APD/GBA (Belgium) - 87/2024
APD/GBA - 87/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 17 GDPR Article 21 GDPR Article 21(2) GDPR Article 38(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 14.02.2023 |
Decided: | 03.06.2024 |
Published: | |
Fine: | 172,431 EUR |
Parties: | n/a |
National Case Number/Name: | 87/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | nzm |
The DPA fined a controller for, among other things, failing to erase a data subject’s personal data in the context of direct marketing and for having an overloaded part-time DPO, which could not effectively perform their tasks. The DPA initially issued a €245,000 fine, which was reduced to €172,431 due to the controller’s difficult financial situation.
English Summary
Facts
On 30 June 2022, the data subject purchased a product from the controller and discovered an unexpected charge of €1,50 relating to an ‘energy contribution’ on his bill of May 2022. The data subject asked to be reimbursed of this surcharge and that all his personal data be deleted. The controller refused to reimburse this surcharge but acknowledged receipt of the deletion request and confirmed it would be dealt with promptly.
The data subject continued to receive advertising communications from the controller. On 18 November 2022, the data subject requested mediation from the Belgian DPA (‘APD’). On 14 February 2023, in the absence of any response from the controller, the Mediation Service of the APD informed the data subject that he could convert his request for mediation into a complaint. The data subject did so on the same day.
During the hearing, the controller explained that regarding the erasure of the data subject’s data, the process took place in several stages: the data subject initially complained about an excessive energy charge but this complaint evolved into an erasure request to terminate the customer relationship. The former DPO misunderstood that this was a GDPR issue. They then ordered their German processor to delete the data subject’s data using ‘code 43’. However, this code was used to restrict the processing rather than delete the personal data. The controller acknowledged this mistake made by the former DPO and also explained that (i) the absence of response to the DPA during the mediation was due to the former DPO, and that neither the current DPO, nor the management were aware of these problems and (ii) the former DPO did not process correspondence with the DPA or the data subject, nor did they share this information internally. They took measures to limit the processing of the data subject’s data without communicating with the latter, or with the DPA.
Despite the use of ‘code 43’ to limit the processing and the cessation of commercial calls to the data subject, newsletters continued to be sent until December 2022. In December 2022, the former DPO rectified the situation.
The controller also explained that it took initiatives to improve its responsiveness and comply with the DPA’s decisions, in particular with the hiring of a new DPO who worked full-time with a team of two people, and the current DPO regretted that the former DPO had not informed the data subject of this rectification.
On 11 November 2023, the controller informed the APD that it had received an email from the German processor confirming that the data subject’s data had been deleted, and that it had sent an email to the latter informing him of this deletion.
On 15 March 2024, the APD informed the controller of its intention to impose an administrative fine and the amount of the fine, in order to give the controller, the opportunity to defend itself. On 5 April 2024, the APD received the controller’s response.
Holding
Violation of Articles 17 and 21 GDPR
Regarding the breach of Articles 17 and 21 GDPR, Article 17 GDPR establishes the right to erasure which allows data subjects to request deletion of their personal data if certain conditions are met. However, the right to erasure is not absolute: Article 17(3) GDPR provides for certain exceptions in which this right does not apply.
Article 21(2) establishes that the data subject has the right to refuse any processing of their personal data for direct marketing purposes by indicating that they do not consent to receive marketing communications. The APD indicated that when the purpose pursued by the controller is ‘direct marketing’, the right to object is automatic and the controller may no longer process the data for such purposes once the data subject has expressed their objection. The APD added that Article 21(2) GDPR applies at all times and is not subject to any conditions. The DPA considered that withdrawing consent and objecting to the processing for direct marketing purposes should, in principle, lead to the same end: the immediate cessation of the processing of data for direct marketing purposes and the automatic deletion of those data.
In the present case, the data subject made an erasure request by revoking his consent, under Article 17(1)(b) GDPR. The APD considered that it was clear from reading the data subject’s request that he expressed a firm desire to end all commercial relations with the controller. In addition to requesting the total deletion of his personal data, the data subject firmly objected to his data being processed for the purposes of direct marketing, which was later confirmed during the request for mediation he submitted.
First, the APD noted that on the basis of the statements made by the controller at the hearing, the controller had still not taken any concrete steps to respond to the data subject’s request for erasure and objection. The controller sent an email on 11 November 2023 informing the DPA that the data had been deleted, but the APD decided not to take this information into account as the proceedings had already been closed.
Second, the APD held that the application of ‘code 43’ restricted access to the data subject’s data within its system, but did not lead to their deletion. Therefore, certain processing operations such as telephone calls were restricted, however it did not stop the sending of newsletters.
Third, the controller implicitly invoked the exception provided for in Article 17(3)(b) GDPR, namely the retention of personal data in order to comply with legal obligations (‘tax audits’). The APD stated that the controller should have invoked this exception to justify the non-erasure. Nevertheless, the DPA found that this exception could not justify the processing of data for direct marketing purposes, whether by telephone or by email.
Therefore, the APD concluded that the controller failed to comply with Articles 17 and 21 GDPR.
Violation of Article 5(1)(a) GDPR
Regarding the breach of Article 5(1)(a) GDPR, the APD indicated that the principle of fairness, lawfulness and transparency laid down in this article is not limited to the simple information and transparency obligations listed in the GDPR, but is a general principle and philosophy which must be respected for all processing.
First, the APD took into account the fact that the sending of advertising messages and newsletters was based on the data subject’s consent by ticking a box. However, the DPA found that there was a contradiction in the timelines regarding the processing: the data subject exercised his right to erasure and objection in June 2022. Nonetheless, the controller used ‘code 43’ only in April 2023 which suggested that the data subject’s data was processed, even in a limited manner, at least until April 2023. Therefore, the processing of his personal data continued without any legal basis since the data subject withdrew his consent, thus, violating Article 6 GDPR. The APD did not take into account the argument that the consent box ticked by the data subject suggested perpetual consent.
Second, the APD noted that on the day of the hearing the controller had still not informed the data subject of the measures taken in response to his requests. Hence, the controller did not comply with its information and communication obligations under Article 12 GDPR.
Therefore, the APD concluded that the controller breached the principles of lawfulness and transparency set out in Article 5(1)(a) GDPR by failing to comply with the requirements of Articles 6 and 12 GDPR.
Violation of Articles 5(2) and 24 GDPR
Regarding the breach of Articles 5(2) and 24 GDPR, the APD indicated that the controller must implement appropriate technical and organisational measures to ensure that it is able to demonstrate that the processing is carried out in accordance with the GDPR.
First, the APD explained that with regard to Article 38(2) GDPR, which states that the controller shall assist the DPO by providing the resources necessary to carry out their tasks, among other things, the following must be taken into account: (i) the DPO must be involved, where appropriate, in all matters relating to data protection, (ii) the controller must recognize and enhance the DPO’s role by management, (iii) the controller must allocate adequate time for the DPO to carry out its duties, (iv) the controller must communicate the appointment of the DPO to all staff to ensure that their role within the organisation is widely known, (v) the controller must ensure ongoing training to keep the DPO’s knowledge up to date.
Second, the APD considered that in the present case, the inability of the controller to verify or conclusively confirm the actual deletion of the data subject’s data raised concerns about the effectiveness of the technical and organisational measures in place. Additionally, the DPA also took into account the fact that the former DPO worked part-time and was overloaded, which prevented him from responding effectively to the requests and considered that this highlighted the failure to put in place measures to ensure compliance with the GDPR. The APD also noted that the controller’s decision to hire a new full-time DPO was taken in response to the DPA’s investigation. However, such measures should have been put in place prior to the DPA’s intervention.
Therefore, the DPA concluded that the controller failed to comply with Articles 5(2) and 24 GDPR.
Alleged violation of Article 31 GDPR
Regarding the alleged breach of Article 31 GDPR, which states that the controller must cooperate with the DPA at its request, the DPA noted that the controller did not respond to the APD’s requests. The DPA indicated that this negligence appeared to result mainly from a confusion due to the fact that the controller was also subject to an investigation by another service of the APD. However, the latter held that the controller is obliged to cooperate with all the departments of the DPA. The APD considered that although the controller increased the number of staff and replaced the former DPO, these measures did not appear to be fully effective, in particular with regard to the examination of all the previous requests from the DPA.
Therefore, the DPA held that the controller did not fully cooperate with the DPA during the mediation procedure, but it was not able to determine whether this lack of response was the result of confusion generated by the ongoing inspection or the result of a deliberate intention or gross negligence not to cooperate.
Imposition of a fine
Regarding the imposition of a fine, the DPA indicated that although it was not able to establish that the infringements had an impact on several of the persons concerned, it emphasized that the controller’s negligence justified the imposition of a fine. Therefore, the APD decided to impose a €245,000 fine, which was reduced to €172,431 due to the controller’s difficult financial situation which would have devastating consequences for it, namely putting the jobs of 400 people at risk, and even leading to the cessation of activities in Belgium.
Comment
This decision was quite interesting in two regards:
1) The Belgian DPA recalled what a controller is supposed to do with its DPO, particularly with regard to ensuring the DPO's ongoing training. Moreover, the extra workload of the DPO does not exempt the controller from his obligation to cooperate with the DPA's services.
2) This decision is also interesting for its considerations on the principle and methods of calculating an administrative fine (§§97-165) for which the Belgian DPA extensively used the EDPB guidelines on the calculation of administrative fines under the GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/55 Litigation Chamber Decision on merits 87/2024 of June 3, 2024 File number: DOS-2022-04748 Subject: Complaint for non-compliance with the right to erasure and opposition after the receipt of commercial messages for direct marketing purposes The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, and gentlemen Romain Robert and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), (hereinafter “GDPR”); Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “LCA”); Considering the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has taken the following decision regarding: The complainant: The defendant: Company Y, hereinafter “the defendant”. Decision on merits 87/2024 — 2/55 I. Facts and procedure 1. On November 18, 2022, the complainant filed a request for mediation with the Authority of data protection (hereinafter “DPA”) against the defendant, which is transformed filed a complaint on February 14, 2023 due to his lack of response. 2. The complaint relates to the receipt of regular, unsolicited commercial messages to direct marketing purposes on the part of the defendant, despite the exercise by the plaintiff of its right to erasure and opposition. 3. On June 30, 2022, the plaintiff, having purchased the defendant's products from his representative, discovers an unexpected charge of €1.50 linked to an “energy contribution” on his invoice dated May 31, 2022. Faced with the refusal to reimburse this surcharge by the defendant, the complainant requests the deletion of all of his data personal. He sends this request by email to the address “…”, indicating that he does not no longer wishes to be a client of the defendant. 4. On July 1, 2022, the defendant acknowledges receipt of the plaintiff's requests and confirms rapid processing of these. Despite the assurance given by the defendant regarding the consideration of requests made on June 30, 2022, the complainant continues to receive communications advertising by the defendant. 5. On November 18, 2022, the complainant requests a mediation procedure with the Service of First Line (hereinafter “SPL”) of the APD. In the request form addressed to ODA, the complainant reiterates his wish to no longer have commercial relations with the defendant, explaining: “[...] I therefore requested a reimbursement which I did not have obtained I then requested, on July 1st, that all my data be erased which I do not would never order from them again. [...] Today, 4 and a half months later, I receive always advertising messages. » . 6. On November 24, 2022, the SPL confirms receipt of the request for mediation and declares it admissible. 7. On December 7, 2022, the SPL informed the defendant of the request for mediation, inviting her to respond to the complainant's request regarding the exercise of his rights, and to transmit a copy of his response to the SPL. 8. On January 11, 2023, the complainant requested the status of the request for mediation and informal SPL that he continues to receive calls and emails from the defendant. THE January 13, 2023, the SPL responds by indicating that the file is being processed, that a 1Exhibit 1 – The request for mediation and its annexes. Decision on merits 87/2024 — 3/55 letter was sent to the defendant on December 7, 2022, granting it a period of one months to respond, and that a reminder would be issued to the defendant. 9. On January 17, 2023, the SPL sends a registered letter with acknowledgment of receipt to the defendant, inviting it to respond to the initial request of December 7, 2022. 10. On February 14, 2023, due to the lack of response from the defendant, the SPL informed the complainant that he can commute his request for mediation into a complaint in accordance with article 62, §2, paragraph 4 of the LCA. The complainant requests this transformation on the same day. 11. On February 20, 2023, the SPL notified the defendant that the mediation had failed due to his lack of reaction, then transmits the complainant's complaint to the Litigation Chamber in accordance with article 62, § 1 of the LCA. 12. On May 15, 2023, the Litigation Chamber decides, under Article 95, § 1, 1° and Article 98 of the LCA, to process the file on its merits. The parties concerned are notified by registered mail of the provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are also informed, under article 99 of the LCA, of the deadlines for transmitting their conclusions. That same day, the Litigation Chamber clarified 3 that the language of the proceedings would be French, in accordance with the language policy. On May 15 and 19, 2023, the defendant and the plaintiff respectively acknowledged receipt some mail. The deadlines are June 26, 2023 for the submissions in response to the defendant; by July 17, 2023 for the complainant's reply conclusions; and August 7 2023 for the defendant's reply submissions. 13. On September 29, 2023, in the absence of conclusions filed by the parties, the Chamber Litigation summons, in accordance with article 52 of the ROI, the parties concerned to a hearing on October 12, 2023, to allow them to present their arguments orally. The defendant confirms its presence on October 3, 2023, while the plaintiff expresses his inability to attend the hearing in an email dated October 11, 2023. 14. On October 12, 2023, the defendant was heard by the Litigation Chamber. During of this hearing, the defendant presents the following arguments: a) The responsibility of the data protection officer (hereinafter “DPO”): the problems with the APD began under the management of the former DPO, Mr. Z1 (hereinafter after “the former DPO”). Neither the current DPO, Mr. Z2 (hereinafter “the current DPO”) nor the management were not informed of these problems. The defendant justified the absence 2Art. 95, § 1, 1° and art. 98 of the aforementioned law of December 3, 2017. 3Data Protection Authority, “Note relating to the linguistic policy of the Litigation Chamber”, 01/07/2021, available at https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-politique-linguistique-de-la- chamber-contentious.pdf. Decision on merits 87/2024 — 4/55 response from the former DPO due to his work overload, emphasizing that the management was not informed of this overload. b) Inadequate management of letters: the former DPO did not process letters from the APD nor the complainant and did not share this information internally. The former DPO has taken measures to limit the processing of the complainant's data, without contact the complainant or the APD. c) The data erasure process: the defendant described the process erasure of the complainant's personal data, explained the error of the former DPO, mentioned the confusion around data localization and “code 43”, and undertook to comply with the GDPR by informing the complainant of the erasure of its data. d) Responsibility for data processing: responsibility for processing data between “Y B ELGIUM” (hereinafter “the defendant”) and “Y LLEMAGNE” (hereinafter after “the German subcontractor”) was discussed, with reference to a contract of subcontracting. e) Organizational improvements: the contract of the old DPO ended, and the DPO currently works full-time with a team of two people to manage the company email “privacy@Y.be”. The defendant is committed to taking initiatives to improve its responsiveness and comply with APD decisions. 15. On October 27, 2023, the Litigation Chamber submits the minutes of the hearing to the parts. 16. On November 3, 2023, the defendant provided details in the minutes at the Litigation Chamber, which will be taken into consideration in this decision. The defendant further requests that, taking into account the circumstances specific to the case, the Litigation Chamber opts either for a suspension of the pronounced, as permitted by article 100, § 1, 3° of the LCA, either for a warning or a reprimand according to article 100, § 1, 5° of the same law. 17. On November 11, 2023, the defendant notifies, after the close of the debates, the Chamber Litigation having received an email from the German subcontractor, confirming the deletion of data of the complainant, and having sent an email to the complainant to inform him of this deletion. 18. On March 15, 2024, the Litigation Chamber informed the defendant of its intention to proceed with the imposition of an administrative fine as well as the amount thereof, in order to give the defendant the opportunity to defend herself before the sanction is actually inflicted. Decision on merits 87/2024 — 5/55 19. On April 5, 2024, the Litigation Chamber received the defendant's reaction concerning the intention to impose an administrative fine and the amount thereof. This response is examined by the Litigation Chamber as part of its deliberations. II. Motivation II.1. Introductory points II.1.1. On the joining of files 20. During the hearing, the defendant emphasized that she was the subject of an investigation carried out by the Inspection Service (hereinafter “SI”) of the APD as part of a file distinct. This assertion was reiterated as part of his reaction to the hearing minutes of 3 4 November 2023. 21. On April 5, 2024, as part of its reaction to the sanction form of March 15, 2024, the defendant requested the joinder of the file (…)(subject of the IS investigation) with the file currently subject to this decision. 22. Firstly, the defendant should be reminded that the IS is required to maintain secrecy the investigation, in accordance with article 64§3 of the LCA, which specifies that “the investigation is secret unless there is a legal exception, until the time of submission of the inspector general's report to of the Litigation Chamber”. 23. Secondly, the Litigation Chamber emphasizes that it does not have the power to self-report an ongoing investigation carried out by the IS. It refers the defendant to Article 92 of the LCA for the conditions of referral. This article specifies that the IS can enter the Litigation Chamber after the closure of an investigation in accordance with article 91 §2 of the LCA. 24. Thirdly, the Litigation Chamber recalls that the sanction form aims to allow the alleged perpetrator of the offense, in this case the defendant, to give his views on the amount of the proposed fine before its imposition and its effective execution. This defense process, provided through the sanction form on the amount of the proposed fine, does not open new debates on the findings already established by the Litigation Chamber, the latter being closed. 25. In conclusion, the Litigation Chamber rejects the request to join the file (…) with the current file which is the subject of this decision. 4In its reaction to the hearing minutes of November 3, 2023 and the sanction form of April 5, 2024, the defendant specifies that the file being inspected corresponds to the referenced file number (…). 5Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024. Decision on merits 87/2024 — 6/55 II.1.2. On the interpretation of article 21.2 of the GDPR 26. In this case, the Litigation Chamber notes that the complainant made his request erasure (total deletion of their data) on June 30, 2022 by revoking their consent, in accordance with article 17.1.b) of the GDPR. Furthermore, it is clear, upon reading of the complainant's request, that the latter expresses a firm desire to put an end to any commercial relationship with the defendant. To the extent that the complainant exercised his right to erasure under Article 17.1.b) of the GDPR, by revoking consent, the defendant should have granted the erasure request, delete all of the personal data of the complainant and stop direct marketing, since the legal basis invoked for this data processing is consent. 27. Next, the Litigation Chamber emphasizes that article 21 of the GDPR covers two forms different from the right of opposition. On the one hand, in article 21.1, a possibility of opposing processing based on the legitimate interest of the data controller or on a public interest mission of the data controller (general opposition subject to weighting of interests). 28. Furthermore, in accordance with article 21.2, the person concerned has the right to refuse any processing of their data for direct marketing purposes (opposition to marketing direct), thus indicating that it does not consent to receive marketing communications. When the purpose pursued by the data controller is direct marketing, the right of opposition is automatic: the data controller can no longer process data for such purposes, including profiling, to the extent it is related for this purpose, when the person concerned has expressed their opposition. 29. The Litigation Chamber takes the position that article 21.2 applies at all times, since Article 21.2 grants an unconditional right to the data subject to object “at any time” to the processing of their personal data for the purposes of prospecting, including profiling to the extent that it is linked to such prospecting. 6 The exercise of the right under Article 21.2 is not subject to any conditions. This item applies independently of the legal basis of the processing, and without any weighting interest is required. This position can also be deduced from the distinction between recitals 69 and 70 of the GDPR. 30. The Litigation Chamber admits that a different reading of article 21.2, according to which this provision would be limited to the same legal bases for processing as Article 21.1 GDPR [Article 6.1(e) and Article 6.1(f)], is not excluded. However, such a reading 6See WP29, Guidelines for automated individual decision-making and profiling for the purposes of regulation (EU) 2016/679, WP251, rev.01, p21; Zanfir-Fortuna in The EU General Data Protection Regulation (GDPR): A Commentary, OUP 2000, p. 518. Decision on merits 87/2024 — 7/55 would change nothing in the defendant's obligations, because the withdrawal of consent under of article 17.1.b of the GDPR implies that all processing must cease. 31. The preceding points show that the withdrawal of consent (legal basis invoked by the defendant to justify direct marketing) and the opposition to the processing of data for direct marketing purposes should in principle lead to the same purpose: immediate cessation of data processing for direct marketing purposes and the automatic deletion of this data. II.2. As for the alleged breaches of the GDPR II.2.1. Alleged violation of Articles 17 and 21 of the GDPR II.2.1.1. Position of the defendant 32. The following arguments were raised by the defendant only during the hearing: a) Regarding the erasure of the complainant's data, the process was carried out in several stages. Initially, the complainant complained about energy costs excessive, but this complaint evolved into a request to terminate the relationship customer and erasure of data. The former DPO misinterpreted the situation, did not not understanding that this was a GDPR issue. The former DPO then ordered the German subcontractor to erase the data from complainant, using “code 43”. However, this code did not result in the removal complete data. The current DPO admitted that “code 43” was intended to limit processing rather than deleting data, recognizing an error of the former DPO. Despite the implementation of “code 43” to limit the processing of data and the cessation of commercial calls to the complainant, the sending of newsletters continued until December 2022. The defendant specified that the plaintiff had consented to receive these newsletters, which were managed by a separate network. It was not until December 2022 that the former DPO rectified the situation in response to SPL mail, making the data inaccessible to the defendant, but they were always present and accessible to other entities, notably to purposes of tax audits. The current DPO regretted that the former DPO did not informed the complainant of this rectification. On the day of the hearing, the defendant could not guarantee that the data had been actually deleted, due to lack of written confirmation from the German subcontractor to this subject. The current DPO offered to contact the German subcontractor to verify the deletion of the complainant's data. Decision on merits 87/2024 — 8/55 b) Regarding the request made by the current DPO on the obligation to inform the complainant of the measures taken in response to his request for deletion of data, the Litigation Chamber recalled the provisions of Article 12 of the GDPR. In response, the defendant undertook, during the hearing, to regularize the situation in accordance with article 17 of the GDPR and inform the complaining about the erasure of his data. c) With regard to the location of the complainant's data and the identification of the responsible for the processing, the defendant raised that the IS was investigating these questions in a separate file. Finally, the defendant indicates that it is the “sole” controller, according to the information available to it. 33. On November 3, 2023, as part of his reaction to the minutes of the hearing (hereinafter “ reaction to the PV)"), the defendant specified that the former DPO had requested activation of “code 43” for the complainant’s data from the German subcontractor on April 11 2023, a fact that he recorded in a correspondence addressed to SI on April 18, 2023 in the context of the current Inspection (see Title II.1.1). However, the former DPO failed to inform the complainant and the SPL. II.2.1.2. Position of the ChamberContentious 34. Article 17 of the GDPR establishes the right to erasure which allows data subjects to request the deletion of their personal data if one of the conditions following is fulfilled: the data are no longer necessary for the purposes for which they were have been collected or processed (art. 17.1.a) of the GDPR); the person concerned withdraws their consent on which the processing was based, and there is no other legal basis for processing (art. 17.1.b) of the GDPR); the data subject objects to the processing under article 21.1, and there is no overriding legitimate reason for the processing (art. 17.1.c) of the GDPR); the data was processed unlawfully (art.17.1.d) of the GDPR); data must be deleted to comply with a legal obligation (art. 17.1.e) of the GDPR); THE data has been collected from a child in connection with the company's services information (art. 17.1.f) of the GDPR). However, the right to erasure is not absolute. Article 17.3 of the GDPR provides for certain exceptions in which this right does not apply, in particular when the processing of data is necessary to guarantee the exercise of the right to freedom of expression and information (art. 17.3.a) of the GDPR), to comply with a legal obligation or carry out a mission of public interest (or relating to the exercise of public authority vested in the responsible for the processing) (art. 17.3.b) of the GDPR), to carry out a mission of interest 7See point 21 of this decision. Decision on merits 87/2024 — 9/55 public in the field of public health (art. 17.3.c) of the GDPR), for archival purposes (art. 17.3.d) of the GDPR), or to establish, exercise or defend legal rights (art. 17.3.e) of the GDPR). 35. Pursuant to Article 19 of the GDPR, the data controller is required to notify each recipient to whom the personal data has been communicated any rectification or erasure of personal data or any limitation of the processing carried out in accordance with Articles 16, 17.1 and 18 of the GDPR, unless a such communication proves impossible or requires disproportionate effort. THE controller provides the data subject with information about these recipients if they request it. 36. Article 21 of the GDPR governs the right of opposition of data subjects. When the personal data are processed for prospecting purposes, the person concerned “has the right to object at any time to the processing of personal data personal data concerning it (...)” (art. 21.2 of the GDPR). If the data subject “objects to the processing for prospecting purposes, personal data is no longer processed for these purposes. » (art. 21.3 of the GDPR). When a person objects to the processing of data for prospecting purposes (opposition to direct marketing), it must not provide any justification for its request opposition. Consequently, the opposition must immediately result in the cessation of all processing of personal data for direct marketing purposes for the individual concerned, without the need for additional examination (see Title II.1.2). 10 37. Articles 15 to 22 of the GDPR are intrinsically linked to article 12 of the GDPR which imposes obligations of the data controller, particularly with regard to the transparency of information and communications as well as the methods of exercise of the rights of the data subjects (art. 17 juncto 12 of the GDPR and art. 21.2 juncto 12 of the GDPR). The exercise of these rights, in this case the right to erasure (art. 17 of the GDPR) and the right opposition to direct marketing by the complainant (art. 21.2 of the GDPR) as well as respect for these rights by the data controller, who must demonstrate his response to the requests of the 8 In the absence of a legal definition of the notion of prospecting, the APD has defined it as “Any communication, solicited or unsolicited, aimed at promoting an organization or a person, services, products, whether paid or free, as well as brands or ideas, sent by an organization or a person acting within a framework commercial or non-commercial, directly to one or more natural persons in a private or professional context, by any means, involving the processing of personal data. », see Recommendation No. 1/2020 of January 17, 2020 relating to the processing of personal data for direct marketing purposes, page 8, available on the APD website. 9 CJEU, Google Spain and Google, C-131/12, May 13, 2014, ECLI:EU:C:2014:317; CJEU, Manni, C-398/15, March 9, 2017, ECLI:EU:C:2017:197; CJEU, Google), C‑507/17, September 24, 2019, ECLI:EU:C:2019:772; APD, Litigation Chamber, Decisions 28/2020 of May 29, 2020, 32/2020 of June 16, 2020, 19/2021 of February 12, 2021, 109/2023 of August 9, 2023, 157/2023 10 November 27, 2023”, available on the APD website. See Recommendation No. 1/2020 of January 17, 2020 relating to the processing of personal data for the purposes of direct marketing, page 53,. Decision on merits 87/2024 — 10/55 persons concerned, must be assessed and examined in accordance with the provisions of article 12 of the GDPR. 38. Article 12 of the GDPR imposes on the data controller the obligation to take appropriate measures to communicate concisely, transparently, understandable and easily accessible, in clear and simple terms, all information relating to data processing to the data subject, in particular when it comes to responding to the rights set out in articles 15 to 22 of the GDPR (art. 12.1 of the GDPR GDPR). When a data subject makes a request in accordance with Articles 15 to 22 of the GDPR, the data controller is required to respond within one month, with the possibility of a two-month extension, while informing the person concerned the reasons for this extension (art. 12.3 of the GDPR). If no response is provided to the request of the data subject, the controller must promptly inform, and at the latest within one month of receipt of the request, the person concerned of the reasons for his inaction but also of his right to file a complaint to a supervisory authority or to seek legal recourse (art. 12.4 of the GDPR). 39. In conclusion, non-compliance by the person responsible for processing a request made in under Articles 15 to 22 of the GDPR, in particular the right of erasure when the conditions of article 17 of the GDPR are met, or of the right of opposition when the conditions of article 21.2 of the GDPR are satisfied, may result in a violation not only Articles 17 and 21 of the GDPR, but also Article 12 of the GDPR due to non-compliance with communication and information obligations. 40. In the present case, as mentioned above in Title II.1.2. of this decision, the Chamber Litigation notes that the complainant made his request for erasure (deletion total of his data) on June 30, 2022 by revoking his consent, in accordance with Article 17.1.b) of the GDPR. Furthermore, it is clear, upon reading the complainant's request, that this expresses a firm desire to end any commercial relationship with the defendant. In addition to requesting the total deletion of their data (art. 17.1.b) of the GDPR), the complainant strongly objects to his data being processed for the purposes of direct marketing (art. 21.2 of the GDPR). To dispel any doubt regarding the requests of the complainant, the request for mediation introduced on November 18, 2022 and communicated on November 7 December 2022 to the defendant clarifies the plaintiff's demands. These requirements relate both to the erasure of their data under Article 17.1.b) of the GDPR and to opposition to the processing of their data under articles 21.2 and 21.3 of the GDPR, 1GDPR, art. 12.1. ; This information may be provided in writing or by other means, including, where appropriate, by electronic. Decision on merits 87/2024 — 11/55 which may lead to the application of articles 17.1 b) of the GDPR, as requested by complainant. 41. In the present case, firstly, the Litigation Chamber finds, on the basis of the statements made by the defendant during the hearing which took place on October 12, 2023, i.e. more than a year after the complainant exercised his rights, the defendant has not still not taken concrete measures to respond to the erasure request and opposition of the complainant. The Litigation Chamber would like to point out that as of November 11, 2023, the defendant has notified the sending of an email to the complainant informing him of the overpressure of his data, without provide proof and clearly specify whether the opposition request had been processed. Litigation Chamber decided not to take this information into account in its deliberations because the debates had already been closed. 42. Secondly, the Litigation Chamber notes that the application of “code 43” by the defendant on April 11, 2023 limited access to the plaintiff's data within its system, but did not lead to their deletion. This measure restricted certain treatments, including telephone calls, but she did not interrupt the sending of newsletters, which persisted until December 2022. Finally, the promise made by the defendant in an email of November 3, 2023, even after the close of the debates, concerning the erasure of the complainant's data, remains unsatisfactory in relation to to the complainant's requests. The latter had expressly opposed any treatment later of its data, in particular for prospecting purposes and had required the deletion full of its data. 43. Thirdly, the Litigation Chamber notes an inconsistency in the chronology of the events, as presented during the hearing of October 12, 2023 and in the email in reaction to the hearing minutes. It seems unlikely that data processing for direct marketing purposes ended in December 2022 while the defendant indicates that “code 43”, at the origin of the limitation of data processing, is not only occurred in April 2023 (see point 33). This suggests that the complainant's data were accessible at least until April 2023 and not until December 2022. Litigation Chamber adds that the complainant indicated, on January 11, 2023, either after December 2022, continue to receive calls and emails from the defendant (see point 8). 44. Fourth, the Litigation Chamber emphasizes that the continuous sending of newsletters, lasting at least until December 2022, or even until April 2023, despite the requests for erasure and opposition made by the complainant on June 30, 2022, under 1Email dated November 3, 2023 sent by the defendant in reaction to the hearing minutes. 13Email dated November 3, 2023 sent by the defendant in reaction to the hearing minutes. Decision on merits 87/2024 — 12/55 pretext of the existence of a separate system for the management of advertising emails, do not can justify the continued processing of the complainant's data for marketing purposes direct. 45. Fifthly, the Litigation Chamber understands that the defendant invokes implicitly the exception provided for in article 17.3.b) of the GDPR, namely the conservation of data of the complainant in the German IT system to respond to legal obligations, in this case “tax audit”. The Litigation Chamber recalls that it was up to the defendant to invoke one of the exceptions under article 17.3 of the GDPR, to justify this invocation, and to inform the complainant of the non-deletion in precisely reason for this exception (art. 12.1, 12.3 and 12.4 of the GDPR and art. 17.3 of the GDPR), which she did not do at that time. Nevertheless, the Litigation Chamber notes that this exception cannot justify the continued processing of the complainant's data for direct marketing purposes, whether by telephone canvassing or mail electronic. 46. The above-mentioned information reveals that the processing of the complainant's data continued for prospecting purposes despite the request for erasure and opposition. This lawsuit indicates that the defendant not only did not stop all treatment personal data of the complainant for prospecting purposes, but did not clearly not deleted the complainant's data as soon as possible nor informed him of the response given to his requests. 47. In view of the above, the Litigation Chamber concludes that the defendant does not complied with Articles 17 and 21 of the GDPR, while neglecting to respect the obligations of prompt, explicit and transparent response and communication as set out in Articles 12.1, 12.3 and 12.4 of the GDPR. II.2.2. Alleged violation of article 5.1.a) of the GDPR (principle of lawfulness, fairness and transparency) II.2.2.1. Position of the defendant 48. During the hearing, the defendant argued that direct marketing activities and the sending of newsletters was based on the consent of users, obtained via a Proactive opt-in mechanism with easy unsubscribe option. Other types of processing were mainly based on the need to carry out the CONTRACT. 14See minutes of hearing of October 12, 2023, B.2., p.6. Decision on merits 87/2024 — 13/55 II.2.2.2. Position of the ChamberContentious 49. The principle of lawfulness is one of the key principles of the GDPR and alone conditions the triggering of the other principles of the GDPR governing the processing of data personal character. According to this principle, personal data must be processed lawful, fair and transparent manner with regard to the person concerned. So that a processing of personal data is recognized as lawful, the processing must be based on the consent of the data subject or rely on another basis provided for by the GDPR in its article 6. 15 50. Article 6.1 of the GDPR lists six legitimate grounds for processing: in addition to the consent (art. 6.1.a) of the GDPR), the processing of personal data may be necessary for the execution of a contract (art. 6.1.b) of the GDPR), to comply with an obligation legal (art. 6.1.c) of the GDPR), for the execution of a mission of public interest or relating to the exercise of public authority (art. 6.1.e) of the GDPR), for the purposes of legitimate interests pursued by the data controller or by a third party (art. 6.1.f) of the GDPR), or is necessary to safeguard the vital interests of the person concerned (art. 6.1.d) of the GDPR). In the absence of an adequate legal basis, the processing of personal data is prohibited. 51. The continued processing of personal data for prospecting purposes, as cold calling or sending newsletters, despite a request for erasure without any exception provided for in article 17.3 of the GDPR being able to be invoked, or despite a request for opposition in accordance with articles 21.2 and 21.3 of the GDPR, may lead to a violation of article 6 juncto 5.1.a) of the GDPR when the processing of data continues without basis of lawfulness. In other words, non-compliance with requests erasure and/or opposition may go beyond the simple violation of Article 17 and/or 21 of the GDPR. 52. The principle of loyalty and transparency established in Article 5.1.a) of the GDPR is not limited to to the simple information and transparency obligations listed in the articles of the GDPR, but consists of a general principle, the scope and philosophy of which must be respected for any treatment. This principle, enshrined in particular by article 12 of 15GDPR, art. 5, paragraph 1, a); art. 6 to 9; recital 40. 16See EPDB decision 01/021 in which it is stated: “Based on the above considerations, the EDPB underlines that the principle of transparency is not circumscribed by the obligations arising from Articles 12 to 14 of the GDPR, although these The latter are a concretization of the first. Indeed, the principle of transparency is a general principle that only reinforces other principles (e.g. fairness, accountability), but from which many other provisions flow of the GDPR. Furthermore, as noted above, Article 83(5) of the GDPR provides for the possibility of establishing a violation of the transparency obligations regardless of the violation of the principle of transparency. Thus, the GDPR distinguishes the broader dimension of the principle of more specific obligations. In other words, transparency obligations do not do not define the full scope of the principle of transparency. ". (Free translation from the Litigation Chamber) EDPB, Binding decision1/2021onthedisputerisenonthedraftdecisionoftheIrishSupervisoryAuthorityregardingWhatsAppIrelandunder Article 65(1)(a) GDPR, July 28, 2021, §192. Decision on merits 87/2024 — 14/55 17 GDPR aims to ensure that the people concerned are informed in a concise manner, transparent, understandable and easily accessible regarding the processing of their personal data. In addition, it obliges the data controller to take appropriate measures to respond effectively to requests made by data subjects pursuant to Articles 15 to 22 of the GDPR. This involves providing complete information, written in clear and simple language, and presented in a manner concise, easily accessible and easy to understand, with regard to the treatment of 18 their data. By guaranteeing total transparency in data processing personal, this principle reinforces confidence in the processing of data and ensures the respect for fundamental rights regarding data protection. 53. Finally, in accordance with article 5.2 of the GDPR, read in conjunction with article 24 of the GDPR, 19 which enshrines the principle of responsibility (or “accountability”), the person responsible for processing is responsible for compliance with the principles of data protection personal, in this case the principle of lawfulness and transparency. He must take appropriate technical and organizational measures in order to guarantee and be able to to demonstrate that the processing of personal data complies with the legal obligations provided for by the GDPR; which implies that it must be able to provide proof of its compliance in response to any request from the authorities of control. 54. In the present case, firstly, the Litigation Chamber took into account the explanations provided by the defendant concerning its direct marketing activities, including telephone calls and sending newsletters, which were based on the consent of customers under Article 6.1.a) of the GDPR. Furthermore, the Chamber Litigation noted that the defendant argued that the plaintiff had initially given consent by checking the “consent” box to receive messages advertising, and that the sending of newsletters was the subject of a separate management system. 55. The Litigation Chamber noted that the complainant had exercised his right of erasure and opposition on June 30, 2022. During the hearing, the defendant confirmed that the complainant continued to receive commercial messages until December 2022. paradoxically, the defendant also indicated that the limitation of processing data using “code 43” was only implemented on April 11, 2023, which suggests that the complainant's data was processed, even in a limited way, at least until April 2023, and not December 2022. Thus, the processing of the complainant's data at 17 18See points 38 to 40 of this decision. Recitals 58 and 60 of the GDPR specify that “the principle of fair and transparent processing requires that the person concerned is informed of the existence of the processing operation and its purposes" and that "the principle of transparency requires that any information addressed to the public or the person concerned be concise, easily accessible and easy to follow understand, and formulated in clear and simple terms (...)”. 19See Title II.2.3. of this decision. Decision on merits 87/2024 — 15/55 direct marketing purposes continued without basis of lawfulness, or withdrawal by the complainant of his consent. Since this consent has been withdrawn by the complainant (by the exercise of its right to erasure and opposition), the continued processing of its data for direct marketing purposes was carried out without basis of lawfulness, violating the principle of lawfulness set out in article 5.1.a) of the GDPR. 56. Furthermore, the Litigation Chamber does not find the argument put forward by the defendant according to which the complainant continued to receive messages commercial due to a so-called “consent box” initially checked, suggesting perpetual consent. The complainant had clearly revoked his consent by exercising your rights of erasure and opposition, and by declaring explicitly no longer purchase the defendant's products. Therefore, the defendant no longer had a legal basis to justify the processing of the data for direct marketing purposes, upon exercising your rights of opposition and erasure by the complainant. Furthermore, the argument put forward by the defendant, according to which the sending of advertising emails was justified by the existence of a separate management system, cannot convince the Litigation Chamber, as long as it is up to the person responsible for processing to organize yourself in such a way as to comply with the obligations of the GDPR. 57. Secondly, the Litigation Chamber notes that on the date of the hearing, the defendant had still not informed the complainant of the measures taken in response to the exercise of his rights of erasure and opposition. Furthermore, although she committed on November 3 2023 to regularize the situation in accordance with article 17 of the GDPR, this declaration confirms the defendant's non-compliance with the principle of transparency set out in article 5.1.a of the GDPR resulting from non-compliance with its obligations to provide information and communication, as defined in article 12 of the GDPR. Furthermore, the Chamber Litigation highlights that the opposition request remains unprocessed to this day. 58. Considering the time elapsed between the exercise of rights in June 2022 and the commitment to inform the plaintiff in November 2023, it is established that the defendant did not take the appropriate measures to communicate all information relating to the processing data, including responses to the rights of erasure and opposition, such as as required by Article 12.1 of the GDPR. Furthermore, the defendant did not provide information on the actions taken following erasure and opposition requests within the period of a month prescribed by article 12.3 of the GDPR, nor provided any justification to the complainant for its inaction contrary to what is required by Article 12.4 of the GDPR. 59. In conclusion, the defendant continued to process the plaintiff's data at direct marketing purposes, whether via telephone calls or emailing advertising, without legal basis within the meaning of Article 6 of the GDPR, for a period ranging from six to ten months after the latter made his request for deletion and opposition, Decision on the merits 87/2024 — 16/55 violation of the principle of lawfulness. Furthermore, the defendant did not comply with the request deletion and opposition of the complainant, these requests having remained unanswered for more than one year and five months with regard to the erasure request, and still remaining unanswered regarding the opposition request. 60. In view of the above, the Litigation Chamber concludes that the defendant violated the principles of lawfulness and transparency set out in article 5.1.a) of the GDPR by not respecting not the requirements of Articles 6 and 12 of the GDPR. II.2.3. Alleged violation of Articles5. 2 and 24 of the GDPR (principle of liability) II.2.3.1. Position of the defendant 61. The following arguments were raised by the defendant only during the hearing: a) Regarding the former DPO and his role, the defendant described him as competent in communication and labor law, but noted gaps in its management of communications with the IS, the SPL and the Litigation Chamber. These shortcomings have generated problems and highlighted weaknesses in its management of internal communications within the defendant, which ultimately led to his replacement. b) Regarding the complainant's request for erasure, although the former DPO has taken internal measures to deal with the complainant's requests, including using “code 43” and, according to the defendant, informing the IS within the framework of the inspection to which it was subject (see Title II.1.1), he however failed to respond to the SPL and inform the complainant. The former DPO thought that the data placed under the “code 43” category resulted in the deletion of data, and not a data limitation. The defendant also clarified that it does not could not verify or confirm the deletion of the complainant's data by the German subcontractor because no written confirmation had been provided by this last. The defendant confirmed that it no longer had control of this data. On November 3, 2023, in reaction to the hearing minutes, the defendant clarified that the misunderstanding with the German subcontractor regarding the categorization of data under “code 43” was the result of a mistaken belief by the former DPO and management who believed that this code resulted in the erasure of data personal while it actually resulted in their non-accessibility by the front desk of their system. This situation would be being rectified with the assistance of the new DPO (current DPO). c) With regard to the responsibility for data processing between the sub-contractor dealing with German and herself, the defendant expressed uncertainty as to the merits of the Decision 87/2024 — 17/55 structure of this responsibility, while noting a tendency to consider oneself as the sole controller. In reaction to the hearing report, the defendant clarified that it is linked to the sub- German processor through a subcontracting contract (art. 28 GDPR). d) Regarding the exclusive access of the former DPO to the “privacy@Y.be” mailbox, the defendant explained that this created difficulties, particularly during absences due to illness or leave, affecting its ability to process requests for efficient manner. She pointed out that the former DPO, being employed part-time for three days a week, was often overloaded. The defendant announced the end of the contract of the former DPO following a notice period, specifying that since July 11, 2023, his successor has operated full time, supported by two other collaborators, for shared management of the mailbox which contains all emails, including those from APD. This new organization aims to guarantee better responsiveness. The defendant undertook to comply with the decisions of the APD and not to retain customer data unnecessarily. In reaction to the hearing minutes, the defendant reaffirmed its desire to reduce the risk of unprocessed correspondence, by taking administrative measures, namely the establishment of a team of three people, including the new DPO (current DPO), to manage the email box. II.2.3.2. Position of the ChamberContentious 62. With regard to the principle of liability (art. 5.2 of the GDPR), the Chamber Litigation reminds that the data controller must implement measures appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR and other laws of protection of personal data (art. 24.1 of the GDPR). These measures are reviewed and updated if necessary. Then, article 24.2 of the GDPR establishes that “when it is proportionate to the processing activities, the measures [referred to in Article 24.1. of the GDPR] include the implementation of appropriate policies regarding protection of data by the data controller” (this is the Litigation Chamber which underlines). 63. Recital 74 of the GDPR adds that “it is important, in particular, that the person responsible for the processing is required to implement appropriate and effective measures and is even demonstrate compliance of processing activities with the [GDPR], including the effectiveness of the measures. These measures should take into account the nature, scope, and substance of the decision 87/2024 — 18/55 context and purposes of the processing as well as the risk that it presents for the rights and freedoms of natural persons”. 64. In execution of the principle of responsibility, it is therefore up to the data controller to develop internal procedures allowing the persons concerned to exercise effectively their rights, and to integrate respect for GDPR rules into their processing and procedures, for example, by ensuring the existence and effectiveness of procedures for processing of requests from data subjects (art. 25 of the GDPR). 65. Measures implemented in accordance with the principle of accountability, read jointly with the principle of transparency (art.5.1.a) of the GDPR), aim to enable 20 data subjects to control the processing of their data. 66. With regard to the data protection officer (DPO), Chamber 21 Litigation reminds that the GDPR clearly defines the responsibilities of the manager data processing, in particular Article 38.2 of the GDPR. This article states that “ the data controller and the processor assist the data protection officer data to carry out the missions referred to in Article 39 by providing the resources necessary to carry out [its] missions, as well as access to personal data personnel and processing operations, and allowing it to maintain its specialized knowledge” (emphasis added by the Litigation Chamber). 67. In this regard, the Litigation Chamber is of the opinion that the following aspects, in particular, 22 must be taken into consideration: - The association of the DPO or, where applicable, his team, in all questions relating to data protection. This includes informing and consulting the DPO as soon as that a data processing project is envisaged, thus promoting compliance with the GDPR and encouraging an approach oriented towards data protection from design (known as “by design”). The DPO must naturally become a central interlocutor within the organization, for example by participating to working groups dedicated to data processing activities within the company; - Recognition and promotion of the DPO function by management senior (e.g. board level); - Adequate time allocation so that the DPO can perform effectively of its tasks is essential. This aspect is of particular importance when The DPO carries out his role part-time, whether internal or external to the organization. 20See recital 78 of the GDPR. 21Litigation Chamber, decision 41/2020, paragraphs 87 and 88. 22WP29, “Guidelines for Data Protection Officers (DPDs)”, 16/FR WP, 243 rev.01, April 5, 2017, p. 16. Decision on merits 87/2024 — 19/55 The lack of time allocated to the DPO to carry out his duties could cause conflicts of priorities and compromise its ability to accomplish its missions. To remedy this situation, WP29 recommends determining, jointly with the DPO, the estimate of the time necessary to exercise its function (the need is greater when entering the function). He can be useful to establish a work plan that prioritizes the DPO's tasks to ensure that he has the time necessary to fully assume his responsibilities. Of Furthermore, it is essential that the allocation of resources for the DPO be proportional the size, complexity, structure and risks associated with the activities of data processing. As a result, the more processing operations are complex or sensitive, the more resources allocated to the DPO must be substantial; - An official communication of the designation of the DPO to all staff to ensure that its role within the organization is widely known; - Adequate support in terms of financial resources (including budget for awareness-raising actions or recruitment of a team temporary or permanent), and infrastructure (premises, installations, equipment) and personnel, if applicable; - Default access to legal documentation related to data processing personal involving the organization with third parties, in particular partners and The subcontractors ; - Access to internal communication tools in the accomplishment of its missions in order to be able to raise awareness and train on the requirements of the GDPR, including raising awareness of good practices and managing incidents such as e- fraudulent emails or data breaches; - Access to other services, such as human resources, legal department, IT department, security, etc., to enable the DPO to receive the support, contributions and essential information from these other services 23; - Continuing training to maintain the specialized knowledge of the DPO day ; - Depending on the size and structure of the organism, it may be necessary to constitute a team around the DPO. In such cases, it is appropriate to clearly establish the internal structure of the team as well as the tasks and responsibilities of each member.Similarly, when the DPO function is outsourced to a service provider services, a team of people working on behalf of that entity can 23Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number 20 (C.H. Beck 2020, 3rd Edition). Decision on merits 87/2024 — 20/55 assume the missions of the DPO as a group, under the responsibility of a designated primary contact person for the customer. 68. Ultimately, the DPO function must be exercised effectively to ensure effective management practices. effective and GDPR-compliant data protection. The data controller is legally required to put in place the necessary structures and measures to facilitate the work of the DPO and guarantee the protection of personal data. This involves provide the DPO with adequate resources depending on the nature of the processing data carried out and the associated risks, as well as the provision of time and access necessary to facilitate and support the role within the organization. 69. On the basis of the factual elements present in the file, the Litigation Chamber notes the following: a) With regard to the request for deletion and opposition made as of June 30, 2022: i. The defendant restricted the processing of data by using the “code 43”, thus making the data inaccessible from the front desk of their system. However, this measure does not respond to initial requests of the complainant, who requested the total deletion of his data and objected to any further processing for prospecting purposes, placing thus highlighting a clear gap in technical measures and organizational structures in place. ii. The complainant's personal data was, in any event until the date of the closure of the debates, always kept by the deputy German treatment of the defendant despite his request for deletion and opposition. The inability to conclusively verify or confirm the effective deletion of this data raises concerns about the effectiveness of the internal procedures currently in place, both in regarding the deletion of data that coordination between various entities of the defendant to comply with the GDPR. b) With regard to responses to requests for deletion and objection of the complainant: i. Until the date of the close of the proceedings, the defendant had still not not responded to the complainant's requests for deletion and opposition, thus revealing a major flaw in the implementation of measures appropriate technical and organizational measures to ensure compliance with rights of data subjects under the GDPR. Decision on merits 87/2024 — 21/55 ii. The justification for receiving newsletters based on the consent of the complainant, even when he has exercised his right erasure and opposition, reveals a failure in the measures aimed at guaranteeing transparency, respect for consent, and deletion and opposition of data, including in entities distinct within the defendant's network, in contradiction with the GDPR requirements. c) With regard to the DPO and the new measures taken by the defendant, i. The defendant admitted that the former DPO worked part-time and was in an overload situation, which prevented him from responding effectively multiple letters. This situation is worrying, because the DPO plays a vital role in ensuring GDPR compliance. In accordance with the GDPR, the data controller must provide the DPO with all the necessary means to enable him to accomplish its tasks and obligations adequately in accordance with Article 38 of the GDPR (see points 66 to 68). The fact that the former DPO worked on time partial while being overloaded highlights a failure in the implementation appropriate organizational measures to ensure the GDPR compliance. ii. The Litigation Chamber notes that the defendant's decision to hire a new full-time DPO was taken following the inspection carried out by the IS (see Title II.1.1). These corrective measures taken in reaction to the IS investigation (see Title II.1.1), highlight a breach of the principle of liability arising from article 5.2 juncto 24 of the GDPR. Such measures should have been put in place prior to APD intervention to ensure compliance continues with the GDPR. iii. Despite the communication problems of the former DPO, the lack of response to requests from the SP and the investigation carried out by the SI (see Title II.1.1), the defendant did not adopt a more cautious approach by taking adequate measures to improve its processes and ensure compliance to the GDPR, both for past and future requests from individuals concerned. For example, it would have been wise to ask the new DPO, engaged since July 11, 2023 and assisted by two administrators, consult all the emails still present in the mailbox « 24See also points 64 to 70. Decision on merits 87/2024 — 22/55 privacy@Y.be” in order to process unresolved requests. To hide behind behind an alleged ignorance of the content of the emails precedentand lay the responsibility on the formerDPWe do not exonerate it in any way responsibility of the defendant, especially since it was, according to the declarations of the defendant, the subject of an investigation by the SI and was immediately aware of the problems of the former DPO. Although the defendant has taken certain measures to remedy the situation, in particular by hiring a new full-time DPO and strengthening the team, these measures remain insufficient in the eyes of the Litigation Chamber. The defendant, by virtue of the principle of liability, should have taken into account given the contentious context and the need to respect the provisions of the GDPR, take proactive measures to improve its processes and ensure GDPR compliance. 70. Furthermore, the absence of technical or organizational measures, such as the absence of measures limiting the retention of data beyond what is necessary or the lack of knowledge of the codes used in requests for deletion of data or opposition, may compromise the confidentiality and security of the data personal data of the persons concerned. Consequently, the Litigation Chamber attracts the defendant's attention to the imperative of respecting the principle of security and confidentiality set out in Article 5.1.f) of the GDPR, in conjunction with Article 32 of the GDPR. Finally, the Litigation Chamber strongly encourages the defendant to continue its efforts in implementing measures to effectively support the function of the DPO. 71. In view of the above, the Litigation Chamber concludes that the defendant does not complied with articles 5.2 and 24 of the GDPR. II.2.4. Alleged violation of Article 31 of the GDPR (cooperation with the data protection authority control) II.2.4.1. Position of the defendant 72. During the hearing, the defendant raised several arguments: a) The problems with the APD began under the management of the former DPO. Neither the DPO nor management were informed of the APD requests (see Title II.2.3) b) The current DPO discovered the correspondence from the Litigation Chamber only two weeks before the hearing, and only the former DPO was informed of the ODA correspondence. Decision on merits 87/2024 — 23/55 c) The defendant clarified that the former DPO had not transmitted internally the information including the invitation to conclude and the mediation emails sent by the SPL, thus hindering any appropriate response. d) The former DPO had not properly processed letters from the APD nor those from the complainant, and had not shared this information internally, due to his work overload (see Title II.2.3). e) Despite measures taken to limit the processing of the complainant's data, no contact has been made with the complainant or the APD, and the emails from the APD are remained unprocessed in the “privacy@Y.be” mailbox. 73. In reaction to the minutes, the defendant specified that the former DPO had not responded to the APD communications due to its workload from December 2022 to March 2023, a justification emanating from the former DPO himself, and not from the defendant. Of Furthermore, the former DPO would not have informed management of this work overload. This same argument of non-reaction was also invoked to justify the lack of response to the IS communications during this period. II.2.4.2. Position of the ChamberContentious 74. Article 31 of the GDPR states that the controller, the processor, and the case Where applicable, their representatives must cooperate with the supervisory authority, upon request. the latter, in the execution of its missions. This cooperation is of crucial importance to enable the supervisory authority to effectively carry out its functions and missions in the field of data protection. In this regard, it is appropriate to read article 31 of the GDPR in conjunction with Articles 57 and 58 of the GDPR, which define the missions and the investigative powers of the supervisory authority. 75. The general duty of cooperation set out in Article 31 of the GDPR is reinforced by Article 83.4.a) of the GDPR which qualifies this cooperation as “an obligation incumbent on the person responsible for the treatment and the subcontractor. ". Failure to comply with this obligation of cooperation furthermore constitutes a full-fledged infringement of the GDPR, as set out in Article 83 of the GDPR. GDPR: “Violations of the following provisions are subject, in accordance with paragraph 2, administrative fines of up to EUR 10,000,000 or, in the case of company, up to 2% of the total annual worldwide turnover of the preceding financial year, the the highest amount being retained: a) the obligations incumbent on the person responsible for processing and the subcontractor under Articles 8, 11, 25 to 39, 42 and 43; […]”. 25Article 57 of the GDPR defines the extended missions assigned to supervisory authorities, while Article 58 of the GDPR specifies the broad investigative powers conferred on them under the Regulation. Decision on merits 87/2024 — 24/55 76. Article 83 of the GDPR also sets out the criteria used to decide on the imposition a fine and its amount. Significantly, the degree of cooperation is explicitly mentioned as one of the eleven criteria influencing the determination of these sanctions (art. 83.2 of the GDPR). 77. Recital 82 of the GDPR also reinforces this obligation of cooperation by requiring including the keeping of records of processing activities, as well as the obligation to make these records available to the supervisory authority upon request. This consideration aims to enable the supervisory authority to verify and control the operations of processing, as well as to carry out its missions in accordance with Article 57 of the GDPR. 78. The Litigation Chamber recalls that both those responsible for processing and those responsible for processing processors report directly to the supervisory authorities under the obligations to maintain and provide appropriate documents upon request, to cooperate with investigations and to comply with administrative injunctions. More precisely, the duty general cooperation 26 implies that the controller and the processor must : a) Respond to requests from the supervisory authority: When the supervisory authority, such as ODA, requests information, data or responses relating to to the processing of personal data, the controller and the subcontractor processing party must provide this information completely and on time. outsourced; b) Collaborate actively: The controller and the processor must work closely with the supervisory authority to help it carry out its missions, in particular by providing information on the practices of processing of data and taking measures to remedy possible GDPR violations; c) Comply with the instructions of the supervisory authority: If the supervisory authority gives specific instructions for complying with the GDPR, the controller processing and the subcontractor must follow them appropriately. It is important to note that this list is not intended to be exhaustive. 79. In summary, the fundamental objective of this general obligation of cooperation imposed on each controller and processor aims to ensure effective supervision and scrupulous compliance with data protection rules. THE controllers and processors must actively cooperate and collaborate fully with the supervisory authority to ensure compliance with the provisions of the 26CEPD, Guidelines 07/2020 concerning the notions of controller and processor in the GDPR, Version 2.0, Adopted on July 7, 2021, point 9. Substantive decision 87/2024 — 25/55 GDPR and protecting the data rights of data subjects personal. This obligation, combined with the principle of responsibility set out in article 5.2 of the GDPR, reinforces the role of the supervisory authority in the exercise of its powers with a view to effective application of the rules for the protection of personal data. 80. Failure to comply with this obligation exposes you to separate administrative fines. in accordance with article 83.4.a) of the GDPR. Finally, the violation of this obligation to cooperation can also be considered a violation of the principle of liability (art. 5.2 of the GDPR). 81. In this case, the Litigation Chamber notes that the SPL has taken steps to the defendant with a view to mediation. More specifically, the SPL addressed two requests dated December 7, 2022 and January 17, 2023, to which the defendant did not respond. Furthermore, the SPL included the complainant's request in the request for mediation, thus reminding the defendant of its duty to respect in particular the right to erasure of the complainant. However, despite these steps, the SPL had to notify the failure of mediation on February 20, 2023, due to the lack of reaction of the defendant, both at mediation and at the request of the plaintiff (see points 4 to 11). 82. Concerning the emails and letters from the SPL addressed to the defendant, the Chamber Litigation notes the absence of technical and organizational measures which would allow the defendant to have an overview of the issues related to the GDPR processed by the former DPO and/or to verify the correct processing of requests addressed to the former DPO, which highlights the negligence of the defendant (see Title II.2.3). 83. On the one hand, the Litigation Chamber notes that this negligence seems to result mainly from confusion due to the fact that the defendant was subject to a inspection carried out by the IS (see Title II.1.1), which remains secret in accordance with article 63§3 of the LCA. In this context, the Litigation Chamber emphasizes that the defendant is required to cooperate with all APD services. Lack of response to a letter sent by one of the APD services, in this case an invitation to cooperate in mediation by the SPL, could be interpreted as a refusal of cooperation and potentially be considered a violation of Article 31 of the GDPR. 84. On the other hand, the Litigation Chamber observes that the defendant is trying to clear its liability by attributing negligence for not responding to SPL communications, of the IS, the Litigation Chamber and the complainant to his former DPO. The defendant maintains that she was not informed of the latter's excessive workload, which would have hampered its ability to respond favorably to requests for ODA and complainant. Decision on merits 87/2024 — 26/55 It should be remembered that the GDPR sets out several articles establishing the obligations of a data controller or a subcontractor, in particular articles 5, 6, 9, 25, 32, 33, 37 or even 38 of the GDPR. By virtue of the principle of responsibility (see Title II.2.3), the data controller must demonstrate compliance with the provisions of the GDPR by adopting appropriate technical and organizational measures to protect the rights and freedoms of natural persons. In the event that the data controller would appoint a DPO for its litigation department or use an email address generic like “privacy@Y.be” to respond to people’s requests concerned, it is our responsibility to ensure that emails are addressed to this address are regularly consulted and processed, even in the event of resignation of a person having worked in the department in question and/or the DPO, or in the event of work overload of the DPO. On this last point, the Litigation Chamber recalls that it is up to the person responsible for processing to comply with the provisions of Article 38 of the GDPR. 85. Taking into account the particular context surrounding the current inspection (see Title II.1.1) and the overload of work observed at the former DPO, the Litigation Chamber notes that the defendant did not properly verify the processing of requests addressed to the former DPO. Although measures were taken, such as increasing the workforce and the replacement of the old DPO, they did not seem fully effective, in particular regarding the review of all previous ODA requests, including including those of the complainant, which remained unanswered, as well as potentially other previous requests. To remedy this situation, the defendant could have consider taking additional measures, such as upgrading with the new data protection team, emphasizing the need to examine the contents of the aforementioned email address, with the aim of correcting possible breaches of the former DPO and to guarantee an adequate response to all the requests of the people concerned. In any case, compliance with the GDPR is the responsibility of the data controller, and not the skills and responsibilities of a DPO. 86. Concerning the absence of submission of conclusions, the Litigation Chamber considers that the defendant has the freedom to choose whether she wishes to defend herself, present her arguments and support its position in a formal and structured manner. In the absence of such approach, the Litigation Chamber could be forced to render a decision by default. In this case, the defendant had the opportunity to orally present its arguments when summoned to the hearing. 87. In view of the above, the defendant did not fully cooperate with the APD, in particularly with the SPL, during the mediation procedure. However, the Chamber Litigation was not able to determine whether this lack of response was the result of confusion generated by the inspection in progress (see Title II.1.1), or the result Decision on merits 87/2024 — 27/55 a deliberate intention or gross negligence not to cooperate, which leads to conclude that there is no violation of Article 31 of the GDPR. III. As for corrective measures and sanctions III.1. Corrective measures and sanctions 88. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to: 1° close the complaint without further action; 2° order the dismissal of the case; 3° pronounce a suspension of the sentence; 4° propose a transaction; 5° issue warnings or reprimands; 6° order to comply with the requests of the person concerned to exercise these rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or definitive ban on processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data; 11° order the withdrawal of the approval of certification bodies; 12° give fines; 13° issue administrative fines; 14° order the suspension of cross-border data flows to another State or a international body; 15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the follow-up given to the case; 16° decide on a case-by-case basis to publish its decisions on the website of the Authority of Data protection. 89. The aforementioned article 100 specifies the list of sanctions in article 58.2 of the GDPR. 90. As for the administrative fine which may be imposed in execution of article 83 of the GDPR and articles 100, 13° and 101 LCA, article 83 of the GDPR provides: Decision on the merits 87/2024 — 28/55 "1. Each supervisory authority shall ensure that administrative fines imposed in under this article for violations of this regulation, referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive; 2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or in place of the measures referred to in Article 58(2), points a) to h), and j). To decide whether to impose an administrative fine and to decide the amount of the administrative fine, it is duly taken into account, in each case of species, of the following elements: (a) the nature, seriousness and duration of the violation, taking into account the nature, scope or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; (b) the fact that the violation was committed deliberately or negligently; (c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; (d) the degree of responsibility of the controller or processor, taking into account technical and organizational measures that they have implemented under the articles 25 and 32; (e) any relevant breach previously committed by the controller or the subcontractor ; (f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and to mitigate possible negative effects; g) the categories of personal data affected by the violation; (h) the manner in which the supervisory authority became aware of the violation, in particular whether, and to what extent the controller or processor has notified the violation; (i) where measures referred to in Article 58(2) have been previously ordered against the controller or subcontractor concerned for the same purpose, compliance with these measures; (j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; And k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.” Decision on merits 87/2024 — 29/55 III.2. Violations noted 91. The Litigation Chamber notes that there are, in this case, serious violations of the rights fundamentals of the persons concerned (see Title II.2). More specifically, the Chamber Litigation notes the violations of the following provisions of the GDPR, all attributable 27 to a single behavior of the defendant giving rise to several violations described below : a) Violation of articles 17 and 21 of the GDPR (see Titles II.1.2 and II.2.1) The defendant violated Articles 17 and 21 of the GDPR by failing to respond within deadlines for a request for erasure of personal data and opposition to the processing of this data for direct marketing purposes, 28 more than a year after the complainant exercised his rights. Note that these data were still present on the defendant's servers at the time of hearing, including those processed for direct marketing purposes. b) Violation of Article 5, paragraph 1, point a) of the GDPR (see Title II.2.2) The defendant did not inform the plaintiff of the measures taken in response to his requests for erasure and opposition, as required by its obligations information and communication set out in Article 12 of the GDPR, violating the principle of transparency set out in article 5.1.a) of the GDPR. Furthermore, the pursuit processing data for direct marketing purposes in the absence of a basis legal, as required by GDPR, constitutes a violation of the principle of lawfulness established in article 5.1.a) of the GDPR. In this case, the defendant invoked consent as a legal basis. However, since this consent has been removed by the complainant (by exercising his or her right of opposition and erasure), the continued processing of their data for direct marketing purposes is unlawful, violating the principle of lawfulness set out in Article 5.1.a) of the GDPR. c) Violation of articles 5.2 juncto 24 of the GDPR (see Titles II.2.3 and II.2.4) 27EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24 2023 (v2.1), available on the website https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022- calculation-administrative-fines-under fr. 28See points 5 and 40 of this decision. 29 Group 29, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260, points 1, 7 or 54; These Article 29 Working Group (G29) Guidelines provide practical guidance and assistance to the interpretation concerning the new obligation of transparency applicable to the processing of personal data personnel under the General Data Protection Regulation (hereinafter “GDPR”). Transparency is an obligation global within the meaning of the GDPR which applies to three central areas: 1) communication to data subjects information relating to the fair processing of their data; 2) the way in which data controllers communicate with data subjects about their rights under the GDPR; and 3) the way in which those responsible for treatment facilitates the exercise by the persons concerned of their rights. These guidelines set out the general principles relating to the exercise of the rights of the persons concerned rather than dealing with specific modalities for each of the rights of these people under the GDPR. In other words, they provide guidance on the concepts and principles underlying rules to be respected when exercising the rights of data subjects, rather than providing instructions details on how to exercise each specific right in a practical manner. Decision on merits 87/2024 — 30/55 To the extent that the defendant did not respond within the prescribed time limits to the requests for erasure of personal data and opposition to processing of this data for direct marketing purposes, this resulted in the maintenance of the processing of the complainant's personal data without respecting the data protection principles set out in article 5.1 of the GDPR (see above). This failure highlights faulty management of requests from data subjects, in particular with regard to the right of erasure and opposition of the complainant. In addition, this gap in the management of requests from persons concerned is reinforced by the inadequacy of the measures taken by the defendant, such as the use of “code 43” to restrict processing data, deemed inadequate to respond to the initial requests of the complainant. This situation also highlights a lack of control over possible codes used to respond to requests from data subjects. By elsewhere, the persistence of data in the defendant's servers as well as the problems linked to the DPO highlight a defect in the implementation of technical and organizational measures necessary for compliance with the GDPR, thus revealing an additional gap in technical procedures and organizational. Consequently, the defendant violated Article 5.2 juncto 24 of the GDPR. III.3. Corrective measures and sanctions imposed by the Litigation Chamber. 92. As an independent administrative authority, the Litigation Chamber has the power exclusive right to determine appropriate corrective measures and sanctions in accordance with the relevant provisions of the GDPR and the ACL. This skill arises specifically from Articles 58 and 83 of the GDPR, as confirmed by the jurisprudence of the Court of Markets in its judgments of July 7, 2021, September 6, 2023 30 or even December 20, 2023, which clearly highlighted the extent of power discretion of the Litigation Chamber concerning the choice and scope of sanctions. 93. In this perspective, the Litigation Chamber will take into consideration all the relevant circumstances of the case, including – within the limits set out below in Title III.3.2. – the reaction of the defendant dated April 5, 2024 to the sanctions envisaged which were communicated to him via the sanction form of March 15 31 2024. However, the Litigation Chamber recalls that the sanction form aims to allow the alleged perpetrator of the offense, in this case the defendant, to 30Cour des Marchés, 2021/AR/320, p. 37-47; 2020/AR/1160, p. 34; 2023/AR/817, p. 57, 61 and 62. 31Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024. Decision on merits 87/2024 — 31/55 defend against the amount of the proposed fine before its imposition and execution effective. The defense process provided for through the sanction form on the amount of the proposed fine does not open new debates on the findings already established by the Litigation Chamber, the latter being closed. In addition, the mail accompanied by the sanction form does not constitute a decision likely to appeal before the Market Court under article 108 of the law of December 3, 2017 establishing the Data Protection Authority. 94. Continuing this explanation, the Litigation Chamber invites the defendant to consult section “Title II.1.1” of this decision for further explanations detailed and recalls that it rejects the request to join the file (…) with the file subject to this decision. Likewise, the Litigation Chamber rejects the considerations set out in points 2.2.1 to 2.2.4 of the reaction to the sanction form submitted on April 5 by the defendant, arguing that the debates are closed; and that the corrective measures envisaged and pronounced are compliant in concreto. However, these considerations will be taken into account when calculating the fine, because the fine form sanction aims to allow the defendant to contest the amount of the fine proposed. III.3.1. Corrective measures 95. In reaction to the sanction form, the defendant claims to have carried out the erasure data and have notified the recipients concerned, in particular the subcontractor German ; it also supports setting up processing operations in compliance with the provisions of the GDPR. Consequently, it requests the deletion of the warning issued. However, the Litigation Chamber reminds the defendant that these notifications were received on November 11, 2024 or April 5, 2024, after the closing debates. Consequently, the Litigation Chamber is not able to verify the veracity of the arguments put forward by the defendant and is forced to reject these arguments, the debates being closed. 96. The Litigation Chamber adopts the following corrective measures: a) In accordance with article 58.2. c) of the GDPR and article 100, § 1, 6° of the LCA, order the defendant, due to the violation of articles 17 and 21 of the GDPR, to satisfy the complainant's requests for erasure and opposition, and this within 30 days from notification of this decision. 32Sanction form dated March 15, 2024; reaction of the respondent to the sanction form dated April 5, 2024. Decision on merits 87/2024 — 32/55 b) In accordance with article 58.2.g) of the GDPR and article 100, §1, 10° of the ACL, to order the defendant to erase the data and notify them here to the recipients of the data, in accordance with article 19 of the GDPR. c) In accordance with article 58.2. d) of the GDPR and article 100, § 1, 9° of the LCA, order the defendant, due to the violation of Article 5.1 a) as well that of articles 5.2 juncto 24 of the GDPR, to put the processing operations in compliance with the provisions of the GDPR. d) In accordance with article 58.2. a) of the GDPR and article 100, § 1, 5° of the LCA, issue a warning to the defendant party, due to the violation of the articles17,21,5.1. a), 5.2 juncto24 of the GDPR, aiming to improve the management of future processing of requests from data subjects made under the articles 15 to 22 of the GDPR. III.3.2. Administrative fines 97. According to Article 83 of the GDPR, the supervisory authority has the discretionary power to impose a fine. This power is explained in the EDPB guidelines. 33 98. In accordance with recital 148 of the GDPR, sanctions, including fines administrative measures, may be imposed in addition to or in place of measures appropriate in the event of a serious breach, even when it is a first finding of a breach. Thus, the fact that this is a first observation of a infringement does not prevent the Litigation Chamber from being able to impose a fine administrative, in accordance with article 58.2. i) GDPR. The administrative fine does not aim 33EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), points 15, 20, 69, 84, 144. See also the judgment of 7 December 2023, SCHUFA Holding C-26/22 and C-64/22, ECLI:EU:C:2023:958), conclusions of Advocate General Pikamae in the TR case (C-768/21, EU:C:2024:291), as well as “Guidelines on the application and setting administrative fines for the purposes of the [GDPR]” of the Article 29 Data Protection Working Group, adopted on October 3, 2017, p.5 (hereinafter the “guidelines on the application and setting of administrative fines to purposes of the GDPR). 34Recital 148 of the GDPR states that: “In order to strengthen the application of the rules of this regulation, sanctions, including administrative fines, should be imposed for any violation of the Regulation, in addition to or instead of appropriate measures imposed by supervisory authorities under this Regulation. When the offense is minor or that the likely fine would impose a disproportionate burden on a natural person, blame may be preferred to fine. However, it is appropriate to take into account the nature, seriousness and duration of the violation, and the intentional nature the violation, harm reduction measures, degree of liability or relevant prior violations, the manner in which the violation was brought to the attention of the supervisory authority, compliance with the measures taken against the controller or subcontractor, compliance with a code of conduct and any other circumstances aggravating or mitigating. The imposition of sanctions, including administrative fines, should be subject to appropriate procedural guarantees in accordance with the general principles of Union law and the Charter, including a effective remedy and due process” (emphasis added). 35CJEU, December 5, 2023, C-807/21, Deutsche Wohnen (ECLI:EU:C:2023:950), paragraph 38: “[…] the principles, prohibitions and The obligations set out in the GDPR are aimed in particular at "data controllers" who, as highlighted in the recital 74 of the GDPR, are responsible for any processing of personal data carried out by them or for their account and who must therefore not only implement appropriate and effective measures, but also be in able to demonstrate that their processing activities comply with the GDPR, which includes the effectiveness of the measures they have taken to ensure this compliance. Where an infringement referred to in Article 83(4) to (6) of this Regulation has been committed, this responsibility constitutes the basis for the imposition of an administrative fine on the controller in accordance with this article 83. » Decision on the merits 87/2024 — 33/55 36 in no way to put an end to the offenses, but above all aims to guarantee rigorous respect rules set out in the GDPR. 99. The GDPR requires each supervisory authority to ensure that fines administrative measures imposed are effective, proportionate and dissuasive in each case in point (art. 83.1 of the GDPR). In addition, when determining the amount of the fine, the supervisory authority must take due account, for each specific case, of several specific elements, such as the nature, seriousness and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered (art. 83.2. a) of the GDPR); as well as the intentional or negligent nature of the violation (art.83.2.b) of the GDPR) ; and the categories of personal data affected by the violation (art. 83.2. g) GDPR). Consequently, article 83.2 provides that in order to decide whether it is appropriate to impose an administrative fine and to decide the amount of the administrative fine, a authority must take into account all the factors set out in Article 83.2(a) to k), without exceeding the legal maximum amount set in article 83.4 to 83.6 of the 37 GDPR. III.3.2.1. Grounds for imposing a fine 100. The Guidelines on the application and setting of administrative fines for the purposes 38 of Regulation (EU) 2016/679 emphasize that, to ensure a harmonized approach to sanctions, supervisory authorities must assess the appropriateness of imposing a fine in based on a set of criteria specified in article 83.2 of the GDPR. These lines guidelines specify that administrative fines are “remedial measures” whose objective may be “to restore respect for the rules or to sanction a unlawful conduct (or both).” 101. As the CJEU highlighted in its judgment in case C-311/18 (Facebook Ireland and Schrems), “the choice of the appropriate and necessary means falls to the supervisory authority”, which must make this choice taking into account all the circumstances of the concrete case, which the Litigation Chamber makes throughout its development in Title III.3 of the this decision. 102. In its Deutsche Wohnen judgment, the CJEU ruled as follows: 36 To this end, the GDPR and the LCA provide for several corrective measures, including the orders mentioned in article 100, § 37 5°, 6° and 9° of the LCA. In two judgments of December 5, 2023, the CJEU answers these questions by specifying the conditions allowing national supervisory authorities to impose an administrative fine on one or more controllers: Deutsche Wohnen, C-807/21, ECLI:EU:C:2023:950, and Nacionalinis visuomenės sveikatos centras, C-683/21, ECLI:EU:C:2023:949. 38WP29, “Guidelines Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679), 17/FR, WP 253, October 3, 2017 (hereinafter “WP253 Guidelines”), p.6. Decision on merits 87/2024 — 34/55 “The existence of a system of sanctions making it possible to impose, when circumstances specific to each specific case justify it, an administrative fine in application of article 83 of the GDPR creates, for data controllers and subcontractors, a incentive to comply with this regulation. Through their dissuasive effect, fines administrative measures contribute to strengthening the protection of individuals with regard to the processing of personal data and therefore constitute an element key to guaranteeing respect for the rights of these people, in accordance with the purpose of this regulation to ensure a high level of protection of such persons with regard to the 39 processing of personal data. » 103. In the same judgment, the CJEU notes “that Article 83 of the GDPR does not allow the imposition of an administrative fine for a violation referred to in paragraphs 4 to 6 thereof, without it being established that this violation was committed deliberately or negligently speaking responsibly of the processing, and that, therefore, a culpable violation constitutes a condition for the imposition 40 of such a fine. » 104. In his conclusions in the Land Hessen case, Advocate General Pikamae explains that the GDPR allows supervisory authorities to impose sometimes very high fines, constituting an effective element of their arsenal for enforcing regulations, in in addition to the other corrective measures provided for in Article 58.2 of the GDPR. So, the supervisory authority enjoys a margin of maneuver and is free to choose among these measures to remedy the violation noted. 41 105. Although the Litigation Chamber was unable to note that the offenses impact several people concerned, she emphasizes that the negligence of the defendant justifies the imposition of a fine. 106. In accordance with the obligation of Article 83.2 of the GDPR, the Litigation Chamber examined all the factors set out in Article 83.2, points a) to k), to justify both the fine that its amount. This detailed examination is presented in Title III.3.2.2 of this decision. For the sake of clarity and readability, the Litigation Chamber refers the defendant to this 39CJEU, 5 December 2023, C-807/21, Deutsche Wohnen (ECLI:EU:C:2023:950), paragraph 73. 40Paragraph 75 of the judgment. 41Conclusions of Advocate General Pikamäe in the Land Hessen case, C-768/21, ECLI:EU:C:2024:291. The general advocate underlines that when a supervisory authority finds a personal data breach when examining a complaint, it is obliged to intervene to respect the principle of legality and define appropriate corrective measures to remedy the violation. This obligation is in accordance with article 57.1 a) of the GDPR, which tasks the authority with controlling application of the regulations and ensuring compliance. Ignoring an established offense would be inconsistent with this mandate. He also recalls that the supervisory authority acts in the interest of the person or entity whose rights have been infringed (§41). To effectively deal with infringements, article 58.2 of the GDPR provides for a “catalogue of corrective measures” which the authority must use to re-establish a situation consistent with Union law, regardless of the seriousness of the offense (§42). The Advocate General specifies that Article 58.2 of the GDPR must be interpreted in the light of recital 129 of this regulation, according to which “any measure[must][...]be appropriate, necessary and proportionate in order to guarantee compliance with this Regulation, taking into account the circumstances of the case.” In other words, the power conferred on the supervisory authority to use corrective measures is subject to the condition that the measure is “appropriate”, that is to say that it must be able to restore a situation consistent with Union law (§45). The Advocate General also indicates that Article 58.2 of the GDPR is limited to state that each supervisory authority “has the power” to adopt all of the corrective measures listed. Decision on merits 87/2024 — 35/55 title, specifying that the results of this examination not only justify the amount of the fine, but also the decision to impose a fine on the defendant. Bedroom Litigation summarizes below the reasons why it decides on the imposition of a fine and refers the defendant to Titles II.2 and III.3.2.2 of this decision. a) Nature, seriousness and duration of the violation (art.83.2.a) of the GDPR): The case subject to the Litigation Chamber concerns a prolonged violation of the provisions essential elements of the GDPR, affecting the fundamental rights of the complainant in matters data protection. i. The request for erasure and opposition was still not respected more than a year after the exercise of the rights by the complainant, thus violating the articles 17 and 21 of the GDPR. ii. The lack of response to these requests led the defendant to process the data of the complainant to send promotional emails during a period of at least six months. iii. Despite the absence of conclusions filed by the defendant, the Chamber Contentieuse summoned the latter to a hearing where she confirmed Her presence. The defendant was informed of the matter and could not ignore the complainant's requests recalled by the invitation to the hearing sent by the Litigation Chamber. Upon receipt of this summons, the defendant should have been proactive in consulting her email containing all exchanges, check the status of requests and respond.The Litigation Chamber recalls that the defendant indicated during the hearing that she had access to the electronic mailbox of the former DPO, managed since then by the new DPO, and that she held all the emails sent by ODA. However, today at the hearing, the defendant still had not did not respond to the complainant's requests and even questioned the need to respond to it, ultimately promising to do so as soon as possible. promptly. This approach is interpreted by the Litigation Chamber as a demonstration of flagrant negligence, in violation of the articles 17 and 21 of the GDPR. The defendant had, thanks to this summons, an additional period to respond to requests from the complainant, and attempt to demonstrate, even belatedly, compliance with the provisions of the GDPR. b) Negligence or intentional nature of the violation (art. 83.2. b) of the GDPR): Several elements demonstrate manifest negligence on the part of the defendant in the management of requests from data subjects. This negligence is aggravated by prolonged non-compliance with erasure requests Substantive decision 87/2024 — 36/55 and opposition of the complainant, the inappropriate use of “code 43” to limit the processing of data and the prolonged maintenance of processing of data of the complainant for direct marketing purposes, even after their erasure requests and opposition. During the hearing, the defendant had still not taken any appropriate measures to remedy the situation, indicating the seriousness and persistence of the violation. This manifest negligence results from procedures inadequate internal systems and ignorance of GDPR obligations, particularly in blaming his former DPO. c) Degree of responsibility of the defendant taking into account the measures technical and organizational measures implemented in accordance with Articles 25 (art. 83.2. d) of the GDPR): The defendant is entirely responsible for the management of requests from data subjects, including requests erasure and opposition of the complainant. i. The defendant places responsibility on the former DPO, which does not justify under no circumstances prolonged non-compliance with an erasure request and opposition, nor non-compliance with the provisions of the GDPR in a more general. This attitude raises serious questions about the management responsibilities and internal governance of the defendant. ii. The Litigation Chamber recalls that a data controller cannot can evade its obligations by invoking the responsibility of the DPO to justify breaches of the GDPR. Even if the House Litigation had to follow the defendant's argument, it recalls that the defendant had been alerted of the situation on two occasions : on the one hand, by being the subject of an investigation by the IS (as part of a other file), and on the other hand, by the invitation to the hearing sent by the Litigation Chamber. In such a context, continuing to claim that the DPO is responsible raises serious doubts about the management by the defending its obligations under the GDPR and calls into question its ability to meet these obligations. iii. By using “code 43”, the defendant demonstrated a lack of mastery of its own codes and nomenclatures, which led to limitation of processing instead of responding adequately to requests erasure and opposition of the complainant. Such a lack of control is concerning. Furthermore, the defendant was unable to determine the existing link between it and the German subcontractor before concluding that there was a subcontracting contract. This confusion over the role of the subcontractor and inability to determine whether data has been erased raises merits Decision 87/2024 — 37/55 doubts about the management of future requests from data subjects and compliance with articles 15 to 22 of the GDPR. d) Other aggravating and mitigating circumstances (art. 83.2. k) of the GDPR): time of the hearing, the defendant had still not responded to the requests from the complainant, despite the obligation to respond within one month. For the remainder, in particular the categories of personal data concerned by the violation (art. 83.2. g) of the GDPR) or the measures taken to mitigate the damage suffered by the complainant (art. 83.2. c) of the GDPR), the Litigation Chamber refers the defendant in Titles II.2 and III.3.2.2 of this decision, as well as the summary in section III.3.2.2.7. All the factors set out in Article 83.2, points a) to k), were examined there, and it appears that the result of this examination ultimately applies, in the present case, to justify the imposition of the fine as well as its amount. 107. The defendant thus adopted behavior giving rise to several violations of the provisions of the GDPR (art. 83.3 of the GDPR), these violations being precisely identified in 42 Article 83.5 of the GDPR: Non-compliance with requests for a significant period erasure and opposition of the complainant, leading to continued processing of his personal data for direct marketing purposes, even after its requests erasure and opposition; and highlighting the absence of guarantees allowing to ensure compliance with the fundamental principles of the GDPR. 108. These elements fully justify the imposition of an administrative fine to guarantee respect for the rights of the people concerned and strengthen the dissuasive effect of sanctions provided for by the GDPR. III.3.2.2. Starting amount of calculation 109. To determine the amount of the fine in the case submitted to it, the Chamber Litigation recalls that it takes into account the EDPB guidelines on the calculation of 43 administrative fines. 110. In order to impose an effective, proportionate and dissuasive fine in all circumstances cause, the supervisory authorities, of which the Litigation Chamber is a part, are supposed to adjust administrative fines while remaining within the range provided for in the EDPB guidelines up to the legal maximum amount. This can lead to significant increases or reductions in the fine, depending on the circumstances of the case of species. 42CJEU, Judgment of December 5, 2023, Deutsche Wohnen, C-807/21, ECLI:EU:C:2023:950, points 61 to 79. 43EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24 2023 (v2.1), in particular points 49 and 50. Decision on the merits 87/2024 — 38/55 III.3.2.2.1. Classification of violations under Article 83.4 and 83.5 of the GDPR 111. The GDPR distinguishes two categories of violations: those punishable according to article 83.4 of the GDPR, on the one hand, and those punishable under Article 83.5 and 83.6 of the GDPR, on the other go. The first category of violations carries a maximum fine of 10 million EUR or 2% of the company's annual turnover, whichever is higher. retained. As for the second category, it can give rise to a maximum fine of 20 million EUR or 4% of the company’s annual turnover, the highest amount also being retained. 112. In this case and based on the violations set out in Title III.2 of this decision, the Litigation Chamber notes that the highest fine applies in accordance with in article 83.5 of the GDPR. Indeed, in the event of violation of the basic principles of processing under article 5 of the GDPR as well as the rights of the persons concerned in accordance with Articles 17 and 21 of the GDPR, the Litigation Chamber may impose a fine administrative tax of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total global annual turnover for the previous financial year, the highest amount high being retained, as provided for in the provisions of section 83.5. a) and b) of the GDPR. III.3.2.2.2. Seriousness of the violation in the present case 113. Nature, seriousness and duration of the violation (art. 83.2.a) of the GDPR) – The case subject to the Litigation Chamber concerns a prolonged violation of the essential provisions of the GDPR, which aim to protect the fundamental rights of individuals with regard to concerns the processing of their personal data. The GDPR establishes a solid framework for responsibility for data controllers, in particular in Chapter III, which is dedicated to the rights of data subjects. These rights, set out in articles 15 to 22, give individuals direct control over their personal data, ensuring thus effective protection of their privacy. Thus, violations of articles 17 and 21 of the GDPR are particularly serious because they infringe fundamental rights of individuals regarding the protection of personal data. 114. Despite the rights exercised by the complainant, who expressly requested the deletion of his personal data and objected to the processing for direct marketing purposes, the defendant did not respond to these requests for more than a year, lacking this manner to its obligations established by the GDPR. This behavior resulted in the maintenance the processing of the complainant's data for direct marketing purposes, whether via telephone calls or sending advertising emails, over a period of six to ten months, even after his requests for erasure and opposition, thus violating the principles set out in article 5.1.a) of the GDPR. Decision on merits 87/2024 — 39/55 115. In reaction to the sanction form and therefore after the closure of the debates, the defendant underlines that the complainant did not “explicitly mention Article 21 of the GDPR in his request ". On this point, the Litigation Chamber, on the one hand, refers the defendant to paragraph 34 of its present decision, and on the other hand, adds that it would be excessive to ask a concerned person to explicitly mention the articles of the GDPR because this could make the exercise of rights more difficult for individuals who are not familiar with legal terminology. The main thing is that the request is formulated in a clear and understandable manner, what a data controller, or his DPO, should be able to clarify in case of doubt, and thus treat it in accordance with the provisions of the GDPR. Next, the defendant emphasizes that after following up on the erasure request based on Article 17(a), (b) and (c) of the GDPR, there is no additional obligation to notification to the data subject of the further use of the data for purposes direct marketing. Unfortunately, as noted by the Litigation Chamber, the defendant was late in responding to the plaintiff's erasure request, which allowed the continuation of the processing of data for direct marketing purposes for a period significant, in contradiction with his request for opposition. Even following the defendant's reasoning, according to which the plaintiff would not have formulated as a request for erasure without explicit mention of Article 21 of the GDPR, concerning the right to object to the processing of data for prospecting purposes, the Chambre Litigation underlines that the right of erasure has been ignored for more than a year, thus resulting in a continued violation of the complainant's rights. This finding is crucial, because even in the absence of an explicit mention of Article 21, the processing of data for prospecting purposes – as for other purposes – should have been interrupted as soon as receipt of the erasure request. Consequently, maintaining the processing of data of the complainant for direct marketing purposes – even following the arguments of the defendant according to which this period would have only been 2 weeks (see point 118) – violates the rights of the complainant. For the remainder, the Litigation Chamber returns the defendant in paragraph 36 of its decision. 116. The Litigation Chamber emphasizes that direct marketing is crucial for the activities of the defendant, which sells its products nationally. The treatment data for direct marketing purposes therefore represents an essential component of its commercial model, directly affecting its customer relations and therefore its turnover business. Failure to respect the rights enshrined in the GDPR, such as the rights erasure and opposition, can lead to harmful consequences for life privacy of the persons concerned. This results in exposure to advertisements Decision on merits 87/2024 — 40/55 targeted and intrusive, as well as by disruptions in their daily lives caused by unsolicited telephone calls or emails. 117. It appears from the hearing that the use of incorrect codes was systematic and does not appear be limited to the complainant. However, the number of people whose data would have been processed in violation of the aforementioned provisions (see Title II.2) remains unknown. By Consequently, the Litigation Chamber cannot determine the exact number of people concerned, which could have confirmed the systemic nature of the violations mentioned above and increase their severity. Thus, the Litigation Chamber is limited to examine the case of the complainant, the only person concerned identified as being affected by violation of the provisions in question. In response to the sanction form, the defendant confirms that the violation did not affect only one person concerned and that they are limited to a single territory, in this case Belgium. 118. Concerning the duration of the violation (see Title II, as well as paragraph 61 of this decision) the Litigation Chamber notes that the latter continued for a significant period, which increases the seriousness of the infringement. In reaction to the sanction form, the defendant emphasizes that the impact on the person concerned during this period was very limited since the complainant would not have received only a few advertising messages by e-mail and a limited number of attempts of telephone contacts, i.e. “+/- 5 during a very limited period of 2 weeks at more (24.11.2022 – 7.12.2022) » . The Litigation Chamber refers the defendant to points 8, 21, 30, 31, 33 and 42 of this decision, emphasizing that the defendant has made a promise to respond to the complainant's requests dated June 30, 2022 only on November 3, 2023. This period of silence is undeniably long and does not does not respect the one-month time limit provided for in Article 12 of the GDPR. Finally, the Litigation Chamber notes that the defendant has not implemented “code 43” to delete data from the complainant until April 11, 2023 (see paragraph 33). This suggests that the complainant's data were not deleted but remained accessible and were processed, even limited manner, at least until April 2023, and not until December 2022 (see points 32, 33, 40, 43, 42). In this context, the question of the duration of the violation remains factually objective, allowing the Litigation Chamber to conclude that the period infringement is significant. 119. Negligence or intentional nature of the violation (art. 83.2.b) of the GDPR) – Several elements testify to manifest negligence on the part of the defendant in the management of requests from the people concerned. On the one hand, the prolonged non-compliance with 44Reaction of the defendant to the sanction form dated April 5, 2024, p.7. Decision on merits 87/2024 — 41/55 requests for erasure and opposition by the complainant, in particular by not responding within the prescribed deadlines; as well as the inappropriate use of “code 43” which resulted in a limitation of processing, not only reveal the unsuitable nature of the internal procedures, but also ignorance of the rights set out in articles 15 to 22 of the GDPR and the obligations incumbent on the data controller. 120. This negligence is aggravated by the prolonged continuation of the processing of the data of the complainant for direct marketing purposes, even after their requests for erasure and opposition. At the time of the hearing, the defendant had still not taken the appropriate measures to remedy the situation and respond to the request of erasure and opposition of the complainant which demonstrates the serious and persistent nature of the violation. 121. All of these elements illustrate serious negligence in the management of requests from complainant, indicating that the violation of articles 17, 21, 5.1.a) and 5.2 juncto 24 of the GDPR actually arises from negligence on the part of the defendant. 122. In reaction to the sanction form, the defendant emphasizes that she was not negligent because she trusted her DPO, who did not inform her of her problems resources. Furthermore, given that only the DPO had access to the mailbox and that the defendant was not the recipient of the initial correspondence sent by mail electronic to the former DPO, she considers that she cannot be accused of negligence. However, the Litigation Chamber reminds the defendant that she received a letter recommended dated January 17, 2023 (see point 9). Then, the Litigation Chamber refers the defendant to points 54 to 57 of this decision before adding that, in accordance with article 38.b) of the GDPR which states that “The data protection delegate data reports directly to the highest level of manager management treatment or subcontractor", the defendant could have identified the problem(s) and the resolve rather than placing blind trust in the DPO. Consequently, the Litigation Chamber cannot agree with the arguments put forward by the defendant for the aforementioned reasons (Title II.I.3, in particular points 55 and 57.c) of this decision). The Litigation Chamber confirms that serious negligence in the management of claims of the complainant are established, which indicates that the violation of articles 17, 21, 5.1.a) and 5.2 juncto 24 of the GDPR does indeed arise from the negligence of the defendant. 123. Categories of personal data affected by the violation (article 83, paragraph 2 (g) GDPR) – The data in question concerns contact details of the complainant, including his or her last name, first name, postal address, telephone number and email address. Although this information is not considered “data sensitive” within the meaning of article 9 of the GDPR, they make it possible to identify or contact a specific person. Decision on merits 87/2024 — 42/55 124. Classification of the seriousness of the violation and setting the appropriate starting amount – The assessment of the above elements – namely the nature, seriousness and duration of the violation, as well as the deliberate or negligent nature of the violation and the categories of data to be personal nature concerned – helps determine the degree of seriousness of the violation in its entirety. According to this assessment, the seriousness of the violation can be described as “ low”, “medium” or “high”. a) For violations of low severity, when calculating the administrative fine, the supervisory authority sets a starting amount for the subsequent calculation including between 0 and 10% of the applicable legal maximum amount. b) For violations of medium severity, when calculating the administrative fine, the supervisory authority sets a starting amount for the subsequent calculation including between 10 and 20% of the applicable legal maximum amount. c) For violations of high severity, when calculating the administrative fine, the supervisory authority sets a starting amount for the subsequent calculation including between 20 and 100% of the applicable legal maximum amount. 125. In this case, the seriousness of the violation is considered “medium”, for the reasons summarized below: the complainant's rights of erasure and opposition do not have been respected; the principle set out in article 5.1.a) of the GDPR was not respected; the violation 46 has lasted for a prolonged period of at least one year; several elements reveal manifest negligence on the part of the defendant, which aggravates the seriousness of the offense; although the data in question is not considered sensitive, they constitute identification or contact information. 126. In this context, it is difficult to maintain that the degree of the violation is “low”, but rather that it is “medium” or “strong”. It should also be taken into account that that only one person is affected by this violation. This circumstance allows the Chamber Contentious to deduce that the violation is of “medium” seriousness. 127. In response to the sanction form, the defendant requests that the violations be reclassified as “low” rather than “medium”. Furthermore, it underlines that the former DPO took measures and communicated with the APD in April 2023: apparently, the former DPO was wrongly convinced that her communication in the context of the inspection she was carrying out the subject (see Title II.1.1) would be inserted in the file currently processed by the Chamber Contentious. The Litigation Chamber cannot accept the argument according to which a response to the SI could be interpreted as a response to requests made in under Articles 15 to 22 of the GDPR, as prescribed by Article 12 of the GDPR, which mentions 45EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), fn. 60. 46See in particular Title III.3.2.2.2 of this decision. Decision on merits 87/2024 — 43/55 a direct response to the people concerned. Otherwise, a violation could be repaired while waiting for a supervisory authority to be informed of a potential violation by complaint or on its own initiative. This conclusion is not only erroneous in law but would void the exercise of rights by the persons concerned of their substance. In this context, it is difficult for the Litigation Chamber to qualify the violation of “low”, thus once again confirming the “medium” character of the breach. 128. Consequently, the Litigation Chamber should apply, for violations arising of the unique behavior of the defendant (falling under article 83.5 of the GDPR, with a medium severity), a theoretical starting amount for the subsequent calculation of the fine administrative costs of between €2,000,000 and €4,000,000. 129. Taking into account the circumstances assessed in light of Article 83.2 a), b) and g) of the GDPR, the Litigation Chamber decides to consider a theoretical starting amount of 2,000,000 EUR. III.3.2.2.3. Turnover of the controller and considerations additional factors taken into account by the Litigation Chamber for determine the amount of the fine 130. The GDPR requires each supervisory authority to ensure that fines administrative measures imposed are effective, proportionate and dissuasive in each case in point (art. 83.1 of the GDPR). 131. To achieve this, supervisory authorities should apply the definition of the concept as adopted by the Court of Justice of the European Union (hereinafter “CJEU ") for the purposes of Articles 101 and 102 of the TFEU, namely that the concept of enterprise means as an economic unit which can be constituted by the parent company and all subsidiaries concerned. In accordance with EU law and case law, a company must therefore be considered as an economic unit carrying out activities commercial/economic, whatever its legal form 47. The objective is to ensure that the sanctions are adapted to the size and economic power of the company 132. Supervisory authorities are expected to adjust administrative fines based on the seriousness of the violation, while respecting the range provided in the guidelines 47Recital 150 of the GDPR; WP Guidelines 253, pp. 6-7. The case law of the CJEU gives the following definition: “the concept of enterprise covers any entity carrying out an economic activity, regardless of its legal status and its method of financing" (case C-41/90, Höfneret Elser/Macrotron, ECLI:EU:C:1991:161, point 21). The notion of business" must be understood as designating an economic unit, even if this economic unit is constituted, from a point of view legal, by different natural or legal persons" (case C-217/05, Confederación Española de Empresarios de Estaciones de Servicio, ECLI:EU:C:2006:784, paragraph 40). ; CJEU, September 10, 2009, C-97/08 P, Akzo Nobel nv et al. t. Commission, ECLI:EU:C:2009:536), points 60-61. Decision on merits 87/2024 — 44/55 of the EDPB up to the legal maximum amount. This may lead to surcharges or significant reductions in the fine, depending on the circumstances of the specific case 133. In addition, Articles 83.4, 83.5 and 83.6 of the GDPR provide that the annual turnover global total for the previous financial year must be used to calculate the fine administrative. In this regard, the term “precedent” must be interpreted in accordance with the jurisprudence of the CJEU in matters of competition law, so that the event relevant for the calculation of the fine is the decision of the supervisory authority relating to the fine, and not the time of the sanctioned offense.48 134. Consequently, as an extension of the above, the Litigation Chamber considers that it can be based on the consolidated turnover figures for the 2023 financial year of the defendant is more than 50,000,000 EUR 49to determine the amount of the fine administrative burden that it intends to impose on the defendant. The Litigation Chamber hereby refers to the annual accounts of the defendant (company Y) as deposited with the National Bank of Belgium (BNB) on September 25, 2023, making appear a turnover of more than 50,000,000 EUR for the financial year 2023. 135. Taking into account the minimum and maximum amounts per level set in the directives, on the one hand, and the annual turnover of the controller, on the other hand, the Litigation Chamber decides concretely to lower the final starting amount for the category of offenses (falling under article 83.5 of the GDPR, with a degree of seriousness average) to a starting amount adjusted to 245,000 EUR. III.3.2.2.4. Aggravating and mitigating circumstances 50 136. Taking into account article 83 of the GDPR, the Litigation Chamber must also provide reasons the imposition of an administrative fine and its amount in concrete terms, taking into account take into account other aggravating or mitigating circumstances listed in article 83.2 of the GDPR: a) Measures taken to mitigate the damage suffered by the complainant (art. 83.2.c) of the GDPR) i. With regard to the measures taken to mitigate the damage suffered by the complainant, the Litigation Chamber recognizes the efforts undertaken by the defendant to remedy the problems encountered with the former DPO, in particular by reacting to its inaction or incompetence. This happened materialized by the establishment of a new team dedicated to the management 48EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), paragraph 131. 49Annual account for the 2023 financial year available on the website: https://consult.cbso.nbb.be/consult-enterprise. 50Cour des Marchés 2020/1471 of February 19, 2020. Decision on the merits 87/2024 — 45/55 requests from the people concerned but also to any questions relating to data protection. The objective of this initiative is to strengthen the responsiveness of the defendant in matters of protection of data and guarantee its compliance with the GDPR. ii. However, it should be noted that the Litigation Chamber emphasizes that the defendant had an annual turnover of more than 51 50,000,000 EUR for the financial year 2023, which illustrates that it had the financial means necessary to establish and set up a team dedicated to managing requests from data subjects as well as any questions relating to data protection, consisting of more of somebody. Likewise, these financial resources could have allow a quicker reaction to the incompetence of one's former DPO. iii. In addition, the Litigation Chamber takes into consideration the commitment taken by the defendant during the hearing, where they undertook to regularize the situation in accordance with Article 17 of the GDPR and to inform the complainant the erasure of its data. The Litigation Chamber emphasizes that this commitment only covered part of the complainant's requests (for recall, a request for erasure and opposition), which gives rise to concerns about the defendant's total commitment to respect fully the rights of the persons concerned. iv. Although steps have been taken to remedy the problems previous agreements with the former DPO and to regularize the situation, there are still gaps in the defendant's response to the plaintiff's requests. b) Degree of responsibility of the defendant taking into account the measures technical and organizational measures implemented in accordance with Articles 25 (art. 83.2.d) of the GDPR) i. The Litigation Chamber, assessing the level of responsibility of the defendant, notes that it is entirely responsible for the management requests from data subjects, including requests erasure and opposition of the complainant. 5The annual accounts of company Y, filed with the National Bank of Belgium (BNB), reveal a turnover increasing: ([.. EUR] EUR on February 29, 2020, [.. EUR] on February 28, 2021 [.. EUR] on February 28, 2022. With a turnover always exceeded 50 million euros over this period, it is obvious that the defendant had the resources financial necessary to set up a team or department (including several employees and/or DPO) dedicated to managing requests from data subjects and data protection issues. ; Account annual available on the site: https://consult.cbso.nbb.be/consult-enterprise. Decision on merits 87/2024 — 46/55 ii. This responsibility encompasses various aspects, including the effectiveness of execution of requests, definition of specific codes for respond appropriately to requests made under the articles 15 to 22 of the GDPR, as well as the understanding and implementation clear and effective procedures by all staff, directors to internal staff. iii. The defendant, by using “code 43”, demonstrated a lack of mastery of its own codes and nomenclatures, which resulted in a limitation of processing instead of responding adequately to requests erasure and opposition of the complainant. Furthermore, the fact of not respond to the complainant's requests for more than a year after the exercise of his rights demonstrates an excessively long waiting period for process the requests, but above all, this leads the defendant to process data in contradiction with the fundamental principles of the GDPR set out in Article 5 of the GDPR. c) Other aggravating and mitigating circumstances (art. 83.2.k) of the GDPR) i. Regarding the aggravating circumstances, the Chamber Litigation notes that at the time of the hearing, the defendant had not still not responded to the complainant's requests, despite his aware of the obligation to respond within one month to all requests made under articles 15 to 22 of the GDPR, in accordance with Article 12 of the GDPR and the principles of transparency and of loyalty set out in article 5.1.a. of the GDPR. Furthermore, the Chamber Litigation emphasizes that the defendant undertook only to regularize the situation in accordance with article 17 of the GDPR, without mention article 21 of the GDPR, which concerns the right to object to processing of personal data. This omission raises concerns about the defendant's commitment to respect fully the rights of the data subjects, as provided for in the GDPR. 137. The assessment of the elements listed in Article 83.2 of the GDPR – namely the measures taken to mitigate the damage suffered by the complainant; the degree of responsibility and all other aggravating and mitigating circumstances – are neither likely to increase or reduce the amount of the administrative fine. Decision on merits 87/2024 — 47/55 III.3.2.2.5. Effective, proportionate and dissuasive 138. The EDPB guidelines recall that the administrative fine for violations of the GDPR referred to in Articles 83.4 to 83.6 must be effective, proportionate and dissuasive in each specific case. The supervisory authorities must verify whether the amount meets these criteria and adjust if necessary. 139. Effectiveness – A fine is deemed effective if it achieves the objectives for on which it was imposed, such as restoring respect for the rules, sanctioning 52 illicit behavior or both. In this case, the fine acts as an essential tool to restore compliance with GDPR rules, by sanctioning negligent behavior and serious of the defendant. Additionally, it aims to deter other violations similar to 53 the future . The prolonged violation of the complainant's fundamental rights, despite his requests for erasure and opposition, demonstrates the need for a firm response from the from the Litigation Chamber. Thus, a fine of 245,000 EUR constitutes a effective measure to achieve these objectives, while taking into account the seriousness of the breach. 140. Proportionality – The principle of proportionality, as defined in the GDPR, states that the measures adopted must not exceed what is appropriate and necessary to achieve the legitimate objectives of the regulation in question. In the case of fines, this means that their amount must not be disproportionate to the intended goals, 54 the seriousness of the violation, as well as the size and financial capacity of the company concerned. Therefore, supervisory authorities must ensure that the amount of the fine is proportionate to the violation, assessed as a whole, in taking into account various factors such as the financial capacity of the company to pay. 141. In certain exceptional circumstances, a reduction in the fine may be considered if its imposition would irremediably endanger the viability economics of the company concerned. This possibility is possible when objective evidence demonstrates an inability to pay. Furthermore, it is essential analyze risks by considering the specific social and economic context. 142. In the present case, several criteria, such as the financial capacity of the defendant and the economic and social context in which it operates, indicate that the fine proposed is proportionate 56: 52WP 253 Guidelines, p. 6. 53See the development concerning the “dissuasive nature” of this decision, starting from paragraph 145. 54Case T-704/14, MarineHarvest v Commission, paragraph 580, referring to Case T-332/09, Electrabel v Commission, paragraph 279. 55See, to this effect, Case C-387/97, Commission v Greece, paragraph 90, and Case C-278/01, Commission v Spain, paragraph 41, in which the fine had to be “on the one hand, adapted to the circumstances and, on the other hand, proportionate to the breach 56nstated as well as the payment capacity of the Member State concerned. EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), point 140. Substantive decision 87/2024 — 48/55 a) Economic viability and financial capacity of the company: With a figure consolidated annual business of more than 50,000,000 EUR for the financial year 2023, la7 defendant has sufficient financial capacity to support the proposed fine without compromising its economic viability. Therefore, a fine of 245,000 EUR remains proportionate to this capacity financial. This measure therefore remains sufficiently dissuasive without compromise the economic integrity of the company. b) Proof of loss of value: No indication suggests that the imposition of the fine would endanger the viability of the company, leading to a loss significant to the value of its assets or threatening its ability to continue its activities in a viable manner. There must be a direct link between the fine and this loss of value, and it is not automatically accepted that bankruptcy or insolvency lead to such a loss. In the absence of such tangible evidence demonstrating this correlation, a reduction in the fine may not be justified. c) Economic and social context: The defendant operates in the sector of products “..” in Belgium. In addition, the defendant distributes its products through the whole country, which suggests that it is not solely dependent on the situation local economy. This national presence also reduces its dependence on respect for the local workforce. Therefore, it is unlikely that the payment of the fine has a significant impact on the economy or social fabric, given that the defendant operates on a national scale and is not entirely linked to a specific region. 143. In response to the sanction form, the defendant requests a reduction in the amount of the fine due to the exceptional circumstances she encountered during of the last five years, attributable to external factors over which it had no control control. These conditions affected its turnover, costs and profitability. 144. The defendant then presents its financial development from 2019 to 2022, marked by a negative growth in turnover and losses in 2019, an increase in 2020 despite increasing costs, reduced turnover and losses in 2021, and further deterioration in 2022 due to the economic crisis, leading to a further reduction in turnover and financial losses. For the current financial year 2023-2024, the defendant still anticipates a significant financial loss, with prospects of a difficult financial recovery until 2026-2027. Faced with this 57As a reminder, the annual accounts of company Y, filed with the National Bank of Belgium (BNB), reveal a turnover increasing: [.. EUR] on February 29, 2020, [.. EUR] on February 28, 2021 and [.. EUR] on February 28, 2022. With a turnover always greater than 50 million euros over this period, it is obvious that the defendant had the financial resources necessary to set up a team or department (including several employees and/or DPO) dedicated to managing requests from data subjects and data protection issues. ; Annual account available on the website: https://consult.cbso.nbb.be/consult-enterprise. Decision on merits 87/2024 — 49/55 difficult financial situation, a fine of 245,000 EUR would have consequences devastating for the defendant. This would compromise the implementation of the measures reorganization necessary to guarantee its future viability, putting jobs at risk of 400 people and even risking leading to the cessation of activities in Belgium. 145. Taking into account all these circumstances, the Litigation Chamber agrees that a reduction in the amount of the fine appears appropriate to support the defendant and prevent endangering the jobs of 400 people as well as the continuity of activities in Belgium. 146. To reach this conclusion, it seems relevant for the Litigation Chamber to take into account two essential elements: on the one hand, the use of the contribution of shareholders; on the other hand, the evaluation of cumulative losses over a period of three years (2023-2024, 2024-2025, 2025-2026) to reduce the amount of the initial fine. This approach aims to adequately consider the real financial capacity of the defendant to bear this administrative sanction. 147. The Litigation Chamber notes that the shareholders injected a cash contribution of more than 3,000,000 EUR, a sum established taking into account past losses, present and future, as well as other financial commitments to which the defendant 58 will have to respond, with the aim of ensuring the financial recovery planned for 2026-2027. Furthermore, the Litigation Chamber emphasizes that the defendant seems to have anticipated the risk of a possible fine, as indicated by the Statutory Auditor in the following terms: “we draw attention to note VOL - inb 6. 19 of the financial statements (“risks”) which describes the uncertainty associated with the resolution of the GBA investigation. The result of This investigation could have a significant impact on the financial situation of the company. ". 148. Next, the Litigation Chamber considers it relevant to assess the cumulative losses over a period of three years (2023-2024, 2024-2025, 2025-2026) since the shareholders have paid a cash contribution of more than 3,000,000 EUR based on planning multiannual strategy presented in October 2023 (see paragraph 147), aimed at guaranteeing financial recovery planned for 2026-2027. It is important to note that losses projected for the years 2024-2025 and 2025-2026 are hypothetical, and that the year 2024-2025 saw the highest loss since 2019 (…EUR). 149. In this context, the Litigation Chamber, as previously mentioned in its paragraph 145, considers it appropriate to reduce the amount of the fine by applying the remaining percentage of the more than 3,000,000 EUR contributed by the shareholders, after having excluded cumulative losses over a period of three years in relation to this contribution, periods 5The defendant mentions in its email of April 5, 2024 that a multi-year strategic plan was presented to shareholders in October 2023, resulting in a cash contribution of more than EUR3,000,000 from shareholders in February 2024. ; page 5 of the email sent by their Council in reaction to the sanction form. Decision on merits 87/2024 — 50/55 for the most part hypothetical. This approach aims to align the reduction of the initial fine with the financial situation of the defendant. Thus, the Litigation Chamber considers have correctly assessed the financial impact of the fine in relation to the funds provided by the shareholders, and considers that the reduction of at least 30% of the initial fine takes into account the actual financial capacity of the defendant to bear the fine administrative. 150. Following the preceding reasoning, the Litigation Chamber reduces the fine by 245,000 EUR to 172,431 EUR objectively: The loss for the year 2023-2024 amounts to [-..EUR], while that forecast for the year 2024-2025 is [-..EUR], and that foreseeable for the year 2025-2026 is [-..EUR]. By adding these losses, the loss cumulative for the year 2023-2024 as well as those planned for the years 2024-2025 and 2025-2026 represents a total of more than 1,000,000 EUR [(-.. EUR)] + [(-.. EUR)] + [(-.. EUR)] = more than 1,000,000 EUR. The contribution of shareholders to ensure viability is more than 3,000,000 EUR The percentage of the cumulative loss over a period of three years, i.e. 2023-2024, 2024-2025 and 2025-2026 (the last two years being hypothetical) compared to the shareholders' contribution amounts to +-30% [(more than 1,000,000 EUR / more than 3,000,000EUR)*100=+-30%].After withdrawing the cumulative loss over a period of three years, it is established that the defendant still holds +-70% of the more than 3,000,000 EUR contributed by the shareholders. 151. Consequently, the Litigation Chamber decides to apply the percentage of the loss cumulative over a period of three years (2023-2024, 2024-2025 and 2025-2026, both recent years being hypothetical) as a percentage reduction to the amount initial amount of the fine in order to determine the new amount. Taking into account all specific circumstances surrounding viability economic and financial capacity of the defendant, this represents +- 30% of the 245,000 EUR, a reduction of more than 70,000 EUR. Thus, the new amount of the fine amounts to EUR 172,431, which corresponds to a reduction of approximately 30% per compared to the initial amount. Furthermore, the Litigation Chamber emphasizes that the impact of this fine on a shareholder contribution established on forecasts until 2026-2027 (see point 148) is minimal, representing only 4%. Considering these factors, the Litigation Chamber considers that the reduction of the fine of 245,000 EUR to 172,431 EUR is a proportionate measure to sanction the violations noted in this specific case 152. Dissuasive nature – The dissuasive nature of fines is crucial to guarantee the compliance with the rules established by Union law, in particular in the GDPR. This character deterrent can manifest itself in two ways: general deterrence, which aims to discourage other controllers from committing the same violation in the future, Decision on merits 87/2024 — 51/55 and specific deterrence, which aims to dissuade the data controllers concerned by the fine for breaking the rules again in the future. A fine must be sufficiently dissuasive for data controllers to fear that Supervisory authorities do apply fines for GDPR violations. 153. Several factors determine the dissuasive nature of a fine: the nature and amount of the fine, as well as the probability of its imposition, are elements determining factors in this regard. A fine must be high enough to have an impact significant financial impact on the offending company, while remaining proportionate to the seriousness of the breach. In other words, the criterion of deterrence overlaps with that of effectiveness. 154. If a supervisory authority considers that a fine is not sufficiently dissuasive, it may consider increasing it. In some cases, it may even apply a multiplier deterrence to strengthen its deterrent effect. This multiplier can be adjusted to the discretion of the supervisory authority to ensure that deterrence objectives are fully achieved. 155. In this case, the fine of EUR 172,431 imposed on the defendant aims to deter the defendant to repeat the violation of the rules of the GDPR. Furthermore, she seeks also to deter other companies from committing similar violations. This fine, proportionate to the seriousness of the violation 59 and taking into account the turnover of the defendant, is designed to have both a specific and general deterrent effect. 156. Considering all of these aforementioned factors, the fine of EUR 172,431 seems to meet the dissuasive nature necessary to ensure compliance with the GDPR. III.3.2.2.6. In summary 157. Firstly, the Litigation Chamber notes that the defendant whose figure of business amounts to more than 50,000,000 EUR has not complied for a period significant of a complainant's erasure and opposition requests, resulting in a continuous processing of personal data for direct marketing purposes, and putting highlights the absence of guarantees to ensure compliance with the principles fundamentals of the GDPR, thus violating articles 17, 21, 5.1.a), and 5.2 juncto 24 of the GDPR. 158. Then, after analyzing all the relevant circumstances of the case in question under of Article 83.2, a), b) and g) of the GDPR, the Litigation Chamber considered that the violation was of “medium” severity. To determine the starting amount, the violation of articles 5, 17 and 21 of the GDPR is listed in Article 83.5, a) and b) of the GDPR, which provides that the maximum legal amount is 20 million EUR (20,000,000 EUR) or 4% of the figure 59See in particular Title III.3.2.2.2. of this decision. 60See in particular Title III.3.2.2.2. of this decision. Decision on merits 87/2024 — 52/55 total global annual sales for the previous financial year. In this case, the turnover of the defendant being less than EUR 500 million, the maximum amount and the range Fixed prices apply. Therefore, a starting amount of between 10 and 20% of the amount maximum applicable legal amount, i.e. between EUR 2 and 4 million, is envisaged. Since the violation is considered average, the Litigation Chamber decides that the amount The starting price set according to the seriousness of the violation will be 2,000,000 EUR (2 million EUR). 159. Then, the starting amount set in step 1 is adjusted according to the size of the company. The defendant achieves an annual turnover of more than EUR 50,000,000 for financial year 2023, falling in the range of EUR 50 to 100 million. That results in an adjustment of the starting amount to an amount between 8% and 20%. Given that the defendant's turnover is high within this range, the Litigation Chamber decides that an adjustment of up to 12.25% of the amount starting amount set in step 1 is justified, thus bringing the starting amount after adjustment to 245,000 EUR in this case. 160. To ensure that this starting amount after adjustment complies with the lines guidelines, it is compared with the ranges in the applicable table available in the EDPB guidelines. Since article 83.5 of the GDPR is applicable, that the defendant achieves a turnover of between 50 and 100 million EUR and the severity is medium, the starting amount should be between 160,000 and 800,000 EUR. The Litigation Chamber concludes that an amount of starting of 245,000 EUR is within this range, and therefore it is in line with the lines guidelines. 161. Taking into account article 83 of the GDPR, the Litigation Chamber must also provide reasons the imposition of an administrative fine in concrete terms, taking into account other aggravating or mitigating circumstances listed in Article 83.2 of the GDPR. However, the assessment of these elements does not justify either an increase or a decrease in the amount of the administrative fine. Furthermore, the Litigation Chamber must also justify the imposition of this administrative fine in accordance with the guidelines of the EDPB, which emphasize that fines for GDPR violations must be effective, proportionate and dissuasive in each specific case, in accordance with Articles 83.4 to 83.6 of the GDPR. The assessment of these elements justifies a reduction between the fine initial and the new amount of approximately 30%. Considering all the factors 61EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1), adopted on May 24 2023 (v2.1), see the appendices (p.52). 62Cour des Marchés), 2020/1471 of February 19, 2020. 63See in particular Title 3.2.2.4. of this decision. Decision on merits 87/2024 — 53/55 mentioned above, the reduction of the fine from EUR 245,000 to EUR 172,431 is a measure effective, proportionate and dissuasive necessary to ensure compliance with the GDPR.64 III.3.2.2.7. The decision to impose an administrative fine 162. All of the above elements justify an effective, proportionate and dissuasive under Article 83 of the GDPR, taking into account the assessment criteria therein are set out.The Litigation Chamber underlines that the other criteria set out in article 83.2 of the GDPR are not likely, in this case, to result in an administrative fine other than that determined by the Litigation Chamber within the framework of this decision. 163. The Litigation Chamber considers that it is justified to impose an administrative fine, taking into account the specific circumstances as well as the position taken by the defendant regarding the manner in which the plaintiff's requests were handled, in order to to sanction this behavior appropriately and to encourage the defendant to refrain from responding to requests to exercise the rights granted under the GDPR in this way in the future. 164. In view of the aforementioned assessment as well as the circumstances specific to this case, the Litigation Chamber therefore considers that it is appropriate to impose a fine administrative order of EUR 172,431 to the defendant, pursuant to article 58.2. i) of the GDPR as well as well as articles 100, § 1, 13° and 101 of the LCA, in accordance with article 83.2 of the GDPR. 165. The Litigation Chamber considers that the amount of this fine, which otherwise remains well below the maximum amount of the authorized range, is proportionate to the severity violations noted in the behavior in question. IV. Publication of the decision 166. Given the importance of transparency regarding the decision-making process of the Chamber Contentious, this decision is published on the website of the Authority of Data protection. However, it is not necessary for this purpose that the data identification of the parties are directly communicated. 64See in particular Title 3.2.2.5 of this decision. Decision on merits 87/2024 — 55/55 66 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.). (sé). Hielke H IJMANS President of the Litigation Chamber the signature of the applicant or his lawyer. 66The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court registry.