APD/GBA (Belgium) - 57/2023
APD/GBA - 57/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1) GDPR Article 12(1) GDPR Article 12(2) GDPR Article 13(1)(c) GDPR Article 13(2)(a) GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 07.04.2022 |
Decided: | 17.05.2023 |
Published: | |
Fine: | 40,000 EUR |
Parties: | n/a |
National Case Number/Name: | 57/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | kv33 |
The Belgian DPA fined a professional content creator €40,000 for inadequately responding to an access request. The controller had refused to provide copies of recorded phone conversations between the controller and the data subject.
English Summary
Facts
On 18 August 2021 (26), the data subject signed two contracts with the controller to develop a website and create promotional videos. To discuss the details, the data subject and the controller had a few conversations over the phone, which were recorded by the controller without the data subject’s knowledge (according to the data subject). The controller did this to record the data subject’s requirements and specific wishes for both the website and the promotional videos.
Since 2021, the controller and the data subject have had disagreements regarding the signed contract. Following this, the data subject exercised his right of access (Article 15 GDPR) multiple times regarding the recorded telephone conversations. The last request was made on 21 March 2022. (46) The controller refused to provide a copy of the telephone conversations but invited the data subject to the controller’s office to listen to the phone conversations there.
On 7 April 2022, the data subject filed a complaint with the DPA. According to the data subject, the phone conversations were illegally recorded and his right of access was ignored. (1) On 29 June 2022, the investigation service of the DPA finished its investigation and determined several violations of the GDPR.
The controller clarified its position at different moments during the procedure. It stated that its legal basis for recording the telephone conversations was Article 6(1)(b) GDPR. The recordings were necessary for the contract itself and for the quality of the controller’s services. (21) The controller also stated that it did not obstruct the data subject’s right of access, since it had invited the data subject to listen to the recordings at the controller’s office. It also stated that it was not obligated to provide a copy of the recordings, since the right to a copy was not absolute pursuant to Article 15(4) GDPR. ( ) It also did not want to provide a copy to the data subject in order to protect its employees from unhappy customers. The controller stated that the rights of its employees prevailed over the data subject’s right of access. (57) The controller also stated that the data subject merely wanted these phone recordings to start a civil procedure against the controller. (58) The controller also did not want to provide the conversations because these could make it possible to get information about the controller’s methods, knowhow and trade secrets, since these phone conversations were very detailed and focussed on the specific demands of the customers. (60) The controller also stated that it had informed the data subject in a GDPR-compliant manner about the fact that the phone conversations would be recorded. (74)
Holding
First, the DPA assessed the legal basis claimed by the controller, Article 6(1)(b) GDPR. According to the DPA, there needed to be a ‘direct and objective’ connection between the processing of personal data and the goal of the contract. (27) Without explicitly confirming this, the DPA implied that this was the case. The DPA also agreed with the controller that the phone recordings were necessary for the performance of the contract. Among other reasons, the DPA stated that it was efficient to record the preferences of its customer. It also stated that phone conversations were more efficient than e-mail. There was therefore no violation of Article 5(1)(a) and Article 6(1) GDPR. (28 – 29)
Second, the DPA determined whether the controller obstructed the data subject’s right of access. The DPA stated that the right of access is a gateway to other rights. (42) The right to a copy should not be treated as an additional right, but as a way to get access to all the personal data, so not only a copy. The DPA stated that in most cases it was also not enough, for the purposes of the right of access, for the data subject to have only temporary access to the personal data. (47) The DPA also assessed the question in which form the access should be granted. In this case, the controller should have provided a copy of the transcripts to the data subject, since the sound of his voice was also personal data and could not be provided in transcripts. (49) The DPA explicitly referred to Österreichische Datenschutzbehörde (50). The DPA agreed with the controller that the right of access and the right to a copy were not absolute, looking at recital 4 GDPR and Article 52 ECFR. The DPA referred to the EDPB Guidelines and stated that the right of access should be weighed against other fundamental rights in three steps: It should be determined if there are any negative effects when the right of access is granted. Then, the interests of all parties should be assessed, looking at the circumstances and the risks involved. The controller should try to reconcile the interests of all parties. When this is deemed impossible, the controller should decide which interest should prevail. (54)
The DPA held that the controller failed to satisfy the second step, since the controller did not try to find a way to reconcile the interests of both parties. The DPA also concluded that the controller did not satisfy the third step. The rights of the controller’s employees did not prevail against the rights of data subjects, since any personal data of employees in the recorded phone conversations would be limited, such as voice and name. The phone conversation was also recorded when the employees were doing their jobs. The DPA therefore concluded that the access should not have been frustrated by the controller for this reason. (57)
Third, the DPA assessed another reason given by the controller for not providing access, which was that, according to the controller, the data subject wanted to start a civil procedure. The DPA stated that the data subject’s reason for wanting access should not be considered a condition for exercising this right. The controller should only determine The DPA therefore also rejected this argument. (58 – 59)
Fourth, the DPA assessed the controller’s argument about not wanting to disclose any knowhow or trade secrets. The DPA referred to recital 63 GDPR and stated that the GDPR did not define what a ‘trade secret’ actually was, and therefore looked at the definition in Belgian law (Artikel I.17/1 WER). (61) The DPA concluded that the phone recordings did not qualify as ‘trade secrets’ under the conditions of this Belgian law. (62 – 63)
Considering the above four points, the DPA held that the controller violated Article 12(2) and 15 GDPR because the controller did not respond adequately to the access request.
Fifth, the DPA held that the controller violated Articles 5(1)(a), 12(1), 12(2), 13(1)(c) and 13(2)(a) GDPR by not providing adequate information to the data subject about the phone recordings. ( ) The DPA stated that both agreements signed by the data subject and the controller included a provision stating that phone conversations could be recorded for the performance of the contract. The possibility of phone recordings was also mentioned in the privacy policy of the controller. (78) However, the DPA determined that the controller did not provide all the necessary information. Among other things, the controller did not provide adequate information, in both the contract and the privacy policy, about the legal bases and the purposes of the processing, as required by Article 13(1) and 13(2) GDPR, and the storage limitations, as required by Article 13(2)(a) GDPR. (79)
Sixth, the DPA held that the controller violated Articles 5(2), 24(1) and 25 GDPR because the controller had not been able to provide evidence that it had deployed sufficient technical and organisational measures to comply with Articles 12(2), 15, 12(1), 13(1)(c) and 13(2)(a) GDPR.
After considering multiple
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation room

Decision on the substance 57/2023 of 17 May 2023

File number: DOS-2022-01721

Subject: Complaint regarding refusal of access to sound recordings

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Jelle Stassijns and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

Made the following decision regarding:

The complainant: Mr. X, represented by Mr. Arne Saerens and Mr. Peter Van Aerschot, both with offices at 8200 Bruges, Lieven Bauwensstraat 20, hereinafter “the complainant”;

The Defendant: Y, represented by Mr Benjamin Docquir and Mr. Margo Cornette, both having its office at Marsveldplein 5, 1050 Brussels, hereinafter referred to as “the defendant”.

I. Factual Procedure

1. On 7 April 2022, the complainant submits a complaint to the Data Protection Authority against defendant. The complainant has concluded two agreements with the defendant whereby the defendant would be responsible for developing a website (“…”) and company videos (“…”) for the complainant, collectively referred to as "the Agreements". Under these agreements telephone conversations took place regarding the functional development and design of this website and videos.
Such telephone conversations were recorded by the defendant with a view to the proper implementation of the complainant's wishes in the framework of the agreement. However, the complainant claims that he was not aware of these recordings. Since 2021, there has been a dispute between the complainant and the defendant regarding the performance of the agreement. In this context, the complainant has the right to inspect with regard to telephone recordings. The defendant refused to provide a copy of the telephone recordings, but states that the complainant can access the recordings listen in her offices. The complainant believes that the telephone calls were unlawfully recorded and that his right of access was ignored. So he has a complaint submitted to the GBA.

2. On April 28, 2022, the complaint will be declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG submitted to the Disputes Chamber.

3. On April 28, 2022, in accordance with Article 96, § 1 WOG, the request of the Disputes Chamber to carry out an investigation submitted to the Inspection Service, together with the complaint and the inventory of the documents.

4. The investigation by the Inspectorate will be completed on 29 June 2022, the report reads appended to the file and the file is transferred by the Inspector General to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject of the complaint and decision that there would be a violation of:

1. Article 5 (1) (a) and (2) and Article 6 (1) GDPR;
2. Article 5, Article 24 (1) and 25 (1) and (2) GDPR;
3. Article 12 paragraph 1, paragraph 2, paragraph 3 and paragraph 4 and Article 15 GDPR; and
4. Article 12(1) and (2), Article 13(1) and (2), Article 5(2); Article 24(1) and Article 25(1) and (2).

5.
On 4 July 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for consideration on the merits.

6. On 4 July 2022, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG. They are informed of the time limits for their to file defenses. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the statement of defense from the defendant recorded on 29 August 2022, those for the complainant's reply on 19 September 2022 and finally those for the defendant's reply on 10 October 2022.

7. On 8 July 2022, the complainant requests a copy of the file (Article 95, § 2, 3° WOG), which was transferred to him on July 14, 2022, and he indicates that he wishes to make use of the possibility to be heard, in accordance with Article 98 WOG.

8. On 11 July 2022, the complainant will electronically accept all communication regarding the case.

9. On August 29, 2022, the Disputes Chamber will receive the conclusion of the answer from the defendant with regard to the findings relating to the subject matter of the complaint. The defendant argues that the processing on its part is correct and permitted data processing, with the principle of lawfulness and transparency are respected. The defendant also argues that it may be incomplete answering a question from the Inspectorate does not constitute a violation of the accountability. The defendant then argues that it is entitled to inspection has not complicated. Finally, the defendant points out that they are transparent has provided information to the complainant and has the necessary technical and organizational measures to ensure the exercise of data subjects' rights facilitate.

10.
On 19 September 2022, the Litigation Chamber will receive the conclusion of the complainant's reply with regard to the findings regarding the object of the complaint. The complainant agrees with the findings of the Inspectorate regarding the unlawfulness of the processing, the accountability for compliance with the obligations in the GDPR and the transparency and information obligations on the part of the defendant. For what concerns the finding regarding the obstruction of the right of inspection, the defendant states that he wishes to exercise his right of access, as granted by the GDPR, and that the restrictions invoked by the defendant are disproportionate to his right of access.

11. On 10 October 2022, the Disputes Chamber will receive the statement of rejoinder from the defendant with regard to the findings relating to the subject matter of the complaint in which the argumentation is resumed as set out in the conclusion of answer.

12. On November 28, 2022, the parties will be notified that the hearing will take place on January 30, 2023.

13. On January 30, 2023, the parties will be heard by the Disputes Chamber.

14. On February 3, 2023, the minutes of the hearing will be sent to the parties appearing submitted.

15. The Disputes Chamber does not receive any comments because of the parties that have appeared regarding the record.

16. On 5 April 2023, the Disputes Chamber informed the defendant of its intention made to proceed to the imposition of an administrative fine, as well as the amount thereof in order to give the defendant the opportunity to defend himself, before the sanction is effectively imposed.

17. On May 25, 2023, the Disputes Chamber will receive the response of the defendant to the intention to impose an administrative fine, as well as the amount of them.

II. Motivation

II.1. Article 5 (1) (a) (2) and Article 6 (1) GDPR with regard to legality

II.1.1. Findings in the Inspection Report

18.
During the investigation, the defendant explained that the processing of personal data through the recordings of the telephone conversations is based on Article 6(1)(b) GDPR, i.e. “the processing is necessary for the performance of a agreement to which the data subject is a party, or at the request of the data subject before the conclusion of an agreement to take measures”. Based on his research the Inspectorate concludes that the defendant has fulfilled the obligations imposed by Article 5 (1) (a), (2) and Article 6 GDPR has not been complied with. From the Respondent's Replies After all, the Inspectorate cannot determine the research questions during the inspection to what extent telephone conversations are effectively recorded, what the exact purposes and the duration of storage of the recordings. In addition, according to the Inspectorate, the defendant failed to demonstrate the necessity. Hereby refers the Inspectorate according to Article 10/1, §1 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which allows recording of telephone conversations provided that the parties involved in the communication are informed, before the registration, of the registration, its precise purposes and the duration of storage of the registration. The Inspectorate thus concludes that the defendant has complied with the obligations by Article 5 (1) a) and (2) GDPR and Article 6 GDPR with regard to the principle of legality.

II.1.2. Position of the complainant

19. In its conclusions, the complainant fully agrees with the findings of the Inspectorate.

II.1.3. Defendant's position

20. The defendant disputes this finding and argues in its conclusion that the recordings are really necessary for the correct execution of the agreement.

21.
As to the necessity for proper performance, the defendant notes that the Inspectorate has not asked to demonstrate the necessary nature, since only the defendant was asked on what legal basis the processing operations, being the recordings of the telephone conversations have taken place. In her conclusions the defendant further explains the necessity. The necessity is twofold: on the one hand the implementation of the specific agreement between the defendant and the complainant and on the other hand, the guarantee of the quality of this agreement, which is a necessary corollarium is of the execution of the agreement. These phone calls are for to discuss the wishes and needs of the customer. The defendant illustrates this as follows: when the parties have signed a contract, for example for making a website, they discuss the concrete implementation modalities by telephone. The purpose of this conversation is essential because it is at this time that the client explains his activities are, what he expects from the website, etc. Based on this telephone conversation, a first website layout design. This method was chosen on the basis of the clientele of the defendant (mainly self-employed persons) who prefer a fast and telephone conversation instead of an exchange of e-mails. This method does not prevent that the customer receives written confirmation of the basic data that were provided for the development of the website. Through constant communication between her and her clients, the defendant can deliver tailor-made projects for the client the recordings give the project managers the opportunity to check whether the needs have been met of the customer, as expressed during the conversations. Thus, according to the defendant, no there is a violation of Article 5 (1) a) (lawfulness) j° Article 6 (1) GDPR.

II.1.4. Review by the Litigation Chamber

22.
Starting point of article 5, paragraph 1, a) GDPR, is that personal data is only lawfully may be processed. This means, among other things, that there is a legal basis for the processing of personal data as referred to in Article 6(1) of the GDPR must be present. In further elaboration of this basic principle, article 6, paragraph 1 GDPR states that personal data only may be processed on the basis of one of the legal grounds listed in the article.

23. The Disputes Chamber notes that the recording of telephone conversations in the context of business transactions are governed by both the GDPR and Article 10/1, §1 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter: WVP).

24. The assessment of this file will therefore initially take place on the basis of the provisions of the GDPR. The question arises to what extent the processing of personal data took place lawfully, in accordance with, inter alia, Articles 5 and 6 of the GDPR. The Disputes Chamber emphasizes that the application of the GDPR as a regulation of the European Union takes precedence over the aforementioned national legislation because of the direct operation and primacy within the European legal order. [1]

25. As already mentioned, the defendant argues that the recording of the telephone conversations is based on the legal basis as understood in Article 6(1)(b) GDPR, i.e. “the processing is necessary for the performance of a contract involving the data subject party, or at the request of the data subject before entering into a contract to take measures”. It is therefore up to the defendant to prove that she legitimately invokes this ground for processing.

26. When personal data are necessary to perform a contract with the data subject that agreement forms the basis for the processing of those personal data, as stated in Article 6(1)(b) GDPR. The Disputes Chamber finds that the parties have entered into two agreements, the (“…”) dd.
August 18, 2021 for what concerns the development of the website and the (“…”) for the purpose of producing a corporate video, also concluded on August 18, 2021. Both agreements were signed the Disputes Chamber.

27. Furthermore, a controller can only rely on this legal basis if the processing of personal data is strictly necessary for the conclusion or performance of the agreement. There must therefore be a direct and objective connection between the processing of personal data and the purpose of the contract.

[1] See inter alia CJEU of 5 February 1963, NV Algemene Transport- en Expeditie Onderneming van Gend & Loos t. Dutch Administration of Taxes, C-26-62, ECLI:EU:C:1963:1; CJEU of 15 July 1964, Flaminio Costa v. E.N.E.L., C-6-64, ECLI:EU:C:1964:66; on the legal protection of citizens on the basis of Union law and the principles of “direct effect” and “primacy”, see C. BARNARD, The Substantive Law of the EU: The Four Freedoms, Oxford (5th ed.), 2016, 17.

28. The Disputes Chamber establishes that, according to the defendant, the necessity relates has on the one hand the performance of the specific agreement between the defendant and complainant and, on the other hand, the guarantee of the quality of this agreement. Based on two agreements between the defendant and the complainant Litigation Chamber finds that these agreements contain several more general provisions contain such as a description and cost of the services chosen by the complainant as subscriber, the type of video to be produced, etc. Provisions regarding the specific modalities were not stipulated in these agreements. The included telephone conversations took place in the context of discussions of the specific modalities. It goes without saying that not all customers have the same wishes and requirements for their website or video. Also using a phone call allows you to easily to discuss, clarify any ambiguities or ask questions, for both parties.
Any requirements for the customer can also change, which means that the defendant can respond more quickly by conducting these conversations by telephone instead of by email. The recordings of these conversations are for replay listened to if necessary (for example, when in doubt about certain aspects of the website, or to verifying that all customer requests have been met). Considering its efficiency for both the controller and the customer, the Litigation Chamber is of the opinion that the necessity requirement is met.

29. As a result of the above, the Litigation Chamber believes that there is no infringement of Article 5 (1) a) with regard to lawfulness and Article 6 (1) GDPR was committed by the defendant.

II.2. Article 12, paragraph 2, paragraph 3 and paragraph 4 and Article 15 GDPR

II.2.1. Findings in the Inspection Report

30. On the basis of its investigation, the Inspectorate determines the right of the defendant of inspection of the plaintiff unjustly complicated. After all, the defendant refuses a copy of the telephone recordings, but only offers the possibility to transfer the recordings to come and listen at its head office. The defendant states, according to the Inspectorate no elements that justify that it would actually be impossible to to provide the complainant with a copy of the aforementioned recordings in which, where appropriate personal data of third parties have been made unrecognizable.

II.2.2. Position of the complainant

31. The complainant recalls that – in accordance with Article 15 GDPR – the controller must provide access via a copy of the personal data. If a copy is the most appropriate way of providing access, can, may and must be provided with a copy. The initial refusal of the defendant is a blatant violation of his rights, according to the complainant.
The proposal to to come and listen to the recordings at the head office does not meet the requirements of the right of access as provided for in the GDPR and makes it more difficult to exercise the right to access significantly.

32. The complainant does not dispute that the right of access is not absolute and can be limited if it would prejudice the rights and freedoms of others. However, this should not matter lead to deprivation of all information. However, the complainant argues that the restrictions do not apply to this case.

33. With regard to the exception in Article 15(4) GDPR regarding respect for the rights of freedoms of third parties, the complainant states that the processed personal data of the employees in the telephone conversation are very limited. It is, after all, a normal professional telephone conversation using standard salutations. Consequently, according to the complainant, the refusal to provide a copy is for these reasons disproportionate. The complainant adds in subordinate order that he can too agree to receive a version where the direct identification data of the employees are omitted, or possibly even a written version of the conversations where the direct identification data of the employees are omitted, provided that the text of the recordings has been checked by an objective party or by the playing the conversations after receiving the written text.

34. As to the defendant's argument regarding the use of the recordings as piece of evidence in the context of legal proceedings, reminds the complainant that there is no such legal proceedings have yet taken place. In addition, the Respondent for forwarding the correct call/text. If the defendant forwards the authentic conversations and declares this to be the case, there is none for the complainant problem about this.

35. Finally, the complainant refers to the defendant's argument that the provision of a copy of the recordings may constitute a breach of business secrecy.
The complainant argues that this cannot be the case. After all, these are standard conversations between a customer and a company. Questions were asked during these conversations website builder proposes to build a website or to make a business on a website can imagine. According to the complainant, this cannot constitute a business secret. In addition, eight the complainant is bound by the provisions of the GDPR when obtaining or processing it of the copies and that this is of course only intended for personal consultation.

36. With regard to the alleged abuse of law, the applicant argues in its conclusions that it the defendant herself has always contacted the complainant by telephone. If all contacts were made by e-mail, the complainant would have all information possess. Since the defendant therefore chose to make contact by telephone it is normal that she should also be responsible for safeguarding the right upon inspection by the complainant as he cannot exercise this himself. The complainant argues that it is not the rights of defense of the defendant are being violated, but the rights of defense of the defendant. After all, the complainant exercises a personal right that is granted to him pursuant to a European regulation. This right to inspect the complainant is misunderstood by the defendant merely to keep the evidence to herself and therefore complicates any future procedure.

II.2.3. Defendant's position

37. In principle, the defendant argues in its conclusions that it does not have the right of access unnecessarily complicated. As already stated, she has refused to provide a copy of the recordings, but instead she invites the complainant to the recordings in her office come and listen. After all, it argues that granting inspection does not mean a copy must be provided.
Referring to article 15, paragraph 4 GDPR, the defendant argues that it right to obtain a copy is not absolute and obtaining a copy is not may interfere with the rights and freedoms of others. The defendant argues that reluctance to send a copy of a recording is fourfold.

38. Firstly, these recordings also contain personal data about/of employees of the defendant. According to the defendant, it is not desirable that such recordings be included in the get hold of a (dissatisfied) customer, as dissatisfied customers become employees directly and in an unauthorized manner. Besides, it would providing these recordings constitute a breach of protection personal data of the employees who are part of the recordings. Hereby has the defendant made the trade-off between, in its view, improper use of the right of access on the one hand and the right to protection of personal data of the involved employees on the other hand.

39. Second, the defendant argues that the complainant wishes to use these recordings as evidence in a civil dispute or proceeding. If it comes to a court procedure, it is necessary to preserve the authenticity of the recordings. This is made more difficult when the personal data of the employees concerned is removed from the conversation will be deleted.

40. Thirdly, the defendant argues that a large part of the production process is done by telephone expires. Based on the telephone recordings, the working methods and know-how, and according to the business secrets, can be derived from the defendant.

41. Fourth, the defendant argues that the exercise of the right of access is unfounded since it constitutes a manifest form of abuse of law. The complainant and the defendant are after all, involved in a contractual dispute regarding the performance of the agreement. As part of this, the complainant wishes to use the recordings as evidence in the context of a possible legal action.
The rules and restrictions on the submission however, evidence in civil litigation is expressly regulated to rights of defense and the right to contradict. Due to the obligation to to transfer recordings, the right to a fair trial as guaranteed in Article 6 of the European Convention on Human Rights are ignored as the as a party to civil proceedings, the defendant can itself take the initiative and determine how the process proceeds. Deny the defendant the right to choose which evidence it wants presenting and when, is a flagrant violation of her right to due process.

II.2.4. Review by the Litigation Chamber

General principles

42. To begin with, the Disputes Chamber points out that the right of access is one of the main requirements of the right to data protection. It is the "gateway" which enables the exercise of other rights conferred by the GDPR on the data subject grants, such as the right to rectification, the right to erasure and the right to restriction of processing. [2]

43. The complainant has repeatedly exercised his right of access pursuant to Article 15 GDPR with regard to of the defendant by requesting that he be provided with a copy of the recordings of the telephone conversations in which the complainant participated. Through his lawyer, Mr the complainant sent a final request by e-mail and registered letter on 21 March 2022 to the complainant:

My client urges you to provide an electronic copy of all telephone conversation recordings that you have that involve my client if participant in the call. My client also requests about the processing of the telephone conversation recordings provide him with the following additional information:

[2] See most recently CJEU, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3, para 38, but also CJEU, 17 July 2014, YS et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16, EU:C:2017:994, para 57, see also decision 15/2021 dd.
February 9, 2021, para 141, and decision 41/2020 dd. July 29, 2020, para 47 Decision on the substance 57/2023 – 11/33 - the processing purposes - the grounds for processing - what other categories of personal data you have with regard to the conducted keeps track of telephone conversations in addition to the actual recordings, - the recipients or categories of recipients to whom the data is or will be provided; - if possible, the period during which the personal data is expected to be collected are stored, or if that is not possible, the criteria for determining that period; - when the personal data is transferred to a third country or a international organization, information on the appropriate safeguards in this regard transfer. 44. According to Article 15(1) of the GDPR, the data subject has the right to obtain from the to obtain a definite answer from the controller as to whether or not he is being processed regarding personal data. If the latter is the case, the person concerned has it right to obtain access to those personal data and to information referred to in Article 15, paragraph 1 a) - h) is stated, such as the purpose of the processing of the data and the any recipients of the data, as well as information about its existence rights, including the right to request rectification or erasure of its data, or to submit a complaint to the GBA. The purpose of the right of inspection is the state concerned to understand how his personal data is processed and what the consequences are can be checked as well as the correctness of the processed data without being to justify intention. 3 45. Article 12 of the GDPR concerns the way in which data subjects can exercise their rights exercise and stipulates that the controller is exercising those rights must be facilitated by the data subject (Article 12 (2) of the GDPR), and without delay and in must provide information about the measures taken in response to his request (Article 12(3) of the GDPR). 
Where the controller does not intend to comply with the request, he must communicate his refusal within one month, and inform the data subject about the possibility of submitting a complaint against this refusal to the data protection supervisory authority or of appealing to the courts (Article 12(4) of the GDPR).

[3] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13.

46. The Disputes Chamber notes that the last request for inspection was sent by e-mail and by registered mail on March 21, 2022. In this context, the Disputes Chamber points out that the European Data Protection Board (hereinafter: EDPB) had at that time already published the "Guidelines 01/2022 regarding the rights of data subjects – right of access", [4] which provide guidance for controllers on dealing with the exercise of the right of access.

Modality – provision of a copy

47. With regard to the modalities by which a controller should act, the Disputes Chamber points out that Article 15 (3) GDPR stipulates that the controller must provide the data subject with a copy of the personal data being processed. The obligation to provide a copy should not be construed as an additional right of the data subject, but as a means of granting access to the data. Consequently, access to the data pursuant to Article 15 (1) GDPR extends to the complete information on all data, and this access cannot therefore be construed as granting access to only a summary of the data. The obligation to provide a copy serves the purposes of the right of access, namely to enable the data subject to become aware of the lawfulness of the processing and to verify it (recital 63).
To achieve these goals, it is in most cases not sufficient that the data subject can view the information only temporarily; the data subject must be able to access the information by obtaining a copy of the personal data. [5]

48. The question therefore arises in what form the copy should be provided. Article 15, paragraph 3 in fine GDPR states that when the data subject submits his request electronically and does not request any other arrangement, the information must be provided in a commonly used electronic format, whereby what is commonly used must be determined from the point of view of the data subject and not of the controller. [6] In some cases, the circumstances themselves determine the format in which the personal data must be provided, such as with audio recordings, since the voice of the data subject is itself personal data. In some cases, a transcript of the conversations can also suffice, for example when this was agreed between the complainant and the controller. [7]

[4] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf
[5] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 21 et seq.
[6] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 146 et seq.

49. The Disputes Chamber believes that a copy of the sound recordings had to be forwarded to the complainant.
After all, these sound recordings contain the personal data that are spoken, but also the voice of the complainant, which also constitutes personal data and cannot be reproduced in transcripts.

50. For the sake of completeness, the Disputes Chamber refers to the judgment rendered in the case "Österreichische Datenschutzbehörde", [8] in which the Court of Justice stated that "the right to obtain from the controller a copy of the personal data that are processed means that the data subject must be given a fair and comprehensible reproduction of all such data. This right includes the right to obtain a copy of extracts from documents or even complete documents or database extracts containing, among other things, those data, if the provision of such a copy is indispensable to enable the data subject to effectively exercise the rights conferred on him by this Regulation, whereby it must be emphasized that the rights and freedoms of others should also be taken into account". [9]

Exceptions

51. Despite this broad concept of a copy, and notwithstanding the fact that it is the main modality by which access must be granted, other modalities may be appropriate in certain circumstances. Recital 63 of the GDPR states that the right of access must not prejudice the rights or freedoms of others, including business secrets or intellectual property and in particular the copyright that protects the software. However, those considerations should not lead to the data subject being withheld all information.

52. As already explained, the defendant puts forward several arguments in its claims about this.

53. First, the defendant argues that the telephone recordings also contain personal data of its employees. The rights and freedoms of these employees are to continue to be ensured by the defendant.
The Litigation Chamber notes that Article 15, paragraph 4 of the GDPR stipulates that the right to obtain a copy must not affect the rights and freedoms of others. The general concern that rights and freedoms of others can be affected by complying with the request for access is not sufficient to invoke Article 15 (4) GDPR. The Disputes Chamber notes, however, that the controller must be able to demonstrate that, in the concrete situation, the rights or freedoms of others would actually be affected.

[7] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 153 et seq.
[8] ECJ, 4 May 2023, F.F. v. Österreichische Datenschutzbehörde, C-487/21, ECLI:EU:C:2023:369.
[9] CJEU, 4 May 2023, F.F. v. Österreichische Datenschutzbehörde, C-487/21, ECLI:EU:C:2023:369, para 45.

54. As can be deduced from recital 4 of the GDPR and from the rationale behind Article 52, paragraph 1 of the European Charter of Fundamental Rights, the right to protection of personal data in particular is not an absolute right. Recital 4 states more particularly: "[…] The right to the protection of personal data is not absolute, but must be considered in relation to its function in society and must conform to the principle of proportionality against other fundamental rights […]". The exercise of the right of access must also be weighed against other fundamental rights in accordance with the principle of proportionality. The EDPB has provided three steps in the Guidelines to perform this trade-off.
When this consideration under Article 15 (4) GDPR shows that granting the request negatively affects the rights and freedoms of other participants (step 1), the interests of all participants are weighed, taking into account the specific circumstances of the case and the likelihood and severity of the risks associated with the provision of the data. The controller must try to reconcile the conflicting rights (step 2), for example by taking appropriate measures to limit the risk to the rights and freedoms of others, such as making the information concerning others illegible as far as possible instead of refusing to provide a copy of the personal data. However, if it is impossible to find a reconciliation solution, the controller decides in a next step which of the conflicting rights and freedoms prevail (step 3).

55. Applied to the present case, the defendant has, in accordance with the above step one, evaluated the complainant's application and determined that the recordings contain personal data of employees.

56. In the context of step 2, to verify whether transferring the copy has an impact on the rights and freedoms of others, the defendant must, as controller, try to reconcile the conflicting interests by taking appropriate measures to mitigate the risk to the rights and freedoms of the data subject as much as possible. It is in this context that the defendant offered the possibility to come and listen to the recordings at its head office. The complainant refused this possibility, but could nevertheless agree to receive a transcript omitting the direct identification data of the defendant's employees, subject to the necessary guarantees regarding its correctness, as a way for the parties to reconcile the conflicting rights.

57. In the third step, the defendant thus had to verify which of the conflicting rights prevail.
This should take into account the probability and seriousness of possible risks with regard to the rights and freedoms of the employees in the telephone recordings. The defendant contends that the rights of its employees prevail and in this way wishes to shield them from (dissatisfied) customers. The Disputes Chamber does not follow this view. The Disputes Chamber notes that personal data of the employees may be present in the telephone recordings, but that this concerns a limited amount, such as the voice and the name. In addition, the conversation is of a professional nature. The Litigation Chamber therefore also concludes that there are very minor to no adverse consequences for the rights and freedoms of the employees. The Litigation Chamber therefore rules that the defendant cannot rely on these rights and freedoms for the refusal to transfer a copy to the complainant.

58. As a second argument for the refusal to provide a copy to the complainant, the defendant points out that the Inspectorate misunderstood during the investigation that the complainant wishes to use these recordings as evidence in a civil dispute or proceeding, the authenticity and integrity of which must be preserved. The complainant argues in this regard that no legal proceedings have yet been initiated.

59. The Disputes Chamber points out that, given the broad application and interpretation of the right of access, the purpose for which the right of access is exercised must not be considered a condition for the exercise of this right. It is therefore not for controllers to verify why the data subject seeks access to his personal data, but only what the request for access entails and whether or not personal data of the data subject are processed.
In the aforementioned Guidelines, the EDPB also gives as an example that a controller is not allowed to refuse access on the basis of suspicions that the personal data concerned may be used by the data subject to defend himself in court in the case of a commercial dispute with the controller. [10] The Disputes Chamber therefore concludes that the defendant cannot rely on this for the refusal of the right of access.

[10] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13. AG Emiliou confirms this statement in the Opinion in Case C-307/22, 20 April 2023, FT v. DW, para 28, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62022CC0307.

60. Third, the defendant argues that a large part of the production process takes place by telephone and aims to discuss the needs, wishes, working method, etc. with the customer. After all, the products offered by the defendant are tailor-made products for the customer. Based on the conversation content, such as the questions that would be asked to the customer, it would therefore be possible to derive the working methods, know-how and thus business secrets of the defendant.

61. As already mentioned, recital 63 states that the right of access must not prejudice the rights or freedoms of others, including trade secrets. The GDPR does not, however, clarify what should be understood by business secrecy within the meaning of Recital 63 GDPR.
In Belgian national law, Article I.17/1 ELC defines a trade secret as follows: "Information that meets the following cumulative conditions: a) it is secret in the sense that, in its entirety or in the correct composition and arrangement of its constituents, it is not generally known to or easily accessible for persons within the circles usually dealing with the relevant type of information; b) it has commercial value because it is secret; c) it has been subject to reasonable measures by the person lawfully in control of it, given the circumstances, to keep it secret."

62. The Disputes Chamber understands from the conclusions of the defendant that the recordings discuss how the website would be built. Questions would have been asked from which the know-how and production processes of the defendant could be derived. Transmitting a copy of these conversations would constitute a violation of the defendant's trade secret, the defendant claims. However, the Litigation Chamber notes that this information does not meet the above-stated definition of a trade secret. According to the first condition of the aforementioned definition, a trade secret is secret in the sense that, in its entirety or in the correct composition and arrangement of its constituents, it is not generally known to or easily accessible for persons within the circles usually dealing with the relevant type of information. The Litigation Chamber notes that access to this information is not limited. After all, this information is communicated in standard conversations with all customers, whereby it is also possible for competitors to pretend to be a customer in order to obtain the necessary information. Moreover, this information is also not protected by means of a non-disclosure agreement. This would thus mean that the customers would have access to the alleged business secrets of the defendant and can and may pass them on to third parties.
After all, the information is already given during the conversations themselves without any agreement at the time to keep it secret. Moreover, the information still needs to be placed in the correct composition or arrangement of components before the relevant know-how could be traced.

63. In view of the above, the Litigation Chamber rules that the above-mentioned exceptions to the right to transmit a copy do not apply in this case.

Abuse of law

64. In subordinate order, the defendant argues that the exercise of the right of access is unfounded as it constitutes a manifest abuse of law. The defendant argues in this connection that the complainant wishes to obtain the relevant recordings improperly in the context of the commercial dispute. In his conclusions, the complainant argues that it is the defendant itself that always recorded the telephone contact with the complainant. According to the complainant, the defendant must therefore be responsible for safeguarding the complainant's right of inspection, as he cannot exercise this himself.

65. The Litigation Chamber recalls that EU law may not be invoked for abuse or fraud. [11] Advocate General Kokott argues in connection with the abuse of the right of access that determining whether there has been abuse requires an objective as well as a subjective element. As regards, first, the objective element, it must be apparent from a set of objective circumstances that, notwithstanding formal compliance with the conditions imposed by a Union regulation, the purpose intended by that scheme was not achieved. Secondly, such a determination also requires a subjective element, in the sense that it must appear from a set of objective factors that the essential purpose of the acts in question is to gain an unjustified benefit.
After all, the prohibition of abuse does not apply when the acts in question may have an explanation other than the mere acquisition of an (unjustified) advantage. [12]

66. With regard to the objective element, the Disputes Chamber notes that the wishes and needs of the complainant, which he expresses as a customer of the defendant, are to be qualified as personal data, as such information is related to a specific person (namely the complainant himself) because of its content, purpose or effect. After all, these conversations express the vision and train of thought of the complainant with regard to the desired products. The collection of this information by the defendant is for the purpose of developing a product tailor-made for the complainant. After all, it is the intention of the complainant to use the bespoke website and video to differentiate himself (and his sole proprietorship) from his competitors.

[11] CJEU, 9 March 1999, Centros, C‑212/97, EU:C:1999:126, para 24; CJEU, 2 June 2016, Bogendorff von Wolffersdorff, C‑438/14, EU:C:2016:401, paragraph 57.
[12] AG Opinion at CJEU, 20 July 2017, Nowak, C-434/16, ECLI:EU:C:2017:582, para 42 et seq.
[13] The Court of Justice has held that "insofar as the official title of the legal person identifies one or more natural persons", the legal person is entitled under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union to the protection of data related to it. Since the GDPR is an elaboration of the overarching safeguards laid down in these Charter provisions, such protection for legal persons also derives from the GDPR, although this protection does not extend to the legal person as such

67.
This qualification as personal data means that the basic principles of the GDPR apply and that the data subject can exercise his rights under the GDPR, such as evaluating the correctness of the data or the right to object to the processing of his personal data outside the context of the agreements concluded. It must thus be established that granting a right of access to those wishes and needs in the recordings serves the purpose of the GDPR, which consists in guaranteeing the protection of the complainant's right to privacy in connection with the processing of his personal data.

68. With regard to the subjective element, the Litigation Chamber finds that the essential purpose of the acts in question is not to acquire an unfair advantage. The Disputes Chamber states that the exercise of the right of access is the only way for the complainant to check which personal data the defendant processes and, if necessary, how this processing takes place. Since the contacts are made by telephone, the complainant himself has no written record of the processing of his data. A request cannot be refused if the data subject would have the intention to use the personal data to file a complaint against the defendant. Consequently, there can be no question of an abuse of law.

69. The Inspection Report finds that there would also be an infringement of Article 12, paragraph 3 and paragraph 4 GDPR. However, the Litigation Chamber finds that the defendant formulated an answer to the request of the complainant within the set period of one month, as a result of which there is no infringement of Article 12 (3) GDPR. The defendant also did not simply refuse the request for inspection, but proposed (insufficiently equivalent) alternatives, so that there is no infringement of Article 12 (4) GDPR.

70.
In view of the above, the Disputes Chamber rules that the defendant has not correctly and lawfully acted upon the complainant's exercise of the right of access, which constitutes an infringement of Article 12(2) and Article 15 of the GDPR.

II.3. Article 5(1)(a) (transparency), Article 12(1) and Article 13(1) and (2) GDPR

71. Based on Article 12(1) and Article 13(1) and (2) of the GDPR, the defendant, as controller, must provide the data subjects with concise, transparent and understandable information about the personal data being processed. The aforementioned transparency obligations constitute a concretization of the general transparency obligation of Article 5, paragraph 1, a) of the GDPR. As already explained, the defendant must take the appropriate technical and organizational measures to guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR. The defendant must thereby effectively implement the data protection principles, protect the rights of the data subjects and only process personal data that are necessary for each specific purpose of the processing.

[13, continued] concerns, but the natural person(s) who form it, and probably mainly occurs in cases where the legal entity is in fact a sole proprietorship or a small family business with a transparent "corporate veil".
[14] EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13.

II.3.1. Findings in the Inspection Report

72. The Inspectorate first of all finds that the defendant does not demonstrate that it effectively informed the complainant transparently and in a timely manner about the information that needs to be provided in accordance with Articles 12 and 13 of the GDPR.

II.3.2. Position of the complainant

73.
The complainant fully agrees with the findings of the Inspectorate. He adds that he had indeed not been adequately informed that the conversations were recorded. The complainant disputes that he was informed at each telephone contact that the conversations were being recorded. It was only in subsequent e-mail communication that he was informed of the recordings. Consequently, the defendant has not complied with its information obligation.

II.3.3. Defendant's position

74. The defendant argues in its conclusions that it has not violated its transparency obligations under Articles 12 and 13 GDPR. The defendant argues that it informed the complainant at different times and through different channels about the disputed processing, namely at the conclusion of the agreements, via the privacy statement on the website and via the automatic messages upon receipt of the calls. As for the lack of clarity regarding the recordings that was established by the Inspection Service, the defendant raises that telephone calls were only recorded for incoming and outgoing calls from the general number. If an employee contacted the complainant directly or was contacted directly by the complainant, the conversations were not recorded. In addition, according to the defendant, the complainant was informed of his rights under the GDPR in order to facilitate their exercise. The defendant therefore concludes that it has duly complied with its obligations under Articles 12 and 13 of the GDPR.

II.3.4. Review by the Litigation Chamber

75. The Litigation Chamber must judge whether the complainant has been adequately informed about the disputed processing so as to meet the requirements of Article 12 (1) and Article 13 (1) and (2) GDPR.

76.
Article 12(1) GDPR requires the controller to "use appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 [...] related to processing in a concise, transparent, understandable and easily accessible form in clear, simple language, especially when the information is specifically intended for a child".

77. The Disputes Chamber notes that Article 14 of both concluded agreements stipulates that the telephone conversations can be recorded for the purpose of carrying out the agreement. This is also mentioned in the privacy statement. The Litigation Chamber refers to the Transparency Guidelines of the Article 29 Data Protection Working Party, which provide as follows: "Any company with a website should publish a statement or notice on that site about the protection of privacy. A direct link to this statement or notice on the protection of privacy should be clearly visible on every page of the website, under a commonly used term (e.g. "Confidentiality", "Confidentiality Policy" or "Privacy Protection Notice")." [15] The Article 29 Data Protection Working Party states that "all information sent to a data subject should also be accessible in a single place or in the same document (on paper or in electronic format) that can easily be consulted by this person if he wishes to consult any information given to him." [16]

78. The Litigation Chamber points out that the complainant was informed about the disputed processing via the agreements – signed by him – and via the privacy statement. However, the Disputes Chamber hereby notes that not all essential information has been communicated.

79. First of all, the Disputes Chamber notes in this context that the privacy statement does not mention in sufficient detail the precise legal basis(es), the purposes of the processing and the personal data used, as required by Article 13 (1) and (2) GDPR.
The Disputes Chamber has established that the privacy statement mentions these elements, but that the manner in which it does so is not comprehensible and transparent to the data subjects, since it is not clear to the data subject which data are processed for which purpose and on what legal basis this is done. Ideally, the controller provides a list of the different purposes for which he processes personal data, each time indicating which (categories of) personal data are processed for this purpose, from which source they were obtained, how long they are kept and with which (categories of) recipients they are (or may be) shared. [17]

[15] Working Group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", version revised and approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 11.
[16] Working Group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", version revised and adopted on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 17.

80. Second, the Disputes Chamber notes that the privacy statement does not clearly state the retention periods of the personal data concerned or the criteria for determining them, as required by Article 13 (2) a) GDPR. The privacy statement states the following in this regard: "[Defendant] shall use all necessary means to ensure that the data of a personal nature is kept for the purposes described above and that it does not exceed the legal deadlines." As also appears from the Guidelines of the Data Protection Working Party, such wording does not suffice. The Data Protection Working Party points out in this regard that the (mention of the) retention period is related to the principle of minimum data processing contained in Article 5, paragraph 1, c) GDPR, as well as the requirement of storage limitation of Article 5 (1) e) GDPR.
It specifies that "the storage period (or the criteria for determining it) may be dictated by factors such as legal requirements or sectoral guidelines, but should always be formulated in such a way that the data subject, on the basis of his or her own situation, can assess the retention period for specific data/purposes". [18] In view of all the foregoing, the Disputes Chamber establishes a violation of Article 5(1)(a), Article 12(1) and (2), Article 13(1)(c) and (2)(a) of the GDPR.

II.4. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR

II.4.1. Findings in the Inspection Report

81. The controller must comply with the principles of Article 5 GDPR and be able to demonstrate this. This follows from accountability as understood in Article 5, paragraph 2 in conjunction with Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every controller takes appropriate technical and organizational measures to ensure and be able to demonstrate that the processing takes place in accordance with the GDPR.

82. In its Inspection Report, the Inspectorate finds that Articles 5, 24, paragraph 1 and 25, paragraph 1 and 2 GDPR were violated.

[17] This allows the data subjects to ask specifically, via a request for the right of access, to which individual recipients the personal data are communicated, see e.g. CJEU, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3.
[18] Guidelines on transparency in accordance with Regulation (EU) 2016/679, WP260rev1, adopted on 29 November 2017, p 25.

83.
In the context of its investigation into accountability with regard to compliance with the basic principles of Article 5, paragraph 2 GDPR, the Inspection Service sent the following question to the defendant: "A documented answer to the question of which technical and organizational measures [the defendant] has taken to ensure that its processing activities take place in accordance with the principles on processing of personal data in accordance with Articles 5, 24 and 25 of the GDPR."

84. The defendant formulated an answer to the above question that, according to the Inspectorate, focuses on the (according to the defendant) correct handling of the complainant's request for the right of access. The Inspectorate states in its Inspection Report that this answer misses the point, since the question related to the defendant's compliance with all the basic principles of the GDPR since 25 May 2018. As a result, the Inspection Service concludes that there is an infringement of Article 5, Article 24 (1) and Article 25 (1) GDPR.

85. Secondly, the Inspectorate finds that the defendant does not provide evidence of what technical and organizational measures were taken for the exercise of the rights of the data subjects and to be able to adequately monitor them in accordance with Article 12 GDPR. In this context, the Inspection Service refers to (i) its previous finding that the defendant wrongly denied the complainant's right of access and made it more difficult and (ii) the fact that the defendant does not mention anything in its answer and copies of documents that in practice, on the one hand, informs and raises awareness among the management and employees of the defendant about facilitating and adequately following up the rights of the data subjects and, on the other hand, contributes to infringements and (human) errors regarding the rights of the data subjects being prevented, effectively and efficiently followed up and, where necessary, sanctioned.
As a result, the Inspectorate arrives at the finding that there is a violation of Article 24(1) and Article 25(1) GDPR.

II.4.2. Position of the complainant

86. The complainant agrees with the findings in the Inspection Report.

II.4.3. Defendant's position

87. In its claims, the defendant disputes this finding. The defendant regrets that the Inspectorate has come to a violation of accountability, as laid down in Article 5(2), Article 24(1) and Article 25(1) GDPR, due to a misunderstanding by the defendant of one of the Inspectorate's questions. The defendant disputes the finding that its answer to the above question was not concrete enough, while the question was anything but specifically formulated, according to the defendant. The defendant also notes that it had stated in its reply that it was always available for any further information, but that no further questions were asked. In addition, some days later the inspection investigation was completed.

88. Since the defendant contests the findings regarding transparency and the right of access, it therefore also argues that it has taken the appropriate technical and organizational measures to ensure compliance with the transparency obligations and to facilitate the right of access.

II.4.4. Review by the Litigation Chamber

89. The Litigation Chamber recalls that each controller must comply with the basic principles on the protection of personal data as laid down in Article 5(1) GDPR and must be able to demonstrate this. That follows from accountability in Article 5(2) GDPR in conjunction with Article 24(1) GDPR, as confirmed by the Litigation Chamber. 19

90. Based on Articles 24 and 25 of the GDPR, the defendant must take appropriate technical and organizational measures to ensure and be able to demonstrate that the processing takes place in accordance with the GDPR.
In doing so, the defendant must effectively implement the data protection principles and the rights of data subjects, and only process personal data that are necessary for each specific purpose of the processing.

91. As part of its investigation, the Inspectorate assessed to what extent the defendant has taken the necessary technical and organizational measures to comply with the principles of Article 5(1) GDPR, and in particular the principle of legality and transparency. In this case, the defendant replied to the Inspection Service, explaining the GDPR aspects of the complaint, such as the information obligations and the right of access. The Disputes Chamber reads in the Inspection Report, however, that the answer formulated by the defendant was not sufficient for the Inspectorate. As explained above, the Inspectorate believes in this case that certain information that is essential for the Inspectorate to arrive at a good assessment was not provided, which led the Inspectorate to conclude that there had been a violation of Article 5(2), Article 24(1) and Article 25(1) GDPR.

92. The Disputes Chamber notes that, if the Inspectorate establishes that no concrete information was provided by a controller, this leads to further investigation. The Disputes Chamber establishes that in this case no additional questions were asked about specific subjects, nor were specific documents requested in order to make a proper assessment of the case with regard to accountability for the basic principles of the GDPR included in Article 5(1)(b) to (f) GDPR.

19 Decision on the merits 34/2020 of 23 June 2020, available via the web page https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten.

93.
The Disputes Chamber established in section II.2.4 that there had been an infringement of the obligation to facilitate the data subject's request for access in accordance with Article 12(2) in conjunction with Article 15 GDPR. The Disputes Chamber ruled in section II.3.4 that there was also a breach of the transparency obligations included in Article 12(1) and Article 13(1)(c) and (2)(a) GDPR with regard to the understandable language and the indication of the retention periods in the privacy statement.

94. The Disputes Chamber therefore concludes that the defendant could not demonstrate that it had taken the necessary technical and organizational measures to comply with these obligations. Consequently, the Litigation Chamber concludes that there was an infringement of Articles 5(2), 24(1) and 25(1) GDPR with regard to the obligations arising from Article 12(2) in conjunction with Article 15 GDPR on the one hand and Article 12(1) and Article 13(1)(c) and (2)(a) GDPR on the other hand.

95. With regard to accountability in the context of compliance with the basic principles of the GDPR as laid down in Article 5(1)(b) to (f) GDPR, the Litigation Chamber determines that there are insufficient elements to conclude that there was a violation in that respect.

III. Sanctions

III.1. General

96. On the basis of the documents in the file, the Disputes Chamber establishes the following violations:
- Article 12(2) and Article 15 GDPR with regard to the right of access;
- Article 5(1)(a) (transparency), Article 12(1) and Article 13(1)(c) and (2)(a) GDPR, with regard to the understandable language and the indication of the retention periods in the privacy statement.

97.
Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:
1° dismiss a complaint;
2° order the exclusion of prosecution;
3° order a suspension of the judgment;
4° propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° order the rectification, restriction or deletion of data and the notification thereof to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° impose penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° transfer the file to the office of the public prosecutor in Brussels, who informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

III.2. Article 5(1)(a) (transparency), Article 12(1) and Article 13(1)(c) and (2)(a) GDPR in combination with the accountability principle ex Article 5(2), Article 24(1) and Article 25(1) GDPR

98. As regards the infringement of Article 5(1)(a) (transparency), Article 12(1) and Article 13(1)(c) and (2)(a) GDPR, with regard to the understandable language and the indication of the retention periods in the privacy statement, the Disputes Chamber recalls that it attaches great importance to transparency as one of the fundamental principles of the GDPR.
Transparency is an overarching obligation under the GDPR, which applies in three key areas: 1) the provision of information to data subjects related to proper processing; 2) the way in which controllers communicate with data subjects about their rights under the GDPR; and 3) the manner in which controllers help data subjects to exercise their rights. In addition, transparency enables data subjects to hold controllers and processors accountable. It is therefore up to the defendant as controller to take the necessary appropriate technical and organizational measures to guarantee the principle of transparency. In the present case, the breach of transparency is not of such a nature as to prevent or seriously hinder the application of these core areas. In this case, the infringement is limited to stating the necessary information in a cluttered manner and not explicitly stating the retention period. Consequently, the Litigation Chamber is of the opinion that a reprimand in accordance with Article 100, paragraph 1, 5° is appropriate for this infringement.

III.3. Article 12(2), Article 15 GDPR, in combination with the principle of accountability ex Article 5(2), Article 24(1) and Article 25(1) GDPR

99. With regard to Article 12(2), (3) and (4), Article 15 GDPR, in conjunction with the accountability principle pursuant to Article 5(2), Article 24(1) and Article 25(1) GDPR with regard to the right of access, the Disputes Chamber considers it appropriate to impose an administrative fine in the amount of EUR 40,000 (Article 83(2), Article 100, §1, 13° WOG and Article 101 WOG).

100. It should be pointed out in this context that the administrative fine in no way aims to end an infringement that has been committed, but aims at strong enforcement of the rules of the GDPR.
After all, as can be seen from recital 148 GDPR, the GDPR provides first of all that, in the event of any serious infringement – including the first finding of an infringement – penalties, including administrative fines, are imposed in addition to or instead of appropriate measures. The Litigation Chamber demonstrates below that the infringements of the aforementioned provisions of the GDPR committed by the defendant are by no means minor infringements, and that the fine would not impose a disproportionate burden on a natural person as referred to in recital 148 GDPR, in either of which cases a fine may be waived. The fact that this is a first finding of an infringement of the GDPR committed by the defendant in no way affects the possibility for the Disputes Chamber to impose an administrative fine. The Disputes Chamber imposes the administrative fine in application of Article 58(2)(i) GDPR. The instrument of the administrative fine is in no way intended to terminate infringements. To this end, the GDPR and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG. 21

101. Taking into account Article 83 GDPR and the case law of the Marktenhof, the Disputes Chamber gives concrete reasons for imposing an administrative sanction:

The seriousness of the breach (Article 83(2)(a) GDPR)

102. In the context of the transparency principle, the controller must facilitate the exercise of the data subject's rights. For data protection it is essential that data subjects can easily exercise their rights under the GDPR. This enables the data subject, in a simple

20 Recital 148 states: “In order to strengthen enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities pursuant to this Regulation.
If it concerns a minor infringement or if the expected fine would place a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, account should be taken of the nature, seriousness and duration of the infringement, the intentional nature of the infringement, damage-limiting measures, the degree of responsibility, or previous relevant infringements, the manner in which the infringement came to the attention of the supervisory authority, compliance with the measures taken against the controller or the processor, adherence to a code of conduct and all other aggravating or mitigating factors. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective remedy and due process.” [own underlining]
21 Brussels Court of Appeal (Marktenhof section), X t. GBA, Judgment 2020/1471 of 19 February 2020.

way to find out which personal data a controller processes and whether this processing is lawful. A good interpretation of the right of access is furthermore necessary to exercise other rights, such as the right to rectification and the right to data erasure. This principle was recently confirmed by the Court of Justice. 22 In the opinion of the Litigation Chamber, the present violation concerns a serious infringement, in which the defendant has not sufficiently facilitated the rights of data subjects. The Disputes Chamber therefore considers the imposition of a reprimand insufficiently effective, not proportionate and not dissuasive. After all, the defendant has not facilitated the right of access: with the policy it advocates, it refuses to grant access in a manner that allows the complainant to view the personal data not only temporarily.
Consequently, the exercise of the complainant's right of access was hindered by the defendant. A professional party such as the defendant, which systematically processes personal data by making recordings in the context of the performance of agreements, may be expected to be aware of the applicable standards and to take the appropriate technical and organizational measures to handle these personal data correctly. The defendant has thus failed to respect the guarantees that the GDPR provides for the right of access.

The number of data subjects (Article 83(2)(a) GDPR)

The Disputes Chamber notes that recording telephone conversations is a standard practice of the defendant, and that the policy on disclosing these personal data is not in accordance with applicable law, so that it cannot be ruled out that similar cases have occurred or will occur in the future. However, the Disputes Chamber takes into account the fact that only one complaint was lodged.

The intentional or negligent nature of the breach (Article 83(2)(b) GDPR)

As to whether or not the breaches were committed intentionally (or negligently), the Litigation Chamber recalls that “not intentionally” means that it was not the intention to commit the infringement, although the controller did not comply with the duty of care incumbent on it under the law. With regard to the negligent nature of the infringement (Article 83.2.b GDPR), the Disputes Chamber understands that the infringement was not committed with the malicious intent of infringing the GDPR. The Disputes Chamber finds that the defendant has always responded to the complainant's requests, and that it has alternatives in terms of

22 CJEU, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3, para 28 et seq.
see also CJEU, 17 July 2014, YS et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU, 20 December 2017, Nowak, C-434/16, EU:C:2017:994, para 57.

proposed modalities with regard to access, but that these were not sufficient in light of the modalities provided for by the GDPR and the above-mentioned guidelines of the EDPB.

Measures taken to limit the damage suffered by data subjects

In the framework of the principle of transparency, the controller must, on the basis of Article 12(2) of the GDPR, facilitate the exercise of the rights of the data subject under, inter alia, Article 15 of the GDPR. Both the complainant and the defendant suggested possible solutions, but failed to reach a compromise. For instance, prior to and during the proceedings, the defendant did not take up the various possible solutions proposed by the complainant, such as transferring the transcript after checking its accuracy. A possible solution offered by the defendant was to listen to the recordings at the head office in Drogenbos. It is essential for data protection that data subjects can have access in an easy way, and not just temporarily. The Disputes Chamber therefore holds that a method of access other than the right to a copy was offered, but that this offered modality could not provide an adequate solution.

Previous breaches by the controller (Article 83(2)(e) GDPR)

The Litigation Chamber also takes into account the fact that the defendant has never before been the subject of an enforcement procedure of the GBA.

Categories of personal data (Article 83(2)(g) GDPR)

The Litigation Chamber takes into account the fact that there is no evidence that sensitive data were processed.

Aggravating circumstance (Article 83(2)(k) GDPR)

The Disputes Chamber points out that the present case concerns the rights of data subjects and in particular the right of access.
As already mentioned, the right of access is the gateway to exercising other rights or claims, whether or not under the GDPR. It is therefore essential to guarantee this access in such a way that the data subject has access in a durable manner. The Disputes Chamber also takes into account the fact that there was an imbalance between the parties, in the sense that the complainant could not simply obtain the requested personal data without the intervention of the defendant.

Extenuating circumstances (Article 83(2)(k) GDPR)

The Litigation Chamber also takes into account the fact that the defendant has cooperated constructively, both during the Inspection investigation and during the procedure before the Litigation Chamber.

Conclusion

103. The whole of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking into account the assessment criteria specified therein. The Litigation Chamber points out that the other criteria of Article 83(2) GDPR are not such in this case that they lead to an administrative fine other than that determined by the Litigation Chamber in the context of this decision.

104. On 5 April 2023, a sanction form (“form for reaction against intended sanction”) was addressed to the defendant, containing the intention to impose a fine of EUR 70,000. The defendant submitted its response regarding the content on April 25, 2023. In summary, the defendant states in its response to the sanction form that:
1) the Litigation Chamber has not taken into account the concerns of the defendant, nor the fact that the request for access relates to a broader civil law dispute, which is in no way taken into account by the Litigation Chamber;
2) the fact that the complainant is invited to listen to the recording does not necessarily mean that the right of access is only temporary.
The complainant has the right to make notes while listening and in the past always received a summary via e-mail of the elements that were discussed during a telephone conversation, including the personal data processed by the defendant. The goal was not to prevent him from accessing it, but to prevent evidence from being distributed, altered or manipulated without authorization. If that happened, it could be used in a way that conflicts with the rights of the defendant's employees;
3) from the alleged fact that it would have hindered the right of access – quod certe non – the Litigation Chamber cannot possibly establish and decide that the defendant would not have appropriate procedures (under Articles 24 and 25 GDPR);
4) the complainant's lawyer never responded to the proposal to come and listen to the recording;
5) the Litigation Chamber assumes that it would systematically carry out large-scale processing. This is not the case; and
6) the proposed fine is disproportionate to the infringements established.

105. The defendant regrets that certain circumstances were not taken into account, in particular the duration of the infringement, the non-intentional nature of the infringement and the categories of personal data to which the breach relates.
1) First, with regard to the duration of the infringement, the defendant wishes to refer again to the civil dispute that exists between the parties.
2) Second, there was no willful misconduct or malice on the part of the defendant. The defendant has robust and adequate internal procedures, policies and rules in place to protect personal data and has always endeavored in good faith to comply with the GDPR in both spirit and letter.
3) Finally, as indicated above, the categories of data processed by the defendant are limited and usually relate to the company and not to the natural person himself (e.g. contact details, company name, company social network and domain name).
106. The Disputes Chamber is of the opinion that the above elements put forward by the defendant in the sanction form have already been dealt with in the decision and were taken into account when determining the fine in accordance with Article 83(2) GDPR. The elements from the sanction form on which the Disputes Chamber has additional considerations are discussed below.

107. As to the defendant's argument regarding the allegedly disproportionate nature of the administrative fine, the Disputes Chamber points out that, according to Article 83.5 GDPR, violations of Article 12(2), (3) and (4) and Article 15 GDPR are subject to administrative fines of up to EUR 20,000,000 or 4% of the total annual turnover of the previous financial year.

108. As regards the defendant's argument that the administrative fine in this case would be higher than in previous decisions of the Litigation Chamber, it should be pointed out that, in accordance with Article 83.2 GDPR as well as the guidelines of the Article 29 Working Party, 23 fines are imposed “according to the circumstances of the specific case”.

23 Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, 3 October 2017.

In addition, the Disputes Chamber points to the case law of the Court of Appeal in Brussels, Marktenhof section, according to which “the Belgian legal system does not [assign] a binding precedent value to administrative or judicial decisions. Any decision of a judge (and this applies equally to any decision of an administrative authority, provided that the principle of equality is not violated) is specific and does not extend to any case other than the one under consideration”.
24 With regard to the amount of the imposed administrative fine, the Marktenhof also pointed to the margin of appreciation of the Litigation Chamber: “In practice, this means that the GBA can not only decide not to impose a fine on the offender, but also that, if it decides to impose a fine, this is situated between the minimum, starting from EUR 1, and the intended maximum. Which fine is imposed is decided by the GBA taking into account the criteria listed in Article 83(2) GDPR”. 25

109. The defendant objects that, when determining the amount of the fine in the sanction form, the consolidated turnover of the French parent company was used instead of the turnover of the defendant itself. The defendant wishes not only to emphasize that it was a subsidiary of Regicom Webformance in 2021, but also that the Disputes Chamber should only take into account the annual figures of the defendant, since the parent company does not exercise decisive influence over the subsidiary. The defendant also submits that its annual figures for 2021 amounted to EUR 24,683,149.

110. On the basis of all the elements set out above, the Litigation Chamber decides to adjust the proposed sanction from EUR 70,000 to EUR 40,000. The established infringements warrant an effective, proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking into account the assessment criteria provided therein. The Disputes Chamber is of the opinion that a lower fine in the present case would not meet the criteria required by Article 83(1) of the GDPR, according to which the administrative fine must be not only proportionate, but also effective and dissuasive.

III.4. Other grievances

111. The Litigation Chamber proceeds to dismiss the other grievances and findings of the Inspectorate because, based on the facts and the documents in the file, it cannot conclude that there has been a breach of the GDPR.
These grievances and findings of the Inspectorate are therefore regarded as manifestly unfounded within the meaning of Art. 57(4) GDPR.

24 Brussels Court of Appeal (Marktenhof section), NV N.D.P.K. t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 12.
25 Brussels Court of Appeal (Marktenhof section), NV N.D.P.K. t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 42.
26 See point 3.A.2 of the Litigation Chamber's Dismissal Policy, dated June 18, 2021, available at https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf

IV. Publication of the decision

112. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties to be disclosed directly.

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- formulate, on the basis of Article 100, §1, 5° WOG, a reprimand with regard to the defendant for the infringement of Article 5(1) (transparency), Article 12(1) and Article 13(1)(c) and (2)(a) GDPR with regard to the understandable language and the indication of the retention periods in the privacy statement;
- impose, on the basis of Article 83 GDPR and Articles 100, §1, 13° and 101 WOG, an administrative fine of EUR 40,000 on the defendant for the infringement of Article 12(2) and Article 15 GDPR with regard to facilitating the complainant's right of access;
- order the defendant, pursuant to Article 100, §1, 6° WOG, to give effect to the complainant's right of access in accordance with Article 12(2) in conjunction with Article 15 GDPR; and
- dismiss the other grievances pursuant to Article 100, §1, 1° WOG.
Pursuant to Article 108, §1 of the WOG, this decision may be appealed to the Marktenhof (Brussels Court of Appeal) within a period of thirty days from the notification, with the Data Protection Authority as defendant.

Such an appeal may be made by means of an inter partes petition, which must contain the information listed in Article 1034ter of the Judicial Code. 27 The inter partes petition must be submitted to the Registry of the Market Court in accordance with Article 1034quinquies of the Ger.W., 28 or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.).

(signed) Hielke HIJMANS
Chairman of the Litigation Chamber

27 The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer.
28 The petition with its annex is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or deposited at the clerk's office.