APD/GBA (Belgium) - 02/2025

From GDPRhub
Revision as of 16:43, 27 January 2025 by Jaslvl4
APD/GBA - DOS-2024-01344
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 10 GDPR
Article 12(1) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 24 GDPR
Article 32 GDPR
Article 10 Law of 30 July, 2018
Article 107 Law of 30 July, 2018
Article 128 Law of 30 July, 2018
Article 13 Law of December 11, 1998
Article 22 Law of December 11, 1998
Type: Complaint
Outcome: Upheld
Started: 05.03.2024
Decided: 07.01.2025
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2024-01344
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Décision quant au fond 02/2025 du 7 janvier 2025 (in FR)
Initial Contributor: jaslvl4

The data subject filed a complaint against their employer, the controller, for unlawful processing of personal data forming part of a disciplinary action against them. The Belgian DPA found breaches of Articles 5, 6, 10, 12, 15, 24 and 32 GDPR.

English Summary

Facts

On January 19, 2023, the controller’s security officer requested the National Security Authority (NSA) to extend the security clearance of the data subject, which was rejected by means of a reasoned decision on July 7, 2023 and communicated back to the controller’s security officer. The data subject and the governing body of the controller received the reasoned decision, which was then forwarded to the data subject’s hierarchical superior by the governing body of the controller. This triggered disciplinary investigations surrounding the data subject, referring to allegations of indecent assault on a minor.

On March 5, 2024, the data subject filed a complaint with the Belgian Data Protection Authority (APD) concerning the unlawful processing of their personal data by their employer, the controller. On March 27, 2024, the APD declared the complaint admissible, leading to the APD Contentious Chamber delivering a decision on the substance of the case.

Holding

The Chamber found multiple GDPR violations by the controller. Article 5(1)(a) was breached by processing the reasoned decision without a valid legal basis, 5(1)(b) by sharing it with unauthorised parties contrary to its originally intended purpose, and 5(1)(f) by failing to ensure confidentiality of the personal data. Since the processing of personal data related to criminal offenses, the controller additionally violated Article 10. The lack of necessity for processing under public interest grounds breached Articles 6(1)(c) and 6(1)(e). Furthermore, the controller violated Articles 12(1), (3), and (4) by failing to inform the data subject, delaying access requests, and improperly invoking judicial secrecy, along with Article 15 for denying a legitimate access request by the data subject. Finally, breaches of Articles 24(1), 25(1), and 32 were found due to the controller's failure to implement measures ensuring compliance, leading to the unauthorized sharing of personal data in the reasoned decision.

The controller was ordered to delete the unlawfully processed data, provide the data subject access to the requested personal data, and revise its internal policies for GDPR compliance by implementing the appropriate technical and organisational measures. Additionally, an administrative fine for GDPR non-compliance was imposed on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 02/2025 of 7 January 2025

File number: DOS-2024-01344

Subject: Complaint relating to the unlawful processing of personal data by an employer.

The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke HIJMANS, President, and Mr. Romain Robert and Mr. Christophe Boeraeve, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter “LCA”);

Having regard to the internal regulations as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019;

Having regard to the documents in the file;

Has taken the following decision concerning:

The complainant: X, represented by Mr Alexandre Cassart, hereinafter “the complainant”;

The defendant: The Belgian Institute Y, represented by Mr Mireille Buydens and Mr Charles Bernard, hereinafter “the defendant”.

I. Facts and procedure

1. On 5 March 2024, the complainant filed a complaint with the Data Protection Authority against the defendant.

2. The subject of the complaint concerns the unlawful processing of personal data.

3. On 24 October 2024, the hierarchical superior, after receiving the reasoned decision to refuse the extension of the complainant's security clearance (hereinafter, "reasoned decision"), informed him that a disciplinary investigation had been opened against him. This reasoned decision explicitly refers to the file currently being investigated by the Public Prosecutor (hereinafter, "Prosecutor") in which the complainant is suspected of indecent assault on a minor.

4. The granting and withdrawal of security clearances are governed by the law of 11 December 1998 relating to classification, security clearances, security certificates, security notices and the regulated public service (hereinafter, "law of 11 December 1998").[1]

5. On 19 January 2023, the security officer requested the National Security Authority (hereinafter, “NSA”) to extend the complainant’s security clearance.

6. On 7 July 2023, the NSA notified the defendant’s security officer of its refusal to extend the complainant’s security clearance (hereinafter, “notification of the decision”) (Exhibit 2), attached the reasoned decision (Exhibit 1) and requested the security officer to communicate it to the latter.[2]

7. On 24 July 2024, the complainant received the reasoned decision, in accordance with Article 22 paragraphs 3 and 5 of the Law of 11 December 1998.

8. At the time of the facts,[3] the security officer was responsible for monitoring the elements relating to security clearances that could lead to their review.[4] As part of this obligation, he shall report to his senior official,[5] the Council of the defendant,[6] by communicating to him the reasoned decision.

[1] The case in question concerns a decision to withdraw security clearances; the terms of their granting will not be addressed in this decision.

[2] Article 22, paragraphs 3 and 5 of the Law of 11 December 1998.

[3] Article 13/1 of the Law of 11 December 1998 was repealed on 31 December 2023; it stipulated: “Art. 13/1. The persons referred to in Article 13, 1°, are in particular responsible for:
a) on the one hand, the application and monitoring of the security policy and the protection of classified information or, on the other hand, the monitoring of security certificates or security notices;
b) monitoring, in particular for the mention of elements relating to persons who have received a security notice, a security certificate, or a security clearance, and which may lead to a review of this security notice, security certificate, or this security clearance.
The King may entrust security officers with other missions respectively in the area of security clearances and the protection of what has been classified in accordance with Article 3, § 1, and in the area of security notices or security certificates.
The security officer shall carry out his or her duties in complete independence. He shall report to the senior official of public administrations, public interest bodies or autonomous public companies, or to the head of the respective body of the public prosecutor referred to in Article 13, d), or to the head of a legal entity under private law. He shall inform the authority referred to in Article 15, paragraph 1, where this is provided for.”

[4] Article 13/1 of the Law of 11 December 1998.

9. In turn, the Council of the defendant shall communicate the reasoned decision to the complainant's hierarchical superior so that he may initiate a disciplinary investigation against the latter.

10. Finally, the defendant's Council communicates the reasoned decision to its lawyers to request access to the file currently being investigated by the Prosecutor.

11. On 27 March 2024, the complaint is declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.

12. On 3 May 2024, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits. Pursuant to Article 92, 1° of the LCA, the Litigation Chamber will make a decision on the merits with regard to the subject matter of the complaint.

13. On 15 May 2024, the parties concerned are informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their conclusions. The grievances noted by the Litigation Chamber relate to alleged violations of the following articles:

- Alleged violation of Articles 5.1.a), 6 and 10 of the GDPR, due to the absence of a legal basis providing for the processing of the complainant's judicial data, which led to the opening of disciplinary proceedings against him.

- Alleged violation of Articles 5.1.b) and 6 of the GDPR, due to the lack of information relating to the compatibility of the purposes of the processing concerned, namely on the one hand, the transmission of the reasoned decision to the defendant’s Council and on the other hand, the transmission of this decision to the complainant’s hierarchical superior.

- Alleged violation of Articles 12.1, 12.3, 12.4 and 15 of the GDPR, due to the refusal to comply with the complainant’s exercise of the right of access for reasons that would fall under the exception of Article 23.1.d) of the GDPR.

- Alleged violation of Articles 5.1.f) and 32 of the GDPR, due to the lack of appropriate technical and organisational measures to guarantee confidentiality of the personal data of the complainant, by sending the reasoned decision to his hierarchical superior.

- Alleged violation of Articles 5.2, 24.1 and 25.2 of the GDPR, due to the breaches of the responsibilities mentioned above, which resulted in the transmission of the reasoned decision, the opening of disciplinary proceedings against the complainant, and the transmission of a file to the Public Prosecutor.

[5] Ibid.

[6] The Council of the defendant is the executive body of the defendant, a public interest body with legal personality.

[7] Article 90.1 of the Royal Decree of [date] (hereinafter, “Administrative Status”).

For the findings relating to the subject matter of the complaint, the deadline for receipt of the defendant's submissions in response was set at 26 June 2024, that for the complainant's submissions in reply at 24 July 2024 and finally that for the defendant's additional summary submissions at 21 August 2024.

14. On 29 May 2024, the defendant requested a copy of the file (art. 95, §2, 3° LCA), which was sent to it on 10 June 2024.

15. On 26 June 2024, the Litigation Chamber received the defendant's submissions in response with regard to the findings relating to the subject matter of the complaint.

16. On 23 July 2024, the Litigation Chamber received the complainant’s submissions in reply with regard to the findings relating to the subject matter of the complaint.

17. On 13 August 2024, the Litigation Chamber acknowledged receipt of the defendant’s request to include the NSA as an interested third party. On the same day, the Litigation Chamber invited the defendant to support its request by providing evidence demonstrating that the NSA would be likely to suffer personal, direct, certain, current and legitimate harm as a result of the proceedings on the merits.

18. On 20 August 2024, the Litigation Chamber receives the additional summary submissions from the defendant concerning the findings relating to the subject matter of the complaint.

19. On 12 September 2024, the Litigation Chamber receives the defendant’s arguments regarding the involvement of the NSA as an interested third party.

20. On 18 September 2024, the Litigation Chamber considers that it has not received sufficient arguments indicating that the NSA would be likely to suffer personal, direct, certain, current and legitimate harm as a result of the ongoing proceedings and decides not to invite it as an interested third party.

II. The decision to refuse to extend the security clearance

21. The Litigation Chamber considers it important to detail the legal framework for this refusal to extend the complainant’s security clearance.

22. In view of the flagrant interference of security investigations in the privacy of the persons concerned, the legislator has regulated their withdrawal by the law of 11 December 1998, in accordance with Article 8.2 of the Charter of Fundamental Rights of the European Union (hereinafter, “Charter”).[8] It follows that the law of 11 December 1998 consists of an official authorisation to access classified data within the limits provided for by this law.

23. When the NSA decides, on the basis of a security investigation, not to extend a security clearance, it notifies the person concerned, through the intervention of the security officer, attaching the reasons thereto. This obligation to notify the reasoned decision to the person concerned, de jure excludes any other recipient.[10]

24. The obligation of the security officer under Article 13/1 of the Law of 11 December 1998 implies [11] monitoring individuals subject to security clearance in order to detect in time worrying changes such as radicalisation and to communicate them to the NSA.[12]

25. This same article obliges the officer to report, to the leaders of the administrative authority to which the latter is attached, new elements or irregularities as mentioned in the previous point to his managers.

III. Motivation

III.1. As for the alleged violation of Articles 5.1.a), 6 and 10 of the GDPR

III.1.1. Position of the complainant

26. In this case, the complainant considers that the opening of the disciplinary investigation is the result of a chain of five processes:

- Processing 1): The initial collection of his personal data by the NSA;

- Processing 2): Communication of the reasoned decision attached to the notification of the decision by the NSA to the defendant’s security officer;

- Processing 3): Communication of the reasoned decision by the defendant’s security officer to the defendant’s Council;

- Processing 4): Transmission of the reasoned decision by the defendant’s Council to the complainant’s hierarchical superior; and

- Processing 5): Communication of the reasoned decision by the defendant’s Council to the defendant’s lawyer.

[8] Doc. Parl., Chamber of Representatives, 1193/1, p. 2.

[9] Article 22, paragraphs 3 and 5 of the law of 11 December 1998.

[10] Article 22.3 of the law of 11 December 1998.

[11] The article was repealed on December 31, 2023. It stipulated that: "Art. 13/1. The persons referred to in Article 13, 1°, are in particular responsible for:
a) on the one hand, the application and control of the security policy and the protection of classified information or, on the other hand, the monitoring of security certificates or security notices;
b) monitoring, in particular for the mention of elements relating to persons who have received a security notice, a security certificate, or a security clearance, and which may lead to a review of this security notice, security certificate, or this security clearance.
The King may entrust security officers with other missions, respectively, in matters of security clearances and the protection of what has been classified in accordance with Article 3, § 1, and in matters of security notices or security certificates. The security officer shall carry out his duties in complete independence. He shall report to the official in charge of public administrations, public interest bodies or autonomous public companies, or to the head of the respective body of the public prosecutor referred to in Article 13, d), or to the head of a legal person under private law. He shall inform the authority referred to in Article 15, paragraph 1, where this is provided for." See also: Parliamentary Proceedings, 55K2443, Article 12

[12] Parliamentary Proceedings 54K2767/001, Article 3.

27. Furthermore, the complainant considers that the reasoned decision concerns a suspicion of an offence, which, according to him, is incontestably of a criminal nature even if it is not established in this case. Referring to the judgment of the Court of Justice of the European Union (hereinafter, “CJEU”) of 24 September 2019,[13] the complainant considers that these data fall within the scope of Article 10 of the GDPR and benefit from its additional protection.

28. As to the lawfulness of processing operations 1) and 2), the complainant claims that they are based, respectively, on the legal obligations arising from Articles 16 and 22 of the Law of 11 December 1998, in conjunction with Article 110 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter, “Law of 30 July 2018”). He considers the basis of these processing operations on Article 6.1.c) of the GDPR to be justified and therefore processing operations 1) and 2) to be lawful.

29. As for processing 3), the complainant assumes that the defendant bases it on the need for the security officer to report to his hierarchical superior, as prescribed by Article 13/1 of the Law of 11 December 1998. However, he considers this provision not clear, precise and foreseeable. Furthermore, the complainant considers that the purpose pursued by this legal obligation does not correspond to that invoked by the defendant, namely, the adoption of appropriate organizational measures against him.

30. As for processing 4), the complainant considers that Articles 10 §1.1 and 10 §1.3 of the Law of 30 July 2018 cannot be invoked, in the present case, to justify the processing of judicial data within the meaning of Article 10 of the GDPR. First, the complainant claims that the authorisation arising from the legal obligation to manage its own litigation is an ex post authorisation of the processing. The dispute between the defendant’s Council and the complainant only arose after the disputed processing. Next, not having been informed of such exchanges concerning his data, the complainant claims not to have been aware of a dispute with the defendant at the time of the processing. The complainant considers that this lack of information would make it impossible to base the processing 4) on grounds of public interest for the performance of tasks of general interest.

[13] CJEU, 24 September 2019, judgment GC., AF, BH, ED v. Commission nationale de l’informatique et des libertés (CNIL), C-136/17, paragraph 72.

31. As for the processing 5), the complainant assumes that the defendant bases it on its legal obligation to conduct an urgent and thorough investigation arising from Article 90 of the Royal Decree of [date] (hereinafter, “Administrative Status”), governed by the general principle of reasonable time. However, the complainant refers to a letter from his hierarchical superior which specifies that in the event of criminal action, the disciplinary procedure is suspended [15] and to Article 93 of the Administrative Status which provides for the suspension of the investigation in the event of an investigation.

III.1.2. Position of the defendant

32. First, the defendant considers that the reasoned decision is not judicial data within the meaning of Article 10 of the GDPR since it refers to a suspicion of a criminal offence. To this end, it emphasizes that Article 10 of the GDPR has a narrower scope of application than its counterpart in Directive 95/46/EC. The defendant considers the relevance of the case law invoked by the complainant to be limited. In any event, the defendant considers that the processing would have been in accordance with Article 10 §1 of the law of 30 July 2018 for the management of its litigation opposing it to the complainant and with Article 10 §3 of this same law as being necessary for the management and operation of a public interest body charged by the law of [date] (hereinafter, "regulator's law") with a public interest mission.

33. Secondly, the defendant argues that the Litigation Chamber has no jurisdiction to consider the processing operations 1) to 3) following a combined reading of Articles 107 and 128 §1 of the Law of 30 July 2018 granting Standing Committee R the jurisdiction to monitor the processing of personal data carried out by the security authorities as understood by Article 107, 1° of the Law of 11 December 1998.

34. In the alternative, the defendant considers the five processing operations to be lawful. As pointed out by the complainant, processing operations 1) and 2) are based on Articles 16 and 22 of the Act of 11 December 1998.

35. Concerning processing operation 3), the defendant considers it necessary for compliance with the legal obligation, arising from Article 13/1 of the Act of 11 December 1998, of the security officer to report to his/her managing official, the Council of the defendant, to notify sensitive information, new elements or irregularities concerning individuals who have received or are to receive authorisation. In this sense, the defendant emphasizes that the reasoned decision is in line with this obligation, requiring that the defendant’s Council take the necessary and appropriate measures in view of the nature of the security threat that justified this decision. The defendant adds that the reasoned decision does not contain classified information, as understood by Article 22.5 of the law of 11 December 1998 and that, as a result, they may be communicated by the security officer to the defendant’s Council.

[14] Royal Decree of [date].

[15] C.E., 21 December 2023, No. 258.302, pp. 15 and 16.

[16] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[17] Law of [date].

36. Concerning processing 4), the defendant considers that it pursues two distinct purposes, on the one hand compliance with its procedural rules (purpose corresponding to Article 6.1.c) of the GDPR), and on the other hand the management of its disciplinary disputes (purpose corresponding to Article 6.1.e) of the GDPR). The defendant considers that processing 4) is necessary to comply with its procedural rules in disciplinary matters as provided for in Article 90 of the Administrative Statute. This clear and precise legal standard of Belgian law would leave the defendant's Council no other choice than to transmit the reasoned decision to the complainant's hierarchical superior, the only one authorised to open a disciplinary investigation.

Secondly, the defendant explains that the Administrative Status is incumbent on it to carry out disciplinary functions relating to its statutory agents, which involve processing that can be justified on the basis of Article 6.1.e) of the GDPR. The defendant adds that since the disciplinary procedure is carried out by the hierarchical superior of the person concerned, the latter must be able to assess any fact that could result in a disciplinary measure as part of its urgent and in-depth investigation.[18]

37. Finally, the defendant considers that processing 5) is lawful and is based on the same legal bases as processing 4), namely Articles 6.1.c) and 6.1.e) of the GDPR. The defendant explains that the case law of the Council of State [19] imposes on it the obligation to exercise all possible diligence in the context of these disciplinary investigations, including contacting the Prosecutor in order to obtain access to the criminal file of the person concerned in order to establish the materiality of the facts likely to give rise to a disciplinary sanction.

III.1.3. Position of the Litigation Chamber

38. As a preliminary matter, the Litigation Chamber notes that neither the defendant nor the complainant contests the lawfulness of processing 1) and 2).

[18] Article 90.1 of the Administrative Statute.

[19] C.E., 12 April 2016, no. 234,333, Wuyard. C.E., 26 June 2013, no. 224,141, Brosse. C.E., 29 February 2000, no. 85,745, Van Mullen. C.E., 27 June 2017, no. 238,626, Virentin. C.E., 2 May 2016, no. 234,616.

39. Furthermore, these processing operations are carried out by the NSA, a security authority integrated into the State Security, and do not fall under the provisions of the GDPR as understood by Article 2.2.a).

40. Therefore, the Litigation Chamber considers that these processing operations fall within the competence of the Standing Committee R and will not be analysed in this decision.

41. As a preliminary point, it is necessary to establish whether the reasoned decision falls within the scope of Article 10 of the GDPR.

42. The latter requires, in a non-cumulative manner, that the processing of personal data relating to criminal convictions, offences or related security measures be carried out under the control of the public authority or that they are regulated by Union law or by Belgian law, in this case the law of 30 July 2018.

i. Articles 2, 4.1 and 4.2 of the GDPR

43. It is important for the Litigation Chamber to establish whether the reasoned decision falls within the definition of Article 4.1. of the GDPR, and if the processing operations, as identified in point 26 of this decision, fall within the material scope as defined by Article 2 of the GDPR.[24]

Processing of personal data

44. In this case, the complainant is identifiable on the basis of his first and last name, which are included in the reasoned decision, which qualifies it as personal data within the meaning of Article 4.1. of the GDPR.

45. Consequently, its communication by the security officer to the defendant’s Council constitutes “processing”, within the meaning of Article 4.2. of the GDPR.

Material scope of the GDPR

46. Secondly, it is important to note that the communication of the reasoned decision falls within the definition of the material scope of Article 2.1 of the GDPR and is not excluded from the GDPR by the exceptions in its Article 2.2.a) and d).

47. On the one hand, Article 2.2.a) of the GDPR,[25] read in the light of recital 16, excludes from the scope of the GDPR the processing of personal data carried out by the state authorities in the context of an activity aimed at preserving national security or an activity which may be classified in the same category.[26]

[20] Article 1ter of the Law of 11 December 1998.

[21] Doc Parl., Chamber of Representatives, (…), 2017/2018, p.152.

[22] Article 128 of the Law of 30 July 2018.

[23] Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data.

[24] Article 4.2. of the GDPR must be read in the light of recital 26, which provides for taking into account all the means reasonably likely to be used to identify a data subject.

[25] Article 2. "This Regulation shall not apply to the processing of personal data carried out: (a) in the context of an activity which does not fall within the scope of Union law;….".

48. In addition, processing operations 3), 4), and 5) are carried out by the regulator of the Belgian Institute Y, a public interest body with legal personality,[27] in the context of activities relating to the management of its personnel. Consequently, these processing operations are not excluded from the GDPR by Article 2.2.a).

49. On the other hand, Article 2.2.d) of the GDPR [28] excludes from the GDPR the processing of data protected by Directive 2016/680 of 27 April 2016, as transposed in Title II of the law of 30 July 2018.

50. This Title II applies to data processing carried out by the competent authorities,[30] for the purposes of preventing, detecting, investigating and prosecuting criminal offences or enforcing criminal penalties.[31]

51. Although the regulator’s law grants inspection powers to the defendant, these do not fall within the purposes set out above.

52. The first condition is not met. The conditions of application of Title II of the law of 30 July 2018 being cumulative, the Litigation Chamber considers that it is not necessary to analyse the second and decides that processing 3) to 5) is not excluded from the GDPR by its article 2.2.d).

ii. Article 10 of the GDPR

53. It is first necessary to assess whether the reasoned decision can be qualified as “judicial data” in the sense of “personal data relating to criminal convictions and offences or related security measures”.[32]

54. In a second step, the Litigation Chamber will seek to verify whether the security officer and the defendant's Council are among the entities authorized to process judicial data as provided for by the exceptions of Article 10 of the GDPR and Article 10 of the law of July 30, 2018.

[26] CJEU, 12 June 2021, judgment Latvijas Republikas Saeima, C-439/19, paragraph 66.

[27] Article 13 of the Regulator's Law.

[28] Article 2.2.d): “[…]2. This Regulation shall not apply to the processing of personal data carried out: […] (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”.

[29] Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

[30] Article 26 §7 of the Law of 30 July 2018.

[31] Article 27 of the Law of 30 July 2018.

[32] Article 10 of the GDPR.

“Judicial data”

55. The Litigation Chamber recalls that the reasoned decision explicitly mentions the

Prosecutor’s file in which the complainant is suspected of indecent assault on a minor.

56. In this regard, the Litigation Chamber refers to judgment C-136/17 of the CJEU 33 which explains

that “information concerning a judicial procedure conducted […] such as that

reporting on his indictment or the trial […] constitutes data relating to

“offences” and “criminal convictions” within the meaning of the first

subparagraph of Article 8(5) of Directive 95/46 and Article 10 of Regulation 2016/679”.

57. It follows that the CJEU intends to include in the scope of Article 10 of the GDPR

suspicions of criminal offences when they are the subject of a file currently being

investigated by the Prosecutor.

58. The reasoned decision contains, in the present case, judicial data as

understood by Article 10 of the GDPR insofar as it includes data relating to the

file currently being investigated by the Prosecutor in which the complainant is a suspect.

On the processing of judicial data

59. As explained in point 54, it is appropriate for the Litigation Chamber to assess whether the security

officer and the defendant’s counsel are exceptionally authorised to process judicial

data as understood by Article 10 of the GDPR and Article 10 of the Law of 30

July 2018.

60. The Litigation Chamber emphasises that a combined reading of the second exception

of Article 10 of the GDPR and Article 10 §1, 3 of the Law of 30

July 2018 authorises the security officer to carry out such processing when it is

necessary for reasons of public interest important for the performance of

tasks of general interest entrusted by or under a law.

61. In this case, a combined reading of Articles 13/1 and 22, paragraph 3 of the Law of 11 December 1998, as analyzed in Title II of this decision, requires the security officer to communicate the reasoned decision to the person concerned, to the de jure exclusion of the defendant’s counsel.

62. It follows that the Law of 11 December 1998 does not authorize the security

officer to transmit the reasoned decision to the defendant’s counsel.

63. The communication of the reasoned decision by the security

officer to the defendant’s counsel therefore goes beyond the scope of the exception provided for in Article 10 §1, 3 of the Law of 30
July 2018 and renders the processing 3) illegal due to the absence of a legal basis.

33 CJEU, judgment of 24 September 2019, GC v. CNIL, C-136/17, paragraph 72.

64. The Litigation Chamber concludes that Articles 5.1.a), 6 and 10 of the GDPR are violated.

65. Consequently, since the original communication under processing 3) of the reasoned decision

has no legal basis, the Litigation Chamber considers that processing 4) and 5)

are also unlawful for the same reasons.

66. For the sake of completeness, the Litigation Chamber notes that communicating only the notification of the decision, that is, without its reasoning, by the security officer and the Counsel for the defendant could, prima facie, have been a less intrusive means for the fundamental rights and freedoms of the complainant of achieving the purposes of processing 3), 4) and 5).

III.2. As for the alleged violation of Articles 12.1, 12.3 and 12.4 and 15 of the GDPR

III.2.1. Position of the complainant

67. The complainant considers that, in accordance with Article 15.4 of the GDPR as interpreted by the CJEU 34 in its judgment of 4 May 2023, it is possible to obtain a copy of entire documents, when this copy proves essential to enable the data subject to exercise the rights he or she holds under the GDPR. It is essential for him or her to obtain a copy of the full content of the correspondence exchanged between the defendant and the Prosecutor in order to understand and, if necessary, contest the processing of his or her personal data.

68. Furthermore, the complainant considers that the defendant is not called upon to provide any assistance

to the information, firstly because access to the criminal file was

refused by the Prosecutor and secondly because Article 93 of the Administrative

Status requires the suspension of disciplinary proceedings while criminal proceedings are

underway. Next, the complainant considers it important to recall that information, in

accordance with Article 28bis, §1 of the Code of Criminal Procedure (hereinafter,

“C.i.c.”), refers to all the elements of the acts intended to

investigate offences, perpetrators and evidence, and to gather

elements useful for the exercise of public action. The letter sent by the

defendant’s lawyer to the Prosecutor does not in any way correspond to an act of investigation. Thus, the

correspondence exchanges to which the complainant seeks access do not fall within the scope of

information and are not covered by its secrecy.

III.2.2. Position of the defendant

69. The defendant considers that the correspondence with the Prosecutor falls within the scope of Article 23 of the GDPR through Article 28quinquies, §1, of the C.i.c., which provides that “except for the exceptions provided for by law, information is secret. Any person who is called upon to provide professional assistance with the information is bound by secrecy.”

34 CJEU, 4 May 2023, judgment in F.F. v. Österreichische Datenschutzbehörde, C-487/21, paragraphs 21 to 45.

70. In addition, the defendant argues that the right of access to a copy under Article 15.3 of the

GDPR does not entail the right for the data subject to obtain a copy of the

original document but only to obtain a copy of these data. It concludes that it is

not under an obligation to provide a copy of the correspondence addressed to the

Prosecutor and that the complainant’s request for access consists of an attempt to

misuse the purposes of the right of access under Article 15 of the

GDPR in order to interfere with the judicial information and the disciplinary

investigation conducted by the defendant. It adds that a copy of an

extract from a document or of an entire document can only be required when the

contextualisation of the data processed is necessary to ensure its intelligibility. In this

sense, the present case constitutes the best evidence of the complainant’s knowledge of the

data contained in the correspondence with the Prosecutor.

III.2.3. Position of the Litigation Chamber

71. The Litigation Chamber will, on the one hand, assess whether the defendant can

legitimately justify its refusal to comply with the complainant’s request for access on the basis

of Article 23 of the GDPR and, on the other hand, will assess the requirements of Article 15.3 of the

GDPR and the complainant’s right to obtain a copy.

i. Article 15 of the GDPR

72. Under Article 15.1 of the GDPR, the data subject has the right to obtain from the

controller confirmation as to whether or not personal data concerning him or

her are being processed. Where they are processed, the data subject has the

right to obtain access to said data as well as to a series of information listed in

Article 15.1.a) to h) of the GDPR.

73. The Litigation Chamber recalls that the right of access constitutes an essential requirement of the right to data protection, since it constitutes the "gateway" that allows 35 the exercise of the other rights conferred by the GDPR to the data subject.

74. Pursuant to Article 12.1 of the GDPR, it is the responsibility of the data controller to take "appropriate

measures to provide any information referred to in Articles 13 and 14 and to

make any communication under Articles 15 to 22 and Article 34 concerning

the processing to the data subject in a concise, transparent,

intelligible and easily accessible manner, in clear and plain terms [...]."

ii. Article 23 GDPR

35 CJEU, 12 January 2023, judgment Österreichische Post AG, C-154/21, pts 37 and 38.

75. Article 23 GDPR provides that, under Union law or the law of a Member State,

the application of the rights listed in Articles 15 to 22 and 34 GDPR may be limited by

complying with the conditions set out in that article. The provisions of Article 23 GDPR

aim to strike a balance between these rights and other legitimate interests in a democratic

society. To this end, restrictions on the aforementioned rights are possible

provided that the following conditions are met:

- First: the derogation must be provided for by a legislative measure;

- Second: the derogation must pursue one of the grounds listed in the exhaustive list 36 of Article 23.1 of the GDPR;

- Third: the derogation must respect the essence of the

fundamental rights and freedoms;

- Fourth: the derogation must be a necessary and proportionate

measure in a democratic society (proportionality test);

- Fifth: the legislative measure must contain specific

provisions relating to certain characteristics of the processing in question. 37

36 Namely:

(a) national security;

(b) national defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including in the monetary, budgetary, taxation, public health and social security fields;

(f) the protection of the independence of the judiciary and of judicial proceedings;

(g) the prevention, detection, investigation and prosecution of breaches of the ethics of regulated professions;

(h) a task of control, inspection or regulation linked, even occasionally, to the exercise of official authority, in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or of the rights and freedoms of others;

(j) the enforcement of civil law requests.

37Article 23.2: In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions relating to, at least, where appropriate:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) safeguards to prevent misuse or unlawful access or transfer;

(e) the identification of the controller or categories of controllers;

(f) the applicable retention periods and safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed of the restriction, unless this risks prejudicing the purpose of the restriction.

The exemption provided for by a legislative measure

76. Concerning the first condition, a legislative measure does not necessarily have to be a law in the formal sense; any sufficiently clear and precise legal standard, the application of which is foreseeable for any person concerned, is sufficient.38

77. In this case, the defendant invokes the exemption provided for by the C.i.c., a law that

provides for a limitation to the right of access through the secrecy of criminal information in its

Article 28quinquies.

78. Article 28bis C.i.c. establishes a list of acts included in the information and derogating from the

right of access, namely “all acts intended to search for offences, their perpetrators

and evidence, and to gather elements useful for the exercise of public action.”.

79. In this case, the personal data constituting the subject of the complainant’s request for access

consists of the correspondence between the defendant and the Prosecutor.

80. The Prosecutor’s refusal to grant the defendant access to the case file under investigation on the basis

of this Article 28quinquies is an indication that this correspondence is not useful for

the exercise of public action. On the contrary, it appears to be similar to a request

for information about the case file under investigation, which was refused on the basis of the

investigation secrecy of Article 28quinquies of the C.i.c.

81. The Litigation Chamber understands prima facie that nothing in the correspondence between the

defendant and the Prosecutor relates to the investigation and concludes that it does not consist of an

act as understood by Article 28bis of the C.i.c.

82. As a result, the justification for refusing the complainant’s request for access does not satisfy the

first condition of Article 23 of the GDPR.

83. Consequently, the Litigation Chamber does not consider it necessary to continue its

analysis of Article 23 of the GDPR and concludes that the request for access cannot be

refused on the basis of this article.

iii. Article 15.3 of the GDPR

84. As a preliminary point, the Litigation Chamber recalls that a refusal to follow up on the

request for access to a copy must be based on the result of a balancing exercise of

interests as provided for in Article 15.4 of the GDPR and not on the grounds that the complainant

would not demonstrate that the contextualisation of the data processed is

necessary to ensure its intelligibility. The Litigation Chamber considers the interpretation of the
defendant to be erroneous following a misreading of the judgment of the CJEU 39 on which it is based.

38 CJEU, 12 September 2024, judgment HTB Neunte Immobilien Portfolio and Ökorenta Neue Energien Ökostabil IV, C-17/22 and C-18/22, paragraph 68.
39 CJEU, 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, paragraph 41.

85. The GDPR provides under Article 15.3 that the controller provides a

copy of the personal data to the data subject. This right to a copy is

the main method of granting access to the data processed.40

86. In judgment C-487/21 of 4 May 2023, the CJEU considered that the right under Article 15.3 of the

GDPR presupposes the right to obtain a copy of extracts from documents or even entire

documents or extracts from databases which contain, among other things, the said data, if

the provision of such a copy is essential to enable the data subject

to effectively exercise the rights conferred on him by this regulation, it being

emphasized that account must be taken, in this regard, of the rights and freedoms of others” 41 (the

Litigation Chamber emphasizes).

87. Since the right of access is not an absolute right, Article 15.4 of the GDPR provides that the right to obtain a copy may not adversely affect the rights and freedoms of others. Therefore, the interpretation of Article 15.4 of the GDPR requires particular caution in order not to unjustifiably extend the limitations authorised by Article 23 of the GDPR, in particular 43 to Article 23.1.i), which also retains the ground for limitation based on “infringement of the rights and freedoms of others”. These limitations are in fact only authorised, in particular to the right of access, under strict conditions.

88. Although it may give the impression of being formulated in absolute terms, Article 15.4 of the GDPR

nevertheless requires a proportionate approach. A balancing with other fundamental rights must, in accordance with the principle of proportionality, be carried out on a case-by-case basis by the data controller who intends to rely on it.

89. In this case, the Litigation Chamber notes that the defendant did not carry out a balancing of rights that would justify its refusal to comply with the complainant's right to obtain a copy.

90. The defendant justifies this refusal only on the basis of Article 23 of the GDPR in that this request would allow the complainant to interfere in the judicial investigation and the disciplinary investigation conducted by the defendant. This refusal proves to be invalid, as analyzed above.

40 EDPB, Guidelines 01/2022 on the right of access, paragraph 23.
41 CJEU, Judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF GmbH, C-487/21, ECLI:EU:C:2023:369, § 45.
42 CJEU, Judgment of 9 November 2010, Volker und Markus Schecke, Joined Cases C-92/09 and C-93/09, paragraph 48. See also: EDPB, Guidelines 01/2022 on the right of access, paragraph 168.
43 Article 23.1.(i) of the GDPR provides that "1. Union or Member State law to which the controller or processor is subject may, by means of legislative measures, limit the scope of the obligations and rights provided for in Articles 12 to 22 and 34, as well as in Article 5, to the extent that the provisions of that law correspond to the rights and obligations provided for in Articles 12 to 22, where such a limitation respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to ensure: (…) (i) the protection of the data subject or the rights and freedoms of others".
44 Article 52.1 of the Charter of Fundamental Rights of the European Union. See also: EDPB, Guidelines 01/2022 on the right of access, point 174.

91. Consequently, the complainant is entitled to receive a copy of this correspondence

since the defendant has not justified its refusal to exercise the right to obtain a

copy in accordance with Article 15.4. of the GDPR.

92. In conclusion, the Litigation Chamber considers that the defendant has failed to

fulfil its obligations under Articles 12.1, 12.3, 12.4 and 15 of the GDPR. Accordingly, the

Litigation Chamber orders the defendant to provide the complainant with access to a copy of the

correspondence it had with the Prosecutor.

III.3. As for the alleged violations of Articles 5.1.f), 5.2, 24.1, 25.2 and 32 of the GDPR

III.3.1. Position of the complainant

93. In this case, the complainant considers that all the measures listed by the defendant do not

explain how the access by the hierarchical superior to his data

complies with the requirements of Articles 5.1.f) and 32 of the GDPR. He also notes that

only security officers and administrative staff responsible for monitoring individual

files are included in the list of categories of persons having access to personal

data relating to criminal convictions and offences collected as part of the

screening procedure. Consequently, the complainant considers that this list is not

relevant to justifying lawful or legitimate access to his data by his hierarchical

superior.

94. Finally, as for the processing register, the complainant notes that it is not dated and strongly contests its reliability and relevance. Regardless of this, the complainant points out the fact that the register does not illustrate how access to his data by his hierarchical superior complies with the principles of integrity and confidentiality enshrined in the GDPR. 

95. The complainant also points out that several members of the defendant's Council are aware of the facts of which he is suspected in the context of the judicial investigation opened against him, which constitutes an unauthorized disclosure of his data and a security breach expressly mentioned in Article 32.2 of the GDPR. 

96. Consequently, the complainant considers that the defendant has not sufficiently demonstrated that

the measures adopted to guarantee the integrity and confidentiality of the data that it

processed, moreover unlawfully, were appropriate in relation to the level of risk identified.

97. Finally, the complainant considers that the defendant, by not having provided sufficient evidence to demonstrate its compliance with Articles 5.1.a), 5.1.b), 5.1.f), 6, 10, 12.1, 12.3, 12.4, 15 and 32 of the GDPR, has also not proven that it has complied with the liability imposed by Articles 24.1 and 25.2 of the GDPR. This principle of liability requires that the controller not only take adequate measures to comply with the GDPR, but also be able to demonstrate this compliance in a tangible manner. The lack of satisfactory evidence of compliance with the aforementioned articles highlights a failure in the application of this fundamental principle.

45 All operations carried out by the defendant relating to security authorisations, certificates and notices (Additional summary conclusions, p. 63).

III.3.2. Position of the defendant

98. The defendant considers that it has implemented appropriate

technical and organizational measures to ensure a level of security

appropriate to the risks. These organizational measures concern in particular the

security and confidentiality of the data collected by the

defendant in the context of the application of the law of 11 December 1998 and

consist of a unit dedicated to so-called "screening" operations.

99. It highlights in particular the following technical and organisational measures:

- any correspondence addressed to it in the context of the screening procedure may not under any circumstances be opened by the registry but must be immediately forwarded to the competent department;

- physical documents containing data relating to authorisations, certificates and security notices are kept in a specific, secure cabinet, access to which is limited to the defendant’s security officers;

- the defendant has drawn up a list of the categories of persons having access to personal data relating to criminal convictions and criminal offences or related security measures collected in the context of the screening procedure;

- screening operations are subject to a strict operational process defined in an internal document and describing the authorised interactions between security officers and other bodies;

- the computer data collected as part of the screening process are stored on a specific server that is subject to appropriate technical and computer measures and that is only accessible to security officers and administrative staff useful for processing this data.

100. The defendant explains that the alleged violation of these articles, which

would be characterized by the sending of the reasoned decision to the defendant’s

Council and to the complainant’s hierarchical superior, does not concern the

appropriateness of the defendant’s technical and organizational

measures but only the lawfulness of the processing resulting

from a legal obligation imposed on the security officer and the defendant.

101. The defendant considers that it has been able to demonstrate that the processing in question was carried out in accordance with the provisions of the GDPR and that the alleged violations are superfluous since they are based on the other violations alleged by the complainant.

46 Article 13/1 Law of 11 December 1998 and Article 90 of the Administrative Statute.

III.3.3. Position of the Litigation Chamber

i. Principles of security and liability

102. The Litigation Chamber recalls that, in its capacity as data controller, the

defendant is required to implement the data protection principles and must

be able to demonstrate that these are respected (principle of liability –

Article 5.2 of the GDPR).

103. Based on Article 5.1.f) of the GDPR, personal data must be processed

in a manner that ensures appropriate security, "including protection against

unauthorized or unlawful processing and against accidental loss, destruction or

damage, using appropriate technical or organizational measures".

104. In this regard, account must be taken of the state of the art, the

costs of implementation and the nature, scope, context and purposes of the processing as well as the

likelihood and severity of the risks that the processing presents for the rights and freedoms of

individuals. In addition, the Litigation Chamber recalls that the reasoned decision is a

judicial piece of data to which the defendant must pay particular attention.

105. The Litigation Chamber recalls that the defendant, still in its capacity as

data controller, must implement all necessary measures to this end

(Article 24 of the GDPR). The Litigation Chamber insists, as it has already had the

opportunity to recall in previous decisions taken against public officials, on

the fact that the public sector must, in general, be a vector of example in the

measures it adopts to guarantee respect for the fundamental right to the protection of

personal data.

106. Article 32.1 of the GDPR provides that when assessing the appropriate level of security, particular account must be taken of the risks presented by the processing, resulting in particular from the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or from unauthorized access to such data, whether accidental or unlawful. 

107. The Litigation Chamber recalls that this Article 32 must be read in the light of Articles 5.2 and 24 of the GDPR, which require the data controller to demonstrate compliance with Article 32 of the GDPR by taking appropriate technical and organizational measures in a transparent and traceable manner. The Litigation Chamber also recalls that Article 25 of the GDPR requires the data controller to implement the measures necessary to comply with the rules of the GDPR upstream of its acts and procedures.

47 APD decisions 10/2019 and 11/2019 of 25 November 2019. See also, APD decision 129/2021 of 26 November 2021.

108. It should be noted that the principle of security with its various components

of integrity, confidentiality and availability is included in Articles 5.1.f) and 32 of the GDPR and is

now elevated to the same level as the fundamental principles of lawfulness, transparency and

loyalty. In this regard, Article 32.2.b) of the GDPR provides that “[…] The controller[s] of the

processing […] shall implement appropriate technical and organizational measures

in order to guarantee a level of security appropriate to the risk, including, among other things, as

required; b) means of guaranteeing confidentiality, integrity, availability

[…]”.

109. Finally, the Litigation Chamber would like to emphasize that the reasoned decision constitutes judicial data as understood by Article 10 of the GDPR, which concerns behavior leading to the disapproval of society even when the person has not (yet) been convicted, where applicable. By its nature, this reasoned decision deserves specific protection due to the serious interference in private and professional life that its processing constitutes.

ii. Technical and organizational measures of the defendant

110. In this case, the unlawfulness of processing 3) to 5) indicates a breach of confidentiality

of the reasoned decision. In this regard, the defendant provided an undated extract from

its processing register (Exhibit 6) in which it identifies the risk of disclosure of

reasoned decisions and attaches to it as an organizational measure an access management (i.e.,

the security officer and the administrative staff – 3 agents) and as a technical measure

restricted access to this data (i.e., the reasoned decisions are kept under seal).

111. Furthermore, the Litigation Chamber notes that the technical and

organizational measures are sufficient to ensure the confidentiality of the reasoned decisions

in exceptional situations where the defendant would become aware of them.

112. The Litigation Chamber notes, however, that the defendant should also include

measures relating to exceptional situations in which the security officer

could disclose a reasoned decision to his or her manager.

113. As a result, the Litigation Chamber does not find any infringement of Articles 5.1.f), 24.1,

25.2 and 32 of the GDPR.

IV. As for corrective measures and sanctions

114. Under Article 100 LCA, the Litigation Chamber has the power to:

1° dismiss the complaint;

2° order that there be no case to answer;

3° order a suspension of the decision;

4° propose a transaction;

5° issue warnings or reprimands;

6° order compliance with the requests of the data subject to exercise his or her rights;

7° order that the data subject be informed of the security problem;

8° order the freezing, limitation or temporary or permanent prohibition of the processing;

9° order the processing to be brought into compliance;

10° order the rectification, restriction or erasure of data and the notification of

these to the recipients of the data;

11° order the withdrawal of the accreditation of certification bodies;

12° impose periodic penalty payments;

13° impose administrative fines;

14° order the suspension of cross-border data flows to another State or an

international organisation;

15° forward the file to the Public Prosecutor's Office of Brussels, who

informs it of the follow-up given to the file;

16° decide on a case-by-case basis to publish its decisions on the

website of the Data Protection Authority.

115. Based on the documents in the file and following its analysis, the Litigation Chamber finds:

a. that the communication of the reasoned decision in processing 3), 4) and 5) was unlawful. The Litigation Chamber considers that these processing operations are not justified with regard to Article 10 of the GDPR, as specified in Title III.1.

b. a violation of Articles 12.1, 12.3, 12.4 and 15 of the GDPR following the defendant’s refusal to comply with the complainant’s request for access, which is not based on any valid legal basis under Article 23 of the GDPR, as specified in Title III.3.

116. Due to these breaches, the Litigation Chamber issues a reprimand
against the defendant on the basis of Article 100, 5° of the LCA.

117. Due to the unlawfulness of the communication of the reasoned decision in processing 3), 4) and 5) and, consequently, the unlawful holding of that decision by the defendant, the Litigation Chamber orders the defendant to erase the reasoned decision, the latter having been the subject of unlawful processing.

118. Concerning the unjustified refusal of the request for access, the Litigation Chamber orders the

defendant to follow up usefully on the request for access of the complainant on the basis of Article

100, 6° of the LCA, and to give him a copy of the correspondence between the Prosecutor and the

defendant.

48 CJEU, judgment of 14 March 2024, Újpesti Polgármesteri Hivatal, case C-46/23, paragraph 42.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant.

Such an appeal may be lodged by means of an interlocutory application which must contain the information listed in Article 1034ter of the Judicial Code.49 The interlocutory application must be filed at the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code,50 or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(Signed) Hielke HIJMANS

President of the Litigation Chamber

49 The application must contain, under penalty of nullity:

1° the indication of the day, month and year;

2° the name, first name, address of the applicant, as well as, where applicable, his/her qualifications and his/her national register number or company number;

3° the name, first name, address and, where applicable, the qualifications of the person to be summoned;

4° the subject and summary statement of the grounds of the application;

5° the indication of the judge who is seized of the application;

6° the signature of the applicant or his/her lawyer.

50 The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.