Regulation (EU) 2016/679 of 27 April 2016,

concerning the protection of natural persons with regard to processing
of personal data and on the free movement of such data and

drawing of Directive 95/46/EC (General Data Protection Regulation,

hereinafter GDPR), this regulation applies to all or part of

automated processing, as well as to the processing of personal data that

are included in a file or are intended to be included therein

man.

Under Article 4, 2) GDPR, “processing” means an operation

or a set of operations relating to personal data or a

whole of personal data, whether or not carried out by automated means, 7OCTOBER 2021 C .20.0323N 3


such as collecting, recording, organizing, structuring, storing, updating or

modify, retrieve, consult, use, provide by means of forwarding

thing, distribute or otherwise make available, align or combine
creating, blocking, deleting or destroying data.


Article 5(1)(c) GDPR provides that personal data must be adequate, in order to
relevant and limited to what is necessary for the purposes for which it is

processed (“minimum data protection”).


Pursuant to Article 57 GDPR, each supervisory authority on its
territory the following tasks: (a) monitor and enforce the application of

this regulation; (…) f) handles complaints from data subjects, or from bodies,

organizations or associations in accordance with Article 80, examine the content of

the complaint to the extent that it is appropriate and the complainant will inform the complainant within a reasonable
period of notice of the progress and outcome of the investigation, in particular

if further investigation or coordination with another supervisory authority

is necessary; (…) (h) conduct investigations into the application of these

classification, including on the basis of information received from another supervisory
receiving authority or other government agency.


Point 141 of the preamble to this regulation provides that "any data subject"

should have the right to lodge a complaint with a single supervisory authority
authority, in particular in the Member State where he or she usually resides, and a

effective remedy in accordance with Article 47 of the

Charter of Fundamental Rights of the European Union if he believes that

infringement of his rights under this Regulation (…).”

2. Pursuant to Article 4, § 1, first paragraph, of the Law of 3 December 2017 until

towards the Data Protection Authority, this authority is responsible
body for monitoring compliance with the basic principles of protection

of the personal data, within the framework of this law and of the laws that stipulate

ments on the protection of the processing of personal data.

Pursuant to Article 63 of the aforementioned law, the referral to the inspectorate may be

service: 1° when the management committee establishes serious indications

of the existence of a practice which may give rise to an infringement of the

basic principles of the protection of personal data, in the context of 7OCTOBER 2021 C.20.0323.N/4


this Act and the laws containing provisions for the protection of

processing of personal data; 2° when the litigation chamber, at the

of a complaint has decided that an investigation by the inspectorate is necessary
is; (…) 6° of its own accord when it finds serious indications of the

existence of a practice which may give rise to an infringement of the land

principles of the protection of personal data, within the framework of this law

and of the laws containing provisions for the protection of the processing
king of personal data.


The legislative history clarifies with regard to the aforementioned Article 63, 2°, that the

inspection service is understood as “when a data subject is of the opinion that
violation of his rights under the GDPR and a complaint about this

submits to the Data Protection Authority and which, in accordance with Article 62, §

1, is transferred to the litigation chamber. The litigation chamber may

decide that an investigation should be conducted.”

Pursuant to Article 72 of the aforementioned law, the Inspector General and the

inspectors, without prejudice to the provisions of this chapter, proceed to any
search, any check and any interrogation, as well as obtain all the information they need

deem to ensure that the basic principles of protection

of the personal data, within the framework of this law and of the laws that stipulate

contain information on the protection of the processing of personal data,

which they supervise are actually complied with.

Pursuant to Article 100, § 1, of this law, the litigation chamber has the power

to take corrective action, including: (…) 9° to order that the
processing is brought into conformity, or to (…) 13° administrative

to impose fines.

3. It undeniably follows from all the aforementioned legal provisions that a

data subject has the right to lodge a complaint with the Data Protection

authority against a processing practice that it believes is infringing

invokes his rights under the GDPR, such as the right to have his personal
to have data processed as a minimum, pursuant to Article 5(1)(c) GDPR, so that

he can enjoy a benefit or service. This is also the case when the

personal data of the data subject themselves were not processed, but these were processed before 7OCTOBER 2021 C.20.0323.N/5


has not obtained part or the service, because, precisely for the sake of existence, he

of the allegedly infringing practice, his consent to the processing

has refused.

When the Data Protection Authority, after investigating such

complaint, determines that the practice actually gives rise to an infringement of
the basic principles of the protection of personal data, such as the

ginsel of minimum data processing contained in Article 5(1)(c) GDPR, it is

authorized to take corrective measures and, if necessary, an administrative

to impose a fine, even if the complainant's personal data was

not processed itself. After all, the rights of the
complainant under the GDPR, when he is obliged to disclose his personal data

process data in accordance with that infringing practice so that he is of a

benefit or service.

4. From the findings of the appellate courts and the documents on which the Court

able to take heed, it appears that:

- a customer of the defendant has lodged a complaint with the plaintiff because

   she, to obtain a loyalty card and receive discounts on her purchases

   was obliged to show her electronic identity card

   read into the defendant's computer system and, as a result of a
   refusal of this and in the absence of an alternative, such as providing the

   strictly necessary personal data on paper, not of the benefit of the

   could enjoy discounts;

- it appears from the plaintiff's inspection report that the customer data provided by

   are stored by means of reading the electronic identity card, the

   the following are: name, first names, address, date of birth, gender, from when
   if the person concerned is a customer and the amount of the purchases, and that the barcode

   of the electronic identity card containing the national register number,

   is linked by the defendant to the customer's data;

- the claimant has ruled in the contested decision of 17 September 2019

   that an infringement of Article 5(1)(c) of the GDPR has been proven, because the processing

   of customer data does not follow the principle of data minimum processing

   because it implies the use of the national register number that is OCTOBER 7, 2021 C.20.0323.N/6


   included in the barcode of the electronic identity card, which is not

   relevant, and it involves the retention of data on gender and

   date of birth, which are also irrelevant.

5. The appeal judges ruled that "the complainant in this case did not have an eID card"

was offered and therefore no processing of its data was carried out.
fair. Therefore, [plaintiff] shows no actual infringement in connection with

personal data.”


6. By holding on that ground that an infringement of Article 5(1)(c) GDPR
has not been proved and set aside the contested decision of the plaintiff, while

it is not required that the complainant's personal data have actually been processed

to ensure that the claimant takes corrective action or

may impose an administrative fine, after it has been established that a practice exists
giving rise to a breach of the principle of minimum data

effect, the appeal judges do not justify their decision legally.

The part is valid.


7. There is no reason to refer the question to the Court for a preliminary ruling
of Justice of the European Union.



Fourth part


8. Article 288(2) TFEU provides that a regulation has general application

king has. It is binding in its entirety and directly applicable

in each Member State.

Pursuant to Article 6(1) of the GDPR, the processing is lawful only if and for

provided that at least one of the following conditions is met: (a) the
the person concerned has given permission for the processing of his personal data

vens for one or more specific purposes.


Pursuant to Article 4, 11) GDPR, with the “consent” of the data subject,
stand: any free, specific, informed and unambiguous expression of will that

inform the data subject by means of a statement or an unambiguous active

accepts an act concerning him/her concerning the processing of personal data. OCTOBER 7, 2021 C.20.0323.N/7


Point 42 of the preamble to this regulation states that “consent may not”

shall be deemed to have been freely granted if the person concerned has no real or free
has a choice or cannot refuse or withdraw its consent without detriment

effects."

9. It follows from all the above provisions that also the loss of a

benefit or service in the event of refusal of consent the possibility of a genuine

free choice and can constitute an adverse consequence in the sense of

point 42 of the preamble, as a result of which consent is not considered
to be freely granted within the meaning of Article 4, 11) GDPR.


10. The appellate courts find that the plaintiff in the contested decision of 17
September 2019 ruled that an infringement of Article 6(1)(a) GDPR

essential, as consent is not deemed to have been freely given if

the data subject cannot refuse or withdraw it without adverse consequences and there

in the present case there is no question of such free consent, because the
ger, and by extension all customers, can only enjoy discounts by

their electronic identity card and the defendant has no alternative

natively for the creation of a loyalty card in order to take advantage of this

can enjoy.

11. They then rule that:

- the claimant, regarding the lack of an alternative, refers to a still

   non-applicable legislation, namely Article 6, § 4, of the Law of 19 July

   1991 on the population registers, identity cards, aliens
   gen cards and the residence documents, as amended by the law of 25 November

   ber 2018, which was not yet applicable at the time of the facts

   underlying the current dispute;

- the plaintiff further erroneously assumes the unproven assumption that the

   the complainant would suffer an indisputable disadvantage because of the fact that she

   don't miss out on a loyalty card, discounts would go wrong. This constitutes
   no disadvantage because only a possible extra advantage is lost.


12. By thus failing to verify whether the plaintiff's decision on the free
permission to read in the electronic identity card to receive discounts

was correct pursuant to Articles 6.1, a) and 4, 11), GDPR, in particular- 7OCTOBER 2021 C .20.0323N/8


or pursuant to those directly applicable provisions an alternative had to be

are offered for the purpose of obtaining discounts where, specifically under

those provisions, the loss of the benefit of those discounts in the event of refusal of
consent may also have an adverse effect, and to judge on that basis

that an infringement of Article 6(1)(a) GDPR has not been proven, the appeal

judges the aforementioned provisions.

The part is valid.


(…)


dictum


The Council,

Set aside the judgment under appeal, in so far as it finds that an infringement of Articles

5(1)(c) and 6(1)(a) GDPR is not proven and the contested decision of the

plaintiff on that ground.

Orders that this judgment be reported on the side of the

partially quashed judgment.

Keep the costs and leave the decision to the factual judge.


Refers the case thus limited to the Court of Appeal in Brussels, Section
Marktenhof, composed differently.


This judgment was delivered in Brussels by the Court of Cassation, First Chamber, together
composed of section chairman Eric Dirix, as chairman, section chairman Koen

Mestdagh, and the counselors Bart Wylleman, Ilse Couwenberg and Sven

Mosselmans, and pronounced in a public court hearing on 7 October 2021 by

Section Chair Eric Dirix, in the presence of Advocate General Els
Herregodts, assisted by Clerk Vanity Vanden Hende. OCTOBER 7, 2021 C.20.0323N9










V. Vanden Hende S. Mosselmans I. Couwenberg







  B. Wylleman K. Mestdagh E. Dirix APPLICATION/1










          EXTRACT FROM THE PROVISION IN CASSATION




FOR: the DATA PROTECTION AUTHORITY, independent

             public institution with legal personality, with social
             registered office at 1000 Brussels, Drukpersstraat 35, registered
             in the Crossroads Bank for Enterprises under the number

             0694,679,950,



       plaintiff in cassation,



             assisted and represented by the undersigned lawyer at
             the Court of Cassation Johan Verbist, with office in 2000
             ANTWERP 1, Amerikalei 187/302, where choice of residence

             is being done,






AGAINST: the NV VERREYDT, with registered office in 2200 Herentals,

             Ring (NDW) 99, registered in the Crossroads Bank for Enterprises
             ming under the number 0428.824.132,



       defendant in cassation,





                                    *

                                 ** APPLICATION /2



       Plaintiff has the honor to submit to your assessment a judgment that was issued on 19
February 2020 contradiction between the parties was pointed out by the Section
               e
Marktenhof (19 Chamber A) of the Court of Appeal in Brussels (2019/AR/1600). APPLICATION 3


                    FIRST SUBMISSION OF CASSATION





       Violated legal provisions



         Articles 4 § 1, 63, 72 and 100 § 1 of the Law of December 3, 2017
           establishing the Data Protection Authority;
         Articles 1319, 1320 and 1322 of the Civil Code;

         Preamble 42 and Articles 2.1, 4 2), 4.11, 5.1 c), 5.2, 6.1 and 57.1 a),
           f) and h) of Regulation (EU) 2016/679 of the European Parliament

           ment and the Council of 27 April 2016 on the protection of
           natural persons in connection with the processing of personal data
           data and on the free movement of such data and until revocation

           of Directive 95/46/EC (General Data Protection Regulation
           screening) (hereinafter: GDPR);

         Article 288, paragraph 2 of the Convention on the Functioning of the
           European Union (TFEU), as coordinated by the Treaty of

           Lisbon of December 13, 2007, approved by Law of June 19
           2008 (BS 19 February 2009), by Decree of the Flemish Community
           board/the Flemish Region of October 10, 2008 (BS 5 November

           2008), by Decree of the French Community of May 23, 2008 (BS
           July 15, 2008), by Decree of the German-speaking Community of May 19

           2008 (BS 15 July 2008), by Decree of the Walloon Region of 22 May
           2008 (BS 29 May 2008), by Decree of the Walloon Region of 22
           May 2008 (BS 30 May 2008), by Ordinance of the Brussels Capital

           Municipal Region of 10 July 2008 (BS 6 August 2008), by Ordonnan-
           tie of the Joint Community Commission of 10 July

           2008 (BS 6 August 2008) and by Decree of the French Commu-
           committee of 17 July 2008 (BS 26 August 2008).
         Article 149 of the Constitution.





       Challenged decision


      The appeal judges ruled that the decision of 17 September 2019 on

has been taken lawfully with regard to the detected infringements of Article 5.1 c) GDPR
and 6.1 GDPR, and they annul the decision for the following reasons: APPLICATION /4


“8. Discussion – the grounds for destruction



8.1. Infringement of Article 5.1. c) GDPR


[Defendant] asserts:

[…]

[Plaintiff] argues in this regard:

 […]



 The contested decision considers:

 The Inspectorate thus confirms the complaint in the sense that no alternative
 is offered to customers who want a loyalty card, but do not
 wish to have their electronic identity card used by the

 again for the creation of such a loyalty card, while it is
 obtaining the permission and offering an alternative

 required by the Inspectorate.


 The Inspectorate also refers to art. 6, 54 of the law of 19

 July 1991 on the population registers, identity cards, de
 aliens cards and residence documents, as applicable
 as of December 23, 2018, and which provides that the electronic

 identity card may only be read or used with the free,
 specific and informed consent of its holder. When

 a benefit or service is offered to a citizen through his electronic
 national identity card in the context of an IT application, must
 an alternative is also proposed that the use of the elec-

 tronic ID card not required. Furthermore, the Inspectorate refers
 in this regard also to Recommendation No. 03/2011 in order to
 ing requirement and support the offer of an alternative.



 The Act of 19 July 1991 on the population registers, the identity

 cards, the aliens cards and the residence documents
 now in article 6 5 4 second and third paragraph:

 The National Register Number and the holder's photo may only be used
 if authorized to do so by. or pursuant to a law, a de-

 creet or ordinance. The electronic identity card may only be delivered


sent or used with the free, specific and informed consent
of the holder of the electronic identity card. When a

benefit or service is offered to a citizen through his electronic
identity card in the context of an IT application, must also

an alternative that does not allow the use of the electronic identity card
required, be presented to the person concerned.



This text was added by the law of November 25, 2018 and took effect
effective on December 23, 2018. This law is therefore not applicable to the actual

on the basis of the current dispute, since the complaint dates from
from August 28, 2018.



At the time of the complaint, this text read as follows:

"§ 4. Any automated check of the card by optical or other
reading procedures must be the subject of a royal decree, after
advice of the sectoral committee of the National Register referred to in Article 15

of the Act of 8 August 1983 regulating a National Register of the
natural persons. "



The motives of the inspection service - which [plaintiff] argues that as
serve as the basis for the decision - are illegal. A law that absolutely

was not applicable at the time of the complaint and a "recommendation"
which does not have legal force cannot serve as a basis for the

assessing conduct as being contrary to applicable law
caught.



It has not been demonstrated, and consequently not conclusively proven, that at the time
of the complaint an alternative had to be offered.



The contested decision further considers:

"The Disputes Chamber also notes that the processing of
the customer data (surname, first names, address, date of birth, gender,

from when the data subject is a customer and the amount of the purchases) the
does not respect the principle of minimum data processing, since it

given 'gender and date of birth' are also irrelevant.
The Disputes Chamber assumes that the customer card will not be REQUEST /6


used to check the minimum age for alcohol consumption
buy.



Since the defendant's conduct with regard to the production of

loyalty cards do not comply with the principle of data minimum processing,
the Disputes Chamber is therefore of the opinion that the infringement of art. 5.1. c)
A VG is proven."



No EID card was presented by the complainant in this case and there is

so no processing of her data happened. Therefore shows
[plaintiff] no actual infringement in connection with personal data
at.



There was no legal alternative (yet) offered to the complainant at the time

turn into. This has changed since December 23, 2018, but those regulations can
cannot be applied retroactively by [plaintiff].



Moreover, the Disputes Chamber erroneously assumes a number of
essence assumptions:

• that a liquor store loyalty card would not be used for
monitoring the prohibition of the sale of alcohol to minors;

• that the complainant would suffer an undeniable disadvantage by the fact that she

by missing out on the creation of a loyalty card, discounts would
pen. This does not constitute a disadvantage because only a possible additional advantage

is lost (the Court emphasizes). It is different when the EID card
is asked for a legal or contractual right (for example, the
to obtain or retain the right to warranty).



An infringement of art. 5.1. c) GDPR is therefore not applicable in this specific case

proven.


The [defendant]'s sixth plea is well founded on this point.



8.2. Infringement of art. 6.1. GDPR: APPLICATION /7


[Plaintiff] further bases its decision on an infringement of Article 6.1. GDPR,
to know that the lawfulness of the processing depends on the

consent of the data subject for the processing of his personal data
data for one or more specific purposes or the processing is necessary

is for the protection of the legitimate interests of the public
operations manager or a third party, except when the interested
or the fundamental rights and freedoms of the data subject

that require the protection of personal data outweigh those
interests, in particular where the data subject is a child.



[Plaintiff] states:

[…]



To the extent that [plaintiff] refers again to the lack of an alternative
native, it refers again (see point 8.1 above) to a not yet applicable
sane legislation.



The Marktenhof refers to what was stated under point 8.1 above.

suggested.


The infringement of article 6.1. AVG is therefore not proven. the seventh

[defendant]'s plea is well founded on this point.



8.3. Conclusion of points 8.1 and 8.2:


To the extent that the contested decision is not sufficiently motivated to

that certain motives of the contested decision are incompatible
with the documents from the file and with the current legal provisions on

the moment of the complaint and the Marktenhof cannot determine which motive
or which motives, according to them, were de facto decisive for the
to justify the contested decision, the Market Court must determine

that the motives cited by [plaintiff] explain the proven fact of the
infringements (and, as a consequence, likewise the imposition of sanctions for the sake of

of these alleged infringements). The decision is to
that reason was taken unlawfully and must therefore be declared null and void.
to be cleared” (judgment challenged p. 24-29) P ENDING 8


       Grievances



       (…)




       Second part



       Under Article 288(2) TFEU, a regulation has a general

my meaning. It is binding in its entirety and directly applicable
seldom in every Member State.



       Pursuant to Article 2.1 of the GDPR, this Regulation applies to the
wholly or partly automated processing, as well as to the processing of

personal data that are included in a file or that are intended to
to be included therein.

       Pursuant to Article 4 2) GDPR, "processing" should be understood,
an operation or set of operations relating to personal data

data or a set of personal data, whether or not carried out via automated
processes, such as collecting, recording, organizing, structuring, storing,

update or change, request, consult, use, provide by means of
transmission, distribution or otherwise making available, alignment
or combine, block, erase or destroy data.



       Pursuant to Article 5.1 c) GDPR, personal data must be adequate,

relevant and limited to what is necessary for the purposes for which
they are processed (“minimal data processing”).



       Pursuant to Article 57.1 a), f) and h) GDPR, each and every
supervisory authority in its territory the application of this Regulation;

it handles complaints from data subjects, or from bodies, organizations or associations
in accordance with Article 80, investigate the content of the complaint to the extent
appropriate and inform the complainant within a reasonable time of

the progress and outcome of the investigation, in particular if further
find out whether coordination with another supervisory authority is necessary; and

it shall conduct investigations into the application of this Regulation, including to
based on information received from another supervisory authority or other
received by the government agency. APPLICATION /9




       Pursuant to Article 4 § 1 of the Law of 3 December 2017 establishing
the Data Protection Authority, the Data Protection Authority is

responsible for monitoring compliance with the fundamental principles of the
protection of personal data, in the context of this law and of the laws
containing provisions on the protection of the processing of personal

data. Without prejudice to the competences of the Community or Regional
minorities, of the Community or Regional Parliaments, of the United
ge or of the United Assembly referred to in Article 60 of the Special Law

of January 12, 1989 with regard to the Brussels institutions, the Gege-
protection authority carries out this mission throughout the territory of the

Kingdom, regardless of which national law on the processing of personal data concerned
pass.



       Pursuant to Article 63 of the same law, the application may be brought before the
inspection service, including when the management committee has serious indications
singing establishes the existence of a practice that may give rise to a

breach of the basic principles of the protection of personal data, in
within the framework of this law and of the laws containing provisions on the

protection of the processing of personal data; when the litigation chamber
has decided in response to a complaint that an investigation by the Inspectorate
service is needed; or of her own accord when she finds serious indications

of the existence of a practice which may give rise to an infringement of the
basic principles of the protection of personal data, in the context of
this Act and the laws containing provisions for the protection of

processing of personal data.



       Under Article 72 of the same law, the Inspector General and the
inspectors, without prejudice to the provisions of this chapter, proceed to any
inquiry, inspection and interrogation, as well as any information they obtain

deem it necessary to satisfy themselves that the basic principles of the
protection of personal data, in the context of this law and of the laws
containing provisions on the protection of the processing of personal

data, which they monitor, are actually complied with.



       Article 100, § 1 of the same law lists the measures that the disputed
room can impose. APPLICATION /10


       It follows from these provisions, read in conjunction with each other, that the
Data protection authority can act investigating and sanctioning against

with regard to a practice which may give rise to an infringement of the land
principles of the protection of personal data, and that they are more particularly
can act without investigating and sanctioning a practice

which may give rise to a breach of the principle of data minimum
processing.



       It is therefore in no way required that a complainant first has actually provided his data.
unlawfully processed before the claimant could act.

This would go against both the spirit and the text of the Law of December 3, 2017.
If the claimant, whether or not on the basis of a complaint, establishes a practice that
may lead to a breach of the fundamental principles of the protection of

the personal data, it can investigate and impose sanctions against this practice.
action, even if the complainant's own data has not been processed.

be.


      The contested decision dated September 17, 2019 of the Plaintiff refers to the

manner of the defendant with regard to the production of loyalty cards. "From
the inspection report also shows that the customer data being processed is
gender are: name, first name, address, date of birth, gender, from when the

the person concerned is a customer and the amount of the purchases. The barcode of the electronic
national identity card containing the national register number is issued by the

defendant linked to the customer's data […] Because the course of action
of the defendant with regard to the production of loyalty cards, the principle of
does not comply with minimum data processing, the Disputes Chamber is therefore of

considers that the infringement of art. 5.1. c) GDPR is proven” (p. 6)


      This concerns a processing established by the claimant with regard to per-

personal data within the meaning of the GDPR, and in any case a practice that gives rise to
indicates or at least may constitute an infringement of the fundamental principles of the

protection of personal data within the meaning of the Act of 3 December 2017.


      The appellate judges consider that “the complainant in this case did not have an EID

card [has] been presented and no processing of its data has therefore taken place.
fair. Therefore, [plaintiff] shows no actual infringement in connection with per-
personal data”. APPLICATION /11


       By ruling on this ground that a breach of Article 5.1 c) GDPR is not
proven and to set aside the contested decision, where an actual

The processing of the complainant's data is not a necessary requirement in order for
the Data Protection Authority can take an investigative and sanctioning action,

and it is sufficient that a practice is identified which may give rise to a
violation of the principle of data minimum processing, the appeal
judges Articles 2.1, 4 2), 5.1 c) and 57.1 a), f) and h) GDPR, to the extent necessary

read in conjunction with Article 288(2) TFEU and Articles 4 §
1, 63, 72 and 100 § 1 of the Law of 3 December 2017 establishing the Gege-

protection authority.


       In a subordinate order, Plaintiff requests the Court for the following preliminary ruling:

cial question to the Court of Justice of the European Union:



       “Is Article 57.1, in particular the provisions a), f) and h), of the Regulation
       deing (EU) 2016/679 of the European Parliament and of the Council of 27
       April 2016 on the protection of natural persons in relation

       connection with the processing of personal data and with regard to the freedom of
       movement of such data and repealing Directive 95/46/EC, thus

       be understood that the supervisory authority receiving a complaint
       who, after investigating the complaint, determines that there is a
       practice giving rise to a breach of fundamental principles of the

       protection of personal data, although there are specific
       until the complainant is not actual processing of personal data

       happened now that he had not given his consent, not sanctioned
       can take action with regard to the established practice?”





       (…)


       Fourth part



       Under Article 288(2) TFEU, a regulation has a general

my meaning. It is binding in its entirety and directly applicable
seldom in every Member State. APPLICATION /12


       Pursuant to Article 6.1 of the GDPR, the processing is only lawful if and
provided that at least one of the following conditions is met:

       a) the data subject has consented to the processing of

               are personal data for one or more specific purposes;
       b) the processing is necessary for the performance of a contract

               arrival to which the data subject is a party, or at the request of the
               the party to take measures before the conclusion of a contract

               to take;
       c) the processing is necessary for compliance with a legal

               obligation on the controller;

       d) the processing is necessary to protect the vital interests of the data subject
               to protect the traveler or another natural person;

       e) the processing is necessary for the performance of a task of
               public interest or of a task in the course of the performance

               of the public authority vested in the controller
               dedicated;

       f) the processing is necessary for the representation of judicial
               legitimate interests of the controller or of

               a third party, except where the interests or fundamental rights and
               fundamental freedoms of the data subject for the protection of
               require personal data, outweigh those interests, with

               especially when the person concerned is a child.



       Pursuant to Article 4.11 of the GDPR, subject to the 'consent' of the data subject,
understood, any free, specific, informed and unambiguous expression of will
with which the data subject by means of a statement or an unambiguous

accepts active action regarding the processing of personal data.


       Preamble 42 also stipulates that permission may not be

considers to be freely granted if the data subject has no real or free choice
or cannot refuse or withdraw its consent without detriment.



       The decision of the claimant dated September 17, 2019 states the following:
next one:



       According to the Dispute Chamber, contrary to what the defendant
       submits, there is no question of consent as a legal basis for the APPLICATION /13


       effect, since the consent within the current working method of the
       defendant can in no way be regarded as a free consent in

       the meaning of art. 4.11 GDPR, in the absence of an alternative system that allows
       allows to create a loyalty card without using the electronic
       identity card, which makes it possible for the data subject also in that case

       to benefit from discounts […] As a general rule, the GDPR
       that if a data subject has no real choice, he is forced to

       feels to give permission or it will negatively affect him
       if he or she does not consent, the consent is not valid […] By-
       that in the present case the complainant, and by extension all customers, only

       can enjoy discounts through their electronic identification
       identification card, and no alternative is offered by the defendant
       for the creation of a loyalty card, in order to take advantage of this advantage

       enjoy, it is clear that there is no question of free consent
       […] The Disputes Chamber decides that the infringement of art. 6.1. GDPR is moving

       zen” (p. 7)


       The appellate judges judge, partly through a reference to their previous

considers that the motives of the contested decision are illegal, now that this
tens are once again based on the lack of an alternative and thus on a
law that was not applicable at the time of the complaint (in particular the Act

of July 19, 1991 as amended by the Law of November 25, 2018).



       In doing so, however, the appeal judges interpret the decision
which is incompatible with its wording. From the motives of the disputed
After all, this decision, as cited above, shows that the legal basis

battle is indeed located in Article 6.1 AVG and Article 4.11 AVG. It's from the-
they provisions, read in conjunction with Preamble 42 . to the extent necessary
GDPR, that the requirement of a “free consent” is derived and made concrete

sed as being a consent that must involve a free choice
without adverse effects.



       In so far as the appellate judges consider the motives of the contested decision
sing an interpretation inconsistent with its wording, with

in particular by reading therein that to find the legal basis of the decision
is in the Law of 19 July 1991 as amended by the Law of 25 November 2018,
where it appears from the wording that the legal basis is indeed

can be found in Article 6.1 AVG and Article 4.11 AVG, the appeal judges are violating the
evidential value of these motives (violation of articles 1319, 1320 and 1322

of the Civil Code). APPLICATION /14




       To the extent that the appellate courts fail to verify whether the
legal analysis taken with regard to Article 6.1 AVG and Article 4.11 AVG correct

is, in particular with regard to the interpretation of the required 'free consent',
they also misunderstand the judicial obligation to state reasons (violation of Article 149

of the Constitution) as well as Articles 6.1 and 4.11 GDPR, to the extent necessary in
read in conjunction with Preamble 42 GDPR and Article 288(2) TFEU.





(…)