Court of Appeal of Brussels - 2020/AR/813
The Court of Appeal of Brussels held the Belgian DPA violated the principles of proper administration by only orally mentioned additional violations to the controller at the hearing, and later basing its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.
English Summary
Facts
This decision is an appeal of decision 24/2020, where a customer (the data subject) of an insureance company (the controller) claimed that its health data was used for a purpose to which he did not explicitly agree by the controller. The DPA upheld the complaint and stated that there was a lack of transparancy in the controller's privacy policy as it did not demontrate any legitimate interest. Therefore the controller violated Article 5(1)(a) and (2), Article 6(1), Article 12(1), Article 13(1)(b) and (c) GDPR. The DPA imposed a fine of €50.000.
The controller appealed the decision of the DPA at the Court of Appeal of Brussels and raised the following pleas:
- The decision was void because of a lack of reasoning regarding the legal basis for
- the processing of personal data with regard to the purposes set out in Article 4.3 of its Privacy Statement, and
- the transfers to third parties set out in Article 6 of its Privacy Statement.
- It should have been able to rely on its legitimate interests for the processing of personal data for certain purposes and for transfers to third parties.
- When it could not rely on its legitimate interests, it should have been able to rely on legal grounds other than the consent.
- The decision violates its freedom of enterprise.
- The fine was disproportionate.
In response the DPA requested the Court to declare the appeal unfounded, as:
- the contested decision was properly reasoned in law and in fact. It was based the information available, in view of the active duty of responsibility of the controller. The balancing of interests provided by te controller did not change this. (regarding the controllers's 1st to 4th plea)
- the decision did not unlawfully restrict the controller's ability to stop the violations found. The fact that the GBA, based on the information at its disposal, presumed that it was possible to use consent as a legal basis does not affect the lawfulness of the decision. (regarding the controller's 2th and 3th plea)
- the fine was not disproportionate in the light of the various violations found. Each of the violations established (including the uncontested ones) could justify the fine. (regarding the controller's 5th plea)
Holding
The Court of Appeal stated the DPA violated the principles of proper administration. The DPA orally mentioned additional violations to the controller at the hearing. The DPA later based its decision on these additional violations. The Court held that the controller must be able to defend itself properly against the additional alleged violations in writing.
The Court annulled the decision and ordered the DPA to pay the costs of proceedings. Furthermore, the Court noted that if an administrative fine would still be at issue, the DPA had to reduce the amount.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
,Brussels Court of Appeal -2020/AR/813 - p. 2 ON: X. [...], requesting party, represented by [...] and [...] against the decision of the Disputes Chamber of the GBA of 14 May 2020, number 24/2020 file DOS-2019-02902. AGAINST: The DATA PROTECTION AUTHORITY. public institution under Belgian law, ON 0694.679.950, with registered office 1000 BRUSSELS, Drukpersstraat35, defendant, represented by mr. ROETS Joos, Mr. CLOOTS Elke and Mr VAN DIEST Thomas, lawyers, all office in 2018 ANTWERP, Oostenstraat 38/201 *** 1. Jurisdiction of the Market Court: The Court of Appeal derives its jurisdiction from an application lodged with the registry of the Court of Appeal in Brussels on June 12, 2020 by X against the DATA PROTECTION AUTHORITY (hereinafter "GBA"). With this petition, X appeals to the Market Court against the decision of the Dispute chamber of the GBA of 14 May 2020 number 24/2020 file DOS-2019-02902. 2. The claims before the Market Court: By opinion lodged at the registry on September 9, 2020, X . claims First to declare the (limited) appeal of X admissible and admissible and therefore: r PAGE 01-00001823325-0002-0040-02-01-� L _J,Court of Appeal Brussels - 2020/AR/813 - p. 3 In main order: • annul the Decision for lack of motivation; In subordinate order: • to rule that X did not infringe Article 6(1) of the GDPR, to the extent that the processing of personal data for the following purposes (Article 4.3 of the X}'s privacy statement can be made on the basis of another in Article 6 (1) GDPR legal basis other than the consent of the data subject (Article 6(1)(a) GDPR}: ► performing computer tests; ► monitoring the quality of the service; ► training staff; ► monitoring and reporting; ► the storage of video surveillance recordings during the legal period; ► and ► compiling statistics on encrypted data, including big data; • to consider that X does not infringe Article 6(1) of the GDPR, to the extent that the transfer transfers of personal data to the following third parties (Article 6 of the Privacy Statement of X) can be made on the basis of another provided for in Article 6 (1) of the GDPR legal basis other than the consent of the data subject (Article 6(1)(a) GDPR}: o the companies of the Zwaartoe Xbelongs group, for ► monitoring and reporting; and ► subcontractors in the European Union or beyond, responsible/verifiable for ► processing activities defined by X; • to rule that X did not infringe the provisions of Article 5(2) of the GDPR accountability, to the extent that X invokes its legitimate interest (Article 6, paragraph 1 lit. f) GDPR} as the legal basis for the processing operations referred to in the first two points of personal data; • to rule that X did not infringe Article 13(1)(c) and d) GDPR, to the extent that X invokes its legitimate interest (Article 6(1)(f) GDPR} if legal basis for the processing of personal data referred to in the first two points; • to rule that X has not infringed Article 5(1)(a) GDPR, to the extent that X invokes its legitimate interest (Article 6(1)(f) GDPR} if legal basis for the processing of personal data referred to in the first two points; and impose a warning on X. In more subordinate order: rPAGE □1- □□□□ 1823325-0003- □040-02-01-� L _J,Court of Appeal Brussels -2020/AR/813 - p. 4 • should an administrative fine still arise, quad non, the amount of the administrative fine. In each case: • order the GBA to pay the costs of the appeal proceedings, including the court fee. By decision lodged on September 30, 2020, the GBA claims: - In main order; declare the applicant's application unfounded; In any event, order the applicant to pay the costs of the proceedings, including the basic amount of the legal compensation, estimated at 1,440 euros. 3. The facts: The various parties provide their own facts. The Marktenhof hereby only reiterates the factual account of the GBA. The GBA summarizes as follows: 1. On June 14, 2019, Mr. V (hereinafter: 'the complainant') lodge a complaint with the Data Protection Authority (DPA) against X (document 1). The complaint concerns the use of health data that X as insurance company has obtained from the complainant in the context of a hospitalization insurance- for certain other purposes, without the express consent of the insured person. Deck bearing set (piece1): "X acquires through coercion the right to process sensitive personal data for the granting of his hospitalization insurance. The customer can only access through explicit consent to agree to all processing, otherwise no coverage can be provided be given for hospitalization insurance. This is logical for processing essential for the performance of the obligations. However, there are no legitimate interests for the processing operations listed in point 4.3. The customer should be given the choice whether to agree to this and will not get it. Even online on X one can only agree to everything and the customer only gets 1 single option. Passing on to third parties is also not allowed without permission unless a legal obligation exists. This is not the case for many transfers in [point 6], the customer has no choice here either. We wish that the customer for this matters in point 4.3 and [6] can give individual consent, that X are forms r PAGE □1- □□□□ 1823325- □□□ 4-□□ 4□-□ 2- □1-� L _J,Court of Appeal Brussels -2020/AR/813 -p. 5 and that all customers receive a new form with the custom options." In other words, the complaint is not aimed at the processing of health data for the performance of obligations in the context of the hospitalization insurance that was concluded with X. The complaint focuses on the fact that the same health data be processed without further ado for the purposes listed in point 4.3. of the privacy statement and with the transfer of that data to third parties as stated in point 6 of the same privacy statement. More specifically, the privacy statement of X(document1, appendix) states: "2. The following categories of personal data are processed by X: identification data, Financial details, Personal characteristics, Physical data, Lifestyles, Leisure activities and interests, Image recordings, Sound recordings, Health data and Judicial data. 3. X mainly collects your personal data when: • you take out X insurance for yourself or a third person, such as a member of your family, by completing the necessary documents; • you contact X for information about our products and services; • you the different services and tools (applications, personal platforms, newsletters, etc.) that we make available to inform you or to contact us to request information; • you exercise a right established as part of our contractual relationship; • you visit our websites or social networks; • you visit our buildings: for security reasons your visit will be video recorded and preserved by CCTV cameras; • a third party authorized to do so provides us with your personal data (professional service providers, your insurance intermediary, your employer as part of a group insurance policy, a healthcare provider, etc.) 4. Personal data is processed for the following purposes:[...] 4.3. Based on the legitimate interest of X,, for: • performing computer tests; [1] • monitoring the quality of the service; [2] • training staff; [3] • monitoring and reporting; [4] • preventing abuse and fraud; [5] • the storage of video surveillance recordings during the legal period; [6] • compiling statistics on coded data, including big data; [7] r PAGE 01-00001823325-0005-0040-02-01- � L _J,Court of Appeal Brussels -2020/AR/813 - p. 6 • providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs. [B] [...] 6. The data will only be used for what is necessary for the above purposes are communicated to the following third parties: • Insurance intermediaries for the statistical purposes of coded data that they will explain at the request of the person concerned and produce; [1] • Insurance intermediaries, for health data, in compensation statements and in the copy of the insurance contract with any exclusions and/or additional premiums, if the person concerned informs them beforehand has given explicit and informed consent; [2] • Health insurance funds, for facilitating reimbursements; {3} • One or more insurance companies in case of co-insurance, assistance and/or recovery of costs in the event of liability of a third party at the occurrence of the damage; [4] • The companies of the Z group to which X belongs, for monitoring and reporting; [5} • Subcontractors in the European Union or beyond, responsible/verifiable for processing activities defined by X; {6] • The insurance ombudsman in the event of a dispute; [7] • Banking institutions; [B] • Postal, transport and delivery companies to better send our mail; {9] • Tax and social administrations, due to legal obligations from X; {10) • The public supervisory and controlling authorities, because of the legal obligations of X; [11) • The IPT (Insurance Premium Tax) to which you are, if applicable subject to the payment of the international tax.[12)" In addition, X's consent form (document 1, appendix) provides: "[...] I declare that I have read the attached X Privacy Statement (which is also available on the X website [...] under 'Privacy' section or on paper request to X). I acknowledge that my personal health data may only be processed with my permission. However, if I don't give permission, then it can close and/or the proper execution of the insurance contract are prevented. I further acknowledge that I have the right to withdraw my consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. [...] I hereby give my express permission to X to use my process health data (or that of the minor whose data I have r PAGE □ 1-□□□ 01823325- □□□ 6- □□ 4□-□ 2-□ 1-� L _J,Court of Appeal Brussels - 2020/AR/813 - p. 7 legal representative), if necessary by means of full automated processing, without the intervention of a professional in the healthcare, for risk assessment, management of (pre)contractual relationships, the issuance and execution of insurance contracts, claims management, possible dispute resolution, prevention, detection and investigation of insurance fraud, and notification of an amendment to the insurance contract.,, Finally, the complainant indicated that it wanted a data protection impact assessment received from X as it involves the processing of high-risk data for those involved. 2. On 26 June 2019, the complaint was declared admissible under Articles 58 and 60 of the law of December 3, 2017 establishing the Data Protection Authority {WOG), the complainant was informed on the basis of of Article 61 of the WOG and the complaint pursuant to Article 62, §1 of the WOG was forwarded to the Dispute Chamber of the GBA. 3. On July 23, 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file was ready for treatment on the merits. On July 24, 2019, the involved parties {complainant and X) were therefore notified of the provisions as stated in art. 95, §2 WOG as well as those in art. 98 WOG. In its notification to X, the Disputes Chamber stated, among other things (document 6): "The complaint concerns the processing of sensitive personal data by X in the under a hospitalization insurance, whereby the explicit consent of the person concerned would be enforced. A copy of the complaint, as well as the inventory of the documents in the file will be sent to you as an attachment.,, The parties involved were also notified, pursuant to art. 99 WOG notified of the time limits for submitting their defences. The latest date for receipt of the conclusion of reply from X was recorded on September 6, 2019. Subsequently, the complainant submit a statement of reply by 7 October 2019 at the latest and X could submit statement of reply by no later than November 2019. Also, on 30 July 2019 sent a copy of the file to X. 4. On September 6, 2019, the Disputes Chamber received the statement of defense because of X. Here X {piece 13 stated): firstly, that processing special categories of personal data, in this case health data, by health insurer X in a lawfully done. The processing of these special categories of personal data is in principle prohibited {art. 9 GDPR). X invokes the · processing of health data, however, on the exceptional ground of Article 9 para. 2 a) GDPR, in particular the ground for exception "explicit consent of the r PAGE 01-00001823325-0007-0040-02-01- � L _J,Court of Appeal Brussels - 2020/AR/813 - p. 8 person concerned'. X further emphasized (piece 13, p. 9): "In this case, the consent is only requested for the processing of health data necessary for insurance contracts concluded with X. The data is necessarily processed for risk analyses, claims handling and settlements." X also argued (document 13, p. 10 et seq.) that we/definitely no permission is requested for processing of data other than health data, nor is consent sought for the processing based on legitimate interest. With regard to point 4.3 of the Privacy statement emphasizedX (piece 13, p. 10-11): "In his complaint, the complainant points out that a 'separate consent' would be necessary for the processing operations listed in Art. 4.3 of the Privacy declaration. The complainant argues that X "forces" the person concerned to to consent to the processing in Art. 4.3 and them to the point gives no choice. However, the complainant's assertion is based on a misreading of the Privacy Statement and Consent Form. [...] [X] invokes the legitimate interest to obtain certain be able to process personal data (art. 4.3 Privacy statement). X processes this data to perform tasks related to its business activities For example, it is perfectly normal that X processes personal data to prevent abuse and fraud. [...] The complainant cites that the "customer [should] be given the choice whether to use [Art. 4.3 of the Privacy Statement].” However, this view is consistent not with the structure of the Privacy Statement. For the processing that are listed in Art. 4.3 (legitimate interest) is no consent required, since [X] invokes the justified interest. In this case, it concerns "ordinary" personal data, where one can perfectly invoke the legitimate interest and should not fall back on the permission as in the case of health data. [...] Nor does the Consent Form contain any consent for such processing. A clear distinction should therefore be made made between the Consent Form on the one hand and the Privacy statement on the other hand. The scope of the Consent Form is limited to the health data of those involved. Although there is a message made from the Privacy Statement, but this is at most proof of acquaintance with the transparency obligations of Chapter II/GDPR to fulfil. [...] rPAGE □1- □□□□ 1823325- □□□ 8- □□4□-□ 2- □1-� L _J,Court of Appeal Brussels -2020/AR/813 - p. 9 Therefore, no reference is made in this Consent Form to other data, such as data processed on the basis of the legitimate interest for the purposes set out in Art. 4.3 of the Privacy declaration. It can be concluded in conclusion that X in no way asks for permission (and the data subject therefore in no way gives his consent) for the processing operations listed in art. 4.3 of the Privacy Statement. [...]" In addition, regarding point 6 of the Privacy Statement, X stated that X did not must request separate consent for each of the transfers listed therein. X emphasized, in line with what she stated regarding point 4.3 of the Privacy Statement (piece 13, p. 12-13): "To be able to pass on personal data (read: to process) is a legal requirement basis needed. As discussed earlier, X does not only process personal data by relying on consent as a legal basis. She also invokes relies, as the case may be, on the performance of the agreement, the legitimate interest and the legal obligation. [...] For each of the persons mentioned in Art. 6 of the Privacy Statement is set out below an overview on the basis of which legal basis the transfer takes place." In the aforementioned overview, X stated, inter alia, with regard to the following two categories of transfer: "The companies of the Z group to which X belongs, for monitoring and reporting.Legitimate interest Subcontractors in the European Union or beyond, responsible for processing activities defined by X. Legitimate interest." XContinued: "It is clear from this that the difference/purposes stated in Art. 4 of the Privacy Statement, in particular the execution of the agreement, the consent, the legitimate interest and the legal obligation as legal basis for the transfer to specific persons." Finally, X argued that a data protection impact assessment in the present case was not necessary, as it involved pre-existing processing concerned and he did not act on new processing operations that started after May 25, 2018. 5. The complainant, for its part, did not submit a reply. X reported on 7 November 2019 that it would therefore not submit an (additional) statement of reply. However, in addition to its justification with regard to point 4.3 and point 9 of its Privacy statement, an overview of case law and legal doctrine submitted to the Disputes Chamber, in support of its first conclusion of 6 September 2019 (document 17, with 8 appendices). IPAGE □1-□□□ 01823325- □□□ 9-□□ 4□-□ 2-□ 1-� L _J,Court of Appeal Brussels -2020/AR/813 -p. 10 6. The Disputes Chamber subsequently organized a hearing on 28 January 2020, where X was heard. The complainant, although duly summoned, did not appear on the hearing. During the hearing, the Disputes Chamber requested X to (among other things) to provide justification for the legitimate interest on which X relies for the processing of data other than health; where X as follows replied (piece 23, p. 2): "The Disputes Chamber asks what constitutes the legitimate interest in which X invokes what would be the processing of non-health data based. X argues that it is important to expand its economic activity. X states that the complainant can object to this" (opt-out system). The The Disputes Chamber asks how the exercise of this objection is facilitated. X states that usually collective objections are submitted, mainly/primarily for direct marketing purposes, through [...], but less individually. DPO of X answers such requests for data, other than health data, should not be process. The Disputes Chamber states that it follows from the privacy statement (point 4.3.8} that for direct marketing no consent is required. X states that she adheres to all legal provisions on direct marketing, but direct marketing almost is non-existent with X. It is only as a precaution (for possible direct marketing in the future) that this purpose is included in the privacy declaration." 7. On January 29, 2020, the minutes of the hearing was sent to the parties transferred (pieces 24 and 25). On January 31, 2020, X, as requested during the hearing, information on the annual turnover of the last three financial years to the Dispute room. Over the years 2016-2018, this annual turnover always amounted to an amount between [...] and [...] million euros (documents 26 and 27). On February 6, 2020, X also made some comments on the official report to the Disputes Chamber (document 28), which will be the Geschilenkamer were taken into consideration during the deliberations (document 38, p. 4). With regard to the representation, in the PV, of the general question of the justified interest that X invokes to process other than health data (as well as the brief answer from X), X did not formulate any reservations or objections. Only X made the following comment about direct marketing (piece 28, p. 2): "With regard to the last paragraph on page 2, we point out that the complaint in this file does not relate to the direct marketing policy of X. The processing of personal data for the purpose of direct marketing was only allowed raised as an example of how to exercise an objection to the processing of personal data based on the legitimate interests of X, is facilitated. However, during the hearing we emphasized that the GDPR (more specifically recital 47) confirms that direct marketing can be carried out on the basis of its legitimate interest: "The processing of personal data for the benefit of rPAGE 01-00001823325-0010-0040-02-01- � L _J,Court of Appeal Brussels - 2020/AR/813 - p. 11 of direct marketing can be regarded as carried out with a view to a legitimate interest." Consent (opt-in) is required for certain forms of direct marketing, in In other cases, however, personal data may be processed for direct marketing purposes based on X's legitimate interests. This is for example, the case when X sends direct marketing to existing customers as the conditions of the Royal Decree of April 4, 2003 to regulation of the sending of advertising by electronic mail has been complied with." 8. On 25 March 2020, the Disputes Chamber, with due observance of the judgment of 19 February 2020 of your Court, informed X of the intention to proceed with the the imposition of an administrative fine, and the contemplated amount thereof, in order to hear X about this, before the sanction would actually be imposed (document 30). In addition to an announcement of the infringements that the Disputes Chamber intended to t pose, the Disputes Chamber also reported (document 30): "2. The Disputes Chamber intends to impose a fine of: 50,000 euros 3. The following circumstances in particular play a role: • It concerns violations of essential principles of the General Data Protection Regulation. • Defendant is a company that collects personal data on a large scale, including health data processed. • A high degree of negligence has been established. • The complaint and procedure at the Disputes Chamber did not lead to a adaptation of practices. 4. The amount of this amount is based on the following considerations: • Seriousness of the infringement er there is a serious violation of the GDPR by the defendant. First and foremost there is a breach of fundamental data protection principles. In addition, this infringement has a relatively large impact, as there is a large number of persons involved have been affected by this infringement (all-insured persons who have affiliated hospitalization insurance with X). • The duration of the infringement: From what the defendant has put forward in the proceedings before the The Disputes Chamber does not show that the smell has ended and has therefore continued until January 25, 2020. The Disputes Chamber does not take any adjustments into account made after the debates on the findings have been concluded. • The necessary deterrent effect to prevent further infringements. The whole of the elements set out above justifies a effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria specified therein. • The Disputes Chamber relies on the following annual figures of defendant: The documents you have submitted are based on an annual turnover of EUR [...] for 2018." rPAGE 01-00001823325-0011-0040-02-01-� L _J,Court of Appeal Brussels -2020/AR/813 - p. 12 9. On May 8, 2020, the Disputes Chamber received X's response to the intention to the imposition of an administrative fine, as well as regarding the intended amount thereof (piece 37). In its response, X argued that the alleged infringements, such as included in the notification of the intention to impose an administrative fine, would be completely new and that X was unable to take a position on this matter to take. X also stated that it disagreed with the imposition of a fine, as well as with the intended amount of the fine (document 37). 10. Subsequently, the Disputes Chamber took the contested decision No 24/2020 on 14 May 2020, which is currently being challenged in your Court (document 38). In this decision, the Disputes Chamber established the following infringements of the GDPR (document 38, p. 14}: • "Breach of art. 6.1GDPR: o the data processing for the purposes stated in parts 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, without any evidence legitimate interest, is wrongly not based on the consent of the complainant in the absence of any other possibly applicable legal ground in art. 6.1 AVG. o the data processing for transfers to third parties mentioned in section 5 and 6 included under 6. of the privacy statement, without any evidence legitimate interest, is wrongly not based on the consent of the complainant in the absence of any other possible applicable legal basis in art. 6.1 GDPR. • Infringement of the provisions of article 5.2. GDPR enshrined accountability, in to the extent that the defendant invokes its legitimate interest as a legal basis •for the data processing specified above. Infringement of art. 12.1, art. 13.1, c) and d) GDPR, as well as on Art. 13.2 b) GDPR, in to the extent that the defendant has not provided the required information to the complainant and has failed to take the appropriate measures to ensure that the complainant Articles 13 and the information referred to in art. 21.2 GDPR referred to communication in in connection with the processing, in particular: o the points 4.3 and 6 of the privacy statement do not make a clear distinction make between the processing of health data on the one hand, and the processing of the other 'ordinary' data on the other. o no information is provided to the data subject regarding his legitimate interests. o no appropriate measures have been taken to inform the data subject regarding, among other things, the provisions in art. 21.2AVG guaranteed upright objection. o the processing basis for all transfers not in the privacy statement to be mentioned. • Infringement of the in art. 5.1.a} enshrined basic principle that personal data must are processed in a manner that is lawful, fair and transparency." r PAGE 01- 00001823325-0012-0040-02-01-� L _J,Court of Appeal Brussels -2020/AR/813 - p. 13 The (most) relevant parts/motives of the decision in this case are set out below: displayed. With regard to point 4.3 of X's privacy statement, the Disputes Chamber considered (among others) (document 38, p. 6 ff.): 1a} Purposes in 4.3 of the privacy statement - Processing ground (art. 6.1 AVG} The Disputes Chamber establishes that the problem presented by the complainant relates to has on point 4.3 of the defendant's privacy statement, which states that personal data is processed on the basis of the legitimate interest of X, for the following purposes: • performing computer tests; [1 Y • monitoring the quality of services;[2] • training staff;[3} • monitoring and reporting;[4] • preventing abuse and fraud;[S] • the storage of video surveillance recordings during the legal period period;[6} • compiling statistics on coded data, including big data;[?] • providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs.[B] [...] The defendant argues in this regard that for the processing operations listed in 4.3 of the privacy statement no consent is required, as the defendant for the purposes stated therein, in accordance with Article 6.1f}GDPR, invokes the legitimate interest as the legal basis for the processing. The defendant argues that he can rely on that legal basis, since only 'ordinary' personal data are processed for those purposes and no permission from the data subject is required as in the case of health data as referred to in article9GDPR. The defendant argues that for the purposes set out in point 4.3 of the privacy statement, although personal data are processed, but no health data. The Disputes Chamber has established that for the processing of personal data, other than health data, the lawfulness of the processing should be assessed in the light of art. 6.1 GDPR that six secondary processing grounds including the legitimate interest (art. 6.1.f}GDPR} to which the defendant appeals in this case. The Disputes Chamber emphasizes, however, that when a controller relies on a legitimate interest to processing as lawful, in accordance with the jurisprudence of the European Court of Justice three cumulative conditions [..] must be met in order for the processing of personal data to be lawful, namely, first rPAGE 01-00001823325-0013-0040-02-01-� L _J,Court of Appeal Brussels -2020/AR/813 -p. 14 place, the representation of a legitimate interest of the data processing controller or of the third party(s) to whom the data is provided, in the secondly, the necessity of the processing of the personal data for the representation of the legitimate interest and, thirdly, the fact that the fundamental rights and freedoms of data subjects person do not prevail. This requires a balancing of the interests or fundamental rights and fundamental freedoms of the data subject (Art. 6.1.f) GDPR) and in this balancing the considerations of the GDPR related to Art. 6.1.f) GDPR eligible [...] be taken, in particular Recital 47. Thus, the Disputes Chamber is of the opinion that for each of the purposes stated in point 4.3 of the privacy statement, it should be checked to what extent the the defendant can invoke the legitimate interest as a legal ground on which processing is based. Recital 47 of the GDPR focuses on the fact that a careful assessment is required to determine whether a legitimate interest, as well as to determine whether a data subject at the time and in the context of the collection of the personal data may reasonably expect that processing for that purpose can take place. On the basis of the elements available to the Disputes Chamber, it is of the opinion that the defendant can base the data processing on the justified importance for the purpose/statement of "preventing abuse and fraud" as stated in part 5 of point 4.3 of the privacy statement. After all, it is certain that the processing of personal data for this purpose is necessary for the representing the legitimate interest of the defendant and that this interest outweighs the complainant's interest in protecting his/her personal data. In this regard, the Disputes Chamber refers to recital 47 of the GDPR, which states that the processing of personal data that is strictly is necessary for fraud prevention a legitimate interest of the is the controller. The Disputes Chamber adds that notwithstanding the claim of the defendant that no health data is processed for the purposes in 4.3 of the privacy statement, including the purpose of "preventing misuse and fraud", it is nevertheless clear from the consent form that the explicit consent is requested to process health data for, among other things, "prevention, detection and investigation of insurance fraud." The The Disputes Chamber establishes here that there is an incoherence between what the defendant in declares his conclusion and what determines the consent form and comes to this back to the assessment of the obligation of transparency that rests on the defendant. The purpose stated in section 8 of point 4.3 of the privacy statement "the providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs" that should be qualified as direct marketing, is also possible � r PAGE 01-00001823325-0014-0040-02-01- L _J,Court of Appeal Brussels- 2020/AR/813- p. 15 on the basis of the legitimate interest, but must be read in conjunction with Art. 21.2 GDPR, which provides that the data subject has the right at any time to to object to the processing of personal data concerning him for direct marketing, including profiling related to direct marketing. The Disputes Chamber will also return to this when assessing the transparency obligation on the part of the defendant. For the other purposes included in art. 4.3 of the privacy statement is the The Disputes Chamber is of the opinion that there is no legitimate interest in on behalf of the defendant that would outweigh the interests and fundamental rights of the complainant to the protection of his personal data. Recital 47 stating that a legitimate interest may be present when there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer, according to the Disputes Chamber does not mean that in the context of that relationship in which the complainant is acting as a customer of the defendant, a data processing would be possible are for any purpose. The defendant does not demonstrate in any way what his legitimate interest would consist of and also fails to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, although he is obliged to do so by virtue of his accountability (art. 5.2.GDPR}. The Disputes Chamber is therefore of the opinion that the infringement of art. 6.1 GDPR is proven, since the data processing for the purposes stated in the parts 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, without any demonstrated legitimate interest, must be based on the consent of the complainant in the absence of any other possibly applicable legal ground in art. 6.1 GDPR. The diversity of purposes listed in 4.3 of the privacy statement brings the Disputes Chamber to the decision that for each of those purposes separately the possibility should be given to the complainant, and by extension to all data subjects who use the service offered by the defendant, in order to not consent to the processing of his personal data. The The Disputes Chamber refers in this regard to the Guidelines on consent in accordance with Regulation 2016/679, which provides: a service may include multiple processing activities for multiple purposes. In In such cases, data subjects should be able to choose freely which purpose they accept, instead of having to grant permission for a package from processing purposes. In a particular case, according to the GDPR, it may be be justified in having to obtain multiple consents for using the provision of a service is commenced." With regard to point 6 of X's privacy statement, the Disputes Chamber also considered (among others) (document 38, p. 12 ff): "In addition to 4.3 of the privacy statement, the complainant also states that with regard to point 6 of the privacy statement, which relates to the transfer of personal data rPAGE 01-00001823325-0015-0040-02-01- � L _J,Court of Appeal Brussels -2020/AR/813 -p. 16 to third parties, poses a problem because he is not given the choice here either offered to decide whether or not to transfer his personal data to third parties to agree. The complainant states that transfers to third parties are not allowed without permission are permitted, unless there is a legal obligation to do so. The defendant argues that it does not rely solely on the consent as legal basis for the transfer of personal data to third parties, but on the other hand, also, depending on the case, to rely on the implementation of the agreement, the legitimate interest and the legal obligation and specifies for each of the categories of third parties mentioned in 6. of the privacy statement, each time on which legal basis the transfer is based. [...] The Disputes Chamber notes, however, that for both the transfer to "De companies of the Z group to which X belongs, for monitoring and reporting", if the transfer to "Subcontractors in the European Union or beyond, controller/verification for processing activities defined by X", de defendant relies on his legitimate interest as the legal basis for the processing. However, the defendant does not demonstrate in any way what is justified interest would exist and also fails to demonstrate to what extent his interest would prevail outweigh the interests and fundamental rights of the complainant, even though he is held on the basis of its accountability obligation (Art. 5.2 and 24 GDPR). The The Disputes Chamber also refers to the requirements for the use of the processing basis legitimate interest arising from the previously cited case law of the European Court of Justice. The Disputes Chamber is therefore of the opinion that also with regard to the transfer of personal data to third parties the infringement of art. 6.1 GDPR is proven, as the data processing for the transfers to third parties mentioned in parts 5 and 6 included under 6. of the privacy statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other possibly applicable legal basis in art. 6.1AVG." With regard to the requirement of transparent information (art. 5.1.a), art. 12.1 and art. 13.1 and 13.2 GDPR}, the Disputes Chamber observed (among other things) with regard to point 4.3 and point 6 of the privacy declaration: With regard to point 4.3 of the privacy statement (document 38, p. 9): Under the GDPR, the controller is obliged to inform the data subject a concise, transparent, comprehensible and easily accessible form and in _clear and plain language to inform (art. 5.1.a), art. 12.1 and art. 13.1 GDPR}. The Disputes Chamber notes that, with regard to 4.3 and 6 of the privacy statement, the defendant falls short of that obligation. ;i r PAGE 01-00 □□ 1823325-0016- □□4□-□ 2- □1- L _J,Court of Appeal Brussels-2020/AR/813- p. 17 75 0 First, the defendant fails to make a clear distinction between the processing of health data on the one hand, and the processing of the other 'ordinary' personal data on the other hand and this for each of the purposes of 4.3 of the privacy statement, as for each of the transfers of 6 of the privacy declaration. Such a distinction is, however, of fundamental importance to determine the legal basis on which the processing can be based for a specific purpose or transfer to a third party (art. 13.1.c}GDPR}. [...] In addition, the privacy statement only states that for the . mentioned in 4.3 purposes personal data are processed on the basis of the justifiable interest of the defendant without indicating from which that legitimate interest then exactly would exist, while art. 13.1.d) GDPR does require that the controller is obliged to provide the data subject with information about its legitimate interests, if the processing is based on Article 6, ld 1, point f), is based. The Disputes Chamber also refers to the Guidelines on Transparency in accordance with Regulation (EU) 2016/679, emphasizing that the specific interest in question must be identified for the benefit of the data subject. [...]" With regard to point 6. of the privacy statement (document 38, p. 11}: "Also with regard to point 6. of the privacy statement, the defendant states in his argumentation from which his legitimate interest, on which he relies, would exist to process the complainant's personal data for the purpose of transfer to "the companies of the Z group to which X belongs, for monitoring and reporting", and "Subcontractors in the European Union or beyond, responsible for processing activities defined by X". However, art. 13.1.d) GDPR it is true that the controller must provide the information concerned with regard to his legitimate interests, if the processing is based on Article 6(1)(f). The The Disputes Chamber refers again to the Guidelines on Transparency in accordance with Regulation {EU) 2016/679 and the above mentioned." Finally, with regard to the sanctions imposed (including the imposed administrative fine of 50,000 euros), the Disputes Chamber considered (among other things) (document 38; p. 13 et seq.): "[...] The Disputes Chamber establishes that an infringement of art.5.1.a), art.5.2, art. 6.1, art. 12.1, art. 13.1.c} and d) and 13.2.b) AVG, has been proven and it is appropriate to recommend that the processing is brought into line with these articles of the GDPR (Art. 58.2.d} GDPR and Art. 100, §1, 9 WOG}, as well as in addition to this corrective measure impose an administrative fine (art. 83.2 GDPR; art. 100, §1, 13 WOG and art. 101 WOG}. [...] Taking into account Article 83 GDPR and the case law of the Market Court, does the Disputes Chamber motivate the imposition of an administrative sanction in concretely: rPAGE 01-00001823325-0017-0040-02-01- � L _J, 7S 1 Court of Appeal Brussels -2020/AR/813 - p. 18 The gravity of the infringement: the foregoing reasoning shows the seriousness of the infringement infringement. The duration of the infringement: from what the defendant has put forward in the proceedings before the Disputes Chamber do not show that the infringement has ended and therefore has lasted until January 25, 2020. In addition, the Disputes Chamber does not take into account adjustments made after the debates on the findings have been Closed. The necessary deterrent effect to prevent further infringements. With regard to the nature and seriousness of the infringement {Art. 83.2 a) GDPR} emphasizes 'the Dispute chamber that compliance with the principles stipulated in art. 5 GDPR - in in the present case, in particular the principle of transparency and legality, as well as accountability - is essential, because it is the fundamental principles of data protection. The Disputes Chamber considers the infringements of the defendant on the principle of legality as specified in art. 6 GDPR and the principle of transparency laid down in concrete terms in Articles 12 and 13 GDPR, as a serious violation. While no data subjects' health data is processed without the express consent required for that purpose and the defendant invokes a other processing ground with regard to the data not covered by a special protection regime in the GDPR, the Disputes Chamber is of the opinion that the relatively large impact of the identified infringements affecting all insured persons who have joined X through hospitalization insurance, in must be taken into account when determining the administrative fine. The whole of the elements set out above justifies a effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria laid down therein. The Dispute Room points out that the other criteria of art. 83.2. GDPR in this case are not of a nature that they lead to an administrative fine other than that imposed by the Disputes Chamber under this decision." 4. The legal framework of the jurisdiction of the Market Court: The matter is governed by the Belgian Law of December 3, 2017 establishing the Data Protection Authority (hereinafter WOG). With regard to the commencement and admissibility of a complaint or request, the articles 58 and next what follows. Art. 58 Anyone can submit a complaint or request in writing, dated and signed to the Data Protection Authority. The Data Protection Authority will draw up a form for this purpose. □1- □□□□ 1823325- □□ 18- □□4 □-□ 2-□ 1-;i !PAGE L _J,,,,,,,,,,Court of Appeal Brussels -2020/AR/813 - p. 28 kJ any other aggravating or mitigating action applicable to the circumstances of the case factor, such as financial gains made or losses avoided, which may or may not be directly arising out of the infringement.,, Recital 47 reads as follows: "The legitimate interests of a controller, including those of a controller to whom the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or fundamental rights and fundamental freedoms of the data subject do not outweigh, taking into account the reasonable expectations of the data subject based on his relationship with the controller. Such a legitimate interest may be present, for example, when there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer or is employed by the controller. In any case, a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject at the time and in the context of the collection of the personal data can reasonably expect that processing for that purpose take place. In particular, the interests and fundamental rights of the data subject may outweigh the interests of the controller when personal data is processed in circumstances in which the data subjects reasonably do not expect further processing. Since it is up to the legislator to legal basis for personal data processing by public authorities, legal basis do not apply to the processing by public authorities in the context of the performance of their duties. The processing of personal data that is strictly necessary is for fraud prevention is also a legitimate interest of the controller in question. The processing of personal data for the purpose of of direct marketing can be regarded as carried out with a view to legitimate interest." 5. The invoked pleas. 5.1. X applies the following means: First plea- In principal order- The Decision is null and void, as it is poorly motivated what concerns the legal basis for the processing of personal data for purposes ex article 4.3 of X's Privacy Statement, as well as regarding the legal basis for the transfers third parties exArticle6 of X's Privacy Statement. Second plea - In subordinate order - X should be able to rely on her legitimate interests in the processing of personal data for certain purposes and transfers to third parties. Third plea - In subordinate order - X should have the option, if she could not rely on its legitimate interests, to rely on legal grounds other than the consent of the data subject. rPAGE 01-00001823325-0028-0040-02-01-� L _J,Court of Appeal Brussels -2020/AR/813 - p. 29 Fourth plea- In minor order - The Decision constitutes an infringement of the liberty of entrepreneurship of X. Fifth plea- In minor order - The administrative fine of EUR 50,000 is disproportionately. 5.2. The GBAlaat apply: 3.1. First ground of defence: In the main proceedings - The appeal is unfounded, as the contested decision of the Disputes Chamber is properly substantiated in fact and in law The Disputes Chamber has, based on the active accountability that rests on the controller, in its assessment, appropriately based on the available data - The considerations of interests currently provided by X (post factum) are not of a nature to jeopardize the regularity of the contested decision (defence against the applicant's first to fourth complaints) 3.2. Second ground of defence: In the main proceedings - The appeal is unfounded, as the contested decision does not unlawfully restrict X's ability to to terminate established violations and to comply with the provisions of the AVG - The fact that the GBA, in view of the available data, expresses a possible adjustment on the basis of art. 6.1.a) GDPR is not intended to affect the regularity of the contested decision (defense against the second and third complaints of applicant) 3.3. Third ground of defence: In the main order - The . imposed by the Disputes Chamber administrative fine is properly justified in fact and in law fine is by no means disproportionate in light of the various infringements - Any of the established infringements (including the uncontested infringements) may justify the fine (defense against the applicant's fifth ground of appeal) 6. Assessment - the reasons for the decision as to the legal basis for the processing of personal data for purposes pursuant to Article 4.3 of the X's privacy statement, as well as regarding the legal basis for the transfers to third parties ex Article 6 of the Privacy Statement of X. (GBA's first plea of Xen's first defense) 6.1. X allows, among other things, the following: However, on the basis of the first conclusion on appeal from the GBA, X now learns that she is convicted because the GBA believes that X should have proactively demonstrated from which her legitimate interests exist, this on the basis of a so-called 'active' accountability, in accordance with Article 5(2) of the GDPR. 1 PAGE □1- □0001823325-0029-0040-02-01- � L _J,Court of Appeal Brussels - 2020/AR/813- p. 30 47. By stating that X should have provided the necessary information proactively carry in the Joop of the proceedings, and by using the term 'active' accountability, the DPA masks the fact that it had not requested the information and that it consequently failed to provide sufficient reasons for the Decision. As mentioned before, the complaint mainly related to the processing of medical data and the related related consent. 48. Article 5, Jid 2 GDPR does indeed imply an accountability, which means that controller/verify compliance with the principles of processing personal data (Article 5(1) of the GDPR) must be able to demonstrate. One of these principles is the principle of lawfulness/ (Article 5, Jid 1, point a) GDPR), which provides that personal data must be processed in a manner that is appropriate for the data subject is lawful, which means, among other things, that it is based on a legal basis (such as included in Article 6 GDPR). 49. This duty of accountability implies that controllers/calibrators always must be technically and organizationally capable of complying with the GDPR demonstrate. On the other hand, it does not imply that controllers/gauges must always assess whether and when they should be held accountable. The GBA interprets this accountability in a way that suits it justification of its inadequately motivated decision and encloses this duty in a role in the context of the taking of evidence in legal proceedings that does not have. 50. It is therefore incomprehensible that the GBA is of the opinion that X in the context of the procedure would have had sufficient opportunity for the Disputes Chamber to demonstrate out of which its legitimate interests consist. That would have been the case, among other things at the session of January 28, 2020, in the context of which the GBA asked X from which the legitimate interests of X exist on which it relies for the processing of other than medical information. 51. X replied that that interest consists in pursuing its economic activities, which is also true. It is impossible to verbally to give a comprehensive answer to a question that requires a bulky and nuanced answer required, such as the extent of the weighing of interests that X has in the context of this procedure teaches, oo demonstrates (see Papers 10, 11A, 118, 11C, 12, 13, and 14). Nor did the GBA inquire into the weighing of interests during this session or allude to the fact that it was advisable to add it anyway. 52. It is therefore not correct that the GBA alludes that X only has reservations or should have formulated objections to the official report of the session of 28 January 2020 to demonstrate its legitimate interests. The main arguments went about the permission and the case was after all considered after the hearing, which is also is expressly confirmed by the record of the hearing: "The defendant was heard and has had the opportunity to present his arguments. The case is then taken into consideration and today the Disputes Chamber proceeds to: making her decision." (self-emphasis). r PAGE 01-00001823325-0030-0040-02-01-� l _J,Court of Appeal Brussels -2020/AR/813-p. 31 ---�--->-��-------------------------- 53. It cannot be denied that the GBA also has a responsibility to to safeguard the rights of defense and due process, inter alia guaranteed in Article 6 of the European Convention on Human Rights. 54. All this means that at the time the GBA made the Decision, there was no there had been a debate about the existence of legitimate interests under X and they only X's Privacy Statement had to make a statement about this. However, a privacy statement alone is not sufficient to verify whether based on a legal basis for a particular processing. Moreover, as your Court has already pointed out has judged, the motives invoked by the GBA can only make a decision support if they appear from the documents in the file on which the GBA was able to consider to beat. 55. More specifically, a privacy statement, identifying which legal basis of applies to which processing purpose is only a reflection of the analysis that serves have been carried out to determine whether the concrete processing carried out in practice by the controller is assumed, actually complies with all relevant legal requirements for the application of that legal basis. In this case, the balancing of interests drawn up by X demonstrated that the processing operations in question may indeed be based on its legitimate interests. 56. The foregoing partly explains why the statement of reasons for the Decision is flawed as to what concerns the legal basis for the processing of personal data for purposes ex article 4.3 of X's Privacy Statement, as well as regarding the legal basis for the transfers to third parties pursuant to article 6 of X's Privacy Statement. 57. However, there are other cases in which it was established that decisions of the GBA are lacking motivation. Both in judgments of your Court of 23 October 2019; if that of February 19, 2020, decisions of the GBA were quashed because of motivational flaws. In yet another judgment, that of 9 October 2019, your Court held, prima facie, that the contested decision "without any contradictory debate" was conducted - does not seem to comply with the aforementioned law of July 29, 1991, but the Marktenhof is not authorized to ex officio this decision, the validity of which and conformity with the general principles of good administration, is not disputed, to sanction". 58. However, Articles 2 and 3 of the Law of 29 July 1991 on the explicit motivation of the administrative acts, the administrative authority (in this case the GBA) to include the legal and factual considerations in the deed (in this case the Decision) that underlie the Decisions and that in an 'adequate' way. 59. The adequacy of the statement of reasons means that it must be pertinent, that is, it must clearly be related to the Decision, and that it must be sound, i.e. the reasons cited must suffice to Decision to wear. r PAGE 01-00001823325-0031-0040-02-01-� �!l�l!I L oo-w. _J, Court of Appeal Brussels -2020/AR/813- p. 32 60. The main raison d'être of the obligation to state reasons, as imposed by the aforementioned law of 29 July 1991, consists in the fact that the person concerned in the Decision itself must be able to find the motives on the basis of which it was taken, so that the person concerned can determine in full knowledge of the facts whether it is appropriate to Fight decision. 61. The substantive obligation to state reasons means that every administrative legal act must rely on motives whose actual existence has been duly argued and which are in law accountable for that act. 62. Next, X will show on which points the reasoning of the Decision is not is sufficient, which means that the Decision must be quashed. Given the GBA has imposed an administrative sanction for all alleged infringements together and not a separate sanction for each infringement, is the (defective) motivation regarding the processing of personal data for the purposes of article 4.3 of the X's privacy statement as well as regarding the legal basis for transfers to third parties parties pursuant to Article 6 of X's Privacy Statement, not severable from the rest of the Decision. As a result, the Decision must be annulled in its entirety." 6.2. In the complaint2, as it was brought to the attention of X (document 1 file GBA), Mr V is concerned that X proceeds through compulsion to process sensitive personal data for the provision of his hospitalization insurance. If the customer does not gives explicit permission for all processing, he will not be covered for the hospitalization insurance. The complainant does not consider this a problem for the hospitalization insurance itself but for the processing listed in point 4.3 of the privacy statement. That point states that Xde processes data: Based on X's legitimate interest, for: • performing computer tests; • monitoring the quality of the service; • training staff; • monitoring and reporting; • preventing abuse and fraud; • the storage of video surveillance recordings during the legal period; • compiling statistics of coded data, including big data; • providing information, regardless of the means of communication, about the commercial actions, products and services of X and of the group to which it belongs." 2 This is not a person who lodges a complaint in his capacity as a citizen, but in his capacity of data protection officer of the association [...]. By mail of 9 September 2019 (document 14 file GBA), Mr V complains · by the way about that with regard to the proceedings before the Disputes Chamber as private person was written to by X where his complaint emanates from his company. 1 PAGE 01-00001823325-0032-0040-02-01-� L _J, Court of Appeal Brussels - 2020/AR/813- p. 33 By registered letter dated 24 July 2019 (document 6 GBA), the Disputes Chamber of the GBA indicates to X knowledge of the complaint that is ready for substantive treatment. The complaint itself is expressed in the electronically completed form (document 3, same file), in which the the complainant states: "X has been using this for a long time, more than a year after the entry into force of the Framework Protection Act of personal data from July 30, 2018, they still have no adjustment for this applied. Attached you will find the form for the customers as proof. As a citizen you do not have choice and they process this from a lot of customers, by definition this is a high risk, moreover I want to request the DPIA {GBEB) privacy analysis which is an obligation for processing high-risk data for citizens". As part of enabling the case, X has reached a detailed conclusion in which it defends itself with regard to the issue of explicit consent (document 13 GBA). The contested decision (document 39 GBA) is entitled "lack of transparency in the privacy statement of an insurance company". The GBA does not dispute that the question of legitimate interest was only raised orally on the hearing where the complainant was not present. The GBA concludes: "With regard to the representation, in the PV, of the general question regarding the legitimate interest that X relies on to process data other than health (as well as X's brief answer), X did not formulate any reservations or objections.,, The GBA adds: "On March 25, 2020, the Disputes Chamber, with due observance of the judgment of 19 February 2020 of your Court/to X of the intention to proceed with the the imposition of an administrative fine, and communicated the contemplated amount thereof, in order to Hear about this before the sanction was actually imposed (document 30). " 6.3. In accordance with the WOG, the Disputes Chamber of the GBA is established in one of the following ways caught (Article 92): 1° by the frontline service, in accordance with Article 62, §1, for the treatment of a k°eight; 2 by a concerned party lodging an appeal pursuant to Articles 71 and 90 against measures taken by the inspection service; 3°by the inspection service after it has concluded an investigation in accordance with Article 91 §2. 3 Marktenhof, 19 February 2020, roll no. 2020/1471. r PAGE □1- □□□ 01823325- □□33- □□ 4□-□ 2- □1-;i L _J,,Court of Appeal Brussels -2020/AR/813 - p. 35 6.4. The official report of the hearing of 28 January 2020 (document 25 GBA) shows that the members of the The Disputes Chamber orally asked the question "what constitutes the legitimate interest on which X invokes what would be the processing of non-health data based". The official report then mentions X's oral answer, after which the decision followed from the Disputes Chamber that there was no reason to reopen the debates (see for this). 6.5. The GBA has opted to provide an exceptionally low-threshold system for the submitting a complaint in particular filling out an online form. This method involves a danger, namely that the complaint is (often) not formulated in a legally responsible manner but rather in the terms of the complainant, who often limits himself to putting "in the picture" of citing an alleged fact. If the Disputes Chamber of the GBA then decides that the complaint can be handled, but the does not adjust the formulation of the complaint and does not articulate the stated facts according to the possible infringements of the privacy legislation sensu fata with indication of the relevant articles of law, it can leave the data subject in the dark about the actual legal scope and possible consequences of the complaint. The Marktenhof is of the opinion that he/she with regard to whom a complaint is being handled (who may give rise to a sanction, including an administrative fine) in clear, in an ambiguous and transparent manner must have knowledge of the actual allegation both in fact a Is in a right way that he/she can defend himself/herself in a correct manner. The mention of the infringements (read: the articles of the privacy legislation sensu fata) is primordial. The sanctions that the legislator has permitted to the Disputes Chamber of the GBA requires that the defender clearly knows what he has to defend against. It certainly cannot be regarded as a bad thing for the complainant that he limits himself in his complaint to the mentioning alleged facts that he believes are in conflict with privacy legislation, but it cannot be the case that the person concerned who has to defend himself, more in the legal is left in the dark other than the person posing for any criminal or administrative infringement sensu fata to justify. 6.6. It is the Disputes Chamber of the GBA - after it judges that the file is ready for handling on the merits - of course allowed to sensu fata . the possible infringements of privacy legislation (much) broader than the infringement(s) for which the initial complainant had turned to the GBA. r PAGE 01-00001823325-0035-0040-02-01- � L _J,, !no Court of Appeal Brussels -2020/AR/813 - p. 37 It must be deduced from reading these articles together that the legislator in the administrative procedure for handling complaints has wanted to introduce a kind of procedure that has a form of comparability with legal proceedings (as regulated in the Ger. W.). The decisions of the litigation chamber of the GBA are purely administrative decisions, which legal force cannot be equated with judicial decisions, but which are nevertheless in to the extent that this is reasonably possible, should take the form of a judicial decision as much as possible trying to approach. To this end, it is also required that the rules of procedure, which apply to ensure that a valid decision could be reached, should be followed to the extent possible become. Even though the Disputes Chamber of the GBA is not a body that meets the requirements of the independent and impartial judge, yet it must - in accordance with the rules of good administration that it is obliged to comply - openly and with as much equality of arms as possible communicate with the data subject against whom she is prosecuting a complaint. It constitutes mismanagement not to inform the person concerned prior to the treatment of to inform the file of the exact allegations or infringements to which he - according to °the investigation conducted - could be guilty. It is for this reason that Article 95 § 2, 2 WOG states that the person concerned must be informed of the complaint. The person concerned must be able to defend "against the allegations of the complaint". If the Disputes Chamber of the GBA is of the opinion that the infringement constitutes another fact or object than that which is described in the complaint, then it belongs to at least 4 Dispute chamber of the GBA to make that clear and unambiguous in the convocation (provided in Article 95 § 2 WOG) to make known to the person concerned so that he/she is informed in writing about this can defend (through the conclusions drawn by him or his lawyer). Whilst at the hearing, the person concerned may respond verbally to the comments from the designated member or members of the Disputes Chamber, but, if than the Disputes Chamber is of the opinion that the infringement(s) is (are) broader than what is stated in the convocation was made, then it should be very transparent to communicate about this and the to respect arms equality and the rights of defence. The Disputes Chamber of the GBA states that X was given the opportunity to defend himself about the fine that the litigation chamber intended to impose on her. Well, just in the same context and for the same reasons, it belongs to the Disputes Chamber of the GBA to open the debate reopen - with the possibility for the data subject to re-open in writing and orally respond-to the amended allegations of infringement(s). It appears from the present documents that the Disputes Chamber has adopted these principles of elementary transparent good governance - in which the rights of defense are fully respected - has not complied. 4Insofar as the Inspectorate should not (should) be caught. 1 PAGE 01-00001823325-0037-0040-02-01-� L _J,Court of Appeal Brussels -2020/AR/813-p. 38 The statement of the Disputes Chamber of the GBA that X asked on the occasion of the hearing was (which was stated in the record of the hearing) to take a position regarding the general question of the legitimate interest on which X invokes other than to process health data and that X only formulated a brief answer to this without reservations or objections, the contested decision does not adequately justify. X had to be given the opportunity - after the complaint was clearly and clearly formulated in writing - to reach a written conclusion thereon. The reasoning of the Dispute Chamber of the After all, GBA must be able to be tested by the Market Court in relation to the means or arguments that the person concerned has developed in his conclusion. In the letter of 14 April 2020 (document 37 GBA) it is stated that the term for reply by X is determined by 8 May 2020 at the latest and adds "this term comes to the Disputes Chamber as reasonable, given the rather limited scope of the Disputes Chamber's request to respond to the proposed sanction, which moreover does not imply a reopening of the debates". The circumstance that the Market Court in a judgment of 19 February 2020 (in another case) has stated that the Disputes Chamber of the GBA, before imposing an administrative fine, should inform the data subject of this intention and give him the opportunity responding to this: does not have the consequence that the Disputes Chamber of the GBA for all other new elements (other than the imposition of a fine) would have a safe conduct. It The principle laid down by the Marktenhof naturally applies to all new elements that do not have been the subject of the complaint and the accompanying file documents as they are submitted to the person concerned were notified. That in the aforementioned judgment the Marktenhof only mentioned administrative sanction is, of course (simply) due to the fact that the Court did not pronounces judgment in general terms, but only judges in a specific dispute and at least with regard to the specific points of dispute that are at issue in that dispute. 6.8. The complainant requested a DPIA (= a data protection impact assessment). That is an instrument to to map out the privacy risks of data processing in advance and to to take measures to reduce the risks. Now that the Disputes Chamber of the GBA has followed X's argument in this regard, point not to be entered. 6.9. It appears from the foregoing that the rules set out above (points 6.5 to 6.7) were not complied with. The basic plea of lack of sufficient motivation is not made concrete by the GBA refuted. The invoked motives can only support a decision if they appear from the documents of the file that the authority (DPA) was able to observe. Admittedly, the GBA establishes in an unassailable manner the existence of the facts on which it relies; the consequences he deduces from this are left to his judgment and policy, but the Marktenhof rPAGE 01-00001823325-0038-0040-02-01-� L _J,Court of Appeal Brussels - 2020/AR/813- p. 39 checks whether the DPA has not drawn any conclusions from the facts established by it that cannot be justified on the basis of those facts. For those reasons, the contested decision disregards the rules of good administration and must to be destroyed. 7. Decision. The contested decision is annulled. 8. The court costs. The GBA is the unsuccessful party. The costs are settled on the legal compensation for disputes that cannot be valued in money, amounting to €1,440.00. FOR THESE REASONS, THE COURT, Right to contradiction ; Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court cases; Declares the appeal admissible and well-founded; Annuls the contested decision number 24/2020 file DOS-2019-02902 of 14 May 2020 of the Dispute Chamber of the Data Protection Authority regarding X; Orders the Data Protection Authority to pay the costs of the appeal, settled on 1,460 euros (€20.00Budgetary Fund + €1,440 court fee). Condemns the Data Protection Authority, in accordance with Article 269/2 of the Code of registration, mortgage and court fees to be paid to the Belgian State, FPS Finance, of the right of appeal in the amount of 400.00 euros; rPAGE 01-00001823325-0039-0040-02-01-� L _J,