APD/GBA (Belgium) - 2018-04762
From GDPRhub
| APD/GBA - 2018-04762 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 41 EU Charter |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 18.06.2018 |
| Decided: | 27.01.2025 |
| Published: | 10.02.2025 |
| Fine: | n/a |
| Parties: | Radio Télévision Belge de la Communauté française (RTBF) |
| National Case Number/Name: | 2018-04762 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | APD (in FR) |
| Initial Contributor: | ao |
The DPA issued a reprimand to a controller for failing to identify a legal basis prior to processing. Further, it held that personal data could be necessary for the realization of a television service contract.
English Summary
Facts
Complaint
On the 18 June 2018, the data subject lodged a complaint with the DPA against Radio Télévision Belge de la Communauté francaise (RTBF), the controller.
The data subject complained that the live services of the controller are only available in Belgium if an email, login via Facebook or Google account is provided. Further, if users deactivate cookies and tracking by third parties, the connection fails. The data subject set out that the service should be available without having to surrender personal data.
Initially, the controller argued that it is pursuing a legitimate interest under Article 6(1)(f) GDPR in collecting the data.
Investigation by the Investigative Service (IS) of the APD
The investigation found that the controller collected the following data: first and surname, password, email address, phone number, date of birth and gender identity.
To the investigation by the SI, the controller argued that the principle of impartiality under Article 41 of the EU Charter of Fundamental Rights had not been respected. The controller alleged that the language used in the report issued by the investigative service of the DPA strongly favoured the position of the data subject.
Furthermore, the controller stated that it did not have enough time to answer the questions posed by the DPA and that the DPA had denied to meet the controller in person. It argued that due to this time pressure, it had made a mistake regarding the legal basis of the processing. Therefore, the true legal basis for the processing was in fact Article 6(1)(b) GDPR. The controller described that the TV service is a personalized service and that users are informed of this in the privacy policy. Therefore, creating an account for the service equates to a contractual relationship according to the controller and the data collected is necessary for the contract.
Holding
Alleged partiality of the SI
In regard to the allegations of partiality on the part of the IS, the Litigation Chamber of the DPA found that based on Article 66 §1 of the Belgian law on the powers of the DPA (La loi du 3 décembre 2017 portant création de l'Autorité de protection des données - LCA), the IS of the DPA did not have the power to meet with the controller and therefore rejected the controller's argument.
Account creation
The IS had found that the users were not adequately informed that the Facebook login option in fact created an account with the controller. However the LC found that the controller had made it sufficiently clear that a login with Facebook would create a user account with the controller and therefore found no violation.
Legal basis for the processing
The Litigation Chamber (LC) held that the controller cannot switch between legal basis and that the legal basis for processing must be set prior to the processing. The LC further pointed out that the tight deadline could not have been a valid reason for mixing up the legal basis as the legal basis should have been determined before the processing began.
However, the LC chose not to sanction the failure to identify the correct legal basis and assessed whether Article 6(1)(b) GDPR could provide a valid legal basis for the processing. The LC found that a contractual relationship existed and that the contract was valid under Belgian law. With regard to the necessity requirement, the LC pointed out that the service cannot be deliverable unless the data is processed, otherwise, the necessity requirement is not met. In addition, the LC highlighted that the data subject’s understanding of the necessity of the data processing must also be taken into account by the controller.
The LC found that the following details were in fact necessary for the contract in order to securely identify individuals: Name, password and email address. In regard to the phone number, date of birth, gender identity and profile picture, the LC held that the contract provided by the controller stipulated that it offered a personalised service and that a certain amount of personal data is therefore necessary to fulfill the purpose of the contract. The LC highlighted that the controller must make it clear to data subjects that entering this information is optional. It found that entering further details such as the date of birth, was in fact optional and not a requirement for the account creation.
The LC therefore found no violation of Article 6(1)(b) GDPR in regard to the collected data. Further, the LC concluded that although the controller had violated Article 5(1)(a) GDPR, 5(1)(b) GDPR and 6(1) GDPR for failing to determine the legal basis before processing data, it chose to dismiss these violations based on the specific circumstances of the case. It therefore merely issued a reprimand to the controller for the failure to identify a legal basis prior to processing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/27 Litigation Chamber Decision on the merits 17/2025 of 27 January 2025 File number: DOS-2018-04762 Subject: Complaint regarding the use of the “Auvio” service of RTBF The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke H IJMANS, President, and Messrs. Dirk Van Der Kelen and Christophe Boeraeve, members, resuming the case in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR"; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter "LCA"); Having regard to the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter "LTD"); Having regard to the internal rules as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019; 1 Having regard to the documents in the file; Having regard to decision 170/2022 of 22 November 2022 of the Litigation Chamber; 1The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the law of 3 December 2017 establishing the data protection authority (LCA) entered into force on 01/06/2024. In accordance with Article 56 of the Law of 25 December 2023, it only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des- donnees.pdf Files initiated before 01/06/2024 [as in this case] are subject to the provisions of the LCA not amended by the Law of 25 December 2023 and the internal regulations as they existed before this date. Decision on the merits 17/2025 — 2/27 Took the following decision concerning: The complainant: X, hereinafter "the complainant"; The defendant: The Belgian Radio and Television of the French Community (RTBF), an autonomous public company of a cultural nature, Having as counsel Maître Peter Craddock, lawyer, whose firm is established Avenue Louise, 54 in 1050 Brussels. Hereinafter “RTBF” or “the defendant”. I. Facts and procedure 1. On 18 June 2018, the complainant filed a complaint with the Data Protection Authority (DPA) against the defendant. 2. Under the terms of his complaint, the complainant denounces the fact that the defendant’s live service (web streaming – Auvio) is accessible on Belgian territory only if visitors provide their personal data (email address/login, Facebook or Google accounts). He also points out that the process of connecting to the live service does not work if the user deactivates the cookies and trackers of third-party companies used by the defendant's website. 3. On 15 October 2018, the complaint was declared admissible on the basis of Articles 58 and 60 of the LCA and forwarded to the Litigation Chamber under Article 62, § 1 of the LCA. The complainant was informed of this on the same date. 4. On 23 October 2018, the Litigation Chamber decided to request an investigation from the Inspection Service (SI) under Articles 63, 2° and 94, 1° of the LCA. er 5. On 29 October 2018, in accordance with Article 96, § 1 of the LCA, the request of the Litigation Chamber to conduct an investigation is transmitted to the SI. The complainant is informed of this on the same date. 6. On 28 January 2020, the SI investigation is closed, the report is attached to the file and the latter is transmitted by the Inspector General to the President of the Litigation Chamber (Art. 91, § er 1 and § 2 of the LCA). The investigation report is based on two technical analysis reports dated 1 July 2019 and 9 January 2020 respectively. 7. According to its report, the SI makes the following findings: Decision on the merits 17/2025 — 3/27 - As regards the legal basis underlying the processing of registration data on the one hand and data relating to personalisation (profiling) on the other hand (finding 1): The SI is of the opinion that the defendant cannot rely on its legitimate interest which it invokes in support of the processing of registration data (Article 6.1.f) of the GDPR). With regard to the consent invoked above concerning the lawfulness of data processing related to personalization, the IS recalls that the data controller must have identified a basis for lawfulness prior to the processing of data (in this case, collection) and cannot switch from one basis to another. - As for the legitimacy of the processing of personal data for the purposes of advertising profiling and the possibility of opposition (findings 2, 3 and 4): the IS notes that while the defendant's management contract allows it to use content recommendation algorithms, the definition of this term does not include advertising. The IS concludes that the legitimacy of the advertising profiling purpose of the processing on the part of the defendant (and therefore compliance with Article 5.1.b) of the GDPR) may be called into doubt. Since at the time of registration, the user cannot refuse advertising profiling and the platform does not seem to allow easy opposition to it after registration, the IS concludes that the provisions of Articles 12.2., 21 and 25 of the GDPR do not seem to be met. Finally, the IS notes that the updating of the purposes in the registration form by including the purpose of advertising profiling has not, as of January 9, 2020, been carried out even though the defendant had undertaken to do so. The IS concludes that this appears incompatible with the requirements of Articles 12.1. 13 and 14 of the GDPR. - As for the use of social media data for login/registration purposes (findings 5 and 6): the IS concludes that the difference between the login and registration mechanism for the platform via social media (Facebook, Google) lacks clarity and explanation, in contradiction with Articles 12.1, 13 and 14 of the GDPR. The IS adds that the mechanism used under the cover of logging in via a Facebook account is in fact the creation of an RTBF account with the provision of the user's Facebook data, without the latter being informed. The IS concludes that this process is in contradiction with Articles 5.1.a), 5.1.b) and 5.1.c) as well as with Articles 12.1, 13 and 14 of the GDPR. 2The SI refers in this regard to the Guidelines on consent under the GDPR adopted by the Article 29 Working Party on 28 November 2017 as revised and adopted on 10 April 2018. For information, the Litigation Chamber adds that this prohibition on switching from one basis of lawfulness to another has been confirmed by the European Data Protection Board (EDPB) in its Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679. See. point 123: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf 3 The Litigation Chamber indicates that Article 27/1 of the Digital Service Act (DSA) (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for digital services and amending Directive 2000/31/EC (Digital Services Regulation).) provides as follows in this regard: "Online platform providers that use recommendation systems shall set out in their general terms and conditions, in simple and understandable language, the main parameters used in their recommendation systems, as well as the options available to recipients of the service to modify or influence these main parameters". This is for information purposes, as these findings are not part of the referral to the Litigation Chamber ( cf. infra). Decision on the merits 17/2025 — 4/27 8. On 17 March 2020, the Contentious Chamber decided, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case could be dealt with on the merits. 9. On the same date, the parties concerned were informed by registered mail of the provisions as set out in Article 95, § 2 and Article 98 of the LCA. They were also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their submissions, namely 14 April (submissions in response) and 14 May 2020 (submissions in reply) for the defendant and 29 April 2020 (submissions in reply) for the complainant. 10. On 19 March 2020, the defendant requested a copy of the file (art. 95, §2, 3° LCA), which was sent to it on 25 March 2020. It also expressed the wish to be heard by the Litigation Division in accordance with Article 51 of the Rules of Procedure of the APD. 11. On 14 April 2020, the Litigation Division received the defendant's submissions in response. On 14 May 2020, it received the latter's summary submissions. Its argument can be summarised as follows, the details of its defence being discussed in the reasons for this decision (see below). - The first part of the defendant's submissions tends to demonstrate that the findings of the SI investigation must be dismissed since the preparation of its report and the technical analysis reports on which it is based were not done in compliance with the principles of good administration. - As for the substance, the defendant denies that there is any breach of the GDPR on its part. 12. On 28 April 2020, the Litigation Chamber received the complainant's submissions in response. In general, the complainant denounces the defendant's attitude and insists in particular on the practice of cookies, the lack of transparency and the question of the relevance of the collection of personal data as a mandatory step to access online content. 13. On 22 November 2022, the Litigation Chamber adopted Decision 170/2022, pursuant to which it dismissed the complaint pursuant to Article 100.1.1° of the LCA, which concerns the grievances covered by the Litigation Chamber's settlement decision 168/2022. 14. This settlement decision 168/2022 was addressed to the defendant of the present decision, namely RTBF. It was the result of an own-initiative investigation carried out by the IS into a series of grievances common to the complaint in question here. 15. The subject of this transaction concerned "potential infringements of the GDPR, with regard to cookies and, more generally, the storage and consent to the placement and subsequent processing of information on the user's device as a data subject". The transaction thus covers the "cookies" complaint in its entirety raised by the complainant under the terms of his complaint (second part) as well as findings 1 (only for advertising profiling), 2, 3 and 4 of the IS investigation report. 16. Within the limits of this decision 168/2022, the Litigation Chamber had thus exhausted its jurisdiction with regard to the facts reported by the complainant and the corresponding "cookies" complaints. Pursuant to its aforementioned decision 170/2022, the Litigation Chamber has therefore dismissed the complainant's complaint in light of these grievances on technical grounds, within the same material and temporal limits. 17. For the period from 20 November 2020 (time limit of the transaction - which is moreover after the closing date of the SI investigation on 28 January 2020 in this case) to date, the Litigation Chamber does not have any findings supporting the said grievances invoked by the complainant, it has therefore been unable to find any failure on the part of the defendant and dismissed the complaint on this point on technical grounds also in support of criterion A.1. of the dismissal policy note. 18. In the same decision 170/2022, the Litigation Chamber specifies that, with regard to the data processing in the context of connection and registration to the Auvio platform (findings 1 (regarding registration) and findings 5 and 6 of the inspection report), it will continue the procedure with an examination of the merits (point 28 of the decision): “With regard to the complaints relating to data processing in the context of connection and registration to the Auvio platform (first part of the complainant’s complaint and findings 1 (regarding registration), 5 and 6 of the inspection report), the Litigation Chamber decides to continue its examination, as these complaints are not covered by its settlement decision 168/2022. The defendant having requested to be heard in this case, the Litigation Chamber will schedule a hearing in the presence of the parties in due course." 19. On 30 November 2022, the parties were informed that the hearing would take place on 27 January 2023. In accordance with its letter of invitation to the hearing, the Litigation Chamber stated that, taking into account its decision 170/2002 issued with regard to part of the grievances raised in the complaint (see above), the hearing would focus only on the grievances not covered by this decision 170/2022, as mentioned by the Litigation Chamber in point 28 thereof. 20. The Litigation Chamber also requests the defendant, taking into account the period of time that has elapsed since the facts and since the findings of the IS, as well as taking into account the changes made by the defendant to its website during the proceedings, to kindly update the information provided to the Litigation Chamber: (a) regarding the process of logging in/creating an account-registration to the Auvio system, in particular via social networks on the one hand, and (b) regarding the information given to users to date regarding this on the other hand. The defendant is requested to communicate this factual information to the Litigation Chamber and to the complainant by 4 January 2023 at the latest. The Litigation Chamber adds that if it so wishes, the complainant may respond to these updates until 13 January 2023. The defendant will ultimately have, if applicable, a final right of reply until 24 January 2023. 21. On 4 January 2023, the defendant informed the Litigation Chamber that to the extent that the registration functionality by logging into a Facebook or Google account had not changed, but the interface had evolved (both on the RTBF side and on the Facebook/Meta side on the one hand and Google on the other), it sent it a document containing updates mainly in the form of new screenshots. She specifies that this document must be read in combination with her summary conclusions of 14 May 2020. 22. On 27 January 2023, the defendant alone was heard by the Litigation Division, the complainant having indicated to the Litigation Division that he would not participate in the hearing. 23. On 31 January 2023, the minutes of the hearing were communicated to the parties. 24. On 14 February 2023, the Litigation Division received from the defendant some comments relating to these minutes, which it took into account in its deliberation. II. Reasons II.1. As to the lawfulness of the processing of data collected during the registration phase II.1.1. The SI’s point of view 25. As mentioned above, the SI is of the opinion that the defendant cannot rely on the legitimate interest that it claims to have and that it invoked during the investigation in its letter of 11 July 2019 in response to the SI’s questions regarding the lawfulness of the processing of registration data, in particular that the SI identifies as a surname, a first name, a password and a valid email address. The SI does not exclude the possibility that the defendant may be qualified as a public authority within the meaning of Article 5 of the LTD, it questions the 4 applicability of Article 6.1. f) of the GDPR and points out in any event that the defendant has not demonstrated to the SI that it has carried out the balancing of interests required by Article 6.1.f) of the GDPR. 4See recital 47 of the GDPR. Decision on the merits 17/2025 — 7/27 26. The SI considers that the defendant is not more justified in relying on its legitimate interest and/or on the consent of users with regard to the processing of data collected in the registration phase for the purposes of personalization. The basis of lawfulness must be identified prior to processing and the data controller cannot switch from one to the other. II.1.2. The parties’ point of view The complainant 27. The complainant challenges the impossibility of watching a programme live on Auvio (in this case a Red Devils football match) without having to communicate certain personal data to the defendant (the creation of an account with communication of certain data being obligatory). He states that he cannot agree with the way in which the defendant has designed the Auvio service - the added value of which would be that of a personalised service: see below - considering that “he should be able to go online to the defendant’s website and follow the programme of his choice live without communicating data” (page 2 of the complainant’s conclusions). Consequently, the complainant is of the opinion that "RTBF has done nothing to limit the processing of personal data only to essential cases, necessary for the provision of services and with the free and clear consent of the person concerned" (page 1 of the complainant's conclusions of April 28, 2020). 28. The complainant also alleges that by requesting to be able to enter into dialogue with the APD services during the investigation, the defendant made “repeated attempts to distort the investigation of the Chamber (read the SI)”, in particular by “requesting privileged access to the members of the Chamber” (read the members of the SI) (page 5 2 of the complainant’s submissions). The defendant 29. In its “Submissions” and “Summary Submissions”, the defendant argues primarily that the SI reports are inadmissible and must be dismissed for violation of the general principle of good administration to which the APD (and its organs) is bound in its capacity as an administrative authority. In particular, the defendant is of the opinion that the principle of impartiality (Article 41 of the Charter of Fundamental Rights of the Union ) has not 5It should be noted at the outset that, contrary to what the complainant states, the defendant requested contact with the services of the Inspection (SI) and not with the Litigation Chamber. 6 Article 41: right to good administration 1. Everyone has the right to have his or her affairs handled impartially, fairly and within a reasonable time by the institutions, bodies, offices and agencies of the Union. 2. This right includes in particular: (a) the right of every person to be heard before any individual measure which would affect him or her adversely is taken; (b) the right of every person to have access to the file concerning him or her, while respecting the legitimate interests of confidentiality and professional and business secrecy; (c) the obligation for the administration to provide reasons for its decisions. 3. Everyone has the right to have the Union make good any damage caused by the institutions or by its servants in the exercise of their duties, in accordance with the general principles common to the laws of the Member States. 4. Any Decision on the merits 17/2025 — 8/27 respected, given that the investigation was conducted much more "for the prosecution" than "for the defence", particularly in view of the turns of phrase in the reports, the vocabulary chosen and the punctuation used in them (inappropriate exclamation marks in particular). As a result, according to the defendant, these reports support an appearance of bias on the part of the Litigation Chamber. 30. The defendant adds that the duty of thoroughness and the principle of internal reasoning (Article 41.2, 3rd indent of the Charter of Fundamental Rights of the Union) are also flouted, the final report containing errors of law, particularly with regard to the interpretation of Regulation (EU) 2017/1128 “Portability” of 14 June 2017 on the cross-border portability of online content services in the internal market. 7 31. The defendant adds that since the S.I. has not complied with the LCA, in particular Article 66 § 1 thereof, the entire investigation procedure is tainted. In particular, the defendant criticises the SI for refusing to respond to its request for a meeting of 17 June 2019, a request it made to explain itself with a view to active cooperation within the framework of the SI’s hearing powers. 32. In the alternative, the defendant argues that the SI’s substantive allegations are unfounded. 33. As for the legal basis for the processing of registration data (finding 1 of the SI), the defendant states that this question cannot be examined without taking into account the context in which it was put to it by the SI and the time limit within which it was required to respond. The defendant thus emphasises that it had (too) little time to answer the dozen or so questions put to it, in the middle of the summer holidays, under the threat of a finding of lack of cooperation in violation of Article 31 of the GDPR and by being refused a meeting with the IS (Article 66 of the LCA – see above). The time taken by the IS to respond, after the defendant’s reminder of 21 June 2019, to this request person may contact the institutions of the Union in one of the languages of the Treaties and must receive a response in the same language. 7 The defendant thus considers more particularly that the IS was wrong to reject the “Portability:” regulation. Indeed, the citizen, when he or she resides in the European Union, continues to have access to certain audiovisual content. Therefore, compliance with this portability regulation requires verification of the user's residence in the European Union (see below). 8To investigate the case, the Inspector General and the inspectors may, in accordance with the procedures determined by this Act: 1° identify persons; 2° interview persons; 3° conduct a written investigation; 4° carry out on-site examinations; 5° consult computer systems and copy the data they contain; 6° access information electronically; 7° seize or seal property or computer systems; 8° request the identification of the subscriber or regular user of an electronic communications service or the electronic communications means used. Decision on the merits 17/2025 — 9/27 meeting was also included in the already short period granted to it to submit its responses, the IS having refused any extension of the deadline. The defendant emphasizes that it is in this context that an unfortunate error regarding the legal basis crept into its response letter of 11 July 2019. 34. However, this error is of no consequence according to the defendant since it is acting in compliance with the GDPR. 35. The defendant thus develops that notwithstanding the mention of Article 6.1. f) of the GDPR, its letter of 11 July 2019 nevertheless contains all the factual indications attesting that the true legal basis for the processing of registration data is the contract entered into with the user (Article 6.1. b) of the GDPR). She emphasizes that in this regard, the Litigation Chamber cannot stop at the formulation of the legitimate interest (article 6.1. f) of the GDPR) taken up in the said letter of July 11, 2019 since it is up to it to verify the facts in light of the law, independently of this manifest error by the defendant. 36. The defendant explains that according to its General Terms of Use (GTU), the user may "access our [read its] services either freely or by registering in advance, in particular via a form mentioning the data necessary to be completed to enable optimal use" (Article B.1. GTU) 37. The defendant describes that the Auvio service is not a simple content service: it is a personalized service as evidenced by the information provided on this subject in the registration window on the site as well as in the first elements of its Data Usage Charter, under the terms of which the following is specified: "We offer you new content to be as close as possible to your tastes" and "Your experience is enriched; a use of your information solely to serve your interests" or that the defendant "seeks first and foremost to provide you with added value, both in terms of the content and the form in which it is delivered. This added value may, for example, take the form of personalized recommendations or services aimed at improving the accessibility of our content." 38. The defendant specifies that when creating its account (whether or not through a social network connector such as Facebook or Google), it is made clear to the subscriber that he must accept the defendant's T&Cs before being able to benefit from the service. Registration thus creates a contractual relationship between the user and the defendant. 39. In response to the complainant who considers that he should be able to freely follow the defendant’s programmes live on Auvio without any communication of personal data concerning him (i.e. without subscription) as well as to the question of the SI on this same Decision on the merits 17/2025 — 10/27 subject, the defendant, both on 15 April 2019 in response to the SI and by way of submissions, replied “that it is currently not permitted to access the live broadcasting service on the Auvio site without providing registration data in order to ensure sound, centralised and secure management of the services offered by RTBF on its various internet and mobile platforms, in accordance with Article 43 of the RTBF management contract which imposes on it a universal service obligation only in terrestrial broadcasting on radio and TV or through cable distribution on TV”. 9 40. As for the data processed during the registration phase, the defendant states that what is “necessary for the performance of the contract” within the meaning of Article 6.1.b) of the GDPR does not only include data whose provision is mandatory. The delivery of the service may differ depending on whether all the data that the subscriber is asked to provide are actually provided or not. In other words, the Auvio contract has several functionalities whose delivery depends on whether or not the optional personal data is provided. The fact remains that these data are, according to the defendant, all necessary for the performance of the contract within the meaning of Article 6.1.b) of the GDPR. - Thus, the first and last name are processed for the purpose of providing personalized recommendations but also for security purposes, more particularly to combat fraud. - The email address is processed for authentication purposes to close the registration procedure. Either the email address entered is already known to the defendant, which attests to an existing account; or the address is not known to the defendant, which sends to the said email address provided by the candidate subscriber an email containing a hyperlink to be activated to finalize the registration. - The date of birth (introduced during the proceedings) is processed following a decision of 8 March 20128 by the Higher Audiovisual Council (CSA) which complained that the defendant did not comply with the obligation to set up a system protecting minors against television programmes likely to harm their physical, mental and moral development, in application of the decree of the Government of the French Community of 21 February 2013 relating to the protection of minors against television programmes likely to harm their physical, mental or moral development, more particularly Article 4 § 1. In order to comply with this obligation, the defendant states that it has set up several 9 To the extent necessary, the Litigation Chamber specifies that this statement results from the content of its conclusions as well as those of its update factual day and what was explained in the hearing. 10Article 4.1: "In a non-linear television service, a category 3, 4 or 5 program can only be accessed by the user after entering a parental access code" Ministry of the French Community, Order of the Government of the French Community of 21 February 2013 relating to the protection of minors against television programs likely to harm their physical, mental or moral development, Official Journal, 11 March 2013. Decision on the merits 17/2025 — 11/27 measures recommended by the CSA such as the introduction of parental control by default, the possibility of creating an access code for content from "-12 years old" and the prohibition for children under 13 to create an Auvio profile. - As for the GSM number, the defendant states that Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on the cross-border portability of online content services in the internal market, applicable since 20 March 2018, requires the provider of this service (i.e. the defendant) to verify the subscriber’s Member State of residence (which must be a Member State of the European Union (EU)) using one of the verification means listed therein. A simple email address ending in “.be” is not part of the list of verification means listed by this regulation. The GSM number, however, is part of it. The defendant, by requesting their mobile number from Auvio users who wish to benefit from cross-border portability when they go on holiday in one of the EU countries, therefore complies with the GDPR since this is information necessary for the use of AUVIO abroad. - The processing of the address meets the same need but also that of personalisation. - Gender data is also processed for the purposes of personalising the Auvio service. 41. Finally, the defendant points out that consent (Article 6.1. a) of the GDPR) – which the complainant alleges should have been collected – is not the only basis for lawfulness that can be mobilised and that, therefore, consent is not always required before any processing can take place. II.1.3. Assessment of the Litigation Chamber As to the admissibility of the IS reports 42. With regard to the complaints of bias and lack of thoroughness raised by the defendant against the inspection reports, the Litigation Chamber considers that, even if they were well-founded, they do not have any repercussions on its impartiality with regard to the complaint based on the lawfulness of data processing during the registration phase. 1As already mentioned, the RTBF will indicate in a letter dated 11 July 2019 addressed to the SI, that the collection of the date of birth is being implemented in order to comply with the CSA decision to limit minors' access to certain content Decision on the merits 17/2025 — 12/27 43. When it chooses to refer the matter to the SI as in this case, the Litigation Chamber retains, as the Market Court recognises, a sovereign power of assessment of the complaint. Both the findings of the SI and the arguments developed by way of conclusions and the documents filed by the parties inform the decision-making of the Litigation Chamber. As an autonomous body, it nevertheless retains a power of assessment and the freedom to issue, not without relevant and reinforced motivation in accordance with the requirements of the Market Court, its own legal considerations on the situation brought before it, including with regard to the inspection report and the grievances raised, where appropriate, against it by the parties. 44. In this case, the Litigation Chamber notes that the SI report had, with regard to the grievance discussed in this section, concluded that the recourse to Article 6.1.f) of the GDPR invoked by the defendant itself was inadmissible. The Litigation Chamber remains free, after examination, to subscribe or not to this analysis. This own assessment is a fortiori essential in this case since the defendant indicated in terms of conclusions that it had wrongly - and this following the circumstances in which it was led to have to respond to the IS - invoked Article 6.1.f) of the GDPR in place of Article 6.1. b) of the GDPR and that the Litigation Chamber will take this into account in this decision as will be detailed in the section below. 45. As for the refusal to follow up on the request for a meeting with the IS made by the defendant, the Litigation Chamber notes that by letter of 24 June 2019, the IS replied that "holding a meeting with the data controller did not fall within its investigative powers as mentioned in Article 66 §1 of the LCA". It added that it had chosen to conduct a written investigation in this case. The Litigation Chamber cannot substitute its assessment for that of the SIquantàce. It notes that the defendant in any event had the opportunity to inform the latter of its position. As for the plaintiff’s interpretation that the defendant, by its request, attempted to distort the investigation, the Litigation Chamber is of the opinion that this interpretation belongs exclusively to it and that it has no evidence to corroborate it. As for the obligation to identify a basis of lawfulness 46. Pursuant to Articles 5.1. a) and 6.1. of the GDPR, any data processing must be based on one of the bases of lawfulness listed in Article 6.1. a) to f) of the GDPR. The Litigation Chamber 12Court of Markets (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Court of Markets (19th ch.A), December 7, 2022, 2022/AR/556. 13Cour des marchés (19th ch. A), 20 December 2023, 2023/AR/801 (point 30): 14tps://www.autoriteprotectiondonnees.be/publications/arret-du-20-decembre-2023-de-la-cour-des-marches-ar-801.pdf The Cour des marchés, the appeal body for decisions of the Litigation Chamber, has in this regard explicitly validated the possibility for the decision-making body of an administrative authority to deviate from the conclusions of the body of the same authority in charge of the investigation/inspection. See in this sense: Cour des marchés (19th ch. A), 28 February 2018, 2017/AR/1139 & 2017/MR/1, §25. Decision on the merits 17/2025 — 13/27 recalls that, pursuant to Article 6.1 of the GDPR, the processing of personal data is in fact lawful only if, and to the extent that, it is based on one of the bases of lawfulness listed therein. 47. This basis of lawfulness must be identified prior to processing. There is no doubt that this prior identification results from Article 6.1. of the GDPR even if it is not 15 explicitly formulated therein. It results from the combined reading of said Article 6.1 of the GDPR and Article 13.1.c) of the GDPR, in particular under the terms of which the data controller is required to provide the data subject, at the time he obtains the data concerning him from him, all the information listed in Article 13.1 and 13.2 of the GDPR, including "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing" (Article 13.1. c) of the GDPR). The implementation of this obligation necessarily presupposes that the data controller has identified this legal basis beforehand. This identification of the basis of legality prior to the operationalization of the processing contributes to the respect of the principles of loyalty and transparency (article 5.1. a), 13.1 c) and 14.1 c) of the GDPR) as well as that due to the principle of accountability and the obligations which result from it (article 5.2 and 24 of the GDPR). 48. The Litigation Chamber also recalls that it is the responsibility of the data controller to identify a single basis of lawfulness on which it bases its processing. This requirement also contributes to the principles of loyalty and transparency that it is the controller’s responsibility to implement (Article 5.1.a) of the GDPR). Since different consequences arise from one or the other basis of lawfulness, particularly in terms of the rights of the persons concerned, it is not 17 accepted that the data controller invokes one or the other according to the circumstances. Generally speaking, by invoking distinct bases of lawfulness, the data controller creates a certain vagueness in terms of the exercise of the rights of the persons concerned. 49. The Litigation Chamber notes that in this case, the defendant (even if erroneously as it claims) initially declared that it based the processing of 15 See European Data Protection Board (EDPB), Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679. See point 121: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf 16The Litigation Chamber emphasizes that while Article 30 of the GDPR relating to the Register of processing activities does not require in its §1 that the lawfulness of the processing be included among the elements to be included in the Register, the purpose of the processing must be mentioned, which should lead the data controller to define the corresponding lawfulness basis. In this sense, without calling into question its non-mandatory nature, the Commission for the Protection of Privacy had recommended at the time to include this basis of lawfulness as part of the additional information in the Register. See Recommendation No. 06/2017 of 14 June 2017 relating to the Register of Processing Activities (Article 30 of the GDPR) (page 17/35 of the French version). https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf 17 As an illustration, the data controller cannot consider that he bases the processing on the consent of the data subject (Article 6.1.a) of the GDPR) and on his legal obligation (Article 6.1.c) of the GDPR). Consent can indeed be withdrawn at any time and if it does not have the effect of compromising the validity of the processing carried out before this withdrawal (article 7.3. of the GDPR), it does not however allow, a priori, the data controller to continue the processing in the future (article 17.1.b) of the GDPR), at least not for the same purpose. By declaring that the processing is based on its legal obligation to take another hypothesis (article 6.1.c) of the GDPR), the data controller excludes in principle any possibility of opposition to the processing, the withdrawal of consent cannot be invoked nor the right of opposition which is reserved for the hypotheses of article 21.1. of the GDPR or to the processing of personal data based on article 6.1. e) or 6.1. f) and not on article 6.1.c) of the GDPR. Decision on the merits 17/2025 — 14/27 registration data on Article 6.1. f) of the GDPR (with the IS as part of the investigation as already mentioned) to then declare that it relies on Article 6.1. b) of the GDPR in its conclusions. If the defendant may have considered its response time to the IS too short, it is not up to the Litigation Chamber to comment on the length of the latter. Without prejudging the loyalty of data controllers faced with investigation duties, it appears in any event to the Litigation Chamber that since this is an obligation that must be satisfied before the processing is operationalised (i.e. from the design of the latter), the information regarding the basis of legality used should a priori be immediately available, the identification of which should have been made before any implementation of the Auvio service. 50. However, the Litigation Chamber notes that, on the one hand, it is in a detailed manner and with regard to the various data processed that the defendant stated the basis of the legitimate interest in its responses to the IS while, on the other hand, highlighting, in this same letter to the IS, elements of its documents which, according to it, clearly reflect that the processing falls within the framework of the "performance of the Auvio contract". If, as the defendant maintains, these textual elements were to reveal that a contract had indeed been entered into with the user at the time of the facts, it is all the more incomprehensible that the defendant relied on them in a letter in which it invokes its legitimate interest, even though it had identified the adequate basis of lawfulness beforehand. 51. In view of all the circumstances of the case, the arguments of the parties and its duty of care, the Litigation Chamber will examine below the relevance of the use of Article 6.1. b) of the GDPR, not without concluding that there was a breach of Articles 5.1. a) and 6.1 of the GDPR on the part of the defendant due to the fact that the defendant communicated Article 6.1. f) of the GDPR as a basis of lawfulness by the defendant to the IS. This communication, even by mistake - which error does not eliminate said breach -, reflects, according to the Litigation Chamber, a failure to identify in advance the basis of lawfulness that it will nevertheless choose not to sanction (see below). As for the use of the basis of lawfulness of Article 6.1.b) of the GDPR 52. The Litigation Chamber recalls that the use of the basis of lawfulness of Article 6.1. b) of the GDPR is subject to 3 conditions: - (1) a contractual or pre-contractual relationship exists between the data controller and the data subject; - (2) the contract must be valid under the applicable law; - (3) the processing of personal data meets the condition of necessity, in other words, the data processed are actually necessary for the performance of the contract. Decision on the merits 17/2025 — 15/27 53. The manner in which Article 6.1. b) of the GDPR must be applied has been the subject of several clarifications in recent years through Guidelines of the European Data Protection Board (EDPB), binding decisions of the EDPB on the basis of Article 65 of the GDPR and ultimately by a judgment of the Court of Justice of the European Union (CJEU) of 4 July 2023. This case law is summarised below and applied to the present case. 54. With regard to conditions (1) and (2), the data controller must, in accordance with its obligation of accountability under Article 5.2. of the GDPR, be able to demonstrate a) that a contract exists – that is, that the data subject and the data controller are engaged in a contractual relationship – and b) that the contract is valid under the applicable national contract law. 55. In this case, the Litigation Chamber is of the opinion that a contract is effectively concluded between the user on the one hand, here the complainant, and the defendant on the other hand by means of the subscription to the Auvio service (adherence to the conditions of the General Terms and Conditions and provision of personal data). Nothing calls into question the validity of this contract under the Belgian law applicable to it. As to the question of whether the passage through a contract was essential, the Litigation Chamber takes note of the defendant’s management contract and the absence of an obligation for the latter to provide free access to its media content via the Internet. In this case, the Litigation Chamber has no element of a nature, in the exercise of its powers, to challenge the applicability of this management contract, its content or the consequences drawn from it in casu. 56. As regards the condition of necessity for the processing of the personal data concerned (3), the Litigation Chamber recalls that in its Huber judgment, the Court of Justice of the European Union (CJEU), specified the following in regard to this condition of necessity: "having regard to the objective of ensuring an equivalent level of protection in all Member States, the concept of necessity as it results from Article 7, 1European Data Protection Board (EDPB), Guidelines 2/2019 of 8 October 2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines-art 6-1-b- adopted after public consultation fr.pdf 19EDPB European Data Protection Board (EDPB), Binding Decision 2/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Article 65 GDPR) – points 80 to 100: https://www.edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-22022-dispute-arisen fr and European Data Protection Board (EDPB), Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Article 65 GDPR) – points 106 et seq. This decision is only available in English and German: https://www.edpb.europa.eu/system/files/2023- 01/edpb bindingdecision 202203 ie sa meta facebookservice redacted en.pdf 20 Court of Justice of the European Union, judgment of 4 July 2023 – Case C-252/21 Meta Platforms E.A. (general terms and conditions of use of a social network), ECLI:EU:C:2023:537, paragraphs 97 et seq. Decision on the substance 17/2025 — 16/27 subse) , of Directive 95/46, which aims to precisely delimit one of the cases in which the processing of personal data is lawful, cannot have a variable content depending on the Member States. Therefore, it is an autonomous concept of Community law which must be interpreted in a manner that fully meets the purpose of this directive as defined in Article 1, paragraph 1 thereof" 22 (emphasis added by the Litigation Chamber). 57. This case law formulated in light of Article 7.e) of Directive 95/46/EC applies to all bases of lawfulness that retain this condition of necessity. It remains relevant today even though Directive 95/46/EC has been repealed since this condition of necessity is maintained under Article 6.1 b) to f) of the GDPR. 58. The Article 29 Working Party also referred to the case law of the European Court of Human Rights (Eur. Court HR) to identify the requirement of necessity. 23 It concluded that the adjective “necessary” does not have the flexibility of terms such as “admissible”, “normal”, “useful”, “reasonable” or “opportune”. 24 59. With regard in particular to Article 6.1.b) of the GDPR, the necessity of data processing is thus assessed first of all in the light of the main objective of the contract: the data controller must ensure that the provision of the product or service cannot take place without the implementation of the processing of the data in question. If, on the contrary, the objective of the contract can be achieved without the processing of specific data being implemented, the condition of necessity is not met. 60. The necessity of the processing is further assessed in light of the expectations of each party regarding the purpose of the contract: the controller must not rely exclusively on its point of view to assess its necessity in view of this purpose, it must also take into account the perspective of the data subject, his understanding of the main purpose of the contract or the way in which the service has been promoted. The purpose must be mutually understood as requiring the processing of data concerned. 61. The condition of necessity should therefore be interpreted restrictively when analysing the legal basis of the contract: it does not cover situations in which the processing is not genuinely necessary for the performance of the contract but rather imposed 21 The Member States provide that the processing of personal data may only be carried out if: (…) e) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or the third party to whom the data are communicated. 22 CJEU, 1§ December 2008, , judgment in Heinz Huber v. Bundesrepublik Deutschland, C-524/06 para. 52. 23 Article 29 Working Party, Opinion 06/2014 of 9 April 2014 on the concept of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC, WP 217. 24 Eur. Court HR, 25 March 1983, Silver and Others v. the United Kingdom, § 97. Decision on the merits 17/2025 — 17/27 unilaterally to the data subject by the controller. In other words, the processing concerned must not pursue another objective, for example allowing the pursuit of distinct or exclusive interests of the controller. 62. In summary, the processing in question must be “objectively indispensable” to the performance of the contract (i.e. to achieve a purpose that is an integral part of the contractual service intended for users) such that the main purpose of this contract could not be achieved without this processing. Necessity is not determined by the sole formalisation of the contract and its content. If there are realistic and less intrusive alternatives, the processing is not necessary. The controller should be able to justify the necessity of its data processing in relation to the fundamental and mutually understood contractual purpose. In this regard, it should finally be possible for an ordinary user to know the “fundamental and mutually understood” purpose on the basis of the information presented by the controller. 63. The Litigation Chamber decides that since the Auvio service is designed as a contract for the provision of personalised content, the objective of this contract cannot be achieved without the processing of a certain amount of personal data (see below). It considers - in addition to the fact that it can reasonably be thought that the perception of a personalised offer necessarily involves, at the present time, a certain amount of personal data - that in the context of the present case, the information provided by the defendant when subscribing to the contract (via the creation of the account) is also sufficiently explicit. In other words, the objective of the Auvio contract must, according to the Litigation Chamber, be considered as mutually understood. 64. Only data “necessary” for the execution of said contract, regardless of the method chosen to subscribe to it (by directly providing personal data on the “Auvio” page of the defendant’s website or via the connection to the Facebook or Google social network of the subscriber, depending on the latter’s choice) may nevertheless be processed. 65. As for the data noted by the IS in its investigation report as being the mandatory registration data at the time of the investigation (surname, first name, password and email address), the Litigation Chamber considers that they are indeed “necessary for the execution of the “Auvio” contract. This data makes it possible to securely identify the user and create their account. 25 (paragraphs 88-94 of decision 02/2022). 26As stated in the investigation report, this purpose must nevertheless be repeated by the defendant in its documents. Decision on the merits 17/2025 — 18/27 66. As for the other data referred to in point 40 above, the Litigation Chamber makes the following findings. - With regard to the telephone number and residence of the user, the Litigation Chamber is of the opinion that the applicability of Regulation (EU) 2017/1128 of the European Parliament and of the Council of 14 June 2017 on the cross-border portability of online content services in the internal market is indeed likely to require the processing of these data for the purposes of allowing access to the Auvio service to Belgian residents when they are in another EU country. In doing so, these data can be considered as "necessary for the performance of the contract" thus "expanded" with regard to the accessibility of the Auvio service. The Contentious Chamber recalls that if one of these data should be sufficient for the purposes of this expanded personalized offer, only one of them could be processed in execution of the principle of minimization, notwithstanding the fact that the residence data is also processed for personalization purposes (weather for example). - Regarding the processing of the subscriber's date of birth, the Contentious Chamber is of the opinion that it does not have sufficient elements and technical findings to conclude on the objective necessity of its processing for the purposes of executing the contract. The Litigation Chamber notes the reasoning invoked by the defendant based on a decision of the CSA and on the obligations to which it is bound arising from the decree relating to the protection of minors with regard to certain content. Age verification for these purposes, if such is the obligation arising from it, must be carried out in compliance with data protection rules, in particular the principle of minimisation. As with any age verification system, the data controller must opt for a system that guarantees respect for the privacy and protection of the personal data of the users concerned. The defendant must therefore be able to demonstrate that the date of birth is actually essential in order to be able to perform the contract in full legality and that any other measure that is less prejudicial in terms of the protection of personal data could not achieve the desired result. - As for the gender data, the Litigation Chamber notes that here too, it does not have sufficient information regarding the personalization of the service to which the processing of this data results. The Litigation Chamber recalls that this processing for personalization purposes must necessarily take place in the 27 As part of the implementation of Article 8.2 of the GDPR in particular, the French data protection authority like its Spanish counterpart have published the following informative documents: https://www.cnil.fr/en/online-age- verification-balancing-privacy-and-protection-minors, and https://www.aepd.es/guides/decalogue-principles-age-verification- minors- Decision on the merits 17/2025 — 19/27 28 compliance with the law in general, including, in addition to the GDPR, non-discrimination rules for example and all the standards (legal in particular) to which the defendant is bound. It is also up to the defendant to be able to demonstrate that this is the case. - With regard to the profile photo processed when the user chooses to register via the social network to which he is already registered, the Litigation Chamber refers to point 89 below. 67. In conclusion, provided that it can demonstrate that all this data is essential for the variable personalization of the “Auvio” service (service as presented under the terms of the various information documents brought to the attention of users of the service), the defendant is authorized to rely on Article 6.1. b) of the GDPR. When this data is optional, it is important that this is very clearly specified to the user as well as the personalization of the service that will result from it; this is so that the subscriber can make an informed choice. II.2. As for the use of social network data for connection/registration purposes II.2.1. The IS’s point of view 68. As stated above, the IS notes in its investigation report that the distinction between the login and registration mechanism via social networks lacks clarity, contrary to Articles 12.1, 13 and 14 of the GDPR. It notes that the registration and login mechanisms are almost identical. 69. The report adds that following his login with his Facebook ID, a technical advisor of the IS was, without his knowledge, created a profile with his Facebook data on the defendant’s website, data that he was also asked to complete. The IS concludes that the mechanism used, under the guise of logging in via a Facebook account, is in fact the creation of an RTBF account with the provision of the user’s Facebook data, without the latter being informed. The SI concludes that this procedure is in contradiction with Articles 5.1a), 5.1.b), 5.1.c), 12.1, 13 and 14 of the GDPR. 28The Litigation Chamber draws the defendant's attention to the recent judgment of the Court of Justice of the European Union (CJEU) of 9 January 2025 - whose factual circumstances and legal elements are admittedly different - in Case C-394/23, Mousse v. Commission nationale de l'informatique et des libertés (CNIL) and SNCF Connect, more particularly the CJEU's focus on the risk of gender discrimination. Decision on the merits 17/2025 — 20/27 II.2.2. The parties’ point of view The complainant 70. The complainant states that the problem lies not so much in the question of informing the user who seeks to register as in the choice made by the defendant to make Auvio a personalized service for which it will therefore be necessary to create an account and communicate certain personal data for this purpose. The defendant 71. As a principal point, the defendant concludes, as already mentioned in section II.1.1., that the findings of the IS must be dismissed. Since findings 5 and 6 made by the IS are, according to it, here too, sad examples of its lack of thoroughness and impartiality, they taint the impartiality of the Litigation Chamber by repercussion. 72. As for finding 5, which accuses it of failing in its duty of transparency in the presentation of the two options for creating the Auvio account, namely “registration” on the one hand and “connection” on the other, the defendant considers that users are never misled as to the consequences of each of these procedures. 73. As for finding 6, which it considers intrinsically linked to finding 5 and which accuses it of not informing the user that logging in via a Facebook account is “in fact the creation of an RTBF account with the provision of the user’s Facebook data”, the defendant considers that it is unfounded. It adds that it never has access to the user’s Facebook or other account. 74. In its “Summary Conclusions”, the defendant detailed the steps of the 29 registration procedure via a social network connector (Facebook or Google). 75. The defendant considers that it follows from these steps that, contrary to the conclusion of the IS, it is very clear to the user that his name, photo and email address are communicated to the defendant in view of (1) the numerous occasions on which both the Data Usage Charter and its T&Cs are brought to the attention of the user and (2) the express indication by Facebook that this personal data is shared. Thus, with regard to the sharing of data itself, findings 5 and 6 of the IS for lack of transparency are unfounded. The process described 29The user begins by clicking on a REGISTER button via Facebook. A separate window then opens in which the user is asked to log in to their Facebook account, for example. Once logged in to this account, Facebook warns them that the process will lead to the transmission to the defendant of their name, profile picture and the email address linked to their Facebook account. This window presented by Facebook contains links to the defendant’s Data Usage Charter (RTBF’s privacy policy) and to the defendant’s T&Cs. Decision on the merits 17/2025 — 21/27 in terms of screenshots updated during the hearing, attests to this according to the defendant in the same way. 76. Finally, the defendant denies any flow of data "from RTBF to Facebook" as the complainant claims. It emphasizes that, however tainted by lack of thoroughness and impartiality the IS reports may be, they do not in any way mention such a flow. It insists on the fact that on Auvio, interaction with Facebook is only done to search for information enabling an Auvio account to be created more easily. More explicitly, as stated in the hearing minutes, when the user chooses to register in order to be able to connect to Auvio or connects to Auvio from the said social networks, there is no communication of data by RTBF to these social networks in return (for example, data relating to what has been viewed). II.2.3. The assessment of the Litigation Chamber As for the admissibility of the IS reports 77. As for the complaints raised against the IS reports, the Litigation Chamber reiterates the arguments that it developed above in section II.1.3. according to which, assuming they are well-founded, these complaints do not affect its power of assessment and its decision-making. Given the time that has elapsed since these reports, the Litigation Chamber has therefore requested as already mentioned, that the defendant present the manner in which the procedure for registration via connection to a social network was carried out as close as possible to the hearing date (point 20 above). As for the transparency of the account creation process via connection to a social network 78. The Litigation Chamber recalls that in application of the principle of loyalty and transparency and its obligation to provide information (Article 5.1.a) and 12.1 read in combination with Articles 13 and 14 of the GDPR), the defendant is required to present the data processing that it carries out in a manner that is easily understandable for the user, any deception or confusion must be excluded. 79. It is therefore necessary that the registration process via the creation of an Auvio account, - whether via a social network connector (Facebook, Google) or not - be clearly presented both in words and visually without confusion with a possible direct connection without going through the "account creation" or "I already have an account" box. 80. Allowing the future user to create an account based on data from a social network on which he is already registered is a conscious choice by the defendant. During the hearing, the latter highlighted that this choice had been made to facilitate access to Auvio content for its users. However, the person making this choice cannot completely exonerate himself from the way in which the communication of data from the social network to his service is carried out. Creating an Auvio account "from scratch" or via a social network is a choice that belongs to the user, however. The latter must nevertheless be informed of the data processing that will take place in this case to allow him to make a conscious choice. 81. The information provided for this purpose must be perfectly explicit - in text and in visual form - so that the user understands that he has the choice, (1) either to create an account via the communication of data to the defendant directly from the "Auvio" registration page, (2) or to create an account via a connection to his favorite social network, the data available and necessary for the execution of the Auvio contract (see below) of which will be reused for the creation of the Auvio account. As for the creation of an account via a social network connector, it must also be clear that the connection to said social network is part of the registration process and aims to create an account on Auvio based on the data available on said social network that are necessary for this service. It must undoubtedly follow that this is not, as has already been mentioned, a simple direct connection to Auvio via the social network. Any creation of an account without the user's knowledge when the latter logs in via a social network (outside the registration procedure) is prohibited. 82. The information relating to the data processing that this creation of an account entails must be available (where applicable via an active hyperlink that refers to the relevant information document(s)) at the time of creation of the account. 83. In each case, only the data essential to the execution of the Auvio contract may be processed under Article 6.1.b) of the GDPR (see above, Title II.1.). 84. The Litigation Chamber is of the opinion that during the hearing, the defendant sufficiently demonstrated to it that, with regard to the registration process, there was, at that date, no confusion between connection on the one hand and registration on the other. - After clicking on "Log in" on the Auvio page, a window appears with two separate buttons: "I already have an account" and "Start my registration". - By clicking on "Start my registration", a new window appears with the buttons "Continue with Facebook", "Continue with Google" as well as a registration form to be completed directly on the Auvio page. 85. The Litigation Chamber therefore notes that the possible connection via the social networks Facebook or Google is indeed done in the continuity of the registration process. The configuration of the pages does not allow connection without a new account "Start a registration" or without a pre-existing account "I already have an account". Decision on the merits 17/2025 — 23/27 86. The Litigation Chamber also notes that under the buttons “Continue with Facebook” and “Continue with Google”, the following text is provided “If you register 30 via Facebook or Google, you authorize RTBF to have access to some of your personal data and you accept the general conditions of use of RTBF (hyperlink highlighted) and the Auvio user agreement (hyperlink highlighted). RTBF does not transmit personal information about you to Facebook and Google in this context. For more information, see the FAQ. Their tracking cookie will be activated automatically”. 87. It follows that the candidate subscriber is thus informed that data from his social network will be transferred to the defendant for the purposes of subscribing to the Auvio contract, the content of which is detailed in the documents also provided. The Litigation Chamber understands that this data is that detailed in the step below. It considers that 31 more immediate information would be preferable. 88. The Litigation Chamber also notes from the defendant's submission that by clicking on "Continue with Facebook", a login window appears which states "Log in to use your account with RTBF" and that once the candidate user of Auvio is logged in via his Facebook credentials, the following message appears: "RTBF requests access to your name, profile photo and email address". Once the account has been created, the user can provide additional information. Thus, in addition to the email, password and first and last name, the user can add his address, postal code, city and country as well as his mobile number and date of birth or gender (see the screenshot of the presentation of January 23, 2023 and the factual update of January 4, 2023, page 3). 32The Litigation Chamber notes that a comparable process is planned via Google. 89. With regard to the profile photo, the Litigation Chamber considers that the defendant has failed to demonstrate that it is “necessary for the performance of the contract within the meaning of Article 6.1. b) of the GDPR. For the remainder, and to the extent necessary, the Litigation Chamber specifies that the considerations it issued in Title II.1.3 apply regardless of the method of creating an account. 90. In conclusion, the Litigation Chamber is aware of the time that has elapsed since the investigation report and since the hearing was held. It adopts this decision on the basis 30 It is the Litigation Chamber that emphasizes. 31 During the hearing, the Litigation Chamber shared its observation that the link to the FAQ was deactivated. The hyperlink should therefore be reactivated, which the defendant committed to in its response of 14 February 2023 to the minutes of the hearing. 32The defendant stated in its observations on the minutes of the hearing that, contrary to what had been pointed out during the hearing, there is no difference between the data requested during the direct registration phase on the defendant's website or registration via an existing social network account. Decision on the merits 17/2025 — 24/27 of the above elements, including those presented to it during the hearing and concludes that it does not have any evidence at the current stage allowing it to conclude that there has been a violation of the articles highlighted by the IS in its investigation report in light of findings 5 and 6 (points 7 and 68-69). 91. Subject to some adaptations of unavailable information hyperlinks or referring to an incorrect document and more appropriate wording, the Litigation Chamber considers that it was able to note that the registration procedure was presented in clear steps and that one method of this procedure allowed one to connect to a social network with a view to creating an Auvio account. III. Corrective measures and sanctions 92. Under Article 100.1 of the LCA, the Litigation Chamber has the power to: 1° dismiss the complaint; 2° order that there be no further action; 3° order a suspension of the ruling; 4° propose a transaction; 5° issue warnings or reprimands; 6° order compliance with the requests of the person concerned to exercise their rights; 7° order that the interested party be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of the processing; 9° order the processing to be brought into compliance; 10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data; 11° order the withdrawal of the accreditation of the certification bodies; 12° impose periodic penalty payments; 13° impose administrative fines; 14° order the suspension of transborder data flows to another State or an international body; 33 The hearing report states that the clause relating to registration via Facebook or Google is identical depending on whether the Internet user chooses to “Continue with Facebook” or “Continue with Google”, whether they already have an account (and are therefore only trying to log in) or are starting a registration. In the case where they already have an account (and are trying to log in and not register), the wording does not appear relevant since it explicitly refers to the registration process. The defendant indicated that it would take this into account in its observations on the hearing report. Decision on the merits 17/2025 — 25/27 15° forward the file to the Public Prosecutor’s Office of the King of Brussels, who will inform it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority 93. In support of the above findings, the Litigation Chamber decides, taking into account the circumstances of the case, in particular the age of the case (1) to send the defendant a warning that, if the defendant were in the future not to be able to demonstrate that the data processed during the registration phase are all “necessary for the performance of the Auvio contract” within the meaning of Article 6.1. b), it would be guilty of a breach of Article 6.1 of the GDPR. 94. For the remainder, the Litigation Chamber decides to dismiss the complaint, in accordance with Article 100.1, 1° of the LCA, for the reasons set out below. 95. In matters of dismissal, the Litigation Chamber is required to justify its 34 decision in stages and to: - pronounce a dismissal of technical action if the file does not contain or not enough elements likely to lead to a sanction or if it contains a technical obstacle preventing it from rendering a decision; - or pronounce a dismissal of opportunity, if despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate taking into account the priorities of the Data Protection Authority (DPA) as specified and illustrated in its Dismissal Policy.35 96. In the event of dismissal based on several grounds, the latter (respectively, the ground(s) for dismissal of technical action and the ground(s) for dismissal of opportunity) must be treated in order of importance. 97. The Litigation Chamber decides that in this case, the complaint must, apart from the warning formulated above in point 101, be closed without further action. This closing without further action occurs on technical grounds since it concluded that no finding of a violation of the GDPR could be held against the defendant in relation to the other complaints raised against it by the complainant or the SI, with the exception of the breach of Article 5.1 a) and 34Cour des marchés (Court of Appeal of Brussels), 2 September 2020, judgment 2020/AR/329, p. 18. 35In this regard, the Litigation Chamber refers to its policy on classification without further action as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de- classement-sans-suite-de-la-chambre-contentieuse.pdf 36Cf. Title 3 – In which cases is my complaint likely to be classified without further action by the Litigation Chamber? of the policy on classification without further action of the Litigation Chamber. Decision on the merits 17/2025 — 27/27 filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or 38 via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code). (sé). Hielke H IJMANS President of the Contentious Chamber 4° the subject and summary of the grounds of the application; 5° the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 38 The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.
