APD/GBA - 31/2020 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 6(1)(c) GDPR Article 8 GDPR Article 12(1) GDPR Article 13 GDPR Article 35 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 16.06.2020 |
Published: | |
Fine: | 2000 EUR |
Parties: | n/a |
National Case Number/Name: | 31/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Belgian APD/GBA (in NL) |
Initial Contributor: | n/a |
The APD/GBA (the Belgian DPA) found that a schoolboard violated the data minimisation and transparency principles of the GDPR, and processed data unlawfully by submitting a detailed "wellbeing" survey to a group of 12 year old pupils at a school without obtaining the consent of their parents.
English Summary
Facts
A schoolboard submitted a "wellbeing" survey to its first year pupils via the Smartschool system. The complainant reacted by filing a complaint with the APD/GBA on the basis that there was a lack of information provided about the survey, that parental consent was required, no data minimisation was applied to the processing (students were asked about bullying, pupils and their situations but their identifying data was allegedly not anonymised) and that the defendant should have carried out a data protection impact assessment but had failed to do so.
In response, the defendant (the schoolboard) contended that: -sufficient information had been provided, -the consent of the underage data subjects and their parents was not required for the processing because another legal basis (processing for a necessary legal basis) applied, -no special categories of personal data were being processed, -future surveys would respect the principle of data minimisation. The defendant also proposed sending a letter to allow the school to better inform parents and pupils in the future about the purpose of the survey.
Dispute
Is the legal basis for the processing in this case under Article 6(1)(a) or 6(1)(c)? If Article 6(1)(a) applies, do the requirements for parental consent under Article 8 GDPR also apply? Did the defendant, as the controller, fail to adhere to the data transparency (Article 5(1)(a) GDPR) and the data minimisation (Article 5(1)(c) GDPR) principles? Was the defendant required to carry out a data protection impact assessment (DPIA) pursuant to Article 35 GDPR?
Holding
-Legal basis was Article 6(1)(a): The Belgian DPA considered that because the survey was offered to a pupil under 13 years of age at the time of the facts, processing would only have been lawful under Article 6(1)(a), ie where permission has been given for the processing of the pupil's data. As the defendant had relied on Article 6(1)(c), the processing was unlwful.
-Therefore Article 8 also applies: The Belgian DPA decided that Article 8 applied because the criteria for requiring the authorisation of the holder of parental responsibility was met, ie the pupil was under the age of 13 (the age of consent for processing in Belgium), and the Smartschool tool was an information society service. As the controller had failed to obtain this parental consent, the Belgian DPA also held that the controller had infringed Article 8(1).
-Infringement of the data minimisation principle (Article 5(1)(c)): The Belgian DPA held that the controller failed to fulfil its responsibilities under Article 5(1)(c) because the data was not anonymised, despite there being a way for the survey to be offered in an anonymous form at the time of the facts.
-Infringement of the transparency principle (Articles 5(1)(a), 12(1) and 13): The Belgian DPA held that the controller failed to fulfil its responsibilities under Article 5(1)(a), as the controller failed to demonstrate that the pupils were adequately informed in line with the requirements in Articles 12(1) and 13.
-No requirement for a DPIA under Article 35 GDPR: The Belgian DPA was satisfied that there was no infringement of Article 35 GDPR, and subsequently no obligation on the controller to have carried out a DPIA before commencing processing. It cited the small number of data subjects and the low risks to the rights and freedoms of the data subjects as its reason for not considering the controller in breach of Article 35 GDPR.
Comment
Transparency rights for parents when their children are data subjects
In this case, the complainant argued that the controller should have informed the parents in advance about the conducting of a survey among schoolchildren under 13 years of age. However, the Belgian DPA rejected this argument on the basis that Article 8 only requires compulsory consent from parents, and does not provide for transparency measures addressed to the holder of parental responsibility giving consent.
However, this raises a question regarding the standard of consent required from parents on behalf of their children; the DPA's decision suggests a lower threshold may be required in Article 8 cases, particularly in terms of the consent being sufficiently "specific" and "informed."
Further Resources
Other in-depth commentaries and analyses can be found here:
- Surveys, transparency and DPIAs: tips from the Belgian DPA (23 June 2020)
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute chamber Decision on the merits 31/2020 of 16 June 2020 Dossier number: DOS-2019-03499 Subject: Complaint about the use of Smartschool to carry out a 'well-being' survey among underage pupils without parental consent. The Disputes Chamber of the Data Protection Authority, composed of Mr HielkeHijmans, chairman and Mr Christophe Boeraeve and Mr Jelle St assijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; has taken the following decision regarding: -Mr X; hereinafter 'the complainant' -Y, hereinafter 'the defendant’. Facts and procedure 1.On 22 July 2019, the complainant filed a complaint with the Data Protection Authority against the defendant. The subject of the complaint concerns the 'well-being' survey that was submitted to Z pupils via the Smartschool system. A number of provisions of the AVG were allegedly infringed. The complainant argues that there is a lack of information, parental consent is required to conduct the survey, an information society service is used and more data are processed than necessary for the purposes for which they are processed. According to the complainant, a data protection impact assessment should also have been carried out by the defendant, but this was not done. 2. On 6 August 2019, the complaint will be declared admissible under Articles 58 and 60 of the Act of 3 December 2017, the complainant will be notified under Article 61 of the Act of 3 December 2017 and the complaint will be transferred to the Dispute Chamber under Article 62(1) of the Act of 3 December 2017. 3 On 27 August 2019, the Disputes Chamber decides on the basis of art. 95, §1, 1° and art. 98 of the law of 3 December 2017 that the file is ready to be dealt with on the merits. 4 On 28 August 2019, the parties concerned will be informed by registered mail of the provisions mentioned in article 95, §2, as well as those mentioned in art. 98 of the law of 3 December 2017. The parties concerned were also informed of the deadlines for submitting their defences under Article 99 of the law of 3 December 2017. 5. On 9 September 2019, the defendant notifies the Chamber of Disputes that he has taken note of the complaint, requests a copy of the file (art. 95, §2, 3° of the law of 3 December 2017) and accepts electronically all communications concerning the case (art. 98, 1° of the law of 3 December 2017). 6. On 11 September 2019, a copy of the file will be sent to the defendant. 7. on 26 September 2019, the Disputes Chamber will receive the conclusion of the response from the defendant. On 26 September 2019, the Supreme Court will receive the defendant's response. In its conclusion, the defendant states that it is basing its investigation on a legal obligation and that no consent is required, which, according to the defendant, would also imply that article 8 of the AVG would not apply. The defendant also denies that special categories of personal data within the meaning of Article 9.1 of the AVG would be processed on the basis of the survey. The defendant also explains how the data will be processed after taking the survey (who has access to the individual survey, storage of the general data (anonymised) at class level, deletion of the completed surveys at the end of the school year). The next survey would be based on the 'questionnaire well-being' used by the Education Inspectorate in order to respect the principle of minimum data processing. Finally, a proposal for a letter would be added to allow the school to better inform parents and pupils in the future about the purpose of the survey. 8.On 23 October 2019, the Chamber of Disputes receives the conclusion of the reply of the complainant. It gives a detailed answer to the conclusion of the reply of the defendant and mentions a number of new elements that were not yet addressed in the complaint: -According to the complainant, Y is the organizing power over school Z and the Centre for Pupil Guidance W, but since a CLB must be able to act independently, they seem to act as joint controllers.-The complainant provides an overview of the provisions on which, according to him, an infringement has been committed. He also requests:1.that a fine should be imposed on the defendant, 2.that all parties concerned should be informed of the offences committed (in 2016 and 2018, and if necessary also for the 2017 survey) that would involve a personal data breach,3.and that the decision of the Disputes Chamber should be published on the websites of the defendant and CLB, as well as to all parents via Smartschool. 9.On 8 November 2019, the Disputes Chamber will receive the conclusion of the respondent's reply, in which the lawfulness of the processing; the designation of the data controller; the consent requirement and the non-application of Article 8 of the AVG; the principle of minimum data processing, the obligation of the data controller to provide transparent information and argumentation in support of the assertion that no data protection impact assessment is necessary. 10. On 4 May 2020, the Disputes Settlement Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof in order to give the defendant the opportunity to defend itself, before the sanction is actually imposed. 11 On 22 May 2020, the Disputes Settlement Chamber receives the defendant's response to the intention to impose an administrative fine, as well as the amount thereof. The defendant reiterates the reasoning set out in the conclusions to state that the processing is lawful on the basis of the Decree of 27 April 2018 on pupil guidance in primary and secondary education and centres for pupil guidance, as well as to state that article 8.1 AVG would not apply. The defendant also stresses that it has already responded to earlier observations. Finally, the defendant also argues that the Chamber of Disputes cannot impose an administrative fine, since the defendant, being an educational institution financed by the Flemish Community, has as its objective the provision of education, which is a task of general interest. It follows, according to the defendant, that he must be regarded as a 'public authority' within the meaning of Article 5 of the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, and Article 221(2) of the same Law would therefore apply. Legal basis -Rightness of processing Article 6.1. AVG 1. Processing is lawful only if and to the extent that at least one of the following conditions is fulfilled: a) the data subject has given consent to the processing of his personal data for one or more specific purposes; [...]c) processing is necessary to comply with a legal obligation to which the controller is subject; [...]-Conditions for the consent of children with regard to information society services Article 8 AVG 1. Where Article 6(1)(a) applies in relation to a direct offer of Information Society services to a child, the processing of a child's personal data is lawful when the child is at least 16 years of age. Where the child is under 16 years of age, such processing shall be lawful only if and to the extent that the consent or authorisation is given by the holder of parental responsibility for the child. Member States may provide by law for a lower age in this respect, provided that it is not less than 13. 2. Having regard to available technology, the controller shall make reasonable efforts to verify whether the holder of parental responsibility has given consent or authorisation in such cases. 3. Paragraph 1 shall be without prejudice to the general contract law of the Member States, such as the rules on the validity, formation or effect of agreements in relation to children. Minimum data processing Article 5(1)(c) AVG1. Personal data must be (c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed ('minimal data processing'). Transparent information Article 5(1)(a) AVG1. (a) personal data must be processed in a manner that is lawful, adequate and transparent as regards the data subject ('lawfulness, adequacy and transparency');[...]. Article 12.1. AVG 1. The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication related to the processing referred to in Articles 15 to 22 and Article 34 in a concise, transparent, comprehensible and easily accessible form, in clear and simple language, in particular when the information is specifically intended for a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If the person concerned so requests, the information may be provided orally, provided that the identity of the person concerned has been proven by other means. Article 13 AVG 1. Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all of the following information when the personal data are obtained: (a) the identity and contact details of the controller and, where applicable, of the controller's representative; (b) where applicable, the contact details of the Data Protection Officer; (c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; (d) the legitimate interests of the controller or of a third party where the processing is based on Article 6(1)(f); (e) where applicable, the recipients or categories of recipients of the personal data; (f) where applicable, that the controller intends to transfer the personal data to a third country or an international organisation; whether or not there is an adequacy decision by the Commission; or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), what are the appropriate or appropriate safeguards, how a copy can be obtained or where it can be accessed. 2 . In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information when the personal data are obtained in order to ensure proper and transparent processing: (a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; (b) that the data subject has the right to request the controller to access, rectify or erase the personal data or to restrict the personal data relating to him/her (c) where processing is based on Article 6(1)(a) or Article 9(2)(a), that the data subject has the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent prior to withdrawal; (d) that the data subject has the right to lodge a complaint with a supervisory authority; (e) whether the disclosure of personal data is a legal or contractual obligation or a necessary precondition for the conclusion of a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences are if those data are not provided; (f) the existence of automated decision making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic and the importance and the expected consequences of that processing for the data subject. 3 . Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information on that other purpose and any relevant further information referred to in paragraph 2 prior to such further processing. Paragraphs 1, 2 and 3 shall not apply where and to the extent that the data subject already has the information. 3. Grounds for the decision a)The competence of the Disputes Settlement Chamber 12. Since the Flemish Supervisory Committee has already intervened on the basis of a complaint with the same object that was previously submitted by the complainant, and since the Flemish Supervisory Committee took a position in this respect on 17 June 2019 pursuant to Article 10/7 of the Flemish Decree of 18 July 2008 on electronic administrative data traffic, the Disputes Settlement Chamber is of the opinion that it should clarify the mutual relationship between the Flemish Supervisory Committee on the one hand and the Data Protection Authority on the other hand. 13 Although the defendant does not in any way dispute the competence of the Disputes Chamber belonging to the Data Protection Authority, the defendant assumes that the decision of the Disputes Chamber will be in line with the response of the Flemish Supervisory Commission. The defendant is of the opinion that it can be assumed on the basis of Article 10/1 §2, paragraph 2 of the Flemish Decree of 18 July 2008 on electronic administrative data traffic, which stipulates the following: The Flemish Supervision Commission requests the Data Protection Authority, referred to in Article 3 of the Act of 3 December 2017 establishing the Data Protection Authority, to delegate a member to attend every deliberation of the Flemish Supervision Commission as an observer.The defendant suspects on the basis of that provision that the observer of the Data Protection Authority would have intervened if the Flemish Supervision Commission had drawn wrong conclusions. 14 The Disputes Chamber considers it necessary in this respect to clarify the role of the observer of the Data Protection Authority, as well as the relationship between the Flemish Supervision Commission and the Data Protection Authority 15 . It should be stressed that the member of the Data Protection Authority acting as an observer (currently: the chairman of the Data Protection Authority) is obliged to limit himself to the role assigned to him by the legislator, namely merely attending every deliberation of the Flemish Supervisory Commission, but this in no way implies that the latter intervenes in the decision-making process, and certainly not that the observer could decisively influence the decision of the Flemish Supervisory Commission. The Data Protection Authority, of which the Disputes Chamber is part, is therefore in no way bound by a decision of the Flemish Supervision Commission.16 The Disputes Chamber also states that the interpretation by the Legislation Section of the Council of State and by the Constitutional Court of the constitutional competence concerning the protection of privacy clarifies that it is the federal legislator who lays down the general rules in this respect.1 The Council of State specified that the federal supervisor for the protection of privacy "has a general competence over all processing of personal data, including those carried out in matters for which the Communities and Regions are competent. "2 The Litigation Chamber refers to the powers of the Data Protection Authority as laid down by the federal legislator by virtue of Article 4 WOG.3 For the supervision of compliance with the directly applicable provisions of the AVG - as general rules - the Data Protection Authority is therefore the competent authority. (b) Processing manager The complainant has lodged a complaint against Z whose organizing power is Y. In the course of the proceedings he argues that Y is the organizing power above Z and the Centre for Pupil Guidance W. 18.The defendant refutes this by stating that although Y is the organizing power above Z, the Centre for Pupil Guidance W falls under a separate organizing power, namely the Centre for Pupil Guidance Antwerp Central Area vzw. 19.The Disputes Chamber directs its decision to Y, as the organizing authority. Moreover, Y, the school board of Z, is the processing manager who alone determines the purpose and means of pupil counselling. It is true that the processing manager can appeal to the centre for pupil guidance for substantive support, but this does not make the centre for pupil guidance a processing manager, together with Y . c)Lawfulness of the processing (article 6.1. AVG) 20. In order to carry out the "well-being" survey, the defendant invokes the Flemish Decree of 27 April 2018 on pupil guidance in primary and secondary education and the centres for pupil guidance, which imposes a policy on pupil guidance on schools. In article 3, 17°/1/1 of the codex secondary education4 , pupil guidance is understood to mean a set of preventive and accompanying measures. Pupil counselling is situated in four domains: the educational career, learning and studying, psychological and social functioning and preventive health care. The measures always start from an integrated and holistic approach for the four domains of guidance and this from a continuum of care;" . This leads the defendant to state that the 'well-being' survey is based on Article 6.1. c) AVG, in particular that the data processing based on the survey would be necessary to comply with a legal obligation incumbent on the data controller. 21. The complainant contests this legal basis invoked by the defendant and argues that it is not Article 6.1. c) AVG that provides the legal basis for the data processing based on the 'well-being' survey, but rather Article 6.1. a) AVG. 22.The Disputes Chamber notes that, although there is a decretal obligation on the part of the respondent to provide pupil counselling, this does not imply any obligation on the part of the respondent to reply 'wellbeing' to the questions asked in the survey and in no way justifies the way in which the respondent seeks to fulfil its obligation, namely by conducting a survey which allows identification of the person concerned. It is an autonomous decision on the part of the school to fulfil its own obligation by means of a survey and for which the school relies on the cooperation of the pupils. 23.However, contrary to what the defendant claims, the cooperation of the pupils by means of participation in such a survey cannot be justified on the basis of the defendant's obligation to provide pupil guidance. Indeed, the obligation to provide guidance does not require the defendant to carry out a survey in the form presented to the pupil under 13 years of age. 24.The defendant itself states in this respect that the Codex secondary education determines the purpose, but does not impose which personal data of the pupil must or may be processed. The Disputes Chamber adds that the Codex secondary education also does not stipulate that the data collection for the purpose of pupil counselling should take place on the basis of a survey that would require the cooperation and identification of all pupils. According to the Disputes Chamber, the data processing by means of the survey "well-being" as it was offered to the pupil under 13 years of age at the time of the facts is therefore only lawful if permission has been given for the processing of the personal data of the pupil concerned and the processing is only lawful on the basis of article 6.1. a) AVG. 25.However, for the personal data obtained on the basis of the "well-being" survey, the defendant relies solely on article 6.1 c) AVG, not on article 6.1 a) AVG. The Disputes Chamber is therefore of the opinion that the infringement of Article 6.1. AVG is proven, since the data processing by means of the survey "well-being" should be based on consent in the absence of any other potentially applicable legal basis in art. 6.1. AVG. (d) Conditions for the consent of children with regard to information society services (Article 8 GTC) 26.According to the complainant, Article 8 of the AVG applies to the 'well-being' survey offered to underage pupils via Smartschool. 27.The respondent, on the other hand, denies that Article 8 would apply by arguing thatSmartschool did not itself offer these services directly to the pupil. 28.In order to be able to assess whether or not Article 8 AVG applies in the present case, the Disputes Chamber will examine whether or not the conditions laid down in this provision have been met. Consent as legal basis 29.Article 8 AVG can only be invoked if Article 6.1 a) AVG applies. The aforementioned explanation of the lawfulness of the processing shows that the Disputes Settlement Chamber is of the opinion that consent is the only valid legal basis for the data processing by means of the survey "well-being". This condition is thus met. -Age limit of 13 years 30.First of all, account must be taken of Article 7 of the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, which stipulates the following: "Pursuant to Article 8.1 of the Regulation, the processing of a child's personal data relating to a direct offer of information society services to a child shall be lawful if the consent is given by children of 13 years of age or older. If this processing concerns the personal data of a child under 13 years of age, it shall only be lawful if the consent is given by the child's legal representative". 31.Applied to this complaint, it concerns an underage pupil who was 12 years old at the time he was confronted with the "well-being" survey. It follows from this that the consent of his legal representative is required in so far as the other conditions of Article 8 are also met. Information society service 32. It is then essential to determine whether or not, by conducting a survey of a pupil younger than 13 years of age by means of Smartschool, there is a "service of the information society". The Chamber of Disputes refers for its definition to Article 4. 25) AVG stipulating that an 'information society service' is a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council. 33.Article 1(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on information society services states that 'service' shall mean any information society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition, (i) 'at a distance' means that the service is provided without the parties being simultaneously present, (ii) 'by electronic means' means that the service is sent and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means, (iii) 'at the individual request of a recipient of services' means that the service is provided through the transmission of data on individual request. 34.An indicative list of services not covered by this definition is set out in Annex I5 to the aforementioned Directive (EU) 2015/1535. While this list is indicative and not exhaustive, it gives, according to the Disputes Chamber, a clear indication of the scope which the European regulator wanted to give to the concept of an information society service6. 35: 1.no physical presence of provider and customer is associated with the provision of the survey via Smartschool. 2.it has been established that the survey is offered electronically, since Smartschool is a digital schoolpl atform with tools for administration, reporting and communication between management, teachers, pupil supervisors, pupils and parents. It is offered as a service, i.e. software offered as an online service ('Software as a Service') and can be used via the browser or via associated apps.3.it is a service provided on individual request via the transmission of data, since the individual pupil is required to log on to the Smartschool platform in order to take part in the 'well-being' survey. Thus, the service is offered directly to each individual learner and the survey is called up by the individual learner. It is therefore certainly not a transmission of data intended for simultaneous reception by an unlimited number of recipients (point-to-multipoint transmission) as referred to in Annex I of the aforementioned Directive (EU) 2015/1535. 36.Article 1(b) of Directive (EU) 2015/1535 also states that this is any service normally provided for remuneration. The defendant only states that a processing agreement has been concluded with Smartschool and does not dispute that this is done for remuneration. 37. The fulfilment of these cumulative conditions leads the Disputes Chamber to state that the Smartschool tool must indeed be regarded as a service of the information society. 38.The Disputes Chamber decides that all conditions for the application of Article 8 GCC have been met. Because of the misunderstanding of the applicability of this provision by the defendant and the consequent failure to obtain the consent of the person having parental responsibility for the pupil under the age of 13 to carry out the 'well-being' survey, the Disputes Chamber finds that the infringement of Article 8 AVGis has been proved. (e) Minimum data processing (Article 5(1)(c) AVG) 39. The complainant points out that, by asking the question in the survey7 , the defendant is processing data about other pupils, about bullying, the home situation of the pupil concerned and that such processing is disproportionate to the purpose of pupil counselling. The defendant argues that the Codex secondary education determines the purpose, but does not impose which personal data of the pupil should or may be processed. The defendant would have sought an appropriate way to obtain sufficient information in order to provide the best possible guidance to the pupil. In the conclusion of reply, the defendant states that it was opted to add a number of open questions, also around bullying, but the pupils were not obliged to fill in these questions. However, appendix 5 of the Conclusion of Reply, which explains the Well Being Survey 2018, mentions: "Pupils should answer all questions. It is a digital version, you can only go to the next question once you have completed the previous one". Nevertheless, the defendant indicates that he has already adjusted the survey in the sense that it will henceforth be offered in an anonymous form, so that not all the AVG's obligations will have to be met. 40 When assessing whether data obtained from the survey are adequate, relevant and limited to what is necessary for the purpose of pupil guidance, the Disputes Chamber establishes that the purpose of 'pupil guidance' could have been achieved in a different way - in particular anonymously8 - than the way in which the survey was offered at the time of the facts, in particular with the processing of identification data. After all, the respondent himself indicates that the purpose can also be achieved by offering the survey in an anonymous form. 41 The Disputes Chamber already notes that with regard to the taking of the survey in the future, it is required that it is anonymous9 within the meaning of the AVG. It must be data that do not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a way that the data subject is not or no longer identifiable. In so doing, account shall be taken of all the means likely reasonably to be used to identify, directly or indirectly, the pupil concerned. In order to determine whether means can reasonably be expected to be used to identify the natural person, account should be taken of all objective factors, such as the cost and time required for identification, taking into account the available technology at the time of processing and technological developments. In particular, it is important to examine to what extent the provision of an anonymous survey through Smartschool allows or does not allow the pupil concerned to be identified. 42.It is certain that there was no anonymous data processing at the time of the facts, because identification data were collected from both the pupil who filled in the survey and the names of other pupils whom the pupil concerned mentioned in the survey in response to some questions. It appears from the records that the processing did not respect the principle of minimum data processing. This leads the Disputes Chamber to establish that the infringement of Article 5.1 c) AVG has been proven. f)Transparent information (Article 5.1(a); Article 12.1. and Article 13.1. and 13.2. AVG) 43.The complainant alleges that the defendant should have informed the parents in advance that a non-anonymous survey would be conducted among pupils under 13 years of age. He states that he was only informed of the survey by his son, a pupil under 13, while the complainant believes that the parent should be informed by the defendant himself about the purpose, who can see it, what the consequences are, what all rights are, what consequences are linked to not filling in the survey, (etc). 44.The Litigation Chamber points out that while Article 8 AVG provides for compulsory consent on behalf of a child who has not yet reached the age of 13, it does not provide for transparency measures addressed to the holder of parental responsibility giving consent. 45.Therefore, in line with the transparency measures specifically addressed to children referred to in Article 12.1 AVG (and supported by recitals 3810 and 5811), the defendant has an obligation to ensure that when addressing children specifically, all information and communication is provided in simple and understandable language or through a medium that children can easily understand12 . 46. As a general rule, such information should be given in written form, but the information may be given orally at the request of the person concerned. The defendant argues13 that in each class of the first year, the purpose of the survey was explained, who can read it, as well as a clarification of the questions asked in the survey. The information about the purpose of the survey and who can read it was also provided in the letter given to the pupils, which also included a step-by-step plan for completing the survey. However, this letter in no way contains all the elements required by Article 13 of the AVG in such a way that it has not been demonstrated that the written information was provided in a proper manner. It is true that the information can also be provided verbally, but this can only be done at the request of the person concerned, which is not the case in this case. 47. The defendant also refers to her privacy statement, as well as to the school regulations that would contain the information required by Article 13 of the AVG, which led the defendant to assume that the complainant was aware and that the letter to the pupils did not explicitly mention all this information, and invokes Article 13.4 of the AVG for this purpose. Again, the Disputes Chamber stresses that a child younger than 13 years of age does not lose his or her right to transparency in a situation to which Article 8 AVG applies. The Litigation Chamber is of the opinion that the position taken by the defendant whereby the pupil is deemed to already have knowledge of the privacy statement and the school regulations in order to justify that this information should no longer be provided to him or her in the context of the survey does not correspond to the intention of the AVG to provide special protection to minors, so that the information and communication to the minor should be in such a clear and simple language that the child can easily understand it. According to the Disputes Chamber, it cannot be assumed that the request for participation in the survey, made by the defendant to the pupil, makes the pupil under 13 years of age himself/herself linked to the privacy statement and the school regulations. At least the defendant should have referred to the applicable provisions of the privacy statement and the school regulations in the letter to the pupils. Indeed, Article 13 AVG requires the defendant to provide the pupil concerned with the information and to actively take steps to provide the information to the person concerned or to actively direct the person concerned to the location of the information14 , especially in view of the target group consisting of pupils under 13 years of age. 48. The defendant does not demonstrate that the pupil concerned was adequately informed in accordance with Articles 12.1 and 13 of the AVG. 49.Pursuant to the obligation of the controller to inform the data subject in a concise, transparent, comprehensible and easily accessible form and in clear and simple language, the Disputes Chamber states that the defendant has failed to comply with this obligation and that the infringement of Articles 5.1 a), 12.1 and 13 of the AVG has been proven. Conclusion on the sanction to be imposed 50.The Disputes Chamber is therefore of the opinion that an infringement of Articles 5.1. a), 5.1. c), 6.1, 8, 12.1 and 13 of the AVG has been proven and it is appropriate to order that the processing be brought into conformity with these articles of the AVG (Article 58. 2. d) AVG and art. 100, §1, 9° WOG), as well as to impose an administrative fine in addition to this corrective measure (art. 83.2. AVG; art. 100, §1, 13° WOG and art. 101 WOG). The defendant qualifies for the imposition of an administrative fine, notwithstanding the fact that it claims to be an authority within the meaning of Article 5 of the Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data, and therefore Article 221, §2 of the same Act would be applicable 51 . The Disputes Chamber notes that Article 83.7 of the AVG states the following: 'Without prejudice to the powers of the supervisory authorities to take corrective measures in accordance with Article 58(2), each Member State may lay down rules concerning whether and to what extent administrative fines may be imposed on public authorities and public bodies established in that Member State'. Although the AVG does not specify the scope of what is to be understood by 'public authorities and public bodies', it is clear that this exception must be interpreted strictly. 52.In the opinion of the Disputes Chamber, a private organisation such as Y does not fall under this, even if this organisation carries out tasks in the public interest in the field of education. 53.Indeed, specifically with regard to European data protection rules, the Court of Justice has ruled that the exceptions laid down in European legislation must be interpreted strictly 'since they set aside the system of protection of personal data provided for in this Directive [now Regulation] and thus derogate from the objective underlying the latter, which is to ensure the protection of the freedoms and fundamental rights of natural persons with regard to the processing of personal data, such as the right to respect for private and family life, laid down in Article 7 of the Charter of Fundamental Rights of the European Union (...). ...), and the right to the protection of personal data, which is guaranteed by Article 8 thereof.'15 The sanction of the administrative fine provides an effective means of exerting pressure and thus an additional guarantee for citizens that data protection rules will be respected, which justifies a restrictive interpretation of Article 83.7 of the AVG. 54. With regard to the nature and seriousness of the infringement (Article 83(2)(a) AVG), the Litigation Chamber stresses that compliance with the principles set out in Article 5 AVG - in particular, the principles of transparency and lawfulness, as well as the principle of minimum data processing - is essential, since they are fundamental principles of data protection. The Chamber therefore considers the defendant's breach of the principle of lawfulness laid down in Article 6 of the APC and the principle of transparency laid down in Articles 12 and 13 of the APC as a serious breach. In addition, there is an infringement of a provision (Article 8 of the AVG) aimed at offering special protection to young people. 55. Although the complainant argues that despite his earlier complaint submitted in 2016 to the then Commission for the Protection of Privacy and which related to the same survey, the defendant will conduct the survey again in 2018 and, according to the complainant, there is a repeat offence, the Disputes Chamber does not take the 2016 complaint into account when determining the administrative fine. First of all, no consequences were linked to the 2016 complaint by the Commission for the Protection of Privacy and at that time the AVG was not yet applicable. However, when determining the administrative fine, the Chamber of Disputes does take into account the fact that the defendant declares itself willing and has already made efforts to provide for a survey to be conducted in an anonymous form in the future, provided that the defendant takes the necessary measures to ensure its anonymity (as noted by the Chamber of Disputes above under 'd) Minimum data processing'). Moreover, when determining the amount of the fine, the Disputes Chamber takes into account the fact that this is an educational institution, not for profit. 56.The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in Article 83 AVG, taking into account the assessment criteria laid down therein. The Disputes Chamber points out that the other criteria set out in Article 83.2. AVG in this case are not such as to lead to an administrative fine other than that established by the Disputes Chamber in the context of this decision. (g) Data protection impact assessment 57. The complainant considers that the defendant should carry out a data protection impact assessment (hereafter: DPIA), as it would involve a processing operation posing a high risk to the rights and freedoms of natural persons and refers in particular to Article 35.3(b) AVG which provides that a data protection impact assessment is required in the case of a large-scale processing of special categories of personal data such as referred to in Article 9(1) or of information relating to criminal convictions and offences referred to in Article 10. 58.However, the defendant stresses that it is not obliged to carry out an EIO, since the survey has been carried out for many years - 15 years are mentioned - and existing processing operations are in principle only required if the risks to rights and freedoms for natural persons change after 25 May 2018. The defendant argues that there has been no such change. The defendant relies on the Data Protection Authority's Recommendation No 01/2018 of 28 February 2018 on Data Protection Impact Assessment and Prior Consultation16 and the Data Protection Authority's Manual on Data Protection Impact Assessment dating from April 2019 17. 59.The defendant also claims that the sensitive data it is processing would not be covered by Article 9.1 of the AVG18 . In this respect, the Disputes Chamber notes that according to the Codex secondary education includes pupil counselling: psychological and social functioning and preventive health care. The privacy statement, to which the defendant himself refers in connection with the obligation of transparency, states that the pupil data processed also include health data: physical, psychological, risk situations and behaviour (with a view to guidance). Data on health are considered to be a special category of personal data. Some questions from the survey probe for information about health data as defined in the defendant's privacy statement, so that Article 9.1 of the AVG applies. However, this is not a large-scale processing in the sense of recital 91 AVG.19 The Disputes Chamber notes that it only concerns the personal data of the defendant's first-year pupils and that it is therefore difficult to argue that this is a processing of a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects. 60.In addition, the Disputes Chamber is of the opinion that to the extent that the defendant is processing health data, it is indeed an existing processing with a high risk, but that there is no indication that the risks to the rights and freedoms of natural persons after 25 May 2018 are modified, taking into account the nature, scope, context and purposes of the processing, which would necessitate an EIA. There is therefore no question of any infringement of art. 35 AVG. h)Publication of the decision 61.Given the importance of transparency in relation to the decision of the Disputes Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identification details of the parties to be published directly for this purpose. For these reasons, the Data Protection Authority's Disputes Chamber, after deliberation, will decide: - Pursuant to art. 100, §1, 9° WOG, order the defendant to bring the processing in conformity with art. 5.1.a); art. 12.1. and 13.1. c) and d) and 13.2. b) AVG. - to impose an administrative fine of 2000 EUR on the basis of art. 100, §1, 13° WOG and art. 101 WOG. An appeal against this decision can be lodged with the Data Protection Authority as defendant, within a period of thirty days from the notification, at the Market Court, pursuant to art. 108, §1 WOG. (get.) Hielke HijmansChairman of the Disputes Chamber