APD/GBA (Belgium) - 108/2024

From GDPRhub
Revision as of 11:46, 17 September 2024 by Wp (talk | contribs)
APD/GBA - 108/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 12(1) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 14 GDPR
Article 15(1) GDPR
Article 21(4) GDPR
Type: Complaint
Outcome: Upheld
Started: 27.08.2024
Decided:
Published:
Fine: 8,000 EUR
Parties: n/a
National Case Number/Name: 108/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in NL)
Initial Contributor: wp

The DPA fined a controller €8,000 for sending an unsolicited commercial e-mail to a data subject without providing them with information on the right to object in accordance with Article 21 GDPR. The controller also failed to respond to an access request by the data subject.

English Summary

Facts

A data subject received an unsolicited commercial e-mail from a company (data controller). It contained an invitation to create an account on the new online ticketing platform (football club) in order to purchase subscriptions and tickets. The data subject filed an access request under Article 15 GDPR to know the source of their data. According to the data subject, they didn’t disclose their data to the controller. In response, the controller deleted the data at hand but didn’t respond to the access request.

The data subject lodged a complaint with the Belgian DPA (APD/GBA). Before lodging the complaint, the data subject took part in unsuccessful mediation proceedings.

During the examination proceedings, the DPA found that the data subject’s data came from the database of a bankrupt soccer club, held by one of the controller’s business partners. The business partner transferred the data to the controller. Allegedly, the controller planned to restart the bankrupt club. Moreover, the controller’s privacy policy lacked clear information on data transfers to or from third parties. Additionally, the DPA identified other violations of the GDPR, in particular regarding cookie transparency and cookie setup.

In a written statement, the controller explained that the data of the bankrupt club were transferred within the bankruptcy proceedings. Although the data subject received the e-mail from the controller, the “unsubscribe” button limited the potential harm to the data subject to the mere receipt of an unsolicited commercial e-mail. The controller invoked legitimate interest under Article 6(1)(f) GDPR as the legal basis for sending e-mails of that kind. Furthermore, the controller updated the privacy policy in line with the recommendations of the DPA, addressing the shortcomings mentioned during the inspection.

Holding

The DPA upheld the complaint.

First, the DPA emphasised there was no clear legal basis for the data transfer from the controller’s business partner to the controller. Doubtless, the initial purpose of data processing was incompatible with the transfer to and subsequent data processing by the controller. Nevertheless, for the DPA the transfer of assets, including the database, related to the bankruptcy proceedings, fell within the scope of legitimate interest under Article 6(1)(f) GDPR. Hence, the data subject’s data were transferred lawfully.

Secondly, the controller relied on Article 6(1)(f) GDPR for direct marketing purposes and subsequent commercial mailing. The legitimate interest test performed by the DPA indicated that the controller was able to lawfully send e-mails to former members of the bankrupt club (approximately 6,000 individuals), including the data subject. According to the DPA, the legitimate interest pursued by the controller was restarting the club, and there was no alternative way to effectively reach the former members. Also, the members were aware of the club’s bankruptcy, so a takeover of the club was within their expectations.

Thirdly, the e-mail received by the data subject did not contain all the information required under Article 14 GDPR. There was no information about the right to object under Article 21 GDPR, as well as no link to the privacy policy. The controller was therefore in breach of Article 5(1)(a) GDPR, Article 12(1) GDPR, Article 14 GDPR and Article 21(4) GDPR.

Fourthly, the controller didn’t respond to the data subject’s access request. The fact that the controller deleted the data was irrelevant. The data subject expected to be informed about the origin of the data, not necessarily their deletion. Hence, the data subject’s request was not handled and the controller violated Article 12(3) GDPR, Article 12(4) GDPR and Article 15(1) GDPR.

Consequently, for violations of Article 5(1)(a) GDPR, Article 12(1) GDPR, Article 12(3) GDPR, Article 12(4) GDPR, Article 14 GDPR, Article 15(1) and Article 21(4) GDPR the DPA imposed a fine of €8,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Litigation Chamber

Decision on the merits 108/2024 of 27 August 2024

File number: DOS-2020-00072

Subject: Acquisition of a membership list in the context of a takeover by the acquiring football club and use of the personal data obtained for commercial mailings

The Litigation Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, chairman, and Mr Dirk Van Der Kelen and Mr Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR";

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter referred to as “WOG”;

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on
15 January 2019;

Having regard to the documents in the file;

Has taken the following decision regarding:

Complainant: Mr X, hereinafter referred to as “the complainant”

Defendant: Y, represented by counsel Nicolas Wesling and general manager Mr […], hereinafter referred to as “the defendant”

I. Facts and procedure

1. On 8 January 2020, the complainant lodged a complaint with the Data Protection Authority

against the defendant. The complainant had previously submitted the file to the First Line Service for mediation, but the complainant claims that this mediation procedure did not produce a satisfactory result.

2. The subject of the complaint concerns the receipt of an unsolicited commercial e-mail

sent on 2 October 2018 by the defendant to the complainant. In response to this,

the complainant contacted the defendant on 3 October 2018 to ask how his

personal data were obtained without his knowledge, since he had never provided them

to the defendant himself. He therefore requested the defendant to inspect his

personal data, whereby the complainant expressly requested that he inform

him how the defendant obtained his personal data and on what legal basis

they are processed. According to the complainant, the defendant did not provide a satisfactory

answer to his request for inspection, but merely reported that his personal

data were being deleted, although the complainant had not requested this.

Furthermore, the complainant states that unwanted emails were still sent to him

despite the notification of data erasure by the defendant.

3. The complaint is part of a bankruptcy in which the trustee initially arranged a transfer of the membership file of the bankrupt football club to W BV on 8 June 2018, after which the file was subsequently transferred to the defendant on 13 June 2018. The personal data of the subscribers of the bankrupt club were already in the database of Z, a private limited company under Dutch law, before the bankruptcy, since the bankrupt club had decided to cooperate with Z regarding communication with the supporters. The defendant in turn decided to continue the cooperation with Z.

4. On 10 February 2020, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG.

5. On 5 March 2020, the Dispute Chamber decides on the basis of Article 63, 2° and 94, 1° WOG

to request an investigation from the Inspection Service.

6. On 6 March 2020, in accordance with Article 96, § 1 WOG, the request of the
Dispute Chamber to conduct an investigation is transferred to the Inspection Service,

together with the complaint and the inventory of the documents.

7. On 1 December 2020, the investigation by the Inspection Service is completed, the report is added to the file and the file is transferred by the Inspector General to the President of the Dispute Chamber (Article 91, § 1 and § 2 WOG).

The report contains findings regarding the subject of the complaint and decides, in summary, that:

1. The Inspection Service finds that the transfer of personal data by W BV

to the defendant has not been directly and formally documented as required

by Article 5.2. GDPR and Article 26.1. GDPR.

2. Z can be considered a processor within the meaning of Article 4. 8) GDPR. However, a processor agreement is missing, which means that Article 28.3. GDPR has been violated.

3. The defendant has violated Article 6 GDPR due to the lack of a valid basis for both the transfer of the personal data of the bankrupt club to the defendant and for the mailing to the subscribers of the bankrupt club.

4. The defendant has violated the purpose limitation principle (Article 5.1 GDPR),

since the provision of personal data by the receiver to another controller,

namely the defendant, cannot take place on the basis of compatibility with the

collection purpose. The position of the Inspection Service is based on a view previously taken by the

Dutch supervisory authority (Dutch Data Protection Authority). The Inspection Service

also links this to a violation of Article 5.2. GDPR.

5. The information about transfer to third parties in the privacy policy is

unclear and not in accordance with Article 12.1. GDPR. The report of the Inspection Service states that

the privacy policy refers to both Directive 95/46/EC and the GDPR. According to the Inspection Service, this leads

to suspect that the privacy policy dates from the period

between the publication date of the GDPR on 4 May 2016 and 25 May 2018. The report

states that one hypothesis is that the privacy policy of the bankrupt company

was adopted, albeit with the contact details replaced.

6. The defendant violates the information obligation via the various privacy statements on […]
that were not coordinated. Therefore, there is a violation of

Articles 12, 13 and 14 GDPR.

7. With regard to the websites, it is established that the three cookie statements – which

are to be distinguished from the privacy statements – were not drawn up in

accordance with the information obligation of Articles 12, 13 and 14 GDPR. The

consent requirement on the websites is not properly incorporated as required by

Articles 7.2. and 7.3. GDPR. The respective websites do not respect the principles

of data protection by design and default settings, thereby violating Article

25 GDPR. The principle of storage limitation (Article 5.1 e) GDPR) is

not respected because the websites store cookies for too long.

8. The privacy and cookie statements on the websites are not coherent and

not drawn up in accordance with Articles 5.1. a); 6; 7.3.; 12.1., 13 and 14 GDPR.

9. The complainant's right of access (Article 15 GDPR) was

violated by the defendant.

10. The method of requesting personal data on the websites does not comply with the principle of data protection by design and by default (Article 25 GDPR).

11. The information included in the register of processing activities

does not meet the requirements of Article 30.1. GDPR.

12. The duty to cooperate has been breached (Article 31 GDPR).

8. On 3 March 2021, the Dispute Resolution Chamber decides on the basis of Article 95, § 1, 1° and Article 98

WOG that the file is ready for substantive processing and the parties concerned are informed by registered mail of the provisions as stated in

Article 95, § 2, as well as those in Article 98 WOG. They are also informed on the basis of Article 99

WOG of the deadlines for submitting their defences.

The deadline for receipt of the defendant's conclusion of reply was set at 15 April 2021, that for the complainant's conclusion of reply on 6

May 2021 and that for the defendant's conclusion of reply on 27 May 2021.

On 22 March 2021, the defendant requested a copy of the file (Article 95, § 2, 3° WOG),

which was sent to him on 6 April 2021. The defendant also

electronically accepts all communication regarding the case, reports that he will submit

means of defence and indicates that he wishes to make use of the opportunity to be heard,

in accordance with Article 98 WOG.

9. On 15 April 2021, the Dispute Chamber receives the defendant's conclusion of reply. First, the defendant sets out factually and on the basis of additional documents

how he obtained the membership file of the bankrupt club, underlining

the specific circumstances, namely the data transfer

as a result of the bankruptcy with the subsequent restart, as well as the time frame, namely

the coincidence with the application of the GDPR. In particular, with regard

to the sending of e-mails to the plaintiff, the defendant states that an

"Unsubscribe" button was provided and that the possible damage to the data subject was limited to

the receipt of one unwanted e-mail. For the sending of the e-mail, the

defendant relies on his legitimate interest. The defendant argues that both the

privacy and cookie statements were adapted to the comments of the Inspection Service and that each e-mail

contains a link leading to the privacy statement. Finally,

the defendant notes that neither Z nor the curator have formulated any reservations on the transfer of the data or the sending of commercial messages to the persons included in the membership file.

10. On 3 May 2021, the Disputes Chamber receives the conclusion of the reply from the complainant in which

he emphasises that his request to the respondent did not concern the deletion of his data,

but that he did wish to hear from the respondent how his data was obtained.

According to the complainant, the respondent has violated the GDPR because it continued to

refuse to provide clarification on this matter. The complainant states that the

uncertainty cited by the respondent regarding the application of the GDPR in the first

months after its entry into force is not an argument, since this had been

extensively communicated in advance. The complainant also responds to the defendant's claim that the complainant's intention was to cause damage to the defendant rather than to protect his interests. The complainant states that he has previously been the victim of identity fraud, which is why he pays particular attention to the protection of his personal data.

11. On 27 May 2021, the Dispute Chamber receives the defendant's conclusion of reply

which repeats the various elements as stated in the conclusion of reply

and updates them by adding documents, in order to demonstrate that work has been done in the meantime

to solve problems that emerged from the report of the Inspection Service.

12. On 22 January 2024, the parties are informed that the hearing will

take place on 20 February 2024.

13. On 20 February 2024, the parties are heard by the Dispute Chamber.

14. On 22 February 2024, the minutes of the hearing are submitted to the parties.

15. On 22 February 2024, the Disputes Chamber receives a comment from the complainant regarding the minutes, which it decides to include in its deliberations.

16. On 4 July 2024, the Disputes Chamber informed the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself,

before the sanction is actually imposed.

17. On 13 August 2024, the Disputes Chamber receives the defendant's response to the intention to impose an administrative fine, as well as the amount thereof. The defendant confirms without further ado that it accepts the proposed fine of EUR 8,000. He merely adds that the proposed amount is nevertheless considered disproportionately high, but nevertheless fails to provide any reasoning for this.

1 The complainant apparently refers here to the date on which the GDPR became applicable, namely 25 May 2018 (Article 99.2 GDPR), not the date of entry into force, namely 24 May 2016 (Article 99.1 GDPR).

II. Reasoning

a) Legal basis

• Transfer of the membership file to the trustee and then transfer to the defendant

18. First, the Dispute Chamber examines whether the defendant lawfully

came into possession of the complainant's personal data. Originally, the

personal data of the complainant in his capacity as subscriber of V, were lawfully obtained by this club

within the framework of the membership of the complainant of that club.

This acquisition is not as such the subject of any dispute. V was

nevertheless declared bankrupt on 14 May 2018. The assets, including all data of subscribers,

including that of the complainant, have from that moment been managed by the trustee charged

with the liquidation of the bankrupt estate before being transferred to W BV on the basis of the

agreement dated 8 June 2018, immediately followed by the transfer on 13 June 2018

to the defendant. Prior to the actual transfer to the defendant of the assets, including the

membership file, the trustee thus takes over the role of controller of the bankrupt football

club. It is also established that

the trustee processes this file for a purpose that is distinct from the initial

purpose. Where the initial purpose at the time of the acquisition by the bankrupt was to record the

membership of the complainant with all the associated facilities and communication

regarding the activities of the club, the trustee has the same personal data by operation of law

since the bankruptcy for a completely different purpose, namely the realisation of the

assets falling under the estate, which in the present case also contain personal data. Since this data transfer

constitutes processing within the meaning of Article 4. 2) GDPR for a new purpose that is distinct

from the initial purpose, namely the registration of the membership of the football

club, the Dispute Resolution Chamber shall examine whether or not this new purpose

for which the membership file is processed within the context of a bankruptcy can be

considered compatible with the initial purpose as brought to the attention of the complainant

when he joined the club as a supporter.

19. In accordance with Article 5.1. b) GDPR, the processing of personal data for

purposes other than those for which the personal data were initially collected may only

be permitted if the processing is compatible with the purposes for which the personal data

were initially collected. Taking into account the criteria set out in Article 6.4. GDPR and recital 50 GDPR², it must therefore be examined whether

the further processing, in this case the transfer of the membership file – containing

the complainant’s data – to the trustee and subsequently to a transferee

of the assets falling into the estate (in this case the defendant), is or is not

compatible with the initial processing consisting of the registration of the membership of

football supporters. The Dispute Chamber concludes that the complainant entrusted his

personal data to the bankrupt club in order to join the club as a subscriber

and could not reasonably have expected that the same data would be used

in the context of a possible later bankruptcy

for transfer to a trustee without the complainant being able to object to this

and without the complainant being informed about this, and this regardless of the

purpose for which the trustee in turn will process the personal data obtained. The Dispute Chamber

hereby clarifies that, in assessing the reasonable expectations of the complainant, it

takes into consideration that the receiver can, within the framework of his statutory

assignment, convert the membership file thus obtained into cash for any other purpose that is

distinct from the original purpose, and his assignment is by no means limited to

effecting a restart of the club. Since the receiver is not obliged to

merely make a restart possible, but it is possible that, as soon as bankruptcy

occurs, the receiver can convert the membership file into cash for any other new purpose and

this against the will of the parties involved, the data processing on the part of the receiver in the event of bankruptcy

cannot simply be regarded as compatible further processing.

20. The determination that there is no compatible further processing leads to the conclusion that a separate legal basis is required for the transfer of the membership file by the curator to the defendant to be regarded as lawful.

21. After all, processing of personal data, including incompatible further processing as in the present case, is only lawful if there is a legal basis for doing so. For incompatible further processing, recourse should be had to Article 6.1. GDPR and Recital 50 GDPR. Recital 50 GDPR states that a separate legal basis is required for the processing of personal data for other purposes that are incompatible with the purposes for which the personal data were initially collected. The separate legal grounds on the basis of which a processing, including therefore incompatible further processing, may be considered lawful are laid down in Article 6.1. GDPR.

2 Recital 50 GDPR: […] In order to assess whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller, after having fulfilled all requirements concerning the lawfulness of the original processing, should, inter alia, take into account: any link between those purposes and the purposes of the intended further processing; the context in which the data were collected; in particular the reasonable expectations of the data subjects based on their relationship with the controller regarding the further use; the nature of the personal data; the impact of the intended further processing on the data subjects; and appropriate safeguards in both the original and the intended further processing.

3 Recital 50 GDPR: Processing of personal data for purposes other than those for which the personal data were initially collected may only be permitted if the processing is compatible with the purposes for which the personal data were initially collected. In that case, no separate legal ground other than that on which the collection of personal data was authorised is required. […]

22. To this end, the Dispute Chamber examines to what extent the legal grounds as determined in Article

6.1. GDPR can be invoked by the defendant in order to justify the further processing

of the personal data relating to the complainant. The report of the Inspection Service refers to a letter that was sent by the Personal Data Authority

to the Dutch Association of Insolvency Lawyers (INSOLAD) on 6 January 2020, which states that the transfer of the

membership file by the trustee to third parties (such as the defendant) requires the prior,

informed consent of each of the members individually. However, this is not the case in the

file at hand.

23. Since there are no other elements in the file that indicate a possible other legal basis as included in Article 6.1 GDPR, the

Dispute Chamber will investigate whether the transfer of the membership file by the receiver to the

defendant can be based on Article 6.1f) GDPR, consisting of the legitimate

interest of the receiver to proceed with that transfer. After all, the Dispute Chamber is of the

opinion that, in order to ensure completeness of the analysis regarding the legal basis, all

possible legal grounds should be examined. This is not the case in the

aforementioned letter that was addressed by the Dutch Data Protection Authority to INSOLAD

in which only consent (Article 6.1 a GDPR) is put forward as the legal

basis for transfer by the receiver without examining whether legitimate interest

(Article 6.1 f) GDPR) can serve as a possible legal basis. The report of the

Inspection Service also lacks an investigation into the application of Article 6.1 f) GDPR as a

possible legal basis for the transfer of the membership file by the trustee to the

defendant, in which it is investigated whether the trustee, as the controller, can

rely on the legitimate interest for the transfer to a third party. The report of the Inspection Service does state that no explicit explanation was given by the defendant for the processing at issue itself (the transfer of personal data from the bankrupt estate to the defendant and/or via Z) that could justify an appeal to Article 6.1 f) GDPR, although the Inspection Service states that in its letter of 25 March 2020 addressed to the defendant it nevertheless referred to the legal elements that must be demonstrated for the application of Article 6.1 f) GDPR. However, the Dispute Chamber notes that the relevant letter only states that the defendant relies on the “legitimate interest” to demonstrate the lawfulness of the processing(s) and that three elements (legitimate interest, necessity of the processing, balancing of interests) must be demonstrated for this purpose. The relevant letter from the Inspection Service only mentions “processing(s)” in general terms, without specifying that the defendant is expected to justify the legal basis for “the transfer of the membership file from the bankrupt estate”. This then leads the Inspection Service to state that the legal basis for the initial transfer has not been explained or demonstrated by the defendant. The report contains no further explanation in this regard. The inspection report only addresses the legitimate interest of the defendant as controller, whereby the Inspection Service limits itself to the question of whether the defendant can use the data obtained from the bankrupt estate for sending mailings on the basis of Article 6.1 f) GDPR. The Inspection Service takes direct marketing as the starting point as the purpose pursued by the defendant to assess whether Article 6.1 f) GDPR can apply. However, the Dispute Chamber is of the opinion that it is crucial to ask the question beforehand whether the transfer of the membership file by the trustee to the defendant took place in a lawful manner and only then to ask the question whether the defendant could reuse the data obtained for sending mailings.

4 The Association of Insolvency Law Attorneys (INSOLAD). Through INSOLAD, the AP (Dutch Data Protection Authority) aims to inform as many insolvency lawyers and bankruptcy trustees as possible about the legal framework that applies to the processing of personal data in the estate of a bankrupt (legal) person, and the responsibility for compliance with the GDPR that rests with the trustee in that context. The letter states the following: “When selling personal data (e.g. in the form of a customer file) (…) there is a provision to another controller. (…) Such provision of personal data must be based on the prior consent of the data subject(s) in accordance with Article 7 GDPR.”

24. In accordance with Article 6.1 f) GDPR and the case-law of the Court of Justice of the

European Union (hereinafter “the Court”), three cumulative conditions must be met

for a controller to be able to validly rely on this

ground of lawfulness, “namely, first, the pursuit of a legitimate

interest of the controller or of the third party(ies) to whom the

data are disclosed, second, the necessity of processing the personal data

for the pursuit of the legitimate interest, and, third, the condition that the

fundamental rights and freedoms of the data subject do not prevail” (Rigas judgment).⁵

25. In order to be able to rely on the ground of lawfulness of

“legitimate interest” in accordance with Article 6.1 f) GDPR, the controller must, in other words,

demonstrate that:

1) the interests pursued by the processing can be recognised as legitimate (the ‘purpose test’);

2) the intended processing is necessary for the realisation of those interests (the ‘necessity test’); and

3) the weighing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favour of the controller (the "balancing test").

5 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40.

26. With regard to the first condition (the so-called "purpose test"), the Dispute Chamber is of the opinion that the winding up of a bankruptcy must be considered to have been carried out with a view to a legitimate interest. It allows the trustee to fulfil his task enshrined in Book XX of the Code of Economic Law (WER), namely to proceed with the liquidation of the bankrupt estate as stipulated in Article XX.98 WER.⁶ This statutory task means that the trustee is obliged to proceed with the sale of the assets that are still in the estate, in order to pay the debts of the bankrupt towards its creditors. The main thing is that the curator tries to sell at the highest possible price, which in a sense implies a commercial interest. Such a commercial interest can be a legitimate interest in accordance with recital 47 GDPR. This is also supported in Opinion 06/2014 of the Article 29 Data Protection Working Party. The first condition contained in Article 6.1, f) GDPR is therefore met.

27. In order to meet the second condition, it must be demonstrated that the

processing is necessary for the achievement of the objectives pursued. This

means in particular that the question must be asked whether the same result can be

achieved by other means without processing personal data or without

unnecessarily intrusive processing for the data subjects.

6 Art. XX.98 WER. The bankruptcy procedure aims to place the debtor's assets under the authority of a trustee who is responsible for managing and liquidating the bankrupt's assets and distributing the proceeds among the creditors.

7 Recital 47 states that the processing of personal data for the purposes of direct marketing may be considered to be carried out for the purposes of a legitimate interest. Direct marketing is thus an example of a commercial interest that is considered a legitimate interest. See also: the judgment of the European Court of Justice of 29 July 2019 (case C-40/17 Fashion ID).

8 Opinion 06/2014 on the concept of "legitimate interest of the controller" in Article 7 of Directive 95/46/EC: "The fact that the controller has such a legitimate interest in processing certain data does not mean that he can rely on Article 7(f) as a legal basis for the processing. The legitimacy of the interest of the controller is only a starting point, one of the elements to be analyzed under Article 7(f). Whether Article 7(f) can be used depends on the outcome of the ensuing balancing. For example, a data controller may have a legitimate interest in knowing the preferences of its customers so that it can better personalise offers and, ultimately, provide products and services that better meet the needs and wishes of its customers. In view of this, Article 7(f) may be an appropriate legal basis for certain types of marketing activities, both online and offline, provided that appropriate safeguards exist (including a usable mechanism to object to such processing in accordance with Article 14(b), as will be demonstrated in Section III.3.6 The right to object and beyond).” [own emphasis]

9 See also Decision on the merits 46/2024 of 15 March 2024.

28. The Dispute Resolution Chamber takes into consideration that in the present case there is a
relaunch of the football club by the defendant, as is apparent from the factual

elements cited in the defendant’s submission. This necessarily means a sale

of the football club in its entirety to the defendant with a view to continuing the

club. In order to be able to realise this restart, it is required and therefore necessary that the

membership file is also transferred to the acquiring club, in this case the

defendant. Without the contact details of the subscribers, in the present case limited to

first name, surname and e-mail address, the subscribers cannot be reached and

any restart after bankruptcy would in fact be made impossible. This leads to the

conclusion that the second condition of Article 6.1 f) GDPR has also been

met.

29. In order to determine whether the third condition of Article 6.1, f) GDPR - the

so-called "balancing test" between the interests of the controller, on the one hand, and

the fundamental freedoms and rights of the data subject, on the other - can be

met, the reasonable expectations of the data subject must be taken into account in accordance with

recital 47 GDPR. In particular, it must be assessed

whether “the data subject, at the time and in the context of the collection of the personal data,

may reasonably expect that processing for that purpose may take place” 10.

30. This is also emphasised by the Court in its judgment “TK v/ Asociaţia de Proprietari bloc

M5A-ScaraA” of 11 December 2019, in which it states:

“Also relevant to this assessment are the data subject’s reasonable expectations that his

or her personal data will not be processed if, in the given circumstances of the case, the

data subject cannot reasonably expect any further processing of the data”.

31. The Litigation Chamber examines whether the defendant’s interest is proportionate to the

impact it has on the fundamental rights and freedoms of the data subjects,

including the complainant. In this regard, the Disputes Chamber notes that it is established that the

statutory task of the trustee is to represent the interests of the

creditors. The trustee will therefore wish to achieve the highest possible proceeds by

selling the entire assets, including the entire membership base, of the

bankrupt to the restarter. After all, the membership base is to be

regarded as essential in the minds of the restarter, since having the

contact details of the subscribers forms the starting point for making a restart possible.

10 Recital 47 GDPR.
11 CJEU, 11 December 2019, C-708/18, TK v/ Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 58.

32. On the other hand, there is the interest of the subscribers to be able

to continue to have access to their personal data, so that they are not

transferred to a buyer – in this case, the defendant – without being informed of this and without being able to object

to it. However, it should not be forgotten that it falls within the normal expectations of the complainant that in the event of bankruptcy,

the trustee will proceed to sell the assets and the associated membership file in

order to facilitate the intended restart of the club. In this case, as is apparent from

the agreement dated 13 June 2018, the trustee has transferred the membership file in its entirety

to the defendant with a view to restarting the club. This restart is a fundamental element for the

Dispute Chamber in the balancing of interests. Such a restart

is also in the interest of the subscribers in the sense that if the initial

purpose is continued unchanged by the acquiring club and as a result of which

the impact on the data protection of the subscribers must be considered minimal,

it is aimed at ensuring that the subscriber can continue to enjoy

the benefits associated with membership.

33. It should also be taken into account that the data processing

relating to membership only concerns the registration of the first name, surname and

e-mail address. The impact on the complainant is therefore extremely small and the processing

of his personal data is limited to a minimum.

34. The above elements as a whole lead the Dispute Chamber to conclude that

the third condition has also been met and the transfer of the customer file by the receiver

to the defendant can be based on the legal basis of Article 6.1 f) GDPR,

which means that this incompatible further processing must be considered lawful within the meaning of Article 6 GDPR.

In that sense, the agreement drawn up by the receiver on 13 June 2018 also states that the defendant retains all rights and

obligations with regard to the former football club that was the subject of the bankruptcy. It is thus apparent from the factual elements of the file that

with regard to the acquisition of the personal data of the subscribers, including those

of the complainant, the defendant has taken over the rights and obligations of the former

bankrupt football club, including those concerning the database concerning the subscribers,

which means that it must be established that the complainant's data were

lawfully transferred to the defendant in accordance with Article 6 GDPR.

35. The question whether the receiver has complied with the obligation under Article 12 GDPR

in conjunction with Article 14 GDPR, in order to ensure transparent data processing, in

which the data subjects are provided with the necessary information, in particular

regarding their legitimate interest (Article 14.2 b) GDPR) and are informed of their

right to object (Article 14.2 c) GDPR) is not apparent from the

documents in the file. Since this point

is not the subject of the complaint and no elements were presented that indicate that the GDPR would have been violated on this point, the Dispute Chamber will not go into

this in more detail.

• Commercial mailing by the defendant

36. For the marketing services relating to the

supporter data, the defendant relies on Z 12, who, as also confirmed in the inspection report, acts as a

processor within the meaning of Article 4.8) GDPR and has already been engaged by the bankrupt

club and with whom the defendant has continued the collaboration. The

Dispute Chamber points out that the capacity of processor on the part of Z has remained unchanged

for the entire duration of the appointment to provide communication with the

supporters, subscribers of the club. When the original club was declared bankrupt,

the receiver took over the role of controller (see above) and

subsequently W BV became the controller pursuant to the transfer effected by the

receiver that took place on 8 June 2018, after which the

processing responsibility was definitively transferred to the defendant

pursuant to the cooperation agreement concluded on 13 June 2018.

37. Based on the documents, it appears that the defendant instructed the

processor Z, in accordance with the proposal drawn up by the processor at the request of

the defendant, to send an e-mail to the members of the bankrupt football club with

an invitation to create an account on the new online ticket platform in order to

be able to purchase season tickets and tickets, as well as with the October

2018 newsletter. According to the documents, the defendant, as the controller,

both in direct communication with the complainant and in the context of the

mediation procedure by the First Line Service, relies on its legitimate interest in contacting the

subscribers included in the membership file of the bankrupt club via the mailing sent

by the processor.

38. The Dispute Chamber points out that the legitimate interest of the defendant could serve as a

legal basis 13 for processing the identification data of the complainant as

recorded in the membership file for direct marketing purposes.

12 A private limited company under Dutch law
13 Article 6.

1. Processing shall only be lawful if and to the extent that at least one of the following conditions is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

[…]
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Recital 47 GDPR 14 expressly states that the processing of

personal data for direct marketing purposes may be considered to be

carried out for the purposes of a legitimate interest (Article 6.1 f) GDPR). This means that

the controller does not have to obtain the data subject's consent (Article 6.1 a) GDPR)

prior to processing for direct marketing.

39. In order to base the mailing to former subscribers on the legal basis

of a "legitimate interest", the three-part test mentioned above must also be

passed.

40. As regards the first condition (the so-called "purpose test"), the Dispute

Chamber is of the opinion that the purpose pursued by the defendant, which consists of contacting former

subscribers once by e-mail in order to offer them a subscription to the acquiring

club in a restart, can be regarded as a legitimate interest within the meaning of

recital 47 GDPR. Consequently, the first condition

contained in Article 6.1, f) GDPR has been met.

41. Regarding the second condition (the so-called "necessity test"), the

defendant has put forward arguments that make it plausible that the intended objective would not have been achieved on the basis of

alternatives that, according to the Inspection Service, would be less intrusive for the former

subscribers concerned than the mailing that was sent.

Where the Inspection Service refers to a media campaign and flyers, the

defendant points out that reaching all interested supporters cannot be achieved by a media campaign

(whereby the supporters who would not yet be aware of the offer would then

contact the defendant directly, which would not be feasible). Distributing flyers in the stadium is

also not an option according to the defendant, since the supporters must first be

informed about a match in order to be able to attend and then receive a flyer. In this respect, the defendant also points to the context in which

a football match takes place, where the vast majority of the supporters will in all

probability return home without a flyer and will therefore not be aware of

its content.

42. The Dispute Chamber is of the opinion that without the mailing in

question, the specific target group, namely all former season-ticket holders, cannot be reached. The

proposed alternatives would, after all, result in some of the

supporters not being reached when flyers are distributed in the stadium, while

a media campaign would also be aimed at persons who do not belong to the

target group at all. The second condition must therefore be considered to be met.

14 Recital 47 GDPR: […] The processing of personal data for the purpose of direct marketing can be regarded as being carried out in the interests of a legitimate interest.

43. In assessing the third condition, the so-called "weighing test", the

reasonable expectations of the former subscribers are paramount. It is established that the former subscribers,

as supporters of the former football club, were unmistakably aware of the

bankruptcy in which the club found itself, with the inherent possibility

that the club would be taken over.

44. The Dispute Chamber decides that the defendant is right to rely on the legal

basis contained in Article 6.1 f) GDPR to process the data as included in the

membership file for direct marketing purposes.

b) Transparency principle and information obligation

45. The defendant's right to process personal data for direct marketing purposes on the basis of his

legitimate interest is counterbalanced by the fact that the defendant must comply with the

objection that the data subject may at any time lodge against the processing of

personal data concerning him, without the data subject having to provide any

reasons (Article 21.2 GDPR and Article 21.3 GDPR).

Although the complainant indicates that he has not exercised his right to object,

the Dispute Resolution Chamber will examine to what extent the defendant has

complied with his information obligation under Article 12 in conjunction with Article 14

GDPR. After all, the information obligation on the part of the controller

stands alone as an obligation towards the data subjects from which the

right to transparent data processing arises for them (Article 5.1 a) GDPR).

46. As regards the information on the right to object (Article 14.2 c) GDPR): Article 21.4

GDPR 16 specifically and expressly stipulates that this option, separately from the other

information, must already be included in the first message to the data subject, in this case the

complainant. However, the message that is the subject of the complaint does not in any way make the right to object clearly

known to the complainant. Moreover, the e-mail message only contains the option to click on

"Unsubscribe" at the very bottom without any further explanation for the benefit of the data

subject. The

data subject must be given the opportunity in an understandable manner to exercise his right

to object to the processing of his data for the purpose of direct

marketing, regardless of whether it concerns initial or further processing, to object

at any time and free of charge to such processing, including in the case of profiling

to the extent that it relates to direct marketing. That right must be explicitly, clearly and

separately from other information, brought to the attention of the data subject.

16 Article 21.4 GDPR. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and presented clearly and separately from any other information.

marketing. The requirement to emphasise the right to object, which would put the data subject in a meaningful position to exercise this right, is completely missing. Simply offering a click on “Unsubscribe” cannot be considered as expressly and clearly drawing attention to the right to object, which would enable the data subject to assess with full knowledge of the facts what consequences are associated with this “Unsubscribe”. However, Recital 70 of the GDPR stipulates that this right must be explicitly, clearly and separately from other information, drawn to the attention of the data subject. In the absence of proper notification of this right to object to the complainant at the time he was first contacted, the defendant acted in breach of Article 21.4 of the GDPR.

47. As regards the other information (Article 14.1 and 14.2 GDPR) that the controller must provide, this provision (Article 14.3 b) GDPR) also requires that this is done at the latest at the time of the first contact with the data subject. The first message to the complainant does not contain any information as such either. At the very least, the first message should have contained a link to the privacy policy in which this information is included in an accessible, concise and clear manner. Such a link was not present in the e-mail message to the complainant and the report of the Inspection Service also indicates that the various privacy statements on the

[…] were not coordinated. Since the first message to the complainant does not contain the slightest

reference to the necessary information to ensure transparent data processing, there is an infringement of Articles 5.1 a), 12.1 and 14 GDPR.

c) Right of access

48. The complainant repeatedly informed the defendant that he requested that his request be followed up

to inform him of the origin of his data and the legal basis for processing them, without at any time requesting that

the data be erased. The defendant's response that the complainant's personal data were

erased cannot therefore be considered an appropriate response to the complainant's request to

find out in particular from the defendant how he obtained his personal data, indicating

the legal basis for the data processing on the part of the defendant, and in

general to obtain access to his personal data.

49. The Dispute Resolution Chamber establishes on the basis of the documents supporting the complaint that the complainant explicitly stated in his first request dated 3 October 2018 that he wanted to know how the defendant obtained his data and on what grounds they were processed, as well as that he wanted to have access to his personal data that the defendant had at its disposal.

17 See footnote 2.

50. However, no response was received from the defendant. On 7 November 2018, however, the complainant received another unwanted advertising e-mail from the defendant. On 8 November 2018 the complainant received the defendant's response to his first request stating that the complainant's data had been deleted. That same day, the complainant

replied by pointing out that his request was intended to obtain

access (origin, processing purposes, legal basis) to his

personal data, and not to have them erased. The defendant, in turn, states that

no data acquisition was carried out, but only a mailing was sent from the ticketing

and communication systems to all subscribers of the bankrupt football

club who had registered for this. Only after the intervention

of the First Line Service in the context of the mediation procedure that was

initiated by the complainant, the defendant explained on 11 December 2018

that the personal data of the former subscribers, including those of the

complainant, were obtained by purchasing the estate and all associated software

systems of the bankrupt club. Based on the data file thus obtained, the defendant wrote to the former subscribers in order to renew their subscription if desired, with the possibility to unsubscribe. The defendant states that his legitimate interest forms the basis for this.

51. These factual elements show that the complainant did not receive a response to the

separate elements pursuant to Article 15.1 GDPR to which the right of access as

exercised by him relates and where the statutory time limits as set out in Articles 12.3 and 12.4

GDPR were also not respected. As a result, the

defendant acted in breach of Articles 12.3 and 12.4 GDPR 18, as well as Article 15.1 GDPR 19.

18 Article 12 GDPR.

[…]

3. The controller shall provide the data subject with information on the action taken

pursuant to Articles 15 to 22 without delay and in any event within one month of receipt

of the request. Depending on the complexity and number of the requests, that period may be

extended by a further two months if necessary. The controller shall inform the data subject of any such extension within one month of receipt of the request. Where the data subject submits the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
4. If the controller does not comply with the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to comply,

and of the possibility of lodging a complaint with a supervisory authority or seeking judicial remedy.
19 Article 15 GDPR

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the period for which the personal data are expected to be stored, or, if that is not possible, the criteria for determining that period;
e) that the data subject has the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning him or her, as well as the right to object to such processing;
f) that the data subject has the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, all available information on the source of those data;
h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the relevant and expected consequences of such processing for the data subject.

[…]

d) Other findings

52. The defendant makes a general observation in the report of the Inspectorate that the

report refers to case-law and opinions dating from after the moment at which the

defendant received the membership list. According to the defendant, this is part

of the Data Protection Authority's progressive insight on which the

defendant could not rely at the time of the takeover of the bankrupt estate.

53. The Dispute Chamber takes this consideration into account in its decision in the sense that it

decides to limit the infringements established to the essence of the complaint, namely

the investigation of the legal basis, the requirement of transparent provision of information and

communication, as well as compliance with the rights of the person concerned. This does

not mean, however, that the Dispute Chamber may not take into account later rulings or

interpretations of the law.

III. Corrective measures and sanctions

54. With regard to the established infringement of Articles 5.1 a), 12.1, 14 GDPR and 21.4 GDPR,

as well as of Articles 12.3, 12.4 GDPR and 15.1 GDPR, the Dispute Resolution Chamber decides to

impose an administrative fine pursuant to its powers

based on Article 83 GDPR and Article 100, §1, 13° WOG.

55. On 24 May 2023, the EDPB adopted Guidelines 04/2022 for the calculation of

administrative fines under the GDPR 20 (hereinafter: the Guidelines) based

on Article 70, paragraph 1, e) GDPR. The Guidelines apply immediately, as they do not provide for transitional law for procedures that were already ongoing at the time of

the adoption of the Guidelines.

56. The Guidelines describe a methodology for determining the amount of the fine as follows:

Step 1: which and how many acts and infringements are subject to assessment;

Step 2: what amount forms the starting point for calculating the fine for the

infringements established (starting amount);

Step 3: which mitigating or aggravating circumstances, if any, arise that require an adjustment of the amount from step 2;

Step 4: which maximum amounts apply to the infringements and whether any

increases from the previous step do not exceed this amount;

Step 5: the assessment of whether the final amount of the calculated fine meets the

requirements of effectiveness, deterrence and proportionality, and if necessary is

adjusted accordingly.

20 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023),
https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_en_0.pdf.

57. The Dispute Chamber determines the size of the administrative fine on the basis of

this methodology. On 4 July 2024, the Dispute Chamber informed the

defendant via the sanction form that it intended to impose an administrative fine of

EUR 8,000. On 13 August 2024, the defendant submitted its response to the

sanction form to the Dispute Chamber. This will be discussed further below.

Step 1: Determining the acts and determining the infringements

58. In order to determine the starting amount of the fine, as described in the Guidelines, it must first be determined whether there is one or more sanctionable

acts. The starting point is that one and the same act can be formed by the same or

related processing activities. The term “related” refers to the principle that a single act can

consist of several parts that are performed with a single intention and that are so closely

related contextually (in particular with regard to identity of the data subject,

purpose and nature), in space and in time that they can be regarded, objectively, as

a single coherent act.

59. The infringements on the part of the defendant concern the non-compliance with the principle of transparency, the duty to provide information (Articles 5.1 a), 12.1, 14 GDPR and 21.4 GDPR) and the disregard for the right of access (Articles 12.3, 12.4 GDPR and Article 15.1 GDPR).

60. In application of the Guidelines, the Dispute Resolution Chamber explains below that the case at issue

involves circumstances that constitute one and the same conduct, but that conduct does not

only constitute one, but several infringements, whereby it must be established that the

attribution of one infringement excludes the attribution of another infringement. After all, the

conduct that gave rise to the complaint and from which the infringements referred to above

arose consists of sending the unsolicited e-mail to the complainant. In accordance with the principle of speciality 21, it is established that the

principle of transparency (Article 5.1 a) GDPR) as a basic principle forms an overarching concept that

is concretised in Article 12 GDPR in the form of an obligation to provide information on the

part of the controller, i.e. the defendant. Furthermore, the Guidelines refer to the consumption principle in cases where an infringement of one provision

regularly leads to an infringement of another provision, because one infringement

necessarily precedes the other. The Dispute Resolution Chamber thus concludes

that the lack of transparent information and communication (Article 5.1 a) and Article 12.1,

Article 14 and 21.4 GDPR) by the defendant led to the complainant subsequently

being denied the right of access, despite Article 12.3, 12.4 in conjunction with Article 15.1 GDPR.

61. The Dispute Resolution Chamber finds that these circumstances can be considered

as one and the same conduct constituting one or more infringements for which one

administrative fine is imposed.

Step 2: determining the starting amount

62. As described in the Guidelines, the starting amount of the

fine must then be determined. This starting amount forms the basis for the further

calculation in later steps, taking into account all relevant facts and

circumstances. The Guidelines state that the starting amount is determined on the basis of three

elements: i) the categorisation of the infringements according to Article 83, paragraphs 4 to 6, of the

GDPR; ii) the gravity of the infringement and iii) the turnover of the

company. These three elements are discussed below:

i) Categorisation of the infringements according to Article 83, paragraphs 4 to 6 of the

GDPR

63. As stated in the Guidelines, almost all obligations of the controller are

categorised in the provisions of Article 83, paragraphs 4 to 6 of the

GDPR. The GDPR distinguishes between two types of infringements. On the one hand, infringements that are punishable under Article 83(4) GDPR and for which a maximum fine of EUR 10,000,000 applies (or in the case of an undertaking, 2% of the annual turnover, whichever is higher), and on the other hand, infringements that are punishable under Article 83(5) and (6) GDPR and for which a maximum fine of EUR 20,000,000 applies

(or in the case of an undertaking, 4% of the annual turnover, whichever is higher). By means of this

distinction, the legislator has provided an initial indication in abstracto of the seriousness

of the infringement: the more serious the infringement, the higher the fine.

21 The principle of speciality (specialia generalibus derogant) is a legal principle that implies that a more specific provision (derived from the same legal act or different legal acts with the same legal force) takes precedence over a more general provision, even though both provisions have the same purpose. See in this regard Case C-10/18 P, Marine Harvest v Commission.

64. Since the Dispute Resolution Chamber finds that the defendant has infringed the transparency principle and the associated information obligation (Articles 5.1 a), 12.1, 14 GDPR and 21.4 GDPR), also ignoring the complainant's right of access (Articles 12.3, 12.4 GDPR and 15.1 GDPR), not only the basic principles of processing, but also the rights of the data subjects have not been complied with, which are fundamental and are therefore punishable in accordance with Article 83.5 a) and b) GDPR by an administrative fine of up to EUR 20,000,000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.

ii) Gravity of the infringement

65. In order to determine the gravity of the infringement, the

Guidelines require that account be taken of the nature, gravity and duration of the infringement,

as well as the intentional or negligent nature of the infringement and the categories of

personal data concerned.

66. Nature of the infringement – The Guidelines provide that the supervisory

authority may examine the interest to be protected by the provision infringed and the

place of this provision in the data protection framework. Transparency has long been an

important principle of EU law. Transparency should ensure that citizens have

confidence in the processes that affect them and help them to understand those processes,

for which they should be properly informed and, if necessary, to object to them. Transparency and the resulting obligation to provide information on the part of the controller enable data subjects to exercise their rights in relation to their personal data, in this case the right of access. Transparency must therefore be regarded as a fundamental principle of data protection and as an overarching concept that forms a whole with the information requirements and communication with data subjects about the exercise of their rights. Breaches of these core provisions therefore constitute serious infringements, which can be punished with the highest administrative fines provided for in the GDPR. 

22 Article 1 of the Treaty on European Union (TEU) stipulates that decisions shall be taken “as openly as possible and as closely as possible to the citizen”; Article 11(2) of the TEU states that “the institutions shall maintain an open, transparent and regular dialogue with representative associations and civil society”; and Article 15 of the Treaty on the Functioning of the European Union (TFEU) provides, inter alia, that citizens of the Union have the right of access to documents of the Union institutions, bodies, offices and agencies, with the aim that these Union institutions, bodies, offices and agencies ensure transparency in their work.

67. Seriousness of the infringement — The assessment of the seriousness of the infringement requires that the various elements set out in Article 83.2(a) of the GDPR be assessed:

68. As regards the nature of the processing, the Litigation Chamber notes that the

sending of the unsolicited mailing took place in the context of the sporting activity

specific to a football club. In this regard, the Litigation Chamber states that the defendant does carry out the

data processing within a recreational context, but that this does not

alter the fact that the defendant, like any other controller, must pay the necessary

attention to compliance with the provisions of the GDPR. The infringement must therefore

be considered neutral in terms of its nature.

69. As regards the scope of the processing, the EDPB Guidelines on

data protection impact assessments 23 recommend that, in addition to the number of

data subjects, the volume of data, the duration or the permanent nature of the

data processing, as well as the geographical scope of the processing, should be

taken into account in order to determine whether personal data are processed on a large

scale.

70. The present case concerns the personal data of one data subject, namely the complainant, and

based on the defendant's statement to the complainant, the mailing in question

was sent to 6,000 addressees. This was not refuted by the defendant who

acknowledges that the mailing led to a mass registration of former subscribers, which resulted in 3,000 people purchasing a subscription.

71. The volume of personal data is rather small, since it only concerns the first name and

surname and the e-mail address of the persons concerned.

72. The Dispute Chamber states that when assessing the scope of the

data processing, it must be taken into account that the processing is limited to a

defined set of personal data that only concerns the membership list of former subscribers and therefore

has no wider application, but the fact that several thousand people are nevertheless

involved cannot be ignored.

This is an important element for the Dispute Chamber that has an impact on the

amount of the fine.

73. With regard to the purpose of the processing, the Dispute Resolution Chamber finds that the

processing was solely aimed at continuing the membership of the former subscribers, and therefore not at monitoring the complainant, nor at personal characteristics of the

23 Guidelines for data protection impact assessments and determining whether processing is ‘likely to result in a high risk’ within the meaning of Regulation 2016/679, adopted on 4 April 2017, as amended and adopted on 4 October 2017, para. 5.

24 Article 29 Data Protection Working Party – Guidelines for data protection impact assessments and determining whether processing is ‘likely to result in a high risk’ within the meaning of Regulation 2016/679 (WP248, rev01, 4 October 2017), p. 12.

neither to assess the complainant nor to take measures with negative consequences for the

data subject. The processing of personal data does not constitute a core activity for

the defendant, but it is an important secondary activity in which, as the

defendant itself indicates, it is necessary to be able to reach the supporters by e-mail.

Consequently, the Dispute Chamber states that more weight should be given to the

infringements of the GDPR resulting from these necessary secondary activities.

74. Duration of the infringement – As regards the duration of the infringement, the Disputes Chamber notes that, despite the express request of the complainant on 3 October 2018 to obtain access to the personal data concerning him, the defendant did not give concrete effect to this request until 11 December 2018 following the mediation procedure at the First Line Service, through which the complainant was provided with information on the essential elements of his request for access, namely the origin of his data and the legal basis for the processing of the data. As regards the lack of transparency, including the provision of information and communication to the data subjects, the defendant only took measures to bring the privacy statement into line with the GDPR after the report of the Inspectorate on 1 December 2020.

75. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — The

Litigation Chamber recalls that “intent” generally includes both knowledge and

wilfulness with regard to the characteristics of a criminal offence, while “unintentional” means

that there was no intention to cause the infringement, although the

controller or processor has breached the duty of care prescribed by law.

In other words, two cumulative elements are required for an infringement to be

considered intentional, i.e., knowledge of the infringement and

wilfulness with regard to that act.

76. As regards the element of intentionality, the Litigation Chamber also recalls

that the Court of Justice has set a high threshold for an act to be

considered intentional.27 For example, in criminal cases, the Court of Justice has held that

there is “serious negligence” rather than “intent” when “the person liable

commits a serious breach of his duty of care which he should and could have

taken, taking into account his capacity, his knowledge,

25 Article 29 Data Protection Working Party – Guidelines on the application and setting of administrative

fines within the meaning of Regulation (EU) 2016/679 (WP253, 3 October 2017), p. 12.

26 See also EDPB – Binding Decision 1/2023 on the dispute submitted by the IE SA on data transfers by Meta Platforms Ireland Ltd (Facebook), paragraph 103, available at https://edpb.europa.eu/system/files/2023-05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_en.pdf.

27 See, inter alia, ECJ, 5 December 2023, Deutsche Wohnen, C-807/21, ECLI:EU:C:2023:950, paragraph 74 et seq. and the case-law cited therein.

his skills and with his individual situation”.28 Even though an undertaking

whose processing of personal data is at the core of its business activities

is expected to take sufficient measures to protect personal data

and to have a thorough understanding of its obligations in this regard, such a qualified

breach does not necessarily demonstrate that there has been an intentional infringement.29

77. In other words, this means that a controller may also be

punished with an administrative fine under Article 83 GDPR for conduct falling

within the scope of the GDPR, where the controller could not have been

unaware that its conduct constituted an infringement, regardless of whether it

was aware that it was infringing the provisions of the GDPR.30 The defendant argues in this regard that

the context of the situation and the specific circumstances must be taken into account, referring to

the initial period of the applicability of the GDPR, as well as the fact that the

transfer of the membership file took place in the context of a bankruptcy in which neither the

trustee nor the processor made any reservations about the transfer of the data or the

sending of commercial messages to the customer file. The

defendant argues that the GDPR had just entered into force at the time of the

takeover of the bankrupt estate and acknowledges that compliance with the GDPR was not the

first item on the agenda at that time. Furthermore, the defendant also points out that the initial period of

the application of the GDPR – which virtually coincided with the takeover of the

bankrupt estate – was accompanied by uncertainty and ambiguity due to the open

descriptions of the provisions in the GDPR, which also led to the fact that

none of the parties involved took the principles of the GDPR into account during the

transfer. The defendant emphasises that the non-compliance with the GDPR can be

entirely attributed to ignorance on his part, but certainly not to bad intentions. According to the

defendant, this is supported by the fact that the report of the Inspection

Service was followed up by making adjustments to, among other things, the privacy

statement which now provides the required information.

78. According to the Dispute Chamber, there are no elements in the file that indicate

the intention on the part of the defendant to deliberately infringe Articles

5.1 a), 12.1, 14 GDPR and 21.4 GDPR, as well as Articles 12.3, 12.4 GDPR and 15.1 GDPR, but there is

serious negligence. The Dispute Chamber notes that the

28 CJEU, 3 June 2008, C-308/06, Intertanko et al. (ECLI:EU:C:2008:312), paragraph no. 77.

29 See also EDPB – Binding Decision 2/2022 on the dispute arising on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, 28 July 2022, para. 204.

30 ECJ, 5 December 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), para. 76. See also ECJ, 18 June 2013, C‑681/11, Schenker & Co. et al. (ECLI:EU:C:2013:404), para. 37; ECJ, 25 March 2021, Lundbeck v. Commission, C‑591/16 P (ECLI:EU:C:2021:243), paragraph 156; and CJEU 25 March 2021, C‑601/16 P, Arrow Group and Arrow Generics v. Commission (ECLI:EU:C:2021:244), paragraph 97.

defendant disregards the fact that the GDPR provided for a transitional period

between its entry into force and the date on which the GDPR became applicable, being a

two-year period that was precisely designed to give controllers

sufficient time to comply by 25 May 2018, the date on which the

GDPR became applicable. In the opinion of the Dispute Chamber, the defendant has had ample time to make the necessary adjustments

in order to act in accordance with the GDPR, since, according to the information

available in the KBO, the defendant has been active since at least 2008, albeit under a different

name than that of the current club. The defendant cannot hide behind the

receiver or the processor in order to relieve itself of its responsibility in the event of

non-compliance with the GDPR. After all, the defendant has its own

accountability obligation in accordance with Article 5.2 of the GDPR. The Dispute Chamber is

prepared to show some leniency for the initial period in which the GDPR became

applicable, but it does concern important infringements of the GDPR for data

processing that constitutes an important secondary activity for the defendant, which

leads to the Dispute Chamber assigning an average weight to these infringements.

79. Categories of personal data to which the infringement relates (Article 83.2.g)

GDPR) — The processing at issue concerns only the processing of the first name, surname

and email address of the former subscribers of the bankrupt club, which do not

fall under the special protection provided by Articles 9 and 10 GDPR,

nor are likely to cause immediate damage or distress to the

data subject. Consequently, the Dispute Chamber considers this to be neutral for the determination

of the amount of the fine.

iii) Turnover of the undertaking

80. The Dispute Chamber specifies that the most recent annual accounts filed by the

defendant relate to 2022 and should therefore take into account the turnover figures for 2022.

Since the turnover figures were not included in the 2022 annual

accounts, the Dispute Chamber should use the gross margin for 2022 as an alternative. This gross margin is negative and amounts to -2369 EUR, while that of 2021

is positive and amounts to 558,356 EUR. However, the Dispute Chamber only bases its decision on the

most recently available figures, namely those of 2022.

iv) Conclusion starting amount

a. Theoretical starting amount (based on the gravity of the infringement)

31 Crossroads Bank for Enterprises

32 Consulted via the website of the National Bank of Belgium

81. On the basis of Article 83.5 of the GDPR, the maximum fine is EUR 20,000,000 or,

for an undertaking, up to 4% of the total worldwide annual turnover in the preceding

financial year, if this figure is higher, which is not the case here. Consequently, the

statutory maximum amount is EUR 20,000,000.

82. On the basis of the evaluation of the criteria set out above, the Litigation Chamber must

determine whether the infringement is considered to be of minor, medium or high seriousness. These

categories are without prejudice to the question of whether or not a fine may be

imposed. 33

83. This assessment is not a mathematical calculation in which the above-mentioned

factors are considered separately, but rather a thorough evaluation of the specific circumstances of the

case, in which all the above-mentioned factors are interrelated. Therefore, when assessing the

gravity of the infringement, the infringement as a whole must be considered. 34

▪ When calculating the administrative fine for infringements of minor

seriousness, the supervisory authority will set the basic amount for further calculation

at an amount between 0 and 10% of the applicable statutory maximum.

▪ When calculating the administrative fine for infringements of medium

seriousness, the supervisory authority will set the starting amount for further calculation

at an amount between 10 and 20% of the applicable statutory maximum.

▪ When calculating the administrative fine for infringements of high

seriousness, the supervisory authority will set the starting amount for further calculation

at an amount between 20 and 100% of the applicable statutory maximum. 35

84. As a rule, the more serious the infringement within the relevant category, the

higher the starting amount is likely to be. 36

85. The Dispute Resolution Chamber found that there was an infringement of Articles 5.1 a), 12.1,

14 GDPR and 21.4 GDPR, as well as Articles 12.3, 12.4 GDPR and 15.1 GDPR, which are included in the

infringements of Article 83.5 GDPR. The Litigation Chamber then made an analysis

33 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23, https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf.

34 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23, https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf.

35 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23.

36 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23.

of the nature of the infringement, the purpose, scope and duration of the processing, as well as
the categories of personal data processed and the negligent nature of the infringement. 37

86. Based on the previous assessments of the above circumstances,

the Litigation Chamber finds that the infringement falling within Article 83.5 GDPR is

of medium seriousness. In doing so, the Dispute Resolution Chamber takes particular account of the

considerable scale of the processing, the relatively long duration of the infringements and the

defendant's failure to act in accordance with the GDPR. Consequently,

the starting amount for further calculation must be set at an amount

between 10% and 20% of the applicable statutory maximum. The Dispute Resolution

Chamber decides to determine a theoretical starting amount of EUR 3,000,000, i.e. 15% of the

applicable statutory maximum amount of EUR 20,000,000 (Article 83.5 GDPR).

b. Adjustment of the starting amount based on the size of the undertaking

87. The Dispute Chamber must then examine whether the starting amount should be adjusted

based on the size of the undertaking. This adjustment applies

to undertakings to which the static statutory maximum applies, namely

when the undertaking achieved a turnover of less than EUR 500 million

in the previous financial year. Since this is the case in the present case, the fine must be

adjusted to the size of the economic power of the undertaking whose annual

turnover is less than EUR 2,000,000.

88. The Litigation Chamber has already explained that the infringement found falls under Article 83.5 of the GDPR and is of average severity. For infringements referred to in Article 83.5 of the GDPR, of average severity, applied to an undertaking with a turnover of less than EUR 2 million, the fine amounts to 0.2 to 0.4% of the starting amount, whereby the fine may not be less than EUR 6,000 or more than EUR 12,000. 38

89. Taking into account the minimum and maximum amounts per level set in the Guidelines, the relevant gross margin of the defendant and the factors listed in “III. Step 2”, the Litigation Chamber decides to set the final starting amount

of the established infringement (falling under Article 83.5 GDPR with average severity)
at EUR 9,000, i.e. 0.30% of the theoretical starting amount of

EUR 3,000,000.

Step 3: assessment of aggravating and mitigating circumstances

i) Assessment of the application of any aggravating or mitigating
circumstances

37 See paragraphs 95 to 102 of this decision.

38 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 52.

90. As stated in the Guidelines, it must then be assessed whether, in the

circumstances of the case, there is reason to set the fine higher or lower

than the starting amount specified above. The circumstances to be taken into

account are listed in Article 83(2) GDPR. Each of the

circumstances listed in that provision may be assessed only once. 39 The previous step

has already taken into account the nature, gravity and duration of the infringement 40, the

intentional or negligent nature of the infringement 41 and the categories of personal data. 42

This leaves parts c to f and h to k of Article 83(2)

GDPR.

91. Previous relevant breaches by the controller or processor

(Article 83.2.e) GDPR) – The Litigation Chamber takes into account that no other proceedings have been brought against the defendant to date. Referring

to the Guidelines, the Litigation Chamber states that the absence of previous breaches

should be considered neutral and cannot be considered a mitigating factor, as compliance with the GDPR is the norm. 43

92. The manner in which the supervisory authority became aware of the breach

(Article 83.2.h) – Since the Litigation Chamber became aware of the breach as a result

of a complaint, this element is considered neutral in accordance with the

Guidelines. 44

93. The extent to which cooperation has been provided with the supervisory authority to remedy the breach and to limit the possible negative consequences thereof (Article 83.2.f)

GDPR) — The Dispute Resolution Chamber notes that the defendant has cooperated.

Although the report of the Inspection Service establishes a breach of the duty to cooperate

(Article 31 GDPR) on the basis of the finding that, in the opinion of the Inspection Service,

the defendant did not respond promptly to the questions asked, but that, after

the intervention of the defendant's counsel, the questions that had remained unanswered

until then were answered and a timely answer was also provided to the additional

questions, the Dispute Resolution Chamber decides that this is sufficient to state that the

defendant has provided the required cooperation. In addition, the

Litigation Chamber finds, on the basis of the documents in the file, that the defendant has

39 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23.

40 See paras 95-98 of this decision.

41 See paras 99-101 of this decision.

42 See para. 102 of this decision.

43 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 32.

44 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 33.

given effect to the Inspection Service's findings not only by drawing up

a privacy statement and cookie statement in accordance with the GDPR, but also

every future e-mail sent by the defendant contains a link to the

privacy statement with a view to providing sufficient information. This measure is

such as to limit the negative consequences for the rights of the data subject, which

is therefore considered a mitigating factor.45

94. Other mitigating or aggravating circumstances – The other factual

elements in the file are not such that they should be taken into account as

mitigating or aggravating circumstances. The context in which the data file was obtained, i.e. the bankruptcy of the previous football club, as well as

the time of its acquisition, namely shortly after the GDPR came into effect, was already taken into account

above. The Litigation Chamber therefore decides to consider this

circumstance as neutral.

95. Finally, the Litigation Chamber points out that the other criteria of Article 83.2. GDPR

are not such that they lead to a different administrative fine than that which the

Litigation Chamber determined in the context of this decision.

ii) Impact on the amount of the fine

96. In paragraph 86, the specific starting amount was set at EUR 9,000. In the

following paragraphs, any mitigating or aggravating circumstances were

examined. The Dispute Resolution Chamber ruled that the circumstance as described in

Article 83.2.c) GDPR, namely the measures taken to limit the damage suffered by the persons

involved, can be taken into account as mitigating. The other

circumstances that can be taken into account must be assessed as neutral.

Consequently, the fine is set at EUR 8,000.

Step 4: Checking whether the maximum amounts have been exceeded

97. As explained above, the maximum fine for the infringements established is

EUR 20,000,000. The administrative fine that the Dispute Resolution Chamber

proposes in the present decision is well below the limit of this statutory

maximum amount.

Step 5: Assessment of the effective, proportionate and dissuasive nature

98. On the basis of Article 83.5. a) and b) GDPR, the Dispute Resolution Chamber may impose an

administrative fine for the infringements described above. As set out in the Guidelines, the imposition of a fine can be considered effective if it

45 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 32.

achieves the purpose for which it was imposed. That purpose may be, on the one hand, to

punish unlawful conduct and, on the other hand, to promote compliance

with the applicable rules. As regards the deterrent effect, the

Litigation Chamber states that the administrative fine aims, on the one hand, to discourage

repetition by the defendant and to induce him to take measures aimed at providing transparent

information that respects the rights of the data subject, in particular with regard to

communication by e-mail addressed to an entire membership file. On the other hand, the deterrent effect also applies to

other controllers, in particular those with similar sporting

activities, in order to evaluate the operation and, if necessary, take appropriate measures

to prevent similar infringements.46 In addition, the Litigation Chamber considers that the

administrative fine is proportionate in view of the nature, seriousness and duration of the infringement,

as well as the other factors in Article 83.2 GDPR as assessed in this decision. The

Litigation Chamber therefore finds that both objectives have been achieved and that the

administrative fine to be imposed is therefore dissuasive and proportionate.

99. All of the elements set out above justify an effective,

proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking

into account the assessment criteria specified therein.

46 Guidelines 04/2022 for the calculation of administrative fines under the GDPR (version 2.1), 24 May 2023, paragraph 142.