APD/GBA (Belgium) - 48/2021

From GDPRhub
APD/GBA - 48/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 3 of the Belgian law for organizing a national register of natural persons
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.04.2021
Published: 08.04.2021
Fine: None
Parties: A private individual (plaintiff)
A notary (defendant)
National Case Number/Name: 48/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Website of the Belgian DPA (in FR)
Initial Contributor: Maïlys Lemaître

The Belgian DPA held that, for lack of a legal basis pursuant to Article 6 GDPR, a notary cannot consult the national register for natural persons in order to obtain personal data for other purposes than those defined by the law and within the scope of their profession.

English Summary

Facts

The plaintiff lodged a complaint with the Belgian DPA after their former employer, the defendant, sent them the remaining money they were owed to an address obtained by consulting the national register for natural persons. The plaintiff argued that the defendant had not processed the data lawfully, since they had not consulted the register within its defined purposes.

To this the defendant replied that they were unsure of their former employees' address and thought that the national register could be consulted in any case, because they had access to it within the scope of their profession.

Dispute

Can the collection by a notary of personal data contained in the national register for natural persons be justified by the sole fact that within the scope of their work they can already access said register?

Holding

The Belgian DPA reminded the defendant that, notwithstanding the fact that notary was one of the professions allowed to consult the national register for natural persons, they should, pursuant to Article 3 of the Belgian law for organising a national register for natural persons, always do so for tasks that fall within their competence and are specific to the performance of their notary assignments.

The register should therefore not be used for tasks that are common to any employer, such as sending mail to their employees or former employees. By consulting the national register for that purpose, the defendant processed data unlawfully, thus going against Article 6 combined with Article 5(1)(a) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                                                                            Decision on the merits 48 / 2021- 1/15







                                                                          Litigation Chamber

                                             Decision on the merits 48/2021 of 08 April 2021





File No .: DOS-2020-02322



Subject: Complaint against a notary for unlawful consultation of the National Register




The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke

Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this

composition;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of individuals with regard to the processing of personal data and the

free movement of these data, and repealing Directive 95/46 / EC (General Regulation on the

Data Protection), hereinafter GDPR;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);


Considering the Law of August 8, 1983 organizing a National Register of Natural Persons (hereinafter the RN Law);


Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20

2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;





Took the following decision regarding:

The complainant: Mrs X. Hereinafter "the complainant".


The defendant: Mrs Y, Advised by Maître Sari Depreeuw, lawyer, whose firm is

                               established avenue Louise, 81 in 1050 Brussels. Hereinafter "the defendant".





    1. Feedback from the procedure


Having regard to the complaint lodged by the complainant with the Data Protection Authority (APD) on May 14

2020; Decision on the merits 48 / 2021- 2/15



Considering the decision of 11 June 2020 of the Front Line Service (SPL) of the APD declaring the complaint admissible

and its transmission to the Litigation Chamber;



Having regard to the letters of July 14 and August 19, 2020 from the Litigation Chamber informing the parties of

its decision to consider the case as ready for treatment on the merits on the basis of the article

98 LCA and providing them with a timetable for exchanging conclusions;


Having regard to the conclusions filed by the defendant on October 1, 2020;


Considering the conclusions filed by the complainant on October 21, 2020;


Having regard to the final submissions filed by the defendant on November 13, 2020;


Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on January 20, 2021;


Having regard to the hearing during the session of the Contentious Chamber of March 2, 2021 in the presence of Maître S.

DEPREEUW and Maître O. BELLEFLAMME representing the defendant;


Having regard to the minutes of the hearing and the observations made thereon by the counsel of the

defendant which were attached to these minutes.





    2. The facts and the subject of the request


1. The defendant is a notary in Flanders.



2. The defendant, in the course of 2019, hired the plaintiff as a notarial lawyer

    in his study under an open-ended contract which began in August 2019. Under the terms of

    contract, the complainant is identified as being domiciled in Wallonia. A second relative contract

    the allocation of ecocheques was also signed between the parties. According to the latter, the

    complainant is also identified as being domiciled in Wallonia. This contract provides in its

    Article 4 that the ecocheques will be credited monthly to the ecocheque account of the

    complainant. During the hearing (see below), however, the defendant indicated that there has always been

    sending ecocheques by post during the term of the contract with the complainant.




3. The defendant states that the plaintiff had settled in Flanders near the study for

    that she was working with her to limit the travel time between her place of work and her place of

    residence, while retaining its domicile in Wallonia.



4. This employment relationship ended in February 2020 following the resignation of the complainant in

    a climate that the defendant describes as tense, all trust being broken between the parties. Decision on the merits 48 / 2021- 3/15



5. At the end of this employment relationship, the defendant remained liable for an amount of 56.07

    euros in ecocheques vis-à-vis the complainant. After a first reminder, the complainant sent a

    second reminder to the defendant by email on March 16, 2020.



6. These eco-checks were sent by the defendant to the address of the plaintiff's domicile, namely

    in Wallonia, by registered letter of March 16, 2020. Beforehand, the defendant indicates

    have verified the complainant's address in the National Register.



7. On April 19, 2020, the Complainant sent an email to the Respondent complaining of this

    consultation of its National Register on March 14th.



8. In response, the defendant explained to the complainant the reasons for this consultation. The

    defendant thus indicated that she had wanted to verify the exact address to which she was to

    send the ecocheques to the complainant as soon as she knew that the complainant had several

    addresses, in Flanders and Wallonia. The defendant stated that at the end of the relationship

    contract, she was uncertain as to which address it was suitable for, on the eve of

    the entry into force of the containment measures, send the eco-checks to the complainant.



9. On May 14, 2020, the complainant filed a complaint with the APD.



Subject of the Complainant's Complaint


10. According to her complaint, the complainant complains "of a consultation of her national register by

    the defendant without any consent on its part and any legal framework ”as well as

    "The use of access to the population register outside of the specific regulations

    to obtaining information from population registers ".




11. According to her conclusions, the complainant also raises a lack of information in the

    defendant in violation of Article 14 of the GDPR. More specifically the complainant

    asks the Litigation Chamber:

- declare their complaint admissible and well founded;


- to note the violation of the Law of August 8, 1983 organizing a National Register of Persons

         physical (RN Law) and the Royal Decree of 11 September 1986 authorizing access by notaries to

         national register of natural persons;


- to find the violation of the fundamental principles of data protection

         personal;


- to pronounce a sanction. Decision on the merits 48 / 2021- 4/15



Defendant's position


12. Mainly, the defendant asks the Litigation Chamber to declare itself incompetent

    to process the complainant's complaint and dismiss it as inadmissible.



13. In the alternative, the defendant asks the Contentious Chamber to declare the complaint

    unfounded, considering that it did not violate the fundamental principles of data protection

    personal and consequently, order a dismissal.



14. In the alternative, if the Contentious Chamber were to find a violation of the principles

    fundamental principles of the protection of personal data, the defendant seeks the

    suspension of the delivery.



15. Finally, in the very alternative, the defendant requests that account be taken of

    extenuating circumstances to limit the corrective action pronounced to a warning or even to

    a reprimand.



    3. The hearing on March 2, 2021


16. During the hearing, the minutes of which were drawn up, the following elements were brought to light

    light by the defendant, the complainant not being present at the hearing:

- the incompetence of the Litigation Chamber to deal with the complaint;


- the relational difficulties encountered from the outset with the complainant and the loss of confidence

        gradual progress of the defendant with regard to the plaintiff, this rupture finding its climax

        at the time of termination of the contract;


- the fact that it is incorrect to claim that notaries would have access to all the data at

        personal character contained in the National Register, their consultation being limited to

        data referred to in the Royal Decree of 11 September 1986 on the one hand and the mention that

        the application available to notaries does not allow consultation targeting the only data

        "Address" to the exclusion of any other on the other hand;


- the good faith of the defendant who, faced with a conflictual situation, acted out of concern for

        protect against any reproach sending to an address that would not have been the right one;


- the implementation of a series of measures adopted by the defendant aimed at putting

        compliance with the obligations of the GDPR resulting from his capacity as person responsible for

        processing: security policy, register of processing activities, designation of a delegate

        data protection etc. Decision on the merits 48 / 2021- 5/15



PLACE


    4. As to the jurisdiction of the APD, in particular its Litigation Chamber



17. The DPA is the Belgian authority, in particular responsible for monitoring compliance with the GDPR in application

    of Article 8 of the Charter of Fundamental Rights of the European Union (EU), of Article 16 of

    Treaty on the Functioning of the European Union (TFEU) and article 51 of the GDPR. Regarding

    of Article 51 of the GDPR in particular, it requires each EU member state to

    set up one or more independent public authorities, responsible for monitoring

    the application of the GDPR in order to protect the fundamental rights and freedoms of individuals

    with regard to the processing of their data. The GDPR adds to this effect that each authority must

    benefit from a number of missions (listed in Article 57 of the GDPR) including that of dealing with

    complaints (article 57.1.f) of the GDPR) as well as a number of powers (article 58 of the GDPR).




18. Pursuant to Article 3 LCA, the Belgian legislator has instituted the DPA, the Litigation Chamber of which is

    the administrative litigation body (Article 32 LCA).



19. This control by the DPA, via its Litigation Chamber in particular, is an essential element of

    protection of individuals during the processing of personal data concerning them.



20. As the Contentious Chamber has already had the opportunity to express it in its decisions 17/2020 and 1

    80/2020 among others, supervisory authorities - such as ODA - must exercise their powers

    for the effective application of European data protection law. To guarantee


    the effectiveness of European law is one of the major tasks of data protection authorities

    member states under EU law. Control by the contentious chamber constitutes

    In this regard, one of the instruments available to ODA to ensure compliance with the rules relating to

    data protection, in accordance with the provisions of the European treaties, the GDPR and

    of the LCA.



21. In Article 4 LCA, it is provided that the ODA is "responsible for monitoring compliance with the principles

    fundamentals of the protection of personal data, within the framework of this law

    and laws containing provisions relating to the protection of the processing of personal data


    staff ".



22. The explanatory memorandum to the LCA has clearly and unequivocally clarified the interpretation to be

    give Article 4 LCA in the following terms: "Art. 4: The Authority for the Protection of



1https: //www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf


2https: //www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf Decision on the merits 48 / 2021- 6/15



    data is competent to exercise the missions and mandates of monitoring compliance with the principles

    fundamental protection of personal data as established in the Regulation

    2016/679. The Data Protection Authority acts with regard to the regulations which


    contains provisions relating to the processing of personal data such as, for example,

    example, the law establishing a national register, the law relating to the crossroads bank for security
                                                                                        3
    social, the law relating to the crossroads bank for enterprises, etc. (...) "(This is the Chamber

    Litigation which underlines).



23. Under these “laws containing provisions relating to the protection of data processing

    of a personal nature ”, the RN Law is therefore explicitly mentioned.



24. In conclusion, the oversight mission of the ODA encompasses compliance with the GDPR in its entirety.

    This reading is the only one which gives a useful effect to articles 3 and 4 LCA, which must be read in

    in combination with Article 51 of the GDPR. The competence of the APD (and its litigation body


    administrative - the Litigation Chamber) is therefore, in support of the foregoing, in no way limited

    by the concept of "fundamental principles of data protection" read in isolation, whatever

    either the content that some would seek to give to this notion for the needs of one or

    the other cause or attempting to escape the control of the ODA (see point 26 below). Likewise, it is certain

    that the competence of the DPA also encompasses monitoring compliance with the protective provisions

    data contained in specific legislation such as the RN Law or the "Law

    Cameras ”to name just these two examples. Here again, all of these provisions are

    intended and not only those which would participate in "fundamental principles of the protection

    Datas ".








3
 Explanatory memorandum to the Law of 3 December 2017 establishing the Data Protection Authority (DPA),
House of Representatives, DOC 54 2648/001, page 13 under article 4.

4
 Ibidem

5
 Law of March 21, 2007 regulating the installation and use of surveillance cameras (hereinafter the Cameras Law),
M.B., May 31, 2007.

6
   Decision 19/2020 regarding the consultation of the National Register within a city:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf

Decision 16/2020 with regard to surveillance cameras installed at the entrance of a store:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-16-2020.pdf;

Decision 61/2020 relating to a complaint for unlawful processing of personal data after
consultation in the National Register by a public interest body:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-61-2020.pdf

Decision 80/2020 relating to camera surveillance in a car wash:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf

. Decision on the merits 48 / 2021- 7/15



25. The Contentious Chamber finally draws attention to the fact that Article 4.2 LCA excludes jurisdiction

    of ODA in a very limited number of cases, specifically provided for by the LCA itself or by

    other legislation. The APD is the data protection supervisory authority responsible for

    default, any legal void, any lack of supervisory jurisdiction over one or the other processing

    of personal data to be avoided.



        Application to the present case - the issue of access to the National Register (rather than another

        database)


26. While admitting the competence of the DPA under the RN Law, the defendant nevertheless indicates

    than to avoid conflicts of jurisdiction (with regard to the Minister of the Interior with regard to the

    RN in the present case), the legislature would have limited the competence of the DPA to monitoring compliance with "

    fundamental principles of data protection ”. These "fundamental principles of

    data protection "not being defined by the national legislator, it would be appropriate according to the

    defendant to understand them as being limited to the principles set out in Article 8 of the Charter

    fundamental rights of the Union and, having regard to the structure of the GDPR, the content of Chapter II

    GDPR and the rights of data subjects.



27. In this regard, the defendant puts forward the fact that “If Me Y, [read the defendant], as

    that a notary had access to the National Register and, as an employer, to the Banque-Carrefour de la

    Social Security (BCSS) and whether the National Register and the BCSS both contain the same

    information relating to Ms. X's address [read complainant], the relevant question before the DPA

    is not that of the legitimacy of the processing of personal data but that of access to

    respective databases ”. The defendant adds in conclusion that "what remains to be verified

    is compliance with the conditions for access to the national register resp. the BCSS ”. This verification would fall under

    according to the defendant the competence of the Minister of the Interior, the ODA not having the competence

    decide on the preference for access to one or the other database. The defendant

    indeed considers that this access preference does not participate in the "fundamental principles of


    data protection ”.



28. The Contentious Chamber refutes the arguments developed by the defendant with regard to its

    skill. As it has explained above in paragraphs 21-24, its competence is not at all

    limited to monitoring compliance with "fundamental principles of data protection" such as

    that restrictively interpreted by the defendant.



29. The Litigation Chamber will also demonstrate that there is not, and cannot be, a conflict of

    competence with the Minister of the Interior (point 35). Decision on the merits 48 / 2021- 8/15




30. The Litigation Chamber is therefore of the opinion that the complaint was rightly declared

     admissible by the SPL on the basis of Article 60.1. LCA for the following reasons.



31. The Chamber notes on the one hand that, according to the terms of its complaint, the Complainant accuses the Respondent

     to have consulted his data in the National Register outside any legal framework and in the absence

     basis of legality. Access to the National Register being strictly regulated as will be detailed

     below, its consultation (which constitutes processing within the meaning of Article 4.2. of the GDPR) must,

     in order to be qualified as lawful, meet all the conditions required by both the GDPR and

                                                                  7
     by the RN Law (see point 35 and title 5 below).



32. The Litigation Chamber recalls Article 5.1 of the RN Law which lists in paragraph 4 the notaries

     among professionals authorized to access data in the National Register, including the address,

     with permission. This authorization, now issued by the Minister of the Interior, was

     in the past either by the Sectorial Committee of the National Register (CSRN) or by way of an order

     royal.9




33. The Contentious Chamber underlines that in this case, the Royal Decree of 11 September 1986 specifies in

     its Article 1 that it is for the accomplishment of the tasks which fall within their competence that

     notaries are authorized to access the information referred to in Article 3, paragraph 1, 1 ° to 9 °, and

     paragraph 2, of the RN Law among which appears the data "address" (M.B., October 2, 1986).



34. Therefore, it is not indifferent to consult the National Register rather than another database

     although both contain partly similar data. Legally regulated access

     to a database such as the National Register cannot be diverted from its purpose under the pretext of


     that the person who consults it has, in any event, authorized access to the data consulted



7 In the same sense see. Decision 16/2020: "The processing of images filmed by surveillance cameras

is in fact, as soon as these images constitute personal data, subject to the GDPR at
apply in parallel with the Cameras Act ”.


8 Art. 5 § 1. Authorization to access or obtain the information referred to in Article 3, paragraphs 1 to 3]

communication, and authorization to access information on foreigners entered in the register

waiting period referred to in article 1, § 1, paragraph 1, 2 °, of the law of 19 July 1991 on population registers,
identity cards, foreigner's cards and residence documents and amending the law of 8 August 1983

organizing a National Register of Natural Persons, are granted by the Minister of the Interior in
its attributions: (…) 4 ° to notaries and bailiffs for the information they are authorized to provide

know by law, decree or ordinance;

9
 See. Article 5 of the RN law before its amendment by the law of 25 November 2018 (M.B. 13 December 2018) which
granted authorization competence to the Sectoral Committee of the National Register. See. also article 5 of the

initial law of August 8, 1983 (M.B. April 21, 1984) which granted the King the power to authorize access to the Register

national before this competence is entrusted to the Sectorial Committee of the National Register. Decision on the merits 48 / 2021- 9/15



    (the address of the complainant in this case) via another database (the BCSS in this case). In

    this, the consultation of the National Register by the defendant must be examined from the point of view of its

    legality, an examination which is unquestionably within the competence of the DPA.



35. As to the division of jurisdiction with the Ministry of the Interior invoked by the defendant,

    the Contentious Chamber notes that since the abolition of the CSRN in application of Article 109

    LCA, it is indeed the Minister of the Interior who is responsible for issuing access permits

    in the National Register. This authorization competence in no way excludes the control competence

    of ODA. Access to the National Register constitutes, as already mentioned in point 31 below


    above, processing within the meaning of Article 4.2. of the GDPR, by definition subject to the control of a

    independent authority within the meaning of Article 8 of the EU Charter of Fundamental Rights, Article

    16 of the TFEU and article 51 of the GDPR (see above). This control competence, in addition to the fact
                                                                                       10
    that it is not, in concreto, granted by law to the Minister of the Interior, cannot in any case

    hypothesis be exercised by a Minister who, by definition, does not meet the required conditions

    to perform the duties of an independent data protection authority within the meaning of Article

    51 of the GDPR (and which more generally must meet all the conditions set out in Chapter

    VI of the GDPR). There is therefore no question here of "conflict of jurisdiction with the Ministry of

    the interior "contrary to what the defendant claims. On the contrary, Article 17 of the Law

    RN itself refers to the competence of the DPA.



36. Thus, article 17 requires that each public authority, public or private body having obtained

    authorization to access information in the National Register is able to justify the

    consultations carried out and that for this purpose, in order to ensure the traceability of the consultations, each

    user keeps a log of consultations.



37. This article 17 further specifies that this register must contain: (1) the identification of the user

    individual (or process or system) that accessed the data, (2) the data that was

    consulted, (3) the way in which they were consulted, namely in reading or for modification, (4)

    the date and time of the consultation as well as (5) the purpose for which the data were

    consulted.



38. Finally, the same Article 17 also provides that this register of consultations is to be made available


    of the Data Protection Authority (APD) and this, in the opinion of the Litigation Chamber, for him


10 See. also in this regard Decision 61/2020 of the Contentious Chamber, point 40: “By virtue of Article

4 of the LCA, the Data Protection Authority is competent to monitor compliance with "laws containing
provisions relating to the protection of the processing of personal data ".

the case, no other supervisory authority is competent under the legislation in force, and no
jurisdiction has not been withdrawn from the Data Protection Authority in this specific context, it is
the competent supervisory authority (article 4.2. paragraph 2 LCA) ”.

https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-61-2020.pdf Decision on the merits 48 / 2021- 10/15



    allow the exercise of its control mission. It is indeed up to the data controllers

    authorized to consult the National Register to implement the conditions of the authorization in

    compliance with the requirements thereof and in accordance with the principle of accountability set out in

    articles 5.2. and 24 of the GDPR, whose compliance rests with the DPA. 11



39. In conclusion of the above, the Contentious Chamber rejects the argument of inadmissibility

    invoked primarily by the Respondent and continues to examine the merits of the complaint below.



        5. As to the breaches on the part of the defendant


40. As the Litigation Chamber pointed out in point 32 above, Article 5.1 of the RN Law lists

    in paragraph 4 the notaries among the professionals authorized to access the data of the Register


    national, including address, with permission.



41. The Royal Decree of 11 September 1986 specifies in its article 1 that it is for

    the performance of the tasks that fall within their competence that notaries are authorized to

    access the information referred to in Article 3, paragraph 1, 1 ° to 9 °, and paragraph 2, of the RN Law among

    which contains the data "address" (M.B., 2 October 1986) (paragraph 33).



42. The Litigation Chamber is of the opinion that by consulting the "address" data of the complainant, either

    of an employee, the defendant did not consult in the context of

    the performance of a task that falls within his competence as a notary. These tasks must indeed

    be understood as being limited to what falls within the specific performance of the profession of

    notary and not tasks that are common to any employer, whatever it is, such as sending

    one or the other mail to its employees.



43. By virtue of his function, and for the sole accomplishment of the tasks relating to him, the notary has

    access to certain data in the National Register. It is incumbent upon him to scrupulously respect

    the purposes of this access which he prefers because of his profession. The circumstance that in all

    hypothesis, the defendant would have had access to the address data via another source (i.e. the BCSS

    in this case) is irrelevant in this regard. Indeed, the bases of legitimacy authorizing, under

    of Article 6 of the GDPR, access to these databases are separate as are the data

    to which access is therefore permitted are different. This is how the complainant rightly

    highlights the fact that the data contained in the BCSS and in the National Register (article

    3 RN Law) are not identical - even if there are data common to the two databases


    data and that notaries do not have access to all of the data contained in the Register

    national - and that the basis of legitimacy to access it is their own. At most, the fact that the Decision on the Merits 48 / 2021-11 / 15



    defendant would, in any event, have had access to the "address" data via another source

    could it be taken into account in the assessment of the sanction that the Contentious Chamber

    would decide to impose (see. infra).



44. By failing to respect the purpose of the access granted to it, the defendant consulted

    the National Register without an adequate legal basis. Therefore, she proceeded to a treatment of

    data in relation to which it is unable to validly invoke any basis of lawfulness

    required by Article 6 GDPR. In doing so, the defendant was guilty of a

    breach of Article 6 of the GDPR. This breach is combined with a breach of

    Article 5.1.a) of the GDPR according to which the processing of personal data must,

    in particular, to be lawful. This requirement, while not limited to compliance with Article 6, encompasses

    undoubtedly.



45. Nor does it appear to the Contentious Chamber that consultation of the National Register or of

    the BCSS, on the other hand, would have been necessary in this case. Indeed, the official address of the complainant

    appeared in the two contracts which bound it to the defendant. This address had been recalled by

    twice by email on January 23 and February 2, 2020 by the complainant. On the day of dispatch

    ecocheques in the mail on March 16, 2020, the complainant wrote to the respondent. This

    In response, the latter could have inquired about the address to which to send the requested ecocheques.

    In view of the context described by the defendant, the Contentious Chamber limits itself here to recalling

    that the principle of minimization expressed in Article 5.1.c) of the GDPR under which only the

    data processing necessary to achieve the purpose pursued must be respected.




    6. As to corrective measures and sanctions

46. Under Article 100 LCA, the Litigation Chamber has the power to:

1 ° dismiss the complaint;


2 ° order the dismissal;


3 ° pronounce a suspension of the pronouncement;


4 ° propose a transaction;


5 ° issue warnings or reprimands;


6 ° order compliance with the requests of the person concerned to exercise these rights;


7 ° order that the person concerned be informed of the security problem;


8 ° order the freezing, limitation or temporary or definitive prohibition of processing;


9 ° order that the processing be brought into conformity; Decision on the merits 48 / 2021- 12/15



10 ° order the rectification, restriction or erasure of the data and the notification thereof

data recipients;


11 ° order the withdrawal of accreditation of certification bodies;


12 ° give periodic penalty payments;


13 ° issue administrative fines;


14 ° order the suspension of transborder data flows to another State or an organization

international;


15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences

data on file;


16 ° decide on a case-by-case basis to publish its decisions on the website of the

data.


47. It is important to contextualize the breaches for which the defendant has been held responsible with a view to

    to identify the most appropriate corrective measures and sanctions.



48. In this context, the Litigation Chamber will take into account all the circumstances of

    the species.



49. The Litigation Chamber found a breach of Article 6 combined with Article 5.1.a) of the GDPR

    on the part of the defendant, or a breach of one of the founding principles of protection

    data devoted to Chapter II "Principles" of the GDPR: the principle of lawfulness (article 5. 1. a)

    of the GDPR. In the absence of a legal basis, the data processing simply cannot have

    place (article 6 of the GDPR).



50. Without this circumstance alone establishing the seriousness of the breach, the Chamber

    Litigation recalls that the violation of the provisions listed in Article 83.5 of the GDPR (including

    Articles 5 and 6 of the GDPR) may result in a fine of up to 20,000,000

    euros or in the case of a company, up to 4% of the total worldwide annual turnover of

    the previous exercise. The maximum amounts of fine that may be applied in the event of violation of

    these provisions are superior to those provided for other types of breaches listed in article

    83.4. of the GDPR.



51. The quality of the defendant is a factor which contributes to the seriousness of the breach. Indeed,

    as the Litigation Chamber explained above, access to the National Register is strictly

    regulated and limited to certain professions in particular. Indeed, the National Register is not a

    innocuous database. As the Litigation Chamber had the opportunity to point out in its Decision on the merits 48 / 2021- 13/15



    Decision 19/2020, this database including a certain amount of information - admittedly

    limited - relating to more than 11 million people, it requires, by its very nature,

    particularly rigorous, not only given its scope, but also due to its

    the very purpose of recording, storing and communicating information relating to

    (unique) identification of natural persons. It is therefore quite essential that those who


    benefit from access to the National Register, in strict compliance with its conditions. The notary

    is a public officer, appointed by the King. He exercises this public function within the framework of a

    strictly regulated liberal profession. He exercises public power by establishing acts

    authentic which have the force of a judgment in particular. The notary is also subject to a

    Code of ethics. All these elements require him to adopt an exemplary attitude towards

    compliance with the law, including data protection rules. The Litigation Chamber

    has already had the opportunity to underline this requirement with regard to public officials such as

    mayors and aldermen, but also companies benefiting from public concessions of

    parking lot or with regard to bailiffs. The same goes for notaries.



52. The Litigation Chamber further notes that this is a priori isolated breach, committed

    by a notary as part of the activities of his office, which can be qualified as an SME. Said

    breaches only concern an employee in a specific, punctual context, marked by

    loss of confidence and fears. These fears were linked both to the tense climate between the parties

    and the potential difficulties of movement in the event of a shipment to an incorrect address in the


    context of emerging confinement following the covid-19 pandemic. Nothing allows the

    Litigation Chamber to believe that the disputed processing is structurally part of the

    professional practice of the defendant.



53. The fact that the data "address" is relatively innocuous, not considered particularly

    sensitive by the defendant as well as the fact that it was already in the possession of the defendant and

    that this data was in any event accessible to him via the BCSS are also taken into account,




12 See. the Decision 19/2020 of the Contentious Chamber, page 13:

https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf In the same
sense, see. with regard to the Vehicle Registration Directorate (DIV) database, access to which
is also regulated, Decision 81/2020 of the Contentious Chamber (point 82):

https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf

13 See. Decision 10/2019 of the Contentious Chamber:

https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as the
Decision 11/2019: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-11-

2019.pdf and Decision 53/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-
fond-n-53-2020.pdf

14
  See. Decision 81/2020 of the Contentious Chamber:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf Decision on the merits 48 / 2021- 14/15



    to a certain extent, by the Litigation Chamber in its assessment of the sanction

    adequate. Indeed, by consulting the National Register, the defendant also has

    access to a number of other data - admittedly limited by the Royal Decree of 11 September

    1986 already cited - relating to the complainant. The defendant further states in this regard that it

    has no other choice but to access all of this data, the available application cannot


    do not allow you to target your consultation on the single "address" data. The Litigation Chamber

    takes note of this double consideration.



54. The Litigation Chamber wishes to emphasize that, however, one should not be mistaken about the scope

    of this decision as to the substance and as to the breach sanctioned. It is, as it has been

    described above, access to a datum X (in this case the address) contained in a database

    data for strictly reserved access outside the legal conditions which is at the heart

    of this decision and here sanctioned; and this, much more than knowledge of the data

    "Address" as such. However, the Litigation Chamber is no less sensitive to the

    fact that in this case, the impact of this consultation on the complainant is low and possible prejudice

    in its head not demonstrated.



55. Finally, the Litigation Chamber also takes into account the measures put in place by the

    defendant to comply with the obligations incumbent on him in his capacity as

    processing: appointment of a data protection officer (article 37-39 of the GDPR),


    establishment of a register of processing activities (Article 30 of the GDPR), adoption of a policy

    protection of personal data intended for citizens, adoption of a security policy

    information accompanied by a procedure in the event of a data breach as well as the establishment

    a procedure for managing the rights of data subjects.



56. In conclusion of the foregoing, and in view of all the circumstances of the case, now

    aggravating, sometimes mitigating, the Litigation Chamber considers that the reprimand (i.e. the

    call to order referred to in Article 58.2.b) of the GDPR) 15 is in this case, the effective sanction,

    proportionate and dissuasive which is imposed on the defendant.



57. Finally, with regard to the breach of Article 14 of the GDPR invoked by the complainant by way of

    conclusions, the Contentious Chamber decides to dismiss the complaint with regard to this grievance.

    The Contentious Chamber is in fact of the opinion that this grievance came to be grafted on that of the absence of

    basis of lawfulness of the consultation of the National Register is not such as to modify its decision. The

    defendant explained in terms of its conclusions that the work regulations signed by the




15
  As it has already had the opportunity to specify in several decisions, the Litigation Chamber recalls here
that the warning punishes a breach that is likely to occur: see. Article 58.2.a) of the RPD

in this regard. Decision on the merits 48 / 2021- 15/15



    complainant contains a certain amount of information relating to the data processing carried out

    by the defendant with regard to its employees (Title VIII). The defendant specifies in this regard that

    this regulation dates from 2016 and is currently being updated. The Litigation Chamber recalls

    here the necessary compliance with the obligation of transparency and articles 12, 13 and 14 of the GDPR in

    terms of information to the persons concerned, including by an employer to its employees.



        7. Regarding publicity and transparency


58. Considering the importance of transparency with regard to the decision-making process and

    decisions of the Litigation Chamber, this decision will be published on the website of the APD

    by deleting the direct identification data of parties and persons

    physical cited.




FOR THESE REASONS,


THE LITIGATION CHAMBER


Decided


    - To issue a reprimand against the defendant on the basis of Article 100.1, 5 °

        LCA given the breach noted in Article 6 of the GDPR combined with Article 5.1.a) of

        GDPR;



    - To dismiss the remainder of the complaint on the basis of Article 100.1.1 ° LCA.


Under Article 108.1 LCA, this decision can be appealed to the Court of

contracts (Brussels Court of Appeal) within 30 days of notification, with

the Data Protection Authority as respondent.





(Sé) Hielke Hijmans


President of the Litigation Chamber