APD/GBA (Belgium) - 112/2024
From GDPRhub
| APD/GBA - 112/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 80(1) GDPR Article 80(2) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 06.09.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Roularta Media Group N.V. noyb |
| National Case Number/Name: | 112/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | ADP/GBA (Belgium) (in NL) |
| Initial Contributor: | wp |
The DPA dismissed the complaint lodged by a representative under Article 80(1) GDPR due to the lack of interest of data subject. Additionally, the website operator was advised to implement appropriate measures regarding the processing activities via Google Analytics.
English Summary
Facts
A data subject visited website flair.be, operated by Roularta Media Group N.V. The Google Analytics HTML code was embedded within the website. Because of that, the personal data concerning the data subject were processed, including its transfer to the USA.
The data subject, represented by noyb under Article 80(1) GDPR, filed a complaint with the Belgian DPA (ADP/GBA).
During the investigation, the DPA questioned the existence data subject’s interest to initiate the proceedings, in particular, due to the fact the data subject was an trainee at noyb by that time.
Holding
The DPA rejected the complaint.
The violation of the GDPR at hand was “artificial”. If it wasn’t for noyb’s project, the data subject wouldn’t found the website concern nor the alleged violation. There was not evidence that the data subject visited the website concerned regularly. For the DPA it meant the visit on the website was done only to allow the violations of the GDPR occur. The data subject didn’t determine the details necessary to bring a case before the DPA on their own as the details were “predetermined” by noyb. Hence, the data subject didn’t enjoy their own “litigation interest”.
Moreover, according to the DPA the abuse of rights took place in the case at hand. The Belgian law didn’t implement Article 80(2) GDPR. Therefore, noyb tried to pursue their own interest, under the cover of the data subject one. Besides, the data subject didn’t act at their discretion, being a trainee interested in satisfying their employer (noyb). Since the data subject was instructed on the details of the case to lodge the complaint as a part of noyb project, not their own interest, the DPA found noyb abused the right to complaint under Article 80(1) GDPR.
For the subject matter of the case, the DPA referred to the report prepared by its investigatory body. The DPA advised the website operator to implement appropriate technical and organisational measures.
Comment
In the case APD/GBA (Belgium) - 113/2024, the fact that the data subject was a trainee represented by noyb didn't influence the proceedings and the APD/GBA upheld the complaint.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/33
Dispute resolution
Decision on the merits 112/2024 of 6 September 2024
File number: DOS-2020-03924
Subject: dismissal of a complaint file concerning the transfer of personal data to
the United States due to a defect in the representation mandate, under
Article 80.1 GDPR.
The Dispute Resolution of the Data Protection Authority, composed of Mr.
Hielke HIJMANS , chairman, and Messrs. Christophe Boeraeve and Dirk Van Der Kelen, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR";
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter referred to as the "WOG";
Having regard to the internal rules of procedure, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
15 January 2019;
Having regard to the documents in the file;
1The new Internal Rules (“RIO”), following the amendments made by the law of 25 December 2023
amending the law of 3 December 2017 establishing the Data Protection Authority (GBA), entered into force on 1 June 2024.
In accordance with Article 56 of the law of 25 December 2023, the new RIO only applies to complaints,
mediations, inspections and proceedings before the Dispute Chamber that were initiated on or after that date:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-
gegevensbeschermingsautoriteit.pdf
Cases initiated before 1 June 2024, as in the present case, are subject to the provisions of the WOG as they were not
amended by the law of 25 December 2023 and the RIO as it was before that date existed:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf. Decision on the merits 112/2024 — 2/33
Has taken the following decision regarding:
Complainant: X, represented by Noyb – European Center for Digital Rights),
hereinafter “the complainant” or “complaining party”;
Defendants: Roularta Media Group N.V., represented by Mr. Tom DE CORDIER and
Mr. Valeska DE PAUW, hereinafter “the first defendant”;
Google LLC, represented by Mr. Jan CLINCK, Mr. Florence
NIEUWBOURG, Mr. Pierre ANTOINE and Mr. Gerrit VANDENDRIESSCHE, hereinafter
“the second defendant”. Decision on the merits 112/2024 — 3/33
I. Facts and procedure
1. The subject of the complaint concerns the alleged tracking of the complainant by the second
defendant when visiting a website (flair.be) of the first defendant. In this
process, "HTML code" (for the Google Analytics tool) was allegedly placed
('embedded') via the website of the first defendant, which could be
linked to the complainant's account with the second defendant. According to the
complaint, related personal data were illegally forwarded to the United States of America in this
context. 2
2. On 18 August 2020, the complainant, through his representative,
lodged a complaint with the Data Protection Authority against the defendants. The
complaint was filed in French. 3. On 26 August 2020, the complaint is declared admissible by the First Line Service on the basis of
Articles 58 and 60 WOG and the complaint is transferred to the Dispute Chamber on the basis of Article 62, § 1 WOG
.
4. On 25 September 2020, the Dispute Chamber decides on the basis of Article 63, 2° and 94, 1°
WOG to request an investigation from the Inspection Service.
5. Subsequently, on 25 September 2020, in accordance with Article 96, § 1 WOG, the request
from the Dispute Chamber to conduct an investigation is transferred to the Inspection Service, together with the complaint and the inventory of the documents. Given that the first
defendant is located in a Dutch-speaking legal area and the second defendant
is established in the United States of America, the proceedings are conducted in Dutch in accordance
with Article 57 WOG. The Inspection Service's investigation will be conducted in Dutch, and the Inspection Service's report will be filed in Dutch.
6. On 13 October 2022, the Inspection Service will complete the investigation, add the report to the file and transfer the file to the chairman of the Dispute Chamber by the Inspector General (Article 91, § 1 and § 2 WOG). This
investigation report addresses a number of issues related to the filing of the
3
complaint.
7. In its report, the Inspection Service first states that Noyb does not show in the complaint "what the
'sufficient and concrete interest' is of the data subject (a natural person residing in
Vienna, Austria) to file a complaint against the specific website . . . In addition,
the Inspection Service notes that the website […] is a Dutch/French website
2Complaint in DOS-2020-03924, p. 2: “The transfer of data from the complainant to the United States is illegal”; loosely translated: “The
transfer of data from the complainant to the United States is illegal.”
3Inspection Service investigation report in DOS-2020-03924, pp. 18-24. Decision on the merits 112/2024 — 4/33
concerns . . . while the person concerned . . . does not speak Dutch”. Furthermore, the
Inspection Service states: “In view of the aforementioned procedural objections, the Inspection Service can question the
request from Noyb – European Center for Digital Rights as a valid ‘complaint’ under
national law.”
8. Secondly, the investigation report states that a semi-automatic ‘bulk’ method was
used for the requests processed by Noyb that were submitted to the GBA in
August 2020. . . The various requests for investigation submitted in August 2020
had a similar layout and signature. The subsequent sending of additional documents
took place in a linked e-mail[…] The same person concerned who gave power of attorney to Noyb – European
Center for Digital Rights 6
always returns for the various requests.”
9. Thirdly, the Inspection Service points out that the procedure “must meet the usual basic requirements of any power of attorney... that is to say, clearly formulate against whom a complaint is being
lodged.” The Inspection Service then refers to “the power of attorney” in
question, which is intended to be used “with regard to the Irish Supervisor and not
with regard to the Belgian Supervisor” and which merely refers to (at that time internal)
file numbers (of Noyb) as regards the identity of the first defendant. The
Inspection Service concludes: “The content of the power of attorney also shows that Noyb – European
Center for Digital Rights was not properly mandated” as various elements in the
mandate were not formulated, were unclear or were formulated ambiguously.
10. Fourthly, the Inspection Service points out that the complainant was “employed” as an intern at Noyb
at the time of the power of attorney of this organisation as a representative. The Inspection Service
points in this context to several personal communications that the complainant made on the public
forum (via social media), in which the person referred to his work in connection
with the Noyb project. For example, at one point the person mentions that he is happy
to have “worked” on the project. The Inspection Service “has not been able to establish any
motivation for a personal interest of the person concerned.” The Inspection Service further states:
“In the absence of transparency about Noyb’s working methods . . . the
perception is therefore created that Noyb . . . uses its employees to submit . .
requests/complaints in the interest of Noyb . .
instead of[…] a personal interest of a complainant.” And
further: “ . . . confirms the indication that this constitutes an improper use of the
procedure under Article 80 GDPR. The Inspection Service notes that interns . . . for the aforementioned
4Ibid., investigation report p. 19.
5Ibid., investigation report p. 20.
6Ibid., investigation report p. 21.
7
Ibid., investigation report p. 21.
8Ibid., investigation report, p. 24.
9
Ibid., investigation report, p. 24. Decision on the merits 112/2024 — 5/33
requests of 2021 were systematically entered as “complainant” in the activities of Noyb
– European Center for Digital Rights. The above may possibly be an indication of the
mixing of interests.” 10
11. The substantive findings of the Inspectorate are, in function of the
readability of the decision, resumed under section III of this decision.
12. On 13 March 2024, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG.
They will also be notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG.
13. In the art. 98 WOG letter, the parties are requested at this stage of the procedure only to
explain their position with regard to the legality of the submission of the complaint and the way in which the mandate was granted by the complainant to the representative in a
specific context (investigated and explained by the Inspectorate),
specifically in light of articles 80.1 and 77.1 GDPR. In addition, the Dispute Chamber
requested the parties to take a position on the question of whether the possible unlawful nature
of the creation of the mandate ‘impacts’ the file as a whole.
14. On 10 May 2024, the Dispute Chamber receives the conclusion of the answer from the two
defendants with regard to these procedural aspects.
15. On 29 May 2024, the Dispute Chamber receives the conclusion of the reply from the complainant,
with regard to these procedural aspects.
16. On 21 June 2024, the Dispute Chamber receives the conclusion of the reply from the defendant
regarding these procedural aspects.
17. On 12 June 2024, the parties are informed that the hearing will
take place on 1 July 2024.
18. On 1 July 2024, the parties are heard by the Dispute Chamber. Following a request
to that effect from the complaining party, and the subsequent express agreement of both
defendants, the hearing takes place in a hybrid form. One person from Noyb is
physically present, and one person from the same association via video connection from
Austria.
19. On 8 July 2024, the minutes of the hearing are submitted to the parties.
20. On 12 July 2024, the Dispute Resolution Chamber receives from the complainant, on 16 July 2024
from the second defendant, and on 17 July 2024 from the first defendant,
10Ibid., investigation report, p. 24-5; the Dispute Resolution Chamber emphasised and underlined in the first sentence. Decision on the merits 112/2024 — 6/33
comments on the minutes, which it decides to include in
its deliberations.
II. Reasons
II.1. Preliminary points
21. A first preliminary issue concerns a document filed by the representative
of the complainant after the conclusion rounds have been completed. Three days before the
hearing takes place, a document is filed by the representative of the complainant. The defendants both oppose the admissibility of this
document, since it was submitted after the conclusion rounds. The complainant does not clarify at
the hearing whether there are valid reasons for the late submission.
In view of the opposition of the defendants, the document dated 28 June 2024 is
excluded from the debates in its entirety and will not be included in the
deliberations for this file.
22. A second preliminary issue concerns new documents that are submitted at the
hearing by the representative of the complainant. Both defendants oppose the submission of these documents and their
addition to the file. Given the
extremely late nature of the submission of the documents, the opposition of the
defending parties to the submission, and in the absence of any
well-founded reason for the late nature of the submission, the documents
are excluded from the debates in their entirety and are not included in the
deliberations of the Dispute Chamber.
23. In connection with these first two preliminary points, the Dispute Chamber
points out that, as a body of a supervisory authority, it must be able to
take into account all the elements that have come to its attention, in order to
be able to guarantee a high level of data protection. This does not alter the fact that the
procedure must meet the requirements of adversarial proceedings and equality of
parties. The procedure provided for under the subsection “deliberation and decision on the merits” in
art. 98 et seq. WOG is precisely intended to
provide for an adversarial procedure. In administrative law, special account must be taken of the duty to hear and the rights of defence.
24. A third preliminary point concerns the legally valid appearance of the person who appears (physically) for the
representative of the complainant at the hearing. When the hearing
takes place, both defendants indicate that they have questions about the
11Opdebeek I. and De Somer S., General Administrative Law: Foundations and Principles, Ed. 2, Antwerp, 2019 Intersentia,
specific part V, Chapter III, Section 7 regarding the duty to hear. Decision on the merits 112/2024 — 7/33
mandate of the person to act for Noyb in accordance with the articles of association of
this association.
25. It should be noted that Noyb has registered as a representative with the
Dispute Chamber, by sending a message via a specific e-mail address. For the presence
of the person in question at the hearing, prior to the hearing the representative had reported via the e-mail address that the employee
of Noyb would be present as representative. The Dispute Chamber is not obliged to
investigate ex officio or at the request of the parties how the designation of this
employee took place in concreto. The notification by the organisation Noyb by e-mail of the
identity of the employee in question is sufficient. This employee has thus legally
appeared at the hearing for the representative of the complainant.
26. As a fourth and final preliminary point: at the hearing the complaining party, for the
first time and without prior notice, but not in limine litis, questions in its pleadings the
“independence” of the chairman of the Dispute Chamber for the handling
of this case. Furthermore, the complaining party asks the chairman of the
Dispute Chamber to withdraw. The complainant refers to
anonymous “sources” who allegedly heard in private conversations that there was a strategy
to reject complaints “from Noyb”, and to a public event where the
chairman of the Dispute Chamber was present. No further concrete
elements are provided to substantiate the lack of “independence” of the sitting member.
27. The Dispute Chamber understands from the wording of the complainant that it is more (or
at least also) about the impartiality than the independence of the
Dispute Chamber. Such ‘requests for disqualification’ must in any case be handled with caution and
accurately by the requesting parties. Expressing dissatisfaction
about (the outcome or course of) a procedure is something different than
raising requests for disqualification with regard to members of public institutions, whose
14
legitimacy is precisely based on their independence and impartiality.
28. Specifically with regard to the oral request of the complaining party to withdraw
from the chair, the chair decides not to grant this request for the following reasons.
1L. Van Den Eynde, “Partiality and conflicts of interest in active management: the sneak path of the equality principle”, TBP,
2024, Ed. 4, 215-230, specifically section 2.1 “types of (im)partiality and evidence”; Compare with regard to the confusion of concepts in the context of the judiciary: Ooms A., “Judicial impartiality is not always what it seems. A historical and
prospective analysis of the boundary between objective and subjective impartiality.”, Croniques de droit public, 14(2010)4, p.
499-524; Opdebeek I. and De Somer S., General Administrative Law: foundations and principles, Ed. 2, Antwerp, 2019
Intersentia, specifically part V, Chapter III, Section 8 regarding the principle of impartiality for the administration.
13
Comparison art. 835 Judicial Code for disqualification requests with regard to members of the judicial order, which states, among other things, that
such disqualification requests with the reasons for the disqualification must be filed with the registry in a formal document,
and that only by lawyers with more than 10 years of experience at the bar.
14 In this regard, the legislator anchors a number of measures in art. 44 WOG. Decision on the merits 112/2024 — 8/33
29. First and foremost, the complainant was sufficiently aware that the chairman was handling this file
(jointly), at least as recently as 13 March 2024 when the parties were
invited to submit their defences in this file in a letter signed by
that chairman. The complainant had the opportunity to take the necessary steps.
The late nature of the request for withdrawal is in itself sufficient to
not grant this request.
30. In addition, reference can be made to the following facts. The remarks regarding
the (procedural) interest of the complainant and the mandate were raised
on their own initiative by the Inspection Service of the GBA. The Inspection Service
operates as a separate and autonomous body within the GBA and has in this way highlighted
the possible problems regarding the mandate and the (procedural) interest, not the Dispute
Chamber, nor its chairman. It is therefore not correct to suggest a bias
that can be traced back to a person or a strategy of the Dispute Chamber or its
chairman.
31. The Dispute Resolution Chamber cannot then be asked not to address
the findings of that Inspection Service and the arguments of the parties. Moreover,
it is precisely the task of the Dispute Resolution Chamber to address the submitted
arguments, which must be assessed on a case-by-case basis. 16
32. After the findings by the Inspection Service in the
Dispute Resolution Chamber, the parties were given the opportunity to first submit
their arguments regarding these procedural elements in the interest of the efficient course of the
proceedings.
33. The Dispute Resolution Chamber will of course rule in an independent and
impartial manner, without fear or favour for one party or the other.
34. In the course of these proceedings and related
procedures, the Dispute Resolution Chamber has cooperated with other supervisory authorities
within the European Economic Area, in accordance with Chapter VII of the GDPR. This is publicly
known information. The fact that
in the context of the confidentially organised cooperation and the loyal sharing of
information within and between supervisory authorities, information could be
15 See also Dispute Chamber, decision 22/2024 of 24 January 2024, available via:
https://gegevensbeschermingsautoriteit.be/publications/besluit-ten-gronde-nr.-22-2024.pdf, §§ 11 and 35.
16Cf. Judgment of the Brussels Court of Appeal (Market Court Section) of 16 September 2020, 2020/AR/1160, §5.7: “It is not appropriate in a
constitutional state that the Dispute Chamber of the GBA could ‘choose’ which argument it does or does not provide an answer to.” 17
European Data Protection Board, EDPB promotes consistent approach for 101 NOYB data transfers
complaints, 19 April 2023.
It also appears from document 4 in the first defendant's summary conclusion that precisely this information sharing "à charge" was publicly regarded as positive by NOYB - in the light of, among other things, the present file.
18Cf. Article 54.2 GDPR and Article 48 § 1 WOG.
19
See in particular Article 70.1.u GDPR. Decision on the merits 112/2024 — 9/33
provided that would raise critical legal questions on a particular issue is an inherent
element of the cooperation procedure in Chapter VII of the GDPR. 20
35. In a credible dispute, one arrives at a fact-finding
based on facts and qualitative arguments in a considered manner. In this context,
(legal) questions must of course be able to be asked without this in itself
entailing partiality.
36. The mere fact that a previous case 21 before the Dispute Chamber with similar
circumstances, entails a possible adverse outcome for the same party or its
representative, does not of course in itself justify the recusal of a sitting member in another
(i.e. this) case.
37. If a party does not agree with a decision of an authority, it is
free under Article 78 GDPR to institute proceedings against that decision. In the
Belgian legal system, this can also be done by any interested third party at the
Market Court in accordance with Article 108, §3 WOG. If Noyb therefore believes it has an
interest in appealing against such a decision, it has such access to
justice if necessary. The fact that no appeal could be lodged in an earlier case because
the complainant concerned did not wish this – as raised at the hearing – is not an argument
that is attributable to the Disputes Chamber (or the GBA) and is not further relevant.
II.2. Complaint lodged under art. 80.1 GDPR
38. Article 80 GDPR reads as follows:
Representation of data subjects
1. The data subject shall have the right to mandate a non-profit body, organisation or association
which has been properly constituted in accordance with the law of a Member State,
the statutory objectives of which are in the public interest and which is active in
the field of the protection of the data subject's rights and freedoms with regard
to the protection of his or her personal data, to lodge the complaint on his or her behalf,
to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf,
and to exercise the right to compensation referred to in Article 82 on his or her behalf,
where Member State law so provides. 20
The principle of impartiality cannot be applied contra legem in this regard in connection with the circumstances of
international information sharing, cf. Judgment of the Council of State of 23 June 2020, Lossau, no. 224.038; discussion in L. Van Den
Eynde, “Partiality and conflicts of interest in active management: the sneak path of the equality principle”, TBP, 2024, Ed. 4,
(215)219, §11.
21 In this sense, reference is made in the conclusions and pleadings by various parties in the proceedings to Decision
22/2024 of 24 January 2024 of the Disputes Chamber, against which no appeal was lodged with the Market Court.
22 In the comments of the complainant in the Minutes of the hearing, it is written: “. . . since the failure to appeal against this decision was not in the interest of noyb itself.” Decision on the substance 112/2024 — 10/33
2. Member States may provide that a body, organisation or association referred to in paragraph 1
of this Article, independently of a data subject’s mandate, has the right to lodge a complaint in that Member State with the supervisory
authorities competent in accordance with Article 77 and to exercise the rights referred to in Articles 78 and 79,
if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.
In this light, recital 142 of the preamble is also relevant:
Where a data subject considers that his or her rights under this Regulation have been infringed, he or she should have the right to authorise a non-profit-making body, organisation or association,
established in accordance with the law of a Member State, which has statutory objectives that are in the public interest and which is active in the field of
the protection of personal data, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right
to a judicial remedy on behalf of data subjects, or to receive compensation on behalf of data subjects, where provided for by
Member State law. Member States may provide that these bodies, organisations or associations have the right
to lodge a complaint in that Member State, irrespective of any authorisation by a data subject, and the right to an effective judicial remedy, if
they have reason to believe that the rights of a data subject have been infringed
as a result of the processing of personal data in breach of this
Regulation. It may be determined for these bodies, organisations or associations that they
do not have the right to claim compensation on behalf of a data subject without the
authorisation of the data subject.
39. The circumstances in which Noyb lodged the complaint on behalf of the complainant can
be visualised as follows. Decision on the substance 112/2024 — 12/33
The Litigation Chamber finds that there was no explicit coercion
against the complainant; the Dispute Chamber emphasises that the complainant indicates that this
person filed the complaint voluntarily, and that the person still supports the
filing of the complaint. This does not alter the fact that the initiative lies with Noyb, not
with the complainant. The representative of the complainant also indicates at the hearing that in
the present case a “model case” is being used for which interns and
employees are asked whether they wish to file a complaint in such model cases and whether they
wish to become a data subject in this regard.
42. Thirdly, at the time of the allocation of the project and the
commitment of the data subject to allow an infringement of the complainant’s rights and
subsequently file a complaint in this regard, there was a working relationship (in this case an internship)
between the complainant and Noyb.
Noyb emphasised at the hearing that this internship was extremely voluntary,
whereby the intern could go wherever he wanted. A workspace and materials were made available, and there was a limited compensation of 30 euros.
43. Fourthly, the complainant believes that there has been a breach of the GDPR and that the person's rights have been harmed. In addition, it is unclear to what extent damage has occurred
with regard to the complainant. The Inspection Service has been able to establish that the breach(es)
would have actually occurred, and that the complainant can therefore be genuinely aggrieved by
a breach.
44. Fifthly, the complainant mandated Noyb after the project guidelines had been
set out, and the controllers had been identified (by Noyb) and
assigned (to the complainant).
45. Sixthly, a complaint was filed on behalf of the complainant by Noyb's
representative. The complaint was formulated in consultation with the complainant and
submitted to the Data Protection Authority.
46. All this is clear from the report of the Inspectorate and the debates. The entire course of events is therefore indisputably established.
II.3. Dismissal: reasons and consequences
47. In this case, the Litigation Chamber essentially identifies two main problems with
the delegation and subsequent representation:
1) the prior coordination by the representative, in which the subject matter, content (including the identity of the controller) and
the “type of infringements” of complaints were determined to a far-reaching extent, without full autonomy for the
25 Mentioned in English at the hearing as a “model case”. Decision on the substance 112/2024 — 13/33
complainant, which prevents free delegation, especially in the case of an internship
relationship between the complainant and his representative. 2) the trick that the representative performs in order to be able to rely on the
objectives of the procedure provided for under art. 80.2 GDPR, whereby the distinction with art.
80.1 GDPR that the European legislator has explicitly established is
stripped of all content.
48. These main problems are divided into three grounds for dismissal. Each of these grounds
separately is sufficient to establish problems with the lodging of a complaint in accordance with art. 80.1
in conjunction with art. 77 GDPR, and to proceed to dismissing the complaint.
II.3.1. Ground for dismissal I: lodging a complaint on the basis of a pre-constructed
"model case" by Noyb creates artificial (procedural) interest and constitutes
abuse of rights
49. First of all, the infringements of the processing of the complainant's personal data
are at least partly artificially constructed by Noyb. Noyb determines the manner in which
the complainant must provoke (alleged) infringements by processing his/her personal
data with a view to filing the complaint (apart from any
26
‘general’ infringements that do not require the processing of personal data in
concreto).
50. Without Noyb’s project, the alleged infringements that are offensive
to the complainant would not have occurred. In this regard, it is expressly acknowledged at the hearing
that Noyb “asks” persons such as the complainant (in any case interns and possibly
other members of Noyb’s staff) whether they wish to “become” a “data subject”.
51. The artificiality of the situation is further illustrated by the short visits; 28
these visits are apparently intended solely to allow the infringements to take place or
to establish them, as the defendants rightly emphasise in their conclusions. The representative does not even state at any stage of the procedure that the complainant
would have been a regular or even occasional visitor to the website pages concerned. All this indicates that the complaining party artificially creates its own (procedural) interest in
favor of the representative.
52. The Dispute Chamber points out in general terms that the right to complain under the GDPR provides broad and easy access to involved complainants to reach supervisory
authorities, where desired via an order to a representative. The importance of the right to complain for an involved citizen has recently been
reaffirmed in
26An example could be an infringement of Article 25 GDPR.
27At the hearing, the word “staff” is used in English by the representative of Noyb.
28Compare Decision 22/2024 of the Dispute Chamber dd. 24 January 2024, §§53 et seq.
29The website pages are in French and Dutch. Decision on the merits 112/2024 — 14/33
30
the case law of the Court of Justice. This broad access to justice requires that the
right to complain must be protected against its abusive use by
companies or associations with their own policy objectives and associated projects.
a) Abuse of rights in the European legal order
53. As regards the non-compliance with Article 80.1 in conjunction with Article 77 GDPR, reference is made to the settled
case law of the Court of Justice in connection with the abusive use of a subjective right under
EU law, as a general principle of EU law. In addition,
abuse of rights is based on circumvention, which distinguishes the concept from fraud –
which is based on deception.32
54. The Court of Justice of the EU itself frames the prohibition of abuse of rights as follows:
“In this regard, it is settled case-law that there is a general
legal principle in EU law according to which individuals cannot rely on EU law by
fraud or abuse . . .
(…)
It follows from that principle that a Member State must refuse to apply the
provisions of EU law if they are not invoked to achieve the objectives of those
provisions but to obtain an advantage under EU law, while the conditions for claiming that
advantage are only formally met. (…)
It follows that the general principle of prohibition of abuse must be invoked
against a person who relies on certain EU-law rules
which provide an advantage, in a manner that is not in accordance
with the objectives of those rules.
30Judgment of the Court of Justice of the EU, 7 December 2023, UF v. Schufa, C-26/22 and C-64/22, ECLI:EU:C:2023:958, specifically paragraph 58; see
also Judgment of the Court of Justice of the EU of 16 July 2020, DPC v. Facebook Ireland and Maximilian Schrems (‘Schrems II’), c-311/18.
31Velaers J. “Rechtsmisbruik: betekenis, gronden en legitimiteit” in Rozie J., Rutten S., Van Oevelen A. (eds.), Rechtsmisbruik,
Antwerpen, Intersentia, (1)4, verwiin vn. 19 naar o.m. Hof van Justitie 5 mei 2007, Hans Markus Kofoed v.
Skatteministeriet, C-321/05, ECLI:EU:C:2007:408.;
Danon R. et al, “The Prohibition of Abuse of Rights after the ECJ Danish Cases” in Intertax, Vol. 49, Is. 6/7, 2021, 482-516,
https://doi.org/10.54648/taxi2021050 ; López Rodríguez J., “Some Thoughts to Understand the Court of Justice Recent Case-Law in the Danmark Cases on Tax
Abuse”, Ec Tax Review, Vol. 29, Is. 2, 71-83, https://doi.org/10.54648/ecta2020009.
32
Cf.: “If both frauds and abuses of law aim at wrongfully obtaining a benefit from the legal system, frauds involve
misrepresentation, whereas abuses of law rely on circumvention.” in A. SAYDE, Abuse of EU Law and the Regulation of the
Internal Market, Oxford, Hart Publishing, 2014, 24; free translation of the quote: “Where both frauds and abuses of law
aim at wrongfully obtaining a benefit from the legal system, fraud involves
misrepresentation, whereas abuses of law rely on circumvention.” Decision on the substance 112/2024 — 15/33
(…)
. . . this provision cannot be interpreted as excluding the application of the
general principle of EU law prohibiting abuse, since the
application of that principle does not require its transposition . . .
(…)
The fact that a taxpayer seeks the tax scheme that is most advantageous
to him is not sufficient in itself to establish a general presumption of fraud or abuse . . .
but that does not alter the fact that that taxpayer is not eligible
for a right or advantage arising from EU law if the arrangement in
question is purely artificial from an economic point of view and is intended to circumvent the
legislation of the Member State concerned . . . “
(the Dispute Chamber underlines)
33
55. The Court’s case law puts forward two cumulative elements in order to speak of
a violation of the prohibition on abuse of rights, on the one hand a subjective and on the other
34
objective element.
56. As regards objective element 35: the intended purpose of the right to complain
under mandate (art. 77 in conjunction with art. 80.1 GDPR) in this case is not respected: art. 80.1 GDPR
states that it is the data subject who retains the right to represent an
person commissioning an organisation. The wording “data subject” shows first of all that
personal data and associated processing in the context of the complaints cited
must have existed before (the coordination prior to) the mandate.
57. The wording “to give an order” indicates that the order goes in one direction: from the complainant to the representative, not the other way around. 36
33
Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, respectively §§ 96, 97, 102, 105 and 109;
See the followingJudgments of the Court of Justice of the EU:1) 14 December 2000, Emsland-Stärke, C-110-99;2) 21 February 2006, Halifax, C-255/02; 3) 22 November 2017, Cussens, C-251/16.
34Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §139; Meirlaen M.,
Unwritten legal boundaries – Prohibition of evasion of legal rules, fraus omnia corrumpit and prohibition of (legal) abuse,
Antwerp, Intersentia, 2022, 353: “The subjective element means that, despite formal compliance with the conditions imposed by the
Union regulation, the objective pursued by that regulation was not achieved. The objective element requires
that it is apparent from a set of objective circumstances that the essential purpose of the conduct is to
obtain an unjustified advantage.”
35Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §139: “... a set of
objective circumstances showing that the conditions of the Union regulation have indeed been formally complied with, but
that the objective pursued by that regulation has not been achieved . . .”
36
The complaint is also lodged in the name of the data subject, so it is the data subject who forms the central starting point.
Cf. Frenzel E.M., “Art. 80 DS-GVO” in Paal B.P. and Pauly D.A., Datenschutzgrundverordnung Bundesdatenschutzgesetz, C.H.
Beck, Ed. 3, (1030)1033: “However, in comparison with the English language, it is noted that . . . from the concept of
“Beauftragung” and from the meaning a purpose of Article 1, that the Organisation for the purpose of determining the rights in the name of the
person concerned must be entitled to sue.” Decision on the substance 112/2024 — 16/33
58. Furthermore, recital 143 of the GDPR clarifies that the data subject must first “consider”
that there is a problem under the GDPR, and not following a specific
instruction from the representative, before the mandate takes place. The infringement
is provoked by Noyb in order to be able to qualify the complainant as a data subject.
59. As regards the subjective element: the representative wishes to create a
standing to bring proceedings with the GBA; standing to bring proceedings cannot exist without the complainant
as an individual on the basis of Belgian legislation. This shows the artificial
38
nature of fulfilling the conditions under art. 80.1 GDPR.
60. In this way, the representative attempts to circumvent national law, since art.
39
80.2 GDPR was not activated in Belgian legislation. This is also
indirectly apparent from the arguments put forward by the complainant in the reply and the pleadings at the
hearing: it is stated that this complaint should actually also be allowed under art. 80.2 GDPR and that the non-activation of this provision
could be discriminatory. 61. In this context, the Dispute Resolution Chamber emphasises that the GDPR leaves the national legislator a discretionary margin to activate or not Article 80.2. The choice of the Belgian legislator is obvious. According to the wording of Article 80.1 and the existence of Article 80.2 GDPR, the GDPR does not intend the representative to exercise such a right of complaint on the basis of Article 80.1.
62. According to the Dispute Resolution Chamber, the artificiality of the construction is established since the
identity of the controllers and the grievances raised were not determined by the
complainant concerned (although in advance by the representative), and by the
short visits of the complainant concerned, established by the Inspection Service and mentioned
by both defendants in their defences. The representative himself publicly indicates that this complaint
is part of a general project concerning data transfers. It is stated1
at the hearing that trainees can “become” a data subject without obligation.
Free translation: “However, a comparison with the English version shows that . . . the wording ‘to give an order’ and the role and purpose of paragraph 1 show that the organisation is entitled to exercise the rights on behalf of the data subject.”
37
Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §124: “. . . subjective
element, namely the intention to obtain an advantage granted by the Union legislation by artificially
creating the conditions under which the right to that advantage arises. . .”
38On the artificial nature of the fulfilment of the conditions, see A. SAYDE, Abuse of EU Law and the Regulation of the
Internal Market, Oxford, Hart Publishing, 2014, 25.
39 On the distinction, see Judgment of the Court of Justice of the EU of 28 April 2022, Meta Platforms v. Verbraucherzentrale
Bundesverband e.V., C-319/20; cf. the related issues under point c in this section.
40
Infra, section II.3.3; the discrimination here would be based on art. 10-11 GW in the relationship between art. 220 GBW and art. 17
Ger. W.
41
Summary conclusion of the second defendant, document 5 ("101 Complaints on EU-US transfers filed", freely translated: "101 complaints
filed about <data>EU-US transfers"). Decision on the merits 112/2024 — 17/33
63. The inducement to create access to justice entails an unjustified advantage
which constitutes the subjective element of abuse of rights under EU law on the part of
Noyb. In this case, the advantage is aimed at pursuing the general (policy)
objectives of the association Noyb. 42
64. The two conditions for speaking of abuse of rights under EU law are thus
met and, in accordance with the case-law of the Court, it follows that the Litigation Chamber
must refuse the use of the right (i.e. the lodging of a complaint) by Noyb. 43
b) Abuse of rights applied in the Belgian legal order
65. Secondly, the lodging of a complaint must take place in accordance with the procedural rules established
nationally, of course within the limits set by EU law. As the Court of
Justice has already stated, “in accordance with the principle of procedural autonomy, it is a matter for the
domestic legal order of the Member States . . . to determine the procedural rules
for legal actions brought for the protection of the rights of individuals . . .”
66. The fact that the legal rule from which the subjective right to complain derives (in this case, art. 77j°art. 80.1
GDPR) does not expressly exclude the possibility of lodging a complaint on the basis of a
created grievance does not of course mean that the legal rule is being used properly.
As this is framed in recent Belgian legal doctrine: “The unqualified interpretation of the
legal rule seems to allow the subjective right to be exercised in any way and
in any circumstances. The prohibition of abuse of rights . . . makes it clear that this is not the case.”
67. The Court of Cassation has already ruled on the application of the
prohibition of abuse of rights on several occasions. 46 The link with the interpretation of this legal principle
by the Court of Justice for its application in a national context is evident. 47The
Court of Cassation is also clear about the fact that ignoring the objective of a
42Cf. the section ‘abuse of rights as a gain-seeking choice of law’: A. SAYDE, “I. The Basics: Abuse of Law as Gain-
Seeking Choice of Law” in Abuse of EU Law and the Regulation of the Internal Market, Oxford, Hart Publishing, 2014, 24
43
Judgment of the Court of Justice of the EU, 26 February 2019, joined cases C-115/16, C-118/16, C-119/16 and C-299/16, §110. “It follows that
national authorities . . . the enjoyment of the rights . . . must be refused if these rights are claimed
by means of . . . abuse.”
44Judgment of the Court of Justice of the EU, 4 May 2023, Österreichische Post, C-300/32, §53.
45Meirlaen M., o.c., 277; see also the discussion of the legal origin in Velaers J. “Rechtsmisbruik: betekenis,
grondslag en legitimiteit” in Rozie J., Rutten S., Van Oevelen A. (eds.), Rechtsmisbruik, Antwerpen, Intersentia, (1)1-4; For
illustrative purposes, cf. art. 1.10, paragraph 2 of the new Civil Code: “Anyone who exercises his right in a manner that clearly exceeds the limits of the normal exercise of that right by a prudent and reasonable person in the same circumstances
is abusing his right.”.
46Recently in the judgment of the Court of Cassation of 16 November 2023, Docpharma v. Belgian State, C.23.0053.N.
47
Cf. Conclusion of the Public Prosecutor at the Court of Cassation of 11 January 2024, K. v. Belgian State, F.23.0008.N:
here the application of the objective and subjective element is discussed in full. Decision on the merits 112/2024 — 18/33
subjective right, can constitute a form of abuse of rights. The Court of Cassation clarifies in a judgment of 15 February 2019:
Abuse of rights consists in the exercise of a right in a manner that clearly
exceeds the limits of the exercise of the right by a prudent and
prudent person. Such abuse may also consist in the use of legal rules or legal institutions
contrary to the purpose for which they were established.48
68. The Litigation Chamber notes that the concept of abuse of rights may also
apply to the exercise of procedural rights. Noyb's conduct in this case appears to
exceed the limits of a normal and proportionate exercise of the right to representation, as
provided for in Article 80.1 GDPR.
69. A legal subject who exercises a subjective right must also adhere to
the general standard of care when reading and interpreting the objective standard
on which it bases its subjective right, and take into account the “ […] implicit,
49
material limits that are also contained therein”. A legal subject may not disregard the
50
objective of the legal provision from which the subjective right follows.
The existence of art. 80.2 GDPR is important in this respect.
70. The fact that the representative determines in what way an infringement must be
endured, in order to be able to grant a mandate to be able to exercise the right to complain under art. 77 j°
art. 80.1 GDPR before the Belgian authority, means that the general
standard of care is disregarded by the representative and thus constitutes
abuse of law. It is not the objective of art. 80.1 GDPR to ‘create’ complainants in this way. 51 The Disputes Chamber does not pass judgment on the fact that there may be well-intentioned motives behind the method; it merely states that
48Judgment of the Court of Cassation of 15 February 2019, G.C. v. KBC Bank NV, C.18.0428.N, §1; cf. also Judgment of the Court of Cassation of 1
October 2020, C.18.0584.F, which essentially explains that abuse of rights consists in the exercise of a right in a manner that clearly exceeds the limits of the normal exercise of that right by a prudent and deliberate
person and that this is the case, among other things, when the damage caused is disproportionate to the benefit that the holder of that right intends or has obtained. 49
Meirlaen M., o.c., 282; Rozie J., Rutten S., Van Oevelen A.(eds.), Abuse of Law, Antwerp, Intersentia, 12.
50 Meirlaen M., Unwritten legal boundaries – Prohibition of evasion of legal rules, fraus omnia corrumpit and prohibition of
(legal) abuse, Antwerp, Intersentia, 2022, vn. 898: “Cass. 15 February 2019, ARC. 18.0428. N; Cass. 28 September 2018, AR
C. 18.0058. N; Cass. 2 April 2015, AR C. 14.0281. F; Cass. 13 January 2012, AR C. 11.0135. F; Cass. September 7, 2006, AR
C.04.0032.F; Cass. September 24, 2001, AR S.00.0158.F; Cass. April 28, 1972, Arr.Cass. 1972, 815; Pas. 1972, 797; RW 1972-73,
noteR.Butlzer.”;ibid.p.323:“Whenitcanbedemonstratedthatthelegalrule,thesubjectiverightarisingtherefrom,
canonlybeusedforaspecificpurpose,itsufficientforabusetoestablishthatthe(intended)useisnotdirectedtothispurpose.” 51
Regarding abuse of rights by using a right whose purpose is disregarded, see: Cornet L., “L’abus
de droit et le nouveau droit des contrats” in Kohl B. (eds.), L’abus de droit, Liège, Anthemis, 2024, (1)25-6. Decision on the substance 112/2024 — 19/33
the right to complain is used improperly and in particular not in accordance with
national legislation, which has excluded an appeal by an organisation in its own name, independently
of a data subject.
71. The Court of Cassation states that when there is abuse of rights, the exercise of
the right must be limited to its normal use. In this case, the complaint
was lodged by Noyb as representative. For that reason, this fact alone
already requires the entire file to be closed. II.3.2. Reason for dismissal II: fictitious mandate by pre-established grievances and
controller within internship relationship
72. The grievances are determined in advance in the name of the complainant, just as the method of
working with mandates within the meaning of Article 80.1 GDPR is determined in advance. In addition,
the identity of the requested controller is also determined by
the representative before the complainant accepts the “model case” and grants a
mandate in this regard.53
73. Although it is certainly not excluded that the complainant, as the person concerned, had a say in
determining the project’s guidelines, these guidelines were at least not solely
established by the complainant as the person concerned, as evidenced by the fact that identical (read:
quasi-identical) complaints were filed by different complainants in the context of the project. This
is evident from the findings of the Inspectorate in connection with the “bulk” method.
74. In this context, the Dispute Resolution Chamber points out that it is difficult for an employee to question the overall design of a project and not to agree to grant the mandate according to the guidelines set out, just as it is difficult for a data subject to give consent under many circumstances in an employment relationship to the processing of personal data within the meaning of Article 6.1.a GDPR. 54
75. In particular, the European Data Protection Board (“EDPB”) has indicated in its
Guidelines 5/2020 on consent that, given the disproportion
between an employer and its employees and the resulting hierarchical dependency, it is unlikely that an employee could freely respond to a request from his employer without feeling obliged to consent. 55
The same applies mutatis mutandis to trainees, however non-binding the commitment may be:
52Judgment of the Court of Cassation of 23 May 2019, V.M. v. P.B., C.16.0474.F, paraphrasing the French text: "The penalty for an
abuse of the right may be resider in the reduction of this right to its normal use."
53
In its summary conclusion, the first defendant cites on p. 6 a press release from the representative of the complainant,
which explains how the identification took place: "The websites were selected on the basis of the TLD of the Member State . . . We searched on
major websites in each EU Member State . . . “ (free translation by the first defendant from English of document 3 in her
summary conclusion; the Litigation Chamber edits the layout and underlines).
54Compare here with the Decision 22/2024 of the Litigation Chamber dated 24 January 2024, §§46-52.
55EDPB, Guidelines 5/2020 on consent under Regulation (EU) 2016/679, points 21-23. Decision on the substance 112/2024 — 20/33
it can indeed be pointed out that a successful or unsuccessful internship
can have consequences for a person's career.
76. It should also be noted once again that the legal provision on delegation (Article 80.1 GDPR),
which states that it is the data subject who retains the right to mandate an organisation
to represent the person. The wording "data subject" firstly shows
that personal data and associated processing in the context of the cited
grievances had to exist before (the coordination prior to) the
delegation. The wording "to give an order" then again points to the fact that the
mandate goes in one direction: from the complainant to the representative, not the other way
around. Moreover, recital 143 GDPR indicates that the data subject must first "believe" that there is a
problem under the GDPR, and not as a result of a specific instruction from the
representative, before the delegation takes place. 77. It should be noted that this fictitious mandate also entails a problem
of potential damage to the complainant concerned, which could not arise if
the representative did not initiate the project and induce those involved
to allow infringements to be committed and subsequently file a complaint about that infringement. This applies
firstly to the processing of the complainant's personal data,
possibly in conflict with the provisions of the GDPR.
78. Whatever the case, it is clear that the grievances are recorded in advance by the
representative of the complainant, and that the legitimate and free mandate by the complainant
who is also a trainee with the representative is thus compromised. This is sufficient to
establish that the mandate is problematic and more specifically fictitious, and
not in accordance with Article 80.1 of the GDPR.
II.3.3. Reason for dismissal III: trick to raise global and accessory issues for policy objectives of an association
79. The third and final reason for dismissal concerns the way in which the representative Noyb –
beyond the artificially created interest in the proceedings and the fictitious mandate – also tries to raise global and accessory issues by means of the
access to the proceedings, and in particular the allegedly unlawful data transfers to the US from the European
Economic Area after the Schrems II judgment of the Court of Justice of the EU. This is7
closely related to policy objectives of the association Noyb. As the Inspectorate
rightly notes, this involves a problem of possible conflicting or
56
See also art. 1984 BW, which states that a person gives another person the power to do something for the principal and
in his name. Also art. 1989 BW may be mentioned, which stipulates that the proxy may not do anything that exceeds the limits of his mandate; this supports the argument that the complainant himself must determine the limits of the mandate.
57Synthesis conclusion of the second defendant, document 5: “101 Complaints on EU-US transfers filed”, freely translated as “101 complaints
filed about <data>EU-US transfers”. Decision on the merits 112/2024 — 21/33
at least other types of interests. In a representation assignment, the
representative must put the interests of the complainant concerned first, and not pursue his own
policy objectives.
80. Art. 80.2 GDPR (not art. 80.1 GDPR) serves as a provision for associations to independently
58
report certain practices.
81. The European legislator has therefore indeed provided the possibility to file
complaints on one’s own initiative for organisations such as Noyb, but only if the
59
national legislator allows this. The Belgian legislator has, however, excluded this. For
the Dispute Resolution Chamber, this choice of the legislator deserves some context.
82. Indeed, it is important that Article 80.2 GDPR is drafted separately from Article 80.1 GDPR
and must be activated separately in the national legal sphere. The national
legislator is given the opportunity to determine the ‘activation’ of the article, for example to
avoid an unmanageable influx of complaints, just as the GDPR provides for
complaints from individual data subjects and the possibility for supervisory authorities to
refuse to deal with them in the event of excessive use. According to the Court of
Justice, Article 80.2 GDPR has a preventive function, whereby the
organisations involved are given the opportunity to raise issues in a global manner, if they
believe that the rights of a data subject under the GDPR have been violated
as a result of the processing. 83. The fact that Noyb acted in a case 62 before the Court of Justice in which it represented an involved (ex-)employee, and that therefore acting before the GBA would be permitted,
63
is anything but a correct conclusion. Even if the circumstances were exactly
the same as in the present case - which is not the case - access to justice through the
courts and tribunals is still different from that through the supervisory authority. In addition,
trademarks, defendants are right to have the preliminary issue in question brought before the Court
in vain.
58About art. 80.2 GDPR, one author writes: “The right to complain is therefore accessory to the (alleged) violation of
subjective rights, and the association is therefore merely a ‘complainant behind the complainant’.” Free translation from: Frenzel E.M., “Art. 80 DS-GVO” in
PaalB.P.andPaulyD.A.,DatenschutzgrundverordnungBundesdatenschutzgesetz,C.H.Beck,Ed.3,(1030)1034:“The right to complain
is therefore essential to (actually) injury to subjective rights, the relationship being only ‘the complainant hunts the complainant’
59Both defendants refer to the legislative preparations of the Belgian Chamber:
1) summary conclusion of the first defendant, p. 18, and;
2) summary conclusion of the second defendant, par. 69 – referring in footnote to: Bill of 11 June 2018 on the
protection of natural persons with regard to the processing of personal data, Parl. St. Chamber, 2017-18, no. 54-3126/001, 226. 60Cf. art. 57.4 GDPR.
61Judgment of the Court of Justice of the EU of 28 April 2022, Meta Platforms v. Verbraucherzentrale Bundesverband e.V., C-319/20, § 76;
Judgment of the Court of Justice of 11 July 2024, MetaPlatforms Ireland Ltd. V. Bundesverbandder Verbraucherzentralene.a., C-757/22, ECLI:EU:C:2024:598, §64.
62 Judgment of the Court of Justice of 4 May 2023, CRIF, C-487/21.
63In the reply, the complainant states as follows: “If even the CJEU considers such representation to be
legally valid, the DPA must also allow it.” Decision on the merits 112/2024 — 22/33
had to do with the power of representation for an authority within the meaning of
Article 80 GDPR.
84. When complaints are filed on a large scale that reflect actual infringements
on the basis of fictitiously drawn up complaints under Article 80.1 GDPR, the task of the
supervisory authority to take action may become de facto impossible, and its supervisory tasks in the
public interest are compromised. 64 This disregards the intention of the
European legislator, which leaves the autonomy to the national legislator to judge
the desirability of such access to justice for interest groups. 85. It should be noted that the low-threshold right to complain prompts hundreds of individual data subjects to file a complaint with the GBA as a complainant. Many of these complaints are dealt with substantively, are thoroughly investigated and lead to (corrective) measures. In any case, complaints from individuals have already led to hundreds of decisions by the Dispute Resolution Chamber.
86. Within the European Economic Area, (well) over 100,000
66
complaints are filed annually under the GDPR complaints regime, and according to the most recent publicly available figures, just under
67
4,000 employees would be employed within all supervisory authorities in 2024. The handling of complaints from
individual data subjects deserves the necessary attention and careful handling with the limited resources available to the
authorities.
87. All this outlines the context within which it is important that the limits of the legislator
must be respected. These limits were also confirmed by the Court of
Justice.8
88. This does not mean, of course, that civil society should not play a role in
data protection law litigation, or in filing complaints. Moreover, organisations as representatives can
also be involved in the obligations for the supervisory authority to take measures when establishing infringements
during the administrative procedure, see CJEU, Opinion Advocate General Pikamäe of 11 April 2024, TR v Land Hessen,
C-768/21.
65
The proposal of the European Commission would not make national ‘activation’ mandatory; this shows that
it is a deliberate and important consideration of the European legislator to leave this choice to the national legislator.
COM 2012, 11 final, Art 73.2;
see also Frenzel E.M., “Art.80 DS-GVO” in Paal B.P. and Pauly D.A., Datenschutzgrundverordnung Bundesdatenschutzgesetz, C.H.
Beck, Ed. 3, (1030) 1032: “In accordance with Art. 76 Abs. 2 DS-GVO-E (Rat), the right to lodge a complaint was no longer
provided for as a basic situation for an association, but the transposition was left to the Member States . . .”
66Communication of the European Commission of 25 July 2024, Second report on the application of the General Data Protection Regulation, COM(2024) 357 final, section 2.3, see also section 2.5.2 on the “processing of large numbers of complaints”.
67Based on the sum of the projections provided by the supervisory authorities in EDPB, Contribution of the EDPB
to the report on the application of the GDPR under Article 97, 12 December 2023, p. 28-9.
68
Judgment of the Court of Justice of the EU of 28 April 2022, Meta Platforms v. Verbraucherzentrale Bundesverband e.V., C-319/20, § 59. Decision on the substance 112/2024 — 23/33
Belgium certainly plays a role in facilitating the lodging of complaints through
representation and informing data subjects and controllers
of their rights and obligations. However, this is something different from drafting complaints for
non-existent complainants at that time.
89. The method whereby the complaint, at the initiative of the representative, attempts to address a general
pre-established practice, by dealing with this accessory in a complaint
from an individual data subject, shows that an artifice has taken place in the light of
Article 80.1 GDPR in lodging this complaint, in order to be able to
address practices in a manner exclusively provided for under Article 80.2 GDPR.9This method
may also give rise to potential conflicts of interest during the
representation assignment. The Dispute Chamber finds that the use of art.
80.1 GDPR by the representative in this case is not lawful for these reasons.
II.3.4. Dismissal
90. The reasons given above illustrate that this case is not a purely
semantic issue, but that the method used in the present case also causes or
can cause real problems. Each of the reasons is sufficient to prove non-compliance with the
choices of the European and Belgian legislators: the method used in this case
by the complaining party is contrary to the law in several ways. The Dispute Chamber
has carefully and objectively examined the case and cannot but conclude
that the complaint lodged must be dismissed for the aforementioned reasons.
II.3.5. Consideration of the consequences of the discontinuation
91. The fact that the mandate and the (procedural) interest in this case are fundamentally
problematic elements has been proven on the basis of several aforementioned
reasons. This leads to the discontinuation under art. 100, §1, 1° WOG. However, this does not
exclude the possibility that the complainant, as the person concerned, feels aggrieved after an
alleged infringement has been committed, since that alleged infringement can also effectively
take place as a result of the actions prior to and as a result of the fictitious
mandate.
92. Firstly, the representative argues that the complainant could also have filed a complaint
without representation, which would have resulted in the file being
continued in full; in addition, the representative also argues that the
‘autonomous’ representation without the complainant concerned under art. 80.2 AVG
may simply be an option for the representative in Belgium.
69 EU law may not be abused to circumvent national legislation, cf. Judgment Court of Justice, Halifax, C-255/02. Decision on the merits 112/2024 — 24/33
93. In this case, it is precisely the improper use of the right to complain (including the
use of a fictitious mandate that creates the infringement on the part of the person concerned) that
gives rise to the dismissal of this complaint file.
94. The Dispute Resolution Chamber rejects the argument that the infringement or damage had already taken place,
and that the file should therefore be continued. The Dispute Resolution Chamber considers that
procedural – just like substantive – rules must be complied with, regardless of whether
a particular outcome in terms of policy objectives of one party seems most favourable
or desirable. 95. In other words: the complainant did not file a complaint without representation, so the Dispute Chamber does not treat the complaint file as such. The Dispute Chamber cannot requalify a complaint in a manner in which it was not filed.
96. The representative also did not invoke art. 80.2 GDPR for filing a complaint, so the Dispute Chamber does not treat the file as such. For this last point, the
representative does not refer to the existing legal standards, but to the possible (under the constitution) discriminatory situation
in which Noyb can represent the courts and tribunals in this
‘independent’ manner under art. 17 Judicial Code, but not for the GBA. However, the GDPR leaves the
possibility to the Belgian legislator to activate art. 80.1 GDPR separately, so
there is no reason to consider this situation as discriminatory for the Dispute Chamber. 70Unequal cases do not have to be treated equally.
97. The mere fact that these infringements would have taken place, or that damage would have occurred in that context, does not justify accepting the fictitious mandate and the artificially created procedural interest. Procedural rules are in the interest of the quality and fairness of a procedure.
98. Secondly, the Dispute Chamber emphasises that this does not mean that an employee of an organisation such as Noyb could never file a complaint with Noyb as a representative.
II.4. Delegation under Article 80.1 GDPR: form and components.
99. Firstly, various elements emerge during the procedure that indicate
possible problems with the formulation of the mandate. The representative
of the complainant states at the hearing that the provision of EU law should be interpreted autonomously
70DeBotD., The application of the General Data Protection Regulation in the Belgian context: commentary on the
AVG, the Data Protection Act and the Data Protection Authority Act, Mechelen, Wolters Kluwer, 2020, 1164-5
(§2998-9). Decision on the merits 112/2024 — 25/33
to state that a mandate does not contain any formal requirements71
, referring to the purely oral possibilities to do so. The
defendants, on the other hand, argue, like the Inspection Service, that there are certain formal
or substantive defects, which relate to the essential elements72 of the mandate agreement, as well as its sufficiency as evidence73 of the
representation. In her mandate agreement enclosed with the complaint, the
first defendant is not explicitly named.
100. In the agreement enclosed with the complaint, the complainant refers to 25 different
(Noyb) file numbers in the one document for the mandate, which further
confirms what was previously stated about the artificially created procedural interest within
the project with model cases of Noyb. The fact that 25 complaints are filed already
raises the question of the applicability of the excessive use of the right to complain - for the sake of clarity, without the Disputes Chamber deciding to do so in this case.
101. The complainant has attempted to rectify the criticism of the initial mandate by attaching to its summary conclusion another document concerning the granting of a mandate, in which the individual controllers (in particular also the first defendant) are identified – together with the identification of controllers in three other complaint files with the DPA which are not formally related to the present complaint file. This document is signed solely by the complainant in this file (unlike the document attached to the complaint). 75
102. Given that in this file the decision to discontinue the proceedings is already based on several other
grounds for discontinuance, the Dispute Resolution Chamber will not proceed hic et nunc to the further
71
As regards the form, the European legislator does not clarify whether the “order” in Article 80.1 GDPR refers to the instrumentum (the written agreement or other) or to the negotium (the agreement). As regards the instrumentum, classical national legal doctrine has held that a mandate agreement can be solo consensu (Tilleman B., “Titel V: Vorm van de Endgevingsovereenkomst” in Lastgeving, Gent, Story-Scienta, 1997, §§139 et seq.).
In the specialized legal doctrine concerning the GDPR, it is doubted whether a mandate under Article 80.1 GDPR does not require a written document:
cf. Frenzel E.M., “Art. 80 DS-GVO” in Paal B.P. and Pauly D.A., Datenschutzgrundverordnung Bundesdatenschutzgesetz, C.H.
Beck, Ed. 3, (1030)1033-4: “This requires – at least for reasons of certainty in legal transactions and the exclusion of the risk of abuse – an explicit, written statement . . .” (the Litigation Chamber is editing the drafting);
free translation: “This requires – at least for reasons of certainty in legal transactions and the exclusion of the risk of
abuse – an express, written statement . . .”
72
The legal acts that the representative must perform could be regarded as an essential element,
but arguably also the identity of the data controller targeted in a GDPR complaint. See also: Van
OevelenA.,PrinciplesofBelgianPrivateLaw.10:Agreements.2:Specialagreements.E:Contractingwork
– power of attorney, Mechelen, Wolters Kluwer, 2017, §389;
See also article 1988 of the Civil Code: “Power of attorney, expressed in general terms, only includes acts of management;”
73It is up to the person who relies on a power of attorney agreement to prove its existence, see: Tilleman B., O.c.,
§172; Van OevelenA., o.c., §417: “In addition, the power of attorney contract shows this special feature that the agent, in
executing his mandate, performs legal acts in relation to a third party in relation to whom he must be able to demonstrate his
power of representation.”; ibid, §419.
74Cf. art. 57.4 GDPR.
75
In civil law, the representative's expression of intent can also be demonstrated by his or her actions, cf. Van Oevelen A., o.c.,
§416 in fine: "The signature of the proxy is not necessary . . . but does have the advantage that it proves the proxy's express acceptance of his or her mandate and therefore also the existence of the mandate." Decision on the merits 112/2024 — 26/33
examining the legality of the correction of the allegedly inadequate
aspects of the mandate in the document attached to the complaint by
the document filed with the reply of the complaining party. These concern only
considerations in the context of transparency regarding the pleas and
arguments raised. 103. Secondly, both defendants allege a shortcoming on the part of the complaining party under Belgian law. This concerns article 220 § 2 GBW, whereby the defendants note that the representative has not been active in the field of personal data protection for "at least three years" or that she has at least not provided the correct evidence to that effect (submission of evidence required under article 220, §3 GBW), as well as under the same legal provision that she is not an association established "in accordance with Belgian law".
104. With regard to this point, the complainant states at the hearing that it was established more than
three years before the complaint was filed; its objectives are aimed at
promoting and enforcing the rights of data subjects and natural persons in the digital sphere.
105. In addition, the Dispute Resolution Chamber points out that the requirement that an association within the meaning of
Article 80 GDPR must be established under “Belgian legislation” in accordance with
Article 220 GBW is not in line with European Union law, and in particular the exhaustive
nature of Article 80.1 GDPR and the wording of the accompanying recital 142 of the preamble.
In this sense, the primacy of EU law obliges the Dispute Resolution Chamber to disregard
national legislation that is clearly in conflict with EU law. Art. 80.1
GDPR is directly applicable in the Belgian legal order. The complainant rightly raises this, referring to the relevant case law in this regard. 76
106. In any event, the Dispute Chamber cannot submit preliminary questions, neither to the Court of Justice nor to the Constitutional Court.7
107. Given the multiple reasons on which this decision to discontinue the case is already based, the
Dispute Chamber will not proceed to further investigation of these aspects and these only concern
considerations in the context of transparency regarding the pleas and
arguments raised. 108. Thirdly, the defendants argue that the person who signed the agreement 78with the complainant
on behalf of Noyb would not be authorised under the articles of association to do so –
76The complainant refers to the ECJ judgments of 9 March 1978, C-106/77 (Simmenthal), of 19 June 1990, C-213/89
(Factortame), para. 13, and of 22 June 2010, C-188/10 and C-189/10 (Melki).
77The Litigation Chamber is an administrative body, albeit with quasi-jurisdictional powers; cf. also the wording
“semi-judicial” in the judgment of the Brussels Court of Appeal (Chamber 19A, Market Court section) of 28 October 2020, 2020/AR/582, § 7.4.
78This concerns the document that was attached to the complaint (document 1 administrative file). Decision on the merits 112/2024 — 27/33
and for that reason the representative in this case could not be validly bound in law.
In this regard, the Dispute Chamber merely notes that there is no written evidence in the
administrative file that shows that the person in question could validly bind the
representative. Given the multiple motives on which this
decision to discontinue the proceedings is already based, the Dispute Chamber will not proceed to further
examine this aspect and this is merely a consideration in the context of transparency
regarding the resources and arguments raised.
III. The substantive findings of the Inspectorate
109. This decision deals solely with aspects relating to the correct
representation and the (procedural) interest of the complaining party, which can be
traced back to procedural issues concerning the complaint. It does not
make binding decisions with regard to the two defendants, other than to the extent that the
file, which was initiated with regard to them on the basis of a complaint, is
closed.
110. Nevertheless, the Dispute Chamber considers it appropriate to
include the findings of the Inspectorate in this decision, as part of the
statement of facts, since the extensive investigation by the Inspectorate (the final report
of which alone contains 191 pages) must also demonstrate that the complaint
has been thoroughly investigated in its entirety. 111. The findings are presented below by the Dispute Chamber as a
concise summary of what was established by the Inspection Service to
present the general lines of the report, without wishing to present a complete overview of all
incriminating or mitigating elements from the report.
- Finding 1: the personal data of the data subject are exported to the
processor (second defendant) by using the functionality "Google Analytics" on the website
https://www.flair.be/:
o The Inspection Service has framed these findings in a comparison based on
technical findings (in the period after the aforementioned decision 21/2021 of the
Dispute Chamber) for the cookie settings between 9 August 2022 and 15 September 2022; it was noted that
several adjustments were made to the cookie banner (such as the
addition of a “reject all cookies” button) and that use is made of
the Didomi “consent management platform”.
79
cfr. reference supra, part I decision. Decision on the merits 112/2024 — 28/33
o Furthermore, the Inspection Service has established that also in the most recent situation
the cookies “Google Advertising Products” and “Google Analytics” are listed
with the partners, and reference is made to the fact that these partners
are supplied via the “Transparency and Consent Framework” of
vzw IAB Europe.
o The processing register of the first defendant shows, among other things, that
“Google Analytics” is described as “reporting and analysis of digital
visiting and reading behaviour (only aggregated anonymous statistics)” and that the
controller bases himself on the legitimate interest for
the processing.
o With regard to the Google Analytics tool, the first defendant states
to the Inspection Service that, in accordance with the terms of use
of that tool, the first defendant “has no other choice than to
transfer personal data, if and to the extent that the data can be qualified as
personal data, to the US.”
o The Inspection Service refers to various decisions of foreign
supervisory authorities that raised a similar issue, and this in connection with
transfers to the second defendant in the US, with the latter as “data importer”.
- Finding 2: regarding the first defendant - infringements of Articles 5.1.a, 12.1,
13.1.b), 13.1.c), 13.1.d), 13.1.e), 13.1.f), 13.2.a, 13.2.c), 13.3, 14.1.a), 14.1.b), 14.1.c), 14.2.a) and
14.2.b) and an infringement of Article 10/2 1° GBW: the right to transparent information.
o In preparation for this finding, the Inspection Service examined various
historical versions with – at that time – the most current version (version 7 of 23 August 2022) of the first defendant's
privacy policy. In this context, the Inspection Service notes that new facts have emerged compared to a previous investigation into the first defendant.
o The Inspection Service has established that there was no transparency about new versions and version management of the cookie policy and the privacy policy for 23
August 2022. In the version of 23 June 2021, the first defendant made
"substantial additions", according to the Inspection Service, with regard to the information provided in the "cookie tables".
o In accordance with the new version of 23 August 2022 of the privacy policy in
combination with a cookie policy, the Inspection Service notes that the information
offered in the Didomi "consent management platform" corresponds to Decision on the merits 112/2024 — 29/33
that in the aforementioned policy overviews. The Inspection Service states that it "welcomes" the
adjustments. Nevertheless, the Inspection Service still found several
"imperfections" after the changes of 23 August 2022,
including the use of the English language on the Didomi CMP (while the
website pages are in Dutch and French), and the inaccessible nature of the
policy when no choice has yet been made via the cookie banner.
o In general, the Inspection Service indicates that vague wording is sometimes used in
the privacy policy, such as the use of the wording "some", "etc" and "among others" without further
specification: according to the Inspection Service, this information is less vague in the cookie policy.
Specific information about the data protection officer is also missing, as is
information about processing based on art. 6.1.c) and 6.1.f) GDPR,
information on the (categories of) recipients of personal data and
information on the transfer of persons to a third country cf. articles
46, 47 or 49.1 GDPR. In addition, according to the Inspectorate, the
retention periods for certain personal data (per type) are missing, as is
specific information on the withdrawal of consent and the
resale or commercialisation of certain personal data. Finally,
information on received personal data that were not collected
directly from the data subject, within the meaning of article 14 GDPR, is missing.
- Finding 3: regarding the first defendant - infringement of articles 13.1.b), 37.7 and
38.4 GDPR: the contact details of the data protection officer.
- Finding 4: regarding the first defendant - infringements of Articles 30.1.a), 30.1.b),
30.1.c), 30.1.d), 30.1.e) GDPR regarding the register of processing activities.
o The Inspection Service points out in this regard that the processing activities of the
first defendant are incompletely presented, referring to
findings regarding processing concerning personnel activities,
processing via camera surveillance aimed at visitors to its buildings and
the presentation of processors in the register.
o In addition, the Inspection Service refers to missing elements in the
processing register, including the list of all possible processing purposes of personal
data cf. Article 30.1.b) GDPR, a
description of the categories of recipients to whom the personal data
have been or will be provided cf. Article 30.1.d) GDPR. Decision on the merits 112/2024 — 30/33
- Finding 5: infringement for invoking art. 6.1.f) GDPR for invoking the
legitimate interest for placing non-strictly necessary analytical
cookies – use of Google Analytics from 25 May 2018 to 20 August 2020.
o In this context, the Inspection Service points out that the legislation on placing
cookies has been in place for quite some time, and that the first defendant also
sat idle for two years after 25 May 2018, i.e.
blocking non-strictly necessary cookies from the website
pages without permission. Here, the Inspection Service notes as an additional fact that no
documented assessment was made when starting (or continuing) the processing
activity after the GDPR came into force.
- Finding 6: infringements of Articles 5, 6 and 4.11 in conjunction with Article 7 GDPR and Article 10/2
GBW: the principles of processing personal data and the lawfulness of processing for the DIDOMI CMP since 20 August 2020
o Since 20 August 2020, the first defendant has relied on the consent
for (the personal data processing following) the placement of non-essential analytical cookies; in this respect, the Inspection Service considers the
transparency insufficient and the consent ambiguous, referring to the "misleading colours" used - the Inspection Service refers in this
case to the difference in colours and contrast ratio based on the "rgb code or
hex code".
o Furthermore, the Inspection Service states that the "withdrawal of consent" is not
valid due to the placement of the "reject all" button on the second
information level.
- Finding 7: Infringement of Articles 5 and 6 GDPR: the principles for the processing of
personal data and the lawfulness of the processing for the cookie _gat_UA-#
of the second defendant
o The Inspection Service points out that the aforementioned cookie is listed as a
necessary cookie, where the Inspection Service states that Google Analytics is not
strictly necessary for the website to function.
- Finding 8: Infringement of Articles 5.1.e) and 25 GDPR: principles for the processing of
personal data: storage limitation and data protection by design and by
default settings.
o The Inspection Service points out that relatively long retention periods are still used for several cookies that "can be seen as disproportionate": during the consultation on 15 September 2022, the Inspection Service specifically questions whether the retention period is proportionate to the purpose of the processing, particularly for 21 of the 298 cookies examined.
- Finding 9: infringement of Article 32.1 GDPR: Security of processing - no
pseudonymisation from 25 May 2018 to 30 September 2022.
o In this context, the Inspection Service also indicates that the defendants cannot
strongly demonstrate that certain processing in the context of the cookies at issue is
anonymous. - Finding 10: infringement of Articles 5.2, 13.1.f), 24.1, 28.1, 32.2 GDPR on the points where
there is cooperation with a processor.
o The second defendant has confirmed to the
Inspection Service in the context of the investigation that it is the processor in light of the
processing at issue (in connection with analytical cookies).
o The Inspection Service further states with regard to the first defendant that it has
taken the appropriate organizational and technical measures that specifically relate to the processing
agreement and the conclusion of "Standard Contractual Clauses" ("SCC") or Model Contractual Clauses
regarding Data Protection ("MCB"). On the other hand, the Inspection Service states that the
first defendant nevertheless failed to be appropriately transparent with regard to the
data subjects in this regard. - Finding11: InfringementsofArticle32.2,44and46.1GDPR: assessmentoftheadequatelevelofsecurityandprovidingappropriatesafeguardsensuringdata subjectshaveenforceablerightsandeffectivelegalremediespriortothetransferofpersonaldatatoathirdcountryoraninternationalorganisation
byacontroller.
o Inthiscontext,theInspectoratepoints–inthelightofthecaselawoftheCourtof JusticeoftheEUonthismatter–tothefirstdefendant’sdutytoinvestigate.
o AfterreferringtoseveralindependentinvestigationsontheissuesconcerningdatatransferstotheUSA,theInspectoratefindsthatatransferofpersonaldataistakingplacetotheUSA(totheseconddefendantas“dataimporter”)outsidetheEEAthroughtheuseofGoogleAnalytics. When in this context reliance is placed on
Article 46 GDPR (appropriate safeguards) and so-called "model contractual
clauses", the Inspection Service considers this insufficient to meet the legal requirements
in light of the interpretation of the Court of Justice. The Inspection Service also refers in this context to the lack of evidence regarding
Decision on the merits 112/2024 — 32/33
the implementation of organizational measures for the assessment of the
legislation of the third country.
o Furthermore, the Inspection Service points out that the second defendant did publish new
SCC on 21 March 2022, but that the last examined privacy statement
does not contain any information about those (alleged) adjustments.
112. Furthermore, the Inspection Service submits a number of “additional considerations”,
including the interaction of the findings with the earlier decision of
the Dispute Chamber concerning the first defendant. In addition, the Inspection Service also points
to the presence of several elements in the file that belong to the strategic priorities
of the GBA, and the listed nature of the first defendant in particular.
113. In any case, the defendants have been made aware of the findings by the Inspection Service, and
they are advised – in accordance with their obligations in this regard under Articles 5.2 and 24 GDPR –
to take proper educational note of the findings by the Inspection Service. The defendants are also in possession of the integral investigation report and
the administrative file with all the substantive and technical elements that precede and underlie
that report.
IV. Publication of the decision
114. Given the importance of transparency with regard to the decision-making of the
Dispute Resolution Chamber, this decision is published on the website of the
Data Protection Authority.
115. Given that the representative of the complainant has already proceeded to
publish the entirety of the 80
data of the defendants in this dispute, and given the size of the
defendants and the unaddressed findings of the Inspectorate regarding
their activities pursuant to procedural issues, the Dispute Resolution Chamber decides to
publish the data of all parties.
116. However, it is not at all necessary for
social or any other reason that the identity of the complainant be made
known. 80Synthesis of conclusion of the first defendant, document 5: “Overview of NOYB cases, 101 complaints”; synthesis of conclusion of the second defendant,
document 7: “Overview drawn up by the defendant of all 101 complaints submitted by NOYB in the context of transfers of
personal data.”
