APD/GBA (Belgium) - 02/2025
APD/GBA - DOS-2024-01344 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 10 GDPR Article 12(1) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR Article 24 GDPR Article 32 GDPR Article 10 Law of 30 July, 2018 Article 107 Law of 30 July, 2018 Article 128 Law of 30 July, 2018 Article 13 Law of December 11, 1998 Article 22 Law of December 11, 1998 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.03.2024 |
Decided: | 07.01.2025 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DOS-2024-01344 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Décision quant au fond 02/2025 du 7 janvier 2025 (in FR) |
Initial Contributor: | jaslvl4 |
The data subject filed a complaint against their employer, the controller, for unlawful processing of personal data forming part of a disciplinary action against them. The Belgian DPA found breaches of Articles 5, 6, 10, 12, 15, 24 and 32 GDPR.
English Summary
Facts
On January 19, 2023, the controller’s security officer requested the National Security Authority (NSA) to extend the security clearance of the data subject, which was rejected by means of a reasoned decision on July 7, 2023 and communicated back to the controller’s security officer. The data subject and the governing body of the controller received the reasoned decision, which was then forwarded to the data subject’s hierarchical superior by the governing body of the controller. This triggered disciplinary investigations surrounding the data subject, referring to allegations of indecent assault on a minor.
On March 5, 2024, the data subject filed a complaint with the Belgian Data Protection Authority (APD) concerning the unlawful processing of their personal data by their employer, the controller. On March 27, 2024, the APD declared the complaint admissible, leading to the APD Contentious Chamber delivering a decision on the substance of the case.
Holding
The Chamber found multiple GDPR violations by the controller. Article 5(1)(a) was breached by processing the reasoned decision without a valid legal basis, 5(1)(b) by sharing it with unauthorised parties contrary to its originally intended purpose, and 5(1)(f) by failing to ensure confidentiality of the personal data. Since the processing of personal data related to criminal offenses, the controller additionally violated Article 10. The lack of necessity for processing under public interest grounds breached Articles 6(1)(c) and 6(1)(e). Furthermore, the controller violated Articles 12(1), (3), and (4) by failing to inform the data subject, delaying access requests, and improperly invoking judicial secrecy, along with Article 15 for denying a legitimate access request by the data subject. Finally, breaches of Articles 24(1), 25(1), and 32 were found due to the controller's failure to implement measures ensuring compliance, leading to the unauthorized sharing of personal data in the reasoned decision.
The controller was ordered to delete the unlawfully processed data, provide the data subject access to the requested personal data, revise its internal policies for GDPR compliance by implementing the appropriate technical and organisational measures. Additionally, an administrative fine for GDPR non-compliance was imposed on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/24 Litigation Chamber Decision on the merits 02/2025 of 7 January 2025 File number: DOS-2024-01344 Subject: Complaint relating to the unlawful processing of personal data by an employer. The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke HIJMANS, President, and Mr. Romain Robert and Mr. Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR"; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter “LCA”); Having regard to the internal regulations as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019; Having regard to the documents in the file; Has taken the following decision concerning: The complainant: X, represented by Mr Alexandre Cassart, hereinafter “the complainant”; The defendant: The Belgian Institute Y, represented by Mr Mireille Buydens and Mr Charles Bernard, hereinafter “the defendant”. Decision on the merits 02/2025 — 2/24 I. Facts and procedure 1. On 5 March 2024, the complainant filed a complaint with the Data Protection Authority against the defendant. 2. The subject of the complaint concerns the unlawful processing of personal data. 3. On 24 October 2024, the hierarchical superior, after receiving the reasoned decision to refuse the extension of the complainant's security clearance (hereinafter, "reasoned decision"), informed him that a disciplinary investigation had been opened against him. This reasoned decision explicitly refers to the file currently being investigated by the Public Prosecutor (hereinafter, "Prosecutor") in which the complainant is suspected of indecent assault on a minor. 4. The granting and withdrawal of security clearances are governed by the law of 11 December 1998 relating to classification, security clearances, security certificates, security notices and the regulated public service (hereinafter, "law of 11 December 1998"). 1 5. On 19 January 2023, the security officer requested the National Security Authority (hereinafter, “NSA”) to extend the complainant’s security clearance. 6. On 7 July 2023, the NSA notified the defendant’s security officer of its refusal to extend the complainant’s security clearance (hereinafter, “notification of the decision”) (Exhibit 2), attached the reasoned decision (Exhibit 1) and requested the security officer to communicate it to the latter. 2 7. On 24 July 2024, the complainant received the reasoned decision, in accordance with Article 22 paragraphs 3 and 5 of the Law of 11 December 1998. 3 8. At the time of the facts, the security officer was responsible for monitoring the elements relating to 4 security clearances that could lead to their review. As part of this obligation, 1 The case in question concerns a decision to withdraw security clearances; the terms of their granting will not be addressed in this decision. 2Article 22, paragraphs 3 and 5 of the Law of 11 December 1998. 3Article 13/1 of the Law of 11 December 1998 was repealed on 31 December 2023; it stipulated: “Art. 13/1. The persons referred to in Article 13, 1°, are in particular responsible for: a) on the one hand, the application and monitoring of the security policy and the protection of classified information or, on the other hand, the monitoring of security certificates or security notices; b) monitoring, in particular for the mention of elements relating to persons who have received a security notice, a security certificate, or a security clearance, and which may lead to a review of this security notice, security certificate, or this security clearance. The King may entrust security officers with other missions respectively in the area of security clearances and the protection of what has been classified in accordance with Article 3, § 1, and in the area of security notices or security certificates. The security officer shall carry out his or her duties in complete independence. He shall report to the senior official of public administrations, public interest bodies or autonomous public companies, or to the head of the respective body of the public prosecutor referred to in Article 13, d), or to the head of a legal entity under private law. He shall inform the authority referred to in Article 15, paragraph 1, where this is provided for. ". 4 Article 13/1 of the Law of 11 December 1998. Decision on the merits 02/2025 — 3/24 5 6 he shall report to his senior official, the Counsel for the defendant, by communicating to him the reasoned decision. 9. In turn, the Counsel for the defendant shall communicate the reasoned decision to the complainant's hierarchical superior so that he may initiate a disciplinary investigation against the latter. 10. Finally, the defendant's counsel communicates the reasoned decision to his lawyers to request access to the file currently being investigated by the Prosecutor. 11. On 27 March 2024, the complaint is declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber er pursuant to Article 62, § 1 of the LCA. 12. On 3 May 2024, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and Article er 98 of the LCA, that the case can be dealt with on the merits. Pursuant to Article 92, 1° of the LCA, the Litigation Chamber will make a decision on the merits with regard to the subject matter of the complaint. 13. On 15 May 2024, the parties concerned are informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their conclusions. The grievances noted by the Litigation Chamber relate to alleged violations of the following articles: - Alleged violation of Articles 5.1.a), 6 and 10 of the GDPR, due to the absence of a legal basis providing for the processing of the complainant's judicial data, which led to the opening of disciplinary proceedings against him. - Alleged violation of Articles 5.1.b) and 6 of the GDPR, due to the lack of information relating to the compatibility of the purposes of the processing concerned, namely on the one hand, the transmission of the reasoned decision to the defendant’s Council and on the other hand, the transmission of this decision to the complainant’s hierarchical superior. - Alleged violation of Articles 12.1, 12.3, 12.4 and 15 of the GDPR, due to the refusal to comply with the complainant’s exercise of the right of access for reasons that would fall under the exception of Article 23.1.d) of the GDPR. - Alleged violation of Articles 5.1.f) and 32 of the GDPR, due to the lack of appropriate technical and organisational measures to guarantee confidentiality 5Ibid. 6The Council of the defendant is the executive body of the defendant, a public interest body with legal personality. 7Article 90.1 of the Royal Decree of [date] (hereinafter, “Administrative Status”). Decision on the merits 02/2025 — 4/24 of the personal data of the complainant, by sending the reasoned decision to his hierarchical superior. - Alleged violation of Articles 5.2, 24.1 and 25.2 of the GDPR, due to the breaches of the responsibilities mentioned above, which resulted in the transmission of the reasoned decision, the opening of disciplinary proceedings against the complainant, and the transmission of a file to the Public Prosecutor. For the findings relating to the subject matter of the complaint, the deadline for receipt of the defendant's submissions in response was set at 26 June 2024, that for the complainant's submissions in reply at 24 July 2024 and finally that for the defendant's additional summary submissions at 21 August 2024. 14. On 29 May 2024, the defendant requested a copy of the file (art. 95, §2, 3°LCA), which was sent to it on 10 June 2024. 15. On 26 June 2024, the Litigation Chamber received the defendant's submissions in response with regard to the findings relating to the subject matter of the complaint. 16. On 23 July 2024, the Litigation Chamber received the complainant’s submissions in reply with regard to the findings relating to the subject matter of the complaint. 17. On 13 August 2024, the Litigation Chamber acknowledged receipt of the defendant’s request to include the ANS as an interested third party. On the same day, the Litigation Chamber invited the defendant to support its request by providing evidence demonstrating that the ANS would be likely to suffer personal, direct, certain, current and legitimate harm as a result of the proceedings on the merits. 18. On 20 August 2024, the Litigation Chamber receives the additional summary submissions from the defendant concerning the findings relating to the subject matter of the complaint. 19. On 12 September 2024, the Litigation Chamber receives the defendant’s arguments regarding the involvement of the ANS as an interested third party. 20. On 18 September 2024, the Litigation Chamber considers that it has not received sufficient arguments indicating that the ANS would be likely to suffer personal, direct, certain, current and legitimate harm as a result of the ongoing proceedings and decides not to invite it as an interested third party. II. The decision to refuse to extend the security clearance 21. The Litigation Chamber considers it important to detail the legal framework for this refusal to extend the complainant’s security clearance. Decision on the merits 02/2025 — 5/24 22. In view of the flagrant interference of security investigations in the privacy of the persons concerned, the legislator has regulated their withdrawal by the law of 11 December 1998, in accordance with Article 8.2 of the Charter of Fundamental Rights of the European Union 8 (hereinafter, “Charter”). It follows that the law of 11 December 1998 consists of an official authorisation to access classified data within the limits provided for by this law. 23. When the ANS decides, on the basis of a security investigation, not to extend a security clearance, it notifies the person concerned, through the intervention of the security officer, attaching the reasons thereto. This obligation to notify the reasoned decision to the person concerned, de jure excludes any other recipient. 10 24. The obligation of the security officer under Article 13/1 of the Law of 11 December 1998 implies 11 monitoring individuals subject to security clearance in order to detect in time worrying changes such as radicalisation and to communicate them to the ANS. 12 25. This same article obliges the officer to report, to the leaders of the administrative authority to which the latter is attached, new elements or irregularities as mentioned in the previous point to his managers. III. Motivation III.1. As for the alleged violation of Articles 5.1.a), 6 and 10 of the GDPR III.1.1. Position of the complainant 26. In this case, the complainant considers that the opening of the disciplinary investigation is the result of a chain of five processes: - Processing1): The initial collection of his personal data by the ANS; 8Doc. Parl., Chamber of Representatives, 1193/1, p. 2. 9Article 22, paragraphs 3 and 5 of the law of 11 December 1998. 10 Article 22.3 of the law of 11 December 1998. 11The article was repealed on December 31, 2023. It stipulated that: "Art. 13/1. The persons referred to in Article 13, 1°, are in particular responsible for: a) on the one hand, the application and control of the security policy and the protection of classified information or, on the other hand, the monitoring of security certificates or security notices; b) monitoring, in particular for the mention of elements relating to persons who have received a security notice, a security certificate, or a security clearance, and which may lead to a review of this security notice, security certificate, or this security clearance. The King may entrust security officers with other missions, respectively, in matters of security clearances and the protection of what has been classified in accordance with Article 3, § 1, and in matters of security notices or security certificates. The security officer shall carry out his duties in complete independence. He shall report to the official in charge of public administrations, public interest bodies or autonomous public companies, or to the head of the respective body of the public prosecutor referred to in Article 13, d), or to the head of a legal person under private law. He shall inform the authority referred to in Article 15, paragraph 1, where this is provided for. See also: Parliamentary Proceedings, 55K2443, Article 12 12Parliamentary Proceedings 54K2767/001, Article 3. Decision on the merits 02/2025 — 6/24 - Processing 2): Communication of the reasoned decision attached to the notification of the decision by the NSA to the defendant’s security officer; - Processing 3): Communication of the reasoned decision by the defendant’s security officer to the defendant’s counsel; - Processing 4): Transmission of the reasoned decision by the defendant’s counsel to the complainant’s hierarchical superior; and - Processing 5): Communication of the reasoned decision by the defendant’s counsel to the defendant’s lawyer. 27. Furthermore, the complainant considers that the reasoned decision concerns a suspicion of an offence, which, according to him, is incontestably of a criminal nature even if it is not established in this case. Referring to the judgment of the Court of Justice of the European Union (hereinafter, 13 “CJEU”) of 24 September 2019, the complainant considers that these data fall within the scope of Article 10 of the GDPR and benefit from its additional protection. 28. As to the lawfulness of processing operations 1) and 2), the complainant claims that they are based, respectively, on the legal obligations arising from Articles 16 and 22 of the Law of 11 December 1998, in conjunction with Article 110 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter, “Law of 30 July 2018”). He considers the basis of these processing operations on Article 6.1.c) of the GDPR to be justified and therefore processing operations 1) and 2) to be lawful. 29. As for processing (3), the complainant assumes that the defendant bases it on the need for the security officer to report to his hierarchical superior, as prescribed by Article 13/1 of the Law of 11 December 1998. However, he considers this provision not clear, precise and foreseeable. Furthermore, the complainant considers that the purpose pursued by this legal obligation does not correspond to that invoked by the defendant, namely, the adoption of appropriate organizational measures against him. 30. As for processing (4), the complainant considers that Articles 10 §1.1 and 10 §1.3 of the Law of 30 July 2018 cannot be invoked, in the present case, to justify the processing of judicial data within the meaning of Article 10 of the GDPR. First, the complainant claims that the authorisation arising from the legal obligation to manage its own litigation is an ex post authorisation of the processing. The dispute between the defendant’s Council and the complainant only arose after the disputed processing. Next, not having been informed of such exchanges concerning his data, the complainant claims not to have been aware of a dispute with the defendant at the time of the processing. The complainant considers that 13 CJEU, 24 September 2019, judgment GC., AF, BH, ED v. Commission nationale de l’informatique et des libertés (CNIL), C-136/17, paragraph 72. Decision on the merits 02/2025 — 7/24 this lack of information would make it impossible to base the processing 4) on grounds of public interest for the performance of tasks of general interest. 31. As for the processing5), the complainant assumes that the defendant bases it on its legal obligation to conduct an urgent and thorough investigation arising from Article 90 of the Royal Decree of [date] (hereinafter, “Administrative Status”), governed by the general principle of reasonable time. However, the complainant refers to a letter from his hierarchical superior which 15 specifies that in the event of criminal action, the disciplinary procedure is suspended and to Article 93 of the Administrative Status which provides for the suspension of the investigation in the event of an investigation. III.1.2. Position of the defendant 32. First, the defendant considers that the reasoned decision is not judicial data within the meaning of Article 10 of the GDPR since it refers to a suspicion of a criminal offence. To this end, it emphasizes that Article 10 of the GDPR has a narrower scope of application than its counterpart in Directive 95/46/EC. The defendant considers the relevance of the case law invoked by the complainant to be limited. In any event, the defendant considers that the processing would have been in accordance with Article 10 §1 of the law of 30 July 2018 for the management of its litigation opposing it to the complainant and with Article 10 §3 of this same law as being necessary for the management and operation of a public interest body charged by the law of [date] (hereinafter, "regulator's law") with a public interest mission. 33. Secondly, the defendant argues that the Litigation Chamber has no jurisdiction to consider the processing operations 1) to 3) following a combined reading of Articles 107 and 128 §1 of the Law of 30 July 2018 granting Standing Committee R the jurisdiction to monitor the processing of personal data carried out by the security authorities as understood by Article 107, 1° of the Law of 11 December 1998. 34. In the alternative, the defendant considers the five processing operations to be lawful. As pointed out by the complainant, processing operations 1) and 2) are based on Articles 16 and 22 of the Act of 11 December 1998. 35. Concerning processing operation 3), the defendant considers it necessary for compliance with the legal obligation, arising from Article 13/1 of the Act of 11 December 1998, of the security officer to report to his/her managing official, the Council of the defendant, to notify sensitive information, new elements or irregularities concerning 14Royal Decree of [date]. 15 C.E., 21 December 2023, No. 258.302, pp. 15 and 16. 16Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 17Law of [date]. Decision on the merits 02/2025 — 8/24 individuals who have received or are to receive authorisation. In this sense, the defendant emphasizes that the reasoned decision is in line with this obligation, requiring that the defendant’s Council take the necessary and appropriate measures in view of the nature of the security threat that justified this decision. The defendant adds that the reasoned decision does not contain classified information, as understood by Article 22.5 of the law of 11 December 1998 and that, as a result, they may be communicated by the security officer to the defendant’s Council. 36. Concerning processing 4), the defendant considers that it pursues two distinct purposes, on the one hand compliance with its procedural rules (purpose corresponding to Article 6.1.c) of the GDPR), and on the other hand the management of its disciplinary disputes (purpose corresponding to Article 6.1.e) of the GDPR). The defendant considers that processing 4) is necessary to comply with its procedural rules in disciplinary matters as provided for in Article 90 of the Administrative Statute. This clear and precise legal standard of Belgian law would leave the defendant's Council no other choice than to transmit the reasoned decision to the complainant's hierarchical superior, the only one authorised to open a disciplinary investigation. Secondly, the defendant explains that the Administrative Status is incumbent on it to carry out disciplinary functions relating to its statutory agents, which involve processing that can be justified on the basis of Article 6.1.e) of the GDPR. The defendant adds that since the disciplinary procedure is carried out by the hierarchical superior of the person concerned, the latter must be able to assess any fact that could result in a disciplinary measure as part of its urgent and in-depth investigation. 18 37. Finally, the defendant considers that processing 5) is lawful and is based on the same legal bases as processing 4), namely Articles 6.1.c) and 6.1.e) of the GDPR. The defendant 19 explains that the case law of the Council of State imposes on it the obligation to exercise all possible diligence in the context of these disciplinary investigations, including contacting the Prosecutor in order to obtain access to the criminal file of the person concerned in order to establish the materiality of the facts likely to give rise to a disciplinary sanction. III.1.3. Position of the Litigation Chamber 38. As a preliminary matter, the Litigation Chamber notes that neither the defendant nor the complainant contests the lawfulness of processing 1) and 2). 18 Article 90.1 of the Administrative Statute. 19C.E., 12 April 2016, no. 234,333, Wuyard. C.E., 26 June 2013, no. 224,141, Brosse. C.E., 29 February 2000, no. 85,745, Van Mullen. C.E., 27 June 2017, no. 238,626, Virentin. C.E., 2 May 2016, no. 234,616. Decision on the merits 02/2025 — 9/24 39. Furthermore, these treatments are carried out by the ANS, a security authority integrated into the State Security, and do not fall under the provisions of the GDPR as understood by Article 2.2.a) . 40. Therefore, the Litigation Chamber considers that these processing operations fall within the competence of the Standing Committee R and will not be analysed in this decision. 41. As a preliminary point, it is necessary to establish whether the reasoned decision falls within the scope of Article 10 of the GDPR. 42. The latter requires, in a non-cumulative manner, that the processing of personal data relating to criminal convictions, offences or related security measures be carried out under the control of the public authority or that they are regulated by Union law or by Belgian law, in this case the law of 30 July 2018. i. Articles 2, 4.1 and 4.2 of the GDPR 43. It is important for the Litigation Chamber to establish whether the reasoned decision falls within the definition of Article 4.1. of the GDPR, and if the processing operations, as identified in point 26 of this 24 decision, fall within the material scope as defined by Article 2 of the GDPR. Processing of personal data 44. In this case, the complainant is identifiable on the basis of his first and last name, which are included in the reasoned decision, which qualifies it as personal data within the meaning of Article 4.1. of the GDPR. 45. Consequently, its communication by the security officer to the defendant’s Counsel constitutes “processing”, within the meaning of Article 4.2. of the GDPR. Material scope of the GDPR 46. Secondly, it is important to note that the communication of the reasoned decision falls within the definition of the material scope of Article 2.1 of the GDPR and is not excluded from the GDPR by the exceptions in its Article 2.2.a) and d). 25 47. On the one hand, Article 2.2.a) of the GDPR, read in the light of recital 16, excludes from the scope of the GDPR the processing of personal data carried out by the 20Article 1ter of the Law of 11 December 1998. 21 Doc Parl., Chamber of Representatives, (…), 2017/2018, p.152. 22Article 128 of the Law of 30 July 2018. 23 Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data. 24Article 4.2. of the GDPR must be read in the light of recital 26, which provides for taking into account all the means reasonably likely to be used to identify a data subject. 25Article 2. "This Regulation shall not apply to the processing of personal data carried out: (a) in the context of an activity which does not fall within the scope of Union law;….". Decision on the substance 02/2025 — 10/24 state authorities in the context of an activity aimed at preserving national security or 26 an activity which may be classified in the same category. 48. In addition, processing operations 3), 4), and 5) are carried out by the regulator of the Belgian Institute Y, 27 a public interest body with legal personality, in the context of activities relating to the management of its personnel. Consequently, these processing operations are not excluded from the GDPR by Article 2.2.a). 28 49. On the other hand, Article 2.2.d) of the GDPR excludes from the GDPR the processing of data protected by Directive 2016/680 of 27 April 2016, as transposed in Title II of the law of 30 July 2018. 30 50. This Title II applies to data processing carried out by the competent authorities, for the purposes of preventing, detecting, investigating and prosecuting criminal offences or enforcing criminal penalties. 31 51. Although the regulator’s law grants inspection powers to the defendant, these do not fall within the purposes set out above. 52. The first condition is not met. The conditions of application of Title II of the law of 30 July 2018 being cumulative, the Litigation Chamber considers that it is not necessary to analyse the second and decides that processing 3) to 5) is not excluded from the GDPR by its article 2.2.d). ii. Article 10 of the GDPR 53. It is first necessary to assess whether the reasoned decision can be qualified as “judicial data” in the sense of “personal data relating to criminal convictions and offences or related security measures”. 32 54. In a second step, the Litigation Chamber will seek to verify whether the security officer and the defendant's counsel are among the entities authorized to process judicial data as provided for by the exceptions of Article 10 of the GDPR and Article 10 of the law of July 30, 2018. 26CJEU, 12 June 2021, judgment Latvijas Republikas Saeima, C-439/19, paragraph 66. 27Article 13 of the Regulator's Law. 28 Article 2.2.d): “[…]2. This Regulation shall not apply to the processing of personal data carried out: […] (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”. 29Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. 30Article 26 §7 of the Law of 30 July 2018. 31 Article 27 of the Law of 30 July 2018. 32Article 10 of the GDPR. Decision on the merits 02/2025 — 11/24 “Judicial data” 55. The Litigation Chamber recalls that the reasoned decision explicitly mentions the Prosecutor’s file in which the complainant is suspected of indecent assault on a minor. 56. In this regard, the Litigation Chamber refers to judgment C-136/17 of the CJEU 33 which explains that “information concerning a judicial procedure conducted […] such as that reporting on his indictment or the trial […] constitutes data relating to “offences” and “criminal convictions” within the meaning of the first subparagraph of Article 8(5) of Directive 95/46 and Article 10 of Regulation 2016/679”. 57. It follows that the CJEU intends to include in the scope of Article 10 of the GDPR suspicions of criminal offences when they are the subject of a file currently being investigated by the Prosecutor. 58. The reasoned decision contains, in the present case, judicial data as understood by Article 10 of the GDPR insofar as it includes data relating to the file currently being investigated by the Prosecutor in which the complainant is a suspect. On the processing of judicial data 59. As explained in point 54, it is appropriate for the Litigation Chamber to assess whether the security officer and the defendant’s counsel are exceptionally authorised to process judicial data as understood by Article 10 of the GDPR and Article 10 of the Law of 30 July 2018. 60. The Litigation Chamber emphasises that a combined reading of the second exception of Article 10 of the GDPR and Article 10 §1, 3 of the Law of 30 July 2018 authorises the security officer to carry out such processing when it is necessary for reasons of public interest important for the performance of tasks of general interest entrusted by or under a law. 61. In this case, a combined reading of Articles 13/1 and 22, paragraph 3 of the Law of 11 December 1998 as analyzed in Title II of this decision requires the security officer to communicate the reasoned decision to the person concerned, by de jure exclusion to the defendant’s counsel. 62. It follows that the Law of 11 December 1998 does not authorize the security officer to transmit the reasoned decision to the defendant’s counsel. 63. The communication of the reasoned decision by the security officer to the defendant’s counsel therefore goes beyond the scope of the exception provided for in Article 10 §1, 3 of the Law of 30 July 2018 and renders the processing 3) illegal due to the absence of a legal basis. 33CJEU, judgment of 24 September 2019, GC v. CNIL, C-136/17, paragraph 72. Decision on the merits 02/2025 — 12/24 64. The Litigation Chamber concludes that Articles 5.1.a), 6 and 10 of the GDPR are violated. 65. Consequently, since the original communication under processing 3) of the reasoned decision has no legal basis, the Litigation Chamber considers that processing 4) and 5) are also unlawful for the same reasons. 66. For all intents and purposes, the Litigation Chamber notes that the communication of the notification of the decision – therefore without noting its motivation – by the security officer and the Counsel for the defendant could, prima facie, have been a less intrusive means for the fundamental rights and freedoms of the complainant to achieve the purposes of processing 3), 4), and 5). III.2. As for the alleged violation of Articles 12.1, 12.3 and 12.4 and 15 of the GDPR III.2.1. Position of the complainant 67. The complainant considers that, in accordance with Article 15.4 of the GDPR as interpreted by the CJEU 34 in its judgment of 4 May 2023, it is possible to obtain a copy of entire documents, when this copy proves essential to enable the data subject to exercise the rights he or she holds under the GDPR. It is essential for him or her to obtain a copy of the full content of the correspondence exchanged between the defendant and the Prosecutor in order to understand and, if necessary, contest the processing of his or her personal data. 68. Furthermore, the complainant considers that the defendant is not called upon to provide any assistance to the information, firstly because access to the criminal file was refused by the Prosecutor and secondly because Article 93 of the Administrative Status requires the suspension of disciplinary proceedings while criminal proceedings are underway. Next, the complainant considers it important to recall that information, in accordance with Article 28bis, §1 of the Code of Criminal Procedure (hereinafter, “C.i.c.”), refers to all the elements of the acts intended to investigate offences, perpetrators and evidence, and to gather elements useful for the exercise of public action. The letter sent by the defendant’s lawyer to the Prosecutor does not in any way correspond to an act of investigation. Thus, the correspondence exchanges to which the complainant seeks access do not fall within the scope of information and are not covered by its secrecy. III.2.2. Position of the defendant 69. The defendant considers that the correspondence with the Prosecutor falls within the scope of Article 23 of the GDPR through Article 28quinquies, §1, of the C.i.c. which provides that “except for the exceptions provided for by law, information is secret. Any 34CJEU, 4 May 2023, judgment in F.F. v. Österreichische Datenschutzbehörde, C-487/21, paragraphs 21 to 45. Decision on the merits 02/2025 — 13/24 person who is called upon to provide professional assistance with the information is bound by secrecy. 70. In addition, the defendant argues that the right of access to a copy under Article 15.3 of the GDPR does not entail the right for the data subject to obtain a copy of the original document but only to obtain a copy of these data. It concludes that it is not under an obligation to provide a copy of the correspondence addressed to the Prosecutor and that the complainant’s request for access consists of an attempt to misuse the purposes of the right of access under Article 15 of the GDPR in order to interfere with the judicial information and the disciplinary investigation conducted by the defendant. It adds that a copy of an extract from a document or of an entire document can only be required when the contextualisation of the data processed is necessary to ensure its intelligibility. In this sense, the present case constitutes the best evidence of the complainant’s knowledge of the data contained in the correspondence with the Prosecutor. III.2.3. Position of the Litigation Chamber 71. The Litigation Chamber will, on the one hand, assess whether the defendant can legitimately justify its refusal to comply with the complainant’s request for access on the basis of Article 23 of the GDPR and, on the other hand, will assess the requirements of Article 15.3 of the GDPR and the complainant’s right to obtain a copy. i. Article 15 of the GDPR 72. Under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where they are processed, the data subject has the right to obtain access to said data as well as to a series of information listed in Article 15.1.a) to h) of the GDPR. 73. The Litigation Chamber recalls that the right of access constitutes an essential requirement of the right to data protection, since it constitutes the "gateway" that allows 35 the exercise of the other rights conferred by the GDPR to the data subject. 74. Pursuant to Article 12.1 of the GDPR, it is the responsibility of the data controller to take "appropriate measures to provide any information referred to in Articles 13 and 14 and to make any communication under Articles 15 to 22 and Article 34 concerning the processing to the data subject in a concise, transparent, intelligible and easily accessible manner, in clear and plain terms [...]." ii. Article 23 GDPR 35CJEU, 12 January 2023, judgment Österreichische Post AG, C-154/21, pts 37 and 38. Decision on the merits 02/2025 — 14/24 75. Article 23 GDPR provides that, under Union law or the law of a Member State, the application of the rights listed in Articles 15 to 22 and 34 GDPR may be limited by complying with the conditions set out in that article. The provisions of Article 23 GDPR aim to strike a balance between these rights and other legitimate interests in a democratic society. To this end, restrictions on the aforementioned rights are possible provided that the following conditions are met: - First: the derogation must be provided for by a legislative measure; - Second: the derogation must pursue one of the grounds listed in the exhaustive 36 list of Article 23.1 of the GDPR; - Third: the derogation must respect the essence of the fundamental rights and freedoms; - Fourth: the derogation must be a necessary and proportionate measure in a democratic society (proportionality test); - Fifth: the legislative measure must contain specific provisions relating to certain characteristics of the processing in question. 37 36 Namely: a) national security; b) national defence; c) public security; d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including in the monetary, budgetary, taxation, public health and social security fields; (f) the protection of the independence of the judiciary and of judicial proceedings; (g) the prevention, detection, investigation and prosecution of breaches of the ethics of regulated professions; (h) a task of control, inspection or regulation linked, even occasionally, to the exercise of official authority, in the cases referred to in points (a) to (e) and (g); (i) the protection of the data subject or of the rights and freedoms of others; (j) the enforcement of civil law requests. 37Article 23.2: In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions relating to, at least, where appropriate: (a) the purposes of the processing or categories of processing; (b) the categories of personal data; (c) the scope of the restrictions introduced; (d) safeguards to prevent misuse or unlawful access or transfer; (e) the identification of the controller or categories of controllers; (f) the applicable retention periods and safeguards, taking into account the nature, scope and purposes of the processing or categories of processing; (g) the risks to the rights and freedoms of data subjects; and (h) the right of data subjects to be informed of the restriction, unless this risks prejudicing the purpose of the restriction. Decision on the merits 02/2025 — 15/24 The exemption provided for by a legislative measure 76. Concerning the first condition, a legislative measure does not necessarily have to be a law in the formal sense, but any sufficiently clear and precise legal standard, the application of which is foreseeable for any person concerned is sufficient.38 77. In this case, the defendant invokes the exemption provided for by the C.i.c., a law that provides for a limitation to the right of access through the secrecy of criminal information in its Article 28quinquies. 78. Article 28bis C.i.c. establishes a list of acts included in the information and derogating from the right of access, namely “all acts intended to search for offences, their perpetrators and evidence, and to gather elements useful for the exercise of public action.”. 79. In this case, the personal data constituting the subject of the complainant’s request for access consists of the correspondence between the defendant and the Prosecutor. 80. The Prosecutor’s refusal to grant the defendant access to the case file under investigation on the basis of this Article 28quinquies is an indication that this correspondence is not useful for the exercise of public action. On the contrary, it appears to be similar to a request for information about the case file under investigation, which was refused on the basis of the investigation secrecy of Article 28quinquies of the C.I.C. 81. The Litigation Chamber understands prima facie that nothing in the correspondence between the defendant and the Prosecutor relates to the investigation and concludes that it does not consist of an act as understood by Article 28bis of the C.I.C. 82. As a result, the justification for refusing the complainant’s request for access does not satisfy the first condition of Article 23 of the GDPR. 83. Consequently, the Litigation Chamber does not consider it necessary to continue its analysis of Article 23 of the GDPR and concludes that the request for access cannot be refused on the basis of this article. iii. Article 15.3 of the GDPR 84. As a preliminary point, the Litigation Chamber recalls that a refusal to follow up on the request for access to a copy must be based on the result of a balancing exercise of interests as provided for in Article 15.4 of the GDPR and not on the grounds that the complainant would not demonstrate that the contextualisation of the data processed is necessary to ensure its intelligibility. The Litigation Chamber considers the interpretation of the defendant to be erroneous following a misreading of the judgment of the CJEU 39 on which it is based. 38 CJEU, 12 September 2024, judgment HTB Neute Immobilien Portfolio and Okorenta Neue Energien Okostabil IV, C-17/22 and C- 18/22, paragraph 68. 39 CJEU, 4 May 2023, Osterreichische Datenschutzbehorde and Crif, C-487/21, paragraph 41 Decision on the merits 02/2025 — 16/24 85. The GDPR provides under Article 15.3 that the controller provides a copy of the personal data to the data subject. This right to a copy is the main method of granting access to the data processed.0 86. In judgment C-487/21 of 4 May 2023, the CJEU considered that the right under Article 15.3 of the GDPR presupposes the right to obtain a copy of extracts from documents or even entire documents or extracts from databases which contain, among other things, the said data, if the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him by this regulation, it being emphasized that account must be taken, in this regard, of the rights and freedoms of others” 41 (the Litigation Chamber emphasizes). 87. Since the right of access is not an absolute right, Article 15.4 of the GDPR provides that the right to obtain a copy may not adversely affect the rights and freedoms of others. Therefore, the interpretation of Article 15.4 of the GDPR requires particular caution in order not to unjustifiably extend the limitations authorised by Article 23 of the GDPR, in particular 43 to Article 23.1.i), which also retains the ground for limitation based on “infringement of the rights and freedoms of others”. These limitations are in fact only authorised, in particular to the right of access, under strict conditions. 88. Although it may give the impression of being formulated in absolute terms, Article 15.4 of the GDPR nevertheless requires a proportionate approach. A balancing with other fundamental rights must, in accordance with the principle of proportionality, be carried out on a case-by-case basis by the data controller who intends to rely on it. 89. In this case, the Litigation Chamber notes that the defendant did not carry out a balancing of rights that would justify its refusal to comply with the complainant's right to obtain a copy. 90. The defendant justifies this refusal only on the basis of Article 23 of the GDPR in that this request would allow the complainant to interfere in the judicial investigation and the disciplinary investigation conducted by the defendant. This refusal proves to be invalid, as analyzed above. 40 EDPB, Guidelines 01/2022 on the right of access, paragraph 23 41CJEU, Judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF GmbH, C-487/21, ECLI:EU:C:2023:369, § 45. 42 CJEU, Judgment of 9 November 2010, Volker und Markus Schecke, Joined Cases C-92/09 and C-93/09, paragraph 48. See also: EDPB, Guidelines 01/2022 on the right of access, paragraph 168. 43 Article 23.1. (i) of the GDPR provides that "1. Union or Member State law to which the controller or processor is subject may, by means of legislative measures, limit the scope of the obligations and rights provided for in Articles 12 to 22 and 34, as well as in Article 5, to the extent that the provisions of that law correspond to the rights and obligations provided for in Articles 12 to 22, where such a limitation respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to ensure: (…) (i) the protection of the data subject or the rights and freedoms of others". 44 Article 52.1 of the Charter of Fundamental Rights of the European Union. See also: EDPB, Guidelines 01/2022 on the right of access, point 174. Decision on the merits 02/2025 — 17/24 91. Consequently, the complainant is entitled to receive a copy of this correspondence since the defendant has not justified its refusal to exercise the right to obtain a copy in accordance with Article 15.4. of the GDPR. 92. In conclusion, the Litigation Chamber considers that the defendant has failed to fulfil its obligations under Articles 12.1, 12.3, 12.4 and 15 of the GDPR. Accordingly, the Litigation Chamber orders the defendant to provide the complainant with access to a copy of the correspondence it had with the Prosecutor. III.3. As for the alleged violations of Articles 5.1.f), 5.2, 24.1, 25.2 and 32 of the GDPR III.3.1. Position of the complainant 93. In this case, the complainant considers that all the measures listed by the defendant do not explain how the access by the hierarchical superior to his data complies with the requirements of Articles 5.1.f) and 32 of the GDPR. He also notes that only security officers and administrative staff responsible for monitoring individual files are included in the list of categories of persons having access to personal data relating to criminal convictions and offences collected as part of the screening procedure. Consequently, the complainant considers that this list is not relevant to justifying lawful or legitimate access to his data by his hierarchical superior. 94. Finally, as for the processing register, the complainant notes that it is not dated and strongly contests its reliability and relevance. Regardless of this, the complainant points out the fact that the register does not illustrate how access to his data by his hierarchical superior complies with the principles of integrity and confidentiality enshrined in the GDPR. 95. The complainant also points out that several members of the defendant's Council are aware of the facts of which he is suspected in the context of the judicial investigation opened against him, which constitutes an unauthorized disclosure of his data and a security breach expressly mentioned in Article 32.2 of the GDPR. 96. Consequently, the complainant considers that the defendant has not sufficiently demonstrated that the measures adopted to guarantee the integrity and confidentiality of the data that it processed, moreover unlawfully, were appropriate in relation to the level of risk identified. 97. Finally, the complainant considers that the defendant, by not having provided sufficient evidence to demonstrate its compliance with Articles 5.1.a), 5.1.b), 5.1.f), 6, 10, 12.1, 12.3, 12.4, 15 and 32 of the GDPR, has also not proven that it has complied with the 45All operations carried out by the defendant relating to security authorisations, certificates and notices (Additional summary conclusions, p. 63). Decision on the merits 02/2025 — 18/24 liability imposed by Articles 24.1 and 25.2 of the GDPR. This principle of liability requires that the controller not only take adequate measures to comply with the GDPR, but also be able to demonstrate this compliance in a tangible manner. The lack of satisfactory evidence of compliance with the aforementioned articles highlights a failure in the application of this fundamental principle. III.3.2. Position of the defendant 98. The defendant considers that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks. These organizational measures concern in particular the security and confidentiality of the data collected by the defendant in the context of the application of the law of 11 December 1998 and consist of a unit dedicated to so-called "screening" operations. 99. It highlights in particular the following technical and organisational measures: any correspondence addressed to it in the context of the screening procedure may not under any circumstances be opened by the registry but must be immediately forwarded to the competent department; physical documents containing data relating to authorisations, certificates and security notices are kept in a specific, secure cabinet, access to which is limited to the defendant’s security officers; and the defendant has drawn up a list of the categories of persons having access to personal data relating to criminal convictions and criminal offences or related security measures collected in the context of the screening procedure; screening operations are subject to a strict operational process defined in an internal document and describing the authorised interactions between security officers and other bodies; the computer data collected as part of the screening process are stored on a specific server that is subject to appropriate technical and computer measures and that is only accessible to security officers and administrative staff useful for processing this data. 100. The defendant explains that the alleged violation of these articles, which would be characterized by the sending of the reasoned decision to the defendant’s Council and to the complainant’s hierarchical superior, does not concern the appropriateness of the defendant’s technical and organizational measures but only the lawfulness of the processing resulting from a legal obligation imposed on the security officer and the defendant. 101. The defendant considers that it has been able to demonstrate that the processing in question was carried out in accordance with the provisions of the GDPR and that the alleged violations are 46Article 13/1 Law of 11 December 1998 and Article 90 of the Administrative Statute. Decision on the merits 02/2025 — 19/24 superfluous since they are based on the alleged other violations alleged by the complainant. III.3.3. Position of the Litigation Chamber i. Principles of security and liability 102. The Litigation Chamber recalls that, in its capacity as data controller, the defendant is required to implement the data protection principles and must be able to demonstrate that these are respected (principle of liability – Articles 5.2. of the GDPR). 103. Based on Article 5.1.f) of the GDPR, personal data must be processed in a manner that ensures appropriate security, "including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures". 104. In this regard, account must be taken of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risks that the processing presents for the rights and freedoms of individuals. In addition, the Litigation Chamber recalls that the reasoned decision is a judicial piece of data to which the defendant must pay particular attention. 105. The Litigation Chamber recalls that the defendant, still in its capacity as data controller, must implement all necessary measures to this end (Article 24 of the GDPR). The Litigation Chamber insists, as it has already had the opportunity to recall in previous decisions taken against public officials, on the fact that the public sector must, in general, be a vector of example in the measures it adopts to guarantee respect for the fundamental right to the protection of personal data. 106. Article 32.1 of the GDPR provides that when assessing the appropriate level of security, particular account must be taken of the risks presented by the processing, resulting in particular from the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or from unauthorized access to such data, whether accidental or unlawful. 107. The Litigation Chamber recalls that this Article 32 must be read in the light of Articles 5.2 and 24 of the GDPR, which require the data controller to demonstrate compliance with Article 32 of the GDPR by taking appropriate technical and organizational measures in a transparent and traceable manner. The Litigation Chamber also recalls that 47APD decisions 10/2019 and 11/2019 of 25 November 2019. See also, APD decision 129/2021 of 26 November 2021 Decision on the merits 02/2025 — 20/24 Article 25 of the GDPR requires the data controller to implement the measures necessary to comply with the rules of the GDPR upstream of its acts and procedures. 108. It should be noted that the principle of security with its various components of integrity, confidentiality and availability is included in Articles 5.1.f) and 32 of the GDPR and is now elevated to the same level as the fundamental principles of lawfulness, transparency and loyalty. In this regard, Article 32.2.b) of the GDPR provides that “[…] The controller[s] of the processing […] shall implement appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risk, including, among other things, as required; b) means of guaranteeing confidentiality, integrity, availability […]”. 109. Finally, the Litigation Chamber would like to emphasize that the reasoned decision is a judicial data as understood by Article 10 of the GDPR which concerns behavior leading to the disapproval of society even when the person has not (yet) been convicted, where applicable. By its nature, this reasoned decision deserves specific protection due to the serious interference in private and professional life that its processing constitutes. ii. Technical and organizational measures of the defendant 110. In this case, the unlawfulness of processing 3) to 5) indicates a breach of confidentiality of the reasoned decision. In this regard, the defendant provided an undated extract from its processing register (Exhibit 6) in which it identifies the risk of disclosure of reasoned decisions and attaches to it as an organizational measure an access management (i.e., the security officer and the administrative staff – 3 agents) and as a technical measure restricted access to this data (i.e., the reasoned decisions are kept under seal). 111. Furthermore, the Litigation Chamber notes that the technical and organizational measures are sufficient to ensure the confidentiality of the reasoned decisions in exceptional situations where the defendant would become aware of them. 112. The Litigation Chamber notes, however, that the defendant should also include measures relating to exceptional situations in which the security officer could disclose a reasoned decision to his or her manager. 113. As a result, the Litigation Chamber does not find any infringement of Articles 5.1.f), 24.1, 25.2 and 32 of the GDPR. IV. As for corrective measures and sanctions 114. Under Article 100 LCA, the Litigation Chamber has the power to: 1° dismiss the complaint; 2° order that there be no case to answer; Decision on the merits 02/2025 — 21/24 3° order a suspension of the decision; 4° propose a transaction; 5° issue warnings or reprimands; 6° order compliance with the requests of the data subject to exercise these rights; 7° order that the data subject be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of the processing; 9° order the processing to be brought into compliance; 10° order the rectification, restriction or erasure of data and the notification of these to the recipients of the data; 11° order the withdrawal of the accreditation of certification bodies; 12° impose periodic penalty payments; 13° impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international organisation; 15° forward the file to the Public Prosecutor's Office of Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority 115. Based on the documents in the file and following its analysis, the Litigation Chamber concludes, a. to the unlawfulness of the communication of the reasoned decision for processing 3), 4) and 5). The Litigation Chamber considers that these processing operations are not justified with regard to Article 10 of the GDPR, as specified in Title III.1. b. to a violation of Articles 12.1, 12.3, 12.4 and 15 of the GDPR following the defendant’s refusal to comply with the complainant’s request for access, which is not based on any valid legal basis under Article 23 of the GDPR, as specified in Title III.3. 116. Due to these breaches, the Litigation Chamber issues a reprimand against the defendant on the basis of Article 100, 5° of the LCA. 117. Due to the unlawfulness of the communication of the reasoned decision in processing 3), 4) and 5) and consequently, the unlawful detention of the latter by the defendant, the Merits Decision 02/2025 — 22/24 Litigation Chamber orders the defendant to erase the reasoned decision, the latter having been the subject of unlawful processing. 118. Concerning the unjustified refusal of the request for access, the Litigation Chamber orders the defendant to follow up usefully on the request for access of the complainant on the basis of Article 100, 6° of the LCA, and to give him a copy of the correspondence between the Prosecutor and the defendant. 48 CJEU, judgment of 14 March 2024, Újpesti Polgármesteri Hivatal, case C-46/23, paragraph 42. Decision on the merits 02/2025 — 24/24 In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant. Such an appeal may be lodged by means of an interlocutory application which must contain the 49 information listed in Article 1034ter of the Judicial Code. The interlocutory application must be 50 filed at the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code. , or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code). (Sé). Hielke H IJMANS President of the Litigation Chamber 49 The application must contain, under penalty of nullity: 1° the indication of the day, month and year; 2° the name, first name, address of the applicant, as well as, where applicable, his/her qualifications and his/her national register number or company number; 3° the name, first name, address and, where applicable, the qualifications of the person to be summoned; 4° the subject and summary statement of the grounds of the application; 5° the indication of the judge who is seized of the application; the signature of the applicant or his/her lawyer. 50 The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.