APD/GBA (Belgium) - 62/2022

From GDPRhub
Revision as of 18:41, 1 June 2022 by Hha
APD/GBA - 62/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 30 GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 23.07.2018
Decided: 29.04.2022
Published: 29.04.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 62/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 62/2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA held, among other things, that a controller is not obliged to report a data breach which results from listing the recipients of an email in CC instead of BCC if the email is only received by a small group (16 people).

English Summary

Facts

The data subjects are mother and son. The controller is a public institution for youth care with a focus on children with a difficult family background.

On 23 July 2018, the Belgian DPA received a complaint from the mother alleging three violations by the controller. First, it was alleged that the controller took photographs of the complainant’s minor son for the purpose of external publication, without the necessary parental consent. Second, it was alleged that the controller sent a group e-mail (16 recipients) and put all of them in CC instead of BCC. This revealed the e-mail addresses of all recipients to one another. Third, it was argued that the controller was sending out a newsletter which, among other things, invited the recipients to donate to the controller, without having a legal basis for such communications. The controller argued that the newsletter does not qualify as direct marketing but is an essential tool for the controller to keep the parents of the children involved.

In its investigation the Belgian DPA established that the first allegation was not supported by evidence and that the email incident was not communicated to the DPA by the controller. The DPA also found that the newsletter was only received by the parents if they had previously subscribed to it on the controller's website. Moreover, the newsletter also contained an unsubscribe button.

Holding

The DPA found that the complaint did not provide sufficient evidence to establish a violation by the controller in relation to the taking of photographs of the son. However, it discussed the hypothetical situation in which visual material of juveniles had been made public by the controller. The DPA decided that in such a case prior consent, or at least specific permission of the parents or the legal guardian, is indispensable in the absence of a legitimate interest or legal obligation for the publication of pictures. It further noted that the controller, as a public authority, cannot invoke legitimate interest as a legal basis for the processing of personal data.

Regarding the use of CC instead of BCC, the DPA concluded that the controller violated Article 6 GDPR because it had no legal basis to disclose the email addresses. It reasoned that Article 6(1)(a) GDPR was not applicable because the recipients of the newsletter did not consent to the disclosure of their email address to other recipients and Article 6(1)(f) GDPR was not applicable because the controller had no legitimate interest in disclosing the email addresses. Furthermore, the DPA concluded that the usage of CC amounted to a data breach but did not pose a risk to the rights and freedoms of the data subjects because the exposure was limited to e-mail addresses and to a small group of recipients (16 people). The DPA therefore found that the controller was not obliged to report the data breach to the DPA according to Article 33(1) GDPR.

Regarding the newsletter, the DPA considered it partly as direct marketing, for which the controller obtained consent as a legal basis. However, the DPA noted that the controller, when informing the data subjects about the purposes of the newsletter in its privacy policy, did not make a clear distinction between communications in relation to its core mission and marketing communications. The DPA, therefore, found that the controller infringed Articles 12 and 13 GDPR.

Comment

Note that in Belgium, the government and its institutions cannot be fined.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Tribunal
Decision on the merits 62/2022 of 29 April 2022
File number : DOS-2018-03944
Subject: Sending a global e-mail with all destinations visible, sending service
messages without a legitimate basis and processing images of a minor without
parental consent
The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
chairman and Mr Yves Poullet and Mr Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of individuals with regard to the processing of personal data and on
the free movement of such data and repealing Directive 95/46/EC (General Data Protection
Regulation), hereinafter AVG;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the Rules of Procedure, as approved by the Chamber of Representatives on 20
December 2018 and published in the Moniteur Belge on 15 January 2019;
Having regard to the documents in the file;
has adopted the following decision on:
The complainant: Ms X, hereinafter "the complainant";
The defendant: Y, hereinafter "the defendant" or "the controller".

Facts and procedure
On July 23, 2018, Ms. X filed a complaint with the Data Protection Authority (hereinafter
'GBA') against Y.
The subject matter of the complaint relates to a grouped transmission of data by e-mail
which allowed the recipients to identify the e-mail addresses of other data subjects and to
the sending of communications (service messages) for which the legal basis was contested
by the complainant. In addition, the complainant alleges that the defendant, without
informing her in advance, allowed the complainant's minor son to participate in a project
intended for external publication, which also involved taking photographs of the son, but
without obtaining the complainant's parental consent.
On 11 September 2018, the complaint was declared admissible by the First Aid Service on
the basis of Articles 58 and 60 of the WOG and was transferred to the Disputes Chamber
on the basis of Article 62, § 1 of the WOG.
On 3 October 2018, the Dispute Tribunal decided to request an investigation from the
Inspectorate on the basis of Articles 63, 2° and 94, 1° of the CPC.
On 3 October 2018, pursuant to Article 96, § 1 of the WOG, the request of the Dispute
Resolution Chamber to conduct an investigation is transmitted to the Inspectorate,
together with the complaint and the inventory of documents.
On 23 March 2021, the investigation is completed by the Inspectorate, the report is
attached to the file and the file is handed over by the Inspector General to the President
of the Dispute Settlement Chamber (Article 91, § 1 and § 2 of the WOG).
The report contains findings with regard to the data controller as well as the subject of the
complaint, and concludes first of all that the data controller is responsible for "integrated
youth care with housing" and is considered to be a Flemish administrative authority as
referred to in Article 2, 10° of the eGovernment Decree1 and described on the website of
the Flemish Government2 , as the defendant meets the criteria of Article I, 3, 6° of the
eGovernment Decree3.
The Inspectorate then notes that the complainant distinguishes two processing activities
in her complaint: the alleged data breach resulting from the email communication of 7
June 2018, on the one hand, and the unsolicited news email messages of 27 March 2019 and
29 May 2019, on the other.
1 Decree of 18 July 2008 on electronic administrative data exchange, B.S., 29 October 2008.
2 https://overheid.vlaanderen.be/digitale-overheid/is-uw-organisatie-een-vlaamse-bestuursinstantie/.
3 Executive Decree of 7 December 2018, B.S., 19 December 2018.

According to the Inspectorate, the first processing activity falls within the operation and
core mission of the defendant. The Inspectorate also considers it sufficiently proven, on
the basis of the documents submitted and the defendant's reply, that the principle of
transparency has been complied with. Data subjects are adequately informed about the
processing of their personal data in the context of the sending of newsletters and service
communications, thanks to the information contained in the privacy statement, which can
be easily found on the website of the controller.
Moreover, the Inspectorate notes that, since April 2018, the defendant has indicated that
it no longer automatically enrols the parents of young people staying at Y, but invites
them to enrol via the website (opt-in system). The Inspectorate notes that data subjects are
invited to subscribe to the newsletter by entering their e-mail address on the website
independently, and that this subscription does not have a blocking effect on further visits
to the website. Thus, the Inspectorate concludes that the consent of data subjects is
sufficiently informed, specific, free and unambiguous.
Moreover, although the complainant makes no reference to the opt-out possibility for
service communications in her complaint, the Inspectorate notes that data subjects still
have the possibility to withdraw their consent at any time by writing to the data
protection officer of the defendant.
Therefore, the Inspectorate considers the first processing operation to be in compliance
with Articles 5, 6 and 4.11 in conjunction with Article 7.2 AVG, as well as with Articles 12.1
and 13 and 14 AVG.
Furthermore, the Inspectorate notes that, although the recipients of the email message
were able to learn the identity and email address of the other recipients, the content of
the June 2018 communication does not contain any personal data.
As regards the use of CC instead of BCC, which according to the complainant should be
regarded as a data breach, the Inspectorate first confirms that the defendant failed to
report the incident to the GBA within 72 hours.
However, according to the Inspectorate, this breach of Article 33 AVG must be qualified
somewhat, in the sense that the controller may have been able to rely on the likelihood
that the data breach posed a low risk to the rights and freedoms of natural persons, in
accordance with Article 33.1 AVG, in order to decide not to notify the GBA.

The Inspectorate stresses in particular that the data breach was limited both in the
number of recipients (16 parents or guardians) and in the personal data exposed (the e-
mail address from which the identity of the recipients could possibly be established), with
the result that the e-mail in question may have caused only very limited damage to the
complainant.
The inspection report also refers to the fact that the complaint and infringement rather
referred to a non-intentional, one-off and mainly human error, in view of the defendant's ICT
Code of Conduct which states that staff should use BCC when necessary.
Furthermore, according to the Inspectorate, the data leakage could be avoided in the
future because the defendant learned from the situation and already has a procedure and
form that can be used to report a data leakage.
Finally, the Inspectorate refers to the internal awareness raising and training on the
existing ICT Code of Conduct and Security Incident Procedure as well as the relevant
reporting form, which the defendant has provided since the incident to the staff of the
department where the incident occurred.
In view of the above elements, the Inspectorate considers that the violation of Article 33.1
of the AVG could be closed. Notwithstanding this, the Inspectorate notes a series of
concerns in relation to the defendant's internal procedure.
More specifically, the Inspectorate notes that a notification to the GBA is not provided for
in the security breach procedure, and that the aforementioned procedure could therefore
be supplemented with specific instructions to always provide for a record of incidents in
the defendant's own data breach register, to apologise to those concerned, and to send
an e-mail to the recipients of e-mails sent in error, asking for the immediate deletion of
the preceding e-mail.
With regard to the second processing activity, namely the two e-mail communications of
27 March and 29 May 2019, the Inspectorate notes that it relates to the sending of news
messages inter alia to the parents of adolescents staying in the controller's unit.
The Inspectorate notes that these newsletters contain an unsubscribe option at the
bottom of the email messages, and that data subjects are also offered the possibility to
withdraw their consent by writing to the data protection officer of the defendant.

On the basis of these specific elements available in the file, the Inspectorate finds that the
consent provided by the controller is free and unambiguous, and therefore meets the
conditions provided for in Article 4.11 in conjunction with Article 7.3 AVG. The
Inspectorate shall establish this processing activity on the basis of Article
6.1.a) AVG and notes that this processing activity can be considered as being in
compliance with Article 5.1.a) AVG.
As to whether the complainant was adequately informed of the processing of her
personal data for the purpose of sending newsletters, the Inspectorate notes that data
subjects are adequately informed by means of the privacy statement on the website of
the controller. Therefore, the Inspectorate concludes that the sending of the disputed
newsletters does not constitute a violation of Articles 12.1, 13 and 14 of the AVG.
The report shall also contain findings which go beyond the subject matter of the
complaint. In particular, the Inspectorate finds that the submitted register of processing
activities is incomplete and unclear, and that the defendant has therefore infringed Article
30.1 of the AVG.
On 23 September 2021, the Dispute Tribunal decides, on the basis of Article 95, § 1, 1° and
Article 98 of the CPC, that the case is ready for examination on the merits.
On 23 February 2022, the parties concerned shall be notified of the provisions referred to
in Article 95 § 2 and those referred to in Article 98 of the CPC. They are also notified of the
time limits for lodging their defences pursuant to Article 99 of the CPC.
In view of the fact that the complainant was resident in the Dutch-speaking area at the
time she lodged the complaint, and that according to the inspection report the defendant
is considered to be a Flemish administrative authority4 , the Dispute Chamber also
decided to conduct the proceedings in Dutch, in accordance with its language policy5.
However, both parties are given 14 days to object.
4 Inspection report of 23 March 2021, p. 3.
5 Language policy note used by the Dispute Resolution Chamber, available on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/nota-talenbeleid-gehanteerd-door-de-geschillenkamer.pdf

On 6 October 2021, the complainant objects to the use of Dutch as the language of the
proceedings. Bearing in mind that, at the time when she lodged her complaint, the
complainant, in French, was resident in the homogeneous Dutch-speaking area; that the
defendant must be regarded as a Flemish administrative authority; and that, moreover,
the complainant used Dutch on several occasions in the context of her exchanges with the
defendant and with, inter alia, the services of the Youth Welfare Agency, the Dispute
Tribunal decides to propose to the parties by registered letter on 14 October 2021 the
following agreement.
a. The official language of the proceedings shall remain Dutch, it being understood that,
in the proceedings before the Dispute Tribunal, the parties may express
themselves in French or Dutch, both in writing in their submissions and orally at
any hearing.
b. The Dispute Tribunal undertakes to conduct its correspondence with the parties
concerned in both French and Dutch at all times in future, in accordance with
Article 41 § 1 and § 2 of the Laws of 18 July 1966 on the use of languages in
administrative matters (hereinafter, 'SWT')6.
The previously communicated deadlines will be replaced by new deadlines.
The Dispute Tribunal will also provide the complainant with a French translation
of the Dutch inspection report, without this French version replacing the
inspection report.
c. The Dispute Chamber will not translate the procedural documents submitted by a
party for the benefit of the other party, nor will it cover the costs incurred by
them in connection with the translation of these documents. The parties are also
not required to provide translations of their procedural documents.
d. The Dispute Resolution Chamber undertakes to take its final decision in Dutch,
and simultaneously to communicate a French version to the complainant; both
versions will be made available on the GBA website.

 In the absence of an objection within 7 days of the communication of the previous
proposal, the Dispute Tribunal will send a new invitation to the parties to submit their
defence. The deadline for receipt of the Respondent's Statement of Defence was set at 6
December 2021, that for the Complainant's Statement of Defence at 3 January 2022 and
that for the Respondent's Statement of Defence at 24 January 2022.

 Pursuant to Articles 95 § 2, 98 and 99 WOG, the parties are notified both by e-mail and by
registered mail that the scope of this case concerns the following alleged infringements by
the defendant:
1) alleged breach of Articles 6 and 7 AVG, concerning the lack of parental consent for
the alleged processing of image material of the complainant's minor son for the
purpose of external publication, without her knowledge;
2) alleged breach of Articles 5, 6 and 4(11) in conjunction with Article 7 AVG,
concerning the email communication of 7 June 2018 between the defendant's
"[...]" department and the parents;
3) alleged violation of Article 12.1 and Articles 13 and 14 AVG, regarding the
newsletter information in the defendant's privacy statement;
4) alleged breach of Article 30 of the AVG, due to an incomplete and unclear
register of processing activities;
5) alleged violation of Article 33.1 of the AVG, due to insufficient internal
procedures on security breaches, which provide that incidents are always
recorded in a separate data breach register of the controller, and that incidents
must be reported to the GBA, if applicable.

6 Laws of 18 July 1966 on the use of languages in administrative matters, B.S., 2 August 1966.

On 25 October 2021, the defendant's data protection officer acknowledged receipt of the
Dispute Tribunal's letter and its annexes by e-mail.
On 3 December 2021, the Dispute Tribunal received the Respondent's Statement of
Defence as regards the findings relating to the subject-matter of the complaint. This
conclusion also contains the defendant's response concerning the findings made by the
Inspectorate outside the scope of the complaint.
With regard to infringement 1, the defendant points to the lack of any finding in that
regard by the Inspectorate, as a result of which the defendant does not consider it
possible to submit a defence in that regard. For the rest, the defendant states that its staff
ask the competent minor, or the parents if the minor is deemed not to be competent (guide
age 12), for permission to take and distribute photographs. This is also included in the
defendant's reception brochure which has already been provided in the context of the
inspection investigation.
As regards infringements 2 and 3, the defendant refers to the Inspectorate's finding that
the infringements were properly monitored and rectified by the controller. The defendant
also states that no similar incident has occurred in the past and that it is therefore a one-
off, human "beginner's mistake", given the recent entry into force of the AVG at the time
of the incident. The defendant also stresses that it provides regular internal training and
awareness-raising.
With regard to infringement 4, the defendant states that the recommendations made in
the inspection report to complete the register of processing activities have now been
incorporated in the abovementioned register. In particular, a tab on version control was
added, as well as a tab on the organisation and the data protection officer. In addition, a
tab explaining the technical and organisational measures was added, as well as a tab with
the retention periods applied. Finally, the defendant states that the complaint dates from
6 months after the entry into force of the AVG, when the defendant focused on training
its staff on the use of procedures.
As regards infringement 5, where the Inspectorate notes that the internal procedure for
reporting security incidents provides for the defendant to report data breaches to the Flemish
Supervisory Commission (VTC), the defendant considers that it can rely on the information
available on the Flemish Government's website7. Furthermore, the defendant states that
data subjects are free to lodge a complaint with the GBA following data leaks, and that it is
prepared to report its incidents to the GBA anyway. Finally, the defendant confirms that
e-mails sent in error are now added to the incident register, and that employees should
request the "wrong recipients" to delete the message immediately.
The Dispute Tribunal did not receive a statement of reply from the complainant.

II. Motivation
II.1. Competence of the Data Protection Authority in relation to a Flemish administrative authority

 First of all, by analogy with its decision 15/2020 of 15 April 20208 and following on from the
statement in the Inspectorate's report, the Dispute Tribunal clarifies that the GBA is
competent to act in the present case.

 The AVG is a regulation which is directly applicable in the Union and cannot be transposed
by Member States into national law. Nor may provisions of the AVG be specified in
national legislation, except where the AVG expressly allows this. Data protection has thus
become, in principle, a matter of European law9.
7 https://overheid.vlaanderen.be/digitale-overheid/is-uw-organisatie-een-vlaamse-bestuursinstantie.
8 Decision on the merits 15/2020 of 15 April 2020 of the Disputes Chamber of the GBA, para. 69-70 and 77 et seq. See
also decision 23/2022 of 11 February 2022, para. 6, and decision 31/2022 of 4 March 2022, paras. 33-43, available on the
GBA website: https://www.gegevensbeschermingsautoriteit.be/burger/publicaties/beslissingen.
9 See e.g. in C. KUNER, L.A. BYGRAVE and C. DOCKSEY (eds.), The EU General Data Protection Regulation: A Commentary,
Oxford University Press, 2020, pp. 54-56.

The issuing of any regulatory provisions on personal data by the federal or state
government must therefore be done within the framework established by the AVG. In this
respect, the Court refers to Article 22 of the Constitution10 and the settled case law of the
Constitutional Court, which states that the right to respect for private life, as guaranteed
in Article 22 of the Constitution (as well as in treaties), has a broad scope and includes, inter
alia, the protection of personal data and personal information11.
The Constitutional Court and the Legislation Division of the Council of State have already
ruled that the introduction of general restrictions on the rights guaranteed by a
constitutional provision is a matter reserved to the federal legislator12. Consequently, the
state authorities retain the possibility of providing, within their powers, for specific
restrictions, only to the extent and on the condition that they respect the general federal
legislation in this respect13.
In short, the Court of Arbitration finds that the federal and regional authorities are
empowered to issue general and specific rules respectively on the protection of private
and family life, and only to the extent permitted by the AVG and within the rules of the
AVG which are directly applicable in the Belgian legal order14.
In its Opinion No 61.267/2/AV of 27 June 2017, issued in response to the preliminary draft
that led to the WOG, the Legislation Section of the Council of State addressed in detail the
competence-sharing rules on data protection supervision15. In the aforementioned
opinion, the Council of State stated that the federal government may establish a
supervisory authority with "a general competence [...] over all processing of personal data,
including those carried out in matters for which the Communities and Regions are
competent "16. "Such a regime does not affect the competence of the Communities and
10 "Everyone has the right to respect for his private and family life, except in the cases and under the conditions provided
for by law. The law, the decree or the rule referred to in Article 134 shall guarantee the protection of that right."
11 See e.g. GwH, No 29/2018, 15 March 2018, B.11; No 104/2018, 19 July 2018, B.21; No 153/2018, 8 November 2018, B.9.1. See
also A. ALEN and K. MUYLLE, Handboek van het Belgisch Staatsrecht, Mechelen, Kluwer 2011, pp. 917 ff.
12 A. ALEN and K. MUYLLE, Handboek van het Belgisch Staatsrecht, Mechelen, Kluwer, 2011, 918; K. REYBROUCK and S.
SOTTIAUX, De federale bevoegdheden, Antwerpen, Intersentia, 2019, 122; J. VANDE LANOTTE, G. GOEDERTIER, Y. HAECK, J. GOOSSENS and
T. DE PELSMAEKER, Belgisch Publiekrecht, Bruges, die Keure, 2015, p. 449.
13 Court of Arbitration, No 50/2003, 30 April 2003, B.8.10; No 51/2003, 30 April 2003, B.4.12; No 162/2004, 20 October
2004 and 16/2005, 19 January 2005; GwH, 20 October 2004, 14 February 2008; Adv. RvS nr. 37.288/3 of 15 July 2004, Parl. St. Vl.
Parl. 2005-2006, no. 531/1: "[...] the Communities and the Regions [are] only competent [...] to authorise and regulate
specific restrictions to the right to respect for private life in so far as, in so doing, they adapt or supplement the
federally determined basic standards, but [...] they [are] not competent [...] to affect those federal basic standards".
14 J. VAN PRAET, De latente staatshervorming, Bruges, die Keure, 2011, pp. 249-250.
15 Adv.RvS no. 61.267/2 of 27 June 2017 on the preliminary draft law 'reforming the Commission for the Protection of
Privacy', pp. 28-45.
16 Ibid, p. 12, para. 5.

Consequently, according to the Council of State, the federal supervisory authorities can
only be empowered to monitor the specific rules they have issued for data processing in
the context of activities falling within their competence, and this of course only to the
extent that the AVG still allows Member States to adopt specific provisions and that the
provisions of the WOG are not prejudiced.
In short, the GBA, as the federal supervisory authority, is the competent authority to
monitor the general rules, including the mandatory provisions of the AVG which do not
require further national implementation, in accordance with Article 4 of the WOG18. This
is also the case if the data processing relates to a matter falling within the competence of
the Communities or Regions (federal authorities) and/or if the controller is a public body
falling within the competence of the Communities or Regions, even if the federal authority
itself has established a supervisory authority within the meaning of the DPA.
In view of the above, the Court concludes that, in order for a federal supervisory
authority to be competent, it is by no means sufficient that the data processing relates to
a federal matter. Moreover, the federal State in question must also, within the scope left to
the Member States by the AVG, have adopted specific rules for the processing of personal
data in the context of that matter. It is only the monitoring of compliance with those
specific federal rules that can be entrusted to the federal supervisory authority.
The Court stresses that the notion of 'specific rules' should not be interpreted too broadly.
It appears from the cited opinion of the Council of State that the notion of 'specific rules'
refers to specific limitations or special safeguards, which derogate from or go beyond the
general provisions, safeguards and limitations contained in, or deriving from, the AVG or
federal legislation. In other words, the mere fact that the Länder implement or confirm
(by decree or order) a general rule does not mean that this rule acquires the character of
a 'specific rule'. A specific rule only exists when the federal states, using the scope left by
the AVG, establish additional safeguards or restrictions.
In addition, any limitations of powers of a data protection authority under the AVG would
only be possible if, at the level of a Land would have established a supervisory authority
which meets all the requirements imposed on supervisory authorities by the European
Treaties and which has also been given all the functions and powers of a supervisory
authority. In this context, reference is made in particular to Articles 51 to 59 of the DPA.
This is not the case for the Flemish Supervisory Commission.

17 Ibid, p. 12, para. 6.
18 See also e.g. Adv.RvS, no. 66.033/1/AV of 3 June 2019 on a draft decree of the Flemish Government of 10 December
2010 'implementing the decree on private employment agencies, as regards the introduction of a registration obligation
for sports agents', p. 5, para. 5.3; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decree of the Flemish Government
'containing the detailed rules for the processing, preservation and evidentiary value of the electronic data concerning the
allowances in the framework of the family policy', p. 7, para. 5.3.

It follows from the above that the Flemish authorities are subject to the directly applicable
provisions of the AVG and that the GBA is competent to act in the present case. This
competence also means that incidents relating to personal data, as defined in Article 4.12)
AVG, must be reported to the competent supervisory authority, in this case the GBA,
pursuant to Article 33.1 AVG.

II.2. Lack of parental consent for taking and distributing photographs of a minor
The Dispute Tribunal takes note of the fact that Mrs. X complains that the defendant had
photographs taken of her minor son for external publication without her prior information
and consent.
However, the Dispute Tribunal notes that the complainant responded negatively to the
Inspectorate's request to provide some evidence of this alleged processing. More
specifically, the complainant notes that the defendant refused to provide her with more
information about the project. Moreover, a member of the defendant's ombudsman
service is alleged to have stated that participation in the project was proposed directly to
the young people, that participation could also be anonymous and that for this reason the
defendant "did not really [ask for] permission".
The Dispute Chamber notes that the defendant does not dispute that the processing in
question took place, but refers to its reception brochure in which a statement of consent
provides for the possibility for educators or competent young people to give their consent
to the taking and use of atmospheric photographs19.
First of all, the Court stresses that the protection of personal data, which is covered by the
AVG, must be dissociated from the "right to image", which is a personal right provided for
in Article XI.174 of the Code of Economic Law. Therefore, the fact that a person agrees to
be photographed or filmed does not necessarily mean that he or she consents to the
publication or dissemination of these images. These two consents are separate and must
therefore be requested separately20.
19
 Welcome brochure of the non-profit organisation Sporen, p. 13.
The Dispute Chamber understands from the documents submitted that the complainant's
son was 15 years old at the time of the facts. However, neither the AVG nor the Belgian
Data Protection Act provide any clarification as to the age at which minors may
themselves have access to their personal data, except in the specific context of a direct
offer of information society services to a child21.
Although all natural persons are holders of the right to representation, the exercise of
that right is closely linked to the holder's capacity or incapacity to act.22 Legal doctrine
therefore provides for a distinction between minors with capacity and minors without
capacity, and it should also be stated that "current case law assesses the concept of
capacity according to the concrete, factual circumstances of the case and not on the basis
of a specific age".23 The right to representation is not limited to minors, but also includes the
right to be represented by a legal person.
In other words, in the absence of a conclusive answer as to whether the complainant still
had parental authority over her son at the time of the judgment of the juvenile court and as
to whether or not the latter had the capacity to distinguish, it is impossible for the Dispute
Tribunal to ascertain whether the complainant's consent to the disputed processing in the
present case was necessary.
As a result, the provisions of ordinary law relating to the capacity of minors24 to exercise
their right to image apply in principle, and the Dispute Chamber takes the prima facie
view that parental consent - as well as the consent of the persons concerned if they have
the capacity to distinguish - is necessary for the processing of image material of minors
under the age of 18.
However, the Dispute Tribunal finds that the complaint is not sufficiently substantiated
with evidence of the existence of a breach of the AVG or of data protection laws, and it is
clearly not possible to obtain such evidence25. Nor is the Dispute Tribunal able to
establish that prior parental consent was required in the present
case. Thus, on the basis of the facts and the legal complaints raised in the complaint, the
Dispute Resolution Chamber cannot conclude that there has been a breach of data
protection rules. In short, on the basis of the above elements, the Dispute Resolution
Chamber considers that no breach of the AVG can be established; this complaint is
therefore declared as manifestly unfounded26.
20
 https://www.gegevensbeschermingsautoriteit.be/burger/thema-s/recht-op-afbeelding/principes.
21
 Article 8 of the AVG; Article 7 of the Law of 30 July 2018 on the protection of natural persons with regard to the
processing of personal data, B.S., 5 September 2018.
22
 E. GULDIX, The rights of personality, privacy and private life in their interrelationship, Doctoral thesis Faculty of Law,
Brussels, 1986, pp. 246-247.
23
 Kh. Brussels, 24 February 1995, Ing.-Cons. 1995, p. 333, note L. MULLER; Rb. Brussels, 17 May 2002, AM, 2003, p. 138.
See also L. DIERICKX, The right to image, Intersentia, Antwerp-Oxford, 2005, pp. 39-42.
24
 Articles 388, 488 and 1123 to 1125 of the Civil Code. Unauthorised minors are absolutely, generally and completely
incapable of acting and are therefore represented. See also FR. SWENNEN, The law of persons and family law, Intersentia,
Antwerp-Cambridge, 2012, para. 265 ff.
25
 In this respect, the Dispute Tribunal refers to section 3.1, A.1 of its dismissal policy, as set out on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschillenkamer.pdf.

 However, on the assumption that in the present case there was in fact a publication of
images of minors, the Dispute Chamber questions to what extent such a publication with
photographs of minors on social media or communication platforms is necessary for the
performance of a task in the public interest entrusted to the defendant or falls within a
legal obligation incumbent on the defendant. The fact that the case in question concerns
young people with a difficult family situation or background should, in the view of the
Dispute Resolution Chamber, at least call for caution, and should even be a reason not to
publish images in which those young people are identifiable, except where parental
consent is obtained in advance for specific processing purposes. Since the defendant is to
be regarded as a Flemish public authority27, it cannot, in accordance with Article 6.1 in
fine AVG, rely on the legitimate interest as a basis for processing personal data.28 In the
absence of a legitimate interest or legal obligation for the publication of images depicting
young people in a recognisable manner, the Dispute Chamber concludes that prior
consent, or at least specific consent, from the parents or the legal guardian is
indispensable.

II.3. Lawfulness of the processing of the complainant's personal data in the context of the service notification dated 7 June 2018

It is established that the defendant has the contact details of the parents and guardians in
order to communicate with them concerning information relevant to the defendant's
relationship with the parents of the young people. The Dispute Chamber assumes that
there is a legal basis for obtaining this data, as referred to in Article 6.1 of the AVG, more
specifically the need for processing in order to comply with a legal obligation (Article 6.1.c)
AVG). For this reason, consent as a legal basis in accordance with the conditions of Articles
4.7 and 7 AVG is not conceivable for obtaining the data. After all, parents of young people
do not have the free choice of whether or not to provide their contact details to the
defendant.
26
 Ibidem, section 3.1, A.2.
27
 Inspectorate Investigation Report, p. 3. See also para. 7 in this decision.
28
 Article 6.1.f) AVG: "Processing is lawful only if and insofar as at least one of the following conditions is met: [...] f) processing
is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing
carried out by public authorities in the performance of their duties." See also para. 67 in this decision.

 The Dispute Tribunal shall examine the extent to which the defendant may share the
complainant's contact details with third parties, in this case the parents of other young
people. Pursuant to Article 5(1)(b) of the AVG, the processing of personal data for
purposes other than those for which the personal data were originally collected may be
authorised only if the processing is compatible with the purposes for which the personal
data were originally collected. Taking into account the criteria set out in Article 6.4 AVG
and Recital 50 AVG29, it should thus be assessed whether the purpose of the further
processing, in this case the communication by e-mail of the complainant's contact details
to the parents of other young people, is compatible or not with the purpose of the initial
processing consisting in the collection of the complainant's contact details within the
context of direct contact between the parents of young people and the respondent. The
Dispute Resolution Chamber concludes that the complainant provided her contact details
within the context of her relationship with the defendant and could not reasonably expect
the defendant to share those same details with third parties who, although they have a
personal relationship with the defendant, since they are parents of other young people, are
outside the relationship between the complainant and the defendant.

 This leads to the conclusion that there is no compatible further processing, so that a
separate legal basis is required for the communication of the complainant's contact
details to the parents of other young people to be lawful. Processing of personal data,
including incompatible further processing as in the present case, is only lawful if there is a
legal basis for it. For incompatible further processing, reference should be made to Article
6(1) AVG and Recital 50 AVG. Recital 50 AVG30 states that a separate legal basis is
required for the processing of personal data for other purposes which are incompatible
with the purposes for which the personal data were originally collected. Those separate legal
grounds on the basis of which a processing operation, including thus incompatible further
processing operations, can be considered lawful are set out in Article 6(1) AVG.
29
 Recital 50 GDPR: [...] In order to assess whether a purpose of further processing is compatible with the purpose for
which the personal data were originally collected, the controller should, after having complied with all the requirements
of lawfulness of the original processing, take into account, inter alia: any link between those purposes and the purposes of
the intended further processing; the context in which the data were collected; in particular, the data subjects' reasonable
expectations based on their relationship with the controller regarding their further use; the nature of the personal data;
the impact of the intended further processing on the data subjects; and appropriate safeguards in both the initial and the
intended further processing.
30
 Recital 50 AVG: The processing of personal data for purposes other than those for which the personal data were
originally collected should only be allowed if the processing is compatible with the purposes for which the personal data
were originally collected. In that case, no separate legal basis other than the one on the basis of which the collection of
personal data was authorised is required. [...]
To that end, the Dispute Chamber shall examine the extent to which the legal grounds
provided for in Article 6.1 of the AVG may be invoked by the defendant in order to justify
the further processing of the personal data relating to the complainant.
The defendant itself does not mention any legal basis which would allow it to carry out
the processing of data which is the subject of the complaint, namely the communication
of the complainant's e-mail address to the parents of other young people. Moreover, the
defendant expressly admits that that communication was an error. The defendant does
not therefore argue that the communication was authorised and does not therefore seek
to justify it by expressly invoking any legal basis.
On the basis of the factual elements available in the file, the Dispute Resolution Chamber
examines, of its own motion, whether there is any legal basis which could allow the
defendant to send the e-mail containing the complainant's e-mail address visible to all
addressees, taking into account that there is a simple technical means of reaching the
intended addressees of the e-mail in a single movement without everyone's e-mail
addresses being visible, namely sending it in BCC instead of CC.
Given the capacity of the defendant31, it cannot, in principle, rely on its legitimate
interest (Article 6(1)(f) AVG) or that of a third party for the communication of the
complainant's e-mail address to other parents.
The other legal grounds contained in Article 6.1.a) to 6.1.e) AVG are not applicable in the
present case either, since
▪ the subject-matter of the complaint and the documents in the case file do not in
any way show that the complainant gave her consent (Article 6(1)(a) AVG) to the
processing in question, nor that the defendant intends to rely on consent;
▪ the Dispute Chamber does not find it plausible that the disclosure of the
complainant's contact details to other parents is necessary for the performance
of an agreement between the complainant and the respondent
(Article 6(1)(b) AVG), nor that such disclosure would result from a legal obligation
incumbent on the defendant (Article 6(1)(c) AVG);
▪ there can be no doubt that the communication of the complainant's e-mail
address was not necessary in order to protect the vital interests of the parents
concerned or of another natural person (Article 6(1)(d) AVG), and that the
communication of the parents' contact details is not necessary for the performance of
a task carried out in the public interest which has been assigned to the
respondent (Article 6(1)(e) AVG).
31
 See para. 60 in fine in this decision.
The Dispute Tribunal considers that the foregoing elements sufficiently demonstrate that
the defendant cannot rely on any legal basis showing the lawfulness of the data
processing operation as initiated by it. Moreover, the defendant does not contest the
facts and states itself that in the e-mail in question which is the subject of the complaint,
the complainant's e-mail address was placed in the field 'CC', together with those of other
parents, instead of 'BCC', contrary to what is provided for in the ICT Code of Conduct for
staff. As a result, the defendant claims that the employee who sent out the
communication committed a breach in relation to the complainant's personal data.
Despite the fact that the documents produced by the defendant show that general
guidelines have been drawn up within its organisation whereby global e-mails are to
include destinations in BCC, the complainant shows that those guidelines were not applied
in practice. In the service note dated 7 June 2018 attached by the complainant and to which
the complaint relates, those guidelines are not complied with. The defendant does not
deny this, but states that the incident occurred as a result of human error and was of a one-
off and incidental nature.
Notwithstanding the improvements made since then, according to the Respondent, the
Dispute Chamber concludes, on the basis of the above elements, that the infringement of
Articles 5, 6 and 4.11 in conjunction with Article 7 AVG has been proven with respect to the
service notice of 7 June 2018, in which the contact details of all recipients remained visible.
In line with the statement in the Inspectorate's report, the Dispute Chamber finds that, on
the other hand, no breach of Article 33.1 AVG can be established, since it is not
established that the data leak resulting from the service communication of 7 June 2018
posed a risk to the complainant's rights and freedoms, and the defendant was therefore
not obliged to report the breach to the GBA.

II.4. Lawfulness of the processing of the complainant's personal data in the context of the sending of newsletters to parents and educators
In its reply to the Inspectorate, the defendant states that it does not regard the newsletters as
direct marketing, but as an essential means of keeping the parents of the young people
staying in the living groups involved, of providing parents with food for thought in
communicating with their children, and of keeping parents informed of activities such as
parent contacts.
The complainant notes, on the other hand, that the electronic newsletters also call on
recipients to support, either by volunteering or financially, Y's initiatives and operations,
as well as promoting external service providers such as travel organisations.
The Dispute Chamber finds, on the basis of the submitted newsletters dated 27 March
2019 and 29 May 2019, that the recipients concerned are being invited to make voluntary
deposits for the benefit of the Y, which does not fall within the Respondent's core mission
as an Organisation for Special Youth Care. Therefore, the Dispute Resolution Chamber
finds that the newsletters in this case do not fall exclusively within the scope of the decree
on integrated youth care, but must also be considered in part as direct marketing
communications. To this end, the Disputes Chamber examines which legal basis as
provided for in Article 6.1 AVG is invoked by the controller.
From the defendant's reply to the Inspectorate's questions32, the Dispute Settlement
Body understands that data subjects can subscribe to the electronic newsletter on its
website via an opt-in. The defendant also states that consents given are kept in
MailChimp, and recipients can unsubscribe via a "reply to newsletter" or via the
"unsubscribe" button at the bottom of each newsletter. In the course of that investigation,
the Respondent was further able to establish that MailChimp did not record any attempt
by the Complainant to unsubscribe via the button provided for that purpose, nor did any
email from the Complainant arrive via the "reply" functionality.
The Dispute Tribunal finds that data subjects are informed in an appropriate manner of
the processing of their personal data for the purpose of sending newsletters and that the
defendant is justified in relying on their consent as the basis for that processing. The Court
also finds that the defendant has taken appropriate measures to enable data subjects to
withdraw their consent easily if they wish to unsubscribe.
Notwithstanding the above, the Court notes that the lack of a clear distinction between
service notices and electronic newsletters may, however, lead to confusion for data
subjects as to the precise lawfulness ground.
32
 Piece 12, pp. 1-2.

Indeed, the consent of data subjects does not constitute an appropriate basis for
communications which must be considered necessary for the provision of services, such as
communications on parental contacts, or communications which have their origin in a
legal obligation incumbent on the controller, such as in this case the involvement of
parents and guardians in the provision of youth care33. Nevertheless, it is not for the
Dispute Tribunal to determine which specific legal obligation the defendant may or may
not invoke as a basis for its service communications to parents and carers, in the context
of its core tasks.
Following the above findings, the Dispute Resolution Chamber concludes that the
defendant in the present case did not sufficiently inform the parties concerned about the
distinction between service announcements and communications directly related to its
core mission, on the one hand, and communications to be qualified as direct marketing,
on the other hand. In this respect, the Court stresses in particular the importance of an
appropriate legal basis for both necessary service communications and electronic
newsletters which voluntarily inform parents or guardians of the day-to-day functioning of
the organisation.
In the absence of clear information on the different categories of electronic
communications to parents and carers, both in the online privacy notice and in the
welcome brochure, the Dispute Chamber finds that the defendant has violated Articles 12
and 13 AVG.
33
 The Dispute Tribunal refers in particular to the joint commitment envisaged by Article 8 of the Decree of 12 July 2013
on integrated youth care, B.S. , 13 September 2013, applicable to the defendant:
"Integrated youth care" refers to cooperation and coordination in youth care with the aim of making a joint commitment on
behalf of minors, their parents and, where appropriate, their carers and the persons involved in their environment and for that
purpose:
1° to work towards the socialisation of youth care;
2° to organise timely access to youth care;
3° to ensure the flexibility and continuity of youth care services, including the seamless transition to other forms of care;
4° to deal appropriately with situations of concern in youth care;
5° to provide a subsidiary offer of crisis youth care;
6° to enable them to participate as much as possible in youth care;
7° to achieve an integrated approach in the organisation and provision of youth care services."

II.5. Obligation to document security incidents and to notify the Data Protection Authority
The Inspectorate notes in the course of its investigation that the defendant's internal
procedure for dealing with security incidents does not explicitly provide for the systematic
inclusion of erroneously sent e-mails as incidents in its own data leakage register, and that
the form used for following up security incidents does not provide for mandatory
reporting to the GBA.
The Court recalls that a controller must document all breaches as interpreted in Article
33.5 of the AVG, regardless of whether the breach must be notified to the supervisory
authority:
"The controller shall document all personal data breaches, including the facts of the
personal data breach, its consequences and the remedial measures taken. Such
documentation shall enable the supervisory authority to monitor compliance with this
Article. "
In the absence of a determination by the Inspectorate regarding the inclusion of the data
breach following the service notification dated 7 June 2018 in an internal incident register of
the Respondent, the Dispute Chamber is unable to conclude that there has been a breach
of the AVG and of data protection regulations. As a result, the Dispute Chamber decides
to order the dismissal of the prosecution as regards this point. However, the Dispute
Resolution Chamber takes note of the defendant's intention to have incident reports
submitted via the Intranet in the future, which will be followed by an automatic email to the
employee concerned with follow-up steps, a reference to the modified incident procedure
and some examples of data breaches.
As regards the additions to the internal procedure proposed by the Inspectorate, in
particular the obligation to notify the GBA of personal data breaches, the Court refers to
the explanation given above concerning the GBA's general competence for compliance
with the AVG34.

II.6. Register of processing operations
The Dispute Settlement Body agrees with the Inspectorate's finding that the register of
processing operations is incomplete and unclear. Article 30 of the AVG explicitly provides
that the register shall contain, inter alia, the name and contact details of the controller
and any joint processing controller and, where applicable, of the representative of the
controller and of the Data Protection Officer. In addition, the controller should describe
the envisaged time limits within which the different categories of data are to be erased,
taking into account that vague time limits such as "retention period unknown" or "lawful
retention period" do not provide sufficient clarity. Finally, the description of the
organisational and technical measures taken should allow for an understanding of the
precise effect of the measures in order to assess the extent to which they adequately
protect the personal data concerned.
Given the absence of the aforementioned information in the register of processing
activities of the defendant at the time of the investigation, the Dispute Chamber considers
that the infringement of Article 30 AVG has been sufficiently proven.
34
 See para. 40-50 in this decision.

III. Publication of the decision
In view of the importance of transparency with regard to the decision-making of the
Dispute Resolution Chamber, this decision is published on the GBA website. However, it is
not necessary for the parties' identifying data to be published directly for this purpose.
FOR THESE REASONS,
the Dispute Chamber of the Data Protection Authority shall, after deliberation, decide to:
- pursuant to Article 100 § 1, 1° WOG, dismiss the complaint as regards the taking and
publication of the image of the complainant's underage son, without her prior
consent;
- pursuant to Article 100, § 1, 2° WOG, to order the removal from the register of the
data leak of 7 June 2018 in the internal incident register;
- on the basis of Article 100 § 1, 5° WOG, issue a warning to the defendant with regard to
the notification of personal data breaches to the Data Protection Authority, in
accordance with Article 33 AVG;
- on the basis of Article 100, § 1, 5° WOG, issue a reprimand against the defendant for
the infringement of Articles 5, 6 and 4.11 in conjunction with Article 7 AVG in the
context of the service announcement of 7 June 2018, in which the contact details of all
addressees remained visible;
- on the basis of Article 100 § 1, 5° WOG, issue a reprimand against the defendant for
the infringement of Articles 12 and 13 AVG for the lack of transparency in the
defendant's privacy statement regarding the processing grounds for the service
communications to parents and educators, on the one hand, and the newsletters to be
considered as direct marketing, on the other hand;
- order the defendant, pursuant to Article 100 § 1, 9° WOG, to bring its privacy
statement into compliance with Articles 12 and 13 AVG;
- order the defendant, pursuant to Article 100 § 1, 9° WOG, to bring the register of
processing activities into line with Article 30 AVG;
Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged
with the Marktenhof, with the Data Protection Authority as defendant, within a period of
thirty days from the notification.
(Signed) Hielke HIJMANS
President of the Dispute Chamber