APD/GBA (Belgium) - 57/2021

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(d) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 06.05.2021
Published: 06.05.2021
Fine: 30.000 EUR
Parties: n/a
National Case Number/Name: 57/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 57/2021 van 06 mei 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA states that a separate and clearly defined purpose is necessary for transfer to a third party. Multiple different processing operations can take place for the same purpose, but each requires a legal basis.

English Summary

Facts

This decision is a reconsideration of decision 24/2020 and implements the appeal judgment of the Market Court of 18 November 2020 (2020/AR/813). It gives the defendant the opportunity to defend itself against all GDPR infringements on which the initial sanction was based.

To summarise, the complainant claimed that his health data was used by an insurance company for a purpose to which he did not explicitly agree. The defendant now claims to use legitimate interest as legal basis.

Holding

Legal basis of legitimate interest

The defendant states that non-sensitive personal data can be processed based on legitimate interest for different purposes:

- conducting computer tests;
- monitoring the quality of service;
- training of personnel;
- monitoring and reporting;
- storing recordings of video surveillance for the statutory period; and
- compiling statistics from coded data, including big data.

For each of these purposes, a balancing test was done.

The DPA recites the requirements for relying on Article 6(1)(f), namely a purpose test, the necessity of the processing and a balancing test.

As regards the first condition (the so-called "purpose test"), the DPA considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as the data controller can in itself be regarded as legitimate, in accordance with recital 47 of the GDPR.

In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking the question whether the same result can be achieved by other means without processing personal data or without an unnecessarily intrusive processing for the data subjects.

In order to verify whether the third condition of Article 6(1)(f) - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose."

Conducting computer tests

The DPA holds that this satisfies the first, second and third criteria. It does state that the data subject could be better informed about the tests.

Monitoring the quality of service and compiling statistics from coded data, including big data

This topic has three parts: "statistics and quality tests", "satisfaction questionnaires" and "quality tests operations". The DPA assessed the legitimate interest basis for each:

Statistics and quality tests

All criteria have been fulfilled.

Satisfaction questionnaires

All criteria have been fulfilled.

Quality tests operations

All criteria have been fulfilled.

Training of personnel

The first criterion has been fulfilled. The necessity test has not been fulfilled, as it is not necessary to use client data in order to provide training cases for personnel; this is a breach of data minimisation under Article 5(1)(c). The balancing test is also not fulfilled, as it is not within the reasonable expectations of a person taking out an insurance for their information to be used as an example.

Monitoring and reporting

The first criterion has been fulfilled. The second criterion has been fulfilled as a minimum of data is necessary to fulfill legal obligations. Said legal obligations, however, did not provide an explicit legal basis for the processing. The third criterion has also been fulfilled as it is a reasonable expectation of a data subject that the insurance company must fulfill its legal obligations.

Storing recordings of video surveillance for the statutory period

The first and second criteria have been fulfilled. The third criterion has not been fulfilled, as a data subject signing an insurance contract cannot reasonably expect that their data will be used for video surveillance. This falls under the Camera law of 21 March 2007, including the obligation to put up pictograms to inform the data subjects.

Model of balancing test

The defendant states that all these balancing tests scored less than 30 on the model that they used, which means legitimate interest can be used as a legal basis. The DPA holds that this is purely instrumental and no legal value can be given to a model.

Legal basis for transfer to third parties

The defendant claims that transfers to third parties are not a processing purpose, but a form of processing within the meaning of Article 4(2).

The DPA states that, according to Article 5(1)(a), personal data must be processed for a specific purpose and the processing must be legitimate within the meaning of Article 6(1). It is possible to carry out multiple processing operations for the same purpose, but this must be done in compliance with the above.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(c), there is a breach of the GDPR.

Transparency principle

Notwithstanding Article 13(1)(d) regarding transparency of its legitimate interests, the defendant claims that they fulfilled the requirements by merely stating in the privacy notice that the personal data will be processed based on its legitimate interest without indicating what those interests are.

Those legitimate interests are not public as they contain company-sensitive information, and the documents are very 'heavy', not suited for a privacy notice.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(d), there is a breach of the GDPR. And even if the defendant does not want to share sensitive information, they must at least provide more information to its data subjects in a clear and transparent way. Sharing company sensitive or 'heavy' documents on their own is not required for this.

Based on the above, the first decision, and the appeal, the fine for the insurance company is reduced to €30.000 (from €50.000).


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision on the merits 57/2021 of 06 May 2021

File number: DOS-2019-02902



Subject: Lack of transparency in the privacy statement of an insurance company (reconsideration of decision 24-2020)







The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the rules of internal procedure, as approved by the Chamber of Representatives of the people on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;







has taken the following decision regarding:

- Mr X, hereinafter “the complainant”;
- Y, represented by Masters Benoit Van Asbroeck and Simon Mortier, hereinafter “the defendant”.




    1. Facts and procedure




1. This decision is a reconsideration of decision 24/2020 of the Disputes Chamber of 14 May 2020, and implements the judgment of the Marktenhof of 18 November 2020, with roll number 2020/AR/813.



2. This decision must be read in conjunction with decision 24/2020 and contains a review to give the defendant the opportunity to defend himself regarding all breaches of the GDPR for which a sanction was imposed in the initial decision, insofar as these infringements are contested by Y. With this review, the Disputes Chamber thus remains within the framework of the initial decision, also with regard to the administrative fine, which cannot exceed the amount of the initially determined fine. With regard to the allegations on which the Disputes Chamber ruled in the initial decision that there was no breach of the GDPR, that judgment is preserved. The infringements identified in the initial decision and not contested by Y are equally preserved.




3. On June 14, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant.

The object of the complaint concerns the use of health data that the insurance company has obtained from the person concerned under a hospitalization insurance for other purposes without the express consent of the insured person concerned. The complainant states that he has no problem with his health data being processed for the performance of obligations under the hospitalization insurance taken out with the defendant, but does have a problem when those same health data are processed for the purposes listed in point 4.3 of the privacy statement and for the transfer to third parties as mentioned in point 9 of the same privacy statement (it concerns point 6, but the reference to point 9 is a material mistake) as stated in the defendant's privacy statement. He asks that, specifically for those purposes as well as for the transfer, the defendant give the data subject the choice to consent or not to the processing of his health data.

Finally, the complainant indicates that he wishes to receive a data protection impact assessment from the defendant, as a data processing with a high risk for the data subject is involved.




4. On 26 June 2019, the complaint was declared admissible on the basis of Articles 58 and 60 of the WOG, the complainant was informed of this on the basis of art. 61 WOG and the complaint was submitted to the Disputes Chamber on the basis of art. 62, §1 WOG.



5. On 23 July 2019, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file is ready for treatment on the merits.



6. On July 24, 2019, the parties concerned were notified of the provisions as stated in article 95, §2 and in art. 98 WOG. The parties concerned were also informed, on the basis of art. 99 WOG, of the time limits for submitting their defenses. The deadline for receiving the complainant's reply was set at 7 October 2019 and at 7 November 2019 for the defendant.



7. On July 29, 2019, the defendant reported to the Disputes Chamber that it had taken note of the complaint, requested a copy of the file (art. 95, §2, 3° WOG) and accepted to receive all communication regarding the case electronically (art. 98, 1° WOG).



8. A copy of the file was sent to the defendant on 30 July 2019.



9. On August 2, 2019, the Disputes Chamber received a letter in which the defendant indicated that he wishes to be heard by the Disputes Chamber (art. 98, 2° WOG).



10. On September 6, 2019, the Disputes Chamber received the statement of defense from the defendant. The respondent argues, first, that the processing of special categories of personal data, in this case health data, by health insurer Y happens in a lawful manner. The processing of these special categories of personal data (Art. 9 GDPR) is prohibited in principle. The respondent invokes the exception for the processing of Article 9(2)(a) GDPR, the express consent of the data subject. Second, the respondent argues that no separate consent is required for each transfer of personal data. Thirdly, according to the respondent, there is no question of asking consent to the processing of data other than health data. Finally, according to the respondent, a data protection impact assessment is not necessary in this case since it concerns existing processing operations and not new processing operations commenced after May 25, 2018.





11. The complainant has not exercised the right to submit a reply.



12. The defendant does not submit a new claim and only submits exhibits on 7 November 2019 in support of the statement of defense submitted on 6 September 2019.



13. On January 9, 2020, the parties were notified that the hearing would take place on January 28, 2020.



14. On January 28, 2020, the defendant was heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. Among other things, the defendant answered questions from the Disputes Chamber on the legal basis for the processing of personal data not being health data. After this, the debates were closed.



15. On January 29, 2019, the official report of the hearing was presented to the parties.



16. On January 31, 2020, the defendant provided, as requested during the hearing, the annual turnover of the last three financial years. For the years 2016-2018, these always amount to a turnover between 500 and 600 million euros.



17. On 6 February 2020, the Disputes Chamber received a number of comments from the defendant with regard to the official report, which it decided to include in its deliberations.



18. On March 25, 2020, the Disputes Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend himself before the sanction is effectively imposed.



19. On May 8, 2020, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine, as well as the amount thereof.

The defendant alleges that the alleged infringements as contained in the intention of the Disputes Chamber would be completely new and that he was unable to defend himself against them. However, the Disputes Chamber must establish from the documents in the file that it is indisputable that the defendant was able to exercise his rights of defense in full.

The defendant also claims to disagree with the imposition of a fine, or with the intended amount of the fine. However, he does not put forward any (new) arguments in substantiation of this thesis. The response of the defendant therefore gives the Disputes Chamber no reason to adjust the intention to impose an administrative fine nor to change the amount of the fine as intended.



20. On May 14, 2020, the Disputes Chamber ruled as follows in its Decision on the merits 24/2020:

- on the basis of art. 100, §1, 9° WOG, to order the defendant to bring the processing into line with article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and 13.2 b) GDPR.
- on the basis of art. 100, §1, 13° WOG and art. 101 WOG, to impose an administrative fine of EUR 50,000 as a result of the violations of article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and article 13.2 b) GDPR.



21. On 17 June 2020, the Disputes Chamber received the notification of an application against the GBA, lodged at the Registry of the Court.



22. The introductory session before the Marktenhof took place on 24 June 2020, at which the conclusion deadlines for the parties were set and the case was set for pleadings at the session on October 21, 2020.

The Marktenhof passed judgment on 18 November 2020.

The judgment contains the following points for attention with regard to the assessment of the subject of the petition:

• Annulment of decision on the merits no. 24/2020 of 14 May 2020 of the Disputes Chamber.
• The Marktenhof argues that the defendant should be given the opportunity - after the complaint has been clearly and plainly formulated in writing - to submit written conclusions on it. The fact that the defendant was asked on the occasion of the hearing (which was stated in the minutes of the hearing) to take a position on the general question of the legitimate interest on which the defendant relies for processing data other than health data, and that the defendant only formulated a brief answer to this without any reservations or objections, does not adequately justify decision no. 24/2020 of 14 May 2020.


23. Following up on the judgment, the Disputes Chamber decided on November 27, 2020 to take up the file again with a view to taking a new decision. The underlying consideration is that the Disputes Chamber, notwithstanding the annulment of the aforementioned decision by the judgment of the Marktenhof, is still seized of the initial complaint filed on June 14, 2019 as declared admissible by the First-line service on June 26, 2019. Therefore, the debates were reopened and new conclusion deadlines were set, so that the parties can take a position regarding the legitimate interest on which the defendant relies to process data other than health data.

The parties were notified of the following conclusion deadlines:

• the deadline for the complainant's reply is set at 8 January 2021;
• the deadline for the defendant's reply is set at 19 February 2021;

The date of the hearing was also determined, which will take place on March 22, 2021.

1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf



24. On 27 November 2020, the Disputes Chamber received the notification from the complainant that, because of the clear arguments, it seems unnecessary to him to add additional arguments. On the same day, the Disputes Chamber informed the defendant that the complainant has stated that he will not submit a conclusion. At the request of the defendant, the Disputes Chamber also states that the initially determined date for the statement of reply of the defendant, as well as the date of the hearing.



25. On February 19, 2021, the Disputes Chamber received the conclusion with accompanying documents from the defendant. In it, the defendant puts forward the following pleas:

• The respondent can rely on its legitimate interests for the processing of personal data for purposes in accordance with Article 4.3 of its old privacy statement (no violation of articles 5.1 a), 5.2, 6.1 f) and 13.1 c) and d) GDPR).
• The respondent can rely on an applicable legal basis for transfers to third parties in accordance with Article 6 of the old privacy statement (no violation of articles 5.1 a), 5.2, 6.1 and 13.1 c) and d) GDPR).
• If the defendant cannot invoke all legal grounds under Article 6.1 GDPR for the processing purposes in accordance with Article 4.3 of the old privacy statement and transfers to third parties in accordance with Article 6 of the old privacy statement, this constitutes an infringement of the defendant's freedom to conduct a business.
• The respondent argues that a reprimand is sufficient and that the administrative fine of € 50,000.00 is disproportionate.



26. On March 22, 2020, the parties were heard by the Disputes Chamber. The complainant, though duly summoned, did not appear. The defendant explained his defense during the hearing. No elements other than those that already form part of the file were put forward. After this, the debates were closed.




27. The minutes of the hearing were presented to the parties on 25 March 2021 in accordance with Article 54 of the Rules of Procedure. On April 5, 2021, the defendant delivered to the Disputes Chamber some comments with regard to the official report, which it decides to include in its deliberation.



28. On April 6, 2021, the Disputes Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend himself before the sanction is effectively imposed.



29. On April 27, 2021, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine, as well as the amount thereof.

In summary, the defendant states the following in his response to the intention to impose an administrative fine:

- With regard to the lack of a demonstrated legitimate interest as a legal basis for the purposes “training personnel” and “storage of video surveillance recordings during the legal period”, the defendant argues that no questions were asked regarding the legality, necessity or proportionality of these processing purposes.

In this regard, the Disputes Chamber notes that the defendant had already discussed extensively in his conclusions the legality, necessity and proportionality of all processing purposes, including those for “staff training” and “storage of video surveillance recordings during the legal period”, so that no additional clarification was requested during the hearing. At a hearing, only specific questions were asked about any remaining uncertainties in order to clarify them and to allow the Disputes Chamber to form an opinion.

At present, the Disputes Chamber can only establish that the respondent's response to the intention to impose an administrative fine as a result of the infringement of Article 6.1 GDPR with regard to the purposes “training personnel” and “storage of video surveillance recordings during the legal period”, in the absence of a demonstrated legitimate interest as legal basis, does not contain any new elements that are of a nature to change the judgment of the Disputes Chamber.



- With regard to the amount of the fine, the defendant is of the opinion that no fine can be imposed for the charge that personal data would have been processed without having a legitimate interest. At the very least, the defendant believes that an amount of EUR 30,000 is disproportionately high. The defendant argues that the written conclusions and the hearing revealed that general training material is in principle always anonymized and that virtually no personal data of customers are processed via CCTV. The documents in the file do not show either that any personal data of the complainant would have been processed for these processing purposes. For that reason, the complainant (and by extension the other customers of the defendant) have in principle not been personally harmed by any lack of legitimate interests for the processing activities “staff training” and “the storage of video surveillance recordings during the legal period”.

The Disputes Chamber emphasizes that whether or not any personal harm was experienced does not constitute a criterion for imposing an administrative fine, as this is not included in Article 83.2 GDPR. It will therefore motivate this sanction in its decision below without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for imposing an administrative fine are clearly defined in article 83.2 GDPR, on which the Disputes Chamber will base its decision regarding the administrative fine.



To the extent necessary, the Disputes Chamber adds that the complainant has provided personal data to the defendant for processing under a hospitalization insurance and that the defendant then indicated, on the basis of the then privacy statement, that the personal data of the complainant were also processed for all purposes stated in the privacy statement. Based on the then privacy statement, the defendant processed the complainant's data for each of the purposes included in the privacy statement. This is also evident from the conclusion that underlies the current decision, in which the defendant himself defines the allegations arising from the complaint (see marginal 33) and the allegations under points f), g) and h) are the subject of his defense. The allegations arising from the complaint, as described by the defendant himself in his conclusion, concern defects in the privacy statement that concern the complainant, as well as ipso facto any other customer of the defendant who takes out hospitalization insurance. After all, the privacy statement is not drawn up exclusively for the complainant, but for each client of the defendant who takes out hospitalization insurance.

This also explains why the defendant in his conclusion tries to demonstrate the legality, necessity and proportionality of all processing purposes, without distinction as to whether or not it concerns a processing purpose for which personal data of the complainant are processed. The defendant verifies whether it has a legitimate interest for all processing purposes, because for each of those processing purposes the personal data of the complainant were processed in accordance with the then privacy statement.



- In addition, the defendant is of the opinion that an amount of EUR 30,000 is disproportionate to the infringement.

More specifically, as regards the seriousness of the infringement, the defendant does not agree with the statement of the Disputes Chamber that, solely because of the fact that there is an infringement of Articles 5 and 6 of the GDPR, the infringements are therefore automatically “serious” and “weighty”. The defendant argues that, on the one hand, these articles lie at the basis of almost the entire GDPR and therefore virtually any violation of the other GDPR articles can be reduced to an infringement of articles 5 and 6 GDPR. On the other hand, classifying these infringements as “serious” and “weighty” prevents a differentiation from being made with infringements that are actually weighty and serious, such as, for example, the complete absence of a privacy statement. However, this is not at all relevant here. The defendant argues that it has indeed stated these processing purposes in its privacy statement and has carried out an extensive weighing of interests with due diligence to determine whether it can rely on its legitimate interests.

Regarding the defendant's contention that a breach of the basic principles of the GDPR included in Articles 5 and 6 GDPR could not automatically be considered serious and weighty, the Disputes Chamber notes that Article 83.5 GDPR itself provides for a more severe punishment for this infringement, for which the highest maximum fine is determined, precisely because of the fact that these are basic principles that concern the core of a data processing. The defendant's claim that any breach of the GDPR can be traced back to a breach of basic principles does not stand, as the Disputes Chamber is seized by the complaint and carries out the assessment against the GDPR within those limits, and therefore by no means, contrary to what the defendant maintains, could any infringement be "reduced" to violations of the basic principles. Since the complaint concerns exactly the basic principles, the Disputes Chamber will rule on the application of those principles. Where the defendant cites as an example that a complete absence of a privacy statement would be serious and weighty, the Disputes Chamber states that the total lack of a privacy statement would be not only a serious and weighty infringement, but a total disregard of the GDPR. However, this does not alter the fact that a defective privacy statement, such as in the present case, which does not respect the basic principles of the GDPR, must be classified as serious and weighty.




Regarding the duration of the breach, the defendant points out that it already amended its privacy statement during the initial procedure at the beginning of 2020 and adjusted its privacy statement again at the beginning of 2021 following the initial decision of the Disputes Chamber, and that this should be taken into account as an attenuating circumstance. As to the deterrent effect, the defendant again points to its willingness to constantly adjust its privacy statement, which it has done twice in a very drastic manner, so that the purpose of these proceedings has been achieved according to the defendant.

The Disputes Chamber already stated, when announcing its intention to impose an administrative fine, as well as the amount thereof, that the efforts already made by the defendant to bring the new privacy statement into line with the GDPR are evidence of his willingness. On the other hand, it must be noted that although the changes made to the new privacy statement are a beneficial element in the assessment of the administrative fine, they do not mean that the infringements established would be rectified (see marginal 120). The Disputes Chamber gives more detailed reasons for the imposition of the administrative fine in section 3 of this decision.



    It follows from the foregoing that the respondent's response to the Disputes Chamber gives no
    reason to adjust the intention to impose an administrative fine, nor to change the amount of the
    fine as intended.





  2. Justification



    1. Legitimate interest


      a) Preliminary remark



30. It follows from the judgment of the Market Court that the Disputes Chamber, in its decision 24/2020 of
    14 May 2020, would have ruled without the defendant being able to fully defend itself, because the
    decision of the Disputes Chamber would not have been limited to the allegations that are the subject
    of the complaint.





31. However, the complainant explicitly states in the complaint that the customer should be given the choice
    whether or not to agree to the processing operations listed in points 4.3 and 6, and that he does not
    receive that choice. After all, once he has given his consent to the processing of his personal data in
    the context of hospitalization insurance, data processing should, according to the complainant, be
    limited to performing the obligations arising from that insurance. The complainant argues that the
    defendant may not process his data without consent for any other purpose, more specifically the
    purposes stated in points 4.3 and 6 of the old privacy statement. The complaint thus concerns the legal
    basis of the processing for the purposes listed in point 4.3. The complainant believes that consent is
    required for the purposes mentioned in point 4.3 and that the defendant therefore cannot automatically
    also use the data, obtained on the basis of consent in the context of a hospitalization insurance, for
    other purposes for which the defendant relies on its legitimate interest.



32. The complaint thus essentially relates to the legal basis on which the defendant can rely to process
    the personal data obtained from the complainant for the purposes listed in points 4.3 and 6 of the
    defendant's old privacy statement.



33. In the defendant's present written submission, the allegations are listed in points a) to h):




   “a) Y would obtain consent to the processing of medical data for the purpose of concluding
   and executing insurance contracts under duress, as a result of which this consent would be
   invalid (violation of Articles 5 (1) (a) (principle of legality), 6 (1) (a) and 9 (2) (a) GDPR);

   b) Y must grant the Complainant access to the DPIA (“GBEB”) that it allegedly carried out for
   the processing of medical data in connection with the performance of insurance contracts with
   its customers (violation of Articles 35 and 36 GDPR);

   c) Y should, in Articles 4.3 and 6 of the old Privacy Statement, make a better distinction
   between the processing of medical data on the one hand and the processing of other "ordinary"
   personal data on the other hand (violation of Article 13 (1) (c) GDPR);

   d) Y should take additional steps to inform data subjects of their right to object pursuant to
   Article 21 (2) GDPR (violation of Articles 12 (1) and 13 (2) (b) GDPR);

   e) Y should further clarify the legal grounds referred to in Article 6 of Y's old Privacy
   Statement for the transfer of personal data to third parties (violation of Article 13 (1) (c)
   GDPR);

   f) Y would process personal data without a proven legal basis (including its legitimate
   interest within the meaning of Article 6 (1) GDPR) for a number of the purposes stated in
   Article 4.3 of Y's old Privacy Statement and for the transfers to third parties mentioned in
   Article 6 of Y's old Privacy Statement (violation of Articles 5 (1) (a) (principle of legality)
   and 6 (1) GDPR);

   g) Y would have provided insufficient information in its old Privacy Statement about its
   legitimate interests, where Y invokes this legal basis (violation of Articles 5 (1) (a)
   (principle of transparency) and 13 (1) (c) and (d) GDPR);

   h) Y, where Y relies on this legal basis, would not have sufficiently demonstrated why its
   legitimate interests would exist and would have failed to demonstrate to what extent its
   interests would outweigh the interests and fundamental rights of the Complainant (violation of
   Article 5 (2) GDPR).”



34. The defendant also confirms that the allegations set out in points a) to h) arise from the complaint
    by stating the following in its written submission:

    “Should the Disputes Chamber consider that the above allegations and alleged violations of the GDPR
    by Y (points a to h) do not arise from the complaint […], the Disputes Chamber is invited to inform Y
    of this […].”



35. The Disputes Chamber notes in this regard that the allegations as now described by the respondent in
    points a) to h) were already contained in the complaint, and that the defendant now indicates that
    these do indeed arise from the complaint, but nevertheless put forward no defense in respect of f),
    g) and h) in the procedure prior to decision 24/2020 of 14 May 2020.

    As to the allegations under a) to e) of its written submission, the defendant indicates that it has
    either been able to defend itself and has been upheld by the Disputes Chamber (this concerns
    allegations a) and b)), or has not disputed the allegations and has corrected them in the new privacy
    statement (this concerns the allegations under c), d) and e)). Regarding the established infringement
    of Article 13.1 c) GDPR regarding the allegation under c), the infringement of Article 12.1 and
    Article 13.2 b) GDPR regarding the allegation under d) and the infringement of Article 13.1 c) GDPR
    regarding the allegation under e), the Disputes Chamber refers to the reasoning for this in decision
    24/2020 of 14 May 2020.

    The defense in the present written submission focuses only on the allegations under points f), g)
    and h).



  36. To the extent that there was any uncertainty on the part of the defendant about the subject of the
      complaint prior to decision 24/2020, the Disputes Chamber has nevertheless offered the defendant
      the opportunity to submit its defense, and the Disputes Chamber will then examine whether, and if
      so to what extent, the defendant has infringed the GDPR with regard to the allegations as described
      in points f), g) and h) of its written submission and whether the administrative fine should be
      maintained.






        b) Legal basis for the purposes stated under 4.3 of the privacy statement



  37. The defendant argues that it can rely on its legitimate interests for the

      processing of non-sensitive personal data for the following purposes

      under point 4.3 of the old privacy statement:

          • performing computer tests;

          • monitoring the quality of the service;

          • training of personnel;

          • monitoring and reporting;

          • the storage of video surveillance recordings during the legal period; and

          • compiling statistics on coded data, including big data.







  38. For each of these purposes, the defendant has carried out a balancing of interests. Below, the
      Disputes Chamber assesses the balancing of interests for each of these purposes in accordance with
      its established decision-making practice 2 for assessing the legitimate interest.



  39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European
      Union, three cumulative conditions must be met for a controller to validly invoke this ground of
      lawfulness, “namely, in the first place, the pursuit of a legitimate interest by the controller or
      by the third party or parties to whom the data are provided, secondly, the necessity of processing
      the personal data for the purposes of the legitimate interest, and, thirdly, the condition that the
      fundamental rights and freedoms of the person concerned by the data protection do not prevail”
      (“Rigas” judgment). 3

2 See inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020;
Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020.



  40. In other words, in order to be able to rely on the lawfulness ground of “legitimate interest”, it
      is the responsibility of the controller to show that:

    1) the interests pursued by this processing can be recognized as legitimate (the “purpose test”);

    2) the intended processing is necessary for the realization of these interests (the “necessity
        test”); and

    3) the balancing of these interests against the interests, fundamental freedoms and fundamental
        rights of data subjects weighs in favor of the controller (the “balancing test”).



  41. With regard to the purpose of “performing computer tests”, the defendant argues the following:

    “Context of the processing purpose
    This processing purpose includes the tests performed by IT testers and developers:
    • related to "changes", which are minor changes or relate to purely functional aspects; and
    • in the context of any automation projects.
    These tests are carried out as part of:
    • IT and network security;
    • the maintenance, improvement and development of (the quality of) Y products and services; or
    • improving the customer experience (e.g. to make internal processes and systems more efficient
    for back-office activities, to improve the user experience in Y's digital channels, etc.).
    This process does not include the acceptance and emulation phase, which can only be performed by
    the "specialized activities" team before the changes can actually be implemented and put into
    production.”

3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
'Rīgas satiksme', recital 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA,
recital 40.




42. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the
    opinion that the processing purpose as described by the defendant must be considered as carried out
    for a legitimate interest. The interest pursued by the defendant as controller can, in accordance
    with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article
    6.1 f) GDPR is therefore satisfied.



43. In order to fulfill the second condition, it must be demonstrated that the processing is necessary
    for the achievement of the objectives pursued. More specifically, this means that the question must
    be asked whether the same result can be achieved by other means, without processing personal data
    or without processing that is unnecessarily invasive for data subjects.



44. Based on the purpose, being the performance of computer tests, the Disputes Chamber must establish
    that the defendant asserts that, where possible, dummy data or anonymous data is used (e.g. in case
    of changes where different systems or applications are involved and that require a unique reference,
    such as the policy number). Only when there is no other option will personal data be used in order
    to realize the intended change or development. Possibilities for (further) limitation of data
    processing are constantly being researched and progressively introduced as part of the project
    'data anonymization in non-production environments'. Furthermore, strict access controls are
    introduced on the IT environments where the IT tests are carried out. Procedures are also
    established for how these IT tests should be carried out, which must be observed by all concerned.




45. The Disputes Chamber notes that the defendant states that it only uses personal data when there is
    no other option. During the hearing, Y stated that the tests always take place on the basis of dummy
    data, but that the test phase determines the extent to which such data can be used for testing.
    After all, in some cases the limits of the possibilities for data masking are reached. This has to
    do with the life cycle of the tests, namely that dummy data can gradually be used in IT testing, but
    sometimes the processing of personal data is required in order to ensure the interaction between
    applications. The Disputes Chamber is of the opinion that the defendant makes it reasonably
    plausible that the computer systems cannot always be tested on the basis of anonymized or
    pseudonymized data. The second condition is thus fulfilled, as it has been shown that the principle
    of minimal data processing (Article 5.1 c) GDPR) has been complied with. Nevertheless, the Disputes
    Chamber notes that, for the sake of clarity towards the customers concerned, the defendant might
    consider providing in the privacy statement a brief explanation of the cases in which the defendant
    has no choice but to perform computer tests with personal data.



  46. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing
      test” between the interests of the controller, on the one hand, and the fundamental freedoms and
      fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable
      expectations of the data subject must be taken into account, in accordance with recital 47 GDPR.
      More specifically, it should be evaluated whether the “data subject can reasonably expect, at the
      time and in the context of the collection of the personal data, that processing can take place for
      that purpose”. 4



  47. The Disputes Chamber is of the opinion that it can be assumed that, when personal data are
      collected in the context of taking out an insurance policy, the policyholder can reasonably expect
      at that time that his data will be used to perform computer tests. After all, customers expect a
      correct execution of their insurance contracts, which goes hand in hand with a safe and correct
      management of IT systems. The interest of the customers thus requires that the functionalities of
      the IT environment are tested for this purpose.




  48. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis contained
      in Article 6.1 f) GDPR for processing for the purpose “conducting computer tests”.




  49. Regarding the purposes “monitoring the quality of the service” and “compiling statistics on coded
      data, including big data”, the defendant states that this comprises three parts and specifies that:

    - For the section “Statistics and quality tests”

        “Context of the processing purpose
        Y, as an insurer, is subject to prudential supervision. This means, among other things, that it
        is bound to overall control of its company and its performance, including, but not limited to,
        the audit of the sales performance, the performance and fees of certain hospital networks and
        the coverages / reimbursements. This relates to the general control of the quality of the
        services and the performance of the insurance company to ensure its continuity. This processing
        purpose includes both one-off and recurring reports, whether or not use is made of big data
        methodologies. These are mainly aggregated or anonymised reports, unless specific statistics
        are required (by category, e.g. per age group).”

4 Recital 47 GDPR.




50. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the
    opinion that the context of the processing purpose as described by the defendant must be considered
    as carried out for a legitimate interest. The interest pursued by the defendant as controller can,
    in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition
    contained in Article 6.1 f) GDPR is therefore satisfied.



51. In order to fulfill the second condition, it must be demonstrated that the processing is necessary
    for the achievement of the objectives pursued. More specifically, this means that the question must
    be asked whether the same result can be achieved by other means, without processing personal data
    or without processing that is unnecessarily invasive for data subjects.



52. The Disputes Chamber notes that the defendant only justifies that it is necessary for it to compile
    statistics and perform quality tests, as the financial viability, quality of service, premium
    setting and performance cannot be determined without actively measuring them. The Disputes Chamber
    by no means disregards the need for the defendant to have statistics and quality tests, but the
    defendant mainly limits itself to asserting that aggregated or anonymized reports are prepared,
    unless specific statistics are required (per category, e.g. per age group). Moreover, the defendant
    states that those reports may or may not be prepared using big data methodologies.



53. To what extent the statistics still contain personal data or allow re-identification of a data
    subject is further explained during the hearing. The defendant states that there are still very few
    statistics containing personal data. The statistics do not contain names and certainly no health
    data. The statistics do contain codes, but they are mass aggregated, segmented data. Directive (EU)
    2016/97 on insurance distribution 5 and the Belgian implementing legislation of this Directive also
    require that personal data are processed for specific reporting. Sometimes policy data is processed
    in the reporting, but no further processing of it takes place in the statistics. Each report has
    one purpose and the processing may not go beyond that. A register is kept of those reports and
    their purpose, which are strictly regulated through the data warehouse and for which "approvals"
    are required to deviate from it.



  54. The Disputes Chamber decides that the defendant has made the necessary efforts to limit data
      processing for this purpose to what is strictly necessary. The second condition is thus fulfilled,
      as it has been shown that the principle of minimal data processing (Article 5.1 c) GDPR) has been
      complied with.




  55. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing
      test” between the interests of the controller, on the one hand, and the fundamental freedoms and
      fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable
      expectations of the data subject must be taken into account, in accordance with recital 47 GDPR.
      More specifically, it should be evaluated whether the “data subject can reasonably expect, at the
      time and in the context of the collection of the personal data, that processing can take place for
      that purpose”.




  56. The Disputes Chamber follows the defendant's position that if a person enters into an insurance
      agreement with Y, he can reasonably expect that Y will perform internal checks and compile
      statistics to ensure that Y fulfills its contractual obligations.




  57. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis included
      in Article 6.1 f) GDPR for processing for the purpose “Statistics and Quality Requirements”.



    - For the section “Satisfaction surveys”

      “Context of the processing purpose
      This processing purpose includes determining the NPS ("Net Promoter Score"), the satisfaction
      factor of the customers, based on an external survey by a third party in order to safeguard the
      anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact
      Center and the claims department (claims handling)”

5 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution
(recast), OJ L 26/19.



58. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the
    opinion that the processing purpose as described by the defendant must be considered as carried out
    for a legitimate interest. The interest pursued by the defendant as controller can, in accordance
    with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article
    6.1 f) GDPR is therefore satisfied.



59. In order to meet the second condition, it must be demonstrated that the processing is necessary
    for the achievement of the objectives pursued. More specifically, this means that the question must
    be asked whether the same result can be achieved by other means, without processing personal data
    or without processing that is unnecessarily invasive for data subjects.



60. Based on the purpose of conducting satisfaction surveys, the Disputes Chamber must establish that
    the defendant asserts that through this survey the customer can give an opinion anonymously and
    thus assert his interests. The results are aggregated and processed by an outside company so that
    the anonymity of those involved can be safeguarded. During the hearing it is added that the
    customers always have the choice whether or not to participate in the survey, as they always have
    the right to object. The Disputes Chamber finds that the customers thus have the necessary freedom
    of choice and that the results of those who participate in the survey will be made available to
    the defendant in anonymous form.

    The second condition is thus fulfilled, as it has been shown that the principle of minimal data
    processing (Article 5.1 c) GDPR) has been complied with.



61. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing
    test” between the interests of the controller, on the one hand, and the fundamental freedoms and
    fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable
    expectations of the data subject must be taken into account, in accordance with recital 47 GDPR.
    More specifically, it should be evaluated whether the “data subject can reasonably expect, at the
    time and in the context of the collection of the personal data, that processing can take place for
    that purpose”. 6



  62. The Disputes Chamber is of the opinion that it can be assumed that, when personal data are
      collected in the context of taking out an insurance policy, the policyholder can reasonably expect
      at that time that his data will be used by the defendant to gauge his satisfaction with the
      service provided by the defendant.





  63. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis included
      in Article 6.1 f) GDPR for processing operations for the purpose “conducting satisfaction surveys”.



    - For the part “Quality tests operations”


        “Context of the processing purpose

        This processing purpose relates to the general control of the quality of

        the operational services and performance of Y. This is about quality checks where

        every employee involved must perform 2 random checks per week for up to

        the correct underwriting or performance of the insurance contract and applicable

        instructions and procedures for this purpose. "




  64. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the
      opinion that the processing purpose as described by the defendant must be considered as carried
      out for a legitimate interest. The interest pursued by the defendant as controller can, in
      accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained
      in Article 6.1 f) GDPR is therefore satisfied.



  65. In order to fulfill the second condition, it must be demonstrated that the processing is necessary
      for the achievement of the objectives pursued. More specifically, this means that the question
      must be asked whether the same result can be achieved by other means, without processing personal
      data or without processing that is unnecessarily invasive for data subjects.








6 Recital 47 GDPR.




  66. Based on the purpose, being the general control of the quality of the operational services and
      performance of Y, the Disputes Chamber must establish that the defendant asserts that Y is subject
      to the insurance distribution directive (EU) 2016/97 and the Belgian implementing legislation,
      which oblige insurance companies to tailor their services to the desires and needs of their
      customers. As indicated during the hearing, the defendant does not invoke its legal obligation
      (Article 6.1 c) GDPR) as the legal basis for the processing, given that the nature and scope of
      the reporting is not explicitly imposed as such by law. Hence, the defendant invokes for that
      processing its 'legitimate interest under that legislation' as the legal basis.

      The second condition is thus fulfilled, as it has been shown that the principle of minimal data
      processing (Article 5.1 c) GDPR) has been complied with. The processing of personal data is
      necessary in order to actively measure the quality of the service.



  67. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing
      test” between the interests of the controller, on the one hand, and the fundamental freedoms and
      fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable
      expectations of the data subject must be taken into account, in accordance with recital 47 GDPR.
      More specifically, it should be evaluated whether the “data subject can reasonably expect, at the
      time and in the context of the collection of the personal data, that processing can take place for
      that purpose”. 7




  68. The Disputes Chamber is of the opinion that it can be assumed that, when personal data are
      collected in the context of taking out an insurance policy, the policyholder can reasonably expect
      at that time that his data will be used to carry out internal quality control to ensure that Y
      complies with its legal and contractual obligations.



  69. Accordingly, the Disputes Chamber decides that the defendant may rely on the legal basis included
      in Article 6.1 f) GDPR for processing operations for the purpose “quality testing operations”.



  70. With regard to the purpose of “training personnel”, the defendant states the following:

    “Context of the processing purpose
    This includes the organization and follow-up of training courses, awareness-raising sessions
    ("awareness") and training for Y employees who come into contact with (personal data of) customers.
    Training courses include:
    • insurance technical aspects (e.g. with regard to Y products);
    • technical aspects (e.g. the use of Office 365 applications, training on information security,
    etc.);
    • "on the job" training courses (training for new employees as well as training with the aim of
    continuously improving service quality); and
    • more general aspects such as compliance topics (e.g. the GDPR, IDD, etc.).”

7 Recital 47 GDPR.



71. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the
    opinion that the processing purpose as described by the defendant must be considered as carried out
    for a legitimate interest. The interest pursued by the defendant as controller can, in accordance
    with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article
    6.1 f) GDPR is therefore satisfied.



72. In order to fulfill the second condition, it must be demonstrated that the processing is necessary
    for the achievement of the objectives pursued. More specifically, this means that the question must
    be asked whether the same result can be achieved by other means, without processing personal data
    or without processing that is unnecessarily invasive for data subjects.



73. Based on the purpose, being the training of personnel, the Disputes Chamber must establish that the
    defendant argues that in exceptional cases the cases used for the training contain personal data of
    customers, or personal data of customers are used for the preparation of the training material. The
    defendant argues that the underlying material (cases), however, is generally completely anonymized.



74. The Disputes Chamber notes that the defendant states that in the context of training courses the
    cases only contain personal data of customers in exceptional cases, or personal data of customers
    are used for the preparation of the training material. However, the defendant fails to clarify in
    which cases it would be necessary to offer training to staff based on customers' personal data. The
    defendant does not reasonably demonstrate that staff training could not always be provided on the
    basis of anonymised data. The second condition is thus not fulfilled because it has not been
    demonstrated that the principle of minimal data processing (Article 5.1 c) GDPR) has been complied
    with.



  75. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing
      test” between the interests of the controller, on the one hand, and the fundamental freedoms and
      fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable
      expectations of the data subject must be taken into account, in accordance with recital 47 GDPR.
      More specifically, it should be evaluated whether the “data subject can reasonably expect, at the
      time and in the context of the collection of the personal data, that processing can take place for
      that purpose”. 8



  76. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out insurance, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for staff training. A policyholder can only expect normal management of his customer file, which requires access to the information contained therein only by the personnel who have to perform tasks in that file for the benefit of the customer concerned. When information from concrete files is shared in the context of a course, the processing of that information is not limited to those who have to perform tasks in the relevant file.




  77. Accordingly, the Disputes Chamber decides that the defendant, for processing operations for the purpose “training of personnel”, cannot rely on the legal basis “legitimate interest” and that there is therefore a violation of Article 6.1 f) GDPR. The Disputes Chamber observes in addition that, if the defendant nevertheless wishes to use personal data of customers for staff training, he can rely on another legal basis, namely consent (Article 6.1 a) GDPR).



  78. With regard to the purpose of “monitoring and reporting”, the respondent states the following:



       “Context of the processing purpose

       This processing purpose includes the preparation of reports in order to be able to perform checks in the context of:

       • IFRS 17 accounting standards for insurance contracts and the Belgian generally accepted accounting rules ("Belgian GAAP");






8 Recital 47 GDPR.



     • calculating the reserves (in the context of, for example, the law of 13 March 2016 on the status and supervision of insurance or reinsurance companies (Solvency II law), etc.); or

     • profitability monitoring or reporting in the context of major damage claims.

     These reports are created both for internal audit purposes and for reporting to the Y1 Re group (of which Y is a part). This includes recurring reports as well as one-off ad hoc reports. Only fully aggregated, anonymised or, if not otherwise possible, pseudonymized reports are prepared in the context of major claims or ad hoc reports regarding specific cases or outliers.”



79. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose, in the context described by the defendant, must be considered as pursued in view of a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.



80. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question should be asked whether the same result can be achieved by other means, without processing of personal data or without processing that is unnecessarily invasive for data subjects.



81. As regards the purpose of monitoring and reporting, the Disputes Chamber must note that the defendant asserts that the various general financial and insurance law regulations (in the context of, for example, the law of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II law)) cannot be complied with without compiling the necessary reports or carrying out monitoring. As indicated at the hearing, here too the defendant does not rely on his legal obligation (Article 6.1 c) GDPR) as legal basis for the processing, since the nature and scope of the reporting are not explicitly imposed as such by law. Hence, the defendant uses "legitimate interest under that legislation" as the legal basis for those processing operations. The second condition is thus fulfilled, since it has been shown that the principle of minimal data processing (Article 5.1 c) GDPR) has been complied with. The processing of personal data is necessary, as the legislation cannot be complied with without the necessary reports being drawn up or monitoring being carried out.




  82. The defendant adds that only fully aggregated, anonymized or, if not otherwise possible, pseudonymized reports are prepared in the context of large claims for damages or ad hoc reports related to specific cases or outliers. The second condition is thus fulfilled, since it has been shown that the principle of minimal data processing (Article 5.1 c) GDPR) has been complied with.



  83. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account, in accordance with Recital 47 GDPR. More specifically, it should be evaluated whether the “data subject at the time and in the context of the collection of the personal data can reasonably expect that processing for that purpose may take place”. 9



  84. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out insurance, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for the fulfillment of the legal and contractual obligations of the defendant.



  85. Accordingly, the Disputes Chamber decides that the defendant, for processing operations for the purpose “monitoring and reporting”, can rely on the legal basis included in Article 6.1 f) GDPR.





  86. Regarding the purpose “the storage of video surveillance recordings during the legal period”, the defendant states that:

      “Context of the processing purpose

      It concerns the processing of personal data by means of the cameras that are located within Y's premises with the aim of customer security, data security and the protection of the company's assets.”




  87. With regard to the first condition (the so-called “purpose test”), the Disputes Chamber is of the opinion that the processing purpose as described by the defendant must be considered as pursued in view of a legitimate interest. The interest pursued by the defendant as controller can, in accordance with recital 47 GDPR, be considered legitimate in itself. The first condition contained in Article 6.1 f) GDPR is therefore satisfied.

9 Recital 47 GDPR.



  88. In order to fulfill the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question should be asked whether the same result can be achieved by other means, without processing of personal data or without processing that is unnecessarily invasive for data subjects.



  89. As regards the purpose of video surveillance, the Disputes Chamber must note that the defendant asserts that the images are stored in a secure environment. Both the room and the IT servers concerned are subject to strict access protection. The images are accessed according to strict procedures. The storage of the images is also limited to the legal retention period (in principle 30 days).



  90. The second condition is thus fulfilled in that it was established that the principle of

      minimum data processing (Article 5.1. c) GDPR) has been complied with.



  91. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be fulfilled, the reasonable expectations of the data subject must be taken into account, in accordance with Recital 47 GDPR. More specifically, it should be evaluated whether the “data subject at the time and in the context of the collection of the personal data can reasonably expect that processing for that purpose may take place”. 10



  92. The Disputes Chamber is of the opinion that, when personal data are collected in the context of taking out insurance, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for video surveillance. The purpose of video surveillance is unrelated to the conclusion of an insurance contract, so that the policyholder cannot expect that the personal data he provides in connection with an insurance contract will be used in the context of video surveillance. Video surveillance only takes place when physically entering the defendant's premises, and in that case it suffices that the camera law is complied with, including the obligation to affix a pictogram with information to notify the data subject.

10 Recital 47 GDPR.



93. Accordingly, the Disputes Chamber decides that the defendant, for processing operations for the purpose “the storage of video surveillance recordings during the legal period”, cannot rely on the legal basis "legitimate interest" and that there is thus an infringement of Article 6.1 f) GDPR.



94. For the sake of completeness, the Disputes Chamber adds that if a controller wishes to use surveillance cameras, he must comply with the legal obligations ensuing from the law of 21 March 2007 regulating the placement and use of security cameras. As soon as a controller makes use of surveillance cameras, obligations regarding data processing arise from the aforementioned law, so that the controller can rely on Article 6.1 c) GDPR. In that regard, the defendant stated at the hearing that the necessary pictograms have been affixed in accordance with this law.





      c) Model of balancing of interests



95. For each of the foregoing purposes, the defendant argues that the processing purpose is permissible because the quantitative score calculated by the balancing-of-interests model that Y uses is lower than 30. The defendant argues that, on the basis of that model, the processing purposes can be based on the legitimate interests of the controller as long as this score does not exceed 30.



96. In this regard, the Disputes Chamber must note that the model used by Y is a purely internal instrument that can at most act as a guideline within the company, but from which no legal arguments can be drawn to support the assessment against the legal basis of Article 6.1 f) GDPR. No legal value can therefore be attached to the scores calculated on the basis of that model.





      d) All legal grounds included in Article 6.1 GDPR



97. The defendant is of the opinion that the Disputes Chamber stated in its decision 24/2020 that he can only rely on consent as a legal basis (Article 6.1 a) GDPR) for the processing purposes included in point 4.3 of the old privacy statement, and not on the other legal grounds of Article 6.1 GDPR.



      98. The Disputes Chamber explains that the following was stated in this regard in decision 24/2020:

          “The Disputes Chamber is therefore of the opinion that the violation of art. 6.1 GDPR is proven, since the data processing for the purposes stated in sections 1, 2, 3, 4, 6 and 7 of point 4.3 of the privacy statement, without any demonstrated legitimate interest, should be based on the consent of the complainant in the absence of any other possibly applicable legal basis in art. 6.1 GDPR.”



      99. From this the defendant deduces, albeit incorrectly, that the Disputes Chamber puts forward consent as the only legal basis for the purposes specified therein. The defendant, however, ignores the fact that the Disputes Chamber reached that decision precisely because the defendant failed to demonstrate any legitimate interest and thus failed to demonstrate that the applicable conditions had been fulfilled in order to rely on the legal basis in Article 6.1 f) GDPR. After all, the Disputes Chamber expressly stated in its decision that the defendant had in no way demonstrated what the legitimate interest would consist of and had also failed to demonstrate to what extent his interest would outweigh the interests and fundamental rights of the complainant, although the defendant is obliged to do so on the basis of his accountability obligation (Article 5.2 GDPR). Accordingly, the Disputes Chamber could not accept Article 6.1 f) GDPR as a valid legal basis. On the basis of the factual elements leading to decision 24/2020, the only remaining legal basis was consent.



      100. The Disputes Chamber emphasizes that every controller, including the

          defendant, can invoke any possible legal basis of Article 6.1 GDPR, but that the

          applicable conditions for the legal basis invoked must be fulfilled.





2. Legal basis for transfers to third parties




      101. First, the defendant claims that a transfer to third parties is not a processing purpose in itself, but is merely a form of processing of personal data within the meaning of Article 4.2 GDPR. The defendant states that he only draws up balancing tests per processing purpose, but not per processing operation.



      102. The Disputes Chamber states that it follows from Article 5.1 a) GDPR that personal data must be processed for a specific purpose and that such processing must be lawful within the meaning of Article 6.1 GDPR. It is thus clear that any processing must take place within the framework of a specific, explicit and legitimate purpose and that the processing must be based on a legal ground in order to be considered lawful. It is of course possible to perform multiple processing operations within the meaning of Article 4.2 GDPR for the same purpose, but this does not alter the fact that data processing for a specific purpose can only be regarded as lawful if there is a legal basis for it.



      103. The Disputes Chamber notes that any transfer to third parties must be assessed in view of the purpose for which the transfer takes place. To be able to verify whether the transfer to third parties can be regarded as lawful, it must thus be determined for what purpose data are passed on to third parties.




      104. As the defendant rightly points out, the legal basis for the transfer to processors (which, however, are not third parties within the meaning of Article 4, 10) GDPR) is the same as for the data processing by the defendant himself. After all, the processing purpose remains unchanged, as the processor only processes the personal data for the benefit of the defendant as controller.




      105. If the personal data are transferred to a third party within the meaning of Article 4, 10) GDPR with a view to enabling that third party to process the relevant personal data for its own purposes, then that transfer must be considered as a specific purpose in itself and requires a separate legal basis. With a view to transparency, the legal basis for all transfers should be stated in the privacy statement in order for the defendant to fulfil his obligation under art. 13.1 c) GDPR. This is, however, not the case, so that the Disputes Chamber is of the opinion that there is an infringement of art. 13.1 c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.





3. Transparency principle




      106. Notwithstanding the fact that Article 13.1 d) GDPR requires the controller to provide the data subject with information about his legitimate interests if the processing is based on Article 6 (1) (f), the defendant maintains that it suffices, for the purposes referred to in point 4.3 of the privacy statement as well as for the data transfers referred to in point 6 that are based on Article 6 (1) (f) GDPR, only to state that personal data are processed on the basis of the legitimate interest of the defendant, without indicating exactly what that legitimate interest would consist of.




107. The defendant argues that the balancing tests are internal documents that have not been made public by Y or included in its Privacy Statement, in view of the business-sensitive information they contain. Moreover, these are bulky, rather privacy-technical documents that are typically not included in a privacy statement.



108. For the transfer to “the companies of the group Y1 Re to which Y belongs, for monitoring and reporting”, the defendant confirms that this is a transfer to another controller. The defendant indicates that he demonstrates what his legitimate interest consists of in his submissions under the processing purpose “monitoring and reporting”, but fails to clarify his legitimate interest in the privacy statement.



109. Furthermore, the defendant also refers to recital 48 of the GDPR, which states that controllers that are part of a group of undertakings or a group of institutions affiliated to a central body may have a legitimate interest in the forwarding of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees.



110. The Disputes Chamber acknowledges that recital 48 applies to the defendant, but this does not alter the fact that the defendant must be transparent about this in his privacy statement and, in such a case too, must indicate the legal basis and make clear what the legitimate interest consists of, which is not the case in the old privacy statement.




111. For transfers to “subcontractors in the European Union or abroad, responsible for processing activities defined by Y”, the defendant argues that these are processors of Y.



112. The Disputes Chamber therefore restates the reasoning in this regard from its decision 24/2020 to decide on an infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. The privacy statement only mentions that, for the purposes listed in 4.3, personal data are processed on the basis of the legitimate interest of the defendant, without indicating exactly what that legitimate interest would consist of, while art. 13.1 d) GDPR does require the controller to provide the data subject with information about his legitimate interests if the processing is based on Article 6 (1) (f).







  113. The Disputes Chamber also refers to the Guidelines of the European Data Protection Board (EDPB) on transparency under Regulation (EU) 2016/679, which stress the need to identify the specific interest in question for the benefit of the data subject.





  114. Also with regard to point 6 of the privacy statement, the defendant does not indicate what the legitimate interest on which he relies would consist of in order to process the personal data of the complainant for the purpose of transferring them to “The companies of the Y1 RE group to which Y belongs, for monitoring and reporting” and “Subcontractors in the European Union or beyond, responsible for processing activities defined by Y”. However, art. 13.1 d) GDPR does in fact require that the controller provide the data subject with information about his legitimate interests if the processing is based on Article 6 (1) (f). The Disputes Chamber refers again to the Guidelines on transparency in accordance with Regulation (EU) 2016/679 and to what is stated above in this regard.





  115. The Disputes Chamber stated in its decision 24/2020 that, as best practice, the controller can also, before the personal data of the data subject are collected, provide the data subject with information about the balancing test that must be carried out in order to be able to use Article 6 (1) (f) as a legal basis for the processing. To avoid information fatigue, this information can be included in a layered privacy statement / notice. 12 The information provided to data subjects should make clear that these data subjects can receive information about the balancing test upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the balancing test carried out or wish to submit a complaint to a supervisory authority.




  116. As the defendant points out, he is unwilling to apply the aforementioned best practice,

      because, according to him, it concerns internal privacy-technical documents with company-sensitive

      information.








11 EDPB, Guidelines of the Article 29 Working Party on Data Protection on Transparency under Regulation (EU) 2016/679, approved November 29, 2017, last revised and approved April 11, 2018, p. 42.
12 See paragraph 35 of the guidelines referred to in footnote 6.




      117. The Disputes Chamber argues that even if the defendant refuses to follow this best practice, he is at least obliged to provide the data subject, in a concise, transparent, intelligible and easily accessible form and in clear and simple language, with information about his legitimate interest for each of the purposes for which he relies on that legal basis. Complying with this by no means requires privacy-technical documents to be made public, but it does require that information about the legitimate interest be provided in clear wording that can be easily understood by a customer or potential customer of the defendant.



      118. The Disputes Chamber finds that the information required by Article 13.1 d) GDPR is in no way whatsoever made available by the defendant, so that the infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR is established.








4. Administrative fine




      119. The fact that the defendant has indeed committed the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR leads the Disputes Chamber to impose an administrative fine. This sanction is not intended to end an offense committed, but is imposed with a view to vigorous enforcement of the rules of the GDPR. As is clear from recital 148 of the GDPR, the GDPR provides that in the event of any serious infringement - including when an infringement is first established - penalties, including administrative fines, are imposed in addition to or instead of appropriate measures. 13 Below, the Disputes Chamber shows that the breaches committed by the defendant against Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR in no way concern minor infringements, nor that the fine would cause a disproportionate burden on a natural person as referred to in Recital 148 GDPR, in either of which cases a fine can be waived. The fact that it is a first finding of an infringement of the GDPR committed by the defendant does not in any way affect the possibility for the Disputes Chamber to impose an administrative fine. The Disputes Chamber imposes the administrative fine in accordance with Article 58.2 i) GDPR.

13 Recital 148 states: “With a view to more vigorous enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities under this Regulation. If it concerns a minor infringement or if the foreseeable fine would cause a disproportionate burden on a natural person, a reprimand can be chosen instead of a fine. However, account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement, measures to mitigate damage, the degree of responsibility or previous relevant breaches, the manner in which the breach became known to the supervisory authority, compliance with the measures taken against the controller or processor, affiliation to a code of conduct and any other aggravating or mitigating factors. Imposing penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including an effective remedy and due process.” [own underlining]



  120. The Disputes Chamber emphasizes once again that the instrument of the administrative fine is in no way intended to end infringements. To this end, the GDPR and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG. It also emphasizes that the administrative fine is one of the sanctions provided for in Article 58.2 GDPR and Article 100 WOG. Neither EU law nor national Belgian law establishes a hierarchy with regard to the sanctions to be imposed. The Disputes Chamber, as a body of an independent data protection authority as referred to in Article 51 GDPR, is free to choose the most appropriate sanction. The Disputes Chamber is of the opinion that, in view of the accountability of the controller, the imposition of an administrative fine for violation of the GDPR could be expected. 14



  121. Taking into account Article 83 GDPR and the case law of the Marktenhof, 15 the Disputes Chamber substantiates the imposition of an administrative sanction in concrete terms:

        - The seriousness of the infringement: the reasoning below shows the seriousness of the infringement.

        - The duration of the infringement: for this aspect, the infringements are assessed in light of the date on which the GDPR became applicable, namely May 25, 2018. The defendant's privacy statement appears to have remained unchanged from the GDPR becoming applicable until such time as, following the complaint, a new privacy statement was drawn up. The new privacy statement is, however, not the object of assessment by the Disputes Chamber, so that it also does not comment on the extent to which the new privacy statement is consistent with the GDPR.

        - The necessary deterrent effect to prevent further infringements.





  122. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasizes that compliance with the principles set out in art. 5 GDPR - in the present case in particular the transparency principle, including accountability, as well as the principle of lawfulness - is essential, because these are fundamental principles of data protection. The Disputes Chamber therefore considers the defendant's infringement of the principle of lawfulness specified in art. 6 GDPR and of the transparency principle, which is specifically laid down in Articles 12 and 13 GDPR, as a serious violation.

14 With regard to the jurisdiction of the Disputes Chamber regarding the imposition of an administrative fine, see also decision no 55/2021 of April 26, 2021, available in French on the GBA website.
15 Court of Appeal Brussels (section Marktenhof), Judgment 2020/1471 of 19 February 2020.



123. An important element in determining the amount of the fine is the fact that the defendant does not dispute the following infringements as motivated in decision 24/2020 and, as a result, has already made efforts to bring the new privacy statement into line with the GDPR on those points:

      - Infringement of Article 13.1 c) GDPR due to lack of clear distinction between the processing of health data on the one hand, and the processing of the other 'normal' personal data on the other hand, and this for each of the purposes of 4.3 of the privacy statement, as well as for each of the transfers of point 6 of the privacy statement.

      - Violation of Articles 12.1 and 13.2 b) GDPR in the absence of mention in the privacy statement of the possibility for the data subject to exercise his right of retention.

      - Infringement of Article 13.1 c) GDPR due to lack of indication of the legal basis for the transfer to each of the distinct categories of third parties in point 6 of the privacy statement.




124. Although the changes made to the new privacy statement are a positive element when assessing the administrative fine, the Disputes Chamber emphasizes that these do not serve to rectify the infringements established. The infringements have been identified and cannot be undone retroactively by the controller still bringing his data processing - albeit too late - into line with the requirements of the GDPR.







125. In addition, the current decision also identifies infringements:

      - Violation of article 6.1 GDPR with regard to the purposes of “training personnel” and

          “The storage of video surveillance recordings during the legal period”.

      - Violation of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.

      - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR.




    Furthermore, the Disputes Chamber also takes into account the finding that the violation of Article 6.1 GDPR is limited to two processing purposes, “staff training” and “the storage of recordings of video surveillance during the legal period”, and is therefore of such a nature as to justify a reduction in the amount of the fine. In addition, the established breaches of the principle of transparency and accountability are so serious that a substantial fine is required. This applies all the more in view of the large scale of the processing of non-health data by the defendant, with decisive impact on all insured persons who have taken out hospitalization insurance with Y, which concerns a significant number of data subjects. A decisive element here is also the fact that Y is a major player in the insurance market, which may be expected to align its privacy policy with the GDPR duly and with the necessary conscientiousness.



      126. With regard to the lack of transparency, the Disputes Chamber also points out that the GDPR provided for a transition period of 2 years¹⁶ precisely in order to give each controller the necessary time to prepare for and adapt to the requirements set by the GDPR. The defendant's argument, made at the hearing, that the changes which the GDPR has implemented compared to the previous Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data are at the root of the lack of transparency cannot therefore be accepted. The defendant argues that Articles 13 and 14 GDPR, in conjunction with Article 12 GDPR, and the precise manner of interpreting them caused the difficulty. The transparency guidelines of Group 29 (now EDPB) were an auxiliary tool. Here too, the Disputes Chamber must state that those guidelines date back to 29 November 2017, were revised and adopted on April 11, 2018 and have remained unchanged since then. The defendant thus had sufficient time, as required by its accountability obligation (Article 5.2 GDPR), to align its privacy statement with the GDPR.



      127. This leads the Disputes Chamber to reconsider the fine and reduce it to € 30,000.



      128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria set out therein. The Disputes Chamber points out that the other criteria of art. 83.2 GDPR are not, in this case, such as to lead to an administrative fine different from the one set by the Disputes Chamber in the context of this decision.





5. Publication of the decision








    16 Article 99 GDPR



  129. Given the importance of transparency with regard to the decision-making process of the Disputes Chamber, this decision will be published on the GBA website. However, this does not require that the identification data of the parties be directly disclosed.




FOR THESE REASONS,



the Disputes Chamber of the Data Protection Authority decides, after deliberation, to review decision 24/2020 of 14 May 2020 and, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, to impose on the defendant an administrative fine of € 30,000.00 for the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR.



On the basis of Article 108, §1 WOG, an appeal against this decision can be lodged with the Marktenhof within a period of thirty days from its notification, with the Data Protection Authority as defendant.





(Signed) Hielke Hijmans

Chairman of the Disputes Chamber