APD/GBA (Belgium) - 147/2022
| APD/GBA - 147/2022 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 2(1) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, Article 13(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.10.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 147/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | n/a |
The Belgian DPA ordered a controller, the owner of a vacation park, to comply with the principle of data minimisation under Article 5(1)(c) GDPR. The controller lawfully processed personal data under Article 6(1)(b) GDPR to prevent fraudulent use of a swimming pool discount card, but unnecessarily requested photos of the data subject's family members and their degree of kinship when their names alone would have sufficed.
English Summary
Facts
The controller was the owner of a ‘vacation park’. The data subject owned one of the apartments in this park.
The controller provided a special membership card for the owners of an apartment which included a discount for access to the swimming pool. Family members, up to a certain degree of kinship, were also allowed to use this card. Several details had to be provided to use the card, such as the name of the card owner, a photo of every family member using it, and their degree of kinship to the owner. It became clear from the proceedings that the card had been used fraudulently in the past by lending it to unauthorized third parties so that they could profit from the discount. The controller relied on two legal grounds for the processing: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Article 6(1)(f) GDPR, however, had only recently been added as a legal ground. The data subject filed a complaint with the DPA, stating that he wanted to access the pool at the discounted rate without providing photos of the users of the card and their degree of kinship.
Holding
The DPA held that the controller could rely on Article 6(1)(b) GDPR to regulate access to its swimming pool. The DPA stated that, according to Article 13(1)(c) GDPR, the controller must inform the data subject of the legal basis and the purpose of the processing before it starts processing personal data. The controller had stipulated in the contract with the data subject that it would have the possibility to regulate access to the pool. Therefore, the controller could rely on Article 6(1)(b) GDPR.
The DPA did, however, state that the controller could not rely on Article 6(1)(f) GDPR, because this legal ground was added to the privacy policy after the processing had already started. Nevertheless, this finding did not affect the decision, since the DPA held that one valid legal ground was enough for the controller to process personal data.
The DPA did determine that the controller violated Article 5(1)(c) GDPR, stating that personal data may only be processed when the goal of the processing cannot reasonably be reached any other way. The DPA held that identifying data subjects in order to prevent fraud was a specified, explicit and legitimate purpose within the meaning of Article 5(1)(b) GDPR. However, the DPA continued by stating that providing only the names of the people who could use the card was sufficient for reaching the goal of preventing fraud. The DPA disagreed with the controller here, which argued that it would be necessary to also load a photo and the degree of kinship onto the card and to read this card automatically with an ID card reader every time the card was used at the pool. The DPA held that this was not necessary for the intended goal and determined that this could even entail automated processing (Article 2(1) GDPR).
Regarding the obligatory photo, the DPA was of the opinion that a human check at the reception was sufficient to prevent fraud and that providing a photo was therefore unnecessary. The DPA also stated that such a visual check would not even fall under the GDPR. The DPA further held that it was not necessary to provide the degree of kinship of family members, as this did not provide any additional value: the controller would not even be able to verify the degree of kinship provided by the data subject. Therefore, there was a less privacy-intrusive way to reach the intended goal, which meant that the controller violated Article 5(1)(c) GDPR.
The DPA ordered the controller to bring its processing in compliance with Article 5(1)(c) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 147/2022 of 17 October 2022
File number: DOS-2019-04465
Subject: Digital membership card as access card for a reduced rate

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
Has made the following decision regarding:
The complainant: Mr X, hereinafter referred to as “the complainant”
The defendant: Y. Y1., hereinafter referred to as “the defendant”

I. Facts and procedure
1. On 3 December 2019, the complainant submitted a complaint to the Data Protection Authority against the defendant.
2. The subject of the complaint concerns the creation of a digital membership card by the defendant for holiday home owners and their family members, limited to a certain degree of kinship, in order to give them access to the pool at a favourable rate for a large number of swims per holiday home. For that purpose, not only must the name of the applicant, who is also the owner of the holiday home, be provided, but also for each user of the card a photo must be uploaded into a data file, and the family tie (1st or 2nd degree) must be stated. The complainant, who owns a home in the holiday park, wishes to gain access to the swimming pool at the preferential rate, but without providing photos and without indicating the degree of kinship.
3. On 7 January 2020, the complaint was declared admissible by the Frontline Service on the grounds of Articles 58 and 60 of the WOG, and the complaint was submitted to the Disputes Chamber on the basis of Art. 62, 1 WOG.
4. On 11 August 2020, the Disputes Chamber decided on the basis of Art. 95, § 1, 1° and Art. 98 WOG that the file was ready for processing on the merits.
5. On 11 August 2020, the parties concerned were notified of the provisions as stated in Article 95, § 2, as well as those in Art. 98 WOG. They were also informed, on the basis of Art. 99 WOG, of the time limits for submitting their defences. The deadline for receipt of the defendant's response was laid down as 25 September 2020, that for the complainant's reply as 16 October 2020 and, finally, that for the defendant's reply to that statement as 6 November 2020.
6. In the absence of a response from the defendant to the invitation to submit defences, and with a view to safeguarding the rights of the defence, the Disputes Chamber decided on 24 June 2022, in accordance with Article 52 of the rules of internal procedure, to proceed to a hearing, which was scheduled for 4 July 2022.
7. On 28 June 2022, the defendant requested a copy of the file (Art. 95, §2, 3° WOG), which was transferred to him the same day.
8. At the request of the defendant, the date of the hearing was moved to 5 September 2022.
9. On 29 August 2022, the Disputes Chamber received the statement of reply from the defendant. In it, the defendant explains that the membership card is an exceptional commercial offer to private owners and that its unauthorized use led to the collection of personal data, including photos of the beneficiaries of the card. In court, the defendant argues that the privacy principles as included in Article 5.1 a) - d) and f) GDPR are complied with, as well as the accountability principle laid down in Article 5.2 GDPR. Finally, the defendant argues that the photos cannot be considered biometric data within the meaning of Article 9 GDPR.
10. On 5 September 2022, the parties were heard by the Disputes Chamber.
11. On 7 September 2022, the minutes of the hearing were sent to the parties.
12. On 13 September 2022, the Disputes Chamber received some comments with regard to the minutes, which it decided to include in its deliberation.
13. On 15 September 2022, the Disputes Chamber also received a number of comments with regard to the minutes, which are included in the deliberation.

II. Justification
a) Legal basis
14. The defendant argues that the processing of the personal data on the basis of the digital membership card, namely the first name and last name, as well as the photo, of both the private owner and each of his family members limited to the 1st and 2nd degree, finds its basis in Article 6.1 b) GDPR. In addition, the defendant invokes his legitimate interest (Article 6.1 f) GDPR) to have the data processing based on the digital card regarded as legitimate.
15. The Disputes Chamber elaborates on the legal grounds cited by the defendant. In accordance with Article 13.1 c) GDPR, before starting the processing activities the controller determines which legal basis applies, and in relation to what specific purpose, with the obligation on the defendant to inform the complainant.[1]
16. Applied specifically to the present file, the Disputes Chamber establishes that the appendix to the basic deed[2] concerning the holiday domain provides in Article 19[3] that the defendant may issue appropriate regulations for the visiting relatives or guests or charge fees for the use of, among other things, the swimming pool. The Disputes Chamber determines that the defendant contractually has the option under the aforementioned provision to regulate access to the swimming pool, as the defendant has in practice done by providing a preferential rate for the owner and his relatives in the 1st and 2nd degree. The complainant acknowledges in his conclusion as well as during the hearing that this system of a favourable rate for access to the swimming area has been in existence for many years. The Disputes Chamber is of the opinion that the basis for this can be found in the basic deed and that the data processing is thus based on Article 6.1 b) GDPR, in order to allow the owner of a holiday home and his family members limited to the 1st and 2nd degree to enjoy, via an access card, the advantage of access to the swimming pool at a discounted rate.
17. In what follows, the question arises to what extent the processing of the personal data by means of the digital membership card as it is currently set up, namely with the processing of the photos of the users of the card as well as the indication of the degree of kinship to the owner of the holiday home, respects the principle of minimum data processing.
18. For the sake of completeness, the Disputes Chamber also notes that the legal basis ‘legitimate interest’ (Article 6.1 f) GDPR), on which the defendant relies in the subsidiary order, is invoked by the defendant post factum, and the defendant indicates that this legal basis was recently added to the privacy statement. The Disputes Chamber repeats that, due to the obligation to provide at the time of the collection of personal data the legal basis on which the controller relies (Article 13.1 c) GDPR), the defendant has to decide what the legal basis is before collection is started. The addition of the legal basis ‘legitimate interest’ after the data collection took place, as in the present case, is not in accordance with the requirement that the legal basis must be determined and made known to the person concerned, being the complainant, prior to the collection of the photos and the information about the degree of kinship. However, it is sufficient that one valid legal basis is present, which in the present case is the agreement that formed the basis of the data collection.
19. It follows from the foregoing that the Disputes Chamber determines that the legal basis which the defendant primarily invokes, the performance of an agreement (Article 6.1 b) GDPR), constitutes a valid legal basis for the processing by the defendant of the personal data by means of the digital membership card. Thus it is established that the defendant has not infringed Article 6.1 GDPR in conjunction with Article 13.1 c) GDPR.
b) Minimum data processing principle
20. The existence of a legal ground that allows the defendant to proceed with data processing in the light of the purpose pursued by him, in this case consisting of the granting of an advantage to the owners and a limited number of relatives by giving them access to the swimming pool at a favourable rate, does not release the defendant from the obligation to comply with the principle of minimum data processing. This means that the defendant must determine how the purpose can be achieved on the basis of data that are adequate, relevant and limited to what is necessary for the purposes for which they are processed (Article 5.1 c) GDPR).
21. Applied to the present complaint, it must be verified whether the defendant may retrieve the photos and the degree of kinship of the intended users of the membership card and then process them in a data file with a view to controlled access to the swimming pool at a discounted rate, so that abuse of the card by third parties is prevented. Indeed, in the past it was repeatedly established that third parties made unauthorized use of the card, because some owners made the then-current paper card with swimming sessions available to the tenants of their holiday home in the context of private rental. Based on the purpose, consisting of averting possible misuse of the card, it should be checked whether the processing of the photos and the degree of kinship is required for this purpose.
22. Personal data may only be processed if the purpose of the processing cannot reasonably be achieved in another way.[4] From the actual elements of the file it appears that there is a need to identify the users of the card who present themselves at the pool, so that it can be verified whether the users are actually those who are entitled to access the pool at the favourable discount rate, and thus abuse can be excluded. This constitutes a specific, explicit and legitimate purpose within the meaning of Article 5.1 b) GDPR.[5] It is common ground that the owners concerned, including the complainant, were written to by the defendant, explaining in the letter that, following misuse of the paper card, a switch would be made to a digital card, with the explanation that henceforth the photos of the beneficiaries, indicating the degree of kinship, would be necessary.
23. Precisely on the need to provide photos with the degree of kinship and their processing in a database for the purpose of use of the digital card in the context of combating abuse, the defendant stated during the hearing that it had examined using the identity card as a means of access control, but that reading it would in no way be less privacy-violating, since the identity card contains more data than necessary for access control.
24. In this regard, the Disputes Chamber points out that the purpose pursued by the defendant can be achieved solely by processing the names of the beneficiaries of the discounted rate in a data file that is linked to a digital card. After all, it is sufficient that the beneficiary of the card is granted the discounted rate at the pool entrance counter provided he presents his digital membership card together with his identity card. It is by no means necessary that the complainant's identity card is ‘read’, as the defendant argues, which is an automated data processing within the meaning of Article 2.1 GDPR. Reading the identity card would have the consequence that, by means of an e-ID card reader, more data is processed than necessary for the purpose, since a lot more data is stored on the card than that which the defendant believes it needs.
25. The Disputes Chamber states that it is sufficient that the names of the beneficiaries are processed by means of the membership card and can be consulted by the receptionist. To make sure that whoever presents the membership card is indeed a beneficiary of the preferential rate, a purely visual check of the identity card, on which both the name and the photo of the person concerned are visibly stated, provides the guarantee of correct identification. Processing photos of the beneficiaries can therefore in no way be regarded as relevant and necessary for the realization of the intended purpose. The combination of, on the one hand, the processing of the names of the beneficiaries of the preferential rate by means of the membership card linked to a database, which is a data processing within the meaning of Article 4.2) GDPR, and, on the other hand, the visual verification of the identity card, which also contains the name of the beneficiary as well as the photo that can be used to check whether the person who presents himself at the entrance counter is actually the person to whom that name and photo belong and is thus entitled to use the membership card, is sufficient to prevent misuse. A mere visual check, in which the physical similarity between the person who wants access and the photo on the identity card is checked, does not fall under the scope of the GDPR, as such a check is not accompanied by any form of processing within the meaning of Article 2.1 GDPR. In the case of visual identity verification, after all, there is no question of fully or partially automated processing, nor of any processing of data contained in a file or intended to be included therein. It follows that with this method the intended goal can be achieved in a less privacy-violating way than that currently used by the defendant.
26. This also applies to the processing of the degree of kinship, which is likewise not relevant and necessary in light of the purpose. The notification of the degree of kinship for each beneficiary, as requested by the defendant, is based on the simple “declaration of honour” of the owner of the holiday home. The Disputes Chamber is of the opinion that it is sufficient that the owner of the holiday home only gives the names of his relatives in the 1st and 2nd degree, without having to state the exact degree for each of them. The designation of the kinship degree offers no added value, since this information cannot be subject to any scrutiny, given that it is unverified information to be provided by the owner himself, which cannot be objectively established by the defendant on the basis of any document. This leads the Disputes Chamber to the opinion that, also with regard to the degree of kinship, processing only the names of the beneficiaries is sufficient, without further specification of the degree of kinship.
27. By virtue of the fact that the defendant's purpose can be achieved without processing the photos of the beneficiaries of the membership card and their degree of kinship, it is established that the defendant has committed a violation of Article 5.1 c) GDPR.

III. Publication of the decision
28. Given the importance of transparency in the decision-making of the Disputes Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identifying details of the parties to be disclosed directly.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, pursuant to Art. 100, §1, 9° WOG, to order the defendant to bring the processing into line with Article 5.1 c) GDPR within a period of two months, and to inform the Data Protection Authority thereof within the same period.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification, an appeal may be lodged against this decision with the Marktenhof (Court of Appeal Brussels), with the Data Protection Authority as defendant. Such an appeal may be lodged by means of an adversarial petition that must contain the statements listed in Article 1034ter of the Judicial Code.[6] The adversarial petition must be submitted to the registry of the Marktenhof in accordance with Article 1034quinquies of the Judicial Code (Ger.W.)[7], or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.).

(signed)
Hielke Hijmans
Chairman of the Disputes Chamber

Footnotes
[1] See in this regard the Guidelines 05/2020 on consent under Regulation 2016/679 (margin nos. 121-123); https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
[2] In the basic deed referred to as: “annex Regulations of Co-ownership and Internal Order”.
[3] Article 19 of the basic deed reads as follows: “Any owner may stay on the domain when it suits him with the members of his family. He may also receive guests provided they are neither too numerous nor too noisy. The owner of the lot is responsible for damage caused by his guests […] issue appropriate regulations or charge the visiting relatives or guests for the use of, among other things, the swimming pool, the sports pond or even for access to the domain. The owner is personally responsible for the registration of the persons he accommodates under his roof. Other external visitors to the domain will be subject to the same provisions.”
[4] Recital 39 GDPR: “Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used, in particular for informing data subjects about the identity of the controller and the purposes of the processing, as well as further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.” [own underlining]
[5] See in this regard also recital 39 GDPR, which states: “[…] In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. […]”
[6] The petition states, on pain of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and a brief summary of the grounds of the claim; 5° the court before which the claim is brought; 6° the signature of the applicant or of his lawyer.
[7] The application with its annex shall be sent by registered letter, in as many copies as there are parties concerned, to the clerk of the court or deposited at the clerk's office.