APD/GBA (Belgium) - 57/2023
From GDPRhub
| APD/GBA - 57/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1) GDPR Article 12(1) GDPR Article 12(2) GDPR Article 13(1)(c) GDPR Article 13(2)(a) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 07.04.2022 |
| Decided: | 17.05.2023 |
| Published: | |
| Fine: | 40,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 57/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | kv33 |
TO BE UPDATED
The Belgian DPA fined a professional content creator €40,000 for inadequately responding to an access request. The controller had refused to provide recordings of phone conversations with the data subject.
English Summary
Facts
On 18 August 2021 (26), the data subject signed two contracts with the controller to develop a website and shoot promotional videos. To discuss the details, the data subject and the controller had multiple phone conversations, which were recorded by the controller without the data subject’s knowledge (according to the data subject). The controller stated that it recorded the conversations to document the data subject’s specific requirements for both the website and the promotional video’s. (1)
Sometime in 2021, the controller and the data subject started having disagreements about the contracts. Following this, the data subject exercised his right to access (Article 15 GDPR) multiple times, the last one on 21 March 2022. (46) He specifically wanted information about the recorded phone conversations. The controller refused to provide a copy of the recordings multiple times, but invited the data subject to its office to listen to the recordings there.
On 7 April 2022, the data subject filed a complaint at the Belgian DPA. According to the data subject, the phone conversations were recorded illegally and his right of access was frustrated by the controller. (1)
On 29 June 2022, the investigation service of the DPA finished its investigation and determined several violations of the GDPR. (4)
The controller clarified its position at different moments during the procedure. It stated that its legal basis for recording the telephone conversations was Article 6(1)(b) GDRP. (18) The recordings were necessary for the performance of the contract and for the guarantee for the quality of the controller’s services. (21)
The controller also stated that it did not obstruct the data subject’s right to access. The controller acknowledged that it had refused to provide a copy, but it had instead invited the data subject to listen to the recordings at the controller’s office. (37)
The controller also stated that it was not obligated to provide a copy of the recordings at all, since the right to a copy was not an absolute right, pursuant to Article 15(4) GDPR. (37) The controller did not want to provide a copy to the data subject in order to protect its employees from potentially unhappy customers. In this sense, the controller argued that the rights of its employees prevailed against the rights of data subject. (57)
The controller also stated that the data subject merely wanted these phone recording to start a civil procedure against the controller. (58)
The controller also did not want to provide the recordings because these could make it possible to get information about the controller’s methods, know-how and trade secrets, since these phone conversations were very detailed and focussed on the specific demands of the customers. (60) The controller argued that its methods could for example be deduced from the questions it had asked the data subjects in these conversations.
The controller also stated that it had informed the data subject in a GDPR complaint manner about the fact that the phone conversations would be recorded. (74)
Holding
First, the DPA assessed the claimed legal basis of the controller, Article 6(1)(b) GDPR, and looked at the two signed contracts. (26) According to the DPA, there needed to be a ‘direct and objective’ connection between the processing of personal data and the goal of the contract. (27) Without explicitly confirming this, the DPA implied that there was such a connection. The DPA also agreed with the controller that the phone recordings were necessary for the performance of the contract. the DPA stated that it was efficient to record the phone conversations in order to document the preferences of the customer. Because of this efficiency, the necessity requirement was met. There was therefore no violation of Article 5(1)(a) and Article 6(1) GDPR. (28 – 29)
Second, The DPA assessed if the controller obstructed the data subject’s right to access. The DPA stated that the right of access is a gateway for exercising other rights. (42) The right to a copy, as stated in Article 15(3) GDPR, should not be treated as an additional right, but as a way to get access to all personal data. Looking at the goal of the right to access, which is to inform the data subject about processing and to allow the data subject to check this, providing a summary of the data is not sufficient. All the information about all data has to be disclosed. The DPA also confirmed that it was usually not enough to only provide temporary access to the personal data. (47)
The DPA also assessed the question in which form the access should be granted. In this case, the controller should have provided a copy of the recordings tot the data subject, since the sound of the data subject's voice was also personal data, which could not be provided in the written transcripts. (49)
The DPA agreed with the controller that the right to an access and the right to a copy was not absolute, looking at recital 4 GDPR and Article 52 ECFR. The DPA referred to the EDPB Guidelines on access and stated that the right to access should be weighted against other fundamental rights in three steps: It should be determined if there are (1) any negative effects when the right of access is granted. Then, the interests of all parties should be assessed, looking at the circumstances and the risks involved. The controller should try to (2) reconcile the interests of all parties. When this is deemed impossible, the controller should decide (3) which interest should prevail. (54)
The DPA held that the controller failed to satisfy the second step, since the controller did not try to find a way to reconcile the interests of both parties. (56) The DPA also concluded that the controller did not satisfy the third step. The rights of the controller’s employees did not prevail against the rights of data subjects, since any personal data of the controller's employees in the recorded phone conversations would be limited. This could potentially only include voice and name. The phone conversations were also recorded when the employees were doing their jobs. The DPA therefore concluded that the risks for the controller's employees were minimal to non-existent. (57)
Third, the controller assessed another reason of the controller for not providing access, which was the fact that the data subject wanted to start a civil procedure according to the controller. The DPA stated that the data subject’s reasoning for requesting access should not be considered a condition for providing access. The DPA therefore also rejected this argument. (58 – 59)
Fourth, the DPA assessed the controller’s argument about not wanting to disclose any know-how or trade secrets. The DPA referred to recital 63 GDPR and stated that the GDPR did not include a definition of a 'trade secret’, and therefore looked at the definition in Belgian Law (Artikel I.17/1 WER). (61) The DPA concluded that the phone recordings did not qualify to be considered ‘trade secrets’ according to the conditions of this Belgian Law. (62 – 63)
Considering the above four points, the DPA held that the controller violated Article 12(2) and 15 GDPR because the controller did respond adequately to the access request, the first violation.
Fifth, the DPA held that the controller violated Articles 5(1)(a), 12(1), 12(2), 13(1)(c) and 13(2)(a) GDPR by not providing adequate information to the data subject about the phone recordings, the second violation. (80) The DPA stated that both the contracts included a provision in which it was stated that phone conversations could be recorded for the performance of the contract. The possibility of phone recordings was also mentioned in the privacy policy of the controller. (78) However, the DPA determined that the controller did not provide all the necessary information. (78) Among other things, the controller did not provide adequate information, in both the contract and the privacy policy, about the legal bases, the purposes of the processing, as required by Article 13(1) and 13(2) GDPR (79), and the storage limitations, as required by Article 13(2)(a) GDPR. (80)
Sixth, the DPA held that the controller violated Articles 5(2), 24(1) and 25 GDPR because the controller had not been able to provide evidence that it had deployed sufficient technical and organisational measure to comply with articles 12(2), 15, 12(1), 13(1)(c) and 13(2)(a) GDPR. This was the third violation.
After considering multiple aggravating and mitigating factors, the DPA imposed the following sanctions for each of the violations: For the first violation (in combination with the third violation), the DPA fined the controller €40,000. For the second violation (in combination with the third violation), the DPA warned the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/33
Litigation room
Decision on the substance57/2023 of 17 May 2023
File number : DOS-2022-01721
Subject: Complaint regarding refusal of access to sound recordings
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Messrs. Jelle Stassijns and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The complainant: Mr. X, represented by Mr. Arne Saerens and Mr. Peter Van
Aerschot, both with offices at 8200 Bruges, Lieven Bauwensstraat
20, hereinafter “the complainant”;
The Defendant: Y, represented by MrBenjaminDocquir and Mr. MargoCornette, both
having its office at Marsveldplein 5, 1050 Brussels, hereinafter referred to as “the defendant”. Decision on the substance 57/2023 – 2/33
I. Factual Procedure
1. On 7 April 2022, the complainant submits a complaint to the Data Protection Authority against
defendant.
The complainant has concluded two agreements with the defendant whereby the defendant
would be responsible for developing a website (“…”) and company videos (“…”) for the
complainant, collectively referred to as "the Agreements". Under these agreements
telephone conversations took place regarding the functional development and design of
this website and videos. Such telephone conversations were recorded by the
defendant with a view to the proper implementation of the complainant's wishes in the framework
of the agreement. However, the complainant claims that he was not aware of this
recordings. Since 2021, there has been a dispute between the complainant and the defendant regarding the
performance of the agreement. In this context, the complainant has the right to inspect
with regard to telephone recordings. The defendant refused to provide a copy
of the telephone recordings, but states that the complainant can access the recordings
listen in her offices. The complainant believes that the telephone calls were unlawful
recorded and that his right of access was ignored. So he has a complaint
submitted to the GBA.
2. On April 28, 2022, the complaint will be declared admissible by the First Line Service on the grounds
of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG
submitted to the Disputes Chamber.
3. On April 28, 2022, in accordance with Article 96, § 1 WOG, the request of the
Disputes Chamber to carry out an investigation submitted to the Inspection Service,
together with the complaint and the inventory of the documents.
4. The investigation by the Inspectorate will be completed on 29 June 2022, the report reads
appended to the file and the file is transferred by the Inspector General to
the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject of the complaint and decision
that there would be a violation of:
1. Article 5 (1) (a) and (2) and Article 6 (1) GDPR;
2. Article 5, Article 24 (1) and 25 (1) and (2) GDPR;
3. Article 12 paragraph 1, paragraph 2, paragraph 3 and paragraph 4 and Article 15 GDPR; and
4. Article 12(1) and (2), Article 13(1) and (2), Article 5(2); Article 24(1) and Article
25(1) and (2). Decision on the substance 57/2023 – 3/33
5. On 4 July 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG
that the file is ready for consideration on the merits.
6. On 4 July 2022, the parties concerned will be notified by registered mail
of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG.
they are informed of the time limits for their
to file defenses.
As regards the findings relating to the subject matter of the complaint, the
deadline for receipt of the statement of defense from the defendant
recorded on 29 August 2022, those for the complainant's reply on 19
September 2022 and finally those for the defendant's reply on 10
October 2022.
7. On 8 July 2022, the complainant requests a copy of the file (Article 95, § 2, 3° WOG), which
was transferred to him on July 14, 2022, and he indicates that he wishes to make use of
the possibility to be heard, in accordance with Article 98 WOG.
8. On 11 July 2022, the complainant will electronically accept all communication regarding the case.
9. On August 29, 2022, the Disputes Chamber will receive the conclusion of the answer from the
defendant with regard to the findings relating to the subject matter of the
complaint. The defendant argues that the processing on its part is correct and permitted
data processing, with the principle of lawfulness and transparency
are respected. The defendant also argues that it may be incomplete
answering a question from the Inspectorate does not constitute a violation of the
accountability. The defendant then argues that it is entitled to
inspectionhasnotcomplicated. Finally, the defendant points out that they are transparent
has provided information to the complainant and has the necessary technical and
organizational measures to ensure the exercise of data subjects' rights
facilitate.
10. On 19 September 2022, the Litigation Chamber will receive the conclusion of the complainant's reply
with regard to the findings regarding the object of the complaint. The complainant
agrees with the findings of the Inspectorate regarding the unlawfulness of the
processing, the accountability for compliance with the obligations in the GDPR
and the transparency and information obligations on the part of the defendant. For what
concerns the finding regarding the obstruction of the right of inspection, the defendant states
that he wishes to exercise his right of access, as granted by the GDPR, and
that the restrictions invoked by the defendant are disproportionate to
his right of access. Decision on the substance 57/2023 – 4/33
11. On 10 October 2022, the Disputes Chamber will receive the statement of rejoinder from the
defendant with regard to the findings relating to the subject matter of the
complaint in which the argumentation is resumed as set out in the conclusion of
answer.
12. On November 28, 2022, the parties will be notified that the hearing will
take place on January 30, 2023.
13. On January 30, 2023, the parties will be heard by the Disputes Chamber.
14. On February 3, 2023, the minutes of the hearing will be sent to the parties appearing
submitted.
15. The Disputes Chamber does not receive any comments because of the parties that have appeared
regarding the record.
16. On 5 April 2023, the Disputes Chamber informed the defendant of its intention
made to proceed to the imposition of an administrative fine, as well as the
amount thereof in order to give the defendant the opportunity to defend himself,
before the sanction is effectively imposed.
17. On May 25, 2023, the Disputes Chamber will receive the response of the defendant to the
intention to impose an administrative fine, as well as the amount
of them.
II. Motivation
II.1. Article 5 (1) (a) (2) and Article 6 (1) GDPR with regard to legality
II.1.1. Findings in the Inspection Report
18. During the investigation, the defendant explained that the processing of
personal data through the recordings of the telephone conversations is based
to Article 6(1)(b) GDPR, i.e. “the processing is necessary for the performance of a
agreement to which the data subject is a party, or at the request of the data subject before the
conclusion of an agreement to take measures'. Based on his research
the Inspectorate concludes that the defendant has fulfilled the obligations imposed by Article
5 (1) (a), (2) and Article 6 GDPR has not been complied with. From the Respondent's Replies
After all, the Inspectorate cannot determine the research questions during the inspection
to what extent telephone conversations are effectively recorded, what the exact
purposes and the duration of storage of the recordings. In addition, the
according to the Inspectorate, the defendant failed to demonstrate the necessity. Hereby refers
the Inspectorate according to Article 10/1, §1 of the Law of 30 July 2018 on the
protection of natural persons with regard to the processing of Substance Decision 57/2023 – 5/33
personal data, which allows recording of telephone conversations provided that the bee
the communication involved parties are informed of before registration
the registration, its precise purposes and the duration of storage of the registration. The
The Inspectorate thus concludes that the defendant has complied with the obligations
by Article 5 (1) a) and (2) GDPR and Article 6 GDPR with regard to the
principle of legality.
II.1.2. Position of the complainant
19. In its conclusions, the complainant fully agrees with the findings of the Inspectorate.
II.1.3. Defendant's position
20. The defendant disputes this finding and argues in its conclusion that the recordings are
are really necessary for the correct execution of the agreement.
21. As to the necessity for proper performance, the defendant notes
that the Inspectorate has not asked to demonstrate the necessary nature,
since only the defendant was asked on what legal basis the processing operations,
being the recordings of the telephone conversations have taken place. In her conclusions
the defendant further explains the necessity. The necessity is twofold:
on the one hand the implementation of the specific agreement between the defendant and the complainant and
on the other hand, the guarantee of the quality of this agreement, which is a necessary
corollarium is of the execution of the agreement. These phone calls are for
to discuss the wishes and needs of the customer. The defendant illustrates this as follows:
when the parties have signed a contract, for example for making a
website, they discuss the concrete implementation modalities by telephone. The purpose of
this conversation is essential because it is at this time that the client explains his activities
are, what he expects from the website, etc. Based on this telephone conversation, a first
website layout design. This method was chosen on the basis of
the clientele of the defendant (mainly self-employed persons) who prefer a fast and
telephone conversation instead of an exchange of e-mails. This method does not prevent
that the customer receives written confirmation of the basic data that were
provided for the development of the website. Through constant communication between
her and her clients, the defendant can deliver tailor-made projects for the client
the recordings give the project managers the opportunity to check whether the needs have been met
of the customer, as expressed during the conversations. Thus, according to the defendant, no
there is a violation of Article 5 (1) a) (lawfulness) j° Article 6 (1) GDPR. Decision on the substance 57/2023 – 6/33
II.1.4. Review by the Litigation Chamber
22. Starting point of article 5, paragraph 1, a) GDPR, is that personal data is only lawfully
may be processed. This means, among other things, that there is a legal basis for the processing
of personal data as referred to in Article 6(1) of the GDPR must be present. In
further elaboration of this basic principle, article 6, paragraph 1 GDPR states that personal data only
may be processed on the basis of one of the legal grounds listed in the article.
23. The Disputes Chamber notes that the recording of telephone conversations in the context of
business transactions are governed by both the GDPR and Article 10/1, §1 of the Law
of 30 July 2018 on the protection of natural persons with regard to the
processing of personal data (hereinafter: WVP).
24. The assessment of this file will therefore initially take place on the basis of the
provisions of the GDPR. The question arises to what extent the processing of
personal data took place lawfully, in accordance with, inter alia, Articles 5 and 6
of the GDPR. The Disputes Chamber emphasizes that the application of the GDPR as a regulation
of the European Union takes precedence over the aforementioned national legislation because of the direct
operation and primacy within the European legal order. 1
25. As already mentioned, the defendant argues that the recording of the telephone conversations
is based on the legal basis as understood in Article 6(1)(b) GDPR, i.e. “the
processing is necessary for the performance of a contract involving the data subject
party, or at the request of the data subject before entering into a contract
to take measures”. It is therefore up to the defendant to prove that she
legitimately invokes this ground for processing.
26. When personal data are necessary to perform a contract with the data subject
that agreement forms the basis for the processing of those
personal data, as stated in Article 6(1)(b) GDPR. The Disputes Chamber finds that the
parties have entered into two agreements, the (“…”) dd. August 18, 2021 for what
concerns the development of the website and the (“…”) for the purpose of producing a
corporate video, also concluded on August 18, 2021. Both agreements were signed
the Disputes Chamber.
27. Furthermore, a controller can only rely on this legal basis
if the processing of personal data is strictly necessary for the conclusion or
1ie inter alia CJEU of 5 February 1963, NV Algemene Transport- en Expeditie Onderneming van Gend & Loos t. Dutch
Administration of Taxes, C-26-62, ECLI:EU:C:1963:1; CJEU of 15 July 1964, Flaminio Costa v. E.N.E.L., C-6-64,
ECLI:EU:C:1964:66; on the legal protection of citizens on the basis of Union law and the principles of 'direct
effect” and “primacy”, see C. BARNARD, The Substantive Law of the EU: The Four Freedoms, Oxford (5th ed.), 2016, 17. Decision on the substance 57/2023 – 7/33
performance of the agreement. There must therefore be a direct and objective connection
between the processing of personal data and the purpose of the contract.
28. The Disputes Chamber establishes that, according to the defendant, the necessity relates
has on the one hand the performance of the specific agreement between the defendant and
complainant and, on the other hand, the guarantee of the quality of this agreement. Based on
two agreements between the defendant and the complainant
Litigation Chamber finds that these agreements contain several more general provisions
contain such as a description and cost of the services chosen by the complainant as
subscriber, the type of video to be produced, etc. Provisions regarding the
specific modalities were not stipulated in these agreements. The included
telephone conversations took place in the context of discussions of the specific
modalities.It goes without saying that not all customers have the same wishes and requirements
for their website or video. Also using a phone call allows you to easily
to discuss, clarify any ambiguities or ask questions, for both
parties. Any requirements for the customer can also change, which means that the
the defendant can respond more quickly by conducting these conversations by telephone
instead of by email. The recordings of these conversations are for replay
listened to if necessary (for example, when in doubt about certain aspects of the website, or to
verifying that all customer requests have been met). Considering its efficiency for
both the controller and the customer, the Litigation Chamber is of the opinion that
the necessity requirement is met.
29. As a result of the above, the Litigation Chamber believes that there is no infringement of
Article 5 (1) a) with regard to lawfulness and Article 6 (1) GDPR was committed
by the defendant.
II.2. Article 12, paragraph 2, paragraph 3 and paragraph 4 and Article 15 GDPR
II.2.1. Findings in the Inspection Report
30. On the basis of its investigation, the Inspectorate determines the right of the defendant
ofinspectionoftheplaintiffunjustlycomplicated.After all,thedefendantrefuses a copy
of the telephone recordings, but only offers the possibility to transfer the recordings
to come and listen at its head office. The defendant states, according to the
Inspectorate no elements that justify that it would actually be impossible to
to provide the complainant with a copy of the aforementioned recordings in which, where appropriate
personal data of third parties have been made unrecognizable. Decision on the substance 57/2023 – 8/33
II.2.2. Position of the complainant
31. The complainant recalls that – in accordance with Article 15 GDPR – the
controller must provide access via a copy of the
personal data. If a copy is the most appropriate way of providing access,
can, may and must be provided with a copy. The initial refusal of the
the defendant is a blatant violation of his rights, according to the complainant. The proposal to
to come and listen to the recordings at the head office does not meet the requirements of the
right of access as provided for in the AVG and makes it more difficult to exercise the right to
access significantly.
32. The complainant does not dispute that the right of access is not absolute and can be limited if
it would prejudice the rights and freedoms of others. However, this should not matter
lead to deprivation of all information. However, the complainant argues that the
restrictions do not apply to this case.
33. With regard to the exception in Article 15(4) GDPR regarding respect for the
rights of freedoms of third parties, the complainant states that the processed personal data of
the employees in the telephone conversation are very limited. It is, after all, a normal
professional telephone conversation using standard salutations.
Consequently, according to the complainant, the refusal to provide a copy is for these reasons
disproportionate. The complainant adds in subordinate order that he can too
agree to receive a version where the direct identification data of the
employees are omitted, or possibly even a written version of the
conversations where the direct identification data of the employees are omitted,
provided that the text of the recordings has been checked by an objective party or by the
playing the conversations after receiving the written text.
34. As to the defendant's argument regarding the use of the recordings as
piece of evidence in the context of legal proceedings, reminds the complainant that there is
no such legal proceedings have yet taken place. In addition, the
Respondent for forwarding the correct call/text. If the defendant
forwards the authentic conversations and declares this to be the case, there is none for the complainant
problem about this.
35. Finally, the complainant refers to the defendant's argument that the provision of
a copy of the recordings may constitute a breach of business secrecy. The complainer
argues that this cannot be the case. After all, these are standard conversations between a
customer and a company. Questions were asked during these conversations
website builder proposes to build a website or to make a business on a website
can imagine. According to the complainant, this cannot constitute a business secret. In addition, eight Decision on the substance 57/2023 – 9/33
the complainant is bound by the provisions of the GDPR when obtaining or processing it
of the copies and that this is of course only intended for personal consultation.
36. With regard to the alleged abuse of law, the applicant argues in its conclusions that it
the defendant herself has always contacted the complainant by telephone.
If all contacts were made by e-mail, the complainant would have all information
possess. Since the defendant therefore chose to make contact by telephone
it is normal that she should also be responsible for safeguarding the right
upon inspection by the complainant as he cannot exercise this himself. The complainant argues that it is not
the rights of defense of the defendant are being violated, but the
rightsofdefenseofthedefendant.After all,the complainant exercises a personal rightthat
is granted to him pursuant to a European regulation. This right to inspect the
the complainant is misunderstood by the defendant merely to keep the evidence to herself
and therefore complicates any future procedure.
II.2.3. Defendant's position
37. In principle, the defendant argues in its conclusions that it does not have the right of access
unnecessarily complicated. As already stated, she has refused to provide a copy of
the recordings, but instead she invites the complainant to the recordings in her office
come and listen. After all, it argues that granting inspection does not mean a copy
must be provided. Referring to article 15, paragraph 4 GDPR, the defendant argues that it
right to obtain a copy is not absolute and obtaining a copy is not
may interfere with the rights and freedoms of others. The defendant argues that
reluctance to send a copy of a recording is fourfold.
38. Firstly, these recordings also contain personal data about/of employees of the
defendant. According to the defendant, it is not desirable that such recordings be included in the
get hold of a (dissatisfied) customer, as dissatisfied customers become employees
directly and in an unauthorized manner. Besides, it would
providing these recordings constitute a breach of protection
personal data of the employees who are part of the recordings. Hereby has
the defendant made the trade-off between, in its view, improper use of the
right of access on the one hand and the right to protection of personal data of the
involved employees on the other hand.
39. Second, the defendant argues that the complainant wishes to use these recordings as
evidence in a civil dispute or proceeding. If it comes to a court
procedure, it is necessary to preserve the authenticity of the recordings.
This is made more difficult when the personal data of the employees concerned is removed from the
conversation will be deleted. Decision on the substance 57/2023 – 10/33
40. Thirdly, the defendant argues that a large part of the production process is done by telephone
expires. Based on the telephone recordings, the working methods and know-how, and
according to the business secrets, can be derived from the defendant.
41. Fourth, the defendant argues that the exercise of the right of access is unfounded
since it constitutes a manifest form of abuse of law. The complainant and the defendant are
after all, involved in a contractual dispute regarding the performance of the agreement.
As part of this, the complainant wishes to use the recordings as evidence in the context of
a possible legal action. The rules and restrictions on the submission
however, evidence in civil litigation is expressly regulated to rights
of defense and the right to contradict. Due to the obligation to
to transfer recordings, the right to a fair trial as guaranteed in Article 6
of the European Convention on Human Rights are ignored as the
as a party to civil proceedings, the defendant can itself take the initiative and determine how
the process proceeds. Deny the defendant the right to choose which evidence it wants
presenting and when, is a flagrant violation of her right to due process.
II.2.4. Review by the Litigation Chamber
General principles
42. To begin with, the Disputes Chamber points out that the right of access is one of the
mainrequirementsoftherighttodataprotection.Itisthe"gateway"
which enables the exercise of other rights conferred by the GDPR on the data subject
grants, such as the right to rectification, the right to erasure and the right to
restriction of processing. 2
43. The complainant has repeatedly exercised his right of access pursuant to Article 15 GDPR with regard to
of the defendant by requesting that he be provided with a copy of the recordings of
the telephone conversations in which the complainant participated. Through his lawyer, Mr
the complainant sent a final request by e-mail and registered letter on 21 March 2022
to the complainant:
My client urges you to provide an electronic copy of all
telephone conversation recordings that you have that involve my client if
participant in the call.
My client also requests about the processing of the telephone conversation recordings
provide him with the following additional information:
2See most recently CJEU, 12 January 2023, ÖsterreichischePostAG, C-154/21, ECLI:EU:C:2023:3, para 38, but also CJEU,
17 July 2014, YS et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16,
EU:C:2017:994, para 57, see also decision 15/2021 dd. February 9, 2021, para 141, and decision 41/2020 dd. July 29, 2020, para
47 Decision on the substance 57/2023 – 11/33
- the processing purposes
- the grounds for processing
- what other categories of personal data you have with regard to the conducted
keeps track of telephone conversations in addition to the actual recordings,
- the recipients or categories of recipients to whom the data is or will be
provided;
- if possible, the period during which the personal data is expected to be collected
are stored, or if that is not possible, the criteria for determining that period;
- when the personal data is transferred to a third country or a
international organization, information on the appropriate safeguards in this regard
transfer.
44. According to Article 15(1) of the GDPR, the data subject has the right to obtain from the
to obtain a definite answer from the controller as to whether or not he is being processed
regarding personal data. If the latter is the case, the person concerned has it
right to obtain access to those personal data and to information referred to in Article 15,
paragraph 1 a) - h) is stated, such as the purpose of the processing of the data and the
any recipients of the data, as well as information about its existence
rights, including the right to request rectification or erasure of its data, or to
submit a complaint to the GBA. The purpose of the right of inspection is the state concerned
to understand how his personal data is processed and what the consequences are
can be checked as well as the correctness of the processed data without being
to justify intention. 3
45. Article 12 of the GDPR concerns the way in which data subjects can exercise their rights
exercise and stipulates that the controller is exercising those rights
must be facilitated by the data subject (Article 12 (2) of the GDPR), and without delay and in
must provide information about the
measures taken in response to his request (Article 12(3) of the GDPR).
Where the controller does not intend to comply with the request,
he must communicate his refusal within one month, and inform the person concerned about the
possibility to submit a complaint against this refusal to the supervisory authority
data protection authority or appeal to the courts (Article 12(4).
of the GDPR).
3 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13. Decision on the substance 57/2023 – 12/33
46. The Disputes Chamber notes that the last request for inspection was sent by e-mail and
by registered mail on March 21, 2022. In this context, the Disputes Chamber points out that
the European Data Protection Board (hereinafter: EDPB) at that time already published the 'Guidelines
4
01/2022 regarding the rights of data subjects – right of access”.
published which provides guidance for controllers to deal with the
exercising the right to access.
Modality – provision of a copy
47. With regard to the modalities on which a controller should act
the Disputes Chamber points out
that Article 15 (3) GDPR stipulates that the controller must provide the data subject with a
copy of the personal data being processed. The obligation to a
to provide a copy should not be construed as an additional right of the data subject,
but as a means of granting access to the data. Consequently, access serves
to the data pursuant to Article 15 (1) GDPR, the complete information on all
data and this access cannot therefore be construed as granting
access to only a summary of the data. The obligation to make a copy
provision serves the purposes of the right of access, namely to the data subject
to become aware of the lawfulness of the processing and to verify it
check (recital 63). To achieve these goals it is in most
cases, it is not sufficient that the data subject may view the information only temporarily
the data subject must be able to access the information by obtaining a copy of the
receive personal data. 5
48. The question therefore arises in what form the copy should be provided. Article 15, paragraph 3 infine
AVG states that when the data subject submits his request electronically, and
does not request any other arrangement, the information in a commonly used electronic format
must be provided, whereby the prevalence must be determined from the
6
point of view of the data subject and not of the controller. In some
In some cases, the circumstances themselves determine the format in which the personal data must be used
be provided, such as with audio recordings since the voice of the person concerned itself is a
personal data. In some cases, a transcript of the conversations can also be provided
4 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf
5
EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf para 21 et seq.
6 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available for consultation
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 146 et seq. Decision on the substance 57/2023 – 13/33
suffice, for example when this was agreed between the complainant and the
7
controller.
49. The Disputes Chamber believes that it had to transfer a copy of the sound recordings
must be forwarded to the complainant. After all, these sound recordings contain the
personal data that are spoken, but also the voice of the complainant, which
also constitutes personal data and cannot be displayed in transcripts.
50. For the sake of completeness, the Disputes Chamber refers to the judgment rendered in the case
8
“Österreichische Datenschutzbehörde” in which the Court of Justice stated that “it
right to obtain from the controller a copy of the
personal data that are processed means that the data subject has a fair and
comprehensible reproduction of all such data must be given. This right includes it
right to obtain a copy of extracts from documents or even complete ones
documents or database extracts containing, among other things, those data, if the
provision of such a copy is indispensable to enable the data subject
effectively exercise the rights conferred on him by this Regulation, whereby must
It should be emphasized that this should also take into account the rights and
freedoms of others”.9
Exceptions
51. Despite this broad concept of a copy, and notwithstanding the fact that it is the
the main modality with which access must be granted, may be subject to certain conditions
circumstances other modalities are appropriate. Recital 63 of the GDPR states that it
right of access must not prejudice the rights or freedoms of others, including
including business secrets or intellectual property and in particular to it
copyright that protects the software. However, those considerations should not lead to it
that the data subject is withheld all information.
52. As already explained, the defendant puts forward several arguments in its claims
about this.
53. First, the defendant argues that the telephone recordings also contain personal data of
include its employees. The rights and freedoms of these employees continue to apply
to be insured by the defendant. The Litigation Chamber notes that Article 15, paragraph 4 of
the GDPR stipulates that the right to obtain a copy must not affect the
rights and freedoms of others. The general concern that rights and freedoms
of others can be affected by complying with the request for access, is not
7 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf para 153 et seq.
8
ECJ, , 4 May 2023, F.F. t. Österreichische Datenschutzbehörde, C-487/21, ECLI:EU:C:2023:369.
9 CJEU, , 4 May 2023, F.F. t. Österreichische Datenschutzbehörde, C-487/21, ECLI:EU:C:2023:369, para 45. Decision on the substance 57/2023 – 14/33
sufficient to invoke Article 15 (4) GDPR. The Disputes Chamber points it out
note, however, that the controller must be able to demonstrate that in the concrete
situation, the rights or freedoms of others would actually be affected.
54. As can be deduced from recital 4 of the GDPR and from the rationale behind Article 52 paragraph
1,of the European Charter of Fundamental Rights, in particular the right to protection
of personal data is not an absolute right. Recital 4 states more in particular: “[…]
The right to the protection of personal data is not absolute, but must be
be considered in relation to its function in society and must conform to it
principle of proportionality against other fundamental rights […]".
the exercise of the right of access must also be weighed against others
fundamental rights in accordance with the principle of proportionality. The EDPB has in the
Guidelines provide three steps to perform this trade-off. When this
consideration ex Article 15 (4) GDPR shows that granting the request is negative
affects the rights and freedoms of other participants (step 1), the
interests of all participants are weighed, taking into account the specifics
circumstances of the case and with the likelihood and severity of the risks involved
associated with the provision of the data. The controller
must try to reconcile the conflicting rights (step 2), for example
by taking appropriate measures to mitigate the risk to the rights and freedoms of
limiting others, such as, for example, the information concerning others as much as possible
illegible instead of refusing to provide a copy of the personal data
provide. However, if it is impossible to find a reconciliation solution, the
controller decide in a next step which of the conflicting
rights and freedoms and freedoms prevail (step 3).
55. Applied to the present case, the defendant has in accordance with the above
step one evaluated the complainant's application and determined that the withdrawals
contain personal data of employees.
56. In the context of step 2, to verify whether transferring the copy has an impact on
the rights and freedoms of others, the defendant must as
controller to try to resolve the conflicting interests
reconcile by taking appropriate measures to mitigate the risk to rights and freedoms
of the data subject as much as possible. It is in this context that the defendant
has offered to come and listen to the recordings at its head office. The complainer
has refused this possibility, but could nevertheless agree to a transcript
received with omission of the direct identification data of the employees of
defendant, subject to the necessary guarantees regarding the correctness thereof
found a way between the parties to reconcile the conflicting rights. Decision on the substance 57/2023 – 15/33
57. In the third step, the defendant thus had to verify which of the conflicting
rights prevail. This should take into account the probability and
seriousness of possible risks with regard to the rights and freedoms of the
employees in the telephone recordings. The defendant contends that the right belongs to her
employees prevail and in this way wishes to shield them from (dissatisfied)
customers. The Disputes Chamber does not follow this view. The Disputes Chamber notes that there
personal data of the employees may be present in the telephone recordings,
but that it is about a limited amount, such as the voice and the name. In addition
the conversation is of a professional nature. The Litigation Chamber therefore also concludes that it is very minor
have no adverse consequences for the rights and freedoms of employees. The
The Litigation Chamber therefore rules that the defendant does not rely on these rights and
liberties can appeal for the refusal to transfer a copy to the
defendant.
58. As a second argument in the context of the refusal to provide a copy to the
The complainant points out to the defendant that the Inspectorate has misunderstood during the investigation
that the complainant wishes to use these recordings as evidence in a civil lawsuit
dispute or proceeding, the authenticity and integrity of which must be preserved. The
The complainant argues in this regard that no legal proceedings have yet been initiated.
59. The Disputes Chamber points out that, given the broad application and interpretation of the
right of access, the purpose for which the right of access is exercised must not be
considered a condition for the exercise of this right. So it won't come
to data controllers to verify why the data subject has access to it
personal data, but only on what the request for access entails and whether or not
not processed personal data of the data subject. In the aforementioned Guidelines, the
EDPB also gives as an example that a controller is not allowed to access
refuse on the basis of suspicions that the personal data concerned would be used
may be required by the person concerned to defend himself in court in the case
10
of a commercial dispute with the controller. The Dispute Room
therefore concludes that the defendant cannot rely on this for the refusal
of the right of access.
60. Third, the defendant argues that a large part of the production process is by telephone
and aims to discuss the needs, wishes, working method, etc. with the customer.
After all, the products offered by the defendant are tailor-made products
for the customer. Based on the conversation content, such as the questions that would be asked
10EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-aparas_13.dAG Emiliou
confirms this statement in its Opinions in Case C-307/22, 20 April 2023, FT v. DW, para 28, https://eur-
lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62022CC0307. Decision on the substance 57/2023 – 16/33
to the customer, it would therefore be possible to share the working methods, know-how and so on
derive business secrets from the defendant.
61. As already mentioned, recital 63 states that the right of access must not be prejudiced
to the rights or freedoms of others, including trade secrets. The GDPR
does not, however, clarify what should be covered by business secrecy within the meaning of Recital 63 GDPR
to be understood. In Belgian national law, Article I.17/1 ELC defines it
trade secret as follows:
“Information that meets the following cumulative conditions:
a) it is secret in the sense that it, in its entirety or in its correct composition and
arrangement of its constituents is not generally known or easily accessible
is for persons within the circles usually dealing with the
relevant type of information;
b) it has commercial value because it is secret;
c) it has been subject to reasonable consideration by the person lawfully in control of it
measures, given the circumstances, to keep it secret.”
62. The Disputes Chamber understands from the conclusions of the defendant that in the recordings
discussing how the website would be built. Questions would have been asked
from which the know-how and production processes of the defendant could
be diverted.Transmitting a copy of these conversations would constitute a violation
form part of the defendant's trade secret, the defendant claims. The
However, the Litigation Chamber notes that this information does not comply with the above
stated definition of a trade secret. According to the first condition of the aforementioned
definition is a trade secret in the sense that it, in its entirety, or in its proper form
composition and arrangement of its constituents, is not generally known, or easy
is accessible to persons within the circles usually dealing with the
relevant type of information. The Litigation Chamber notes that this information is not
limited access. After all, this information is communicated in
standard conversations with all customers, where it is also possible for competitors to
pretending to be a customer in order to obtain the necessary information. Moreover, this one
information is also not protected by means of a non-disclosure agreement. This would
thus mean that the customers would have access to the alleged business secrets of the defendant
can and may pass on to third parties. After all, the information is already given during
the conversations themselves without any agreement to keep them secret at the time
to hold. Moreover, the information still needs to be in the correct composition or arrangement
components are placed so that they could be relevant to the know-how
track down. Decision on the substance 57/2023 – 17/33
63. In view of the above, the Litigation Chamber rules that the above-mentioned exceptions
to the right to transmit a copy do not apply in this case.
Abuse of law
64. In subordinate order, the defendant argues that the exercise of the right of access
is unfounded as it constitutes a manifest abuse of law. The Defendant
argues in this connection that the complainant misused the relevant
wishes to obtain recordings in the context of the commercial dispute. In its conclusions
the complainant argues that it is the defendant herself who is in constant contact by telephone
recorded with the complainant. According to the complainant, the defendant must therefore be responsible for the
safeguard the complainant's right of inspection, as he cannot exercise this himself.
65. The Litigation Chamber recalls that EU law is not intended to be abused or
11
fraud may be invoked. Advocate General Kokott argues in connection with the
abuse of the right of access that determines whether there has been abuse as well
requires an objective as well as a subjective element. What, first, the objective element
must be apparent from a set of objective circumstances that, notwithstanding the
formal compliance with the conditions imposed by a Union regulation, the
scheme intended purpose was not achieved.Secondly, such determination is also required
a subjective element, in the sense that it must appear from a set of objective factors that
the essential purpose of the acts in question is an unjustified
gain benefit. After all, the prohibition of abuse does not apply when the
the acts in question may have an explanation other than the mere acquisition of
an (unjustified) advantage. 12
66. With regard to the objective element, the Disputes Chamber notes that the wishes and
needs of the complainant, which he expresses as a customer of the defendant, as personal data
be qualified as such information because of its content, purpose or effect
is related to a specific person (namely the complainant himself). Express these conversations
after all, the vision and train of thought of the complainant with regard to the desired products.
The collection of this information by the defendant is for the purpose of developing a product
tailor-made for the complainant. After all, it is the intention of the complainant to
the bespoke website and video to differentiate itself (and its sole proprietorship).
of its competitors.
11 CJEU, 9 March 1999, Centros, C‑212/97, EU:C:1999:126, para 24, CJEU, 2 June 2016, Bogendorff von Wolffersdorff,
C‑438/14, EU:C:2016:401, paragraph 57.
12AG Opinion at CJEU, 20 July 2017, Nowak, C-434/16, ECLI:EU:C:2017:582, para 42 et seq.
13The Court of Justice has held that "insofar as the official title of the legal person is one or more natural
13 13
identifies persons", the legal person under articles 7 and 8 of the Charter 13 and the fundamental rights of the
European Union is entitled to the protection of data related to it. Since the AVG
is an elaboration of the overarching safeguards laid down in these Charter provisions, such
protection for legal persons also derive from the GDPR, although this protection does not extend to the legal person as such Decision on the substance 57/2023 – 18/33
67. This qualification as personal data results in the basic principles of the GDPR
apply as well as that the data subject can exercise his rights under the GDPR
exercise, such as the evaluation of its correctness or the right to oppose
the processing of his personal data outside the context of the closed
agreements to. It must thus be established that the granting of a right to
access to those wants and needs in the recordings serves the purpose of the GDPR, that in it
exists to guarantee the protection of the right to privacy of the
complainant in connection with the processing of his personal data.
68. With regard to the subjective element, the Litigation Chamber finds that the essential
the purpose of the acts in question is not to take an unfair advantage
to acquire. The Disputes Chamber states that the exercise of the right of access is the only
way is for the complainant to check to gain access to which personal data the
the defendant processes and how this processing takes place, if necessary. Since
the contacts are made by telephone, the complainant himself has no written record of the
processing of its data. A request cannot be refused if the
the person concerned would have the intention to use the personal data to file a complaint
serve against the defendant. Consequently, there can be no question of an abuse of law.
69. The Inspection Report finds that there would also be an infringement of Article 12, paragraph 3 and paragraph
4 GDPR. However, the Litigation Chamber finds that the defendant has an answer
has formulated to the request of the complainant within the set period of one month,
as a result of which there is no infringement of Article 12 (3) GDPR. The defendant has
the request for inspection was also not simply refused, but stated -insufficient
equivalent - alternatives to, so that there is no infringement of Article
12 (4) GDPR.
70. In view of the above, the Disputes Chamber rules that the defendant is not correct
and has lawfully acted upon the exercise of the right of access to the
complainant, which constitutes an infringement of Article 12(2) and Article 15 of the GDPR.
II.3. Article 5(1)(a) (transparency), Article 12(1) and Article 13(1) and (2) GDPR
71. Based on Article 12(1) and Article 13(1) and (2) of the GDPR, it is necessary that the
defendant as controller to the data subjects concise, transparent
and provides understandable information about the personal data being processed. The
the aforementioned transparency obligations constitute a concretization of the general ones
transparency obligation of Article 5, paragraph 1, a) of the GDPR. As already explained
concerns, but the natural person(s) who form these, and probably mainly occur in cases where the
legal entity is in fact a sole proprietorship or a small family business with a transparent "corporate veil".
14EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13. Decision on the substance 57/2023 – 19/33
the defendant take the appropriate technical and organizational measures to
guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR. The
the defendant must thereby effectively implement the data protection principles, the
protect the rights of the data subjects and only process personal data that
are necessary for each specific purpose of the processing.
II.3.1. Findings in the Inspection Report
72. The Inspectorate first of all finds that the defendant does not demonstrate that she is the complainant
has effectively informed transparently and in a timely manner about the information that needs to be disclosed
delivered in accordance with Articles 12 and 13 of the GDPR.
II.3.2. Position of the complainant
73. The complainant fully agrees with the findings of the Inspectorate. Adds to this
he admitted that he had indeed not been adequately informed that the
conversations were recorded. The complainant disputes that he contacted each by telephone
was informed that the interviews were being recorded. It's first on it
subsequent e-mail communication that he was informed of the recordings. Consequently has
the defendant has not complied with its information obligation.
II.3.3. Defendant's position
74. The defendant argues in its conclusions that it has failed to fulfill its obligations of transparency
has not violated Articles 12 and 13 GDPR. The defendant argues that it
complainant at different times and through different channels
informed about the disputed processing, namely at the conclusion of the agreements,
via the privacy statement on the website and via the automatic messages upon receipt of
the calls. As for the lack of clarity regarding the recordings made by the
Inspection Service was established, the defendant raises that the telephone calls
were only recorded for incoming and outgoing calls from the general number.
If an employee contacted the complainant directly or directly through the
the complainant was contacted, the conversations were not recorded. In addition, the
complainant was informed of his rights under the GDPR according to the defendant's implementation
in order to facilitate its exercise. The defendant therefore concludes that it is
has duly complied with its obligations under Articles 12 and 13 of the GDPR.
II.3.4. Review by the Litigation Chamber
75. The Litigation Chamber must judge whether the complainant has been adequately informed about the
disputed processing to meet the requirements of Article 12 (1) and Article 13 (1) and (2) GDPR
to fulfil. Decision on the substance 57/2023 – 20/33
76. Article 12(1) GDPR requires the controller to “use appropriate
measures” to ensure that the data subject receives the information referred to in Articles 13 and 14
[...] related to processing in a concise, transparent, understandable and easy way
accessible forms in a clear, simple language, especially when the
information is specifically intended for a child”.
77. The Disputes Chamber notes that Article 14 of both concluded agreements stipulates
that the telephone conversations can be recorded for the purpose of carrying out the
agreement.This is also mentioned in the privacy statement
Litigation Chamber to the Group's Transparency Guidelines
Data Protection Article 29 which provides as follows: "Any company with
a website would have a statement or notice on that site about the protection of the
privacy should be published. A direct link to this statement or
notice on the protection of privacy would be clearly visible
must be on every page of the website, under a commonly used term (eg.
"Confidentiality", "Confidentiality Policy" or "Protection Notice".
privacy".15 The Article 29 Data Protection Working Party states that "all
information sent to a data subject should also be accessible at
a single place or in the same document (on paper or in electronic format) that is easy
can be consulted by this person if he has any information given to him
16
wish to consult."
78. The Litigation Chamber points out that the complainant was informed about the disputed
processing via the agreements – signed by him – and via the privacy statement.
However, the Disputes Chamber hereby notes that not all essential information has been communicated
became.
79. First of all, the Disputes Chamber notes in this context that the privacy statement is not op
mentions in sufficient detail the precise legal basis(s), the
purposes of the processing and the personal data used, as required
by Article 13 (1) and (2) GDPR. The Disputes Chamber has established that the privacy statement is
mentions these elements, but that the manner in which it is not comprehensible and transparent to
the data subjects, since it is not clear to the data subject which data is for which
purposeareprocessedandbased on whatlegal basisthis is done.Ideallyprovides
the controller a list of the different purposes for which
he processes personal data, each time indicating which (categories of)
15Working Group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
Version approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 11.
16Working Group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
Version adopted on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 17. Decision on the substance 57/2023 – 21/33
personal data are processed for this purpose, from which source they were obtained
how long they are kept with what (categories of) recipients they (may) become
shared.17
80. Second, the Disputes Chamber notes that the privacy statement does not state clearly
makes of the retention periods of the personal data concerned or the criteria for
provision thereof, as required by Article 13 (2) a) GDPR. The privacy statement states
the following in this regard: “[Defendant] shall use all necessary means to ensure
ensure that the data of a personal nature is kept for the above
purposes described and that it does not exceed the legal deadlines.” As also from the
Guidance from the Data Protection Group shows that such
wording not. The Data Protection Working Party points out in this regard that the
(mention of the) retention period is related to the principle of minimum
data processing contained in article 5, paragraph 1, c) GDPR, as well as the requirement of storage limitation
of Article 5 (1) e) GDPR. It specifies that “the storage period (or the criteria for
determine) may be dictated by factors such as legal requirements or sectoral requirements
guidelines, but should always be formulated in such a way that the data subject, on the basis
of his or her own situation, can assess the retention period for specific
data/purposes”. 18 In view of all the foregoing, the Disputes Chamber proposes a
violation of Article 5(1)(a), Article 12(1) and (2), Article 13(1)(c) and (2)(a)
of the GDPR.
II.4. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR
II.4.1. Findings in the Inspection Report
81. The controller must comply with the principles of Article 5 GDPR and that
can demonstrate. This follows from the accountability as understood in Article 5, paragraph 2 j°
Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every
controller takes appropriate technical and organizational measures
to ensure and be able to demonstrate that the processing takes place
in accordance with the GDPR.
82. In its Inspection Report, the Inspectorate finds that Articles 5, 24, paragraph 1 and 25, paragraph 1 and
2 GDPR were violated.
17
This allows the data subjects to ask specifically with which individual via a request for the right of access
recipients the personal data are communicated, see e.g. CJEU, 12 January 2023, Österreichische Post AG, C-154/21,
ECLI:EU:C:2023:3.
18Guidelines on transparency in accordance with Regulation (EU) 2016/679, WP260rev1 adopted on 29 November
2017, p 25. Substantive decision 57/2023 – 22/33
83. In the context of his research on accountability in the context of the
compliance with the basic principles of Article 5, paragraph 2 GDPR, the Inspection Service has the following
question sent to the defendant:
“A documented answer to the question of which technical and
organizational measures the [the defendant] has taken to ensure that
its processing activities take place in accordance with the principles on
processing of personal data in accordance with Articles 5, 24 and 25 of the GDPR.”
84. The defendant has formulated an answer to the above question that, according to the
Inspectorate, focuses on – according to the defendant – the correct handling of the
request for the complainant's right of access. The Inspectorate sets its
Inspection report that this answer is next to the issue, since the question related to
the compliance of the defendant with all the basic principles of the GDPR since the 25th of May 2018.
As a result, the Inspection Service concludes that there is an infringement of article 5, article
24 (1) and Article 25 (1) GDPR.
85. Secondly, the Inspectorate finds that the defendant does not provide evidence
what technical and organizational measures were taken to exercise it
of the rights of the data subjects and to be able to adequately monitor them
in accordance with Article 12 GDPR. In this context, the Inspection Service refers to (i) being
previous finding that the defendant wrongly denied the complainant's right of access
made it more difficult and (ii) the fact that the defendant does not mention anything in its answer
and copies of documents that in practice, on the one hand, the management and employees
inform and raise awareness of the defendant about facilitating and adequate follow-up
of the rights of the data subjects and, on the other hand, contribute to preventing infringements and
(human) errors regarding the rights of the data subjects become effective and efficient
followed up and, where necessary, sanctioned. As a result, the Inspectorate arrives at the
finding that there is a violation of Article 24(1) and Article 25(1) GDPR.
II.4.2. Position of the complainant
86. The complainant agrees with the findings in the Inspection Report.
II.4.3. Defendant's position
87. In its claims, the defendant disputes this finding. The defendant regrets that the
The Inspectorate has come to a violation of accountability, as understood
in Article 5 (2), Article 24 (1) and Article 25 (1) GDPR due to a misunderstanding of a
of the questions of the Inspectorate by the defendant. The defendant denies the
finding that her answer to the above question was not concrete enough, while
the question was anything but specifically formulated, according to the defendant. The Defendant
also notes that it had stated in its reply that it was always available for any decision on the substance 57/2023 – 23/33
further information, but that no further questions were asked. In addition, some
days later the inspection investigation was completed.
88. Since the defendant's findings regarding transparency and the right of access
contested, it therefore also argues that it does have the appropriate technical and organizational
has taken measures to ensure transparency obligations and
facilitating the right of access.
II.4.4. Review by the Litigation Chamber
89. The Litigation Chamber recalls that each controller has the
basic principles on the protection of personal data as understood in Article 5,
must comply with paragraph 1 GDPR and must be able to demonstrate this. That follows from the
accountability in Article 5(2) GDPR in conjunction with Article 24(1) GDPR as
confirmed by the Litigation Chamber .19
90. Based on Articles 24 and 25 of the GDPR, the defendant must take appropriate technical
and organizational measures to ensure and be able to demonstrate that the
processing takes place in accordance with the GDPR. The defendant must do so
effectively implement data protection principles, the rights of data subjects
as well as only process personal data that is necessary for each
specific purpose of the processing.
91. As part of its investigation, the Inspectorate assessed to what extent the
the defendant has taken the necessary technical and organizational measures to
comply with these principles from Article 5 (1) GDPR and in particular the principle of
legality and transparency. In this case, the defendant has replied to
the Inspection Service in which it explains the aspects regarding the GDPR from the
complaint, such as the information obligations and the right of access. The Dispute Chamber reads
however, in the Inspection Report that the answer formulated by the defendant
was not sufficient for the Inspectorate. As explained above, the
Inspectorate in this case believes that certain information, which is for the Inspectorate
is essential to arrive at a good assessment, which means that the
Inspectorate concluded that there had been a violation of Article 5, paragraph
2, Article 24 (1) and Article 25 (1) GDPR.
92. The Disputes Chamber hereby notes if the Inspectorate establishes that there are no
concrete information was provided by a controller, this one
leads to further research. The Disputes Chamber establishes that
in this case no additional questions were asked about specific subjects or that no
19 Decision on the merits 34/2020 of 23 June 2020 available via the web page
https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten. Decision on the substance 57/2023 – 24/33
no specific documents were requested in order to make a proper assessment of the
case with regard to accountability under the
basic principles of the GDPR included in Article 5(1)(b) to f) GDPR.
93. The Disputes Chamber established in section II.2.4 that there had been an infringement of
the obligation to facilitate the request for access by the data subject
in accordance with article 12, paragraph 2 j ° article 15 GDPR. The Disputes Chamber has ruled in part II.3.4
that there was also a breach of the transparency obligations such as
included in Article 12 (1) and Article 13 (1) (c) and (2) a) GDPR with regard to the
understandable language and the indication of the retention periods in the privacy statement.
94. The Disputes Chamber therefore concludes that the defendant could not demonstrate that he had the
has taken necessary technical and organizational measures to comply with these
obligations. Consequently, the Litigation Chamber concludes that there was an infringement of
Articles 5 (2), 24 (1) and 25 (1) GDPR with regard to the obligations
arising from Article 12, paragraph 2 j° Article 15 GDPR on the one hand and Article 12, paragraph 1 and Article
13 (1) c) and (2) a) GDPR on the other hand.
95. With regard to accountability in the context of compliance with the
basic principles of the GDPR as understood in Article 5(1)(b) to f) GDPR, the
Litigation Chamber determined that there are insufficient elements to lead to a violation of this
judgements.
III. Sanctions
III.1. General
96. On the basis of the documents in the file, the Disputes Chamber establishes that there is
subsequent violations
- Article 12, paragraph 2 and Article 15 GDPR with regard to the right of access;
- Article 5 (1) (a) (transparency), Article 12 (1) and Article 13 (1) (c) and (2) a) GDPR, for
with regard to the understandable language and the indication of the retention periods in the
privacy declaration;
97. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the exclusion of prosecution;
3° to order a suspension of the judgment;
4° propose a settlement;
5° formulate warnings and reprimands;
6° to order that the data subject's requests to exercise his rights be complied with
to practice; Decision on the substance 57/2023 – 25/33
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° rectification, restriction or deletion of data and notification
to recommend it to the recipients of the data;
11° to order the withdrawal of the accreditation of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or
to recommend an international institution;
15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who
informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of
the Data Protection Authority.
III.2. Article 5 (1) (a) (transparency), Article 12 (1) and Article 13 (1) (c) and (2) (a) GDPR in
in combination with the accountability principle ex Article 5(2), Article 24(1) and
Article 25 (1) GDPR
98. As regards the infringement of Article 5(1)(a) (transparency), Article 12(1) and Article
13 (1) (c) and (2) a) GDPR, with regard to the understandable language and the indication of the
retention periods in the privacy statement, the Disputes Chamber reminds that they have a lot
attaches importance to transparency as one of the fundamental principles of the GDPR.
Transparency is an overarching obligation under the GDPR, which applies
is in three key areas: 1) the provision of information to data subjects related to
proper processing; 2) the way in which controllers
communicate with data subjects about their rights under the GDPR; and 3) the manner
on which controllers help data subjects to exercise their rights.
In addition, transparency enables those involved to
hold controllers and processors accountable. It's coming
therefore to the defendant as controller to take the necessary appropriate
take technical and organizational measures to enforce the principle of transparency
guarantees. In the present case, the breach of transparency is not of that nature
prevent or seriously hinder the application of these core areas. In this case, the infringement
limited to stating the necessary information in a cluttered manner,
as well as not explicitly stating the retention period. Consequently, the Litigation Chamber
is therefore of the opinion that a reprimand in accordance with Article 100, paragraph 1, 5° is appropriate
for this infringement.
III.3. Article 12 (2), Article 15 GDPR, in combination with the principle of accountability ex
Article 5(2), Article 24(1) and Article 25(1) GDPR Decision on the substance 57/2023 – 26/33
99. With regard to Article 12 (2), (3) and (4), Article 15 GDPR, in conjunction with the
accountability principle pursuant to Article 5(2), Article 24(1) and Article 25(1) GDPR for
with regard to the right of access, the Disputes Chamber considers it appropriate to have a
impose an administrative fine in the amount of EUR 40,000 (Article 83, paragraph 2, Article
100, §1, 13° WOG and article 101 WOG).
100. It should be pointed out in this context that the administrative fine does not matter
aims to end unified transgression, but requires a strong enforcement of
the rules of the GDPR. After all, as can be seen from recital 148 GDPR, the GDPR states
First of all, in the event of any serious infringement – including the first finding of an infringement –
penalties, including administrative fines, in addition to or instead of appropriate ones
measures are imposed. The Litigation Chamber will then demonstrate that the infringements
the defendant has committed on the aforementioned provisions of the GDPR by no means minor
infringements, nor that the fine would impose a disproportionate burden on a
natural person as referred to in recital 148 GDPR, where in either case
a fine may be waived. The fact that it is an initial determination of a
the defendant committed an infringement of the GDPR, does not affect this in any way
to the possibility for the Disputes Chamber to make an administrative decision
impose a fine. The Disputes Chamber will impose the administrative fine
application of Article 58(2)(i) GDPR. The instrument of administrative fine has
in no way intended to terminate infringements. To this end, the GDPR and the WOG provide for a
number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9°
WOG.
21
101. Taking into account Article 83 GDPR and the case law of the Marktenhof,
the Disputes Chamber to impose an administrative sanction in concrete terms:
The seriousness of the breach (Article 83(2)(a) GDPR)
102. In the context of the transparency principle, the controller must provide the
facilitating the exercise of the data subject's rights. For data protection
it is essential that data subjects can easily exercise their rights under the GDPR
can exercise. This enables the data subject to simply
20Recital 148 states: “In order to strengthen enforcement of the rules of this Regulation, penalties,
including administrative fines, to be imposed for any infringement of the Regulation, in addition to or instead of
appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If it
concerns a minor infringement or if the expected fine would place a disproportionate burden on a natural person
person,a reprimand may be chosen instead of a fine.However, account should be taken of
with the nature, seriousness and duration of the infringement, with the intentional nature of the infringement, with damage-limiting
measures, with the degree of responsibility, or with previous relevant infringements, with the manner in which the infringement occurred
has come to the attention of the supervisory authority, with compliance with the measures taken against
the controller or the processor, with the adherence to a code of conduct and with all other aggravating
or mitigating factors. The imposition of penalties, including administrative fines, should be subject
to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter,
including effective remedy and due process. [own underlining]
21Brussels Court of Appeal (Marktenhof section), X t. GBA, Judgment 2020/1471 of 19 February 2020. Decision on the substance 57/2023 – 27/33
way to find out which personal data a controller
processed and whether this processing is lawful. A good interpretation of the right of access is
furthermore necessary to exercise other rights, such as the right to rectification
and the right to data erasure. This principle was recently endorsed by the Court of Justice
22
confirmed. In view of the present violation, however, in the opinion of the
Litigation Chamber concerns a serious infringement, in which the defendant's rights
stakeholders has not been sufficiently facilitated. The Disputes Chamber considers the imposition of
a reprimand is therefore insufficiently effective, not proportionate and not dissuasive.
The defendant has not facilitated the right of inspection with its propagated policy
after all, refuses to allow access in a manner that allows the complainant to
view personal data not only temporarily. Consequently, it became the exercise of it
right of access of the complainant by the defendant. From a professional party
as the defendant, who systematically processes personal data in the context of the
performs recordings for the performance of agreements, it may be expected that it will be on the
is aware of the applicable standards and the appropriate technical and organizational
takes measures to handle this personal data correctly. The
the defendant has thus failed to observe the guarantees that the GDPR provides for the right of access
gives to respect.
The number of data subjects (Article 83 paragraph 2, a) GDPR)
The Disputes Chamber notes that recording telephone conversations is a
is standard practice of the Defendant, and that the disclosure policy
this personal data is not in accordance with applicable law, making it
it cannot be ruled out that similar cases have occurred or will occur
occur in the future. However, the Disputes Chamber takes into account the fact that only
one complaint was lodged.
The intentional or negligent nature of the breach (Article 83(2)(b) GDPR)
As to whether or not the breaches were intentional (not negligent)
have been committed, the Litigation Chamber reminds that "not
intentionally” means that it was not the intention to commit the infringement, although the
the controller had not complied with the duty of care pursuant to
the law rested upon him. With regard to the negligent nature of the infringement
(article 83.2.b GDPR), the Dispute Chamber understands that the infringement was not committed with
malicious intent to harm the AVG. The Disputes Chamber finds that the defendant
has always responded to the complainant's requests, and that it has alternatives in terms of
22 CJEU, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3, para 28 et seq. see also CJEU, 17 July 2014, YS
et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16, EU:C:2017:994,
para 57 Decision on the substance 57/2023 – 28/33
proposed modalities with regard to the inspection, but that these were not sufficient
to the modalities provided for the GDPR and the guidelines mentioned above
the EDPB.
Measures taken to limit the damage suffered by those involved
In the framework of the principle of transparency, the controller must on the basis
of Article 12, paragraph 2, of the GDPR, the exercise of the rights of the data subject
under - inter alia - Article 15 of the GDPR. Both the complainant and the
the defendant suggested possible solutions, but failed to reach a compromise. Like this
the defendant failed to comply with prior to and during the proceedings
the various possible solutions proposed by the complainant, such as
for example, transferring the transcript after checking its accuracy. A
possible solution offered by the defendant was to listen to the
recordings at the head office in Drogenbos. It is for data protection
essential that those involved have to in an easy way, and not just temporarily
can see. The Disputes Chamber therefore argues that an alternative method of access is then
of the right to a copy was offered, but that this offered modality no
could provide an adequate solution.
Previous breaches by the controller (Article 83(2)(e) GDPR).
The Litigation Chamber also takes into account the fact that the defendant has never before
was the subject of an enforcement procedure of the GBA.
Categories of personal data (Article 83(2)(g) GDPR)
The Litigation Chamber takes into account the fact that there is no evidence that is sensitive
data were processed.
Aggravating circumstance (Article 83(2)(k) GDPR)
The Disputes Chamber points out that the present case concerns the rights of
data subjects and in particular the right of access. As already mentioned, the right of
inspect the gateway for other rights or claims - whether or not under the GDPR
to practice. It is therefore essential to guarantee this access in a way that the
data subject has access in a sustainable manner. The Disputes Chamber also takes this into account
with the fact that there was an imbalance between the parties in that sense of the complainant
had the requested personal data and could not simply do so without it
intervention of the defendant.
Extenuating circumstances (Article 83(2)(k) GDPR) Decision on the substance 57/2023 – 29/33
The Litigation Chamber also takes into account the fact that the defendant is constructive
has cooperated, both during the Inspection investigation and during the procedure for the
Litigation room.
Conclusion
103. The whole of the elements set out above justifies an effective,
proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking into account
the assessment criteria specified therein. The Litigation Chamber points out that the other
criteria of art. 83 (2) GDPR in this case are not such that they lead to another
administrative fine than that imposed by the Litigation Chamber in the context of this
decision has been made.
104. On 5 April 2023, a sanction form (“form for reaction against intended
sanction”) addressed to the defendant containing the intention to impose a fine of 70,000
to impose EUR. She submitted her response regarding the content on April 25, 2023. The
In summary, the defendant states in its response to the sanction form that:
1) the Litigation Chamber has not taken into account the concerns of the
defendant, nor with the fact that the request for access to a broader civil law
dispute, which is in no way taken into account by the
dispute room;
2) the fact that the complainant is invited to listen to the recording is not
necessarily means that the right of inspection is only temporary. Complainant has it
right to make notes while listening and always received one in the past
summary via e-mail of the elements that were discussed during a telephone conversation
discussed, including the personal data processed by the defendant.
The goal was not to prevent him from accessing it, but to prevent it
evidence would be unauthorizedly distributed, altered or manipulated.
If it did, it could be used in a conflicting way
with the rights of the defendant's employees;
3) from the alleged fact that it would have hindered the right of access – quod certe
non -, the Litigation Chamber cannot possibly establish and decide that the defendant
would not have appropriate procedures (under Articles 24 and 25 GDPR);
4) the complainant's lawyer never proposed to come and listen to the recording
has answered;
5) the Litigation Chamber assumes that it would systematically process large-scale processing
perform. This is not the case; and Decision on the substance 57/2023 – 30/33
6) the proposed fine is disproportionate to the infringements committed
established.
105. The defendant regrets that certain circumstances were not taken into account,
in particular the duration of the infringement, the non-intentional nature of the infringement and the
categories of personal data to which the breach relates.
1) First, with regard to the duration of the infringement, the defendant wishes to repeat
refer to the civil dispute that exists between the parties.
2) Second, there was no willful misconduct or malice on the part of the defendant.
The Respondent has robust and adequate internal procedures, policies and
rules in place to protect personal data and always in good faith
endeavored to comply with the GDPR in both spirit and letter.
3) Finally, as indicated above, are the categories of data used by
defendant are processed limited and usually relate to the company
and not on the natural person himself (e.g. contact details, company name,
company social network and domain name).
106. The Disputes Chamber is of the opinion that the above has been accepted by the defendant in the
elements put forward in the sanction form have already been dealt with in the decision and in
were taken into account when determining the fine in accordance with Article
83 (2) GDPR. The elements from the sanction form used by the Disputes Chamber
additional considerations are discussed below.
107. As to the defendant's argument regarding the alleged
disproportionate nature of the administrative fine, the Disputes Chamber points out
that according to Article 83.5 GDPR, the violations of the Articles are Article 12(2)(3)
and paragraph 4, Article 15 GDPR subject to administrative fines of up to EUR 20,000,000
or 4% of the total annual turnover of the previous financial year.
108. As regards the defendant's argument that the administrative
fine in this case would be higher than in previous decisions of the Litigation Chamber,
should be pointed out that in accordance with Article 83.2 GDPR as well as the guidelines
of the Group 29 23 fines are imposed “according to the circumstances
of the specific case”. In addition, the Disputes Chamber points to the
case law of the Court of Appeal in Brussels, section Marktenhof, according to which “het
Belgian legal system does not [assign] nor to a binding precedent value
administrative or judicial decisions. Any decision of a judge (and this
23Data Protection GroupArticle 29, Guidelinesontheapplicationandsettingofadministrativefinesforthe purposes
of Regulation 2016/679, 3 October 2017. Decision on the substance 57/2023 – 31/33
applies equally to any decision of an administrative authority, provided that it
principle of equality is not violated) is specific and does not extend to another
than the case under consideration”. 24 With regard to the amount of the imposed
administrative fine, the Marktenhof also pointed to the margin of appreciation of the
Litigation Chamber: “In practice, this means that the GBA cannot decide on its own
offender not to impose a fine, but also that, if they decide to impose a fine, these
is situated between the minimum, ranging from EUR 1, and the intended maximum. Which
fine is imposed, will be decided by the GBA taking into account the criteria set
are listed by Article 83 (2) GDPR”. 25
109. The defendant objects that when determining the amount of the fine in the
sanction form the consolidated turnover of the French parent company has been used in
instead of the turnover of the defendant itself. The defendant does not wish to go alone
emphasize that it was a subsidiary of Regicom Webformance in 2021,
but also that the Disputes Chamber should only take into account the annual figures of the
defendant since parent company does not exercise decisive influence over the
subsidiary. The defendant also submits its annual figures for 2021
amounted to EUR 24,683,149.
110. On the basis of all the elements set out above, the
Litigation Chamber to adjust the proposed sanction from EUR 70,000 to EUR 40,000.
The established infringements warrant an effective, proportionate and dissuasive
sanction as referred to in Article 83 GDPR, taking into account the provisions therein
assessment criteria. The Disputes Chamber is of the opinion that a lower fine in the
the present case would not meet the requirement of Article 83(1) of the GDPR
criteria, according to which the
administrative fine is not only proportionate, but also effective and dissuasive
must be.
III.4. Other grievances
111. The Litigation Chamber proceeds to a deposit of the other grievances and findings of the
Inspectorate because, based on the facts and the documents in the file, they do not belong to the
conclude that there has been a breach of the GDPR. These grievances and
findings of the Inspectorate are therefore regarded as manifestly unfounded
within the meaning of Art. 57(4) GDPR.
24
Brussels Court of Appeal (Marktenhof section), NV N.D.P.K. t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 12.
25Brussels Court of Appeal (Marktenhof section), NV N.D.P.K. t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 42.
26
See point 3.A.2 of the Litigation Chamber's Dismissal Policy, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 57/2023 – 32/33
IV. Publication of the decision
112. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary for the
identification data of the parties are disclosed directly.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- on the basis of article 100, §1, 5° WOG to formulate a reprimand with regard to the
defendant for the infringement of Article 5(1) (transparency), Article 12(1) and Article
13 (1) (c) (2) (a) GDPR with regard to the understandable language and the indication of the
retention periods in the privacy statement;
- based on Article 83 GDPR and Articles 100, 1, 13° and 101 WOG, an administrative
to impose a fine of EUR 40,000 on the defendant for the infringement of article
12 (2) Art. 15 GDPR with regard to facilitating the right of access to the
complainer;
- pursuant to art. 100, §1, 6° WOG to order the defendant to grant the right of access
to be known to the complainant in accordance with Article 12, paragraph 2 in conjunction with 15 GDPR; and
- to dismiss the other grievances pursuant to Article 100, §1, 1° WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of
Brussels appeal), with the Data Protection Authority as defendant.
Such an appeal may be made by means of an inter partes petition
27
listed in Article 1034ter of the Judicial Code and must contain .
27 The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer. Decision on the substance 57/2023 – 33/33
a contradictory petition must be submitted to the Registry of the Market Court
28
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit
IT system of Justice (Article 32ter of the Ger.W.).
(get). Hielke HIJMANS
Chairman of the Litigation Chamber
28 The application with its annex is sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.
