APD/GBA (Belgium) - 114/2024
From GDPRhub
| APD/GBA - 114/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 9(1) GDPR Article 9(2)(a) GDPR Article 12(1) GDPR Article 13(1)(c) GDPR Article 13(2)(c) GDPR Article 13(2)(d) GDPR Article 13(2)(e) GDPR Article 15(1) GDPR Article 30(1)(a) GDPR Article 30(1)(b) GDPR Article 30(1)(c) GDPR Article 30(1)(d) GDPR Article 35 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 06.09.2024 |
| Published: | |
| Fine: | 45,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 114/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (Belgium) (in NL) |
| Initial Contributor: | wp |
A controller was fined €45,000 for unlawful processing of personal data within a system of timekeeping, based on employees’ fingerprints collection.
English Summary
Facts
A company (the controller) introduced a system of timekeeping, based on fingerprints collection, within its two premises. The controller used a software provided by a third party (a processor), a subsidiary of a Japanese company, operating also in the USA and China.
One of the controller's employees filed an access request with the controller twice. The first access request was answered orally, during the meeting with the representative of the union and the controller. The other reply only partially covered the questions asked by the data subject, for example by providing a fragmented list of the processing purposes pursued by the controller or not responding to the possible consent refusal.
The data subject lodged a complaint with the Belgian DPA (APD/GBA). They claimed the processing of their fingerprints violated their right to data protection. The data subject didn’t provide the fingerprints voluntarily and was not informed about the data retention periods. The data subject also expressed doubts regarding the adequate level of data protection in third countries where the data may be transfers.
According to the documents provided by the controller, the processing of fingerprints served the purpose of:
- recording of working time (including the preparation of paychecks);
- fraud prevention;
- safety reasons, including to know at all times how many people are present on the production site in case of fire or in case of monitoring the change of successive shifts; and
- control of access to the employer's building.
During the investigation, the controller did not present a legal basis for the processing, nor the rules regarding the retention period nor could it provide a written security and privacy policy.
Holding
The DPA upheld the complaint.
Initially, the DPA noted the controller processed biometric data under Article 4(14) GDPR, and consequently special categories of personal data under Article 9(1) GDPR, because the biometric data were used to identify the data subject.
The controller didn’t clarify which legal basis of Article 6(1) GDPR and Article 9(2) GDPR was used to process the data at stake. After the investigation, the DPA stated it was a consent. Nevertheless, the consent obtained by the controller didn’t provide the accurate information to the data subject and violated Article 7(1) GDPR. Also, the consent was not freely given, since it was a part of the employment relationship and the controller didn’t implement an alternative timekeeping mechanism. As a result, the controller violated Article 9(1) GDPR, Article 6(1)(a) GDPR and Article 9(2)(a) GDPR.
The DPA found the controller didn’t communicate all the purposes of the data processing. The brochure given to the data subject mentioned only the time recording and site security needs. However, as the processing was not legitimate, there was no legitimate purpose of data processing and the controller violated Article 5(1)(b) GDPR. Moreover, the controller violated Article 5(1)(c) GDPR, because they relied on privacy intrusive mechanism for the employees’ timekeeping, while potentially other, less intrusive solutions were available to pursue the controller’s purposes, for example time clocks or personal card.
The controller used a welcome brochure to inform the data subject and other employees about processing of their fingerprints. Yet, the brochure didn’t contain all the information prescribed by the Article 13 GDPR, especially no information about the legal basis of processing. Hence, Article 12(1) GDPR, Article 13(1)(c) GDPR, Article 13(2)(c) GDPR, Article 13(2)(d) GDPR, Article 13(2)(e) GDPR were violated by the controller.
For the DPA the controller’s answer to the first access request was fulfilled in accordance with Article 12 GDPR. On the other hand, the answer to the other request was incomplete and as such it violated Article 12 (1) GDPR in conjunction with Article 15(1)(d) GDPR.
The investigation also proved the controller violated Article 28 GDPR. There was no due diligence performed over the technical and organisational measures used by the processor. Instead, the controller relied on the brochure for the processor and in-person negotiations with the processor employer. Such a conduct was insufficient under Article 28(1) GDPR.
The controller failed to create internal policies describing the technical and organisational measures used. However, the controller implemented the measures, which met the requirements of Article 32 GDPR, so no violation was found. Notwithstanding that, the controller violated Article 5(2) GDPR by failing to demonstrate, in particular, how the measures were checked or a data breach handled.
Furthermore, Article 35 GDPR was violated. No data protection impact assessment was performed, whilst the processing included sensitive data of employees (being vulnerable data subjects) and constituted a large scale-processing (approximately 200 employees). In addition, the controller’s record of processing activities was lacking of, inter alia, appropriate description of categories of data processed. As a result, the controller violated Article 30(1)(a) GDPR, Article 30(1)(b) GDPR, Article 30(1)(c) GDPR, Article 30(1)(d) GDPR.
Regarding the transfer of data to the third countries, the DPA emphasised the there was no proofs of Chapter V GDPR violation. Equally, the DPA found no violation of Article 28(3) GDPR or Article 37(1) GDPR.
For the violations of:
• Article 5(2) GDPR, Article 30(1)(a) GDPR, Article 30(1)(b) GDPR, Article 30(1)(c) GDPR, Article 30(1)(d) and Article 35 GDPR, the DPA issued the reprimand;
• Article 12(1) GDPR and Article 15(1) GDPR, the controller received a warning;
• Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 5(2) GDPR, Article 6(1)(a), Article 9(1) GDPR, GDPR and Article 9(2)(a) GDPR, , Article 12(1) GDPR, Article 13(1)(c) GDPR, Article 13(2)(c) GDPR, Article 13(2)(d) GDPR, Article 13(2)(e) GDPR the DPA fined the controller €45,00.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/71 Litigation Chamber Decision on the merits 114/2024 of 6 September 2024 File number: DOS-2022-00896 Subject: : Time registration via biometric data at work The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Dirk Van Der Kelen and Mr Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; Has taken the following decision concerning: The complainant: X, represented by Mr. Gert Buelens, with offices at 2800 Mechelen, Nekkerspoelstraat 97, hereinafter “the complainant”; The defendants: Y1, represented by Mr. Meester Bernard Dewit, with offices at 1050 Brussels, Albert Leemansplein 20, hereinafter “the first defendant”; Y2, represented by Mr. Jos De Wachter and Mr. Charlotte Peeters, with offices at 3600 Genk, Jaarbeurslaan 19, box 3, hereinafter referred to as "the second defendant"; together referred to as "the defendants". Decision on the merits 114/2024 – 2/71 I. Facts and procedure 1. On 3 February 2022, the complainant filed a complaint with the Data Protection Authority against the first defendant. This was initially inadmissible. The complaint was re-filed and declared admissible on 29 March 2022. The complainant worked for the first defendant from March 2021 to 24 February 2022, initially as a temporary worker and from June 2021 as an employee with a permanent contract. On 16 March 2020, the first defendant introduced a time registration system using fingerprints at both of its sites for all staff members working there. According to the first defendant, the system applies to around 200 employees, of whom 44 are employees, 74 workers, 29 temporary workers and the remainder are "foreign employees". The supplier of the system (the second defendant) is a subsidiary of an international group with its head office in Japan and activities in, among others, the United States and China. The complainant believes that the processing of his fingerprints (one from each hand) violates his right to the protection of personal data because he did not voluntarily provide the fingerprints and because he was not informed of the modalities of the storage of the data and the retention period. Finally, in his complaint, the complainant also expresses his concern about a possible transfer to a third country that does not offer appropriate safeguards, given the geographical location of the registered office of the parent company of the first defendant. 2. On 29 March 2022, the complaint is declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is transferred to the Dispute Resolution Chamber on the basis of Article 62, § 1 WOG. 3. On 21 April 2022, in accordance with Article 96, § 1 WOG, the request of the Dispute Resolution Chamber to conduct an investigation is transferred to the Inspectorate, together with the complaint and the inventory of the documents. 4. On 29 August 2022, the investigation by the Inspection Service will be completed, the report will be added to the file and the file will be transferred by the Inspector General to the Chairman of the Dispute Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject of the complaint and makes the following findings in respect of the first defendant: 1. a violation of Article 5.1, a), 6.1 and 9.1 GDPR; 2. a violation of Article 5.1, b) GDPR; 3. no violation of Article 5.1, c) GDPR; 4. a violation of Article 5.1, a) j° 12.1 and 13 GDPR; Decision on the substance 114/2024 – 3/71 5. a breach of Article 5.1, a) j° 12.1 and 15 GDPR; 6. a breach of Article 5, paragraph 2 GDPR; 7. a breach of Article 28, paragraph 3 GDPR; 8. a breach of Article 28, paragraph 1 GDPR; 9. a breach of Article 32 GDPR; 10. a breach of Article 35 GDPR; 11. no indication of any transfers of the biometric data to third countries or international organisations. The report contains findings relating to the subject-matter of the complaint on the part of the second defendant and states that the second defendant has failed to fulfil its obligation under Article 28.3 GDPR to conclude a valid processing agreement. The report also contains findings that go beyond the subject of the complaint. The Inspection Service establishes, in broad terms, that: 1. there is a breach of Article 30 GDPR on the part of the first defendant due to the failure to maintain a processing register prior to the Inspection investigation and due to the defective content of the current processing register; 2. there is a breach of the obligation to appoint a data protection officer pursuant to Article 37.1, b) and c) GDPR on the part of the second defendant. 5. On 1 September 2022, the Dispute Resolution Chamber decides on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for consideration on the merits. 6. On 1 September 2022, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as those in Article 98 of the WOG. They will also be notified of the deadlines for submitting their defences on the basis of Article 99 of the WOG. As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the defendants’ conclusions of reply was set at 13 October 2022, that for the complainant’s conclusions of reply was set at 3 November 2022 and finally that for the defendants’ conclusions of reply was set at 24 November 2022. Decision on the merits 114/2024 – 4/71 As regards the findings outside the subject matter of the complaint, the deadline for receipt of the second defendant’s conclusions of reply was set at 13 October 2022. 7. On 9 September 2022, the second defendant requested a copy of the file (Article 95, § 2, 3° WOG), which was sent to her on 13 September 2022. 8. On 25 September 2022, the complainant requests a copy of the file (Article 95, § 2, 3° WOG), which was sent to him on 5 October 2022. 9. On 25 September 2022, the complainant electronically accepts all communication regarding the case and indicates that he wishes to make use of the possibility to be heard, in accordance with Article 98 WOG. 10. On 28 September 2022, the first defendant electronically accepts all communication regarding the case and requests a copy of the file (Article 95, § 2, 3° WOG), which was sent to him on 5 October 2022 and indicates that he wishes to make use of the possibility to be heard, in accordance with Article 98 WOG. 11. On 13 October 2022, the Dispute Chamber receives the conclusion of the response from the first defendant regarding the findings regarding the subject of the complaint. First, the first defendant outlines the troubled employment relationship with the complainant. The findings of the Inspection Service regarding the lawfulness of the processing, the transparency principle, the principle of purpose limitation and the principle of minimal data processing are not disputed by the first defendant. She states that she has remedied these infringements in the meantime. However, the defendant disputes the findings regarding the complainant's right of access and states that she has responded in accordance with the GDPR. The first defendant also disputes the finding that no sufficient security measures were taken. She has engaged an expert in the matter and received sufficient documentation to convince herself of the seriousness of the measures taken by the supplier (the second defendant). 12. On 13 October 2022, the Disputes Chamber receives the conclusion of the response from the second defendant regarding the findings regarding the subject of the complaint. The second defendant claims to be able to share the correct knowledge about the system. She also states that she has provided the relevant information to the first defendant in a timely manner. Furthermore, the second defendant claims that she does not process personal data, including biometric personal data, since the data subjects are not identifiable to her, since she only has encrypted files. This conclusion also contains the response from the second defendant regarding the findings made by the Inspectorate outside the scope of the complaint. The second defendant argues that it was not obliged to appoint a data protection officer under either Article 37.1.b), Decision on the merits 114/2024 – 5/71 or Article 37.1.c) of the GDPR. In the meantime, the second defendant has voluntarily appointed a data protection officer. 13. On 3 November 2022, the Dispute Chamber receives the conclusion of the reply from the complainant. First, the complainant argues that the situation sketch of the first defendant regarding the employment relationship between the two of them is not relevant in these proceedings. As regards the findings of the Inspection Service regarding the subject of the complaint, he asks the Dispute Chamber to confirm them. 14. On 24 November 2022, the Dispute Chamber receives the conclusion of the rejoinder from the first defendant regarding the findings regarding the subject of the complaint in which she repeats the arguments of her conclusion of the response. 15. On 24 November 2022, the Dispute Chamber receives the conclusion of the rejoinder from the second defendant regarding the findings regarding the subject of the complaint. The second defendant refers to her conclusion of the answer and also requests the Dispute Chamber to take into account the real motives of the parties. 16. On 2 December 2022, the parties are informed that the hearing will take place on 17 February 2023. 17. On 2 December 2022, the complainant indicates that he no longer wishes to be heard. 18. On 17 February 2023, the parties present are heard by the Dispute Chamber. 19. On 22 February 2023, the minutes of the hearing are submitted to the parties present. 20. On 28 February 2023, the Dispute Chamber receives a number of comments from the second defendant regarding the minutes, which it decides to include in its deliberations. 21. On 4 June 2024, the Dispute Chamber notified the first defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give it the opportunity to defend itself before the sanction is actually imposed. 22. On 26 August 2024, the Dispute Chamber received the first defendant's response to the intention to impose an administrative fine, as well as the amount thereof. II. Reasons for Decision on the merits 114/2024 – 6/71 II.1. Lawfulness of the processing (Articles 5.1, a), 6.1 and 9.2 GDPR) with regard to the first defendant 23. The question arises whether the processing of personal data in the context of the time registration by the first defendant constitutes lawful processing. 24. The starting point of Article 5.1.a) GDPR is that personal data may only be processed lawfully. II.1.1.1. (Special) personal data 25. According to Article 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, for example by reference to one or more factors specific to the physical or physiological identity of that natural person. 26. According to Article 4(14) GDPR, biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data. 27. Article 9.1 of the GDPR defines special personal data as follows: “[...] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation [...]”. The parties do not dispute that the first defendant acts as a controller within the meaning of Article 4, 7) GDPR with regard to the time registration of its employees based on their biometric data. 28. In view of the above, the Dispute Resolution Chamber finds that the fingerprint constitutes a biometric data within the meaning of Article 4.14) GDPR. Since this is used by the first defendant to identify the data subject in the context of time registration, it also constitutes special personal data within the meaning of Article 9.1 of the GDPR in the first defendant's possession. II.1.1.2. Prohibition on the processing of biometric data Decision on the merits 114/2024 – 7/71 29. The Litigation Chamber will assess below whether the first defendant has lawfully processed the special categories of personal data in the context of the time registration of its employees. 30. Personal data that are particularly sensitive deserve specific protection, because their processing can entail high risks for fundamental rights and freedoms. The processing of special categories of personal data is therefore prohibited under Article 9.1 of the GDPR, unless a statutory exception applies. 31. If processing of categories of special personal data takes place in accordance with Article 9.1 GDPR, the controller must indicate a legal basis in accordance with Article 6 GDPR and an exception from Article 9.2 GDPR in order to be able to speak of lawful processing. This combination of legal grounds from Articles 6.1 and 9.2 GDPR was recently confirmed in the judgment of the Court of Justice in Meta (C- 252/21), in which the Court expressly ruled that the processing of sensitive personal data is only permitted if such processing can be considered lawful under Article 6.1 GDPR. The opinion 2/2019 of the European Data Protection Board (hereinafter: EDPB) and the opinion 06/2014 of the Article 29 Working Party also consistently refer to the cumulative application of both Article 6 GDPR and Article 9 GDPR in the case of processing of special personal data. Finally, recital 51 GDPR clearly indicates that Article 6 GDPR must always be applied. 32. It is up to the controller to determine which legal basis is appropriate in relation to the purpose of the processing. Since different legal bases have different consequences, in particular with regard to the rights of data subjects, the controller is not allowed to rely on one or the other legal basis, depending on the circumstances. Once a particular legal basis has been chosen, it is not the intention that there will be any further exchanges or, when the chosen legal basis ceases to apply, that there will be a recourse to another legal basis for the same processing activity, for the same purposes. Article 5.1.b) GDPR requires that personal data be collected “for specified, explicit and legitimate purposes” 1See recital 51 of the GDPR. 2 CJEU Judgment of 4 July 2023, Meta, C-252/21, ECLI:EU:C:2023:537, para. 90. 3 Opinion 2/2019 (EDPB) on the questions and answers on the interaction between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Article 70(1)(b)) of 23 January 2019. 4 Opinion 06/2014 (WP 29) on the concept of “legitimate interest of the controller” in Article 7 of Directive 95/46/EC. 5 See also decision 77/2023, para 74, of the Litigation Chamber. 6 See, for example, decisions 38/2021, 54/2023 and 77/2023 of the Litigation Chamber. Decision on the substance 114/2024 – 8/71 and […] not subsequently processed in a manner incompatible with those purposes; […] (“purpose limitation”)”. Where a single processing operation pursues multiple purposes, each purpose must be based on a legal basis.7 33. The question therefore arises as to which legal basis under Articles 6.1 and 9.2 of the GDPR the first defendant relies on for the disputed processing of a special category of personal data. After investigation, the Inspectorate concludes that the documentation provided does not clearly show which legal basis the first defendant relies on for the disputed processing. On the one hand, the first defendant relies on different legal grounds in different documents, and on the other hand, it does not rely on one, but on several legal grounds at the same time. In any case, it is clear that none of the relied on legal grounds can be a valid legal basis for the disputed processing, as the Inspectorate concludes. 34. The first defendant does not dispute the Inspectorate’s findings. In her conclusions, the first defendant states that the HR manager hands out the welcome brochure on the welcoming day of new staff and that the employee then gives permission for time registration based on the fingerprint. The first defendant acknowledges that this is contrary to the recommendation of the Knowledge Centre of the GBA concerning the processing of biometric data dated 1 December 2021, which states that it is unlikely that the data subject could withhold his/her consent to data processing without fear of adverse consequences resulting from that refusal because of the mismatch in the work context. As a mitigating circumstance, the first defendant argues that when the new work regulations were introduced, no employee commented on the additions regarding the biometric system. Comments could be made anonymously. No trade union delegation made comments. Furthermore, the employees themselves have indicated that they prefer the biometric system over a system with access cards. 35. As regards the lawfulness of the processing, the Dispute Chamber finds that the first defendant does not expressly state in its statement of defence on which legal basis under Article 6.1 in conjunction with Article 9.2 GDPR it relies for the processing at issue. The Dispute Chamber also finds that during the investigation, various legal grounds were put forward for the processing of the personal data at issue. Based on the conclusions and the hearing, the Dispute Chamber finds that the first defendant ultimately relies on consent as a legal basis. The Dispute Chamber will assess below whether the first defendant can lawfully rely on the exception of consent as included in Article 9.2.a) GDPR. 7See also decision 77/2023, para 77, of the Dispute Resolution Chamber Decision on the merits 114/2024 – 9/71 36. According to Article 4, 11) of the GDPR, consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies their agreement to the processing of personal data relating to him or her. 37. In order for consent to be given with full knowledge of the facts, the data subject must, among other things, be informed of the identity of the controller, the purpose of the processing, the type of data that is being processed and the existence of the right to withdraw consent. 8 38. In addition, a data subject must be able to give consent freely. The EDPB Guidelines on consent under the GDPR note the following in this regard: “A lack of consistency also occurs in the context of employment relationships. Given the dependency that results from the employer-employee relationship, it is unlikely that the data subject could withhold his/her consent to data processing without fear or real threat of adverse consequences as a result of a refusal. It is unlikely that the employee could freely respond to a request for consent from his/her employer, for example, to activate surveillance systems such as CCTV in the workplace, or to fill in assessment forms, without feeling pressure to consent. Therefore, WP29 considers that it is problematic for employees to process personal data of current or prospective employees on the basis of consent, because it is unlikely to be freely given. For most such workplace data processing, the legal basis cannot and should not be the employees’ consent (Article 6(1)(a)) due to the nature of the employer-employee relationship. However, this does not mean that employers can never rely on consent as a legal basis for processing. There may be situations in which the employer can demonstrate that consent is indeed freely given. Given the imbalance between an employer and its staff, employees may only give their consent freely in exceptional circumstances, and when there are no negative consequences if they do or do not give their consent. [...] Imbalances are not limited to public authorities and employees, they can also occur in other situations. As WP29 has emphasised in several opinions, ‘consent’ can only be valid if the data subject has a genuine choice and there is no deception, intimidation or coercion and the data subject is not at risk of significant negative consequences (for example, significant additional costs) if he or she does not give their consent. 8 See Recital 42 of the GDPR, the Guidelines on consent under Regulation 2016/679 dd. 28 November 2017 p. 15 and Article 7, paragraph 3, of the GDPR. Decision on the merits 114/2024 – 10/71 Consent is not free in cases where there is any element of coercion, pressure or inability to exercise free will”. 39. On this basis, the Dispute Resolution Chamber emphasises that in an employment relationship processing can only be based on consent in exceptional circumstances. It examines to what extent such a circumstance applies here. 40. On the basis of Article 7.1 of the GDPR, the controller must also be able to demonstrate that the data subject has given consent to the processing of his/her personal data. 41. The conditions of Article 7 of the GDPR also apply to the concept of consent in Article 9.2 of the GDPR. In order to meet the requirement of Article 9.2.a) GDPR for an exception to the prohibition of processing biometric data in Article 9.1 GDPR, in addition to the conditions imposed on consent by Article 7 GDPR, the data subject must give explicit consent. In other words, inferring consent from the fact that someone does not act or protest is not permitted. 42. In its response of 5 August 2022, the first defendant confirmed to the Inspection Service that previous versions of the employment regulations dating from before the version of June 2022 did not contain any provision regarding the biometric time registration system. There is therefore no informed consent. 43. The first defendant submits to the Dispute Resolution Chamber the welcome brochure that was provided to new employees upon initial employment as well as the employment regulations. These documents inform the employee about the time registration system. These documents were signed, but for receipt and not for approval. Although these documents provide the employees with some - brief - information about the time registration system, it cannot be concluded on the basis of this that there is unambiguous consent. 44. In addition, the first defendant has not demonstrated that there is a released consent. The welcome brochure states the following: "[y]our pay is based on your ticks, so don't forget this". In addition, article 32 of the employment regulations states that failure to comply with the rules regarding ticking can lead to the imposition of penalties. Based on the Inspection Report, the Dispute Resolution Chamber finds that fingerprint time registration is the only means of time registration in operation. This implies that if a data subject were to refuse to give his consent to fingerprint time registration, he would be exposed to sanctions as provided for in the employment regulations, since no alternative methods for time registration are provided for. On the contrary, the employment regulations even state that all 9 Guidelines on consent pursuant to Regulation 2016/679 of 28 November 2017, p. 23 Decision on the substance 114/2024 – 11/71 staff members are required to register their working time via Z, and that there is no other system for registering working time, which means that there is no freedom of choice on the part of the employees. Consequently, there are negative consequences associated with the employee's refusal to give his consent. The Dispute Resolution Chamber also notes that the complainant was initially employed as a temporary worker, which puts him in an even less favourable position to comment on the time registration system. 45. The first defendant is of the opinion that the employees gave their consent to the use of their fingerprints and that no one ever objected to it. The first defendant states that the badge system was experienced as inconvenient for employees and that she had only good intentions. Moreover, the employees could also indicate that they wanted an alternative method of time registration, as the first defendant argues. The first defendant is therefore of the opinion that the employees could have freely given their consent. 46. The Dispute Resolution Chamber does not follow this view. Given the dependency resulting from the relationship between employer and employee, it is unlikely that the employee can freely give his or her consent. In this context, the Dispute Resolution Chamber refers 10 to the EDPB Guidelines on consent, which state that there may be an imbalance of power in an employment context. Given that the relationship in question is an employer/employee relationship, it is unlikely that the person concerned, as an employee, can refuse his consent without fear or real risk of harmful consequences. The Dispute Resolution Chamber also notes that neither the welcome brochure nor the work regulations at the time of the complainant's employment mention that alternative methods of time registration can be requested. During the hearing, the first defendant nevertheless produces documents showing that the time registration system at issue was stopped following the findings of the Inspection Service. 47. Based on the following facts, the Dispute Chamber concludes that the first defendant has not demonstrated that its employees have given their express consent to the processing of their biometric data. The free, specific, informed and unambiguous expression of will has not been established. 48. The Dispute Resolution Chamber therefore concludes that the first defendant has breached the principle prohibition on processing special categories of personal data in the present case, since it cannot rely on Article 6.1.a) in conjunction with Article 9.2.a) of the GDPR for the disputed processing of special categories of personal data, namely time registration based on biometric data. Consequently, there is a 10https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. Decision on the substance 114/2024 – 12/71 breach of Article 9.1, in conjunction with Article 6.1.a) and Article 9.2.a) of the GDPR. The fact that the disputed processing operations were stopped following the findings of the Inspection Service does not prevent the historical infringement from being established. II.2. Principle of purpose limitation (Article 5.1, b) GDPR) with regard to the first defendant 49. To the extent necessary, the Dispute Resolution Chamber recalls that personal data may only be collected and processed for specific, explicitly defined and legitimate purposes. If the data are subsequently used for another purpose, that new purpose must be compatible with the original purpose of collection. The principle of purpose limitation therefore has two elements: a. the purposes for which personal data are processed must be specific, explicitly defined and legitimate; and b. when personal data are collected, they may not be further processed in a manner that is incompatible with those purposes. In this way, the principle of purpose limitation ensures that limits are set for the use of personal data, taking into account the reasonable expectations of the data subjects and the fact that further use for purposes other than those for which the data were initially collected may also be useful. 50. During the Inspection investigation, the first defendant referred to four purposes: - registration of working hours so that pay slips can be drawn up; - prevention of fraud in time registration; - security reasons, including knowing at all times how many people are present at the production site in the event of a fire or in the event of checking the change of successive shifts; and - checking access to the employer's building. 51. The Inspection Service notes that the fourth purpose (access control to the building) is not found in any other document and that the first defendant's letter shows that processing for this purpose had not yet been realised. This therefore concerns potential further processing, the purpose of which, pursuant to Article 5.1.b) and Article 6.4 GDPR, may not be incompatible with the original purposes. The Inspection Service concludes that processing for access control purposes will only be possible in very limited cases, given that it concerns biometric data, and points out that the initial collection was already unlawful. The Inspection Service refers to the work regulations (version June 2022) in which reference is made in two places to the same three purposes as in the first defendant's answer: time registration (including payroll administration), combating fraud and security. However, in the processing register, Decision on the merits 114/2024 – 13/71 only one purpose can be found, namely time registration. In the welcome brochure, the Inspection Service finds two purposes, namely time registration and security reasons. The Inspection Service argues that the purpose of combating fraud is missing from the welcome brochure. This is important for the Inspection Service because this is the only document that the first defendant can demonstrate was brought to the attention of the complainant prior to processing. The Inspection Service therefore finds that the condition of collection for ‘specific, explicitly described and legitimate purposes’ has not been met. 52. Finally, the Inspection Service concludes that no purpose meets the condition of legitimacy as set out in Article 5.1.b) GDPR. Since the initial processing was unlawful, any purpose for which the data is collected is unlawful. Consequently, the Inspection Report also states that the purposes cited by the first defendant are not justified in all cases, and in some cases are also not specific and clearly described. 53. The first defendant argues that it has taken this conclusion into account and that it intends to follow it. It therefore immediately suspended all future projects relating to the biometric security of its business site. 54. The Dispute Chamber examines below whether the principle of purpose limitation has been met. A specific purpose 55. As already stated, a purpose must be specific, which means that the processing purpose must be determined before the data are obtained. In accordance with Article 13.1 GDPR, the controller must, in the event of obtaining personal data from the data subject, communicate the processing purpose when obtaining it. Consequently, only the two purposes “time registration” and “security of the business site” meet this condition, since they were communicated to the complainant in the welcome brochure. An explicit, well-defined purpose 56. The purposes can be expressed in different ways, such as a 12 description of the purposes in a notification to the data subjects. The Litigation Chamber states that communicating the purposes in the welcome brochure can meet this condition. In addition, the Litigation Chamber states that the average citizen understands what the purposes of “time registration” and “security of the company site” entail. 1https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203 en.pdf, p. 17. 1https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203 en.pdf, p. 18. Decision on the substance 114/2024 – 14/71 A legitimate purpose 57. The personal data must be obtained or collected for legitimate purposes. In order for the purposes to be legitimate, the processing must be based - at all different stages and at all times - on at least one of the legal grounds referred to in Article 6. 13 Since it has already been established in section II.1 that the processing is not lawful, there is also no legitimate purpose. 58. In view of the above, the Litigation Chamber finds that there is an infringement of Article 5.1.b) GDPR. II.3. Principle of data minimisation (Article 5.1.c) GDPR with respect to the first defendant 59. The principle of data minimisation as set out in Article 5.1.c) GDPR states that the personal data processed must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It follows that personal data may only be processed if the purpose of the processing cannot reasonably be achieved in another way. The processing must be proportionate to the intended purpose. 60. The Inspectorate notes that the first defendant cannot produce any internal document or evidence of deliberation or decision-making that demonstrates the performance of a proportionality test. The Inspection Service therefore concludes that the first defendant failed to investigate whether the objective pursued could not reasonably have been achieved in another way, such as by means of multi-factor authentication. 61. With regard to the purpose of "combating fraud", the Inspection Service finds that the time registration system is not proportionate to the fraud incident that led to the introduction of the system at issue. That incident involved an employee who had left work prematurely and had wrongly signed for the end of the day in the paper attendance register. The Inspection Service argues that a less drastic control system would also have been sufficient to detect and prevent such fraud incidents. 62. As regards the purpose of “staff safety”, namely the assurance that the machines are systematically monitored by an employee, the Inspection Service sees no clear link between the stated purpose and the means (the contested time registration) since the presence of an employee on the company site does not 13https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203 en.pdf, p. 19. Decision on the substance 114/2024 – 15/71 equivalent to the systematic manning of a particular machine, especially since tapping out for breaks is not necessary according to the welcome brochure. In the sense that fire safety must also be included under the objective of "safety of personnel", the Inspection Service does understand the importance of a correct attendance register. However, the Inspection Service points out that in the event of an evacuation it is especially important to know how many people are present in the building and, in subordinate order, their identity. 63. In its conclusions, the first defendant undertakes to immediately stop the time registration system based on biometric data. The first defendant explains that its customers are demanding in terms of security, which is why they require it to obtain a whole series of certifications, which are subject to numerous conditions regarding security. To this end, the first defendant produces two documents. It argues that the environment in which it has to operate is very restrictive and that this has led it to work with the time registration system at issue. 64. The Litigation Chamber recalls that when assessing the need to use sensitive personal data, such as biometric data, to keep working time records, consideration should be given to the means available that achieve the same objective with less intrusion into the privacy of employees. It can be assumed that employers have a wide range of means at their disposal for signing employees in and out of a payroll system that is not based on biometric or other sensitive personal information. Examples include time clocks, staff cards and access codes. Furthermore, the above-mentioned means can be combined with a so-called random check or inspection body at the entrance to the workplace. The Litigation Chamber understands that the first defendant must meet high requirements from its customers, but at the same time considers that the processing of special personal data is not necessary for achieving the purposes of the first defendant - namely time registration, combating fraud or staff safety - and that these purposes can be achieved by other, less stringent measures that do not require the systematic processing of employees' biometric data. 65. The Litigation Chamber emphasises that the use of biometric information to uniquely identify a person is generally subject to very strict restrictions. This is particularly relevant where other, less stringent measures are not sufficient and may be relevant where the processing is intended for the purpose of controlling access to certain areas of the workplace for special safety considerations, such as the handling of foodstuffs or dangerous substances Decision on the substance 114/2024 - 16/71 (Article 9.2.g) GDPR). Such circumstances are not at issue in the present case. Consequently, the Dispute Resolution Chamber finds that there is an infringement of Articles 5.1.c) GDPR. II.4. Principle of storage limitation (Article 5.1.e) GDPR) with regard to the first defendant 66. According to Article 5.1.e) GDPR, personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". In concrete terms, this means that once the purpose of the processing has been fulfilled, or when the legal basis ceases to exist (for example, due to the withdrawal of consent by the data subjects or the loss of the substantial public interest), the biometric data in question must be deleted. However, this does not preclude the data from being retained for a longer period pursuant to a legal obligation or when these data are necessary in the context of legal proceedings. 67. The GBA Knowledge Centre points out that the raw biometric data collected during the first collection phase of a biometric system (registration phase) must in principle be deleted immediately once the biometric template has been created. In addition, the data collected during the second collection phase may not be kept longer than the time required to compare the collected data with the reference information. 14 68. As regards the principle of storage limitation, the Inspection Service does not receive any reference to the retention period of the first defendant. From Annex 10 to the employment regulations (version June 2022) and from the processing register, the Inspection Service infers that the data are kept for as long as the employment relationship lasts. However, these documents do not distinguish between the raw biometric data and the templates derived from them. Based on its investigation, the Inspection Service concludes that the retention periods of the raw biometric data appear to correspond to the principles set out by the Knowledge Centre of the GBA. The Inspection Service states that further investigation is not proportionate, since the processing at issue has already been shown to be unlawful on several points. 69. The Dispute Chamber notes that the Inspection Service has not established any infringement in this regard and sees no reason to take a different position in this regard. The Dispute Chamber therefore finds that there is no infringement of Article 5.1.e) GDPR. 14 Recommendation on the processing of biometric data, p. 35, available at https://www.gegevensbeschermingsautoriteit.be/publications/aanbeveling-nr.01-2021-van-1-december-2021.pdf. Decision on the merits 114/2024 – 17/71 II.5. Information obligations (Article 5.1.a) in conjunction with Articles 12.1 and 13 GDPR) with regard to the first defendant 70. During its investigation, the Inspection Service establishes that the information requirements under Article 12.1 and Article 13 GDPR, which require that the information must be provided to the data subjects when the personal data were obtained, have not been met. 71. Based on Articles 12.1, 13.1 and 13.2 of the GDPR, it is necessary that the first defendant, as controller, provides the data subjects with concise, transparent and comprehensible information about the personal data that are processed. The aforementioned transparency obligations are a concretisation of the general transparency obligation of Article 5.1.a) of the GDPR. The Dispute Chamber will investigate whether the first defendant has complied with its information obligations. 72. The Dispute Chamber reads in the Inspection Report that the Inspection Service concludes that there has been a violation of Articles 12.1 and 13 of the GDPR, since the welcome brochure, the only document containing information on the processing at issue that was provided to the complainant upon entering into employment, did not contain all the information required by the GDPR. Article 13 of the GDPR stipulates which information the controller must provide to the data subject when this data is collected from that person, and this when obtaining the personal data. From the welcome brochure, the Inspection Service can only derive the following information for the data subject: the category of processed personal data, one of the purposes of the time registration explicitly (i.e. time registration via fingerprint) and one purpose implicitly (i.e. the safety of the staff). During a second inquiry in this regard, the first defendant did not provide any new elements. 73. According to the findings of the Inspection Service, the work regulations (version 2020), which were provided to the complainant upon his entry into service, referred only to the use of “electronic recording devices” for the measurement and control of work and it only contains the following reference to data protection law: “The law on the protection of privacy of 8 December 1992 and/or the General Data Protection Regulation (GDPR) will be respected when processing personal data”. 74. According to the Inspectorate, the above information provision did not meet the information obligations under Articles 12.1 and 13 GDPR. The first defendant argues in her conclusions that, as soon as the inspection investigation was underway, she immediately took stock of the obligations she had to meet. That is why she started to adjust her work rules; she will continue to correct them. 75. The Dispute Chamber will assess whether the information obligations under Article 13 GDPR in conjunction with Article 12.1 GDPR have been met. After examining the Decision on the merits 114/2024 – 18/71 conclusions submitted by the first defendant and the accompanying documents, the Dispute Chamber notes that the first defendant has indeed taken steps in this regard. This is evident from the fact that, with her conclusions, she submitted work regulations that were amended in 2022. In view of the Inspection Report, the Dispute Chamber finds that, at the time the complainant entered into employment, the welcome brochure was the only source of information for the employees, until the employment regulations were amended in June 2022 (hereinafter: "employment regulations (version 2022)"). The Dispute Chamber will therefore first discuss the welcome brochure as it was applicable at the time the complainant entered into employment and then the employment regulations (version 2022), including in terms of the disputed time registration system. Welcome brochure 76. The welcome brochure provides the following information about the disputed processing: "We use a time registration system via fingerprint. After the welcome moment, you will be registered and then the intention is to type in and out at the start and end of your shift. We have a short shift handover, so you need to be typed in at least 5 minutes before the start. Your pay is based on your types, so don't forget this. During your break, you should not type out or in, except when you leave the premises. This is for safety reasons." 77. With regard to the mention of the identity of the controller in the welcome brochure, the Dispute Chamber finds that the identity of the first defendant as employer is implicitly put forward as the controller, although the Dispute Chamber notes that it is advisable to explicitly mention this. The Dispute Chamber further finds that the welcome brochure does not meet other information obligations. With regard to, among other things, the retention periods (Article 13.2.e) GDPR), purposes and legal basis (Article 13.1.c) GDPR), the Dispute Chamber finds that these were not (adequately) included in the welcome brochure. Since the first defendant – albeit unlawfully – relies on consent based on Article 6.1.a) and Article 9.2.a) GDPR, the data subjects should also have been informed that they had the right to withdraw their consent (Article 13.2.c) GDPR). As regards the mention of the possibility to file a complaint with the GBA (Article 13.2.d) GDPR), the Dispute Resolution Chamber finds that this is also not mentioned in the welcome brochure. 78. In view of the above, the Dispute Resolution Chamber concludes that the welcome brochure does not meet the information obligations as prescribed by Article 13 GDPR and that the information included in the welcome brochure is not included in a transparent and comprehensible manner as stipulated in Article 12.1 GDPR. Decision on the merits 114/2024 – 19/71 Employment regulations (version 2022) 79. The first defendant argues that it has already taken steps to comply with its information obligations by amending the employment regulations. The Dispute Chamber notes that the employment regulations (version 2022) contain an appendix 10 called “GDPR and privacy policy for employees”. 80. In the employment regulations (version 2022), the Dispute Chamber notes the following with regard to information obligations regarding the processing of biometric data. 81. As regards the purposes of and the legal basis for the processing (Article 13.1.c) GDPR), the Dispute Chamber finds that the employment regulations (version 2022) stipulate that the biometric data and time registration information via fingerprints are processed on the basis of Article 6.1.f) GDPR, namely "the processing is necessary for the pursuit of the legitimate interests of [first defendant], including (i) the protection of the company by means of a solid time registration system, (ii) ensuring the safety of the staff, (iii) controlling and facilitating access to the premises. As regards the lawfulness of the processing basis and the applicable legal basis, the Dispute Chamber refers to section II.1. Furthermore, the Dispute Chamber finds that the employment regulations (version 2022) comply with the information obligations under Article 13 GDPR. The information is also presented schematically, making it accessible to the data subject in a concise, transparent and understandable manner (Article 12.1 GDPR). 82. Based on the above, the Dispute Resolution Chamber finds that the first defendant has infringed Article 12.1 GDPR in conjunction with Articles 13.1.c), 13.2.c), d) and e) GDPR for the lack of transparency in the welcome brochure and Article 12.1 GDPR in conjunction with Article 13.1.c) as regards the work regulations (2022) from the entry into force of the contested time registration system until its discontinuation in December 2022. The fact that the infringements of Article 13.2.c), d) and e) have been remedied does not prevent the Dispute Resolution Chamber from establishing a historical infringement. II.6. Article 12.1 and Article 15 GDPR (right of access) with regard to the first defendant Findings in the Inspection Report 83. In the Inspection Report, the Inspection Service concludes that there has been a violation of Article 5.1.a) in conjunction with Article 12.1 and Article 15 GDPR concerning the right of access. The Inspection Service notes that the complainant has exercised his right of access in writing on two occasions. The first time by email on 21 February 2022, the second time by registered letter dated. March 31, 2022. During the Inspection investigation, the first defendant argues that she responded orally to the first request during a Decision on the merits 114/2024 – 20/71 meeting with the union representative on March 15, 2022. From the e-mail correspondence between the union secretary and the first defendant, with the complainant in copy, the Inspection Service can infer that the requested information was part of the agenda of this meeting and that the initiative for the meeting came from the complainant via his union representative. Since the initiative came (indirectly) from the complainant, the Inspection Service considers that, pursuant to Article 12.1 in fine GDPR, the first defendant could legally comply with the request orally. In view of the power of representation of the trade union delegation established in Belgium by the interprofessional collective labour agreement 15 and prior communication via the trade union secretary in question, the first defendant could reasonably assume, according to the Inspection Service, that the request for inspection could be fulfilled orally via the trade union secretary. The Inspection Service therefore concludes that the first defendant makes it plausible that it responded to the first request for inspection of 21 February 2022 within the period set in Article 12.3 GDPR. 84. In the second request for inspection dated 31 March 2022, the complainant repeats his initial question and requests the first defendant to respond in writing. This answer follows by registered letter on 20 April 2022. The Inspection Service states that certain questions from the complainant related to information elements included in Article 13 GDPR and not in Article 15 GDPR. Since the first defendant had not complied with the information obligation under Article 13 GDPR (at the time of exercising the right of access), the Inspection Service concludes that the first defendant should also have answered these questions. According to the Inspection Service, the first defendant's answer is incomplete on the following points: - Only 2 of the 3 processing purposes are mentioned. The purpose of combating fraud is missing (Article 15.1.a) GDPR). - The complainant asked whether he could refuse his consent for the processing and also stated that he had never given this consent voluntarily. The answer of the first defendant does not address this question, but merely refers to the fact that the consent was validly granted according to the first defendant and that the data has been deleted in the meantime (since the termination of employment). If, according to the first defendant, consent was the applicable legal basis for the processing, it should have informed the complainant, pursuant to Article 13.2.c) GDPR, that this consent could always be withdrawn. 15See CBA no. 5/1. 5.10.2022 Collective Labour Agreement No. 5 of 24 May 1971 on the status of trade union delegations of the staff of undertakings, amended and supplemented by collective labour agreements No. 5a of 30 June 1971, No. 5 of 21 December 1978 and No. 5quater of 5 October 2011. Decision on the substance 114/2024 – 21/71 - If, according to the first defendant, consent was not the applicable legal basis, the response should have specified, pursuant to Article 13.1.c) GDPR, on which legal basis the processing was based. - Depending on the legal basis provided (as explained above, the first defendant relies on several legal grounds at the same time), it should then have respectively stated on which legitimate interests the processing was based (Article 13.1.d) GDPR) and that the complainant had a right to object to the processing (Article 15.1.e) GDPR) or – if the first defendant relies on a legal obligation – that a refusal or objection was not possible because the processing was necessary for the performance of a legal obligation of the first defendant. 85. The Inspection Service notes that the obligation on the part of the first defendant to respond in a complete and correct manner to the request for access has continued to exist despite the fact that between the complainant's initial request dated 21 February 2022 and the response dated April 20, 2022 the processing was stopped (due to the dismissal of the complainant). The Inspection Service could not verify what additional or deviating information was provided orally during the meeting of March 15, 2022 via the union secretary. Position of the first defendant 86. In her conclusions, the first defendant reiterates the request for inspection dated February 21, 2022. The first defendant infers the following questions from the complainant from this: (i) The policy on who has access to the admin section of the time clock; (ii) The possibility to refuse the use of the biometric system; (iii) The disappearance of this administrative access and the person responsible on the outgoing service; (iv) The retention period and the retention modalities; and (v) The security of the data. 87. According to the first defendant, the first two questions were no longer relevant at the time of the second letter dated 31 March 2022, since the complainant was dismissed on 24 February 2022. However, question (i) was answered orally and in writing. With regard to question (ii), the first defendant states that it has not been demonstrated that the complainant would not have had the right to opt for a different time registration system, since the complainant was dismissed on 24 February 2022. The complainant was the only employee who complained that he did not consent to having his fingerprints taken. Consequently, it cannot be assumed that the first defendant would have refused such an alternative Decision on the merits 114/2024 – 22/71 if the complainant had remained on the payroll. The first defendant points out that no other employee made any comments about the biometric system at the time it was introduced in the new employment regulations (version 2022). 88. With regard to question (iii), the first defendant confirms that it was answered orally - during the meeting of 15 March 2022 with the trade union representative - that the complainant would not run any risk. After all, the first defendant no longer had the complainant's biometric data at his disposal. This was also confirmed in writing. 89. According to the first defendant, question (iv) was no longer relevant since the data had already been removed from the system at the time of the response to the right of access. The first defendant points out that the applicant was dismissed 3 days after exercising his right of access. At the same time and since 3 February 2022, he is represented by the trade union representative who confirms an appointment on 15 March 2022 to discuss these specific issues in particular. Question (v) was also, according to the first defendant, no longer relevant. Since his personal data had already been deleted, the complainant would no longer be at risk in this regard. 90. The first defendant therefore concludes that it cannot be blamed for not having answered the complainant's requests of 21 February 2022 and 31 March 2022 insofar as the exercise of this right no longer has a legitimate interest. The complainant's personal data were deleted and he knew this or should reasonably have known this, given the meeting of 15 March 2022. Assessment by the Dispute Chamber 91. In accordance with the Inspection Report, the Dispute Chamber establishes that the complainant exercised his right to access the data for the first time on 21 February 2022. The file contains e-mail correspondence from which the Dispute Chamber, in accordance with the findings of the Inspection Service, can infer that a meeting took place on 15 March 2022 during which an answer was provided to the complainant's questions. However, the complainant himself was not present at these meetings but was represented by the trade union representative, as is also stated by the trade union representative himself. In its Guidelines 01/2022 on the rights of 16 data subjects — Right of access, the European Data Protection Board (hereinafter: EDPB) states that the right of access is usually exercised by the data subject himself, but it is 16 EDPB, Guidelines 01/2022 on the rights of data subjects — Right of access v2.0, 17 April 2023, https://www.edpb.europa.eu/system/files/2023-04/edpb guidelines 202201 data subject rights access v2 en.pdf. At the time of the complainant’s request for access, the first version applicable was the one available at https://www.edpb.europa.eu/system/files/2022-01/edpb guidelines 012022 right-of-access 0.pdf. Decision on the merits 114/2024 – 23/71 not ruled out that the request may be exercised in the name of the person concerned. Since such power of representation is not regulated in the GDPR, the applicable national rules must be considered, in this case the applicable Belgian collective agreements as explained by the Inspection Service in the inspection report. These rules allow the trade union representative to represent the complainant in exercising the right of access. Given the e-mails dated 28 February 2022 and 2 March 2022 from the trade union representative to the first defendant, the first defendant could legitimately assume that the latter would represent the complainant during the meeting dated 15 March 2022. During this meeting, the system of time registration via biometric data would also be discussed. In the e-mail dated 28 February 2022, the trade union representative indicated that the complainant would like more clarity about the rights he has as an employee and about the functioning of the biometric system. 92. Also in the aforementioned Guidelines 1/2022, the EDPB discusses the manner in which access to personal data should be granted. This should mainly be done by means of a copy of the data, but other modalities, such as oral information may suffice if the data subject requests this. Since the proposal for a interview came from the trade union representative, the first defendant may lawfully provide the requested information orally and therefore lawfully answer the request for access. 93. In view of the above, the first defendant may lawfully assume that the trade union representative, as the complainant's representative, received the information provided by the first defendant during the interview dd. 15 March 2022 to the complainant. 94. In view of the above and in line with the findings of the Inspection Service, the Dispute Chamber concludes that the first respondent lawfully responded to the complainant's right of access, which took place in the manner requested by the complainant's representative. 95. The Dispute Chamber points out that the aforementioned conversation between the first respondent and the complainant's representative took place on 15 March 2022. 96. On 31 March 2022, the complainant exercised his right of access a second time. In this statement, the complainant states that the first respondent had not responded substantively to his email dated 21 February 2022. The failure to respond would have caused the complainant to file the present complaint with the GBA. 97. The Dispute Chamber recalls that the right to access is not absolute. Article 12.5 GDPR states that if requests from a data subject are manifestly unfounded or excessive, in particular Decision on the merits 114/2024 – 24/71 because of their repetitive nature, the controller may either charge a reasonable fee or refuse to comply with the request. As also stipulated in recital 63 of the GDPR, the data subject may exercise his right to access easily and at reasonable intervals. The EDPB identifies four criteria by which a controller may determine whether an exercise of the right of access is excessive: (i) How often the personal data are changed; (ii) The nature of the personal data; (iii) The purpose of the processing, including whether or not the processing has negative consequences for the complainant; (iv) Whether the successive requests concern the same requested information or the same processing, or different ones. 98. In applying the above criteria to the above case, the Dispute Chamber arrives at the following findings. As regards the first criterion, the Dispute Chamber notes that the biometric data are specific to the data subject and are therefore not changed. The sampling times that were carried out on the basis of the fingerprints no longer change and are also no longer supplemented, given the dismissal of the complainant on 24 February 2022. The nature of the personal data, being biometric data, is more sensitive, which may shorten the duration of the above-mentioned “reasonable period”. The purpose of the processing, i.e. the third criterion, is the safety of the staff, time registration for the purpose of calculating wages and the prevention of needle fraud, although this purpose is not always mentioned by the first defendant. These purposes in themselves are not such that they have a negative impact on the data data subject. Moreover, the request dated 31 March 2022 concerns the same information as the information provided on 15 March 2022 as a result of the exercise of the right of access dated 21 February 2022 by the complainant. 99. The Dispute Chamber notes that the Inspection Service stated that the dismissal of the complainant dated 24 February 2022 does not prevent the first defendant from having to respond to the request for access in a complete and correct manner. The Dispute Chamber recalls that the controller must indeed respond in a complete manner; However, if the complainant’s request was limited to a specific processing, the information provided by the controller may also be limited to that specific processing. 17 Since the complainant, through the trade union representative as his representative, limited the request to the 17EDPB, Guidelines 1/2022 on data subject rights, right of access, dd. 18 January 2022, para 35. Available at https://edpb.europa.eu/system/files/2022-01/edpb guidelines 012022 right-of-access 0.pdf. Decision on the substance 114/2024 – 25/71 system of time registration via biometric personal data and the related aspects such as the retention period and the security of these personal data, the Litigation Chamber considers that the information provided by the controller may be limited to this specific processing. 100. As regards the first defendant's position that she no longer had to answer questions 4 and 5 of the complainant because the personal data had already been deleted, the Dispute Resolution Chamber recalls that the right of access is the "gateway" that enables the exercise of other rights granted to the data subject by the GDPR, such as the right to rectification, the right to erasure and the right to restriction of processing. 18The reasoning that certain information no longer needs to be communicated for the past, for example because the data has been erased, cannot be followed. This would prevent the exercise of these rights from being effective. Given that the personal data had recently been deleted before the dismissal and that the system of time registration via fingerprint was still in force at the time of the requests for access, the Disputes Chamber is of the opinion that it did not require any unreasonable efforts from the first defendant to answer questions 4 and 5 of the second request for access. In addition, the Disputes Chamber also points out that, although Article 15 GDPR does not stipulate that information must be provided about the security measures in the context of a request for access, this does not mean that no answer must be given to the right of access. After all, the first defendant could provide information about the security measures to the complainant in a more general manner. 101. In view of the above, the Disputes Chamber finds that the first defendant has lawfully complied with the request for access from the complainant with regard to the first request for access dated 21 February 2022 and to questions 1 to 3. 3 of the second request for inspection dated 31 March 2022. However, the Disputes Chamber finds that the first defendant has not adequately answered questions 4 and 5 of the second request for inspection dated 31 March 2022, which means that there is a violation of Article 12.1 in conjunction with Article 15.1.d) GDPR. II.7. Article 28.1 GDPR with respect to the first defendant 102. In accordance with Article 28.1 GDPR and recital 81 of the GDPR, the first defendant, as controller, has the obligation to “rely exclusively on 18 See recentlyCJEU,12 January 2023, ÖsterreichischePostAG, C-154/21, ECLI:EU:C:2023:3, para 38, but alsoCJEU, 17 July 2014, YS et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16, EU:C:2017:994, para 57, see also decision 15/2021 dd. 9 February 2021, para 141, and decision 41/2020 dd. 29 July 2020, para 47 19CJEU dd. 9 May 2009, Rijkeboer, C-553/07, ECLI:EU:C:2009:293, para 54. Decision on the merits 114/2024 – 26/71 processors who provide sufficient guarantees regarding the application of appropriate technical and organisational measures”. 103. The Inspection Service finds that the first defendant has not complied with the due diligence obligation, namely to assess the suitability of the technical and organisational measures taken by the second defendant. The Inspection Service states that the first defendant only received the sales brochure concerning the time registration system from the second defendant in the phase preceding the contractual relationship. However, the technical information in this document regarding the security is scarce and nothing is added to the summary information from the processing agreement. The only element that was not included in the processing agreement but that does appear in the brochure is the clarification that the encryption when sending data from the terminal to the server is carried out according to the HTTPS protocol, according to the Inspection Report. 104. Following the first letter from the Inspection Service to the first defendant, the first defendant requested additional information from the second defendant in order to demonstrate that the applied security level was adequate. The Inspection Service notes that this documentation should have been requested prior to the processing and not at the time when an inspection by the Inspection Service is announced. The Inspection Service points out that both the first and second defendants confirm that such an exchange of documentation did not take place earlier. Consequently, the Inspection Service concludes that the first controller cannot demonstrate that it has actually satisfied itself of the guarantees offered by the processor regarding organisational and technical measures that are adapted to the risks associated with the processing of biometric personal data at issue, which constitutes a violation of Article 28.1 GDPR. II.7.1. Position of the first defendant 105. The first defendant disputes the finding that insufficient security measures were taken. It has engaged an expert in the matter and has received sufficient documentation to convince itself of the seriousness of the second defendant as a supplier. It claims that an annex to the processing agreement was mistakenly not submitted. This annex forms part of the processing agreement concluded between the parties and contains very specific guarantees concerning the security of the processing. Consequently, the content of the processing agreement is not limited to a simple description of the general security measures of the second defendant, but is in fact detailed about what is actually carried out. The categories of data are displayed on the application, based on the information previously provided to the Inspection Service Decision on the merits 114/2024 – 27/71 . The first defendant has indeed made a choice from the various options offered by the second defendant. There is thus no violation of Article 28, paragraph 1 GDPR. 106. In addition, during the inspection investigation, the second defendant submitted documentation that has been in the possession of the first defendant since the processing agreement was concluded. These documents were submitted because they were the subject of an exchange between the parties, which would show that the first defendant had carried out due diligence. The first defendant argues that the evidence of the Inspection Service does not clearly show that the security documents were only transferred at the end of the Inspection investigation and not prior to the data processing. Furthermore, the first defendant argues that the Inspection Service does not demonstrate that the only document relating to the contractual documentation is the “sales brochure”. The first defendant notes that the Inspection Service did not take note of the first defendant’s full response. In its response, the first defendant had indicated that the commercial manager of the first defendant is no longer employed by the company. II.7.2. Assessment by the Dispute Resolution Chamber 107. The controller has the obligation to use "only processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures", so that the processing meets the requirements of the GDPR - including the security of the processing - and also guarantees the protection of the rights of the data subject. 20The controller is therefore responsible for assessing the measures taken by the processor and must be able to demonstrate that it has taken all the elements mentioned seriously into account for the purposes of the GDPR, the so-called due diligence obligation. This will usually entail an exchange of documents, such as the privacy policy, the general terms and conditions and the register of processing activities. 108. The above assessment must be made by the controller on a case-by-case basis and will depend largely on the type of processing entrusted to the processor, taking into account the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons. 109. The following elements must be taken into account by the controller in assessing the safeguards: the expertise of the processor (e.g. technical expertise regarding security measures and breaches of 20Article 28, paragraph 1 GDPR and Recital 81 GDPR. Decision on the substance 114/2024 – 28/71 21 data), the reliability of the processor, and the resources of the processor. The reputation of the processor on the market may also be a relevant factor for the controller to take into consideration. Furthermore, the adherence to an approved code of conduct or certification mechanism can be used as an element to demonstrate sufficient guarantees. 110. The obligation contained in Article 28.1 GDPR to only use processors that "provide sufficient guarantees" is a permanent obligation. It does not end when the controller and the processor conclude a contract or other legal act. Rather, the controller must verify the processor's guarantees at appropriate intervals, including through audits and inspections where necessary. 111. The Dispute Chamber finds that the processing agreement consists of three parts, as indicated in the conclusions of the second defendant, the main agreement itself with 2 annexes (Enclosure 1 and Enclosure 2). Annex 2 to the main agreement included 2 annexes, namely the Z IT Guide, and a document called “data processing agreement”. As also indicated by the second defendant, the Dispute Chamber notes that the Z IT Guide was missing from the file of the Inspection Service, which meant that it was not taken into account during the investigation. 112. The Dispute Chamber is of the opinion that the description of these security measures enables the first defendant to carry out the necessary due diligence regarding the expertise of the second defendant as a processor. Both the first defendant and the second defendant indicate that there have been various exchanges between both parties prior to concluding the processing agreement, but that the persons involved are no longer employed in the companies. Consequently, no more information can be provided about these exchanges. To the extent necessary, the Dispute Chamber notes that, in the context of the accountability obligation, such exchanges should ideally be documented so that clarity is provided in this regard, even after the departure of the persons involved. 113. In view of the above, the Dispute Chamber finds that the documents submitted, including the processing agreement with annexes, show that the first defendant was able to make the necessary efforts to assess the adequacy of the second defendant as a processor. Consequently, there is no infringement of Article 28.1 GDPR. II.8. Article 32 GDPR with regard to the first defendant 2Recital 81 GDPR. 22Article 28, paragraph 3, h) GDPR. Decision on the merits 114/2024 – 29/71 II.8.1. Findings in the Inspection Report 114. During its investigation, the Inspection Service establishes that there has been an infringement of Article 32 GDPR by the first defendant as controller. 115. Article 5.1.f) GDPR stipulates that “[personal data] shall be processed, using appropriate technical or organisational measures, in such a way that they are protected, inter alia, against unauthorised or unlawful processing and against accidental loss, destruction or damage”. 116. Further elaborating on Article 5.1.f) GDPR, Article 32.1 GDPR states that the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This must take into account the state of the art, the costs of implementation, as well as the nature, scope, context, purposes of the processing and the likelihood and severity of the various risks to the rights and freedoms of individuals. 117. Article 32.1 GDPR also stipulates that when assessing the appropriate level of security, account must be taken of the risks posed to the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 118. The Inspection Service states that the first defendant cannot demonstrate that it has any written information security policy or procedures concerning the protection of personal data. Annex 10 to the employment regulations version 2022 was not provided for in the version of the employment regulations that applied at the time of the processing in question and was drawn up after the first contact with the Inspection Service. The security measures included therein are also, according to the Inspection Service, insufficiently specific to give the Inspection Service any indication of their appropriateness. 119. The register of processing activities that was also drawn up after the first contact with the Inspection Service contains for the processing in question only the description that “only HR has access to this data. The personnel files are secured on the server and are physically stored in a locked cabinet to which only HR has a key. The time registration is processed on a separate computer to which only HR has access”. In a second letter from the Inspection Service to the first defendant, clarification was requested a second time on the implemented technical and organizational information security measures. A second piece of evidence was provided by the first defendant, but the Inspection Service found that this piece of evidence only shows that the software of the second defendant allows the level of access within the first defendant to be refined on the basis of different roles. The Inspection Service cannot determine how access was specifically implemented within the first defendant, which means that an internal policy on logical access management to the data of the time registration system is not demonstrated. The Inspection Service adds that a general information security policy is in any case lacking. Consequently, according to the Inspection Service, there is an infringement of Article 32 GDPR. II.8.2. Assessment by the Dispute Chamber 120. The first step in determining the appropriate level of security for the processing of personal data is to identify the risks of that processing and to weigh them up. On that basis, it must be determined which measures are necessary to provide sufficient security against these risks. The GDPR stipulates that when weighing the data security risks, the necessary attention must be paid to risks that may arise during the processing of personal data, such as unauthorised provision of or unauthorised access to processed data. When identifying and assessing the risks, the consequences that individuals may experience from unlawful processing of personal data are particularly relevant. The more sensitive the data is, or the context in which it is used poses a greater threat to personal privacy, the more stringent requirements are imposed on the security of personal data. 121. Based on the Inspection Report, the Dispute Chamber establishes that there was no general information security policy regarding the processing of biometric data. After initial contact with the Inspection Service, the first defendant adjusted its register of processing activities and included the security measures in it. 122. With regard to the technical measures, the Dispute Chamber establishes that the second defendant, as supplier of the system, provides the necessary encryption (ISO certified). Based on the Inspection Report, the Dispute Chamber establishes that various organizational measures have been taken, such as limiting the number of employees who have access to the personal data, limiting the access area in which the personal data were located, storing personal data on a server in a locked room and storing the paper personnel files in a locked room. 123. As regards the findings concerning the policy on the follow-up of the security measures, the Litigation Chamber points out that a distinction must be made between the security measures themselves and their documentation in the context of the accountability obligation. As regards the security measures themselves, the Decision on the substance 114/2024 – 31/71 Litigation Chamber finds that they meet the requirements of Article 32 GDPR. In view of the above, the Litigation Chamber finds no infringement of Article 32 GDPR. II.9. Data Protection Impact Assessment (Article 35 GDPR) with respect to the first defendant 124. In its Inspection Report, the Inspection Service concludes that it is unclear whether the first defendant claims that it did not have to carry out a Data Protection Impact Assessment (hereinafter: DPIA) because the processing was unlikely to entail a high risk within the meaning of Article 35.1 GDPR, or whether it carried out a DPIA that resulted in no high residual risk within the meaning of Article 36 GDPR. In both cases, the Inspection Service finds that the first defendant did not act in accordance with the GDPR. 125. The first defendant has not taken a position on this. 126. According to Article 35.1 GDPR, the controller shall, prior to processing, carry out an assessment of the impact of the intended processing operations on the protection of personal data where the processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. 127. As is apparent from point 6 of decision no. 01/2019, a DPIA must always be carried out when the processing uses biometric data for the purpose of uniquely identifying data subjects who are in a public space or in private spaces accessible to the public. However, the Knowledge Centre of the DPA emphasises in its recommendation that the processing of biometric data for purposes other than those expressly included in decision no. 01/2019 of the General Secretariat is also subject to the obligation to carry out a DPIA. Moreover, given the high inherent risk to the rights and freedoms of data subjects that the processing of biometric data implies, the failure to carry out a DPIA will only be justified in exceptional cases. 128. In accordance with Article 35 of the GDPR, a DPIA must be carried out when processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects. When assessing the necessity of a DPIA, various factors must be taken into account, such as the nature, scope, context and purposes of the processing, as well as the potential risks to the rights and freedoms of data subjects. 129. In order to provide a more concrete set of processing operations that require a DPIA on the grounds of their inherent high risk, taking into account the specific elements of Article 35.1, and Decision on the substance 114/2024 – 32/71 Article 35.3(a) to (c) GDPR, the list to be established at national level in accordance with Article 35.4 GDPR and recitals 71, 75 and 91, and other references in the GDPR to processing operations that are ‘likely to result in a high risk’, the Working Party29 has developed the following nine criteria that should be taken into account. 23 130. The Dispute Resolution Chamber considers that several of these criteria have been met, namely: - First criterion: evaluation including profiling and prediction, in particular of "characteristics concerning professional performance". This condition has been met since the registration of an employee's working hours is a characteristic concerning a professional performance. - Second criterion: automated decision-making with legal effect or a similar substantial effect. As already explained, there was no demonstrably offered alternative in terms of time registration available for the employees of the first defendants and no wages could be paid if there was no time registration by the employees. - Fourth criterion (sensitive data or data of a very personal nature). This concerns, among other things, the special categories of personal data as described in Article 9 GDPR, including biometric data used for the purpose of identification. - Fifth criterion (persons processed on a large scale). The GDPR does not contain a definition of the term “large-scale” but Group 29 recommends taking the following factors into account, including the number of data subjects, either as a specific number or as a part of the relevant population. In the present case, the time registration via fingerprint concerns all employees of the first defendant, which means that there may be a large-scale processing. - Seventh criterion: data relating to vulnerable data subjects. As stated, employees in this case are vulnerable data subjects because they are in a dependent relationship with the first defendant as their employer. 131. In most cases, a controller can assume that a DPIA must be carried out for a processing that meets two criteria, Group 29 states. As explained above, five of the proposed criteria have been met. The Litigation Chamber adds that the use of biometric data for the 23Working Group 29, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk’ for the purposes of Regulation 2016/679, adopted on 4 October 2017 (WP 248 rev. 01), p. 9 et seq. 24See WP29 Guidelines for Data Protection Officers 16/EN WP 243 Decision on the substance 114/2024 – 33/71 time registration of employees may entail significant risks to the privacy of the data subjects, such as the high risk of unauthorised access, hacking and identity theft. In view of the above, the Litigation Chamber finds that the first defendant should have carried out a DPIA, which constitutes an infringement of Article 35 GDPR. II.10.Transfer to third countries or international organisations (Chapter V GDPR) with regard to the first defendant II.10.1.Findings in the Inspection Report 132. The Inspection Service notes that the documents show that the servers used are only located on Belgian territory. The first defendant also states in its response and register of processing activities that no transfers take place. According to the response of the second defendant, templates cannot be extracted by the first defendant, which seems to exclude the risk of a possible forwarding of these files by the first defendant. Consequently, the Inspection Service concludes that there are no indications of any transfers of biometric data to third countries or international organisations. II.10.2. Assessment by the Dispute Resolution Chamber 133. As already stated, the Inspection Service has no indications regarding possible transfers of biometric data to third countries or international organisations. The Dispute Resolution Chamber has no indications to judge otherwise in this regard. Consequently, the Dispute Resolution Chamber finds that there has been no infringement of Chapter V of the GDPR. II.11. Register of processing activities (Article 30 GDPR) with regard to the first defendant II.11.1. Findings of the Inspection Service 134. The Inspection Service finds that the register of processing activities provided dates from after the first contact with the Inspection Service. The Inspection Service reaches this conclusion on the basis of the following elements. The register of processing activities mentions the e-mail address dataprotection@benepack.com as the contact address of the controller. However, this address was only created after the first contact with the Inspection Service. Since the first defendant indicates during the Inspection investigation that this is the only version of the register of processing activities, the Inspection Service concludes that the first defendant did not have a register of processing activities prior to the Inspection investigation. The Inspection Service finds that this constitutes an infringement of Article 30 GDPR, since the first defendant must maintain a register of processing activities at least with regard to the processing activities concerning its staff. After all, the processing activities cannot be considered incidental within the meaning of Article 30.5 GDPR. Furthermore, the first defendant processes special categories of personal data and criminal data, the Inspection Service finds. 135. Furthermore, according to the findings of the Inspection Service, the register of processing activities is defective on several points. The CEO and HR manager of the first defendant are proposed as data protection officers (Article 30.1.a) GDPR). The processing purposes in the register of processing activities differ in several respects from the processing purposes included for these processing operations in the employment regulations (version June 2022) (Article 30.1.b) GDPR). The ten categories of personal data appearing in the employment regulations (version June 2022) are not or not fully found in the processing register (Article 30.1.c) GDPR) and internal employees are proposed as processors, while, for example, the processor for the biometric time registration system remains unmentioned (Article 30.1.d) GDPR). II.11.2.Assessment by the Dispute Resolution Chamber 136. Under Article 30 GDPR, each controller must keep a register of the processing activities carried out under its responsibility. Article 30.1(a) - (g) GDPR provides that, with regard to the processing carried out in the capacity of controller, the following information must be available: a) the name and contact details of the controller and any joint controllers and, where applicable, of the controller's representative and the data protection officer; b) the purposes of the processing; c) a description of the categories of data subjects and of the categories of personal data; d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, the documentation on the appropriate safeguards; f) where possible, the envisaged periods within which the different categories of data must be erased; g) where possible, a general description of the technical and organisational security measures referred to in Article 32.1 GDPR. 137. As regards the name and contact details of the data controller (Article 30.1.a) GDPR), the Litigation Chamber, in accordance with the Inspection Report, finds that the register of processing activities does indeed include the details of the CEO and the HR manager with the Data Protection Officer. 138. With regard to the processing purposes (Article 30.1.b) GDPR), the Dispute Chamber finds that the purposes included in the register of processing activities do not correspond to the purposes included in the employment regulations (version June 2022). The register of processing activities states as the processing purpose for the fingerprint: "is registered for time registration. At the start and end of the working day, employees must enter and exit by fingerprint". The employment regulations (version June 2022) not only mention time registration, but also fraud prevention and safety of staff members. The Dispute Chamber also notes a discrepancy between the processing purposes with regard to camera surveillance. The register of processing activities prioritizes “safety and health”, while the work regulations (June 2022) prioritize “workplace control: to ensure the safety of all personnel, combating possible fraud, crimes and possible infringements by third parties; and protecting company assets” as processing purposes. 139. As regards the categories of personal data (Article 30.1.c) GDPR), the Dispute Chamber notes that the employment regulations list various categories of processed personal data that are not included in the register of processing activities. These are the following categories: contact details of any emergency contacts, (former and) current position of the data subjects at the first defendant, salary, bonus and benefits, company assets in the possession of the data subject (mobile phone, company car, laptop, etc.), information about the data subject in the context of performance management, learning and development, health at work and accidents at work, information provided by the data subject or about the data subject in the context of the internal whistleblowing procedure and, finally, information about certain violations, such as traffic accidents for which the data subject or the first defendant can be held liable. The categories of "image recordings by the use of surveillance cameras and information provided by or about the data subject in the context of pension accounts, pensions, hospitalisation insurance and other benefit information" are incompletely included in the register of processing activities. 140. Finally, the Dispute Resolution Chamber notes that the second defendant, in her capacity as a processor in the context of the biometric time registration system, is not listed as a recipient in the register of processing activities (Article 30.1.d) GDPR). 141. In order to be able to apply the obligations contained in the GDPR effectively, it is essential that the controller (and the processors) have an overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to help the controller comply with the GDPR for the various data processing operations that it carries out. The Dispute Chamber is of the opinion that the processing register is an essential instrument in the context of the accountability obligation already mentioned (Article 5.2 and Article 24.1 GDPR) and that this register forms the basis for all obligations that the GDPR imposes on the controller. It is therefore important that the register is complete and correct. 142. The Dispute Chamber finds that the processing register that was submitted by the first defendant is incomplete and partly incorrect, as established in the Inspection Report. In this context, the Dispute Resolution Chamber notes that, although the first defendant is currently taking steps to rectify these infringements, insufficient efforts have been made to update the processing register as provided for in Article 30 of the GDPR. The Dispute Resolution Chamber therefore finds that there has been an infringement of Article 30.1. a), b) c), d) of the GDPR. II.12. Accountability (Article 5.2 of the GDPR) of the first defendant 143. The Dispute Resolution Chamber recalls that every controller must comply with the fundamental principles of the protection of personal data as set out in Article 5.1 of the GDPR and must be able to demonstrate this. This follows from the accountability obligation in Article 5.2 of the GDPR in conjunction with Article 24.1 of the GDPR as confirmed by the Dispute Resolution Chamber. 25 144. Based on Articles 24 and 25 of the GDPR, the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR. In doing so, he must effectively implement the principles of data protection, protect the rights of the data data subjects. 25 Decision on the merits 34/2020 of 23 June 2020 available on the webpage https://www.gegevensbeschermingsautoriteit.be/professioneel/publicaties/besluiten. Decision on the merits 114/2024 – 37/71 and only process personal data that are necessary for each specific purpose of the processing. 145. In the context of its investigation, the Inspectorate assessed the extent to which the first defendant has taken the necessary technical and organizational measures to comply with these principles from Article 5.1 GDPR and in particular the principles of legality and transparency, purpose limitation, minimal data processing and storage limitation (see II.1-II.6). 146. Furthermore, the Dispute Chamber notes that the description of the security measures taken under section II.8 does not show how adequate supervision of these measures is organized, nor does it specify the extent to which the first defendant verifies whether the measures are effective and how frequently this is checked. Finally, no policy has been drawn up for the effective handling of information security incidents. The Litigation Chamber considers that the sensitive nature of the biometric data processed on a large scale by the first defendant should have prompted it earlier to better comply with the above-mentioned principles of the GDPR (including data security), in particular by anticipating the risks associated with such infringements. 147. It follows from the above that the installation and commissioning of the time registration system via biometric data indicates that the technical and organisational measures were not suitable to ensure compliance with the fundamental principles of the GDPR, and in particular the principles of lawfulness, purpose limitation, transparency and data minimisation. The first defendant, as controller, has not taken any or has taken insufficient appropriate measures to ensure and be able to demonstrate that the processing at issue was carried out in accordance with the GDPR, which results in a infringement of Article 5.2 GDPR. II.13.Article 28.3 GDPR with regard to the second defendant II.13.1.Findings in the Inspection Report 148. The Inspection Service notes in its report that the processing agreement between the first and second defendants does not meet the conditions of Article 28.3 GDPR, as it would only contain a description of the general security measures, and no detailed description focused on the high security requirements for the processing of biometric data. According to the Inspection Service, the processing agreement itself incorporates the statutory provisions from Article 32.1 GDPR and refers to the Annex for more details. According to the Inspection Service, this Annex B contains a concrete, but still brief and insufficient description focused on the specific nature of the data processed. This Decision on the merits 114/2024 – 38/71 generality and limited level of detail in Annex B, does not allow for clarity on, for example, the level of encryption applied to the raw or template-stored biometric data, the use of a verification function or identification function in the comparison phase of the biometric authentication process, the system used by the processor for the deletion and destruction of the biometric data after the retention period, and the precise modalities of the logical and physical access policy applied by the processor. 149. According to the Inspection Report, the processing agreement is also defective as regards the description of the nature and purpose of the processing and the type of personal data processed as prescribed in Article 28.3 GDPR. 150. As regards the nature and purpose of the processing, the Inspection Service establishes that it is impossible to verify this on the basis of the provisions of the processing agreement. The only purpose that can be inferred is the performance of the service contract between the two defendants. The Inspection Service can at most infer from the service contract itself that fingerprints and time registration data of employees are being processed. The processing agreement does not allow the Inspection Service to obtain clarity about the type of personal data that is processed by the second defendant on behalf of the first defendant. The agreement only contains an open selection list with, in addition to the selection list, 20 fields that the customer can freely fill in. The customer has also not indicated a choice of the categories to be processed. 151. The Inspection Service attaches particular importance to the role of the processor in fulfilling this joint obligation under Article 28.3 GDPR, because the processor is the only one of the parties who has the technical knowledge that allows a complete description of the processing. Without this complete description, neither the controller nor the supervisory authority can make a correct assessment of the content and risks of the processing entrusted to the processor. 152. The Inspection Service notes that, even at its explicit request, the processor (the second defendant) is unable to provide a complete technical description of the processing entrusted to it. This is evident from the minimalist answer to the Inspection Service's question about the operation of the time registration system. Subsequently, the second defendant appears unable to provide further information on certain elements such as: the encryption of the raw biometric data and the templates, the presence of an integrity check linked to biometric data, precise technical modalities of the collection and comparison phase of the biometric authentication process and the technique used for the deletion and destruction of the data after the end of the retention period. Decision on the substance 114/2024 – 39/71 153. In its report, the Inspection Service also refers to paragraph 103 of the Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR 26 of the EDPB, which states that both the controller and the processor have the responsibility to ensure that there is a contract or other legal act governing the processing. The supervisory authority may impose an administrative fine on both the controller and the processor, taking into account Article 83 GDPR and the individual circumstances of each case. Agreements concluded before the date of application of the GDPR should have been updated within the meaning of Article 28.3 GDPR. Failure to do so constitutes a breach of the latter provision. 154. Finally, the Inspection Service states that the second defendant questions the legal qualification of the personal data processed by it as biometric personal data (in the context of the processing at issue). However, the processing agreement refers to the biometric templates of personal data processed by the second defendant. The Inspection Service does not agree with this position. The Inspection Service therefore has doubts about the technical and organisational measures taken by the second defendant, since, on the basis of Article 32.1 GDPR, these must be tailored to the processing risk that was apparently incorrectly assessed by the second defendant. 155. The Inspection Service therefore concludes that the processing agreement does not comply with Article 28.3 GDPR, because the processing agreement does not meet the minimum requirements of this provision, in particular the description of the nature and purpose of the processing, the type of personal data and the technical and organisational measures applied by the processor. II.13.2. Position of the second defendant 156. The second defendant argues in its conclusions that it is able to share the correct knowledge about the system. It provided the first defendant with the relevant information in a timely manner. At the time of the conclusion of the contract, the first defendant had extensive documentation and information in the processing agreement and had access to the online platform, and also received several training courses. In addition, it is the first defendant who will register the persons on the system. The processing of personal data therefore only began when the first defendant started doing so. Consequently, the first defendant was able to familiarise herself with all available information regarding the processes before starting the processing. As for her minimalist answer 26EDPB, Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, v.2.0, 7 July 2021, available at https://www.edpb.europa.eu/system/files/2023- 10/edpb guidelines 202007 controllerprocessor final nl.pdf Decision on the merits 114/2024 – 40/71 to the Inspection Service, the second defendant notes that the Inspection Service immediately after the first questioning of the second defendant closed the investigation and drew up the Inspection report; however, the first defendant was questioned on more than one occasion. 157. Furthermore, the second defendant objects that the Inspection Service compiled an incomplete file. The Inspection Service only requested the processing agreement from the first defendant, which the first defendant had transferred, but without the Z IT Guide. This Z IT Guide forms an integral part of the processing agreement as an appendix. The second defendant was not aware of the fact that an incomplete processing agreement had been transferred and she was also not asked about it. Furthermore, the second defendant denounces the fact that the Inspection Service not only questions her about the processing entrusted to her, but also about the tasks and processing of the first defendant. The second defendant argues that the Inspection Service reproaches her, in the absence of an answer (quod non, according to the second defendant), for not providing a full technical description of the processing by the first defendant, which she does not have to provide. The reference by the Inspectorate to paragraph 103 of Guidelines 07/2020 was only approved in July 2021, while this paragraph was not yet present in the 2020 version. It is important to note that the processing agreement was concluded on 14 February 2020. Consequently, a lack of answers by the first defendant, if such a lack were to be established, cannot be blamed on the second defendant, but the Inspectorate must question the first defendant about this. 158. Furthermore, the second defendant points out that it is accused of not providing information on the technique used for the removal and destruction (e.g. overwriting, demagnetisation, cryptographic erasure, etc.) of the data after the retention period, with a reference to Recommendation 03/2020 of the GBA. The Inspection Service reaches this conclusion after an answer from the second defendant to the question "Which system is used for the removal and destruction of the biometric data/templates after the retention period has expired. Who is responsible for this deletion [first defendant] or [second defendant]?". The second defendant replied that no raw biometric data is stored. The encrypted templates are stored on the ST25 terminal and in the SQL cloud database as long as the employee exists in the SQL cloud database. Distribution on one or more ST25 terminals is carried out based on configuration in the Z Web Application T&A application. This answer was apparently not considered conclusive by the Inspection Service, as the second defendant notes. The second defendant points out that the Inspection Service could have asked an additional question in this regard if it considered the given answer to be insufficient. Decision on the merits 114/2024 – 41/71 159. The legal qualification of the data processed by the processor is a point of contention between the second defendant and the Inspection Service. The second defendant believes that it does not process biometric data or any other special category of personal data under Z. The second defendant points out that biometric data (Article 4.14 GDPR) only constitute a special category under Article 9 GDPR if they are processed for the purpose of unique identification. No comparison is carried out on the online platform that the second defendant makes available, the second defendant states. The comparison of the biometric data only takes place in the specific reader, which is linked to the customer, i.c. the first defendant. Only the reader, as a separate module, contains proprietary software with secret algorithms, the operation of which is only known to the supplier of the module; the technology used constitutes a trade secret. The manufacturer does not reveal how the templates are created, nor which key is used for encryption. The manufacturer does confirm that these are never released. The second defendant adds to this that it is impossible for anyone to identify a person with the data released by the biometric reader when registering a user. The only thing the file makes possible is to return it to a reader of the same manufacturer within the system with the aim of obtaining the verification of an identity (match or no match) as a answer. The only answer a reader will therefore give is a match with a known ID or no match. Anyone who can unlawfully obtain the encrypted file of the data from the biometric reader after registering a user cannot use this file in any other type of biometric tool because they do not have the unique key(s). The second defendant therefore decides that it offers an online storage system, but does not choose which terminals on the premises of the first defendant store certain data linked to biometrics, and it certainly does not organise the comparison phase on its own (online) platform. It is only the service provider of storage for a file that no one can decrypt without hacking the reader of the manufacturer. 160. The second defendant also argues that it is reasonably impossible for her to access the information for deciphering, which raises the question whether the files actually constitute personal data within the meaning of Article 4.14 GDPR. II.13.3. Assessment by the Dispute Resolution Chamber 161. Any processing of personal data by a processor must be governed by a contract or other legal act under EU or Member State law between the controller and the processor, as required by Article 28.3 GDPR. Decision on the merits 114/2024 – 42/71 162. The Inspection Service finds several infringements of Article 28.3 GDPR: (i) the processing agreement between the first defendant as controller and the second defendant as processor does not meet the requirements under Article 28.3 GDPR, in particular as regards the minimum requirements regarding the description of the nature and purpose of the processing, the type of personal data and the technical and organisational measures applied by the processor; (ii) the failure to comply with the obligations of the second defendant under Article 28.3 GDPR, given that it was the only one with technical knowledge of the system and nevertheless failed to adequately describe the processing and, finally, to cast doubt on the legal qualification of biometric data. (i) Description of the nature and purpose of the processing, type of personal data and the technical and organisational measures applied 163. First, the Dispute Chamber assesses to what extent the processing agreement between the first defendant as controller and the second defendant as processor meets the requirements under Article 28.3 GDPR, in particular with regard to the minimum requirements regarding the description of the nature and purpose of the processing, the type of personal data and the technical and organisational measures applied by the processor. 27 164. The Dispute Chamber notes that the processing agreement consists of several parts, as indicated in the conclusions of the second defendant, the main agreement itself with 2 annexes (Enclosure 1 and Enclosure 2). In Enclosure 2 to the main agreement, there were again 2 annexes, namely Attachment 1: “ZITGuide” and Attachment 2 “Dataprocessing agreement”, with again 3 annexes: Attachment A (description of the processing), Attachment B (technical and organizational security measures) and Attachment C (subprocessors). 165. Referring to Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR 28, the Dispute Resolution Chamber recalls that the processing agreement must include, among other things, the following elements: description of the nature and purpose of the processing, and the type of personal data. As regards the nature and purpose of the processing, the EDPB states that this description should be as complete as possible, depending on the specific processing activity, so that external parties (such as a supervisory authority) can understand the content and risks of the processing entrusted 27See finding 12 of the Inspection Report. 28EDPB, Guidelines 7/2020 on the concepts of “controller” and “processor” in the GDPR v2.0, dated 7 July 2021, available at https://edpb.europa.eu/sites/default/files/consultation/edpb guidelines 202007 controllerprocessor en.pdf. Decision on the substance 114/2024 – 43/71 29 to the processor. The “description of the processing” as determined in Attachment 2 of the processing agreement states that the agreement relates to the storage of different categories of personal data and sensitive data. Indirectly, it can be inferred from the processing agreement with all annexes that there is a question of the processing of fingerprints and time registration of employees, namely from Enclosure 1 to the processing agreement in which mention is made of Fingerprint licenses and in which it is stated that all information provided by the customer (in this case the controller) with regard to the time registration for a certain period is stored in the database of Z. 166. The EDPB states that the types of personal data must be specified in as much detail as possible. Merely specifying whether it concerns personal data within the meaning of Article 4.1 GDPR or special categories of personal data in accordance with Article 9 GDPR is not sufficient.0 The Dispute Chamber notes that the processing agreement in the aforementioned Enclosure 2 “Description of the processing” allows the possibility to indicate which personal data are specifically processed on the basis of the processing agreement [“Please select the categories you intend to use with the Services”]. The processing agreement also provides for four categories of special personal data that are processed by the second defendant on the basis of the processing agreement. Here too, the relevant categories are requested to be indicated [“Please select the categories you intend to use with the services”]. The Dispute Chamber finds that the relevant categories were not indicated for either the personal data or the special personal data. The Dispute Chamber finds that this infringement was only attributed by the Inspectorate to the second defendant, while the obligations under Article 28.3 GDPR apply to both contracting parties. However, the lack of indication could also be attributed to the first defendant, since it determines the purpose and means of the processing as the controller. 167. In conclusion, the Dispute Chamber finds that the required information under Article 28.3. first paragraph (the nature and purpose of the processing and type of personal data) can be derived from the overall reading of the processing agreement, but that it is recommended, for the sake of clarity, that the processed (categories of) personal data, whether or not special are indicated in the annex as provided. 29EDPB, Guidelines 7/2020 on the concepts of “controller” and “processor” in the GDPR v2.0, dd. 7 July 2021, para 114, available at https://edpb.europa.eu/sites/default/files/consultation/edpb guidelines 202007 controllerprocessor en.pdf. 30EDPB, Guidelines 7/2020 on the concepts of “controller” and “processor” in the GDPR v2.0, dd. 7 July 2021, para 114, available at https://edpb.europa.eu/sites/default/files/consultation/edpb guidelines 202007 controllerprocessor en.pdf. Decision on the merits 114/2024 – 44/71 168. The Inspection Service also found in its report that there was an infringement of Article 28.3.c) GDPR given the generality and limited level of detail of the enumeration of the technical and organisational measures applied. 169. Article 28.3.c) GDPR requires that all security measures required under Article 32 GDPR be reflected in the processing agreement. This processing agreement may not simply repeat the provisions of the GDPR, but must contain information on the security measures, or references to them. The level of detail must enable the controller to assess the suitability of the measures in accordance with Article 32.1 GDPR. 31 170. Article 32.1 GDPR provides that when assessing the appropriate level of security, account must be taken of the risks posed to the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This must also take into account the special nature of the personal data processed, which is a point of contention between the Inspectorate and the second defendant. 171. As regards the qualification of the personal data processed by the second defendant, the Litigation Chamber recalls the definition of biometric data and the processing of a possible special category of personal data. As the second defendant also states in her conclusions, biometric data do not immediately constitute a special category of personal data under Article 9 GDPR. The purpose of unique identification is required for this. As already stated, the purpose of identification is present in the head of the first defendant as a controller in the context of time registration, but not in the case of the second defendant. She receives data from the first defendant that she processes (i.e. stores) without the purpose of identification or authentication, which means that there is no question of the processing of special personal data as included in Article 9 GDPR. The applicable security measures must therefore be tailored to this. 172. As already explained, the processing agreement consists of the main agreement with 2 annexes (Attachment 1 and Attachment 2). As also indicated by the second defendant, the Dispute Chamber notes that the Z IT Guide (Attachment 2) was missing from the file of the Inspection Service, which meant that it was not taken into account during the investigation. 31EDPB, Guidelines 7/2020 on the concepts of "controller" and "processor" in the GDPR v2.0, dd. 7 July 2021, para 126, available at https://edpb.europa.eu/sites/default/files/consultation/edpb guidelines 202007 controllerprocessor en.pdf. Decision on the merits 114/2024 – 45/71 173. This Z IT Guide sets out the security aspects of the Z application in 13 pages, with concrete information about the security measures taken for the processing entrusted to it, namely the storage of the data in the Z. This guide contains information about the servers on which the data is stored, the security measures (such as anti- virus systems, firewalls, SSL certificates and monitoring services). The Dispute Chamber finds that the level of detail of the description of the security measures meets the requirements imposed in Article 28.3.c) GDPR. (ii) the failure to comply with the obligations of the second defendant under Article 28.3 GDPR, given that it was the only one with technical knowledge of the system and allegedly did not sufficiently describe the processing and the second defendant allegedly questioned the legal qualification of biometric data. 174. The Dispute Chamber notes that these findings do not relate to the content of the processing agreement as stipulated in Article 28.3 GDPR, but rather to the pre-contractual information exchanges with the first defendant (for example on the basis of Article 28.1 GDPR) or to the accountability obligation under Article 5.2 GDPR. 175. As regards the finding that the second defendant did not sufficiently describe the processing, the Dispute Chamber refers to section II.7 in which it finds that the processing agreement was not transferred in its entirety to the Inspection Service by the first defendant. The second defendant was not asked to transfer the processing agreement to the Inspection Service. 176. As explained, the Z IT Guide contains information about the technical knowledge of the system. The second defendant provided all this information to the first defendant, the controller, on the basis of which the latter could carry out the required analysis in this regard (see section II.8). In addition, the second defendant also offered training on the operation of the Z. In addition, the Disputes Chamber notes that there was also additional documentation, a portal and help function available online, as well as a helpdesk. As the second defendant also argues, the registration of the employees only starts when the first defendant starts doing so. Consequently, she could request additional information if necessary before starting the time registration. The Dispute Chamber therefore finds that the processing has been sufficiently described and that the second defendant has provided the necessary information to the first defendant. 177. Furthermore, the Inspection Service finds that the second defendant, even at the explicit request of the Inspection Service, is unable to provide a complete technical description of the processing entrusted to it. In this regard, the Inspection Service refers to the minimalist answers of the second defendant and to the fact that it could not provide further information on certain elements. Decision on the merits 114/2024 – 46/71 178. The Dispute Chamber first notes that a possible minimalist answer to the Inspection Service two years after the conclusion of the processing agreement has no influence on the correct or incorrect compliance with Article 28.3 GDPR, which only stipulates substantive requirements of the processing agreement. 179. The Dispute Chamber further notes that the Inspection Service in its letter dated 6 July 2022 requested the second defendant to explain the technical functioning of the system and in particular how the biometric data collected via the system is handled. The Inspection Service requests that this explanation be accompanied by an overview as schematically as possible of the various phases of the processing from collection to deletion. Furthermore, the Inspection Service requests clarification of the technical and organisational security measures that the second defendant takes to protect the integrity, availability and confidentiality of the data, where it is actually the first defendant who is subject to these obligations. The Inspection Service then asked 12 additional questions. These questions also concern the various phases of time registration. 180. The Dispute Chamber notes that the second defendant answered the 12 questions but could not answer each question in detail. Certain information is not known to the second defendant, since it is not the controller for the entire chain of processing in the context of the time registration in question. The second defendant has formulated an answer to the questions that related to the processing entrusted to it in its capacity as processor. In doing so, the second defendant also indicated why it could not answer the other questions, for example because it did not deal with certain aspects of the time registration chain. 181. In view of the above, the Dispute Chamber concludes that there is no infringement of Article 28.3 of the GDPR on the part of the second defendant. II.14.Data Protection Officer (Article 37.1, b) and c) GDPR) with regard to the second defendant II.14.1.Findings in the Inspection Report 182. The Inspection Service finds in the Inspection Report that the second defendant does not comply with the obligations regarding the appointment of a data protection officer as included in Article 37.1. b) and c) GDPR. Initially, the Inspection Service states that the requirements for appointing a data protection officer have been met as included in Article 37.1. c) GDPR, since it processes biometric data, that it concerns large-scale processing and that it is mainly responsible for this. Consequently, Decision on the merits 114/2024 – 47/71 the Inspection Service concludes that a data protection officer should have been appointed. 183. First, the Inspection Service does not follow the second defendant's view regarding the fact that it would not process biometric data (see II.13). Furthermore, the Inspection Service refers to the standard clause in Annex A of the processing agreement in which the second defendant, as a processor, also opens itself up to the processing of other categories of personal data. Second, with regard to the large-scale nature of the processing, the Inspection Service notes that the report of the board of directors of the second defendant shows that Z is divided into nine European countries, from which the Inspection Service understands a large geographical area. The Inspection Service states that it has no insight into the number of persons involved or the amount of data processed, but further notes that the duration and permanence of the data processing inherent to a working time registration system constitute an additional element for assessing the large-scale of the processing. Thirdly, as regards the criterion of principality, the Inspectorate states that it is clear that data processing constitutes a principal activity of the undertaking and not a necessary supporting function of the principal activity of the organisation. 184. Finally, the Inspectorate notes that the second defendant can also be considered to be obliged to appoint a data protection officer on the basis of Article 37.1.b) of the GDPR, since the daily registration of the times of arrival and departure of employees at a particular workplace constitutes regular and systematic observation of the data subjects. II.14.2. Position of the second defendant 185. In its conclusions, the second defendant argues that it is not obliged to appoint a data protection officer, neither on the basis of Article 37.1.c) of the GDPR nor on the basis of Article 37.1.b) of the GDPR. 186. As regards the applicability of Article 37.1.c) GDPR, the second defendant argues that the Inspectorate's argument is not based on objective findings but that its analysis results from half-assumptions and incorrect interpretations. As regards the processing of a special category of personal data, the second defendant reiterates its position that serious doubts can be raised as to whether there is indeed a processing of biometric data and a special category of personal data in the context of the processing for the first defendant. The second defendant adds that the Inspection Service has extrapolated its findings to the entire operation and all activities of the second defendant. The second defendant points out that its activities are divided between services Decision on the merits 114/2024 – 48/71 concerning parking systems and time registration. The figures for the 2021 financial year show that 74.29% of turnover is attributed to parking system services compared to 25.71% for time registration. Time registration itself also extends beyond the Z services. The share of the second defendant's total turnover for Z in 2021 amounted to only 8.50%. The second defendant denounces that the Inspection Service assumes that the second defendant would always fall back on biometric readers for Z and that it would therefore set up a Z solution for other customers using biometric readers. It points out that only 10.93% of the turnover is specifically generated by Z-related projects where biometric readers are also used. The second defendant wonders whether there are serious indications that these projects in which use biometric readers involve the processing of a special category of data. If there were indeed any processing of a special category of personal data, which the second defendant questions, then this need not be the case for other customers who use the Z application. 187. As regards the large-scale nature, the second defendant denounces that the Inspection Service infers the large-scale nature from the fact that the Z is marketed in 9 countries. The second defendant points out that not all Z solutions work with biometric readers and that for the assessment of the large-scale nature, only those solutions that do process special categories of data can be taken into account. The second defendant disputes that, on the basis of a study in which the Inspection Service concludes that it has no insight into the number of persons involved or the amount of data processed, but does establish that the duration and permanence of data processing inherent to work time registration constitutes an additional element for assessing the large-scale nature of the processing, it can be concluded that the processing is large-scale. 188. Finally, the second defendant refers to the Inspection Service's finding that the main criterion relates to the processor's main activity and not to a secondary activity. It wonders whether the processing of storage of the special category should be regarded as a core task within its activities. In this regard, it refers to the preparatory works of the GDPR, which indicate that main activities mean: "activities in the context of which 50% of the annual turnover resulting from the sale of data or income from the use of this data is earned". A contrario, this means that data processing activities that do not account for more than 50% of a company's turnover are considered secondary activities. The second defendant points out that the turnover resulting from Z and where biometric readers are used represented only 0.93% of its turnover in 2021. Consequently, there is no core task. Decision on the substance 114/2024 – 49/71 189. As regards the alleged obligation to appoint a data protection officer on the basis of Article 37.1.b) GDPR, the second defendant points out that the cumulative conditions of principality and large-scale are not re-examined. In addition, the second defendant points out that it is not the party carrying out the regular and systematic observation in the context of the processing at issue, if any. II.14.3. Assessment by the Litigation Chamber 190. Under Article 37.1 GDPR, the appointment of a data protection officer is mandatory in three specific cases: (a) where the processing is carried out by a public authority or body; b) where the core tasks of the controller or processor consist of processing operations that require regular and systematic large-scale monitoring of data subjects; or c) where the core tasks of the controller or processor consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences. 191. Article 37 GDPR applies to the designation of a data protection officer to both controllers and processors. Depending on who meets the criteria for mandatory designation, in some cases it is only the controller or only the processor that must designate a data protection officer, while in other cases it applies to both. 192. The question arises whether the second defendant falls under one of these 3 cases, so that it is subject to the obligation to appoint a data protection officer. 193. Since the second defendant is not a public authority, Article 37.1.a) GDPR does not apply. 194. As regards Article 37.1.c) GDPR, the Dispute Resolution Chamber recalls that three cumulative conditions apply: (i) processing of special categories, of data or of personal data relating to criminal convictions and offences, (ii) on a large scale and (iii) primarily/core task. 195. As already established above, the Dispute Resolution Chamber follows the position of the second defendant that it does not process special categories of personal data as defined in Article 9 in the context of the processing agreement concluded with the first defendant. The fact that the second defendant offers the possibility to process biometric data in the context of the Z does not automatically mean that the second defendant processes biometric data for all its customers. Furthermore, Decision on the substance 114/2024 – 50/71 processing of biometric personal data does not automatically mean that there is a processing of a special category of personal data under Article 9 GDPR, since it is not demonstrated that there is an identification or verification. It has therefore not been demonstrated that the first condition is met. 196. As regards the condition of large-scale, the GDPR does not provide a definition. According to recital 91, this concerns "large-scale processing operations intended for the processing of a significant amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which could entail a high risk". The Litigation Chamber finds that the Inspection Service has not demonstrated that the processing of special categories of personal data is carried out on a large scale. The fact that Z is distributed in 9 European countries does not demonstrate that special categories of personal data under Article 9 of the GDPR are processed on a large scale. Finally, as regards the criterion of mainness, the Dispute Chamber finds that the turnover of the second defendant, resulting from Z and where biometric readers are used, represented only 0.93% of the turnover of the second defendant in 2021. The Dispute Chamber finds that this is insufficient to speak of a core task. 197. Furthermore, the Inspection Service argues that the second defendant can also be considered to be obliged to appoint a data protection officer on the basis of Article 37.1.b) of the GDPR, since the daily registration of the times of arrival and departure of employees at the workplace constitutes regular and systematic observation of the data data subjects. In this context, the Dispute Chamber follows the position of the second defendant that any regular and systematic observation is carried out by the first defendant in the context of time registration, and not by the second defendant. After all, it only offers storage of pre-encrypted (personal) data. 198. In view of the above, the Dispute Chamber therefore finds that there is no infringement of the obligation under Article 37.1.b) and c) GDPR to appoint a data protection officer. III. Corrective measures III.1. With regard to the first defendant III.1.1. Established infringements and measures taken by the Dispute Chamber III.1.1.1. Established infringements 199. The Dispute Chamber has established the following infringements. First, the Dispute Chamber found that the first defendant unlawfully processed special Decision on the merits 114/2024 – 51/71 categories of personal data in the context of the time registration system and thereby also violated the principles of purpose limitation and data minimization (Article 5.1.a) GDPR, Article 9.1, j° Article 6.1 GDPR, Article 9.2 GDPR 5.1.b) GDPR, Article 5.1.c) GDPR). 200. The Dispute Chamber then ruled that the welcome brochure did not sufficiently inform the data subjects about the processing at issue. More specifically, the welcome brochure fell short in general with regard to the obligation under Article 12.1 GDPR that the controller must take appropriate measures to receive the information referred to in Article 13 GDPR in a concise, transparent, comprehensible and easily accessible form in clear language, and in particular the Dispute Chamber states that the retention periods (Article 13.2.e) GDPR), purposes and legal basis (Article 13.1.c) GDPR) were not (adequately) included in the welcome brochure. Since the first defendant invokes Article 6.1.a) and Article 9.2.a) GDPR – albeit unlawfully – the data subjects should also have been informed that they had the right to withdraw their consent (Article 13.2.c) GDPR). As regards the mention of the possibility to file a complaint with the Data Protection Authority (Article 13.2.d) GDPR), the Dispute Chamber notes that this is also not mentioned in the welcome brochure. 201. Furthermore, the Dispute Chamber found that the first defendant did not provide sufficient information in response to the second request for access, namely information about the retention period and the retention modalities and the security of the data, which is in conflict with the obligation incumbent on the first defendant to inform the data subject in an understandable and easily accessible form and in clear and simple language, as set out in Article 15.1.d) in conjunction with Article 12.1 of the GDPR. 202. Furthermore, the Dispute Chamber ruled that there were multiple breaches of the first defendant's documentation obligations. For the processing of special personal data in the context of time registration, the first defendant did not perform a DPIA before commencing the processing at issue (Article 35 GDPR). 203. The first defendant also failed to include the identity of the data protection officer in the processing register (Article 30.1.a) GDPR). The first defendant also violated Article 30.1.b) and c) GDPR by not including all purposes and categories of personal data in the context of time registration as stated in the employment regulations version 2022 in the register of processing activities. Finally, the Dispute Chamber finds that the second defendant as recipient of the personal data in her capacity as processor in the context of the biometric time registration system is not listed in the register for processing activities (Article 30.1.d) GDPR). Decision on the merits 114/2024 – 52/71 204. Finally, in view of the above infringements, the Dispute Chamber found that the first defendant has committed an infringement of the accountability obligation under Article 5.2 GDPR. III.1.1.2. Measures taken by the Dispute Chamber 205. According to Article 100 of the WOG, the Dispute Chamber has the power to: 1° dismiss the complaint; 2° order that the prosecution be dismissed; 3° order a suspension of the judgment; 4° propose a settlement; 5° to issue warnings and reprimands; 6° to order that the data subject's requests to exercise his/her rights be complied with; 7° to order that the data subject be informed of the security problem; 8° to order that the processing be temporarily or definitively frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10° to order the correction, restriction or erasure of data and the notification thereof to the recipients of the data; 11° to order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° to order the suspension of cross-border data flows to another State or an international institution; 15° to transfer the file to the public prosecutor of Brussels, who will inform it of the action taken on the file; 16° to decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority. 206. With regard to the above-mentioned infringements established with regard to the documentation obligations pursuant to Article 30.1.a), b), c) and d) GDPR and Article 35 GDPR, the Dispute Chamber decides to impose a reprimand on the basis of Article 100, 5° WOG. The importance of drawing up a DPIA pursuant to Article 35 GDPR should not be underestimated. The obligation to carry out a DPIA is intended to describe the process of processing personal data, so that not only the necessity and proportionality of the processing are mapped out, but also the risks to the rights and freedoms of data subjects in the processing of personal data. Failure to carry out a DPIA is therefore in itself (therefore) a violation of the GDPR, while it also increases the chance of new violations of the GDPR because risks of possible (other) violations of the GDPR are not recognized in a timely manner. Decision on the merits 114/2024 – 53/71 207. With regard to the obligations regarding the drawing up of a processing register pursuant to Article 30 GDPR, the Dispute Resolution Chamber points out that, in order to be able to effectively apply the obligations contained in the GDPR, it is essential that the controller and the processors maintain a complete and accurate overview of the processing of personal data that they carry out. This register of processing activities is therefore primarily an instrument to help the controller or processor comply with the GDPR for the various data processing operations that it carries out, because the register makes the most important characteristics of the processing activities visible. The Dispute Chamber is of the opinion that this processing register is an essential instrument in the context of the already mentioned accountability obligation (Article 5.2 GDPR and Article 24 GDPR) and that this register forms the basis for all obligations that the GDPR imposes on the controller and the processor. It is therefore of the utmost importance that it is complete and correct. 208. The Dispute Chamber is of the opinion that there are sufficient elements to impose a reprimand for the infringements of Article 5.2, Article 30 and Article 35 GDPR, which constitutes a light sanction and is sufficient in light of the infringements of the GDPR found in this file. In determining the sanction, the Dispute Chamber takes into account the fact that the first defendant has already taken several steps to comply with its obligations as prescribed by the GDPR and provides evidence of this. 209. With regard to the infringement resulting from the incomplete execution of the second request for access (in Article 15.1.d) in conjunction with Article 12.1 of the GDPR), the Dispute Chamber warns the first defendant for the future on the basis of Article 100, 5° WOG on the one hand that the fact that the personal data of the data subject are no longer processed by the controller does not mean that the right of access must no longer be executed, and on the other hand that if the requested information does not fall under the list in Article 15.1 GDPR, this does not mean that no response must be formulated to a request for access, since the obligation to provide information in a concise, transparent, comprehensible and easily accessible manner also applies to the information obligations under Article 13 GDPR. The fact that this information is requested in a request for access does not mean that this request for information must not be followed up. The Dispute Chamber is of the opinion that a warning is sufficient, given that it is not the case that the first defendant has made it completely impossible for the complainant to exercise his right of access. On the contrary, the first defendant had already responded to the complainant's first request for access, which was partly repeated in its response to the complainant's second request for access. Decision on the merits 114/2024 – 54/71 210. As regards the infringements of Article 5.1.a) GDPR, Article 6.1 GDPR, Article 9.1 and 9.2 GDPR, Article 5.1.b) GDPR, Article 5.1.c) GDPR) on the principles of lawfulness, purpose limitation and data minimisation and the infringement of Article 13.1.c), 13.2.c), 13.2.d) and 13.2.e) GDPR on the information obligations, the Dispute Chamber decides to impose an administrative fine pursuant to its powers based on Article 83 GDPR and Article 100, §1, 13° WOG. III.1.1.3. Calculation of the fine 211. On 24 May 2023, the EDPB adopted Guidelines 04/2022 on the calculation of administrative fines under GDPR 32 (hereinafter: the Guidelines). The Guidelines are immediately applicable, as they do not provide for transitional law for procedures that were already ongoing at the time of the adoption of the Guidelines. The Litigation Chamber will therefore apply these Guidelines to this case. 212. The Guidelines describe a methodology for determining the amount of the fine as follows: Step 1: which and how many acts and infringements are subject to assessment; Step 2: which amount forms the starting point for calculating the fine for the infringements established (starting amount); Step 3: which mitigating or aggravating circumstances, if any, arise that require an adjustment of the amount in step 2; Step 4: what maximum amounts apply to the infringements and whether any increases from the previous step do not exceed this amount; Step 5: the assessment of whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and if necessary is adjusted accordingly. 213. The Dispute Chamber will determine the size of the administrative fine on the basis of this methodology. III.1.1.4. Step 1: Identifying the acts and determining the infringements 214. In order to determine the starting amount of the fine, as described in the Guidelines, it must first be determined whether there is one or more sanctionable acts. The Litigation Chamber found that the first defendant unlawfully processed special categories of personal data in the context of the 32EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), https://edpb.europa.eu/system/files/2024-01/edpb guidelines 042022 calculationofadministrativefines en 0.pdf. Decision on the merits 114/2024 – 55/71 time registration system and also the principles of purpose limitation and data minimization violated (Article 5.1.a) GDPR, Article 6.1 GDPR, 9.2 GDPR, Article 5.1.b) GDPR, Article 5.1.c) GDPR). 215. Furthermore, the Disputes Chamber ruled that the welcome brochure did not sufficiently inform the data subjects about the processing at issue. More specifically, the welcome brochure was inadequate with regard to, among other things, the retention periods (Article 13.2.e) GDPR), purposes and legal basis (Article 13.1.c) GDPR). The Disputes Chamber considers that these were not (adequately) included in the welcome brochure. Since the first defendant invokes – albeit unlawfully – Article 6.1.a) and Article 9.2.a) GDPR, the data subjects should also have been informed that they had the right to withdraw their consent (Article 13.2.c) GDPR). As regards the mention of the possibility of lodging a complaint with the GBA (Article 13.2.d) GDPR), the Dispute Resolution Chamber notes that this is also not mentioned in the welcome brochure. 216. In the opinion of the Dispute Resolution Chamber, this case concerns one sanctionable conduct. In this context, the Dispute Resolution Chamber refers to the Guidelines, which state that when assessing “the same or related processing activities”, it must not be forgotten that the supervisory authority may, in its assessment of infringements, take into account all obligations prescribed by law for the lawful performance of processing activities, including transparency obligations (e.g. Article 13 GDPR). This is also underlined by the wording “in relation to the same or related processing activities”, which shows that this provision applies to all infringements that relate to and may affect the same or related processing activities. 33 The Litigation Chamber finds that the infringements established above with regard to the principles of lawfulness, purpose limitation, data minimisation, information obligations and accountability relate to the same processing activity, namely the time registration system by means of fingerprints. Consequently, the Litigation Chamber finds that the circumstances constitute a single act, which will result in a single fine being imposed for the infringements resulting from the act in question. III.1.1.5. Step 2: determining the starting amount 217. As described in the Guidelines, the starting amount of the fine must then be determined. This starting amount forms the basis for the further calculation in later steps, taking into account all relevant facts and circumstances. The Guidelines state that the starting amount is determined on the basis of three elements: i) the categorisation of the infringements according to Article 83, fourth 33 EDPB – Guidelines04/2022 for the calculation of administrative fines under theGDPR (v2.1, 24 May 2023), p. 13, https://edpb.europa.eu/system/files/2024-01/edpb guidelines 042022 calculationofadministrativefines en 0.pdf. Decision on the merits 114/2024 – 56/71 up to and including paragraph 6 of theGDPR (step 2.1); ii) the seriousness of the infringement (step 2.2) and iii) the turnover of the undertaking (step 2.3). III.1.1.5.1. Step 2.1: Categorisation of infringements according to Article 83, paragraphs 4 to 6 218. As stated in the Guidelines, almost all obligations of the controller are categorised in the provisions of Article 83, paragraphs 4 to 6, of the GDPR. The GDPR distinguishes between two types of infringements. On the one hand, infringements that are punishable under Article 83.4 of the GDPR and for which a maximum fine of EUR 10 million applies (or in the case of an undertaking, 2% of the annual turnover, whichever is higher), on the other hand, infringements that are punishable under Article 83, fifth and sixth paragraphs, of the GDPR and for which a maximum fine of EUR 20 million applies (or in the case of an undertaking, 4% of the annual turnover, whichever is higher). With this distinction, the legislator has provided a first indication in abstracto of the seriousness of the infringement: the more serious the infringement, the higher the fine. 219. For the infringements of Article 5.1.a) GDPR, Article 6.1 GDPR, Articles 9.1 and 9.2 GDPR, Article 5.1.b) GDPR, Article 5.1.c) GDPR, Article 13.1.c, 13.2.c), d) and e) GDPR j° Article 12.1 GDPR, an administrative fine of up to EUR 20 million may be imposed, or in the case of an undertaking, 4% of the worldwide annual turnover, whichever is higher (Article 83.5 GDPR). It follows from this categorisation that the infringements of these provisions are considered by the legislator to be serious. III.1.1.5.2. Seriousness of the infringements in the present case 220. In determining the seriousness of the infringement, the Guidelines require that account be taken of the nature, gravity and duration of the infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data concerned. 221. Nature of the infringement - The Guidelines provide that the supervisory authority may examine the interest to be protected by the breached provision and its place in the data protection framework. The GDPR provides that there are six legal bases for the lawfulness of the processing of personal data. When the controller carries out or plans to carry out processing of personal data, it must give due consideration to the most appropriate legal basis for the intended processing. 34 The applicable legal basis also affects the applicable rights of data subjects or the applicable information obligations. Breaches of these core principles 34 EDPB – Guidelines 5/2020 on consent under Regulation 2016/679 (5 May 2020) p. 5 https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf Decision on the substance 114/2024 – 57/71 therefore constitute serious breaches, which can be punished with the highest administrative fines provided for in the GDPR. Consequently, the Litigation Chamber concludes that the legality is central to data protection and therefore justifies the imposition of a fine. 222. Nature, gravity and duration of the infringement (Article 83.2.a) GDPR) — With regard to the gravity of the infringement, the Litigation Chamber notes that the principle of lawfulness (Article 5.1.a) and Article 6 GDPR), in conjunction with the principles of purpose limitation (Article 5.1.b) GDPR) and data minimisation (Article 5.1.c) GDPR) are fundamental principles of the protection guaranteed by the GDPR. Furthermore, the controller must provide the data subject with the information necessary to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed. 223. As regards the nature of the processing, the Litigation Chamber notes that a valid legal basis and transparent information are core elements of the fundamental right to data protection. Breaches of these core principles therefore constitute serious infringements, which can be punished with the highest administrative fines provided for in the GDPR. 224. In its response to the penalty form, the first defendant does not dispute the seriousness of the infringement, but points out that the seriousness must be assessed in the light of all the circumstances below, specific to this case. It points out that the nature of the processing did not involve a high risk, since the system put in place by the second defendant only allowed a code to be linked to the sensitive data, while the digital fingerprint remained in the hardware. Consequently, when processing sensitive data, only a code could be created which was then linked to the employee's individual file in which only the hours worked were recorded. The sensitive data are not reproduced, communicated or analysed. Only clock times are taken and linked to a code, the digital fingerprint remains in the hardware of the second defendant which, the first defendant argues, does not seem to have been criticised by the Litigation Chamber. The Litigation Chamber takes these circumstances into account in step 3 when assessing any aggravating or mitigating circumstances, as prescribed by the Guidelines. 35According to the Guidelines, each criterion of Article 83.2 GDPR may only be taken into account once. 35 EDPB–Guidelines04/2022forthecalculationofadministrativefinesundertheGDPR(v2.1,24May2023),), p. 29. Decision on the substance 114/2024 – 58/71 225. With regard to the purpose of the processing, the Dispute Chamber finds that the purpose of the processing was to record the employees' working hours and to calculate and pay wages on that basis. As also indicated, no payment could be made if no clockings were recorded, which could lead to measures with negative consequences being taken. In accordance with the Guidelines, the Dispute Chamber attaches more weight to this factor in view of the relationship between the parties concerned as employees and the first defendant as employer. 36 226. In its response to the penalty form, the first defendant states that it is active in the production of light metal packaging products (aluminium cans). In that capacity, it only processes data on working hours, which are obtained by biometric clocking in and out. The sensitive data remains secured and included in the system of the second defendant. The periphery of the main activity is therefore limited to the salary calculation based on the registration of working hours. 227. The Dispute Chamber notes that the intended purpose of the disputed processing would also have been possible without the processing of the biometric personal data in question. The processing of personal data is not a core activity of the first defendant, but it is an important secondary activity in the fulfilment of its core task. The Dispute Chamber attaches great weight to this factor. 228. With regard to the seriousness of the infringement, the Dispute Chamber considers that the unlawful processing in the context of the time registration in question applied to all employees. The same also applies to the information obligations for employees, at least until the adoption of the 2022 employment regulations. Subsequently, the Dispute Chamber does indeed take into account the above-mentioned violations when assessing the seriousness of the infringement. However, it is not the case that the first defendant has not complied with its obligations under the GDPR in any way. The first defendant has unlawfully invoked consent as a legal basis for the processing in question. Although the Dispute Chamber has established several infringements regarding the information obligations regarding the processing in question, it cannot be said that the first defendant has completely failed to inform its employees of the processing in question. Furthermore, it is not apparent that the employees have suffered substantial damage as a result of the processing in question and the inadequate provision of information. The Dispute Chamber attaches a light weight to this factor. 36 EDPB – Guidelines 5/2020 on consent under Regulation 2016/679 (5 May 2020) p. 20 https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf Decision on the substance 114/2024 – 59/71 229. As regards the duration, it was found that the contested time registration system was introduced on 16 March 2020 and was stopped following the Inspection Report at the end of 2022, which represents a relatively short period. As regards the duration of the infringement, the first defendant argues in its response to the penalty form that it is a relatively new company that made an error in its system for recording working hours. It also argues that it stopped the time registration system immediately. The Dispute Resolution Chamber gives a light weight to this factor. 230. As regards the scope of the processing, the first defendant argues that the sensitive data in question, i.e. fingerprints, remain locked and secure in the hardware system of the second defendant. The scope of the processing is therefore very local and shows that the risk is very low or even non-existent, since the sensitive data remain in the second defendant's system, which is secured and encrypted. The first defendant does not itself have the fingerprint, but only the encrypted code linked to the fingerprint and the working time registration data. The first defendant notes that this code is itself produced by the second defendant's equipment and that the encryption key is not known to the first defendant should it wish to obtain the digital fingerprint as such. The extent of local processing made it impossible to exclude any association between the code and the fingerprints stored in the second defendant's hardware, so that the risk of dissemination was very low. The Litigation Chamber takes these circumstances into account in step 3 when assessing any aggravating or mitigating circumstances, as prescribed by the Guidelines. 37 According to the Guidelines, each criterion of Article 83.2 GDPR may be taken into account only once. 231. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — The Litigation Chamber recalls that "intent" generally includes both knowledge and wilfulness with regard to the characteristics of a criminal offence, while "unintentional" means that there was no intention to cause the infringement, although the controller or processor breached the duty of care prescribed by law. In other words, two cumulative elements are required to consider an infringement as intentional, i.e., knowledge of the infringement and intentionality with regard to this act.9 37 EDPB – Guidelines04/2022 on the calculation of administrative fines under theGDPR (v2.1, 24 May 2023), p. 29. 38 Article 29 Data Protection Working Party – Guidelines on the application and setting of administrative fines within the meaning of Regulation (EU) 2016/679 (WP253, 3 October 2017), p. 12. 39See alsoEDPB–BindingDecision1/2023onthedisputesubmittedbytheIESAondatatransfersbyMetaPlatformsIreland Substantive decision 114/2024 – 60/71 232. As regards the element of intention, the Litigation Chamber also recalls that the Court of Justice has established a high threshold for an act to be considered intentional. Thus, in criminal cases, the Court of Justice has held that there is "serious negligence" rather than "intent" when "the person liable commits a serious breach of his duty of care which he should and could have observed, taking into account his capacity, his knowledge, his 40 skills and his individual situation". Even though an undertaking, whose processing of personal data does not constitute the core of its business, is expected to take sufficient measures to protect personal data and to be thoroughly aware of its obligations in this regard, such a serious 41 breach does not necessarily demonstrate that there has been an intentional infringement. 233. In other words, this means that a controller can also be punished with an administrative fine under Article 83 GDPR for an act falling within the scope of the GDPR, if this controller could not have been unaware that his act constituted an infringement, regardless of whether he was aware that he was violating the provisions of the GDPR. 42 According to the Dispute Chamber, there is no — obvious — intention on the part of the first defendant to deliberately violate the GDPR in the context of the introduction of the time registration system by means of biometric data, nor in the context of the inadequate information obligations. In the opinion of the Dispute Chamber, there is, however, negligence in committing the infringements. The infringements found are due to an incorrect assessment by the first defendant. She has taken the combating fraud in the context of time registration as a guiding principle, which is a legitimate objective, but in that context the first defendant should also have assessed compliance with the GDPR. A professional party such as the first defendant may be expected, also in view of the special nature of the personal data, to thoroughly satisfy itself of the standards applicable to it and to comply with them. 234. In its response to the penalty form, the first defendant follows the position of the Dispute Chamber and recalls that it wished to introduce a system to prevent fraud with working hours, since this problem is a problem in the context of the present Ltd (Facebook), paragraph 103, available at https://www.edpb.europa.eu/our-work-tools/our-documents/binding- decision-board-art-65/binding-decision-12023-dispute-submitted and. 40CJEU, 3 June 2008, C-308/06, Intertanko and others (ECLI:EU:C:2008:312), edge no. 77 41See also EDPB – Binding Decision 2/2022 on the dispute arising on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, July 28, 2022, edge no. 204. 42CJEU,5December2023,C-807/21,DeutscheWohnenSEt.StaatsanwaltschaftBerlin(ECLI:EU:C:2023:950),edgeno.76. See also CJEU, 18 June 2013, C-681/11, Schenker & Co. et al. (ECLI:EU:C:2013:404), para. 37; ECJ, 25 March 2021, Lundbeck v. Commission, C-591/16 P (ECLI:EU:C:2021:243), para. 156; and ECJ 25 March 2021, C-601/16 P, Arrow Group and Arrow Generics v. Commission (ECLI:EU:C:2021:244), para. 97. Decision on the merits 114/2024 – 61/71 procedure was indeed present and demonstrated). The first defendant acknowledges that it should have used a different system for recording working time. 235. The Litigation Chamber recognises the need of the first defendant to tackle and/or prevent possible fraud and assigns an average weight to this factor. 236. Categories of personal data concerned by the infringement (Article 83.2.g) GDPR) — The Guidelines point out that the GDPR clearly specifies the types of data that require special protection and which should therefore be subject to stricter penalties. These are at least the types of data referred to in Articles 9 and 10 GDPR. In general, the more of these categories of data are involved or the more sensitive the data, the 43 more weight the supervisory authority can assign to this factor. The Dispute Chamber has designated the personal data processed by the first defendant as special within the meaning of Article 9 GDPR. The established infringements concerning the legality and the information obligations therefore concern the special personal data under Article 9 GDPR, which is why the Dispute Chamber attaches more weight to this factor. III.1.1.5.3. Turnover of the undertaking 237. The Dispute Chamber specifies in this regard that at the time of sending the sanction form dated 4 June 2024, it did not yet have the turnover figures for the year 2023 and should therefore take the turnover figures for 2022 into account. After sending the sanction form, the annual accounts for the financial year 2023 were published on the website of the National Bank of Belgium, in which a turnover of [/] EUR was recorded. i. Conclusion starting amount a. Theoretical starting amount (based on the gravity of the infringement) 238. Under Article 83.5 of the GDPR, the maximum fine is EUR 20 million or, for an undertaking, up to 4 % of the total worldwide annual turnover in the preceding financial year, whichever is higher, which is not the case here. Consequently, the statutory maximum amount is EUR 20 million. 239. Based on the evaluation of the criteria set out above, the Litigation Chamber must determine whether the infringement is considered to be of minor, medium or high gravity. This 43 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 22, https://edpb.europa.eu/system/files/2024-01/edpb guidelines 042022 calculationofadministrativefines en 0.pdf. Decision on the substance 114/2024 – 62/71 categories do not affect the question of whether or not a fine may be imposed. 44 240. This assessment is not a mathematical calculation in which the above-mentioned factors are considered separately, but rather a thorough evaluation of the specific circumstances of the case, in which all the above-mentioned factors are interrelated. Therefore, when assessing the gravity of the infringement, the infringement as a whole must be taken into account. ▪ When calculating the administrative fine for minor infringements, the supervisory authority will set the basic amount for further calculation at an amount between 0 and 10% of the applicable statutory maximum. ▪ When calculating the administrative fine for infringements of medium seriousness, the supervisory authority will set the starting amount for further calculation at an amount between 10 and 20% of the applicable statutory maximum. ▪ When calculating the administrative fine for infringements of high seriousness, the supervisory authority will set the starting amount for further calculation at an amount between 20 and 100% of the applicable statutory maximum. 46 241. As a rule, the more serious the infringement within the relevant category, the higher the starting amount is likely to be.47 242. In its response to the penalty form, the first defendant argues that, given the above criteria, the level of infringement could be considered low. It refers to the elements discussed above, such as the nature of the processing, the scope of the processing, the purpose of the processing, the extent of the damage and the duration of the infringement. 243. The Litigation Chamber found that there was an infringement of Article 5.1.a), b) and c) GDPR, Article 9.1 in conjunction with 6.1 and 9.2 GDPR on the one hand and an infringement of Article 13.1, c) and 13.2, c), d), e) GDPR in conjunction with Article 12.1 on the other hand, which are included in the infringements of Article 83.5 GDPR. The Litigation Chamber then made an analysis of the nature of the infringement, the purpose, scope and duration of the processing, as well as the categories of personal data processed and the 48 negligent nature of the infringement. 44 EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23, https://edpb.europa.eu/system/files/2024-01/edpb guidelines 042022 calculationofadministrativefines nl 0.pdf. 45 EDPB – Guidelines04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23, https://edpb.europa.eu/system/files/2024-01/edpb guidelines 042022 calculationofadministrativefines nl 0.pdf. 46 EDPB – Guidelines04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23. 47EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 23. 48 See paragraphs 95 to 102 of this decision. Decision on the substance 114/2024 – 63/71 244. Based on the previous assessments of the above circumstances, the Litigation Chamber finds that the conduct falling within Article 83.5 GDPR is in itself of average seriousness. In doing so, the Litigation Chamber takes particular account, on the one hand, of the sensitive nature of the biometric personal data and their nature, the professional capacity of the first defendant as employer with regard to the complainant and the large scope, given that the time registration system applies to all employees. 245. On the other hand, the Litigation Chamber also takes into account the relatively limited duration of the infringement, the unintentional nature of the negligence on the part of the first defendant and the fact that it informed the data subjects, albeit incompletely, of the processing at issue. 246. Consequently, the starting amount for further calculation must be set at an amount between 10% and 20% of the applicable statutory maximum. The Litigation Chamber decides to set a theoretical starting amount of EUR 2 million per infringement, i.e. 10% of the applicable statutory maximum amount of EUR 20 million (Article 83.5 GDPR). b. Adjustment of the starting amount based on the size of the undertaking 247. The Litigation Chamber must then examine whether the starting amount should be adjusted based on the size of the undertaking. This adjustment only applies to undertakings to which the static statutory scope applies, namely when the undertaking achieved a turnover of less than EUR 500 million in the previous financial year. Since this is the case in the present case, the fine must be adjusted on the basis of the static statutory scope. 248. The Dispute Chamber has already explained that the conduct established above falls under Article 83.5 GDPR and is of average seriousness. For infringements referred to in Article 83.5 GDPR, of average seriousness, applied to an undertaking with a turnover between EUR 50 million and EUR 100 million, the fine amounts to 8 to 20% of the starting amount, whereby the fine may not be less than EUR 160,000 and not more than EUR 800,000. 49 249. Taking into account the minimum and maximum amounts per level set in the Guidelines on the one hand, and the relevant annual turnover of the controller on the other hand, the Litigation Chamber decides to reduce the final starting amount of each of the established infringements (falling under Article 83.5 GDPR with 49 EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023), p. 52. Decision on the substance 114/2024 – 64/71 to an adjusted starting amount of EUR 160,000, i.e. 8% of the theoretical starting amount of EUR 2 million. III.1.1.6. Step 3: assessment of aggravating and mitigating circumstances i) Assessment of the application of any aggravating or mitigating circumstances 250. As stated in the Guidelines, it must then be assessed whether, in the circumstances of the case, there is reason to set the fine higher or lower than the starting amount determined above. The circumstances to be taken into account are listed in Article 83, paragraph 2, introductory phrase and under a to k, of the GDPR. Each of the circumstances listed in that provision may only be assessed once. 50 The previous step has already taken into account the nature, gravity and duration of the infringement, the intentional or negligent nature of the infringement and the categories of personal data. This leaves sections c to f and h to k. 251. Measures taken to mitigate the harm suffered by data subjects (Article 83.2.c) GDPR) – As stated in the Working Party 29 54 Guidelines WP 253, controllers and processors are already required to take “technical and organisational measures to ensure a level of security appropriate to the risk, to carry out data protection impact assessments and to mitigate the risks to the rights and freedoms of individuals resulting from the processing of personal data”. In the event of a breach, the controller or processor must therefore do “everything possible” to mitigate the consequences of the breach for the data subject(s). The first defendant should have failed to process the biometric data of its employees in this case. By doing so, the first defendant violated the essence of this obligation. Since the employees of the first defendant were insufficiently informed about the processing and it has not been established that they (freely) gave their express consent, the first defendant has undermined the protection of the personal data of its employees by doing this processing. 50EDPB – Guidelines 04/2022 for the calculation of administrative fines under theGDPR (v2.1, 24 May 2023), p. 23. 51 See paras 95-98 of this decision. 52 See paras 99-101 of this decision. 53 See para 102 of this decision. 54 Data Protection Working Party 29, Guidelines on the application and determination of administrative fines within the meaning of Regulation (EU) 2016/679 (3 October 2017). Decision on the substance 114/2024 – 65/71 252. The extent to which the controller or processor is responsible in view of the technical and organisational measures implemented in accordance with Articles 25 and 32 GDPR (Article 83.2.c) GDPR) – The Litigation Chamber found in II.8 that the first defendant had taken various organisational measures to secure the personal data in question. Furthermore, the first defendant has appealed to the second defendant with regard to the technical security of the personal data. The Dispute Chamber has determined in sections II.7 and II.8 that there is no infringement of Article 32 of the GDPR. Consequently, the Dispute Chamber takes into account the fact that the first defendant did show the intention to adequately protect the processed special personal data and has also concluded a processing agreement with the second defendant to this end. In this regard, the Dispute Chamber takes into account in particular the fact that the fingerprints themselves did not leave the secure environment of the second defendant and the first defendant only had a code that could be linked to the time registration as a mitigating circumstance. 253. Previous relevant breaches by the controller or processor (Article 83.2.e) GDPR) – The Litigation Chamber takes into account that no other proceedings have been brought against the first defendant to date. In accordance with the Guidelines, this factor should therefore be considered neutral. 55 254. The manner in which the supervisory authority became aware of the breach (Article 83.2.h) Since the Litigation Chamber became aware of the breach as a result of a complaint, this element is considered neutral in accordance with the 56 Guidelines. 255. The extent to which cooperation has been provided with the supervisory authority to remedy the breach and mitigate its possible negative consequences (Article 83.2.f) GDPR) — The Litigation Chamber notes that the first defendant has been cooperative towards it. In accordance with the Guidelines, the Litigation Chamber considers the ordinary obligation to cooperate to be neutral in view of the general obligation to cooperate under Article 31 GDPR. 256. In its response to the penalty form, the first defendant points out that it not only fully cooperated, but that it also immediately stopped using the biometric time registration system without a decision from the 55 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023),), p. 32. 56 EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, 24 May 2023),), p. 33. Decision on the substance 114/2024 – 66/71 Litigation Chamber to await. This limited the duration of the infringement, which could have extended to the duration of the entire procedure. 257. The Litigation Chamber acknowledges that the first defendant immediately stopped the biometric working time registration system, but points out that it has already taken this into account when assessing the duration of the infringement (see above). In accordance with the Guidelines, each criterion in Article 83.2 GDPR may only be taken into account once in the context of the overall assessment of Article 83.2 57 GDPR. 258. Any other circumstance of the case applicable as an aggravating or mitigating factor (Article 83.2.k) GDPR) – The Litigation Chamber takes into account the fact that the processing at issue does not generate any financial gain for the first defendant, which the Litigation Chamber takes into account as a mitigating factor when determining the amount of the fine. The Disputes Chamber also took into account, as an additional circumstance, the long period between the completion of the investigation report and the hearing on the one hand and (the publication of) this decision on the other. This component was considered a mitigating factor with regard to the amount of the fine. 259. The first defendant argues that when determining the amount of the fine in the penalty form, account was taken of its turnover figures. It points out to the court that the company has not made a profit since its establishment in 2019, but that it is even making losses that are attributable to the nature of the investments. When drafting the response to the penalty form, the first defendant points out that the annual accounts for 2023 had not yet been completed, but that the financial prospects are not positive. Consequently, it had to carry out a series of redundancies for economic reasons at the end of 2023 and the beginning of 2024. The first defendant explains that its turnover is very high, given the nature of its investments and activities, namely wholesale sales to professionals. On the other hand, the company's profit is modest, or even negative, given the economic climate. The first defendant states that it has not yet achieved the results it was aiming for when it started its activities in Belgium. In addition, it generates a significant number of jobs in Flanders, some of which may be jeopardised by the proposed fine of EUR 90,000. 260. The Litigation Chamber points out that, in accordance with the EDPB Guidelines, it must calculate the amount of the proposed fine on the basis of the turnover figures for the previous financial year, with no deviations from this calculation method being provided for. However, the Litigation Chamber acknowledges the difficult economic climate and the fact that the 57 EDPB–Guidelines04/2022forthecalculationofadministrativefinesundertheGDPR(v2.1,24May2023),), p. 29. Decision on the substance 114/2024 – 67/71 proposed fine would jeopardise a significant number of jobs as mitigating factors in this case. The Litigation Chamber also takes particular account of the fact that the first defendant has already acknowledged the infringement from the beginning of the procedure and has assumed its responsibility in this respect throughout the entire present procedure. 261. Other mitigating or aggravating circumstances - The other circumstances do not apply in this case because the circumstances to which they refer do not apply in this case. ii) Impact on the amount of the fine 262. The specific starting amount of EUR 160,000 was determined above. Subsequently, any mitigating or aggravating circumstances were examined. The Litigation Chamber ruled that various circumstances with a mitigating factor could be taken into account. Consequently, the fine in the penalty form was adjusted to EUR 90,000. 263. In accordance with the elements set out above, including the arguments put forward by the first defendant in her response to the penalty form, the Litigation Chamber decides to reduce the proposed fine from EUR 90,000 to 45,000. III.1.1.7. Step 4: Checking whether the maximum amounts were exceeded 264. As already explained, the maximum fine for the infringement found is 4% of the worldwide annual turnover of the company. Given the turnover of the first defendant ([/] EUR), the statutory maximum of the fine to be imposed is therefore EUR 3,417,778.64. The fine amount determined in the penalty form for the infringements found was set at EUR 90,000, which was below the statutory maximum amount. The reduced amount of the fine of EUR 45,000 is also well below the above-mentioned statutory maximum, meaning that there is no excess thereof. III.1.1.8. Step 5: Assessment of the effective, proportionate and deterrent nature 265. As regards the disproportionate nature of the proposed fine, the first defendant refers in its response to the penalty form to previous decisions of the Litigation Chamber concerning the processing of biometric data, including the decisions concerning the use of thermal imaging cameras at Brussels Zaventem and Charleroi airports. The first defendant states that the fines imposed by the Dispute Chamber were considered disproportionate by the Market Court. According to the first defendant, it is clear that the two judgments in the aforementioned cases apply to the present case, since they concern the unlawful processing of Decision on the merits 114/2024 – 68/71 biometric data. The following points in particular are of importance according to the first defendant: (i) the first defendant does not carry out marketing advertising, unlike the airports in the above cases, and it does not process personal data in the context of its main activity, (ii) the defendant never registered the fingerprint as such, because it remained within the system of the second defendant and it was only given a code to generate the information regarding working hours, which is fundamentally different from the method used at Brussels Airport, and (iii) the turnover of the first defendant is much lower than that of Brussels and Charleroi airports. Given these circumstances, the proposed amount of 90,000 would be disproportionate, according to the first defendant. 266. The Litigation Chamber first points out that, in accordance with Article 83.2 of the GDPR as well as the Guidelines of Group 29 and the EDPB Guidelines 58 on fines are imposed "according to the circumstances of the specific case". In addition, the Litigation Chamber refers in this regard to the case-law of the Court of Appeal of Brussels, Market Court section, according to which "the Belgian legal system does not attribute binding precedent value to either administrative or judicial decisions. Any decision of a judge (and this also applies to any decision of an administrative authority, provided that the principle of equality is not violated) is specific and does not extend to a case other than the one being dealt with". 59With regard to the amount of the administrative fine imposed, the Market Court also referred to the margin of appreciation of the Litigation Chamber: "This means in practice that the GBA can not only decide not to impose a fine on the offender, but also that, if it does decide to impose a fine, it must be between the minimum, starting from EUR 1, and the maximum provided for. The fine to be imposed is decided by the GBA, taking into account the criteria listed in Article 83, paragraph 2 of the GDPR". 60 The Litigation Chamber is therefore not bound by the amounts of previous fines that it has imposed in previous cases. 267. The Litigation Chamber then refers to the fact that the EDPB has issued Guidelines on the calculation of administrative fines, which was not yet the case when the aforementioned decisions on thermal cameras at airports were taken. These Guidelines set out the calculation of these fines on the basis of various factors that the Litigation Chamber must take into account. Therefore, the calculation of the administrative fine prior to the issuance of the 58 Data Protection GroupArticle 29, Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, 3 October 2017, EDPB – Guidelines 04/2022 for the calculation of administrative fines under the GDPR (v2.1, 24 May 2023),), p. 34. 59 Court of Appeal Brussels (section Market Court), NV N.D.P.K. v. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 12. 60 Court of Appeal Brussels (section Market Court), NV N.D.P.K. v. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 42. Decision on the merits 114/2024 – 69/71 EDPB Guidelines cannot be compared with the calculation of the administrative fine based on these Guidelines. 268. On the basis of Article 83.5, introductory phrase and under b, GDPR, the Litigation Chamber may impose an administrative fine for the infringements described above. As described in the Guidelines, the imposition of a fine can be considered effective if it achieves the purpose for which it was imposed. The Litigation Chamber states that the intended purpose is twofold: on the one hand, to punish unlawful conduct and, on the other hand, to promote compliance with the applicable rules. The Litigation Chamber considers that the requirement of effectiveness has been met. As regards proportionality, the Litigation Chamber refers to the nature, seriousness and duration of the infringement, as well as the other factors in Article 83, paragraph 2, GDPR, as assessed in sections III.1.1.2 to III.1.1.6 of this decision. The weighing of the above factors in combination with the taking into account of the turnover of the first defendant, leads the Litigation Chamber to determine that the fine imposed meets the requirement of proportionality. Finally, as regards the deterrent effect, the fine encourages the first defendant to avoid repetition in the future, and the imposed fine also has a deterrent effect with regard to other controllers. 61 Consequently, the Litigation Chamber also considers that the imposed fine of EUR 45,000 meets the requirements of effectiveness, proportionality and deterrent effect. III.1.1.9. Other grievances 269. The Dispute Chamber will proceed to a dismissal of the other grievances and findings of the Inspection Service because, based on the facts and documents in the file, it cannot conclude that there would be infringements of the GDPR in this case. III.2. With regard to the second defendant 270. The Dispute Chamber will proceed to a dismissal of the grievances and findings of the Inspection Service with regard to the second defendant because, based on the facts and documents in the file, it cannot conclude that there would be infringements of the GDPR in this case. IV. Publication of the decision 271. Given the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision is published on the website of the 6The deterrent character should deter the first defendant and others from committing the same infringement in the future, see European Data Protection Board (EDPB), Guidelines 04/2022 for the calculation of administrative fines under the GDPR (version 2.1), 24 May 2023, paragraph 142. Decision on the merits 114/2024 – 71/71 an inter partes application must be lodged with the registry of the Market Court 63 in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of Justice (Article 32ter of the Judicial Code). (signed). Hielke H IJMANS Chairman of the Dispute Chamber 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 63 The application with its appendix shall be sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or lodged with the clerk.
Categories:
- APD/GBA (Belgium)
- Belgium
- Article 5(1)(b) GDPR
- Article 5(1)(c) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 6(1)(a) GDPR
- Article 9(1) GDPR
- Article 9(2)(a) GDPR
- Article 12(1) GDPR
- Article 13(1)(c) GDPR
- Article 13(2)(c) GDPR
- Article 13(2)(d) GDPR
- Article 13(2)(e) GDPR
- Article 15(1) GDPR
- Article 30(1)(a) GDPR
- Article 30(1)(b) GDPR
- Article 30(1)(c) GDPR
- Article 30(1)(d) GDPR
- Article 35 GDPR
- 2024
- Dutch
