APD/GBA (Belgium) - 105/2022
From GDPRhub
| APD/GBA - 105/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 2(1) GDPR Article 4(1) GDPR Article 4(6) GDPR Article 55(3) GDPR Article 57(1)(a) GDPR Article 57(1)(f) GDPR Article 57(1)(v) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 18.11.2019 |
| Decided: | 17.06.2022 |
| Published: | 17.06.2022 |
| Fine: | n/a |
| Parties: | FOD Financiën |
| National Case Number/Name: | 105/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde 105/2022 (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA held that it could not establish a breach of professional secrecy pursuant to Article 55(3) GDPR as only a judge was competent to do so. It could not, therefore, find the data obtained from the complainant's criminal record to be unlawfully obtained.
English Summary
Facts
The controller is the Belgian tax authority (Algemene Administratie van de Bijzondere Belastinginspectie). The complainant provides tax advice services. The data subjects are (1) the complainant (hereinafter: Tax Advisor) and its (2) customers (hereinafter: Customers).
The Tax Advisor was involved in a criminal investigation into tax fraud, forgery of documents, and the use of false documents. The investigation was still pending when the DPA issued the decision.
The controller used the Tax Advisor’s criminal records for an investigation into tax evasion of his Customers. These documents only contained personal data of the Customers. The controller’s notice to the Customers of the investigation contained the Tax Advisor’s personal data (full name; address; data of birth).
The Tax Advisor issued a complaint with the DPA for unlawful processing of personal data. He stated that it damaged his reputation and breached his clients' confidentiality, which cost him customers.
Regarding the data from his criminal records, the Tax Advisor stated that it did relate to him because (1) he processed it in the context of his independent professional activity and (2) it was obtained from his criminal records. He further argued that customer data is covered by professional secrecy and thus cannot be processed for tax purposes.
The controller stated that the notice to the Customers, on its own, did not fall under the definition of 'filing system' under Article 4(6). Therefore the GDPR was not applicable.
Holding
The DPA noted that a complaint by someone other than the data subject can be admissible if they have a sufficient interest (Article 58 WOG). Sufficient interest is present if the complainant's interest in some way relates to the interest of the data subjects (mere commercial interest is not enough). The DPA found that the Tax Advisor's interest was purely commercial and thus, not sufficient.
The DPA also disregarded the Tax Adviser's argument that the data obtained from his criminal records is covered by professional secrecy. The DPA noted that only the judge on the merits can decide on a breach of professional secrecy. As this did not happen (yet), it cannot examine whether the acquisition of data by the controller was in accordance with the GDPR.
Regarding the controller’s notice to the Customers, the DPA held that, contrary to the controllers argument, the GDPR was applicable. The notice is part of a tax file that is managed by controller, which makes it part of a filing system as described in Article Article 4(6). However, the DPA refrained from ruling on the lawfulness of the processing of that data, as they were already the subject of pending legal proceedings as part of the main dispute.
The DPA therefore held that the complaint was inadmissible.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/12
Dispute room
Decision on the merits 105/2022 of 17 June 2022
File number : DOS-2019-05858
Subject : Use of personal data obtained through inspection of the criminal file
at the expense of the complainant for the valuation of the complainant's customers
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General
Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
†
The complainant: Mr X, hereinafter referred to as “the complainant”; †
†
The defendant: FPS Finance, General Administration of the Special Tax Inspectorate, King
Boulevard Albert II 33 box 48, 1030 Brussels, hereinafter referred to as “the defendant”, Decision on the substance 105/2022 - 2/12
I. Facts procedure
1. On 18 November 2019, the complainant lodged a complaint with the Data Protection Authority against
the defendant.
The subject of the complaint concerns the use by the General Administration of the Special
Tax Inspectorate (hereinafter: AABBI) of data obtained by viewing
the criminal file charged by the complainant in which, in the context of a search of the house with abandonment and
network search data would have been copied and taken, including
personal data of customers of the complainant's companies. The AABBI would
have used personal data to proceed with valuing those customers, as well as to
accuse them of fraud.
2. On March 17, 2020, the complaint is declared admissible by the first-line service on the basis of the
Articles 58 and 60 of the WOG and the complaint pursuant to Article 62, §1 of the WOG is forwarded to the
Dispute room.
3. On August 12, 2020, the Disputes Chamber will decide on the basis of Article 95, §1, 1° and Article 98 WOG
that the file is ready for treatment on the merits and the parties involved are informed
made of the provisions as stated in article 95, §2, as well as of these in article 98 WOG.
they are informed, pursuant to Article 99 of the WOG, of the time limits for their
to file defences.
The deadline for receipt of the defendant's statement of defense was thereby set
laid down on September 25, 2020, this for the conclusion of the complainant's reply on October 16
2020 and this for the defendant's reply on November 6, 2020.
4. On August 18, 2020, the complainant electronically accepts all communication regarding the case,
in accordance with article 98 WOG.
5. On September 22, 2020, the Disputes Chamber will receive the statement of defense from the
defendant in which an overview is given of the proceedings previously conducted by the
complainant with regard to the defendant and the pending proceedings concerning the complainant and
the complainant's customers. The defendant contests the jurisdiction of the Disputes Chamber both for
as regards the temporal, as the material scope. In the alternative, the
the defendant that the processing on his behalf is a correct and permitted data processing
respecting the principles of effectiveness and proportionality, as well as
that they are processed within a secure framework and are protected against unauthorized
access, unauthorized use, loss or unauthorized alteration., Judgment on the merits 105/2022 - 3/12
6. On 16 October 2020, the Disputes Chamber will receive the statement of reply from the complainant in which
it is explained that the Disputes Chamber has both temporal and material jurisdiction. According to the
complainant, the complaint is manifestly well-founded and has the defendant, in carrying out his legal
mandate as a tax authority, the rules arising from Articles 5.1 a), 5.1 c) and 6. 1 c) not
complied with. The complainant also once again acknowledges all communication regarding the case
accept electronically and want to make use of the opportunity to be heard,
in accordance with article 98 WOG. The complainant also requests an integral copy of the file
(article 95, §2, 3° WOG).
7. On November 5, 2020, the Disputes Chamber will receive the statement of reply from the defendant
in which the argumentation is resumed as set out in the statement of defense.
8. On 9 February 2022, the parties will be notified that the hearing will take place
on May 9, 2022.
9. On 9 May 2022, the parties will be heard by the Disputes Chamber.
10. The minutes of the hearing will be submitted to the parties on 16 May 2022.
11. On May 23, 2022, the Disputes Chamber will receive comments from the complainant, which he/she
requests to be attached to the minutes of the hearing. The Disputes Chamber decides
to include it in its deliberations.
II. Justification
I. Jurisdiction of the Dispute Chamber
a) Collection of personal data from the complainant on 15 May 2013
12. First of all, the Disputes Chamber emphasizes that it derives its competence from the GDPR, from
1
applicable from May 25, 2018 and the law of December 3, 2017 establishing the
2
Data Protection Authority, also entered into force on 25 May 2018, more specifically
1
Article 99 GDPR.
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
2
art. 110 WOG.
This Act shall enter into force on 25 May 2018, with the exception of Chapter III which shall enter into force on the date of publication of this Act
published in the Belgian Official Gazette.
The King may determine a date of entry into force for each provision thereof, with the exception of the provisions of Chapter III
prior to the date stated in the first paragraph., Decision on the merits 105/2022 - 4/12
Article 4, §1 WOG . With regard to the facts that occurred before that date, i.e. the
processing of the data provided by the judicial authorities as a result of a
search of the complainant's house with disembarkation were copied and taken, which took place
on May 15, 2013, the Disputes Chamber can only establish that it occurred well before the
application of the GDPR have occurred and a complaint has only been lodged with the
Data Protection Authority on November 18, 2019, when the GDPR is already fully
was applicable. It follows from this that the Disputes Chamber is not authorized to decide on the
4
data collection dated 15 May 2013 to judge . The Disputes Chamber can face these facts
nor declare competent under the transitional provision included in Article 112 WOG, 5
as the complaint was not pending at the time of the entry into force of the aforementioned
Law of 3 December 2017. In this regard, the complainant specifies in his reply that his
complaint does not target the original data processing by the Public Prosecution Service, but does
the subsequent processing (see below margin numbers 15 et seq.). Because the complainant himself indicates that the
original data collection by the Public Prosecution Service is not in dispute, constitutes
this is not a point on which the Disputes Chamber should go further.
13. For the sake of completeness, the Disputes Chamber adds that the mere fact that the complaint was
first-line service has been declared admissible, does not imply that the Disputes Chamber
is authorized to assess the complaint in its entirety. In accordance with Article 60(2) of the WOG
the Frontline Service only examines the formal admissibility conditions such as
6
included in this provision. Admittedly, the first-line service also globally assesses the
competence of the Data Protection Authority, which relates to the complaint in
its entirety, but this does not alter the fact that the Disputes Chamber itself determines the extent to which it is competent
3
art. 4. §1. The Data Protection Authority is responsible for supervising compliance with the fundamental principles of the
protection of personal data, within the framework of this law and of the laws containing provisions on the protection of
the processing of personal data.
Without prejudice to the powers of the Community or Regional Governments, of the Community or Regional Parliaments, of the
United College or of the United Assembly referred to in Article 60 of the special law of January 12, 1989 relating to the
Brussels institutions, the Data Protection Authority exercises this mission on the territory of the entire Kingdom, regardless of
which national law applies to the processing concerned.
4See in that regard: Decision on the merits 19/2020 of 29 April 2020, Decision on the merits 124/2021 of 10 November 2021.
5Art. 112 WOG.
Chapter VI does not apply to complaints or requests pending with the Data Protection Authority at the moment
of the entry into force of this law.
The complaints or requests referred to in the first paragraph are handled by the Data Protection Authority, as the legal successor of the Commission
for the protection of privacy, further handled according to the procedure applicable before the entry into force
of this law.
6 Art. 60. The frontline service examines whether the complaint or request is admissible.
A complaint is admissible when:
- it is drawn up in one of the national languages;
- contains a statement of the facts and the necessary indications for the identification of the processing to which it relates;
- it falls under the competence of the Data Protection Authority.
[…], Decision on the substance 105/2022 - 5/12
can define concretely. Well, for the facts that occurred specifically on May 15th
2013, the Disputes Chamber is not competent for the reason set out above.
b)Processing of data obtained by accessing the criminal file and use
of it in the valuation procedure against clients of the complainant after 25 May 2018
14. The personal data that are the subject of the present complaint
personal data that were collected in the context of a judicial investigation into tax
fraud, tax forgery and use of false documents. Since the processing has
carried out by a competent authority in the field of criminal law, here in principle
7
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 of
8
application. It follows from Article 9.1 of Directive 2016/680/EU and Recital 34 of this Directive
that in case the personal data is collected for the purpose of prevention, investigation,
investigation or prosecution of criminal offences, are passed on to a recipient, in this case
the defendant, who processes the data in question for purposes other than those of the
Directive, the GDPR applies to the transmission of personal data. This is done by the
parties as such are not disputed.
15. Specific with regard to the defendant's argument that the GDPR does not apply to
the processing of the data of the companies of the complainant's customers with
referring to recital 14 of the GDPR, the Disputes Chamber points out that the
argumentation ignores the definition of the term 'personal data' in Article 4.1) GDPR . 10
7
Articles 1 and 2 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons in connection with the processing of personal data by competent authorities for the purposes of the prevention,
investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, and concerning the free movement of such
data and repealing Council Framework Decision 2008/977/JHA.
8
Recital 34 Directive (EU) 2016/680.
The processing of personal data by competent authorities for the purposes of prevention, investigation, detection or
prosecution of criminal offenses or the execution of penalties, including protection against and prevention of dangers
for public security must relate to an operation or set of operations on personal data
or a set of personal data for those purposes, whether or not performed by automated means or otherwise,
such as collecting, recording, organizing, structuring, storing, updating, modifying, retrieving, consulting, using, aligning,
combine, subject to processing restrictions, delete or destroy data. In particular, the provisions of this
Directive should apply to the transmission of personal data for the purposes of this Directive to a
recipient not covered by this Directive. Recipient is understood to mean a natural or legal person, a
public authority, agency or any other body to whom or to which the personal data is lawfully provided by the competent authority
be published. Where the personal data was initially collected by a competent authority for one of the
purposes of this Directive, Regulation (EU) 2016/679 should apply to the transmission of those data for other
purposes other than those of this Directive, if such processing is permitted by Union or Member State law. More specifically to serve
the provisions of Regulation (EU) 2016/679 to apply to the transfer of personal data for purposes not covered by
fall under this Directive. Regulation (EU) 2016/679 should apply to the processing of personal data by a recipient
which is not the competent authority or which does not act as a competent authority within the meaning of this Directive and to whom the personal data
have been lawfully disclosed by a competent authority. When implementing this Directive, Member States should also apply
may further specify the rules of Regulation (EU) 2016/679, provided that the conditions laid down therein are met.
9
Recital 14 GDPR. The protection afforded by this Regulation applies to natural persons, irrespective of their
nationality or residence, in connection with the processing of their personal data. This Regulation does not concern the
processing of data on legal persons and in particular companies established as legal persons, such as name and legal form
of the legal person and the contact details of the legal person.
10
Article 4. For the purposes of this Regulation:, Decision on the substance 105/2022 - 6/12
Submit insofar as data concerning a legal person are so characteristic of the
identity of a natural person, which makes them identifiable, do concern them
personal data within the meaning of Article 4.1) GDPR.
16. The processing involved in the complaint concerns personal data of the complainant's customers
which are processed by the defendant after 25 May 2018 in the context of instructions from
tax evasion. Although this processing falls within the scope of the GDPR,
but it should be emphasized that the personal data of the customers who rely
on the complainant's services consisting of the provision of tax advice, cannot
are qualified as personal data concerning the complainant himself. In that vision
the Disputes Chamber then examines whether there is a sufficient interest in respect of the
complainant in order to be able to submit a complaint in this regard.
17. With regard to the interest of the complainant, the Disputes Chamber refers to Article 58 WOG in which
it is stated that: ”Anyone can submit a complaint or request in writing, dated and signed”
submit to the Data Protection Authority”. In accordance with Article 60, paragraph 2
WOG “A complaint is admissible if it:
- is drawn up in one of the national languages;
- contains a statement of the facts, as well as the necessary indications for the identification of the
processing to which it relates;
- it falls under the competence of the Data Protection Authority”.
18. The preparatory work of the WOG determines: "The Data Protection Authority"
can receive complaints or requests from anyone; natural persons but also
legal persons, associations or institutions that commit an alleged infringement of the Regulation
wish to sue. A complaint or request to the Data Protection Authority should be
in writing, dated and signed by the authorized person. A request
must be interpreted in the broad sense of the word (request for information or explanation, a
request to mediate, ...)”.
1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); if
identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to a
identifier such as a name, an identification number, location data, an online identifier or of one or more elements that
characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural
person;
†
11par. doc., Chamber of Representatives, 2016-2017, DOC 54 2648/001, p.40 (comment to article 58 of the
original bill)., Decision on the substance 105/2022 - 7/12
19. The WOG thus does not exclude that a person other than the person concerned or the person designated by the
the person concerned is authorized, as referred to in Article 220 of the Act of 30 July 2018 on the
protection of natural persons with regard to the processing of personal data,
can lodge a complaint with the Authority.
20. While the GDPR approaches the 'complaint' from the point of view of the data subject, by the
impose obligations on supervisory authorities when a person makes a complaint (see the
Articles 57.1., f) and 77 of the GDPR), the GDPR does not prevent national law from persons other than
provides the person concerned with the opportunity to lodge a complaint with the national supervisory authority.
The possibility of such a referral is also in accordance with the orders
assigned to the supervisory authorities by the GDPR. In that regard and in general
taken, each control authority shall ensure: the monitoring and enforcement of the application of
the GDPR (Article 57, 1., a) GDPR), and the performance of all other tasks related to the
protection of personal data (Article 57, 1., v) GDPR) .2
21. In that regard, the Disputes Chamber rules that Article 58WOG gives every person the opportunity
to make a complaint, provided that he has a sufficient interest in accordance with
the aforementioned provisions of the GDPR . 13
22. The condition is therefore that the complainant demonstrates a sufficient interest. In this regard
the Disputes Chamber to determine that the complainant merely mentions a commercial interest
consisting of the loss of confidentiality of the customer data used by the
defendant for valuation purposes aimed at the customers, with reputational damage on account of the
resulting in the complainant stating that in certain cases customers have blocked him
pointed out.
23. The complainant clearly appears to be pursuing a commercial interest which cannot be considered sufficient
are considered. After all, the mere pursuit of a commercial interest is not sufficient to
demonstrate a sufficient interest, this in the absence of any concrete element that can be
distinct from this self-contained commercial interest, which the complainant would
may affect the data processing by the defendant with regard to the
personal data of the clientele. The factual elements of the file do not show that the
the complainant has a data protection interest that corresponds to the interest
of the customers against whom a legal dispute procedure is still pending. From the pure
fact that the data processing by the defendant relates to personal data of
after all, it does not automatically follow from the complainant's customers that the complainant has ipso facto
any interest in that data processing by the defendant. Contrary to what the
12
In the same sentence: Decision on the merits 30/2020 of 8 June 2020
13See in the same sentence: Decision on the merits 80/2020 of 17 September 2020; Decision on the merits 63/2021 of 01 June 2021; Decision
on the merits 117/2021 of October 22, 2021; Decision 49/2022 of 5 April 2022, Decision on the substance 105/2022 - 8/12
complainant argues, customer data does not in any way become data relating to the complainant
solely and solely because the customer data is processed by him in the context of his
independent professional activity and originate from the original file, being the criminal file
at his own expense. The complainant does not sufficiently demonstrate that there is a question of
an interest that coincides with the interest of these customers, so that he does not complain on his own initiative
can submit regarding the data processing relating to the customers. Moreover
nor does he have any power of representation in this area for the concerned
customers.
24. In addition,customers specifically mention the complaint, especially the couple
Z, already reached an agreement with the defendant on 8 May 2020, which led to the investigation into them
was terminated. In that regard, the Z couple have no complaint themselves regarding possible infringement of
protection of their personal data.
25. Consequently, the complainant has no interest in doing so, given the
statement of approval from Mr and Mrs Z and the resulting lack of interest in
on their behalf to lodge a complaint themselves with regard to the processing of their
personal data by the defendant.
26. Because the complainant fails to demonstrate the existence of a sufficient interest on his part
in order to have his complaint handled by the Data Protection Authority, the
Disputes Chamber to determine the non-conformity with the procedural rules by the
declaration of admissibility of the complaint and the subsequent handling of the complaint.
27. In view of the fact that the complainant does not demonstrate that he has an interest that is sufficient
concretely to be able to file a complaint, the Disputes Chamber furthermore finds that the complainant
also did not have the capacity to file a complaint and that the full
procedure has therefore been affected by the absence not only of importance, but also of
capacity on the part of the complainant.
c) Processing of data concerning the complainant after 25 May 2018
28. The defendant agrees that the surname and first name of the complainant appear in the preceding
notices of indications of tax evasion and the notice of amendment and
in addition, his surname, first name, date of birth and address appear in the official reports from
the criminal file attached to the messages from the defendant.
29. The aforementioned data fall under the notion of personal data as defined in Article 4.1)
GDPR, which are processed within the meaning of Article 2. 1 GDPR. Not just any whole or in part
automated data processing falls under the scope of the GDPR, but also
any processing of personal data that is included in a file or is intended to
to be included therein. Although the defendant attempts to demonstrate that these data are not, Decision on the merits 105/2022 - 9/12
be part of a file as defined in Article 4.6) GDPR by stating that the
notifications extending the investigation period, the requests for information nor the
neither the notification of change nor the attachments in themselves a structured set of personal data
forms that are accessible via criteria, the Disputes Chamber must point out that the aforementioned
documents are not only part of the initial criminal file against the complainant, but also
are included in full in the valuation file managed by the defendant of which it is established that
this is structured according to specific criteria, which therefore does constitute a file . 14
After all, a public service such as the defendant by definition manages several files, whereby
these files as well as each file in itself must necessarily be
structured in such a way that they are accessible according to certain criteria. From this follows
that the GDPR applies to the data processing concerning the complainant.
30. However, the file containing the documents containing the complainant's personal data
included, was submitted for assessment by the defendant as being a party to the
pending tax proceeding in respect of some customers. The processing of the
The complainant's personal data must be placed in a broader context, to which
a tax dispute is based and of which the data processing is an integral part.
After all, the documents submitted by the parties in the proceedings are currently being assessed
to the court on the merits, which must thus be regarded as controller
with regard to the file containing all supporting documents sent to him
regarding the tax dispute between the parties, including the documents with
personal data concerning the complainant. In that regard, the Disputes Chamber rules that it
15 16
pursuant to Article 55.3 of the GDPR in conjunction with Article 4, § 2 of the WOG, cannot rule on a
sub-aspect that, although related to documents in which the personal data of the
complainant are processed, but that as part of the main dispute is already the subject
of pending legal proceedings . To judge otherwise would result in the
14Recital 15 GDPR: “In order to avoid a serious risk of circumvention, the protection of natural persons should be
be technology neutral and not dependent on the technologies used. The protection of natural persons should
apply to both automated processing of personal data and manual processing thereof if the personal data
are stored or intended to be stored in a file. Files or a collection of files and their covers, which
are not structured according to specific criteria should not fall within the scope of this Regulation.”
A contrario, files or a collection of files that are structured according to specific criteria, do fall under the
scope of the GDPR.
See also the Judgment of the Council of State no. 91.531 of 11 December 2000 in the case A. 69.056/IX-2103, Dewinter v Belgian State: that,
after all, almost all government documents are the subject of an automated or manual arrangement in "files" - in
the French "fichier" - which refer to it;
15Article 55. 3 GDPR. Supervisory authorities are not competent to supervise processing by courts in the exercise of
their judicial duties.
16
Article 4, § 2 WOG. The supervision organized by this law does not relate to the processing by the courts and
courts as well as by the public prosecutor in the exercise of their judicial functions.
17See in that sense the judgment of 24 March 2022 CJEU - case C-245/20 against the Dutch Data Protection Authority:
“32. As the Advocate General noted in points 80 and 81 of his Opinion, it is apparent from the wording of recital 20
of Regulation 2016/679 itself, and in particular from the use of the word 'including', which defines the scope of the
of this Regulation to ensure the independence of the judiciary in the execution of its judicial power, Decision on the substance 105/2022 - 10/12
Litigation Chamber the independence of the judiciary in the exercise of its
18
would jeopardize judicial tasks, in particular in the area of decision-making .
It goes without saying that this can by no means be the intention.
d) Professional secrecy and use of the accounting program
31. The documents that the defendant has obtained from the criminal file charges against the complainant are according to the
complainant obtained by the defendant with disregard of the professional secrecy to which the complainant is responsible
held.
32. The complainant argues that the customer data is covered by his professional secrecy and thus cannot be
are processed for valuation purposes with regard to the relevant customers. Based on this
the complainant relied on the decision of the Council of the Institute of accountants and
tax consultants (IAB) dated 17 May 2016 stating that: "[…] if the tax
administration in the event of an audit by a tax or accounting adviser in principle secret
should discover data that he could avoid to incriminate third parties, he must
renounce. In principle, this data is covered by professional secrecy and can only be used
with regard to the taxpayer, being the member of the IAB. The Council continues
declare that the taxpayer, in this case the complainant, has cooperated with the request for
cannot refuse information purely because of its professional secrecy, but has the right to do so
in such a way that the identity of its clientele and the content of its
protects work. According to the Council, the taxpayer may not fully
invoke professional secrecy, but after anonymizing the client and the nature of the performance
does indeed prove the probable nature of the publication, as requested by the
AABBI, to be delivered.
tasks cannot be limited to guaranteeing judicial independence in the establishment of a specific
court decision.
33. In general, preserving the independence of the judiciary presupposes that the courts
exercise judicial functions completely autonomously, without any hierarchical link and without being subordinate to or from anywhere
receive orders or instructions, and thus be protected from outside interference or pressure that could affect the independence of the
jeopardize the judgment of their members in disputes submitted to them. The respect for the rights under the
Safeguards of independence and impartiality required by Union law presuppose that rules exist which are suitable for
to dispel any legitimate doubt that the institution concerned is not influenced by external factors and
impartial to the interests involved […].
34. The reference in Article 55(3) of Regulation 2016/679 to processing by courts 'in the exercise of their judicial
tasks' should therefore be understood in the context of this Regulation as meaning not only processing of
personal data by courts in the context of concrete cases, but in a broader sense relates to all processing by
courts in the exercise of their judicial activities, so that processing operations subject to supervision by the
supervisory authority can directly or indirectly influence the independence of their members or their decisions, outside the
competence of this authority.”
18Recital 20 GDPR. While this Regulation applies, inter alia, to the activities of courts and other
judicial authorities, Union or Member State law should regulate the processing and processing procedures relating to the
processing of personal data by courts and other judicial authorities can be further specified. The competence
of the supervisory authorities should not extend to the processing of personal data by courts in the context of
their judicial functions, in order to ensure the independence of the judiciary in the exercise of its judicial functions,
including decision-making. It must be possible to entrust the supervision of such data processing to specific
authorities within the judicial system of the Member State, which, in particular, are responsible for ensuring compliance with the rules of this Regulation
ensure that members of the judiciary are made more aware of their obligations under this Regulation, and complaints
with regard to those data processing operations.[Own underlining], Decision on the merits 105/2022 - 11/12
33. In this regard, the Disputes Chamber notes that the aforementioned decision of the Council of the IAB
was taken in response to the request of the AABBI under Article 334 WIB to
assess whether, and to what extent, the inquiry or production of books
and modesty is compatible with the observance of professional secrecy.
34. Not only did the complainant refuse to itself provide the AABBI with the information requested,
provide after anonymization of the client and the nature of the services, but also tries to
decision of the Council of the IAB about continuing professional secrecy to the intelligence
obtained by the AABBI by any means other than through the stated inquiry that
was made to the complainant. It is undisputed that the defendant provided the data relating to the customers
has not obtained through the request for information made by the defendant to the
complainant and about which the defendant has obtained the advice of the IAB. The defendant is
came into possession of information concerning the customers of the bearing through inspection
of the criminal file on the basis of article 327, 1 WIB to then proceed to an appraisal of the
concerning customers. The complainant uses the ILO's decision to argue that the
professional secrecy was violated as a result of which the defendant would be unlawfully in possession
information concerning the complainant's customers. The Disputes Chamber can only
establish that the decision of the ILO on professional secrecy only relates to the
request information from the defendant addressed to the complainant himself. There is no determination
violation of professional secrecy regarding the way in which the defendant does
obtained, namely by means of inspection of the criminal file. Since it is not up to the
Litigation Chamber is due to rule on whether or not the violation of the
professional secrecy following the inspection of the criminal file (Article 55.3 AVG in conjunction with Article 4,
19
§ 2 WOG), it cannot assess whether or not the personal data thus obtained is
be processed lawfully by the defendant. Only if the judges ground for violation
of professional secrecy, the Disputes Chamber may in turn decide
review data collection on behalf of the defendant against the principles of the GDPR regarding
lawfulness and minimum data processing requested by the complainant.
35. The complainant further argues that the defendant obtained the customer data from the
criminal file on the basis of a file created by the complainant himself
accounting program to use accounting documents - of which the complainant exists
disputed - to produce on the basis of which the concerned customers are accused of fraud.
In this regard, the Disputes Chamber notes that the assessment of the evidential value of the
the data obtained through inspection by the defendant, its reliability and any
inferences that can be drawn on the basis of that data belong to the
19See margin no. 30., Decision on the substance 105/2022 - 12/12
main tax dispute and therefore revert to the court on the merits (Article 55, § 3 GDPR in conjunction with
Article 4, § 2 WOG).
36. Finally, the Disputes Chamber notes that insofar as the complainant points out that the processing
of data concerning his wife is targeted, the complainant does not contribute anything
showing that he has powers of representation in this regard. Consequently
the Disputes Chamber will not elaborate on this point.
III. Publication of the decision
37. Given the importance of transparency in the decision-making of the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. It is not necessary, however, that the identification data
directly from the complainant. However, it follows from the nature of the complaint that ipso
de facto that the identity of the defendant is known in such a way that it is identified as such
stated in the decision.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decided, after deliberation, to
of Article 100, §1, 1° WOG, to dismiss the complaint in view of the fact that there is no infringement in this regard
can be determined on the basis of the GDPR.
Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a
period of thirty days, from the notification, to the Marktenhof, with the
Data Protection Authority as Defendant.
(Get). Hielke Hijmans
Chairman of the Disputes Chamber
20See margin no. 30.
