APD/GBA (Belgium) - 137/2023
From GDPRhub
| APD/GBA - 137/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 12(1) GDPR Article 14 GDPR Article 14(5)(c) GDPR Article 28(1) GDPR Article 28(3) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.09.2020 |
| Decided: | 29.10.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 137/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données (in FR) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA held that retroactivity clauses in a data processing agreement are invalid as they would allow for the circumvention of Article 28(3) GDPR. Moreover, the DPA clarified that both the controller and processor are responsible for concluding the data processing agreement.
English Summary
Facts
On 20 May 2020 the data subject received a parking fine from a municipality, the controller, for a parking violation.
On 6 July 2020, the data subject requested evidence of the parking violation in question and received several photographs of their vehicle. They also sought information on how their personal data was being processed and wanted to obtain the agreement concluded between the municipality (the controller) and a third-party service (the processor) used in the establishment and collection of the fee requested from them. Following their request, the data subject found that there was no data processing agreement in place at the time of the events.
On 4 September 2020, the data subject submitted a complaint against both controller and processor for violation of Article 28(3) GDPR, which obliges controllers to implement a data processing agreement. On 20 November 2020, the DPA opened an investigation and transmitted the case to the Inspection Service (SI). On 11 May 2021, the SI's investigation was closed, and the case was transferred back to the DPA. The SI found that the processing contract between the controller and the processor was only entered into on 27 July 2020. The investigation found that at the time of processing of the data subject's data, no contract existed.
However, the contract of 27 July 2020 included a retroactivity clause.
Holding
The Belgian DPA found a violation of Articles 28, 14 and 12 GDPR.
The Belgian DPA noted that Article 28(1) GDPR mandates a processor to provide sufficient guarantees to protect the rights of data subjects. Article 28(3) GDPR obliges controllers to implement a data processing agreement. The DPA held that including a retro-activity clause in the agreement does not remedy the absence of the contract at the time of the event. Such an admission would allow for the circumvention of the application of the obligations of Article 28(3) GDPR which aims to ensure the protection of the rights and freedoms of the data subjects. The DPA concluded that both the controller, as well the processor, were responsible for ensuring that a data processing agreement was timely put into place.
The DPA also found violations for lack of transparency under Article 12(1) GDPR and Article 14 GDPR, as the controller had failed to fulfill the informational obligations under Article 14 GDPR. The municipality argued that the exception under Article 14(5)(c) GDPR applied to it. The municipality cited the law of 22 February 1965, which permits municipalities to set parking charges to motor vehicles, and the Order of 22 January 2009 relating to the enforcement of parking charges. The DPA rejected this, noting that exceptions must be interpreted restrictively. The legislation cited by the municipality did not contain any exceptions to disclosure obligations. As such, the DPA held that the legislation invoked by the municipality was insufficiently concrete. The DPA added that even if the exemption were to apply, the controller was still required to inform the data subject about sources and recipients of their personal data unless legally prohibited.
As such, both the municipality and third-party were reprimanded for breach of Article 28(3) GDPR, and the municipality was reprimanded for violations of Article 14 GDPR and Article 12(1) GDPR for failure to take appropriate measures to fully inform the data subject.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/16
ChamberLitigation
Decision on merits 137/2023 of September 29, 2023
File number: DOS-2020-04511
Subject: Complaint relating to the absence of a subcontracting contract (article 28.3. of the GDPR)
and the absence of sufficient information by a public authority (article 14 of the GDPR)
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, president, and gentlemen Romain Robert and Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of natural persons with regard to the processing of personal data and
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter
ACL);
Considering the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has taken the following decision regarding:
The complainant: Mr.
The defendants: Municipality Y1, hereinafter: “the first defendant”;
The company Y2, represented by Maître Louis Leurquin, lawyer, whose
firm is established avenue Brugmann, 435 à 1180 Brussels (Uccle), hereinafter:
“the second defendant”;
Hereinafter referred to together as “the Defendants”. Decision on merits 137/2023 – 2/16
I. Facts and procedure
1. On September 4, 2020, the complainant lodged a complaint with the Protection Authority
data (APD) against the defendants.
2. The subject of his complaint concerns, on the one hand, the absence of a subcontracting contract between the
first and second defendants in relation to the processing of the complainant's data
as well as, on the other hand, the manner in which the complainant's data were processed within the framework
of the establishment and collection by the first defendant of a royalty
parking due by the complainant.
3. The facts giving rise to the complaint can be summarized as follows.
4. The plaintiff states that he received a royalty from the first defendant for a
parking dated May 20, 2020 on the Place (...). This parking fee
was sent to his home and includes his first and last name, his address and the license plate
registration of his vehicle.
5. On July 6, 2020, the complainant contacted the Tax department of the first
defendant to obtain proof of the parking violation attributed to him.
In response, the complainant was sent several photographs of his vehicle. He has
then questioned the said Tax department of the first respondent on the manner in which
the personal data concerning him were processed within the framework of
the establishment and collection of the fee claimed from him.
6. Informed in response that the first defendant would use the services of third parties, including
second defendant, the plaintiff requested to obtain the agreement concluded with this
last. It is, by the first defendant’s own admission, proven that the subcontract
contract which was to link it to the second defendant did not exist at the time of the facts
concerning the complainant.
7. The Litigation Chamber mentions here from the outset that it was on July 27, 2020 that a
“Personal data processing agreement” (CTDCP) was signed between
the defendants. Article 2 of this CTDCP defines the role of each party. The second
defendant is described there as a computer engineering company which develops and
markets software, which manages IT infrastructures and provides its expertise
intended for both public and private clients. As part of its activities, it may be
required to carry out processing of personal data belonging to its
client such as the first defendant in this case, particularly in the context of the exercise of
its installation, support and/or maintenance and hosting activities. The contract
continues by indicating that in the context of the treatments carried out, the second defendant Decision on the merits 137/2023 – 3/16
acts as a subcontractor while its client, the first defendant in
the species, acts as controller.
8. On October 23, 2020, the complaint was declared admissible by the First Line Service (SPL)
of the ODA on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber
Litigation under article 62, § 1 of the LCA.
9. On November 20, 2020, in accordance with article 96, § 1 of LCA, the request of the Chamber
Contentious to carry out an investigation is transmitted to the Inspection Service (IS).
10. On May 11, 2021, the IS investigation was closed, the report was attached to the file and it was
transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § er
2 of the LCA).
11. This inspection report makes the following findings:
has. Violation of article 28.3. of the GDPR by the first defendant: the SI establishes that
the subcontracting contract between the first defendant in its capacity as
data controller and the second defendant in its capacity as sub-processor
contract was concluded on July 27, 2020. The SI therefore notes that at the time of the
facts denounced and the processing of the complainant's data within the framework of
the establishment and collection of the parking fee for May 20, 2020,
such a contract did not exist, in violation of article 28.3 of the GDPR. The SI adds
that the retroactivity clause contained in said subcontracting contract cannot be
prejudice the rights of third parties, in particular those of the complainant.
b. Violation of articles 12.1 and 14 of the GDPR by the first defendant: the IS establishes
that the exemption from information provided for in (article 14.5. c) of the GDPR invoked by the
first defendant cannot be accepted in this case. In support of the Lines
guidelines on transparency of the European Committee for the Protection of
data (EDPS), the SI concludes that the texts 2 invoked by the first
defendant, if they establish the lawfulness of the processing, do not require it to obtain (or
to receive communication) of the data that it processes within the framework of the
collection of the royalty in question and above all, do not contain
1
European Data Protection Board (EDPS), Guidelines on transparency under the UIE Regulation)
2016/679 of April 11, 2018. These guidelines adopted by Group 29 (WP 260) were adopted by the
EDPS during its inaugural session on May 25, 2018: https://ec.europa.eu/newsroom/article29/items/622227.
2The first defendant invokes the following texts: article 6 of the royal decree of July 20, 2001 relating to
the registration of vehicles which provides that the investigation and criminal prosecution of crimes, misdemeanors and contraventions are
the purposes for which which personal data in the directory may be processed; the law
of February 22, 1065 allowing municipalities to establish parking fees applicable to vehicles
engine ; the fee regulation relating to its municipal parking policy voted by the Municipal Council on the date
of [….] which allows parking fees to be established when a vehicle does not comply with the relevant legislation and
the order of January 22, 2019 (chapter VII) – parking fees and monitoring of compliance with the rules of
parking. Decision on merits 137/2023 – 4/16
appropriate measures to protect the legitimate interests of the person
concerned as required by article 14.5.c) of the GDPR in order to be mobilized.
The SI notes that the first defendant also invokes the AF deliberation
23/2013 of July 25, 2013 of the Federal Authority Sector Committee (CSAF) of the 3
Commission for the Protection of Private Life (CPVP) providing single authorization and
amending with regard to private concessionaires of municipalities
Brussels, the autonomous Brussels municipal rules and the Brussels Agency
parking of the Brussels-Capital Region deliberation AF 12/2009
bearing a single authorization for access to the DIV directory for purposes
identification of persons who are debtors, due to the use of a
vehicle, of remuneration, which according to it retains its validity in accordance with
section 111 of the LCA. The SI notes that this deliberation specifically requires
provide information to the person concerned via the website
of the data controller as well as on payment requests. The IS
notes that such information is neither provided on the website of the first
defendant nor on the payment requests sent (2nd reminder). The IS
also points out that the fact of the first respondent being authorized to
access the DIV (Vehicle Registration Department - directory of
vehicles) does not exempt it from the information obligation.
er
12. On July 9, 2021, the Litigation Chamber decides, under Article 95, § 1, 1° and
article 98 of the LCA, that the file can be processed on its merits.
13. On the same date, the parties are informed by registered mail of the provisions such
as set out in article 95, § 2 and article 98 of the LCA. They are also informed, in
under section 99 of the LCA, deadlines for transmitting their conclusions. The deadline
for receipt of submissions in response from the defendants was set for September 6
2021, that for the conclusions in the complainant's reply as of September 28, 2021 and that for
the defendants' reply submissions as of October 20, 2021.
14. Still under the terms of this letter of July 9, 2021, the Litigation Chamber specifies that
the first respondent is invited to put forward its arguments in light of the findings
carried out in his regard by the IS. In addition, she invites him to put forward his arguments with regard to the
compliance with articles 5.2. and 24 of the GDPR as soon as a proven breach of one or the other
3The Commission for the Protection of Private Life (CPVP) was the Belgian data protection authority within the meaning of the article
28 of Directive 95/46/EC. The Data Protection Authority (DPA) succeeded it on May 25, 2018 in execution
of article 3 of the LCA.
4
Article 36bis of the LVP provided that any electronic communication of personal data by a public service
federal or by a public body with legal personality which comes under the federal authority requires authorization from
principle of the CSAF unless the communication has already been the subject of authorization in principle from another committee
sector created within the CPVP. The mission of the CSAF is to check whether the communication complies with the provisions
legal and regulatory. Decision on merits 137/2023 – 5/16
of articles 28, 12.1 and/or 14 of the GDPR retained by the IS is likely to constitute, by
as a result, a breach of these provisions (articles 5.2. and 24 of the GDPR) consecrating
the principle of accountability.
15. At the start of the complaint filed by the complainant (which also denounces a potential
breach of its obligations arising from the GDPR by the second defendant – see point
1), the Litigation Chamber also invites the latter to present its arguments to the
with regard to article 28 of the GDPR and the obligation to supervise its relationship with the
first defendant by a subcontracting contract compliant with article 28.3. of the GDPR.
16. On September 2, 2021, the Litigation Chamber receives the conclusions in response from the
first defendant:
- As for the complaint based on a violation of article 28.3. of the GDPR, the first defendant
does not deny that there was in fact no contract or other legal act linking it to the
second defendant at the time of the facts giving rise to the complaint. The first one
defendant, however, emphasizes that this contract - the signature of which had not been judged
priority, particularly in the absence of high risk for the people concerned and
given the context of the covid 19 pandemic requiring priority - a
was concluded on July 27, 2020 and that the situation is now regularized, including
for the past, taking into account the retroactivity clause to May 25, 2018 provided for by
article 3 of the said contract (article 3).
- As for the complaint based on a violation of articles 12.1 and 14 of the GDPR, the first
defendant declares, based on the conclusions of the SI on this point, to take note of
what article 14.5. c) of the GDPR would not apply and indicates having modified its
website by adding a text containing the elements of information required by
article 14 of the GDPR and adapted payment request letters within the framework of
parking fees by adding an informative clause.
17. On September 3, 2021, the second defendant notified the Litigation Chamber that she
refers and adheres to the arguments developed by the first defendant in its
conclusions in response of September 2, 2021 (point 16), which conclusions can be
considered to be filed in his name and on his behalf as well.
18. On September 4, 2021, the Litigation Chamber receives the conclusions in response to the
complainant:
- The complainant welcomes the fact that the first defendant recognizes the breaches
what to blame her for while doubting her good faith when she invokes “the excuse
too easy” according to him of the epidemic of the covid 19 virus to explain his delay in
signing of a subcontracting contract. It notes in this regard that the GDPR was in Decision on the merits 137/2023 – 6/16
in force since May 25, 2016, i.e. even before the award of the public contract by the
first respondent to the second respondent in late 2016.
- The plaintiff also points out that the first defendant minimizes the data
personal information which it communicates to the second defendant. Only the plate
registration of offenders would be sent to him while the IS report
mentions that other personal data concerning him (such as
photographs of his vehicle) are also communicated. Generally speaking, the
complainant denounces the lack of exemplarity and transparency of the first
defendant as a public administration.
- Finally, the complainant wishes to be made aware of the harm he has suffered as a result of his non-
respect for personal data both morally and financially
evaluating its shortfall at €1,500.00 ex aequo et bono with regard to time and
energy devoted to this matter.
19. On September 30, 2021, the Litigation Chamber receives the conclusions in response to the
first defendant. As for the compensation claimed by the plaintiff for damage suffered,
the first defendant argues that the plaintiff's data was not used to
purposes not provided for by law and that he cannot have suffered damage due to improper use
of these. It also emphasizes that public authorities are exempt from
administrative fines.
20. Also on September 30, the Litigation Chamber received a final reaction from the
complainant. This reaction is submitted out of time, the complainant having already had the opportunity to
conclude (point 18) and the last word goes to the defendants. The complainant insists
in particular on the fact that the fee could only be established through communication
contrary to the GDPR of data concerning him which, from his point of view, invalidates the
royalty as such. He also recalls that if the public authorities are
exempt from administrative fines, non-pecuniary administrative sanctions
may be imposed on them as well as criminal sanctions. The complainant finally recalls his
claim for compensation.
II. Motivation
II.1. As for the breach of article 28.3. of the GDPR by the first and second
defendants
21. Article 28.1. of the GDPR provides that when processing must be carried out on behalf
of a data controller, the latter only uses subcontractors who
present sufficient guarantees regarding the implementation of technical measures and Decision on the merits 137/2023 – 7/16
appropriate organizational measures to ensure that the processing meets the requirements of the
GDPR and guarantees the protection of the rights of the data subject.
22. Pursuant to article 28.3. of the GDPR, such processing must be governed by a contract or by
another legal act under Union law or the law of a Member State, which binds the
subcontractor with regard to the controller, defines the purpose and duration of the processing,
the nature and purpose of the processing, the type of personal data and the
categories of data subjects as well as the obligations and rights of the person responsible
of treatment. This contract or other legal act must also provide in particular for
burden of the subcontractor the series of obligations listed in letters a) to h) of article 28.3.
of the GDPR.
23. In this case, the Litigation Chamber characterizes the first defendant as “responsible for
processing” within the meaning of Article 4.7. of the GDPR. It is the entity that defines the purposes and
means of the processing complained of (i.e. the processing of personal data
relating to the complainant for the purposes of establishing and collecting a payment fee
parking), as part of the exercise of a competence which has been legally granted to him
entrusted. This characterization is not contested by the defendants.
24. The Litigation Chamber qualifies the second defendant as a “subcontractor” within the meaning of
Article 4.8. of the GDPR in that it acts on instructions from the defendant. This
qualification is also not contested by the defendants.
25. The Litigation Chamber decides that both the first and second defendants
were required to conclude a subcontracting contract or to bind themselves by an act
legally binding regarding the exercise of the subcontracting mission that they
had established between them, in accordance with article 28.3. of the GDPR.
26. The Litigation Chamber endorses in this regard the position of the EDPS according to which “being
given that the Regulation establishes a clear obligation to conclude a written contract,
where no other relevant legal act is in force, its absence constitutes a
GDPR violation. Both the controller and the processor are responsible for
ensure that a contract or other legal act governs the processing. Subject to
provisions of Article 83 of the GDPR, the competent supervisory authority will be able to
5European Data Protection Committee (EDPS), Guidelines 07/2020 concerning the notions of responsibility
of processing and subcontractor in the GDPR, version 2.0. from July 7, 2021 https://edpb.europa.eu/system/files/2022-
02/eppb_guidelines_202007_controllerprocessor_final_fr.pdf
6It is the Litigation Chamber which underlines. Article 28, paragraph 3, does not apply only to those responsible for
treatment. When only the subcontractor is covered by the territorial scope of the GDPR (article 3), the obligation
is only directly applicable to the subcontractor. See. also in this sense the Guidelines 3/2018 of the Committee
European Data Protection Authority (EDPS) relating to the territorial scope of the GDPR, p. 12.
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_fr.pdf. Decision on merits 137/2023 – 8/16
to impose an administrative fine on both the controller and the subcontractor,
taking into account the circumstances specific to each situation. 7
27. In other words, the obligation to conclude a contract or to be bound by a legal act
binding weighs both on the data controller (here the first defendant) and
on the subcontractor (hereinafter the second defendant) and not on the sole person responsible for
treatment. This is particularly important when, as is the case in this case, a
subcontractor offers its specialized services to a large number of managers
separate treatments. It would not comply with the GDPR (nor with the reality on the ground)
to consider that the initiative for concluding the contract (and its proposed content) does not
should only come from the data controller.
28. In the present case, the first and second defendants do not dispute that the contract of
subcontracting which was to bind them did not exist at the time of the facts reported. This contract has
was concluded on July 27, 2020, i.e. on a date subsequent to these facts and the processing of
subsequent data which, as a reminder, finds its origin in a parking lot at 20
May 2020. In the explanations she gave to try to justify this signature
late (point 16), the first defendant (followed by the second defendant – point 17)
indicates that at the time of the award of the public contract to the second defendant by a
deliberation at the end of 2016, the GDPR did not yet exist. On this point, the Contention Chamber
reminds the defendants that in reality, the GDPR was in force since May 25, 2016
(article 99.1. of the GDPR), i.e. for more than 6 months already at the time of the deliberation
award of the contract mentioned by the first defendant. Consequently, from
the award of the public contract by the first defendant to the second defendant, these
The latter had to comply with the GDPR and therefore sign as quickly as possible and
in any event, no later than May 24, 2018, a subcontracting contract in accordance with
Article 28.3. of the GDPR. The legislator had in fact expressly provided for a period
transitional period of 2 years to enable compliance with the GDPR, including the
regard to pre-existing situations following the application of the GDPR but which would persist beyond
this one.
29. With the SI (point 10), the Litigation Chamber is of the opinion that the retroactivity clause
provided for by the contract of July 27, 2020 is not likely to compensate for the absence of a contract in
time of the facts. If such retroactivity were to be admitted, it would de facto allow
circumvent the application over time of the obligation of article 28.3 of the GDPR which weighs thus
that it was developed in points 26 and 27 above, both on the data controller and
on the subcontractor. However, as has just been explained in point 28, the GDPR itself has provided
a period of 2 years separating its entry into force from its entry into force for implementation
in progressive compliance by all entities concerned (article 99 of the GDPR).
7It is the Litigation Chamber which underlines. Decision on merits 137/2023 – 9/16
The obligation to conclude such a contract is also intended to clearly distribute the
responsibilities of each of the defendants in their respective capacity as responsible for
processing on the one hand and the subcontractor on the other. As highlighted in recital 79 of
GDPR, this obligation also pursues the objective of guaranteeing the protection of rights and
freedoms of the persons concerned including the data which will be processed within the framework
of the relationship that the data controller chooses to create between them (here the
first defendant) and the subcontractor (here the second defendant) are thus
protected. This absence of protection - while it is required by the GDPR - cannot be
covered by a contractual retroactivity clause agreed solely by the
defendants in disregard of the rights of the persons concerned - who are not parties to the
contract – enshrined in a standard, of European rank in addition.
30. In light of the above, the Litigation Chamber concludes that both the first and the second
The second defendants were guilty of a breach of Article 28.3. of
GDPR. For all useful purposes, the Litigation Chamber specifies that it is empowered to retain a
breach of this provision by the second respondent notwithstanding the absence of
breach pointed out in the head of the latter by the IS and this, in execution of its
own skills. The second defendant implicated under the terms of the complaint
filed (point 1) was also invited to defend itself with regard to this breach in
respect for the contradictory debate (point 15) and does not deny the absence of a contract at the time
facts.
31. The defendants also claim that in any event, they respected the
obligations arising from the Law of December 8, 1992 relating to the protection of private life
with regard to data processing (LVP) previously applicable (article 16 devoted to
9
obligations of the subcontractor) and that taking into account other emergencies particularly linked to the
covid-19 virus pandemic, compliance with the GDPR has not been seen
as a priority from 2018 given the few risks incurred by the taxpayer in the
context concerned. The defendants also argue that the rights of the plaintiff have
always been respected, even before the conclusion of the contract on July 27, 2020 and that the
data concerning him have not been used for purposes other than those related to the royalty
parking.
8The LCA does not require the Litigation Chamber to use the Inspection Service. Indeed, the Litigation Chamber
decides sovereignly whether, following the filing of a complaint, an investigation is necessary or not (article 63.2° of the LCA and
art. 94, 1° of the LCA). In this sense, article 94, 3° LCA explicitly provides that once seized, the Litigation Chamber may
process the complaint without resorting to the Inspection Service. It thus has a power of appreciation of the complaint which is
independent of the inspection (Cour des Marches (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Court of
markets (19th ch. A), December 7, 2022, 2022/AR/556).
9It should be noted that the obligations of the subcontractor were very limited compared to the requirements required by article
28 of the GDPR. Article 16 of the LVP was in fact limited to providing that the subcontractor could only act on instructions from the
data controller and must present sufficient guarantees to ensure the security of the processing which it
were subcontracted. Decision on merits 137/2023 – 10/16
32. For the Litigation Chamber, the circumstances invoked by the defendants -
even if they prove to be true, they are not likely to eliminate the existence of a failure in
their boss. They could, however, at most be taken into account by the Chamber
Contentious in the assessment of the appropriate sanction with regard to all of the
circumstances of the case.
II.2. As for the breach of article 12.1. and 14 of the GDPR by the first defendant
33. The Litigation Chamber takes note of what the first defendant has now
provided for information reflecting the elements required in execution of article 14 of the GDPR to
destination of the persons concerned on its website on the one hand and has also
committed to providing information to the persons concerned when sending requests
payment of royalties on the other hand.
34. The Litigation Chamber nevertheless concludes that for the past, the first
defendant was guilty of a breach of articles 12.1 and 14 of the GDPR in
not providing adequate information for the attention of the persons concerned. There
In this regard, the Litigation Chamber shares the analysis of the SI which rules out the applicability of
Article 14.5.c) of the GDPR.
35. Under the terms of this article 14.5.c), the data controller is exempt from his obligation
information when and to the extent that “obtaining or communicating information
information is expressly provided for by Union or Member State law
to which the controller is subject and which provides for appropriate measures
aimed at protecting the legitimate interests of the data subject.
36. The Litigation Chamber notes a difference in language between the French version and, by
example, the Dutch and English versions of this provision. Indeed, while the
French version of article 14.5.c) of the GDPR mentions “when and to the extent that
obtaining or communicating information is expressly provided for by law
of the Union or the Member State", the Dutch and English versions of the text retain
respectively the following terms: “wanneer en voor zover het verkrijgen de verstrekken
van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of lidstaatelijk recht” and “
where and insofar obtaining or disclosure is expressly laid down by Union or Member State
law”. (read: obtaining or disclosure of data in accordance with the terms of recital 62).
The Litigation Chamber is of the opinion that it is indeed the obtaining and communication of
data which must be provided for by national law (or, where applicable, by Union law
European) and notwithstanding the terms of the French version of article 14.5.c) of the GDPR.
37. What is provided for in article 14.5. c) of the GDPR constitutes an exception to the right to information.
Failing to be informed that data processing concerning it is being carried out, the Decision on the merits 137/2023 – 11/16
data subject is deprived of information which is in principle spontaneously available to him
provided by the data controller and which facilitates the exercise of his other rights including
it is also informed of the existence and methods of exercise through this means (article
13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR).
38. This exemption must be interpreted restrictively since it constitutes a
exception to the information obligation provided for by the fundamental right to the protection of
data and the corollary information obligation imposed on the data controller.
It also deprives, as already mentioned, the person concerned of information on
the existence and methods of exercising their other rights which are, for their part, not
subject to the same exception “in the event of obtaining or communication expressly provided for
by the law”. As an example, the right of access (article 15 of the GDPR) - which in turn opens the way
to exercise other rights such as the right to rectification, opposition or even erasure
– does not know this exception (article 15.4. of the GDPR).
39. The ratio legis of this exception in Article 14.5.c) of the GDPR is based on the fact that the
national legislation would require the obtaining or communication of said data. He imports
provided that this legislation is particularly clear and complies with the qualities that must
adopt any data protection legislation and that this
obtaining/communication is binding on the data controller which he must
be able to demonstrate. Said legislation must also provide for appropriate measures to
guarantee the legitimate interests of the data subject.
40. The Litigation Chamber adds that finally, the obligation to obtain or communicate
of said data must, in order to trigger the exception of article 14.5.c) of the GDPR,
logically cover all the data which would have been processed by the person responsible for
processing which would invoke exemption from information.
41. The SI report notes that the first defendant relies on the following texts:
has. Article 6 of the royal decree of July 20, 2001 relating to vehicle registration
which provides that the search and criminal prosecution of crimes, misdemeanors and
contraventions are the purposes for which personal data
from the DIV directory (Directorate of Vehicle Registration) can make
the subject of treatment.
The Litigation Chamber notes that this provision specifies the purposes of the DIV
consultation of which is authorized for the benefit of the first defendant for
these purposes, including that of establishing the fee.
b. The law of February 22, 1965 allowing municipalities to establish royalties
parking applicable to motor vehicles. Decision on merits 137/2023 – 12/16
Here too the Litigation Chamber notes that this is a text which allows the
first respondent to establish the parking fee. When examining the
text, the Litigation Chamber notes that article 2 of the legislation provides that “
for the collection of remunerations, taxes or royalties from
parking referred to in Article 1, the towns and municipalities and their
concessionaires and autonomous municipal authorities are authorized to request
identity of the holder of the number of the registration mark to the responsible authority
of vehicle registration, in accordance with the law on the protection of
private life ". The text thus provides the right for municipalities such as the first
defendant to consult the DIV for the purposes of establishing the fee.
vs. The fee regulation relating to the municipal parking policy voted by
the municipal council dated […] which makes it possible to establish the royalties of
parking when a vehicle does not comply with the relevant legislation.
Upon analysis of this text communicated by the first defendant SI, the Chamber
Litigation notes (i) that it organizes the modalities according to which the
parking is regulated, subdivided (paid zone, blue zone etc.) and according to what rate,
(ii) that it details the terms of amicable recovery and amicable complaint
as well as (iii) the terms of forced recovery and recourse against the procedure
forced recovery. The text further details the exemption cards
existing.
The Litigation Chamber, however, does not identify any provision which specifies
what data the first defendant would be required to obtain in the context
of the establishment and collection of a parking fee.
d. The order of January 22, 2009 10 – chapter VII – royalties
parking and monitoring compliance with parking rules. The text
organizes the parking policy in the Brussels-Capital region, creates
the Parking Agency, sets the amount of fees and addresses the issue
of the control and collection of these royalties as well as their cost for the
municipalities etc.
Here too, the Litigation Chamber does not identify any provision relating to
the compulsory obtaining/communication of data including the first defendant
could rely on it to found the exemption from information that it invoked.
10Read the Order of January 22, 2009 on the organization of parking policy and creation of the Parking Agency
parking lot of the Brussels-Capital Region, M.B., January 30, 2009. Decision on the merits 137/2023 – 13/16
42. In support of the above, the Litigation Chamber concludes that if we understand that the
first respondent certainly needs certain data to establish a fee
parking and collect it (and be authorized to consult a source such as theDIV at
this effect), the texts that it invokes in support of its competence do not provide for obtaining
or mandatory communication of the data it has processed in this case (including
photographs). As the SI also points out, none of these texts provides for
additional appropriate measures intended to protect the interests of individuals
concerned in this context where no information would therefore be provided to them in the sense
proactive that the GDPR gives to this obligation. Consequently, the Litigation Chamber
notes that the conditions for application of article 14.5.c) of the GDPR are not met and
that the first defendant was, therefore, not authorized to invoke this exception.
43. In this sense, the deliberation of the CSAF to which the first respondent refers enjoined
to inform the people concerned, which the first defendant failed to do
TO DO.
44. Finally, for cases where the data controller would be entitled to rely on article
14.5.c of the GDPR, the Litigation Chamber recalls as highlighted by the EDPS in its
Transparency guidelines already cited, this exemption does not require them
less than “the controller should clearly notify individuals
concerned that it obtains or communicates personal data in accordance with
the right in question, unless there is a legal prohibition preventing it from doing so. This
This provision complies with recital 41 of the GDPR, which provides that a legal basis or
a legislative measure should be clear and precise and its application should be
foreseeable for litigants, in accordance with the case law of the Court of Justice of
the European Union and the European Court of Human Rights”. This obligation
is in line with that which the data controller has to identify - in execution
of articles 13.1.c) and 14.1.c) of the GDPR - the legal bases of its processing and this,
prior to their operationalization. In this regard, it is not enough to indicate that
data processing will take place in execution of a legal obligation or to refer
purely and simply to the application of article 6.1. c) of the DPR. It is the responsibility of the person responsible
of processing to identify the relevant legislation which underlies the processing it carries out.
45. In conclusion, the Litigation Chamber notes a breach of Article 14 of the GDPR
on the part of the first defendant combined with a breach of article 12.1 of the
GDPR. Indeed, failing to provide the information listed in Article 14 of the GDPR
to the persons concerned, the first respondent also fails to comply with this provision
which requires the data controller to take appropriate measures to provide
any information referred to in Articles 13 and 14 in a concise, transparent,
understandable and easily accessible, in clear and simple terms. Decision on merits 137/2023 – 14/16
II.3. As for corrective measures and sanctions
46. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:
1° close the complaint without further action;
2° order the dismissal of the case;
3° pronounce a suspension of the sentence;
4° propose a transaction;
5° issue warnings or reprimands;
6° order to comply with the requests of the person concerned to exercise their rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of data and notification of
these to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° give fines;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body;
15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Authority of
Data protection.
47. It is important to contextualize the failings of which each of the defendants committed
made responsible in order to identify the most corrective measures and/or sanctions
adapted.
48. The Litigation Chamber wishes to point out that it is sovereignly its responsibility
independent administrative authority - in compliance with the relevant articles of the GDPR and
of the LCA - to determine the corrective measure(s) and/or sanction(s)
appropriate(s) with regard to all the circumstances of the file. Thus, it does not belong
for the complainant to ask the Litigation Chamber to order this or that measure
corrective or sanction (exemplary) and even less that it takes measures which do not
would not appear among those that the Litigation Chamber is authorized to impose. If,
notwithstanding the above, the complainant had to make such a request, it is not the responsibility
not for the Contentious Chamber to justify why it would not retain one or the other
request thus formulated by the complainant. These considerations leave the obligation intact
for the Litigation Chamber to provide reasons for the choice of measure and/or sanction for which Decision on the merits 137/2023 – 15/16
judge, (among the list of measures and sanctions made available to him by articles 58 of the
RGPD and 95.1 and 100.1 of the LCA) appropriate to condemn the party(ies) involved.
49. Still in this regard, the Litigation Chamber specifies that it does not have jurisdiction to
grant damages or compensation for possible harm suffered or to
invalidate a parking fee. These skills are not provided for by the article
58 of the aforementioned GDPR nor by article 100.1. of the LCA cited above. The imposition of such
Measures are reserved, if necessary, to the competent courts and tribunals.
50. In view of the failings noted on the part of the first respondent in the
Articles 28.3. (point 30), 14 and 12.1. of the GDPR (point 45) in its capacity as a public authority, the
Litigation Chamber decides that the reprimand constitutes the appropriate sanction.
51. The Contentious Chamber also notes that it emerges from the recognition of the facts by the
first defendant, the signing of a subcontracting contract in July 2020 and
commitments made in terms of information to the people concerned, that the first
The defendant took stock of the breaches denounced in articles 28.3., 14 and 12.1. of
GDPR already mentioned.
52. Concerning the second defendant, the Litigation Chamber also decides to
send a reprimand with regard to the breach noted in article 28.3 of the GDPR (point
30) in his head as well. Considering all the circumstances of the case, this
In the eyes of the Litigation Chamber, this measure constitutes the appropriate sanction for the
past breach noted.
III. Publication of the decision
53. Given the importance of transparency regarding the decision-making process of the Chamber
Contentious, this decision is published on the APD website. However, it is not
not necessary for this purpose that the identification data of the parties be directly
mentioned. Decision on merits 137/2023 – 16/16
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation:
- Under article 100.5° of the LCA, to send a reprimand to the first
defendant for breaches of articles 28.3, 14 and 12.1. of the GDPR.
- Under article 100.5° of the LCA, to send a reprimand to the second
defendant for the breach of article 28.3. GDPR
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days from its notification, to the Court of Markets (court
of Appeal of Brussels), with the Data Protection Authority (DPA) as a party
defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory request must be
12
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).
(sé). Hielke H IJMANS
President of the Litigation Chamber
11The request contains barely any nullity:
1° indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or
Business Number;
3° the surname, first name, address and, where applicable, the status of the person to be summoned;
4° the object and summary of the grounds of the request;
5° indication of the judge who is seized of the request;
6° the signature of the applicant or his lawyer.
12
The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.
