APD/GBA (Belgium) - 75/2023

From GDPRhub
Revision as of 08:55, 29 June 2023 by Mg (talk | contribs) (Mg moved page APD/GBA (Belgium) - DOS-2021-07350 to APD/GBA (Belgium) - 75/2023: consistency)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - DOS-2021-07350
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(1)(f) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 15(1)(a) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 14.06.2023
Fine: 10000 EUR
Parties: n/a
National Case Number/Name: DOS-2021-07350
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: GBA (Belgium) (in NL)
Initial Contributor: n/a

Publicly available information of tens of thousands of doctors across Belgium were collected and processed without a legitimate basis. Their information were published on an online platform consisting of profiles for doctors. The interests of the data subjects outweighed the controller’s interests. The controller was fined 10,000 EUR for its GDPR violations.

English Summary

Facts

A provider of an online platform (the controller) collected on a large scale - without consent - publicly available contact data on tens of thousands of doctors. This data was then published on the controller's online platform. The platform distinguished between “free profiles” and “paying profiles” of doctors. With regard to the paying profiles, the doctors and the controller have a contract in place which is not the case in regard to the free profiles.

A group of doctors (the complainants), that did not have a contract with the controller, made an erasure requests under Article 17(1) GDPR to the controller via a registered letter on 25 Oct 2021.

The controller stated that the letter was not received by it at the time, and stated that the letter was sent during a lockdown period during which employees and the manager worked from home. The controller claimed to eventually have received the erasure requests on 13 January 2022, as the letter of the complainants was then found within a pile of mail, whichafter, the controller acted on them on 14 January 2022.

Thereafter, the complainants filed a complaint with the Belgian DPA against the controller. The complainants alleged that the controller breached Articles 5(1)(a), 5(2) and 6 GDPR. Moreover, they claimed that the controller violated the GDPR by deleting their personal data, too late.

The controller claimed that, with regard to "free profiles", it has a legal basis under Article 6(1)(f) GDPR, as the it has legitimate interests to process the data. The claimed interests by the controller were 1) freedom of expression and information under Article 11 of the Charter and the Belgian Constitution, as well as, 2) the controller's economic interest, based on freedom of enterprise.

Holding

The DPA recalled that pursuant to Article 5(1)(a) GDPR, personal data must be processed lawfully. This means that the processing must have a legal basis under Article 6 GDPR. As the controller had claimed to have legitimate interests pursuant to Article 6(1)(f) GDPR, with regard to the “free profiles”, to process the information: the DPA proceeded to assess the balance of interests of the controller and the complainants.

When it comes to assessing the balance of interests, under CJEU case law (C-708/18, ECLI:EU:C:2019:1064, para 56), the controller must take into account the reasonable expectations of the data subject that their personal data will not be processed, when they cannot reasonably expect further processing. In this case, the DPA found, that the complainants could not reasonably expect that their data would be further processed for other purposes, since, initially, the contact information of the doctors, were published, with their consent, on their own, their group practice's, or hospital's website.

Furthermore, the DPA emphasized that the freedom of enterprise, as recognised in Article 16 of the Charter, is not unlimited and stops where other fundamental rights - such as the right to protection of personal data - begin. Thereafter, it was found that the interests raised by the controller did not override those of the complainants. Consequently, the controller could not invoke a legitimate interest, because the interests of the complainants outweigh the interests of the controller or the third party.

Consequently, the DPA held that the controller breached Article 6(1)(f) GDPR with regard to the “free profiles”. As far as “paying profiles” were concerned, the DPA notes that the complaint only concerns the processing of personal data in the context of free profiles with regard to doctors who precisely do not want such agreement (paid profiles) with the controller.

With regard to acting on the complainants’ erasure request on a timely manner, it was noted by the DPA, that during lockdown period, telecommuting was strongly recommended, not mandatory. Therefore, the DPA held that the controller was not unable to follow up on mail. The controller was not found to have taken appropriate measures to facilitate the data subject's right to data erasure, which constitutes a violation of Article 12(2) GDPR. As a result, the right to data erasure was not implemented in a timely manner, in accordance with Article 12(3) GDPR. This non-compliance was found to be the result of the failure to facilitate the exercise of the data subject rights. Consequently, DPA found that there has been a breach of Article 12(2) GDPR.

Eventually, the controller was fined 10,000 EUR for breaching Articles 5(1)(a) and 6(1)(f) GDPR as regards the lawfulness of the processing, as well as, 12(2) GDPR and 17(1) GDPR for not taking appropriate measures to facilitate the exercise of their rights by data subjects.

Comment

In a case with similar facts, of the German Supreme Court (BGH - VI ZR 60/21), the court came to an opposite conclusion that an online platform collecting and publishing personal data of doctors does not violate the provisions of the GDPR. See a summary of this case on the GDPRHub here.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/26




                                                                           Litigation room


                                         Decision on the substance75/2023 of 14 June 2023



File number : DOS-2021-07350


Subject: Processing of personal data on a platform



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Having regard to the documents in the file;


Made the following decision regarding:



The complainants: Healthcare providers X represented by Mr. Ann Dierickx, office clerk

                   at 3000 Leuven, Mechelsestraat 107-109, hereinafter “the complainants”;


The defendant: Y, represented by 'Mr. Emmanuel Cornu and Mr. Eric DeGryse,
                   with offices at 1050 Brussels, Avenue Louise 250/10, hereinafter “de

                   defendant”. Decision on the substance 75/2023 - 2/26


I. Factual Procedure


 1. On November 23, 2021, the complainants submit a complaint to the

       Data Protection Authority against the Defendant.

 2. On November 25, 2021, the complaint will be declared admissible by the First Line Service on

       pursuant to Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG

       submitted to the Disputes Chamber.

 3. On December 10, 2021, in accordance with Article 96, § 1 WOG, the request of the

       Disputes Chamber to carry out an investigation submitted to the Inspection Service,

       together with the complaint and the inventory of the documents.

 4. The investigation by the Inspectorate will be completed on February 2, 2022, it will be

       report is appended to the file and the file is reviewed by the Inspector General

       sent to the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

       The report contains findings regarding the subject of the complaint and decision

       that:


          1. there is a violation of Article 5 (1) (a) and (2) and Article 6 (1) GDPR; and that

          2. there is a violation of article 12, paragraph 1, paragraph 2 and paragraph 3, article 17, article 19, article

             24 (1) and Article 25 (1) GDPR.

 5. On February 4, 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

       WOG that the file is ready for treatment on the merits.

 6. On 4 February 2022, the parties involved will be notified by email of the

       provisions as stated in Article 95, § 2, as well as those in Article 98 WOG. Also

       they are informed of the time limits for their

       to file defenses.

       The deadline for receipt of the statement of defense from the defendant was

       hereby recorded on 18 March 2022, this for the statement of reply of the complainants

       April 8, 2022 and this one for the defendant's rejoinder on April 29, 2022.

 7. On 8 February 2022, the complainants will electronically accept all communication regarding the case

       and ask the complainants for a copy of the file (article 95, § 2, 3° WOG), which was sent to them

       transferred on February 9, 2022.

 8. On February 17, 2022, the defendant electronically accepts all communications regarding the

       case. The defendant hereby makes a reasoned statement to the Disputes Chamber

       request to change the procedural language from Dutch to French, as well

       the defendant asks for a copy of the file (Article 95, § 2, 3 ° WOG), which was given to her

       transferred on 14 March 2022. Substantive decision 75/2023 - 3/26


9. On February 21, 2022, the Disputes Chamber receives a request from the complainants on the

     to keep Dutch as the language of proceedings.

10. On March 7, 2022, the Disputes Chamber will inform the parties about the retention of the

     Dutch as a procedural language in accordance with its language policy, as there is only 1

     procedural language. However, the Disputes Chamber states that the parties can turn to it

     address in the national language of their choice and that the Dispute Chamber will respond to the

     parties in the language they prefer. The Disputes Chamber makes adjusted terms for this

     for the parties to submit conclusions about.

11. On March 14, 2022, the Disputes Chamber receives the defendant's objection to the

     retention of Dutch as a procedural language and that proposed by the Disputes Chamber

     language arrangement. On the same day, the Disputes Chamber will send adjusted deadlines

     submit claims to the parties.

     The deadline for receipt of the statement of defense from the defendant was

     hereby recorded on 25 April 2022, this for the conclusion of the complainants' reply on 16

     May 2022 and those for the defendant's rejoinder on 6 June 2022.

12. After assessing the objection regarding the language of the proceedings of the defendant, the

     Litigation Chamber on March 22, 2022 the decision regarding the preservation of the

     Dutch as the language of the proceedings to the parties, with adjusted deadlines for submission.

     The deadline for receipt of the statement of defense from the defendant was

     hereby set on 3 May 2022, those for the statement of reply of the complainants on 24

     May 2022 and those for the defendant's statement of defense on 14 June 2022.

13. On March 18, 2022, the Disputes Chamber will receive the statement of defense from the

     defendant. First, the defense alleges a violation of Articles 41 and 42 of the

     coordinated laws on the use of languages in administrative affairs for the sake of preservation

     of Dutch as a procedural language. On the merits, the defendant argues that the processing

     constitutes lawful data processing. Subsequently, the defendant claims that she
     has proceeded to the deletion of the personal data from the first knowledge

     of the data erasure request.


14. On 17 May 2022, the Disputes Chamber will receive the statement of reply from the complainants. The

     The complainants argue that the defendant complied with the rules in the contested processing
     from articles 5, paragraph 1, a), 5, paragraph 2 and 6 GDPR has not been complied with.

     indicates that the defendant has belatedly proceeded to a complete removal of the

     personal data in question violated the provisions of the GDPR.


15. On 13 June 2022, the Litigation Chamber received the statement of rejoinder from the
     defendant in which she repeats her arguments from the statement of defense and Decision on the substance 75/2023 - 4/26


       additionally notes that the complaint was filed on behalf of the practitioners, but the

       statement of reply was submitted on behalf of Z comm.v.


 16. On September 28, 2022, the parties will be notified that the hearing will
       take place on November 18, 2022.


 17. On November 18, 2022, the parties appearing will be heard by the Disputes Chamber.

 18. On November 21, 2022, the minutes of the hearing will be sent to the parties

       transferred.


 19. On January 26, 2023, the Disputes Chamber receives some from the defendant

       remarks with regard to the official report which it decides to include in
       her deliberation.


 20. On 16 May 2023, the Disputes Chamber informed the defendant of its intention

       made to proceed to the imposition of an administrative fine, as well as the

       amount thereof in order to give the defendant the opportunity to defend himself,
       before the sanction is effectively imposed.


 21. On June 5, 2023, the Disputes Chamber will receive the response of the defendant to the

       intention to impose an administrative fine, as well as the amount

       of them.




II. Motivation


    II.1. Decision on Dutch as a procedural language

 22. As already explained, the defendant objected to the Dutch als

       procedural language. The defendant argues that Dutch should be retained as the language of proceedings

       is contrary to Articles 41, §1 and 42 of the Royal Decree of 18 July 1966 containing

       coordination of the laws on the use of languages in administrative matters (hereinafter: SWT).

       has complied.

 23. In view of the above, the question arises which language legislation applies to the

       procedure before the Litigation Chamber.


 24. With regard to the procedural language for the GBA, Article 57 of the WOG in the

       within the framework of the dispute resolution procedure that "[t]e DPA uses the language in which the
       procedure is conducted according to the needs specific to the case".

       Pursuant to this Article 57 WOG, read in conjunction with Article 60 WOG, the

       procedure conducted in one of the national languages. However, this article 57 WOG is general



1
 B.S. August 2, 1966. Decision on the substance 75/2023 - 5/26


       formulated and does not provide for any general foreseeable regulation of the procedural language

       the parties to a multilingual procedure.


 25. The Marktenhof has already discussed some elements regarding the language used in the proceedings

       clarified before the Litigation Chamber. It has determined that the law of 15 June 1935 on

       the language used in court cases does not apply to the Disputes Chamber:

       "It is incontestable that the language law of 15 June 1935 does not apply to

       conducted the procedure before the GBA. In principle, every person/legal entity must oppose

       those who are prosecuted for a complaint have the opportunity to defend themselves in their own language

       (and not in that of the complainant).”


 26. The Marktenhof continues: “[t]e GBA, which is an autonomous government service with

       legal personality, is a central service whose scope covers the entire country

       within the meaning of the laws of 18 July 1966 on the use of languages in administrative matters. Out of service
       it is in its relations with the public, individuals and private companies

       subject to the provisions of Articles 40 to 45 of the aforementioned

       language laws.”2


 27. These articles read as follows:

       “Art. 41. - § 1. - The central services for their relations with private individuals

       use of those of the three languages used by those concerned.”


       “Art.42.-Decentralized services draw up deeds, certificates, declarations, authorisations

       and licenses in those of the three languages of which the private individual concerned uses

       asks.”

 28. In a recent interim judgment dd. March 8, 2023, the Market Court has determined that there

       there is disagreement about the applicability of this language legislation to the procedures

       for the Dispute Chamber. The Marktenhof considers in this regard: “[t]end a

       create a clearer framework and provide foreseeability for the parties in this regard,

       the Marktenhof should rule on this, possibly after questioning it

       Constitutional Court". However, the Disputes Chamber notes that this judgment dates from after the

       decisions of the Disputes Chamber to use Dutch as the language of proceedings,

       therefore not taken into account in those decisions.

 29. In its judgment dd. July 7, 2021, the Market Court has in any case clearly stated that in

       in principle every person/legal entity against whom a complaint is being prosecuted, the

       must have the opportunity to defend himself in his own language (and not that of the complainant).






2 Brussels Court of Appeal, Marktenhof section, 7 July 2021, 2021/AR/320, p. 19-20.
3 Brussels Court of Appeal, Marktenhof section, 8 March 2023, 2023/AR/184, p. 12. Decision on the substance 75/2023 - 6/26


     evading the prosecuted party to his or her language may, among other things, be a violation

     form part of the rights of defence.

30. Since only one official procedural language can apply

     The Disputes Chamber must therefore decide whether this should be Dutch or French in the present case

     are.The Litigation ChamberdecidedtoretainDutchasprocedurallanguage.Hereby

     decision, the Disputes Chamber took into account the following elements: the

     The defendant's registered office is located in (bilingual) Brussels

     Capital Region, the articles of association of the defendant are drawn up in Dutch, de
     the defendant is active throughout the territory of Belgium, and the complainants are Dutch-speaking.

     The Disputes Chamber points out that it has not taken this into account in this assessment

     with the objections regarding French as the procedural language formulated by the lawyer

     of the complainants as stated in the letter dd. February 4, 2022 it was determined that “if a

     the defendant wishes to file a reasoned objection to the use of this language

     make it possible to do so within a period of 14 days after the sending of this letter, at
     preferably via litigationchamber@apd-gba.be or via the contact details above

     this letter” (own underlining).


31. The Disputes Chamber has also taken the findings into account in this decision

     of the Marktenhof that any natural or legal person against whom a complaint
     persecuted must have the opportunity to defend themselves in their own language. The

     The Disputes Chamber has therefore proposed a regulation by analogy with Articles 41,

     §1 and 42 SWT. First of all, the Litigation Chamber reminds that these articles only refer to the

     regulating language use between the private individual and the central government department, that is in this case

     respectively each party and the Disputes Chamber, by extension the GBA. These articles

     therefore do not regulate in which language the parties must communicate with each other.

     The proposed language regime was as follows. By analogy with the above

     position of the rights of defense of the defendant, states the

     Disputes Chamber in the first place that both must be able to turn to the Disputes Chamber

     their own language. The parties were therefore free to submit procedural documents and conclusions to
     the Litigation Chamber in their language of choice. These procedural documents filed by a party

     would not, however, be translated by the Litigation Chamber for the benefit of the

     other party; nor would it be liable for the related costs incurred by the parties

     with the translation of these documents. The parties also did not have to provide translations of their own

     provide procedural documents for the other party. Both sides would too

     simultaneously receive the decision in their preferred language.

     At the start of the hearing at the Litigation Chamber, the Chairman also stated

     indicated that the parties could express themselves in the language they preferred. Decision on the substance 75/2023 - 7/26


32. The Disputes Chamber notes that the defendant has submitted claims in Dutch

     submitted and expressed himself during the hearing in Dutch, as a result of which the

     Disputes Chamber, in accordance with the above regulation, is also in Dutch until the

     parties.

33. The Disputes Chamber therefore rules that, in accordance with the case law of the

     Marktenhof, the rights of defense had not been violated since the defendant

     could defend itself in its own language, and the Litigation Chamber would also address the

     parties in their chosen language. This is also evident from the fact that the letters
     containing the deadlines for submissions received after the first objection of the

     defendant about the language of the proceedings, by the Disputes Chamber in both languages

     parties were transferred.


   II.2. Identity of the complainant

34. The Disputes Chamber notes that the complaint was filed on behalf of a number of individuals

     appointed professionals who were all represented by the same

     counselor. The conclusion of reply dd. May 13, 2022 have been filed due to the

     limited partnership Z of which the professionals who have the complaint

     be a retired member.

35. The Disputes Chamber finds that comm.v. Z, on whose behalf the submissions of reply were made

     filed, no party is involved.

   II.3. Article 5 (1) (a) and (2) and Article 6 (1) GDPR.


36. In its conclusions, the defendant argues that a distinction must be made

     between the free profiles on the one hand and the paying profiles on the other hand. The

     Litigation Chamber will first assess the legality of the free profiles and

     then the legality of the paying profiles.

      II.3.1. Article 6(1)(f) GDPR (Free Profiles)


37. The Litigation Chamber recalls that pursuant to Article 5(1)(a) GDPR personal data

     must be lawfully processed. This means that the processing must be done on

     based on the processing grounds as set out in Article 6 GDPR.

38. The Inspectorate maintains that the defendant has fulfilled the obligations imposed by Article 5(1)

     a) and has not complied with paragraph 2 of the GDPR and Article 6 of the GDPR. To this end, the

     Inspectorate applies that the fact that personal data of certain data subjects such as

     the Complainants are publicly accessible on certain professional websites, does not imply

     that those data subjects can reasonably expect that those personal data
     then by the defendant systematically and without their consent on a Substantive Decision 75/2023 - 8/26



       large-scale manner be made available to anyone who accesses its website

       used and processed further.


 39. The defendant argues in its conclusions that it does not invoke the authorization for the

       processing of the personal data, as this is organizationally difficult to achieve.

       However, the defendant argues that the processing is lawful under Article 6(6).

       1, f) GDPR (legitimate interest) with regard to the free profiles.

 40. In order to be able to rely on the

       legal basis of the “legitimate interest”, the

       to demonstrate to the controller that:

         1) the interests it pursues with the processing can be justified

         be recognized (the “goal test”);

         2) the intended processing is necessary for the fulfillment of these interests

          (the “necessity test”); and

         3) the balancing of these interests against the interests, fundamental

         freedoms and fundamental rights of data subjects in favor of the

         controller or a third party (the “balancing test”). 4


 41. The Disputes Chamber will check whether these conditions have been met with regard to the

       litigious processing.


                    (i) Is there a legitimate interest? (target key)

 42. The first condition is that the defendant pursues the interests of itself or a third party

       that qualify as justifiable. The interests must be on the date of processing

       be real, current, and not hypothetical. A legitimate interest must

       lawful, sufficiently clear, real and not speculative.


 43. The defendant puts forward three different interests:


            a. the interest of a third party (the potential patient): namely increasing the

                access to health care for patients and their free choice

                facilitating health care providers through the right to freedom of expression, viz

                granting the opportunity to write reviews about the healthcare provider (in

                the case of paying profiles) on the one hand, the possibility to take note



4 CJEU, 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rigas pašvaldības SIA

'Rīgas satiksme', C-13/16; ECLI:EU:C:2017:336, para. 28-31 and CJEU Judgment of 11 December 2019, TK v/ Asociaţia
deProprietariblocM5A-ScaraA,C-708/18,ECLI:EU:C:2019:1064,para. 40-44. See also previous decisions in the same way
of the Disputes Chamber, including 21/2022 of February 2, 2022.
5
 Some questions about the legitimate interest are supposed to be answered by the Court of Justice of the
European Union in case C-621:22 (KoninkijkeNederlandse Lawn Tennisbond v. Autoriteit Persoonsgegevens.
6 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, ECLI:EU:C:2019:1064, para 44.

7 Opinion 06/2014 on the concept of “legitimate interests of the data controller” in Article
7 of Directive 95/46/EC, 9 April 2014, Article 29 Data Protection Working Party, p.31. Decision on the substance 75/2023 - 9/26


              of these reviews on the other hand. As for the interest of the potential patient

              the defendant argues that through the platform it enables patients to

              easy to find and contact a healthcare professional
              record with him/her by sharing not only useful, but even

              necessary information. The defendant argues that this contributes to the law

              of each patient to access health care, as well as his right to free

              choice of the professional he wishes to consult, as guaranteed

              by Article 6 of the Law of 22 August 2002 on the rights of

              patients. Secondly, the platform also allows patients to express an opinion
              sharing about the healthcare provider (with a paying profile). It justified

              interest here is to implement Article 11 of the Charter of the

              Fundamental rights of the European Union in conjunction with Articles 19 and 25 of the Constitution in which the

              right to freedom of expression is guaranteed.

          b. the interest of the data subjects (i.e. the healthcare professionals in the

              healthcare), namely attracting new patients and creating

              of appointments via the platform; and

          c. the defendant's own economic interest, based on the freedom of

              entrepreneurship.

44. With regard to this first condition, the Litigation Chamber is of the opinion that the platform

      which is controlled by the defendant an interest of the controller,

      the healthcare providers and a general interest of the patients of the platform.


45. First of all, the collection of data about healthcare providers can be regarded as
      an expression of freedom of information under Article 11 of the Charter of the

      fundamental rights of the EU (hereinafter: Charter), both in its active and passive

      dimension, namely actively adding the data as well as consulting the

      facts. In addition, there is also a social desirability of the platform.

      Thanks to this platform, patients can make a more informed choice about their treatment
      healthcare providers. The right of users to spread opinions is also one

      fundamental right enshrined in Article 11 of the Charter.


46. Next, the interest of the data subject is to gain more visibility and
      easy to find, also an interest that can be regarded as legitimate.


47. Finally, the operation of the platform also forms part of the provisions of Article 16 of the

      Charter enshrined fundamental right of entrepreneurship of the
      controller. In this case, the Litigation Chamber determines that the defendant

      within the framework of the exercise of its commercial activities

      interests. Decision on the substance 75/2023 - 10/26



  48. In view of the above, the Litigation Chamber finds that the defendant meets the first

        condition has been met a priori.

                    (ii) Is the processing necessary? (necessity test)


 49. The Court of Justice has ruled on this, inter alia, in the TK judgment

       condition of necessity:

                “With regard to the second condition of Article 7(f) of Directive

                95/46, namely that the processing of personal data must be necessary

                for the protection of the legitimate interest, the Court recalled

                brought that the exceptions to the protection of personal data and the

                its limitations must remain within the limits of what is strictly necessary

                (judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 30 et seq.

                cited case law).


                In assessing this condition, the referring court must verify whether it

                legitimate interest of the data processing that is pursued

                with the video surveillance at issue in the main proceedings and which essentially consists of the

                to ensure the safety of goods and persons and to prevent criminal offences

                cannot reasonably be achieved as effectively with others

                means that are less detrimental to fundamental freedoms and

                rights of the data subjects, in particular the right to respect for the

                private life and the right to protection of personal data as guaranteed
                                                            8
                by Articles 7 and 8 of the Charter.”

 50. The Court of Justice also notes that the condition relating to the necessity of

       the processing, moreover, must be examined in conjunction with the principle of

       'minimum data processing' laid down in Article 6(1)(c) of the Directive

       95/46. According to that provision, personal data must be 'adequate, relevant

       and are not excessive [...] in relation to the purposes for which they are collected or

       for which they are subsequently processed”. 9 The Court of Justice has also

       clarifies that if there are realistic and less invasive alternatives, the treatment

       is not "necessary".


 51. This case law formulated in relation to Article 7(e) of Directive 95/46/EC

       remains relevant to this day. Article 6(1) of the GDPR takes over the wording from

       Article 7 of Directive 95/46/EC.



8 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, C-708/18, ECLI:EU:C:2019:1064, para
46-47.
9
 CJEU,11December2019,AsociațiaDeProprietariBlocM5a-ScaraA,C-708/18,C-708/18,ECLI:EU:C:2019:1064,para46.
10CJEU, 9 November 2010, Volker & Markus Schecke GbR and Hartmut Eifert v. Land Hessen, , merged affairs
C‑92/09 and C‑93/09, ECLI:EU:C:2010:662. Decision on the substance 75/2023 - 11/26


 52. In this context, the defendant refers to the personal data stated on the platform

       are exclusively professional and public data, which also apply to others

       professional websites can be found. In addition, the defendant also has the

       e-mail addresses of the complainants that are only used internally to be involved

       inform the professional via the so-called performance mails. Finally, the

       the defendant that there are several such professional websites that

       association of professionals, such as the websites of the Order of Doctors or of the

       Psychologists Committee.


 53. The Litigation Chamber notes that the second condition also appears to be met,
       since the surname, first name, specialty of the healthcare providers involved are necessary

       to enable users of the website to contact them.


                   (iii) Balancing of Interests

 54. Finally, the interests or fundamental rights of the data subject should not be overridden

       outweigh the interests of the controller or the third party around them

       to be able to successfully rely on Article 6 (1) (f) GDPR, which must always be assessed

       in the light of the specific circumstances of the case. The Court of Justice

       notes that the seriousness of the

       infringement, nature of the personal data involved, the nature and concrete manner of

       processing of the data concerned and the reasonable expectations of the data subject

       that his personal data will not be processed if he has no reasonable need for further processing
                                         12
       processing can be expected.

 55. As regards the balancing of interests, the defendant argues that only an absolute

       minimum of professional data of the data subjects are processed, that these

       personal data are not sensitive in nature and that these personal data are already public

       available on the websites of third parties, or by some data subjects on their own

       website. The defendant argues that it is within the reasonable expectations of the person concerned

       falls that their personal data is processed by a platform such as that of the

       defendant, in view of the fact that the complainants themselves are involved in the establishment of

       such a platform. The defendant points out that the legitimate interest pursued by

       its pursuit does not differ from the legitimate interest of similar ones

       platforms. The defendant argues that its platform is more easily accessible to

       the patients, since it is an easily navigable database in which care providers are selected

       all kinds of specializations of the health sector are included.


11
 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, ECLI:EU:C:2019:1064, para 56.
12 CJEU, 11 December 2019, Asociația De Proprietari Bloc M5a-Scara A, C-708/18, ECLI:EU:C:2019:1064, para 57 and 58 ;
Opinion 06/20214 on the concept of “legitimate interest of the data controller” in
article 7 of Directive 95/46/EC, 9 April 2014, Article 29 Data Protection Working Party, p. 50 et seq. can be consulted via
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf. Decision on the substance 75/2023 - 12/26



 56. The Disputes Chamber is of the opinion that there has been a serious breach of the

       fundamental rights of data subjects. The defendant collects on a large scale – without

       consent – personal data of tens of thousands of professionals in the

       healthcare. This data is then published on the platform of the

       defendant from which it derives commercial profits. As for the nature of the

       contact details, the Disputes Chamber notes that these are indeed public

       facts. The public nature of the personal data does not prevent the

       processing continues to require appropriate safeguards. The fact that personal data for

       being publicly available is a factor that can be taken into account in the assessment

       especially if its disclosure was accompanied by a reasonable expectation

       of further use of the data for certain purposes. 13In this context, the

       Litigation Chamber that the disputed processing is not within the reasonable expectations of

       the person falls. 14 The contact details of the professionals

       published on their own website or that of their group practice or hospital, with their

       consent to that processing. It is not within their reasonable expectation that this

       data is further processed for other purposes, such as the publication of this

       personal data by commercial parties (in this case based on commercial interest

       of the defendant).


 57. When balancing interests, the Litigation Chamber also takes into account the principle of

       data minimization. In this context, the Disputes Chamber refers to the retention periods of

       these personal data determined by the defendant. In the privacy policy states

       the defendant the following:

       “[The Respondent] will store the personal data it collects in electronic and/or

       keep the printed form for the time absolutely necessary to comply with the

       the aforementioned processing purposes and for as long as such retention becomes necessary

       deemed for us to comply with our legal obligations or to comply with our legal obligations

       defend interests in court.”


 58. This wording allows the controller to process these personal data

       indefinitely, and possibly even indefinitely. Considering it

       The Disputes Chamber therefore concludes above that the processing is not in

       proportionate to the goal.


 59. The Litigation Chamber therefore also concludes that the service provided by the defendant exists

       from the collection of personal data from public sources and the processing thereof



13Article 29 Working Party, Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of
Directive 95/46/EC, p.3, available at https://ec.europa.eu/justice/article-29/documentation/opinion-
recommendation/files/2014/wp217_en.pdf.

14 See also decision on the merits 84/2022 dd. May 24, 2022, available at
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-84-2022.pdf. Decision on the substance 75/2023 - 13/26


     on its platform. For the collection and processing of that personal data, the

     defendant did not ask for consent, although the consent was the most

     constitutes an appropriate legal basis to the extent that the processed personal data relates

     have on individual natural persons. The freedom of enterprise as recognized
     in Article 16 of the Charter of Fundamental Rights of the European Union is not unlimited

     and upholds where other fundamental rights – such as those protected in Article 8 of the Charter

     right to protection of personal data – start. Consequently, the Litigation Chamber

     considers that the interests raised by the defendant do not prevail over those of

     The involved.

60. Under these circumstances, the Litigation Chamber is of the opinion that the defendant is not

     can successfully invoke a legitimate interest. Consequently, there is one

     infringement of Article 6 (1) f) GDPR with regard to the free profiles.

      II.3.2. Article 6(1)(b) GDPR (paying profiles)


61. With regard to the paying profiles, the processing is lawful according to the defendant

     based on Article 6(1)(b) GDPR (execution of a contract). The professionals

     can choose to enter into an agreement with the

     defendant. Within the framework of this agreement, these professionals can oppose

     payment participate in the shaping of their profile on the platform by eg
     adding a CV or by indicating which languages they speak. In addition, there are one

     series of other benefits such as better visibility on the platform, a

     management instrument to save time when making agreements, an instrument to

     send appointment reminders, etc.

62. The Disputes Chamber finds that the complaint and the inspection report only concern

     have on the processing of personal data in the context of free profiles

     after all, concerns doctors who do not want to conclude such an agreement with the

     defendant. The Disputes Chamber will therefore not proceed to the assessment of the

     lawfulness of the data processing in the context of the paying profiles.

   II.4. Article 12(1),(2) and (3), Article 17, Article 19, Article 24(1) and Article 25(1)
        AVG


63. Article 12 (1) GDPR stipulates that the controller must take appropriate measures

     must take in order for the data subject to receive the information in connection with the processing in a

     concise, transparent, intelligible and easily accessible form and in clear and

     simple task. Article 12 of the GDPR regulates the way in which the data subjects receive their

     be able to exercise rights and stipulates that the controller shall exercise them
     of those rights by the data subject (Article 12(2) of the GDPR), and him

     without delayin any eventwithin one monthafterreceiptoftherequestinformationDecision on the substance 75/2023 - 14/26


     give information about the measures taken in response to his request (Article 12, par

     3 GDPR).

64. A data subject should have the right to request the erasure of his or her personal data

     if they are processed in violation of the GDPR. Article 17 (1) GDPR sums up

     a number of cases in which the data subject has the right to without unreasonable

     delay in having his personal data deleted by the

     controller, such as in the situation where personal data is unlawful

     have been processed.

65. Article 24 GDPR requires the controller, taking into account the

     nature, scope, context and purpose of the processing, appropriate technical and

     takes organizational measures to ensure and be able to demonstrate that the

     processing is carried out in accordance with this Regulation.

66. Article 5(2) and Article 24 GDPR impose general accountability obligations and

     compliance requirements to data controllers. More specifically, these require

     provisions of controllers that they take appropriate measures to
     prevent any violations of the rules of the GDPR in order to protect the right to

     to ensure data protection.


67. Finally, Article 19 GDPR stipulates that the controller must inform each recipient

     to whom personal data has been disclosed, of any deletion of
     personal data in accordance with Article 17 (1) of the GDPR, unless this proves impossible

     or disproportionate effort.


      II.4.1. Findings in the Inspection Report


68.  The Inspectorate finds that there is a violation of the above articles and refers
     to the following elements:


          a. the defendant did not provide the Inspectorate with any supporting documents

              how the request to remove the complainants was answered;

          b. the defendant did not provide any supporting documents to the Inspectorate

              that on January 14, 2022, the necessary steps were effectively taken to reduce the

              delete personal data of the complainants;

          c. the defendant did not provide any supporting documents to the Inspectorate

              that it was effectively unable to comply with the request for removal of the complainants

              was sent by registered mail. Decision on the substance 75/2023 - 15/26



        II.4.2. Defendant's position


 69. The defendant disputes this finding and maintains, in essence, that it is indeed an effect

       has given to the complainants' data erasure request on 14 January 2022. Om
       to begin with, the defendant points out that it only became aware of it on 13 January 2022

       of the data erasure request of the complainants. The registered letter dd. 25

       October 2021 addressed to the registered office and delivered there on October 26

       2021 was not received by (an employee of) the defendant. The

       the defendant's business manager, to whom the letter was addressed, has it

       receipt not signed. In this context, the defendant argues that in Belgium

       that was currently in a lockdown period with mandatory homework, so that the employees

       and the defendant's business manager could not receive the registered letter

       to take. The defendant therefore argues that the actual knowledge of the request for

       data erasure took place on January 13, 2022 and that it was being implemented

       given to that request on January 14, 2022. The defendant puts forward various claims in this regard

       documents, such as a statement from the employee who provided the personal data

       has removed. In addition, the defendant also takes screenshots of the internal

       management platform which states that on January 14, 2022, this data has the status “removed from

       [defendant]".

 70. The defendant further states that there is a memorandum in the intern with regard to almost all complainants

       management platform is included reminding that she will not be in touch again

       with the relevant professional. In this respect, the defendant refers to the

       Guidelines 5/2019 “on the criteria for the right to be forgotten in the

       search engine matters under the GDPR”. 15 To the extent that one can the defendant

       consider it a search engine for healthcare professionals, can

       a request addressed to it can also be regarded as a request for delisting, whereby

       complete deletion of data does not take place and the search engine is therefore useful

       can give to the request of the complainants never to be contacted again. The

       the defendant states that, pursuant to the conclusions of the reply dd. May 13, 2022, also this note

       has removed and provides evidence to this effect. This results in the defendant

       can no longer guarantee that the complainants will never be contacted again, because,

       now that this information no longer exists, they can no longer know that the practitioner is in

       issue has requested never to be contacted again.

 71. Next, the defendant argues that it cannot be criticized for not having the

       has taken the necessary technical and organizational measures, in view of the



15EDPB, Guidelines 5/2019 on the criteria for the right to be forgotten in the search engine business
pursuant to the GDPR, dd. July 7, 2020, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation
_nl.pdf. Decision on the substance 75/2023 - 16/26


     notification system to the Google search engine that the defendant has integrated into

     its internal management platform. This notification procedure is triggered as soon as a

     employee processes the request for data erasure on the management platform. The

     actual removal by the search engine (of the search results related
     to the) personal data is normally done after 15 days, depending on the

     priorities/capacities of the search engine, this may take longer in certain cases. It

     the fact that the results can still be found on Google is due to a reactivity problem

     with Google itself and not with the defendant.

72. Finally, the defendant claims that it has not fulfilled the obligations arising from Article 12(1)(2)

     and paragraph 3 GDPR has complied. She actually has the request for data erasure

     received on January 13, 2022, it complied with it on January 14, 2022 and it

     informed those involved on 7 February 2022. The same applies

     for the additional request to delete the internal note mentioned above. This one has

     received by the defendant through the conclusions of the reply dd. May 13, 2022, she has this
     implemented on May 17, 2022 and on May 23, 2022, it advised the lawyer of the

     concerned are hereby informed. In this context, the defendant notes that the list

     of those involved in the complaint was more limited in number than the letter dd. October 25, 2021. Op

     May 13, 2022, via the statement of defense, the defendant learned that in the registered

     write dd. October 25, 2021, 5 other professionals were also mentioned

     of which it had not yet deleted the data. The defendant has in good faith
     always complied with all requests for data erasure that it has received.


73. In a secondary order, the defendant argues that there is no error, nor

     negligence. After all, the complainants themselves decided to cancel their request by email during the lockdown period

     send by registered mail. However, the defendant sends to the
     professionals whose e-mail address she has, a performance mail in which she

     are informed about the statistics of their profile, and through this mail they also receive

     access to their profile where they can change or delete their data

     to ask. The relevant healthcare practitioner can use a button at the bottom of the performance mail

     unsubscribe from the emails. A request for data erasure can also be sent

     to the e-mail address mentioned above in the privacy policy. The defendant argues
     therefore more efficient and reliable options were available to the complainants,

     thenonly a request by registered letter.The reference to decision 74/2020of

     the Disputes Chamber by the Inspectorate is therefore incorrect, since the defendant

     offers data subjects various options for exercising their rights.

74. Only after receipt of the letter from the Inspection Service dated 13 January 2022 in the building where

     its offices are located, the defendant was able to take note of the registered letter

     dd. October 25, 2021 after finding it in a pile of advertising mail. The letter was there Decision on the substance 75/2023 - 17/26


     apparently deposited by a third party, a neighbor or the postman himself, and the

     the defendant cannot be held liable.

75. Finally, the defendant argues that it was under no obligation to comply with the

     request for data erasure, since none of the cases from Article 17, paragraph 1a)-d) GDPRop

     apply in this case. In addition, Article 17(3)(a) GDPR provides for an exception

     to the right to data erasure insofar as the processing is necessary for the right to freedom

     of expression and information.

      II.4.3. Review by the Litigation Chamber


76. In section II.3, the Litigation Chamber has determined that the personal data of the complainants

     were processed unlawfully with regard to the free profiles. The defendant served
     therefore pursuant to Article 17 (1) (d) GDPR to delete the personal data, if

     that was requested.


77. Based on the above, the controller must make an arrangement
     to enable data subjects to exercise their rights easily and simply

     to practice. A controller is not allowed any unnecessary thresholds

     raise for data subjects to exercise the aforementioned rights. When a

     controller has a policy that prevents the exercise of the said

     interferes with rights and actively propagates this policy, there may be
     violation of article 12, second paragraph, of the GDPR.


78. Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR:

     “There should be arrangements in place to enable the person concerned to exercise his rights

     under this Regulation, such as mechanisms to
     request, in particular, access to and rectification or erasure of

     personal data and, if applicable, to obtain it free of charge, as well as to

     to exercise the right to object. [...]”

79. In view of the above, the Disputes Chamber concludes that the defendant indeed

     provides variousopportunitiestoperformtherighttodatawipe.Hereby

     the Disputes Chamber notes that the possibility to delete the data via the

     profile implies that the data subjects should make use of the unlawful

     createdprofiletodeletethisprofile,whichcannotbetheintention. The same
     can be said about the unsubscribe button in the performance mails. The defendant points

     Please note that the data erasure request can also be sent to the email address

     stated in the privacy policy. However, it is more difficult to receive an e-mail

     check. The Litigation Chamber points out that the defendant writes in its privacy policy

     that data subjects can exercise their rights by writing to the mentioned e-mail

     e-mail address or the stated postal address. Consequently, the data subjects must also be able to use Decision on the substance 75/2023 - 18/26


       making a registered letter, whether or not with acknowledgment of receipt, since this

       is a very common means of official and formal communication and those involved

       guarantees that it will be received by the recipient.


 80. The defendant argues that the registered letter was sent during a
       lockdown period during which the employees and the manager worked at home. The

       Litigation Chamber notes that teleworking was strongly recommended in the period October 2021,

       and not mandatory. The defendant was therefore not unable to organize itself

       to perform certain activities, such as tracking mail. The Dispute Room

       finds that the defendant has not taken the appropriate measures for the right to

       facilitate data erasure of the data subject, which constitutes a violation of Article 12, paragraph

       2 GDPR.

 81. Due to the lack of facilitation of the exercise of the right to

       erasure, the right to erasure was not exercised in time,

       in accordance with Article 12 (3) GDPR. The Litigation Chamber finds that this non-compliance

       is the result of inadequate facilitation of the exercise of the rights, and that the

       the defendant soon after receipt of the letter from the Inspectorate dated. January 13, 2022

       acted as well as for subsequent requests soon after becoming aware of them
       has.


 82. The Inspectorate also finds a violation of Article 19 GDPR, but justifies this

       determination not. Nor does she submit documents in this regard. The Dispute Room

       therefore considers this infringement to be unproven.

 83. In view of the above, the Disputes Chamber concludes that there has been an infringement

       to Article 12 (2) GDPR.


    II.5. Sanctions and corrective measures


        II.5.1. General

 84. On the basis of the documents in the file, the Disputes Chamber establishes that there is

       following infringements:


            a. Article 5, paragraph 1, a) j° Article 6, paragraph 1, f) with regard to the lawfulness of the

                processing of personal data; and

            b. Article 12 (2) GDPR j° Article 17 (1) GDPR for not taking the appropriate

                measures to facilitate the exercise of their rights by data subjects.







16https://www.info-coronavirus.be/nl/news/occ-2610/. Decision on the substance 75/2023 - 19/26


85. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:


     1° to dismiss a complaint;
     2° to order the exclusion of prosecution;

     3° to order a suspension of the judgment;

     4° propose a settlement;

     5° formulate warnings and reprimands;

     6° to order that the data subject's requests to exercise his rights be complied with

     to practice;
     7° order that the data subject be informed of the security problem;

     8° order that the processing be temporarily or permanently frozen, restricted or prohibited;

     9° order that the processing be brought into compliance;

     10° rectification, restriction or deletion of data and notification

     to recommend it to the recipients of the data;

     11° to order the withdrawal of the accreditation of certification bodies;
     12° to impose penalty payments;

     13° to impose administrative fines;

     14° the suspension of cross-border data flows to another State or

     to recommend an international institution;

     15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who

     informs it of the follow-up given to the file;
     16° decide on a case-by-case basis to publish its decisions on the website of

     the Data Protection Authority.



      II.5.2. Established infringement of Article 5(1)(a) j° Article 6(1)(f) and Article 12(2)
          GDPR in conjunction with Article 17 (1) GDPR.


          II.5.2.1. Administrative fine

86. In accordance with Article 101 WOG, the Disputes Chamber decides an administrative one

     impose a fine on the defendant for the following infringements:


             o Article 5, paragraph 1, a) j° Article 6, paragraph 1, f) with regard to the lawfulness of the

                 processing of personal data; and

             o Article 12 (2) GDPR j° Article 17 (1) GDPR for not taking the appropriate

                 measures to facilitate the exercise of their rights by data subjects.

87. For a violation of Articles 5 and 6 of the AVG, the Disputes Chamber can, on the basis of

     Article 83, fifth paragraph, a) GDPR Not to impose an administrative fine up to EUR 20,000,000 or for

     a company up to 4% of the total worldwide annual turnover in the previous financial year, Decision on the substance 75/2023 - 20/26



       if this number is higher. A violation of the aforementioned provisions therefore gives

       in accordance with Article 83 (5) GDPR gives rise to the highest fines.

 88. For a violation of Article 17 GDPR, the Disputes Chamber can, on the basis of Article 83, paragraph

       5, b) AVG Also impose an administrative fine up to an amount of 20,000.00

       EURorforacompanyupto4%ofthetotalworldwideannualturnoverintheprevious

       fiscal year if that figure is higher.


 89. The Disputes Chamber considers it appropriate to impose an administrative fine
       amount of EUR 10,000 (article 83, paragraph 2, article 100, §1, 13°WO and article 101WOG).

       fine is imposed for both the infringement of Article 5(1)(a) j° Article 6(1)(f) GDPR and

       the infringement of Article 12 (2) GDPR and Article 17 (1) GDPR.


 90. It should be pointed out in this context that the administrative fine does not matter

       aims to end unified transgression, but requires a strong enforcement of

       the rules of the GDPR. After all, as can be seen from recital 148 GDPR, the GDPR states

       First of all, in the event of any serious infringement – including the first finding of an infringement –

       penalties, including administrative fines, in addition to or instead of appropriate ones
                                      17
       measures are imposed. The Disputes Chamber then demonstrates that the infringements that

       the defendant has committed on the aforementioned provisions of the GDPR by no means minor

       infringements, nor that the fine would impose a disproportionate burden on a

       natural person as referred to in recital 148 GDPR, where in either case
       a fine may be waived. The fact that it is an initial determination of a

       the defendant committed an infringement of the GDPR, does not affect this in any way

       to the possibility for the Disputes Chamber to make an administrative decision

       impose a fine. The Disputes Chamber will impose the administrative fine

       application of Article 58(2)(i) GDPR. The instrument of administrative fine has

       in no way intended to terminate infringements. To this end, the GDPR and the WOG provide for a

       number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9°

       WOG.








17
 Recital 148 provides: “In order to strengthen enforcement of the rules of this Regulation, penalties should be
including administrative fines, to be imposed for any breach of the Regulation, in addition to or instead
of appropriate measures imposed by the supervisory authorities pursuant to this Regulation
it concerns a minor infringement or if the expected fine would place a disproportionate burden on a
natural person, a reprimand can be chosen instead of a fine. However, it must be taken into account
be taken into account the nature, seriousness and duration of the infringement, the intentional nature of the infringement, with
harm reduction measures, with the degree of responsibility, or with previous relevant infringements, with the manner
on which the breach has come to the knowledge of the supervisory authority, with compliance with the measures that
were taken against the controller or processor, with adherence to a code of conduct and with
any other aggravating or mitigating factors. Imposing punishments, including administrative ones
fines, should be subject to appropriate procedural safeguards in accordance with the general principles of
Union law and the Charter, including effective remedy and due process. Decision on the substance 75/2023 - 21/26


 91. In determining this amount, the Litigation Chamber bases itself on the 2021 annual report

       which was deposited with the national bank on 8 July 2022 showing that the turnover was 605,865

       amounts to EUR. The amount roughly corresponds to 4% of this annual turnover.


 92. Taking into account Article 83 GDPR, the case law of the Marktenhof, as well as

       the criteria set out in the EDPB guidelines on the calculation of the
                                    19
       administrative fines, the Litigation Chamber motivates the imposition of a

       administrative fine in concrete terms, taking into account the following when assessing

       elements:

       Severity of the violation (Article 83(2)(a) GDPR)


 93. The Litigation Chamber has established that, with regard to the free profiles,

       personal data of tens of thousands of professionals throughout Belgium

       collected and processed without lawful basis. The defendant cannot
       successfully invoke Article 6 (1) (f) GDPR (legitimate interest) as they do not

       meets the conditions as developed by the European Court of Justice

       Union. The defendant collects data from various types of sources without this

       within the reasonable expectation of the healthcare professionals involved. Although the

       interests pursued by the defendant are legitimate, and the

       processed personal data are limited to what is necessary to the litigious

       processing, they do not prevail over those of the data subjects.


       The number of data subjects (Article 83 paragraph 2, a) GDPR)

       It involves tens of thousands of healthcare professionals, geographically

       spread throughout Belgium.


       Negligent or intentional nature of the breach (Article 83(2)(b) GDPR)

 94. As to whether the infringement was intentional or negligent

       was committed (article 83.2.b) of the GDPR), the Litigation Chamber reminds that "not

       intentionally” means that it was not the intention to commit the infringement, although the

       the controller had not complied with the duty of care pursuant to

       the law rested upon him. In this case, the Disputes Chamber rules that the infringement is not of

       is intentional in nature, because the defendant has indeed made an analysis in order to

       determine which legal basis would be most appropriate in the present case. There is consequently

       no - apparent - intention to violate the GDPR on the part of the defendant. This turns out

       among other things from the argument of the defendant in which it argues that the applicability
       of consent as a legal basis (Article 6(1)(a) GDPR) was examined for the




18Brussels Court of Appeal (Marktenhof section), X t. GBA, Judgment 2020/1471 of 19 February 2020
19Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 Mon 2022 (version for public
consultation). Decision on the substance 75/2023 - 22/26


     intended processing, but was found to be less suitable. In this context, the

     Litigation Chamber, however, notes that the defendant has the contact details of the

     data subjects – because they were collected to be placed on the platform

     places – and that, as described in this decision, there is no doubt that
     consentis the only proper legal basis for this processing

     simply asked. After all, the defendant could use one

     standard requestwith limited individualization as the case may be.TheLitigation Chamber

     therefore considers that the infringement was committed through negligence.

     The duration of the breach (Article 83(2)(a) GDPR)


95. The Litigation Chamber also refers to the duration of the infringement, namely since 25 May 2018

     to date as it has not yet been terminated. This means that it is long-term

     and structural violation of a basic principle (lawfulness) of the GDPR.

     Aggravating circumstance (Article 83(2)(k) GDPR)

96. The Litigation Chamber also takes into account the fact that the defendant made a profit that

     arises from the unlawful processing as an aggravating circumstance.


     Mitigating circumstance (Article 83(2)(k) GDPR)

97. The Litigation Chamber also takes into account the fact that the defendant has never before

     was the subject of an enforcement procedure of the DPA (article 83, paragraph 2, e) GDPR).

98. The Litigation Chamber notes that the defendant has swiftly implemented the

     right to erasure as soon as it has become aware of the request in question

     of the data subject. With regard to the inadequate facilitation of the right to

     data erasure of the complainants, the Disputes Chamber is of the opinion that no additional

     fine must be imposed.

     The categories of personal data affected by the breach (Article 83(2)

     g) GDPR

     As far as the contact details of the data subjects are concerned, these are public

     personal data and no personal data of a special nature.


     Conclusion

99. The whole of the elements set out above justifies an effective,

     proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the

     certain assessment criteria. The Litigation Chamber points out that the other criteria

     of art. 83.2. AVG in this case are not of a nature that they lead to another administrative

     fine than that which the Disputes Chamber has in the context of this decision
     established. Decision on the substance 75/2023 - 23/26


100. In summary, the defendant argues in its response to the sanction form that:


      (i) the seriousness of the offense cannot be deduced from the possibility of it
             providing reviews on free profiles, as that option does not exist;


      (ii) the number of people involved cannot be taken into consideration when determining

             the fine, as the fulfillment of the interests pursued by the defendant

             requires the largest possible number of data subjects and the Litigation Chamber recognizes this
             the interests pursued are justified


      (iii) the duration of the alleged infringement cannot be taken into consideration

             the determination of the fine, now that the defendant could reasonably assume at all times
             that there was no infringement, in view of authoritative foreign case law with

             relating to an identical situation;


      (iv) the defendant cannot be accused of negligence as it chose not to provide data

             processing on the basis of consent, not because this is practically impossible
             would be, but because an analysis showed that the legitimate interests of a

             provided a more appropriate basis for the purposes of the intended processing;


      (v) the processing of data by the defendant never reached the stated 'large

             negative consequences' can have (and has never had) for those involved
             (financial and reputational damage), which the Disputes Chamber deduces from the

             review option of profiles, since this option does not exist for the

             (free) profiles of those involved;

      (vi) the personal data in the reviews has no potential financial consequences for the

             data subjects may have since these reviews do not exist on their free

             profiles.


101. The elements from the sanction form used by the Litigation Chamber
     additional considerations are discussed below.


102. As the defendant notes in the sanction form, the review option is indeed

     not present for the free profiles. This aspect is therefore no longer included in the

     the Litigation Chamber's consideration of the seriousness of the breach and its potential consequences
     of the data subjects in the context of the consideration of the administrative fine.


103. As for the argument that the number of people involved should not be taken into account

     the Disputes Chamber notes that the interest pursued is indeed a broad one
     possible database required. As already explained, the target test is only one of the three

     conditions for a successful appeal to Article 6 (1) f) GDPR. The illegitimate

     processing therefore concerns a large number of persons. Decision on the substance 75/2023 - 24/26



 104. As to the argument that the duration of

       the infringement and its negligent nature, the defendant refers to German case law

       whereby a platform similar to that of the defendant was considered to be in

       comply with the GDPR. The Litigation Chamber takes note of this, but

       also refers to a previous decision dated 24 May 2022 on its website regarding a

       similar referral website. The Disputes Chamber ruled in this decision

       that such processing does not fulfill the conditions for a successful appeal

       to Article 6(1)(f) GDPR. The Disputes Chamber takes account of the relatively recent developments

       character of this decision.


 105. On the basis of all the elements set out above, the

       Litigation Chamber to adjust proposed sanction from EUR 20,000 to EUR 10,000.

       The established infringements warrant an effective, proportionate and dissuasive

       sanction as referred to in Article 83 GDPR, taking into account the provisions therein

       assessment criteria. The Disputes Chamber is of the opinion that a lower fine in the

       the present case would not meet the requirement of Article 83(1) of the GDPR

       criteria, according to which the administrative fine is not only proportionate, but also

       must be effective and deterrent.

            II.5.2.2. Stop order


 106. Pursuant to Article 100, paragraph 1, 8° and 9° WOG, the Litigation Chamber also orders

       to the defendant to terminate the violation of article 5, paragraph 1 j ° article 6, paragraph 1, f) GDPR

       and keep it terminated. The defendant can comply with this by processing

       personal data of healthcare professionals with regard to the

       to terminate free profiles on its platform or by, for example, consent,


       in accordance with Article 4, 11) of the GDPR to be obtained from the data subjects for the

       processing of personal data.

        II.5.3. Other grievances


 107. The Litigation Chamber proceeds to a deposit of the other grievances and findings of the

       Inspectorate because, based on the facts and the documents in the file, they do not belong to the

       conclude that there has been a breach of the GDPR. These grievances and

       findings of the Inspectorate are therefore regarded as manifestly unfounded

       within the meaning of Art. 57(4) GDPR.







20 Substance decision 84/2022 of 24 May 2022, which can be consulted at
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-84-2022.pdf.

21 See point 3.A.2 of the Dispute Policy of the Litigation Chamber, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 75/2023 - 25/26





III. Publication of the decision


 108. Given the importance of transparency with regard to decision-making by the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. However, it is not necessary for the

       identification data of the parties are disclosed directly.



     FOR THESE REASONS,

     the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


     - pursuant to Article 58, paragraph 2 GDPR and Article 100, §1; 13° WOG an administrative one

         to impose a fine of EUR 10,000 for the infringement of Article 5, paragraph 1, a) j° Article 6,

         paragraph 1, f) GDPR and the violation of Article 12, paragraph 2 in conjunction with Article 17, paragraph 1 GDPR;

     - on the basis of Article 100, §1, 8° and 9° WOG order the violation of Article 5, paragraph 1,

         a) j° terminate and keep terminated in Article 6 (1) f) GDPR, and then in a

         provide a valid legal basis for the processing of the personal data;


     - to dismiss the other grievances pursuant to Article 100, §1, 1° WOG.










Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.

Such an appeal may be made by means of an inter partes petition

listed in Article 1034ter of the Judicial Code and must contain .The 22

a contradictory petition must be submitted to the Registry of the Market Court









22 The petition states, under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
    summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer. Decision on the substance 75/2023 - 26/26


                                                                      23
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).









(get). Hielke HIJMANS

Chairman of the Litigation Chamber



































































23 The application with its annex is sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.