APD/GBA (Belgium) - 99/2023
APD/GBA - 99/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 6(1)(c) GDPR Article 17(1)(d) GDPR Article 17(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 25.05.2023 |
Decided: | 13.07.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 99/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de protection des données (in FR) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA warned a municipality for collecting unnecessary information to determine a tourist tax due for owners renting out their properties.
English Summary
Facts
The data subject owned properties he was renting out to tourists. He received a tourist tax form from the municipality (controller) where he was required to fill in personal information about himself and the date of birth, stay duration and full names of the renters.
Considering that this processing breached the data minimization principle of Article 5(1)(c) GDPR and lacked a legal basis under Article 6 GDPR, the data subject filed a complaint with the Belgian DPA.
Holding
The Belgian DPA distinguished between the collection of the data subject's data and the collection of renters' data. It held that the municipality could only rely on legal obligation under Article 6(1)(c) GDPR for the collection that concerned renters. The controller could however not rely on any legal obligation to collect data about the owner of the properties. Thus, the DPA issued a warning to the controller for lack of legal basis.
Furthermore, the DPA deemed the collection of all data not strictly necessary for tourist tax purposes, excessive and contrary to the principle of data minimization under Article 5(1)(c) GDPR. The tourist tax is calculated based on the number of occupants. As such, any other information (such as data of birth, stay duration and name) is unnecessary. The DPA therefore issued a warning to the controller for breach of data minimization.
Comment
This is a prima facie decision, not a decision on the merits.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/11 Litigation Chamber Decision 99/2023 of July 13, 2023 File number: DOS-2023-02312 Subject: Complaint relating to unlawful collection of personal data in the context of the collection of a municipal tourist tax The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, President, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the data protection), hereinafter GDPR; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL); Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to processing of personal data (hereinafter LTD); Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: Mr. X, hereinafter “the plaintiff”; The defendant: City Y, represented by its Communal College of Mayors and Aldermen, hereinafter “the defendant”. Decision 99/2023 - 2/11 I. Facts and procedure 1. The complaint concerns the collection of personal data by the defendant in the context of the collection of a municipal tourist tax via a form which, according to the complainant, requests the communication of excessive data in contradiction with the principles of lawfulness (article 6.1. of the GDPR) and minimization (article 5.1.c) of the GDPR) enshrined in the GDPR. 2. On May 25, 2023, the complainant filed a complaint with the Data Protection Authority (APD) against the defendant. 3. The content of the complaint can be summarized as follows: 4. The plaintiff is the owner of a dwelling in City Y (the defendant). he receives annually a form to be completed in order to collect the tourist tax established by the City. 5. The complainant was thus sent a paper letter at the beginning of 2023 inviting him to complete the form entitled “Declaration form to be completed by the taxpayer relating to: Tax residence permit – Financial year 2022”. The complainant produced this letter in the file. 6. The complainant points out that the impugned form asks him to provide data for all the occupants of his property, whether they are domiciled there or not. However, the regulation council which institutes the said tourist tax for the financial years […] including the financial year 2022 provides that the chargeable event for the tax is precisely the absence of domicile in the GOOD. The collection of data relating to people domiciled in its property (and more generally in the goods concerned by the tax) therefore appears to him to be unlawful with regard to the article 6.1 of the GDPR (lack of basis of lawfulness). 7. The complainant also denounces that this form asks him to mention, for each occupant to whom he makes his property available or to whom he rents it out, the information following: a) last name and first name of this occupant, b) date of birth of the occupant as well as (c) the date of entry and exit of the property by this occupant. 8. The complainant points out in this regard that under the terms of the aforementioned municipal regulation, the tax is levied according to the number of occupants per year (the tax is in fact annual and lump sum per occupant with regard to the type of accommodation in which the complainant is owner). The collection of the aforementioned data relating to each occupant seems to him as soon as then superfluous. According to the plaintiff, the defendant collects personal data relating to the occupants of his property in violation of the principle of minimization (article 5.1.c) of the GDPR). Decision 99/2023 - 3/11 9. The complainant indicated that, despite his doubts as to the compliance with the GDPR of the communication of the data requested, completed the form sent to him in his status of taxpayer by the defendant. 10. The complainant reports having contacted the Data Protection Officer (DPO) of the defendant at the same time. 11. The complainant produced the exchange of e-mails that took place with the DPO between the months of March and May 2023. The latter told the complainant that it had issued recommendations to the attention of the Municipal Council similar to the concerns it raised but that the form having already been sent to some of the owners for 2022, the modifications said form decided by the Municipal Council following its opinion should intervene for the next annual enrollment (2023). 12. In an email dated April 19, 2023, the Respondent's DPO writes precisely the following: "I have myself analyzed the data processing that you mention in your mail of March 29, 2023 and delivered a report as well as recommendations at the Communal College in November 2022. The administrative processes for their implementation are however quite long, in particular because they require the consultation between all parties (administrative services, College and Council municipal). The College finally took the decision, in December 2022, to apply at least the recommendations formulated by revising the form allowing the declaration of the tax in order to suppress the collection of personal data of the tenants and to stick to the taxable base of the tax, namely the number of occupants /accommodation. However, it was not possible to apply this decision as soon as the declaration forms relating to the 2022 financial year since forms "old version" had already been sent to certain taxpayers. For concern equality between citizens, the use of this new form has therefore been postponed and will come into effect for the sending of declaration forms relating to the 2023 financial year. (…)”. 13. The complainant also states that he questioned the DPO as to the fate that would be reserved for excessive data collected. The complainant points out that the DPO, relying moreover of his capacity as archivist alongside that of DPO, confirmed to him by email of May 24 2023 that the data would be archived for the legal duration of 5 years and that a periodical deletion once the deadlines had expired was organized under his supervision. Decision 99/2023 - 4/11 14. On June 30, 2023, the APD's Front Line Service (SPL) declared the complaint admissible on the basis of articles 58 and 60 of the LCA and sends it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA. II. Motivation II.1. Regarding the jurisdiction of the DPA and the Litigation Chamber 15. The DPA is the Belgian authority responsible in particular for monitoring compliance with the GDPR by application of Article 8 of the Charter of Fundamental Rights of the European Union (EU), of article 16 of the Treaty on the Functioning of the European Union (TFEU) and of article 51 GDPR. 16. It follows in this respect from Article 4 of the LCA and its explanatory memorandum that DPA is "competent to carry out the missions and mandates to monitor compliance with the principles fundamentals of protection of personal data as established in the 1 Regulation 2016/679. (…)”. 17. Under Article 77 of the GDPR, it is provided that “without prejudice to any other remedy administrative or judicial, any person concerned has the right to introduce a complaint to a supervisory authority, in particular in the Member State in which is his habitual residence, his place of work or the place where the violation is alleged to have been committed, if it considers that the processing of personal data concerning constitutes a violation of this regulation”. 18. Before examining the merits of the complaint, the Litigation Chamber would like to specify the following with regard to its competence. 19. The Litigation Chamber notes that it appears from the complaint lodged that the complainant communicated a certain number of data concerning the rental of his property, which constitute personal data concerning him (see point 21 below). These same data are also data concerning the occupants of his property, such as example their identity and date of birth. The complainant reports having had doubts as to the compliance with the GDPR of such communication of data to which it was bound – data from third parties in addition (see point 9). 1Explanatory memorandum to the Law of 3 December 2017 creating the Data Protection Authority (APD), Chambre representatives, DOC 54 2648/001, page 13 under article 4. Decision 99/2023 - 5/11 20. In its note relating to the Complainant's Position, the Litigation Chamber states that not only data subjects 3 within the meaning of the GDPR, but also other people have the possibility to lodge a complaint provided that the conditions of admissibility of the complaint are satisfied and provided that these persons justify a sufficient interest. The mere fact of pursuing a public interest is not sufficient in this regard. A complainant who is not a data subject within the meaning of the GDPR must be able to demonstrate to what regard he may personally have a connection with the data processing of which he is complains. 21. In this case, the Litigation Chamber is of the opinion that the complainant is a person concerned in the sense that the data that he must provide relating to the occupants of his property are also data relating to his property and therefore indirectly, data the re. Unquestionably, the identity of the occupants is linked to their property, as are the entry and exit dates of each occupant. Regarding the date of birth of occupants which, at first glance, may appear to relate exclusively to the occupant and not to the plaintiff, the Litigation Chamber considers from the start of the broad interpretation that it should give to the notion of "personal data" and to the support of the position adopted by Group 29 on this concept that the date of birth of the occupant must 5 also be considered to relate to the complainant. 22. In any event, the plaintiff has a sufficient "interest in acting" to lodge a complaint in relation to the processing (i.e. the communication to the defendant) of the data personal information relating to the occupants of his property. Indeed, if the defendant were to request the communication of data in contradiction with the GDPR, it would associate the complainant to this violation. 23. Insofar as necessary, the Litigation Chamber also considers that the collection reported data, even organized by sending and returning paper forms completed (non-automated processing) as appears to be the case in this case, consists in a processing of personal data called to appear in a file, of moreover probably partially automated once the data is sent back to 2 https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-plaignant-dans-la-procedure-au- within-the-litigation-chamber.pdf 3Complainants who meet the qualification of the GDPR are potentially affected in their subjective rights, being given that their action concerns by definition a processing of their own personal data. They witness therefore of interest. 4In its note relating to the position of the plaintiff, the Litigation Chamber cites Decisions no. 30/2020 (points 4 e.s.) and no. 80/2020 (points 47 e.s.). 5 See. in this respect Article 29 Group, Opinion 04/2007 on the concept of personal data, WP 136 of 20 June 2007, pages 10 et seq. relating to the interpretation of “concerning” in the definition of personal data as than provided for in Directive 95/46/EC. This interpretation may continue to apply to the definition of character data personnel provided for in Article 4.1. of the GDPR, the concepts not differing from one text to another. Decision 99/2023 - 6/11 the administration of the defendant. It is therefore in any case a treatment of personal data subject to the GDPR in execution of article 2.1. of the GDPR. II.2. Regarding compliance with Article 6 of the GDPR (lawfulness) 24. Pursuant to Article 6 of the GDPR, any processing of personal data must rely on one of the bases of lawfulness that it provides. In this regard, the defendant bases the collection of the data requested via the form sent to the complainant on the rules aforementioned municipality. The Litigation Chamber notes that the chargeable event for the tax of stay for the collection of which the data concerned is requested is worded as follows: “Article 2 – Generating event This applies to the stay of unregistered persons, for the accommodation where they are staying, in the population register or in the register of foreigners”. 6 25. In other words, the fact giving rise to the tourist tax is the absence of domicile of the people in the good. It is clear from the municipal regulations that the objective of the tax is to correct the imbalance created between the part of the population residing in the territory of the defendant and contributing to the finances of the latter on the one hand and the part of the non-domiciled population who do not contribute to it on the other hand. Regulationpointeencesens the need to make up for the shortfall (additional cents) relating to buildings allocated to the use of housing for the benefit of persons not domiciled in its territory and not for the use of accommodation for the benefit of persons domiciled in the territory of the defendant. 26. It follows that for the application of the aforementioned municipal regulations and the collection of the tax established, the concept of “occupants” must be understood as not including persons domiciled in the property concerned. 27. However, as the complainant denounces, the letter from the beginning of 2023 which was sent to him with the form to be completed indicates unequivocally that "Any property put up for rent or available on the territory of City Y must be filled in on the form, as well as any occupant, domiciled or not in the property”. The Litigation Chamber reproduces here the terms of said letter including bold highlighting and underlining of the terms "all occupant, domiciled or not in the property”. 28. By asking the owners concerned, such as the complainant, to provide him with personal data concerning occupants domiciled with it, the defendant prima facie collection of personal data without having a basis of lawfulness which 6Registration in the population register is based on domicile. Decision 99/2023 - 7/11 justifies. Indeed, only the data necessary for the satisfaction of the legal obligation which is his own can be dealt with by the defendant (article 6.1.c)). The Litigation Chamber therefore decides to issue a warning to the defendant regarding this (see below). In doing so, the defendant also places its taxpayers such as the plaintiff in a position delicate, non-compliant with the GDPR, requesting that in execution of their own obligation, they communicate excessive personal data of third parties. 29. For all practical purposes, the Litigation Chamber recalls here that to provide for an obligation to processing of personal data within the meaning of Article 6.1.c of the GDPR, it is necessary, as pointed out by the Article 29 Working Party, the legal predecessor of the Committee European Data Protection Officer (EDPS), that the legal provision establishing it meets “all the conditions required to render the obligation valid and binding". Its wording must therefore be clear and precise in such a way that the person responsible processing subject to this obligation does not have a margin of appreciation in the determination of the essential elements of the processing of personal data necessary to comply with its legal obligation. II.3. Regarding compliance with Article 5.1.c) of the GDPR (minimization) 30. The Litigation Chamber also recalls that pursuant to Article 5.1.c) of the GDPR, personal data must be adequate, relevant and limited to what is necessary with regard to the purposes for which they are processed (minimization of data). 31. In support of the complaint and the documents produced by the complainant, in particular the request for communication of the data of the occupants of the property and the regulations already mentioned, the Litigation Chamber concludes that the collection of data relating to the occupants seems, prima facie, excessive and contrary to the principle of minimization devoted to Article 5.1. c) GDPR. 32. Indeed, only the collection by the defendant (and therefore the communication by the plaintiff) data necessary for the achievement of the purpose pursued – either in this case the registration of the tourist tax – is authorized in execution of this article 5.1.c) of the GDPR. 33. As this tourist tax is calculated annually and on the basis of a flat rate per occupant, the Chambre Litigation understands that the number of annual occupants must be declared by the owner. On the other hand, the Litigation Chamber does not perceive, primafacie, how 7 “Article 29” Working Party, Opinion 06/2014 on the notion of legitimate interest pursued by the data controller data within the meaning of article 7 of directive 95/46/EC, p. 21. 8 “Article 29” Working Party, Opinion 06/2014 on the notion of legitimate interest pursued by the data controller data within the meaning of article 7 of directive 95/46/EC, p. 22. Decision 99/2023 - 8/11 the communication of the requested data relating to the occupants is necessary for this finality. The Litigation Chamber recalls in this respect that the condition of necessity must assess themselves strictly. For example, it does not see, prima facie, how the date of birth of the occupant is necessary to establish the number of occupants in the property unless the age of the occupant should be taken into account in the collection of the said tax. The same applies to the first and last names of the occupants as well as the dates of entry and exit. The Litigation Chamber then decides to issue a warning to the defendant as to this (see below). II.4. Regarding data retention 34. The Litigation Chamber also recalls that pursuant to Article 17.1 of the GDPR, the person concerned has the right to obtain the erasure, within the as soon as possible, of personal data concerning him and that the person responsible for the processing has the obligation to erase this personal data as soon as possible deadlines, when one of the reasons listed in Article 17.1 of the GDPR applies, including, "when the personal data have been unlawfully processed" (Article 17.1.d) of the GDPR). 35. Only if the data controller should be able to invoke one of the exceptions provided for in Article 17.3. of the GDPR only data processed in contradiction with the GDPR could be kept. In the light of the conclusions, admittedly prima facie (see below) of the Litigation Chamber in points 28 and 33 above, it is incumbent on the defendant assess compliance with its obligations in this regard (accountability) and, where applicable, erase said data. 36. Finally, the Litigation Chamber also recalls that a protection delegate (DPO) may carry out other missions and tasks insofar as these do not lead to a conflict of interest with his function as DPO, in particular with regard to the independence with which he/she must exercise it (Article 38.6 of the GDPR). The DPO cannot furthermore, receive no instructions concerning the performance of his duties (Article 38.3 GDPR). 37. With regard to the question of the existence of conflicts of interest, the Court of Justice of the European Union 9 (CJEU) in a judgment of February 9, 2023 recalled - referring to the articles cited above - that the GDPR provided that the DPO could perform other missions and tasks, provided that the latter do not lead to a conflict of interest, in order to preserve 9 CJEU, judgment X-FAB Dresden GmbH & Co. KG c. FC, C-453/21. https://curia.europa.eu/juris/document/document.jsf%3Bjsessionid=01B3AC0EA10C69E1E137D316B3A6BB46?text=&do cid=270323&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=224750 Decision 99/2023 - 9/11 his independence. She pointed out in particular that the DPO could not see himself entrust missions that would lead him to determine the purposes and means of the processing of personal data with the controller or its subcontractor, the latter having to be able to carry out a control of these purposes and of these means independently. 38. The Litigation Chamber is of the opinion that this means in practice that when a DPO is associated with other missions, it cannot be called upon to determine the purposes or the means of certain treatments, since he could not at the same time objectively control these last .0 39. It appears from the documents produced by the complainant in support of his complaint that the DPO of the defendant also acts as an archivist. This accumulation of functions emerges from the signature of the emails from the DPO and of the comments it made, dated May 24, 2023, in response to the complainant, relying on this double role (point 13). 40. Being a prima facie decision, and in the absence of any evidence that in the case in point, there would be on the part of the Data Protection Officer (DPO) the defendant, a conflict of interest with her function as archivist, the Litigation Chamber is limited to the aforementioned reminder. 41. It specifies in this respect that this reminder - like that formulated in points 34 and 35 - does not constitutes neither a remedy nor a sanction within the meaning of Article 95 of the LCA. II.5. As for the warning 42. The Litigation Division would like to point out that this warning decision is a prima facie decision taken by the Litigation Chamber in accordance with Article 95 of the LCA - based on the sole complaint filed by the plaintiff and the exhibits he produced in support of it - in the context of the "procedure prior to the substantive decision". He ... not It is therefore not a decision on the merits within the meaning of Article 100 LCA. 43. The purpose of this warning decision is to inform the defendant and to inform him enables compliance in the future (2023 tax enrollment form) with regard to Articles 6 and 5.1. c) GDPR (points 27 and 32). The choice of this sanction depends into account the commitments that the defendant seems to have made, which were reported by the DPO with which the defendant is not confused (and vice versa). The warning nevertheless constitutes a precedent which will be taken into account in the event of any new complaint having the same subject. 10Voy. also the G29 Guidelines, endorsed by the European Data Protection Board (EDPS) concerning Data Protection Officers (DPO), WP 243 of 5 April 2017: https://ec.europa.eu/newsroom/article29/items/612048 Decision 99/2023 - 10/11 44. Therefore, if the defendant does not agree with the content of this prima facie decision facie and believes that it can make factual and/or legal arguments that could lead to another decision on the points on which this warning relates, it can submit a request for substantive processing to the Litigation Division via the e-mail address litigationchamber@apd-gba.be, within 30 days of the notification of this decision. 45. In the event of further processing of the complaint on the merits pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties, either the plaintiff than the defendant, to introduce their arguments in the form of conclusions and to attach to the file all the documents that he and she deem useful. 46. The Litigation Division informs in this respect both the plaintiff and the defendant that the procedural file relating to the complaint leading to this warning decision may, in application of article 95.2, 3° of the ACL, be requested by preferably addressing an e-mail to the registry of the Litigation Chamber (litigationchamber@apd-gba.be). 47. Finally, for the sake of completeness and transparency, the Litigation Chamber emphasizes that an examination of the case on the merits may lead to the imposition of the measures mentioned at section 100 of the ACL .1 11 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data ; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 99/2023 - 11/11 III. Publication and communication of the decision 48. Given the importance of transparency with regard to the process decision-making and the decisions of the Litigation Chamber, this decision will be published on the ODA website. However, for this purpose it is not necessary that the data identification of the parties are directly mentioned. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, subject to the introduction of a request by the defendant for treatment on the merits in accordance with articles 98 e.s. of the ACL via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of the this decision, to issue a warning against the defendant pursuant to of Article 58.2.a) of the GDPR and Article 95.1, 4° of the LCA with regard to the grievances any breaches of Articles 6 and 5.1. c) GDPR (points 28 and 33). In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 13 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sr.) Hielke HIJMANS President of the Litigation Chamber 12The request contains on pain of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 13The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.