APD/GBA (Belgium) - 46/2024
APD/GBA - DOS-2019-05837 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR; Article 6(1) GDPR; Article 6(4) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 20.01.2020 |
Decided: | 15.03.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DOS-2019-05837 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | ADP (in NL) |
Initial Contributor: | n/a |
The DPA rejected a complaint concerning the processing of personal data for the purpose of building and training a model which offered personalised discounts, noting that this practice could be understood as a legitimate interest of the controller.
English Summary
Facts
A bank ('controller') used the data subject's personal data, including the content of payment transactions, to build models for their 'personalised discounts' service. The data subject objected to the use of his data to build models which offered the personalised discounts. The controller responded that his request was registered and that his data would no longer be used for model building. The data subject filed a complaint with the Belgian DPA ('GBA') on 10 January 2020.
First, the controller argued that it relied on consent for the activation of the personalised discounts service. However, to build the models on which the service is based, the controller invoked legitimate interest. It also explained that building these models constitutes further processing. Therefore, the controller distinguished between 'tailored information' which was based on the data subject's consent which he could withdraw and the 'model building', which was based on legitimate interest with the data subject's right to object.
Second, the controller argued that the data subject did not have an interest in the case as he never activated the personalised discounts service. The controller also explained that the data subject's right to object was granted before the complaint was filed and thus his personal data was no longer processed for the model building. The controller considered that this rendered the complaint inadmissible.
The data subject argued that the processing of personal data in data models was done for a completely different purpose than that for which the personal data was initially collected, namely the handling of transactions in the performance of the agreement between the controller and the data subject. The data subject also explained that the controller's privacy policy of 2 February 2017 stated that the controller used its customers' transaction data to better know and serve its customers for all marketing and commercial purposes as listed in the privacy policy. The controller updated its privacy policy on 1 February 2019 and it indicated that the transaction data was used to build analytical data models for commercial purposes.
Holding
First, the DPA analysed the data subject's interest in lodging a complaint. The GBA pointed out that the GDPR does not prevent a national law from allowing persons other than data subjects to lodge a complaint with DPAs. In accordance with this, Belgian national law allows any person to file a complaint, provided they have a sufficient interest in doing so.
In the present case, the GBA held that the subject of the complaint was the use of the data subject's personal data by the controller to build and train the models which the personalised discounts service was based on. Following the data subject's exercise of his right to object to the processing, the models were modified. Therefore, the current models were no longer based on the data subject's personal data.
However, the GBA considered that this was completely irrelevant: the mere fact that the data subject's personal data was no longer included in the dataset on which the models were based and trained did not mean that the data subject had no interest in filing the complaint. The GBA pointed out that it could not be denied that the data subject's personal data was indeed processed. Thus, the data subject had an interest in challenging the legal basis for such data processing.
Second, regarding the purpose, the GBA confirmed that the processing of personal data for building data models constitutes processing for a new purpose, different from that of targeting data subjects with personalised discounts. The GBA also pointed out that this purpose was not disclosed to customers, including the data subject, at the time of entering into the customer relationship. With regard to what was claimed by the controller in its privacy policy, the DPA considered that this processing constituted a new purpose distinct from the initial purpose of executing and recording payments.
Concerning the further processing, the GBA assessed whether or not this new purpose could be considered compatible with the initial purpose. Article 5(1)(b) GDPR establishes that processing of personal data for purposes other than those for which they were initially collected may be authorised if the processing is compatible with the purposes for which they were initially collected. In the present case, the GBA considered that when the data subject entrusted his personal and transaction data to the controller, he had no reasonable expectation that the controller would use the same data to build models that offer personalised discounts. Moreover, the DPA held that the purpose pursued by the controller was not motivated by scientific, historical or statistical considerations. The end goal was purely commercial. As such, the GBA concluded that the controller could not benefit from this exception and that there was no compatible further processing.
Concerning the legal basis, the DPA examined the possibility of invoking legitimate interest under Article 6(1)(f) GDPR as a legal basis. This article establishes that the processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail. Recital 47 GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In CJEU, 4 May 2017, Rigas, C-13/16, the Court of Justice held that Article 6(1)(f) GDPR lays down three cumulative conditions: (i) the pursuit of a legitimate interest by the controller, (ii) the necessity of the processing in order to achieve the legitimate interest pursued and (iii) the fundamental rights and freedoms of the data subject must not prevail.
Regarding the pursuit of a legitimate interest, the GBA considered that building models in order to offer personalised discounts to the controller's customers should be considered as carried out with a legitimate interest in mind. The DPA noted that building a data model aimed at offering personalised discounts was part of the controller positioning itself in the market. The controller's starting point was to gain insight into its customers' services while responding to societal evolutions and trends such as digitisation and personalisation of services and diversification of service. The GBA considered that this may be a legitimate interest.
Regarding the necessity of the processing in order to achieve the legitimate interest, the GBA pointed out that the analysis of transaction data to train models is necessary to provide personalised discounts to the controller's customers. Indeed, without the creation of data models, the discounts could not be offered in a personalised manner through a digital application. Therefore, the GBA considered that this processing was necessary to achieve the legitimate interest.
Regarding the balancing between the interests of the controller and the freedoms and rights of the data subject, the GBA held that the reasonable expectations of the data subject should be taken into account. This is also emphasised by CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, in which the CJEU found that "the data subject’s reasonable expectations that his or her personal data will not be processed when, in the circumstance of the case, that person cannot reasonably expect further processing of those data, are also relevant for the purposes of the balancing exercise." The GBA considered that it was essential to distinguish between the phase of building and training the models themselves, and the phase of offering personalised discounts through the use of the models built in the previous phase.
The GBA found that it was within the data subject's normal expectation that the controller used its transaction data to train models, without further operationally using them to offer personalised discounts for which consent was sought. The controller removed identifiers and did not apply the model to identify individuals, nor to re-identify them. The GBA also held that the models were merely algorithms that no longer contained personal data. The DPA also took into account the fact that the customers' personal data was not passed on to third parties and no special categories of data were processed by the models. Therefore, the GBA concluded that the impact on the data subject was extremely small and the processing of his personal data was kept to a minimum as it did not give rise to the offering of personalised discounts without the data subject's consent. The GBA also pointed out that the data subject could always exercise his right to object to the use of his data to build models within the meaning of Article 21 GDPR.
Therefore, the GBA concluded that the controller had a legitimate interest in the processing, namely building data models aimed at offering personalised services, which is an element of positioning itself in the market and thus a commercial interest of the controller.
Additionally, the GBA pointed out that the controller complied with the transparency obligation by not only updating its privacy policy, but by also informing its customers directly. The data subject was also made aware of the possibility of exercising his right to object, which he did, and the controller responded appropriately.
Therefore, the GBA concluded that the controller complied with its obligations under the GDPR and did not commit any breach of it as regards the construction of the data models.
Comment
Initial contributor's comment: Decision may possess significant importance for usage of training data. While the model in question appears not to possess the ability to learn, the same reasoning as presented by DPA could be applied to artificial intelligence solutions.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Warning - Page 15 cannot be translated
Dispute Chamber
Decision on the merits 46/2024 of March 15, 2024
File number: DOS-2019-05837
Subject: Use of transaction data for personalized discounts
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, chairman, and Messrs. Frank De Smet and Romain Robert, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mr.
The defendant: Y BANK, represented by master Heidi Waem, hereinafter “the defendant”
I. Facts and procedure
1. On January 10, 2020, the complainant submits a complaint to the Data Protection Authority against defendant.
2. The subject of the complaint concerns the defendant's use of personal data, including the content of payment transactions, for building models for the service "Personalized Discounts". The complainant states that the activation of the personalized discounts service takes place after the data subject has done so has granted permission, but that for building the models on which these service is based and for which the defendant has personal, financial data processes customers, the defendant relies on his legitimate interest, while according to the complainant, permission is required for this.
The complainant states that he has resisted against “Customized Information” from the defendant. However, there is no bill taken into account his opposition to the processing of personal data when building models for “Personalized discounts”. Furthermore, the complainant notes that resistance to building models for “Personalized Discounts” with his data is only implemented one month later for technical-organizational reasons. According to the complainant, this leads to the processes that the The defendant's approach is to make resistance de facto impossible.
3. On January 14, 2020, the complaint will be declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber.
4. On February 7, 2020, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for substantive treatment and will be involved parties are notified by registered mail of the provisions as stated in Article 95, § 2, as well as that in Article 98 WOG. They are also subject to Article 99 WOG informed of the deadlines for submitting their defenses. The deadline for receipt of the defendant's statement of defense was recorded on March 11, 2020, this for the conclusion of the complainant's reply on 26 March 2020 and this for the defendant's response on April 10, 2020.
5. On February 12, 2020, the complainant electronically accepts all communications regarding the case, in accordance with article 98 WOG.
6. On February 17, 2020, the defendant requests a copy of the file (Article 95, § 2, 3° WOG), which was transferred to him on February 25, 2020. The defendant electronically receives all communications regarding the case and indicates its use wish to take advantage of the opportunity to be heard, in accordance with Article 98 of the WOG.
7.
On March 11, 2020, the Disputes Chamber will receive the response statement defendant in which he relies on the legitimate interest in building data models for the “personalized discounts” service, as well as arguing that it building these models constitutes compatible further processing. The defendant makes a distinction between “customized information” and “building models” on it in terms of legal grounds and the rights of the data subject, where “tailor-made information” is based on consent with the right of the data subject to obtain this consent to withdraw, and “model building” will be based on legitimate interest with the right of the data subject to object. In addition, the defendant that the withdrawal of consent in the context of “customized information” does not extend to the processing of personal data for model building for “Personalized discounts” based on legitimate interest. According to the defendant, the complaint is unfounded.
8. On March 26, 2020, the Disputes Chamber will receive the complainant's response. The complainant argues that the processing of personal data takes place in data models for a completely different purpose than that for which the data was initially collected, in particular for the execution of the agreement that the defendant has with its customers for the settlement of transactions. Therefore, he argues that the processing for this new purpose constitutes incompatible processing and the defendant cannot rely on the legitimate interest in drawing up data models for direct marketing for third parties. According to the complainant, there is also no clear distinction between the services “customized information”, “personalized discounts” and construction of models for these services, ensuring transparency and fairness of the processing is undermined.
He argues that it is resistance to building models for “personalized discounts” is misunderstood by giving the illusion to the user that this right was exercised, while this subsequently appears not to be the case. Also According to the complainant, the period of time between the privacy statement dated September 1, 2019 and the in practice give effect to the objection which could only be exercised after notification of the “personalized discounts” service by letter dated September 21 2019, followed by the period of one month that the defendant needs to delete the complainant's data is problematic. The complainant states that during that period the defendant can use the transaction data to build valuable models and then to offer direct marketing so that the resistance is implemented when it the purpose of the processing has already been achieved and it is therefore de facto impossible for the customer to object to the processing of his data for this purpose.
9. On April 10, 2020, the Disputes Chamber will receive the defendant's response. The defendant further elaborates on the elements as set out in the conclusion of answer. An additional element that is raised is that alleged by the defendant lack of interest on the part of the complainant resulting in the complaint being filed according to the defendant is inadmissible and therefore not only unfounded. Furthermore, the defendant defines the object of the procedure by pointing out that the complainant never “personalized” the service discounts” and only objected to the use of his data for building models for offering the personalized discounts, which ensures the legality of the processing in the context of offering personalized discounts are not an issue.
10. On March 22, 2023, the parties will be notified that the hearing will take place on April 26, 2023.
11.
On April 3, 2023, the parties will be notified that the hearing will take place unforeseen circumstances had to be moved to May 9, 2023.
12. On May 9, 2023, the parties will be heard by the Disputes Chamber.
13. The minutes of the hearing will be submitted to the parties on June 5, 2023.
14. On June 12, 2023, the Disputes Chamber will receive some comments from the defendant with regard to the official report, which it decides to include in its deliberations.
II. Justification
a) Interest of the complainant
15. First of all, the defendant emphasizes the absence of any personal and current interest on behalf of the complainant. The defendant believes this can be deduced from the fact that the law objection filed by the complainant was granted before the complaint was filed and the complainant's personal data will therefore no longer be processed for the purpose of building models. Also, according to the defendant, the complainant would not have committed a violation of his own rights, but rather denouncing the defendant's practices in name of the general interest of the defendant's other customers and are not aimed at it to safeguard its own rights, but the rights of other customers.
16. In this regard, the Disputes Chamber points out that it is only concerned with those elements of the complaint for which the complainant has an interest. The Dispute Chamber on the following:
17. Article 58 of the WOG states: “Anyone can submit a complaint or complaint in writing, dated and signed submit a request to the Data Protection Authority”. In accordance with article 60, paragraph 2 WOG “a complaint is admissible if it:
- is drawn up in one of the national languages;
- contains a statement of the facts as well as the necessary indications for the identification of the processing to which it relates;
- it falls within the jurisdiction of the Data Protection Authority”.
18.
The preparatory activities of the WOG determine: “The Data Protection Authority may receive complaints or requests from anyone; natural persons but also legal entities, associations or institutions that have a wish to sue alleged infringement of the Regulation. Submit a complaint or request the Data Protection Authority must be in writing, dated and by the appropriate authority authorized person must be signed. A request must be in the broadest sense of the word be interpreted (request for information or explanation, a request to mediate, ...)”.[1]
19. The WOG therefore does not rule out the possibility that a person other than the data subject or the person who is authorized by the data subject, as referred to in Article 220 of the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, can file a complaint with the Authority.
20. While the GDPR approaches the 'complaint' from the data subject's point of view, through the supervisory authorities to impose obligations when a person makes a complaint (see Articles 57, 1., f) and 77 of the GDPR), the GDPR does not prevent national law from gives persons other than those involved the opportunity to file a complaint with the national supervisory authority. The possibility of such a referral is appalling otherwise corresponds to the instructions given to the supervisors by the GDPR promised. In that respect and generally speaking, each regulator ensures: the monitoring and enforcement of the application of the GDPR (Article 57, 1., a) GDPR), and the performance of all other tasks related to the protection of personal data (Article 57, 1., v) GDPR).[2]
21. In that respect, the Disputes Chamber rules that Article 58 of the WOG applies to every person opportunity to file a complaint, provided that he has sufficient interest in it in accordance with the aforementioned provisions of the GDPR.
22. The condition is that the complainant demonstrates a sufficient interest.
In that regard the Disputes Chamber points out that, based on the documents in the file, it is unmistakable it has been established that the complainant's personal data was used by the defendant for building and training the data models on which the 'Personalized discounts' is based, which is precisely the subject of the complaint. The determination by the defendant that as a result of the exercise of the right of objection by the complainant the data models were adjusted in such a way that the current one models are no longer based on the complainant's data is absolute irrelevant. The mere fact that the complainant's personal data is no more included in the set of personal data on which the models will be created based and trained and the complainant's right to object was granted before the complaint was filed does not in any way mean that the defendant can claim that the complainant would have no interest in submitting the complaint and his complaint solely on it is aimed at safeguarding the general interest of other customers. Not only were the complainant's personal data will only be removed from the dataset on which the models are used trained after he had taken the initiative and had his right to object exercised, but in addition it cannot be denied by the defendant that the complainant's personal data were indeed processed and the complainant has an interest in this has to contest the legal basis for this data processing.
[1] Parl. doc., Chamber of Representatives, 2016-2017, DOC 54 2648/001, p.40 (comment on article 58 of the original bill).
[2] In its decision of June 8, 2020, the Disputes Chamber has already allowed, under very strict conditions, that a submits a complaint other than the person concerned (Decision on the merits 30/2020, published on the GBA website).
The mere determination that in the current situation the defendant does not have the personal data of the complainant more processed for building the data models on the basis of which the personalized discounts are offered, does not change this and therefore implies in no way that the complainant no longer has an interest at present.
b) Rights of defense and principles of good administration
23. The defendant states that the notification by the Disputes Chamber that the relevant complaint was filed without mentioning the articles of law that may be involved would have been violated, has the consequence that the principles of good administration and the rights of defense vis-à-vis the defendant have been violated.
24. From the claims submitted by the defendant, which are accurately addressed However, on each of the points raised by the complainant, it appears that the complaint and the possible infringements charged to him by the complainant were clear from the outset for the defendant.
25. Furthermore, the Disputes Chamber points out that the procedural guarantees must be maintained in full are complied with and if there may already have been a disadvantage to the defendant by the manner in which he was informed of the complaint and the defendant charged infringements, this disadvantage has been completely removed in the follow-up process[3], as a result there can be no question of any violation of the principles of good conduct management. The procedural elements raised by the defendant have no effect that the rights of defense have been violated, as the defendant has the opportunity given the opportunity to fully present his argument through the conclusion of answer.
[3] See in this context: Decision on the merits 18/2020 of April 28, 2020; Decision on the merits 71/2020 of October 30, 2020; Decision on the merits 133/2021 of December 2, 2021.
In addition, the defendant has fully exercised his right to appeal exercise during the hearing of the Disputes Chamber. The defendant thus has no only suffered a disadvantage and the rights of defense are therefore valid respected.
c) Legal basis
26. According to the complainant, the use of the transaction data of the customers of the defendant for building and training models used for the offering personalized discounts for third party services and products to be considered as processing for a purpose other than the original one purpose consisting of the handling of transactions, namely the execution and registering payments. This leads the complainant to the conclusion that the defendant is responsible for the uses transaction data obtained for the purpose of achieving the initial purpose other, incompatible purpose.
27. The Disputes Chamber examines to what extent the defendant has access to customer transaction data can use to build data models based on which personalized discounts are offered.
28. The Disputes Chamber states that the processing of customer transaction data for building data models constitutes processing for a new purpose, since no document present in the file shows that this was already the case at the time of collection the transaction data, i.e. information at the time of entering into the customer relationship was provided for this purpose. Article 13.1. c) GDPR requires that before started the processing activities the data subject is informed about the processing purposes for which the personal data are intended, including the legal basis. Building data models for commercial purposes is one purpose that was not brought to the attention of the customers, including the complainant, on the moment of entering into the customer relationship. The complaint shows that the complainant did not comply with the was informed of this purpose when entering into the customer relationship with the defendant, which is also not denied by the defendant.
The defendant claims However, the use of the transaction data in the data models must be processed be regarded as not incompatible with the original purposes of the sentence of article 5.1. b) GDPR.
29. The defendant's privacy statement dating from February 2, 2017 states that the defendant also uses the transaction data of its customers to better serve its customers to get to know and be able to operate for all marketing and commercial purposes, as listed in the privacy statement. Explicit reference is made to the purpose that the defendant pursues in order to function as a company, as well as to the purpose of doing direct marketing for their own banks insurance activities of the defendant and also for these activities of partners of the defendant who offer products or services in the banking and insurance sector. On Based on this, the Disputes Chamber can determine that the reuse of the transaction data at that time is limited to the commercial activities that directly related to the range of products and services within the banking and insurance sector[4].
30. The privacy statement of February 1, 2019 states that the transaction data used for building analytical data models for commercial purposes[5], also this time limited to banking and insurance activities².
31. The Disputes Chamber notes that in any case from the moment of the privacy statement from September 1, 2019 building data models for commercial purposes the context of banking and insurance products and services, since from that moment on it is mentioned that data models are created to provide personalized discounts for to offer third party products and services to the defendant's customers. This constitutes a new purpose that is distinguishable from the initial purpose, namely making and registering payments.
The Disputes Chamber will check whether this is the case new purpose may or may not be considered compatible with the initial one purpose as stated when entering into the customer relationship with the complainant.
32. In accordance with Article 5.1. b) GDPR may allow the processing of personal data for others purposes other than those for which the personal data was initially collected be permitted if the processing is compatible with the purposes for which the personal data was initially collected. Taking the criteria into account included in article 6.4. GDPR and recital 50 GDPR[6] it must therefore be determined whether the further processing, in this case building data models for offering personalized discounts for third party services and products, whether or not is compatible with the initial processing consisting of the execution and registration of payments on behalf of the complainant. The Disputes Chamber concludes that the complainant has entrusted his personal data and transaction data to the defendant within the framework of his contractual relationship with the bank (being the defendant) to which he when a customer calls for the settlement of his banking affairs and there is no way could reasonably expect that the bank would use the same data, without that the complainant can oppose this, to train data models that the banking and exceed the defendant's insurance activities and are purely aimed at it products or services from third parties that are not at all related to the activities of the defendant.
[4] […]
[5] […]
[6] Recital 50 GDPR: […] In order to determine whether a purpose of further processing is compatible with the purpose for which the personal data have initially been collected, the controller must, after having complied with all regulations relating thereto legality of the original processing has been met, taking into account, among other things: a possible link between those purposes and the purposes of the intended further processing; the framework in which the data is collected; in particular the reasonable expectations of those involved based on their relationship with the controller regarding its further use; the nature of the personal data; the consequences of the intended further processing for the data subjects; and appropriate safeguards for both the original and the intended further processing.
33. Moreover, the defendant's additional argument that it can be analyzed internally of data and building data models in this case can be equated with one processing for research purposes or statistical purposes within the meaning of Article 5.1 b) GDPR, which means that the respective further processing is not considered incompatible with the original purposes can be considered, not convincing and therefore not leading to one lead to another decision. Article 5.1 b) GDPR specifies further processing for the purpose of scientific or historical research or statistical purposes[7], where this purposes in themselves. The purpose pursued by the defendant is not motivated by scientific, historical or statistical considerations. The building of the data models is not aimed at any scientific, historical or statistical purpose as an end goal (e.g. publication of the results in scientific journals), but on the other hand, are built solely for a commercial purpose, namely the have models that offer personalized third-party discounts can facilitate.
34. This leads to the conclusion that there is no compatible further processing, so that a separate legal basis is required to allow building data models with the purpose of offering products or services from third parties as could be lawful are labeled.
35.
After all, the processing of personal data, including incompatible processing as in the present case, is only lawful if a legal basis for it exists. For incompatible further processing, one must fall back on Article 6.1 GDPR and recital 50 GDPR. Recital 50 GDPR [8] states that a separate legal basis is required for the processing of personal data for other purposes that are incompatible with the purposes for which the personal data were initially collected. That separate legal basis, on which processing, including incompatible further processing, can be considered lawful, is determined in Article 6.1 GDPR.

[7] Article 5.1 b) GDPR: Personal data must be: a) […] b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, in accordance with Article 89, paragraph 1, not considered incompatible with the original purposes ('purpose limitation'); […] Recital 50 GDPR: […] Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes must be regarded as lawful processing compatible with the initial purposes. […]

36. To this end, the Disputes Chamber examines the extent to which the legal grounds provided in Article 6.1 GDPR can be invoked by the defendant for the further processing of the personal data relating to the complainant.

37. The defendant itself relies on legitimate interest, the legal basis included in Article 6.1 f) GDPR, which would allow it to carry out the data processing that is the subject of the complaint, being the construction of data models for the “personalized discounts” service.

38.
In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union (hereinafter “the Court”), three cumulative conditions must be met for a controller to be able to lawfully rely on this legal basis, “namely, first, the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are provided; second, the necessity of processing the personal data for the pursuit of the legitimate interest; and third, the condition that the fundamental rights and freedoms of the person concerned by the data protection do not prevail” (judgment “Rigas” [9]).

39. In order to be able to rely on the lawfulness ground of “legitimate interest” in accordance with Article 6.1 f) GDPR, the controller must, in other words, demonstrate that:

1) the interests it pursues with the processing can be recognized as legitimate (the “target test”);
2) the intended processing is necessary for the realization of these interests (the “necessity test”); and
3) the weighing of these interests against the interests, fundamental freedoms and fundamental rights of those involved comes out in favor of the controller (the “balancing test”).

[8] Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data were initially collected should only be permitted if the processing is compatible with the purposes for which the personal data were initially collected. In that case, no separate legal basis is required other than the one on the basis of which the collection of the personal data was permitted. […]
[9] CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA “Rīgas satiksme”, recital 28. See also CJEU, 11 December 2019, C-708/18, TK v/Asociaţia de Proprietari bloc M5A-ScaraA, recital 40.

40.
With regard to the first condition (the so-called “target test”), the Disputes Chamber is of the opinion that building data models in order to offer the defendant's customers personalized discounts on third-party products and services can be considered to be carried out for a legitimate interest. The defendant is free to make a similar service available to its customers, just like other banks that also grant discounts in the form of cashbacks. The building of the data model, for which the defendant uses the transaction data of its customers, thus including that of the complainant, is aimed at offering personalized discounts, which is part of positioning itself on the market. The defendant's premise is thus to gain insight into the services provided to its customers, responding to social evolutions and trends such as digitalization, personalization of services and diversification of the service offering, which is motivated by a commercial interest. Such a commercial interest can be a legitimate interest in accordance with Recital 47 GDPR [10], and this is also supported in Opinion 06/2014 of the Article 29 Data Protection Working Party [11]. The first condition contained in Article 6.1 f) GDPR is therefore met.

41. In order to meet the second condition, it must be shown that the processing is necessary for the achievement of the purposes pursued. This specifically means that the question must be asked whether the same result can be achieved by other means, without processing personal data or without processing that is unnecessarily intrusive for those involved.

42. It should be taken into consideration that data analysis of the transaction data for training models is a necessary tool to achieve the ultimate intended purpose, namely offering digital applications for offering personalized discounts to the defendant's customers. The data models form a necessary intermediate step between the transaction data as such, on the one hand, and the offer of personalized discounts via digital means, on the other. After all, without drawing up data models, discounts cannot be offered in a personalized manner via a digital application. This leads to the conclusion that the second condition of Article 6.1 f) GDPR has also been met.

[10] Recital 47 states that the processing of personal data for direct marketing purposes may be considered to be carried out for a legitimate interest. Direct marketing is thus an example of a commercial interest that is considered a legitimate interest. See also: the judgment of the European Court of Justice of 29 July 2019 (case C-40/17 Fashion ID).
[11] Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC: “The fact that the controller has such a legitimate interest in the processing of certain data does not mean that he can rely on Article 7(f) as a legal basis for the processing. The legitimacy of the controller's interest is only a starting point, one of the elements to be analyzed in accordance with Article 7(f). Whether Article 7(f) can be used depends on the outcome of the subsequent assessment. By way of illustration: a data controller may have a legitimate interest in the preferences of his customers so that he can better personalize offers and, ultimately, deliver products and services that better meet the needs and wishes of his customers. In view of this, Article 7(f) may be an appropriate legal basis for some types of marketing activities, both online and offline, provided that appropriate safeguards are in place (including a workable mechanism through which an objection to such processing can be lodged in accordance with Article 14(b), as will be demonstrated in section III.3.6 The right to object and further).” [own underlining]

43.
In order to determine whether the third condition of Article 6.1 f) GDPR is met, the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other, account must be taken of the reasonable expectations of the data subject. More specifically, it must be evaluated whether the “data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place” [12].

44. This is also emphasized by the Court in its judgment “TK v/ Asociaţia de Proprietari bloc M5A-ScaraA” of December 11, 2019 [13], in which it states: “Also relevant to this assessment are the reasonable expectations of the data subject that his or her personal data will not be processed when, in the given circumstances of the case, the data subject cannot reasonably expect any further processing of the data”.

45. The Disputes Chamber examines whether the interest of the defendant is proportionate to the impact it has on the fundamental rights and freedoms of those involved, including the complainant. In this context it is essential to distinguish between, on the one hand, the phase of building or training the data models themselves and, on the other hand, the phase of operationally offering personalized discounts via digital applications that use the models built in the previous phase.

46. Based on the documents present in the file, the Disputes Chamber determines that the defendant's method in the context of building the models conceptually and largely constitutes an application of Phase 1 in Figure 1 as shown under recommendation 18 of the Big Data Report [14].
Regarding this aspect in particular, the Disputes Chamber is of the opinion that it falls within the normal expectations of the complainant that the defendant uses his transaction data, unless the complainant objects, to train data models (without further using them operationally for the offering of personalized discounts, for which permission is requested). To train a model, an algorithm, the defendant may only process data from which as many identifiers of those involved as possible have been removed, without this model being applied in this phase to identified persons in an operational context. Furthermore, no attempt should ever be made to re-identify the people in the training set, if that would be at all possible after removing as many data subject identifiers as possible. Also, according to the defendant, the resulting models are only algorithms that no longer contain personal data, and the Disputes Chamber has no evidence to the contrary. It should also be taken into account that at no time are personal data of customers passed on to third parties. Moreover, no document shows that any special categories of personal data within the meaning of Article 9 GDPR are incorporated in the data models. The Disputes Chamber is therefore of the opinion that the impact on the complainant is extremely small and that the processing of his personal data is limited to a minimum, in the sense that his data are indeed reused but, at the stage of building the models, do not give rise to the offering of personalized discounts if the complainant does not actively give permission for this. Moreover, the complainant can also always exercise his right to object, within the meaning of Art. 21 GDPR, to the use of his data for building the models for offering personalized third-party discounts.

[12] Recital 47 GDPR.
[13] CJEU, December 11, 2019, C-708/18, TK v/ Asociaţia de Proprietari bloc M5A-ScaraA, recital 58.
[14] https://www.gegevensbeschermingsautoriteit.be/publications/big-data-rapport.pdf

47. With regard to the offer of personalized discounts for products and services from third parties to identified customers in an operational context (see Phase 2 in Figure 1 as included under recommendation 18 of the Big Data Report), the defendant after all expressly relies on Article 6.1 a) GDPR as a separate legal basis, so that, in the absence of consent, the complainant will not experience any further consequences from the use of his transaction data in the data model, which is considered purely as an intermediate step towards the ultimate intended purpose, the offer of personalized discounts. This ensures that only those customers of the defendant who have agreed in advance and have expressly chosen to make use of the “personalized discounts” service will enjoy a certain advantage, which is made possible by the defendant through the reuse of its customers' transaction data in the development of data models.

48. The combination of the above elements leads the Disputes Chamber to conclude that the third condition is also met and that the defendant therefore rightly relies on the legal basis of Article 6.1 f) GDPR for the construction of data models for the purpose of offering personalized discounts for third-party products and services, so that this incompatible further processing must be considered lawful.

49. In addition, the defendant has complied with the obligation of transparency (Article 5.1 a) GDPR in conjunction with Article 12.1 GDPR), not only by adapting the privacy statement on September 1, 2019, but also by addressing itself directly to its customers, and thus also to the complainant.
They received a letter on September 21, 2019 informing them of the various aspects listed in Article 13.1 GDPR by reference to the amended privacy statement, following the preparation of, and therefore prior to, the launch of the offer of personalized third-party discounts. The complainant was also informed of the possibility of exercising the right to object, which he indeed exercised on September 22, 2019 and with which the defendant complied in a timely and appropriate manner, in accordance with Article 12 GDPR in conjunction with Article 21 GDPR, by confirming on September 30, 2019 that his objection was registered and that his data would no longer be used for building models.

50. The fact that the defendant indicates in the same letter of September 30, 2019 that, for technical-organizational reasons, this can only be applied after the expiry of one month does not affect this. As the defendant states in its conclusions and as the Big Data Report [15] also shows, training data models is a complex process that takes some time. The Disputes Chamber considers the period of one month reasonable for implementing the complainant's objection.

51. A final point that the complainant raises is that he has already informed the defendant that he does not wish to receive “tailor-made information”, but that the facts giving rise to the complaint demonstrate that the defendant nevertheless uses his personal data to build models for offering personalized third-party discounts. The defendant shows in its conclusions and accompanying documents that there is a clear distinction between the construction of data models, on the one hand, and “tailor-made information”, consisting of tailor-made advertising relating to services within the banking and insurance sector, on the other.
This concerns classical personalized direct marketing, for which the defendant has prior consent (Article 6.1 a) GDPR), on the basis of a transparent explanation of what exactly “tailor-made information” means. The defense and the accompanying privacy statement of February 2, 2017, as well as that of February 1, 2019, show that the defendant has acted in accordance with Article 5.1 a) GDPR in conjunction with Article 12.1 GDPR. With regard to the “Customized Information”, the complainant has withdrawn the consent he initially granted. The Disputes Chamber determines that the complainant's withdrawal of this consent with regard to “Customized information” cannot be extended to the “construction of data models for personalized third-party discounts” which, as above

[15] https://www.gegevensbeschermingsautoriteit.be/publications/big-data-rapport.pdf

Such an appeal can be lodged by means of an inter partes petition, which must contain the information listed in Article 1034ter of the Judicial Code [16]. The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code [17], or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS
Chairman of the Disputes Chamber

[16] The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer.
[17] The petition with its appendix is sent by registered letter, in as many copies as there are parties involved, to the clerk of the court or deposited at the registry.