APD/GBA (Belgium) - 04/2021

From GDPRhub
Revision as of 11:39, 11 March 2021 by Cvl (talk | contribs) (→‎Facts)
APD/GBA - 04/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1) GDPR
Article 6 GDPR
Article 7 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.01.2021
Published:
Fine: 50000 EUR
Parties: Anonymous (Complainant)
National Service for the Promotion of Childcare products (Defendant)
National Case Number/Name: 04/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: Mathieu Desmet

The Belgian DPA (APD/GBA) issued a fine of €50,000 against a private company for collecting personal data from its target audience (pregnant mothers) without valid consent. Personal data collected was then transferred to this company's network of partners which processed the data for direct marketing purposes and sold it to other third parties in breach of the GDPR.

English Summary

Facts

Background:

The defendant is a marketing company that distributes "pink boxes" which targets pregnant mothers that include samples, special offers and information sheets for future parents.

The offers and samples contained in the "pink boxes" where made available by the network of partners of the defendant.

As to the data processed, the personal data of (future) mothers collected by the defendant included : the mother's name, mother's first name, date of birth of the baby, sex of the baby, name of the baby, e-mail address, street and house number, zip code and city.

This personal data was then transferred by the defendant to third parties (so-called "structural partners") in exchange for the aforementioned offers and samples.

These partners where in fact data brokers which processed the data for marketing campaigns and sold it to other third parties.

Facts:

The complainant filled in a registration form with the defendant - when she received a pink box from - and authorized the processing her personal data. She was not informed clearly of the processing and possible subsequent processings (with regards to the defendant's network of partners).

The complainant subsequently decided to withdraw her consent as she no longer desired to be contacted by third parties concerning promotions for childcare products.

However, even after having exercised her right, the complainant still received unwanted phone calls from partners of the defendant in connection with certain promotions.

The complainant then lodged a complaint with the Belgian data protection authority alleging the defendant transferred personal data to third parties, including data brokers, without valid consent on the part of the customer, and without the provision of sufficient information.

Dispute

The discussion mainly mainly revolved around the (lack of) information given by the defendant about the sale and processing of personal data by its the network of partners as well as the scope and validity of the consent given by consumers to the processing(s).

Holding

The Inspection Service and the Litigation Chamber of the Belgian DPA held that:

1) Lack of information and transparency about the processing(s)

The defendant had breached article 5, paragraph 1, a) of the GDPR as well as article 13 (lack of transparency) as the defendant was renting and/or selling personal data for commercial purposes via its partners without informing the consumers about these processings in a clear and comprehensible manner.

An aggravating factor is the fact that the pink boxes were distributed via gynecologists and hospitals combined with the company name of the defendant, which could have led clients to believe that the initiative came from the public sector, and not from a private company whose core business is trading data.  

2) Lack of valid consent to process the data

Article 6 GDPR, in particular Article 6(1)(a) and (f) GDPR (Free consent) was also breached by the defendant, as there could be no free, specific, informed and unambiguous consent given by the customers as consent was in this case :

a) - clearly not informed (about further processings by the network of partners);

b) - not specific (as consent for receiving the boxes automatically involved the transfer of data) ;

c) - not freely given (as the lack of consent involved the loss of some benefits).

3) Lack of appropriate technical and organizational measures and disproportionate retention period

Article 25 GDPR, given that the defendant has not taken appropriate technical and organizational measures to ensure that only personal data is processed that is necessary for each specific purpose of the processing. The retention period of 18 years is disproportionate to the initial consent and reasonable expectations of the complainant and other parties involved. Moreover the defendant had not concluded the necessary processing agreements.

Decision of the Belgian DPA:

Taking into consideration the number of data subjects (the company processes data relating to 21.10% of the Belgian population), the seriousness of the breach and the nature of the data processed (in particular data relating to children), the Litigation Chamber of the BE DPA decided to impose a fine of 50,000 euro on the defendant, and ordered the company to comply with the GDPR within a 6 months period.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Decision on the merits 04/2021 - 1/46

Litigation chamber

Decision on the merits 04/2021 of 20 January 2021

File number: DOS-2019-04798

Subject: Complaint as a result of the transfer of personal data by a
organization that makes offers to (expectant) mothers.

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman and Messrs. Jelle Stassijns and Dirk Van Der Kelen, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive
95/46 / EC (General Data Protection Regulation), hereinafter GDPR;

In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter
WOG;

Having regard to the rules of internal procedure, as approved by the Chamber of
People's representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15
2019;

Considering the documents in the file;

has taken the following decision regarding:
- Ms X, hereinafter “the complainant”,
- Family Service / The National Service for Promotion of Children's Articles, NV (hereinafter: NV NDPK),
hereinafter “the defendant”, represented by mr. Jean-François Henrotte and mr. Fanny
Coton.

1. Facts and procedure

The complaint

1. The circumstances surrounding and the subject of the complaint can be summarized
as follows. The defendant is a private company, more specifically an advertising agency
provides media representation. The defendant offers so-called “Pink Boxes”,
on behalf of (expectant) mothers in which offers and samples of products
and services can be found. These boxes are distributed by a network of partners.
The defendant also offers (expectant) mothers information about the
pregnancy, birth, etc. She also gives discounts that are temporarily offered
to registered members. The details of (expectant) mothers are passed on
to third parties (so-called structural partners) in exchange for the aforementioned offers
and samples and with a view to the trade in personal data and direct marketing by
these third parties. The complaint mainly points to the fact that the defendant is a supplier
is of personal data.

2. The complainant has at the time - upon receiving a box from the defendant
- signed up with the defendant and given permission to process
certain personal data belonging to it. However, the complainant later decided
to lodge an objection with the defendant because she no longer wished to be contacted
by third parties / partners of the defendant. Nevertheless, the complainant received after filing
from an objection to the defendant, telephone calls from third partners of the
defendant in connection with certain promotions.

3. On September 19, 2019, the complainant files a complaint with the Data Protection Authority
against the defendant.

4. The object of the complaint concerns the hiring or selling of personal data
for direct marketing reasons, without the explicit consent of the data subjects and
at least after withdrawal, resulting in unwanted advertising. The complainant
was called by a Dutch company for advertising purposes. The Dutch company would have indicated that it obtained the complainant's details from the
defendant. The complainant argues that the transmission of the data is non-transparent
way. At the same time, she indicates that she received a form from the defendant at the time
but that she does not remember her consent
to pass on her data.

5. On September 23, 2019, the complaint will be declared admissible on the basis of the articles
58 and 60 WOG and the complaint is based on art. 62, §1 WOG transferred to the
Litigation chamber.
The report of the Inspection Service

6. On 8 October 2019, the Disputes Chamber will decide on the basis of art. 63, 2 ° and 94, 1 ° GBA Act to send a request to conduct an investigation to the Inspection Service. The
The litigation chamber found some points too unclear to proceed to the treatment
on the merits.

7. On 28 January 2020, the report was submitted by the Inspectorate to the
Disputes Chamber in accordance with Article 91, §2 WOG.

8. The report states that the following personal data are rented to third parties
companies by the defendant: mother's name, mother's first name, date of birth
of the baby, gender of the baby, name of the baby, email address, street and
house number, zip code and city.

9. The Inspectorate states that it is not authorized to carry out useful investigative actions
for the Dutch company that called the complainant on 17 September
2019 with an offer for children's books. After all, the Dutch company has
no establishment in Belgium. The Inspection Service thus limited itself to een research ten
the defendant as controller.

10. According to the Inspectorate, the Dutch company would use the data of “de Roze
box ”. The complainant had subscribed for the first time on “the pink box”
of the defendant during her pregnancy via a form “reservation card for
my gift packages ”. The first box was delivered according to the complainant on April 12, 2019
delivered through a store specializing in baby products.
 Decision on the merits 04/2021 - 4/46

11. According to the complainant, an employee of this shop invited her to complete the form
to be completed if she also wishes to receive the other boxes from the defendant,
of which the complainant indicates that she has indeed completed the form and
transferred to the defendant. The complainant also received a “purple box” with her
gynecologist who contained a QR code inviting her to register online
to write. On admission to maternity, she obtained a third pink box without the
ask to fill in a form.

12. On 21 May 2019, the complainant received an email thanking her for her
registration and in which she was invited to sign up for one
welcome gift. The complainant then submitted its objection to the defendant, who issued the
acknowledged receipt thereof on September 19, 2019. Despite this, the complainant remained afterwards
received repeated e-mails from a partner of the defendant during the period
between September 26 and November 12, 2019, while under the terms of the
information received by defendant may not be used more than once by
this type of partner (a 'loose partner', infra).

13. The defendant has different types of partners:
- Structural partners to whom the personal data is transferred.
- Loose partners: With one type of loose partners, the defendant sends out emails himself
their name. Another type of loose partners receive personal data for one-off
use to be able to broadcast postal items or to make contact by telephone
with those involved.

14. The defendant's first activity, as set out in the report of the
Inspection service, concerns the distribution of gift boxes through the partners of the
defendant. The distribution of the pink boxes supports according to the Inspection Service
conducting an activity of trafficking in personal data of mother and child with
with a view to direct marketing by partners of the defendant not mentioned exhaustively. There
are different partners depending on the type of box:
- “my pregnancy” and “my birth” boxes with maternity and gynecologists like
partners;
- “my first months” box with a supermarket (Y1), day care centers and
childminders as partners;
- “my first birthday” box with a clothing company (Y2), participating
daycare centers and childminders as partners;
- “my first school memories” box with a clothing company (Y2) as a partner
 Decision on the merits 04/2021 - 5/46

15. With regard to compliance with art. 5 (1) (a) GDPR (legality, propriety and
transparency) the defendant replies that it “for whatever its personal use
concerns "does not collect data" for direct marketing purposes. " The Inspection Service
could not identify the defendant to promote its own services or
would send goods direct marketing messages to the mothers and / or their minor
children. But the Inspectorate states that:
- the documents demonstrate that the intention is to transfer the personal data of mothers
to rent for direct marketing by the defendant's customers;
- the defendant in the period around 2014 associated her name with the slogan “N ° 1 in
young family marketing ”;
- the defendant is active in profiling data subjects. Becoming mothers
classified according to the age of their child;
- it is noticeable that the defendant in her communication with the parties involved and the GBA but
emphasizes part of its activities (dividing the box) and communication
not explicit about the other activity (trade in personal data / rental)
describes in normal language but only in vague terms. This method
creates potential confusion and goes against the principle of fairness. There is not
clearly communicated that if one subscribes to the pink box one can advertise
receive from third parties who are sufficiently clearly defined (in terms of category);
- repeatedly concealing (explicit words such as profiling, advertising,
marketing in external communication) or play with words
To communicate "half truths" - such as, for example, stating that oneself
does not collect data for direct marketing and only emphasizes the benefits -
evidence is that the risks and consequences for those involved are becoming aware
are concealed or undervalued by the defendant;
- the principles of transparency and fairness are not respected;

16. The second activity of the defendant as set out abovebattle of the
Inspection service concerns the trade in personal data (with a view to direct
marketing). Pursuant to art. 12 and art. 13 GDPR, there is an obligation to provide information and one
accountability to meet the requirement of transparent processing.


17. The defendant as controller must take appropriate action
so that the data subject obtains information referred to in Articles 13 and 14 GDPR.
The information about the rights of data subjects must also be provided accordingly
articles 12 to 22 and art. 34 GDPR in connection with the processing
be in a concise, transparent, understandable and easily accessible form
and in plain and simple language.
 Decision on the merits 04/2021 - 6/46

18. According to the accountability in art. 5 (2) GDPR, the
controller can demonstrate the activity of trading in
personal data is made sufficiently clear by the partners to the
involved.

19. According to the Inspectorate, the defendant disguises the objective of “trade in
personal data and profiling ”by not in the same (clear) way about her
Communicate trading activities as about receiving “free” benefits through
the boxes. The information about the profiling of affected mothers and the trade in
personal data is provided in legal terms and lower case letters on the
side of the paper reply cards and on the defendant's website.

20. The Inspectorate finds that the main commercial activities of the defendant
(in particular advertising, media representation, trade in personal data) is not satisfactory
communicated transparently to the (expectant) mothers as required
by Articles 5 (1) (a) and 12 (1) GDPR.

21. With regard to the lawfulness of the processing (Art. 6 GDPR), the defendant bases it
relies on art. 6 (1) (a) and (f) GDPR, depending on whether the collection of
personal data dates from resp. after and before May 25, 2018.

22. Article 6 paragraph 1 a) concerns the consent of the data subject as the legal basis for the
processing of personal data. The defendant uses an online
registration procedure. The online subscription to a pink box is always linked to it
compulsory giving of the “agreement” for at least one form of transfer with a view
on direct marketing. However, the data subject is not left a choice to determine
which trade in personal data and profiling can take place in which context. The
The person concerned cannot continue with the enrollment if a box is not selected
checked. It is not possible to receive the benefits without permission. There
there can therefore be no question of “free consent” within the meaning of the GDPR, concludes
the Inspection Service.

23. The right of withdrawal, which is inseparable from the giving of the
consent is only stated in the online privacy policy. It gets right
in addition not facilitated by the representation in lower case. The Inspectorate states
Accordingly, it is clear that withdrawal is not as simple as giving consent
expires, which is contrary to art. 7 (3) GDPR. If the consent is given by a
 Decision on the merits 04/2021 - 7/46
the person concerned is withdrawn, the personal data of the defendant is not
deleted or deleted, but only set to “inactive”.

24. Furthermore, there is no granular nature of the consent. All purposes are becoming
aggregated in the communication by the defendant. This limits the control of
data subjects about their personal data. Likewise, the categories of the
recipients of the personal data not sufficiently clearly defined. Data subjects
cannot estimate the impact or nature of passing on their data
thus compromising their free choice.

25. The Inspection Service deduces from the combination of the aforementioned findings that no
there is a valid consent within the meaning of the GDPR
of the data subjects for themselves (mother) or as legal representative of the
child (minor).

26. Article 6 (1) (f) GDPR concerns the legitimate interest of the
controller as the legal basis for processing the
personal data. In the assessment of whether the legitimate interest is sufficient if
legal basis, reasonable expectations should be taken into account,
interests and rights of those involved (mother and child). The complainant's response
illustrates, according to the Inspection Service, the legitimate interest of the defendant
inconsistent with the reasonable expectations of those involved. The defendant wields
abstract terms and conditions and no explicit terms such as advertising, direct marketing and
trade in personal data. It is impossible for those involved to estimate
how many other companies use their personal data further.

27. The Inspectorate states that the defendant does not provide sufficient information about the type
farworkings that can follow after the trading of the personal data. At the
hospitals and gynecologists are called in for distribution of the boxes, which
according to the Inspectorate, can generate a wrong perception among those involved
the defendant would be a non-profit organization or government initiative instead of a private one
company that trades personal data.

28. To prove that the defendant took into account and thought about the relevant ones
and effective safeguards under this legal basis, it has a document
established that incorporates a risk-based approach. It is the Inspection Service
it is not entirely clear how this document should be used in practice
to protect. According to the Inspectorate, the defendant cannot provide sufficient evidence
 Decision on the merits 04/2021 - 8/46
which concrete technical or organizational measures provide adequate protection
offer. The Inspectorate concludes that the defendant does not demonstrate that
this document is actually applied in practice.

29. The defendant further argues that there is a limitation on the number of times the
data is used through the use of control addresses. The Inspectorate states
however, note that the use restriction and the receipt of an objection in practice
does not (always) work. The lack of evidence of effective technical and organizational
implies measures to safeguard the interests of data subjects according to the
Inspection service that the defendant is acting in violation of the principle of
accountability / accountability.

30. According to the Inspectorate, the partners of the defendant follow their obligation to provide information
with regard to data subjects on (Art.14 (2) point f) GDPR). For example, between the
defendant and its partners have not contracted anything in relation to the
communication of the source of the personal data to data subjects on the basis of Art.
14 (2) point f) GDPR.

31. On the basis of the aforementioned findings and considerations, the Inspectorate determines
that the defendant could not rely on Article 6 (1) (f) GDPR, given the
lack of effective safeguards it provides to safeguard the interests and rights of
respect the data subjects under the GDPR. The Inspectorate also decides that a
double legal basis for the same processing cannot be regarded as one
fair processing. According to the Inspectorate, it cannot be more general
determined that the defendant has an adequate legal basis to declare the
justify the processing of personal data under Art. 6 (1), point (a)
(consent) or art. 6 (1) (f) (legitimate interest), now not fulfilled
the conditions imposed by the GDPR.

32. Concerning the principles of proportionality and data protection by design
according to art. 5 and art. 25 (1) GDPR, the Inspectorate determines that the
purposes of the processing cannot be distinguished. When subscribing to a
additional box implies an agreement to trade in personal data.
According to the Inspectorate, the defendant also does not demonstrate that an objection received
is always communicated to the defendant's partners against direct marketing.

33. With regard to the conclusion of the processor agreement in accordance with art. 28, paragraph 3
AVG determines that the Inspection Service is a store specializing in baby items
 Decision on the merits 04/2021 - 9/46
receives fill-in cards and acts as a so-called "letterbox" through those fill-in cards
to be kept only until an employee of the defendant comes to collect them. This one
According to the Inspectorate, activity should be regarded as a processing of
personal data. A processor agreement therefore had to be concluded.
The Inspectorate is of the opinion that it has been sufficiently demonstrated that the defendant
art. 28 para. 3 GDPR.

34. With regard to compliance with the duty to cooperate under art. 31 GDPR, the
Inspectorate noted that no exhaustive list of partners has been provided and thus no
effective compliance with this duty.

35. The Inspectorate then decides to transfer its report as part of the file
to be submitted to the Chairman of the Disputes Chamber in accordance with article 91, §2 WOG.
The proceedings before the Dispute Chamber

36. On April 20, 2020, the Disputes Chamber will decide in accordance with Article 95, §1, 1 ° and Article
98 WOG that the file is ready for consideration on the merits.

37. The complainant and the defendant will be informed of the
decision of the Dispute Chamber. In the letter with the notification of that decision
The closing deadlines are also communicated to the parties in accordance with Articles
98 and 99 WOG.

38. On May 8, 2020, the Secretariat of the Disputes Chamber will receive an e-mail from
the defendant's attorneys with the message that certain documents accompany it
report from the Inspectorate is missing. Defendant vhunts for these pieces
still receive and also adjust the closing periods. In addition, early
the defendant to deal with the file in French from now on, since the
main contacts and responsible persons at the defendant are French-speaking.

39. On May 20, 2020, the Disputes Chamber will reply to the message confirming that
it was indeed established that documents were missing when the file was transferred from
Inspection service to Dispute Chamber and therefore an incomplete inventory
drawn up. This includes, but is not limited to, duplicates. For this reason
the closing deadlines were then interrupted and the parties get the full
file forwarded with a correct inventory.
 Decision on the merits 04/2021 - 10/46

40. With regard to the request for French-language handling of the case, the
Disputes Chamber according to art. 57 WOG who has the discretion of the
Data Protection Authority (and the Dispute Chamber as its body)
regarding the language of the proceedings. For that reason, the Disputes Chamber is free to submit a
use the language of the procedure that takes into account the specific circumstances
on the House.

41. In this case, the investigation by the Inspectorate of the
Data Protection Authority conducted entirely in Dutch. Likewise there is in
no objection regarding use has been lodged in the previous stages of the procedure
of Dutch. For these reasons, the Disputes Chamber does not consider it appropriate
continue the procedure in French. Given the adjustment of the
The Disputes Chamber considers that there is sufficient time and space for the
defendant to take the necessary organizational measures to protect it
prepare a defense properly. The Disputes Chamber underlines that the complainant
Dutch is spoken, just like a large part of the data subjects whose personal data
the defendant processes and in respect of whom the defendant is a Dutch-speaking person
communication continues.
The defendant's claims

42. On 8 July 2020, the defendant lodged its first claim. On August 19, 2020
the defendant lodges a reply. Following is the synthesis of the content of
those conclusions.

43. The introductory remarks deal first and foremost with respect for the
rights of defense. The defendant finds that there are more possible infringements on it
the GDPR are raised than that it has been examined by the Inspectorate.
According to the defendant, these infringements have been insufficiently proven for lack of further
details and evidence to support these infringements. Because of this, the
defendant not to be able to exercise its rights of defense as set out in Article
6 of the European Convention on Human Rights are prescribed. According to
the defendant also provides the Disputes Chamber insufficiently in its decision of 20
April 2020 in which the violations, which were investigated by the Inspection Service,
would exist in concrete terms. Because of this, the defendant asserts its defense
insufficient preparation.
 Decision on the merits 04/2021 - 11/46

44. Second, it addresses the incompleteness of the documents received. The
defendant argues that certain documents were not added to the report of the
Inspection service. The documents were also incorrectly numbered and incomplete
according to the defendant. As a result, the defendant found the file
unclear and patchy eyes. The defendant alleges that only the
incriminating elements are included in the file. The defendant asks for this
exclude pieces from the debates on the grounds that they are incomplete.

45. Third, it examines the irrelevant nature of the earlier elements imparted
by the Inspection Service. According to the defendant, this always concerns earlier ones
grievances against the Commission for the protection of privacy
(the legal predecessor of the GBA, hereinafter also the Dutch DPA) has not followed up. The
according to the defendant, the documents do not show that it would not have complied with the
requests from the former CPP. According to the defendant, these things can be done in this way
are not considered precedents.

46. ​​Fourth, the defendant addresses the need to split prosecutions. The
defendant proposes to split the case into:
 a case concerning the subject-matter of the complaint, in particular whether there is
direct marketing is carried out without legally valid consent
is (complaint about a possible infringement of Articles 6 j ° 7 GDPR) and;
 a case concerning the other grounds, following the findings made by
the Inspection Service outside the scope of the complaint, in particular possible
violations of Articles 5, 6, 12, 13, 14, 25, 28, 31, 37 and 38 GDPR.

47. In the description of the facts, the defendant explains things in more detail, including
the operation of its service and the compliance steps taken. The defendant
claims zich to only address (expectant) mothers and not their children. She
states that its activity revolves around four major axes:
“1. It offers free boxes with offers and samples of products and services
for expectant mothers and mothers, boxes provided by a network of partners
divided;
2. She informs expectant mothers and mothers.
3. It offers the opportunity to enjoy discounts that are offered temporarily
to members registered on its website, by means of printing
vouchers;
4. It makes it possible to receive offers directly from
partner companies, of products and services for expectant mothers and mothers. ”
 Decision on the merits 04/2021 - 12/46

48. The defendant then explains how the data of (expectant) mothers will be
shared with third parties:
1. First type of partners: the structural (or long-term) partners.
“As for the e-mail addresses, the defendant only transfers them to her
long-term partners. Thanks to this long-term cooperation, the defendant can
expectant mothers and mothers in particular in obtaining their consent
said informing the communication to these recipients. It then arrives
the recipients of that data to comply with the GDPR in their capacity as
controller.
2. Second type of partners: the loose partners. There are two subtypes of these.
In the first subtype, the defendant submits to other companies that products and
offer services to expectant mothers and mothers, of those who do so
have given permission, the data is available on a temporary basis and
for single use only.
Due to the fact that these are one-time requests, it is not for the defendant
possible to name all potential partners by name when they enter the
ask permission from expectant mothers and mothers. Only the
areas of activity can be indicated. This always involves companies
which may be of interest to expectant mothers and mothers who have their consent
have given to receive these offers, not just to the request to
to respect the information provided by the mothers, but also from
commercial point of view for the defendant, to the membership of the mothers-members
to be able to keep. ”

49. The defendant further clarifies:
“The second sub-type of casual partners concerns other companies that are also located
address the defendant in a one-off manner, but where:
 the e-mail addresses are not communicated to them. It is they who set the criteria
determine according to which they want the email to be addressed to which
expectant mothers or mothers, and that email is sent by the
defendant on the head of De Roze Doos. That makes it possible for the
defendant to ensure the single use of the data
and of the fact that they are not following the relevant promotional campaign
being kept;
 the defendant provides a list of information for postal addresses and telephone numbers
for single use indicates to the receiving company (after checking that they are not
on the "don't call me" list for phone numbers).
 Decision on the merits 04/2021 - 13/46
.
The defendant does not have the necessary infrastructure to own the papers
handle communications or telephone calls. With the recipients of the
data, however, is contractually agreed that the data only once
may be used.
It is then up to the receiving companies to, in addition to fulfilling
their contractual obligations, to comply with the applicable legal framework, in
in particular the GDPR and the verification, if applicable, of the “don't call me anymore”
list."

50. Regarding the compliance steps, the defendant states that it has achieved compliance
with the help of her previous counsel. The data protection policy and the
general and special conditions have been revised, as has the registration process via the
website. The right to rectification and the right to erasure can be directly
exercised by the data subjects through the page “my account”, as shown
set out under the “FAQs” web page. Contracts have also been concluded with
processors who, according to the defendant, meet the requirements of Article 28 GDPR.

51. The defendant declares, following the exchange of e-mails with the complainant, that he is there
spontaneously committed to re-examining internal processes and them
to try to improve. Since the end of October 2019, the registration process has changed on
the website and data protection policy was also updated in March 2020
completed. Furthermore, the defendant reminded the recipients of the data
importance of complying with their own legal obligations regarding protection
of personal data.

52. Regarding the connection via postcards, the defendant states that the
relevant partner has been using the reply cards since mid-November 2019not anymore
saves.

53. The defendant has also appointed a data protection officer, too
she believes that she is not obliged to do so under the conditions set out in the GDPR.

54. With regard to the complainant's requests, the defendant bears some pleas
On.

55. As a first plea, the defendant argues that the complaint is unfounded. The complaint concerns one
possible infringement of Article 6 (1) point a) j ° 7 GDPR. The defendant alleges that she
 Decision on the merits 04/2021 - 14/46
the registration process already before receipt of the report from the Inspectorate
would have corrected the complaint regarding the non-free nature of the
consent is no longer current at the time of handling the file
on the merits by the Disputes Chamber.

56. The defendant refers to the judgment of the Marktenhof.
1
In this judgment it states
Marktenhof that it cannot be considered a "disadvantage" if a customer does not enter
is able to create a loyalty card because he has the required processing
of the data on his identity card (“eID”). According to the Marktenhof
this just a potential additional benefit that is lost, not legal or
contractual law.

57. The defendant concludes that the consent given by the complainant is valid
constitutes the legal basis for the communication of its data to the recipients. Further
the defendant claims to be the data subject in giving the consent
has been informed about the recipients of the personal data (making it a
“Informed consent”). A single consent for the communication
of data to third parties for the purpose of receiving commercial offers
the defendant considers a valid consent, as it concerns one and
the same objective, irrespective of whether several third companies have the
receive personal data.

58. With regard to the Inspectorate's comment that the right to request the
withdraw consent is not indicated on the screen when consent
is obtained, the defendant states that it has amended this process. She does mention
that there is no formal requirement foreseen by the GDPR to separate this withdrawal
mention.

59. Finally, the defendant maintains that its website does not offer a practical possibility to
immediately withdraw consent. According to the defendant, the withdrawal of the
consent in any case is as easy as granting consent,
since the data subjects give their consent for the different types
withdraw notices in their “my account” section of the website. The
consent can also be withdrawn by sending an e-mail, letter or
by telephone call to the defendant.

1 Judgment of the Brussels Court of Appeal (Chamber 19 A, Marktenhof) of 19 February 2020, 2019 / AR / 1600.
 Decision on the merits 04/2021 - 15/46

60. The defendant points out that the fact that the online unsubscribe page is only in English
and French had meanwhile been corrected.

61. With regard to the determination of the Inspection Service that a large part of the
personal data relates to minor children, which makes recital 38
GDPR would apply, the defendant states that only the data of the
mothers, along with a child's date of birth are required. There is no obligation
to provide neither the name nor the sex of the child. For that reason, the
respondent that it does not process data of minors; just the fact that the
mother has a child under the age of 18 is important. According to the defendant
Recital 38 GDPR does not apply as it relates to services
that are offered directly to a child, while defendant's boxes and
notices addressed to mothers only.

62. Next, the defendant addresses the other alleged violations of the GDPR:
art. 5.1 a, 12.1, 13, 14, 6, 7, 5.1.c in conjunction with 25, 5.2, 28.3, 31, 37 and 38 AVG.

63. With regard to Article 5 (1) (a) GDPR, the defendant states that they do not have the boxes
used as a “pretext” to obtain the data of (expectant) mothers.
The use of that data by third parties is only part of its business. The
data is also needed to invite the mothers to pick up their next box,
close to their residence. That way the defendant knows how many boxes each
distributor needs approx. This purpose is clearly stated in the
data protection policy of the defendant and reflects according to the defendant
the reality that does not constitute a violation of the duty of loyalty.
The defendant further explains that the name “Family Service” is not used to mean “a
impression of family services ”, as she uses this name in her B2B relationships.
64. The defendant argues that no vague wording is used regarding the activity
of data sharing. She just doesn't use the term “direct marketing” yetdoes describe what this purpose entails, in particular: “with a view to sending
products, offers and information ”. The defendant is in this case
sufficiently transparent, so that there is no infringement of the GDPR on this point.

65. Furthermore, it is not clear to the defendant how the terminology and an alleged
difference in language level and font size between the presentation of the distribution service
of the boxes and the request for permission to receive communications
 Decision on the merits 04/2021 - 16/46
partners of the defendant would be a breach of the GDPR. Art. 5 (1) point
a) According to the defendant, AVG does not stipulate that a particular language level is prohibited
nor that it is prohibited to insist on the benefits of a service.
Only the correctness of the information provided to the persons concerned must be entered
be taken into account.

66. The defendant emphasizes that it did not collect any personal data for its own use
for direct marketing purposes as it does not use it for its own
promote activities. The defendant does not allege the nature of its activities
the benefit of the beneficiaries. According to her, she gives the marketing goal
in its data protection policy and provides a list of its partners and a
list of potential recipient categories.

67. Regarding Articles 12 (1) and 13 GDPR, the defendant argues that it is not
can blame categories of recipients for having stated this explicitly
provided for in Article 13 (1) (e) GDPR. The defendant alleges that a
detailed and complete publication of the list of partners would constitute an infringement
on its trade secrets. According to the defendant, there is a conflict between them
two equivalent rights: the right to data protection and the right to
protection of business secrets, in accordance with Directive (EU) 2016/943.
2 How then
the defendant also has (before obtaining the report from the Inspectorate)
supplemented its data protection policy and completed the wording.
The defendant also undertakes to further clarify the beneficiaries.

68. The defendant argues that Article 13 GDPR only requires information about the categories
of data recipients, not about the legal transaction
supports the communication of the data (in particular the “renting” or “selling” of
data). The respondent further states on the basis of Article 14 of the GDPR that the
receiving third party is to indicate to the data subjects which data they
when they have obtained the defendant's personal data. The
defendant argues that the GDPR does not require it to specify how long and how the
business partners who hold data. Furthermore, the defendant does not claim that either
legal obligation exists to send in the email confirming the registration
state which fields the data subject had completed because this can be consulted
be via “my account”.

2 Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of private
know-how and business information (trade secrets) made against unlawful acquisition, use and disclosure
thereof, OJ L 157/1.
 Decision on the merits 04/2021 - 17/46

69. According to the defendant, there is thus no infringement of the
accountability and its activity is sufficient according to the defendant
communicated transparently to data subjects as the requirements of
Article 13 GDPR are respected by it.

70. The UK precedent cited by the Inspectorate, namely the
Bounty UK Case 3
, according to the defendant, is based on the former in the United Kingdom
Kingdom legislation in force and not the GDPR. According to the defendant, the infringement is not
comparable. Thus no precedent can be drawn from it.

71. The defendant finds that there is no violation of Article 12 (1)
nor from Article 13 GDPR.

72. Regarding Article 14 GDPR, the defendant argues that, since mothers-to-be
register themselves with De Roze Doos, they receive the personal data directly from them
obtains and that Article 14 GDPR does not apply. The defendant thinks there is
accused of its shortcomings that would accrue to third parties. How
the defendant is also in the process of adapting its contractual documents to the
recall obligations of the GDPR for its customers in order to meet them
address the concerns of the Inspectorate.

73. The fact that a partner of the defendant would not have informed the complainant
of the source from which it obtained its personal data is according to the
defendant a conduct of a controller that does not comply with the
defendant is imputable. This also applies to the erasure of personal data from
complainant by a partner. In addition,the fact that the complainant still receives reports from partners
is because she has registered elsewhere.

74. Regarding Articles 6 and 7 GDPR: the defendant makes the arguments regarding
consent (Art.6 (1) point a) GDPR) to what has already been stated in relation to the
Inspection service. With regard to the legitimate interests of the
controller or of a third party (Article 6 (1) point f GDPR) states the
defendant that the conduct of a third party controller is not
can be prevented from establishing a shortcoming on its part,
nor for the balance between its legitimate interests and those of the

3 Reference to the administrative fine imposed by the Information Commissioner's Office on the Bounty company,
for clarity, the Dispute Chamber adds a web link to the press release regarding that decision in the United Kingdom
at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/04/bounty-uk-fined-400-000-for-sharing-personaldata- unlawfully /.
 Decision on the merits 04/2021 - 18/46
to assess those involved.

75. The defendant emphasizes that it does not in any way give the impression that it is a public
or subsidized entity or non-profit organization. She also claims that the members are joining
at the Pink Box because of the offers and therefore it cannot be said that
they would be surprised in their consent given the transfer of their data
takes place to send them other offers.
76. With regard to reasonable expectations regarding children's data
defendant repeats that it does not process the data of the children, but only the
data from mothers where the date of birth of the child is processed every
needs of the mothers.

77. The defendant proposes the appropriate and effective safeguards
correct processing of personal data that (as already mentioned) the recipients
of the personal data must comply with the GDPR and it is not legally necessary for the
defendant reminds them of this in the contractual documents. It makes according to
the defendant does not exclude that the use restriction (single use) is part of
its offer and that it also checks its application from a commercial point of view.
The defendant cannot be accused of having made her offer
designed in accordance with Articles 5 and 25 of the GDPR.

78. The defendant reports - about the agreement that binds it to its processor Y3
- ensuring that the entries required by Article 28 (3) GDPR therein
were recorded. This agreement is supplemented by specific technical ones
appendices that, according to the defendant, go beyond what is required
by Article 28 (3) GDPR.

79. Regarding the dual legal basis, the defendant denies relying on it
on two different legal bases. She states that she is legal on one
basis per situation. It is based on Article 6 (1) (a) GDPR for the
mothers who have given their consent since May 25, 2018 (date of entry into force of GDPR) and
on Article 6 (1) (f) GDPR for mothers who gave their consent before 25 May 2018
and whose previously expressed consent does not meet the requirements of
the GDPR. Regardless, the defendant even claims the use of two legal
foundations cannot justify an administrative sanction. The defendant decides that
it does not infringe Article 6 by providing two different legal grounds
for the processing of data from different data subjects.
 Decision on the merits 04/2021 - 19/46

80. With regard to Articles 5 (1) (c) and 25 GDPR, the defendant argues that the
data is deleted before the child reaches the age of 18, if the mother does
want. That retention period is so fixed because a large number of children after reaching
from the age of compulsory education enter active life and no longer part
be part of the parental household. All data of the mother will be deleted
when she no longer has a child under the age of 18. The defendant concludes that from this
it complies with the principle of data minimization.

81. With regard to the possibility of making a (granular) choice between the
For processing purposes, the defendant states that it has not been demonstrated that the data is not
adequate, relevant and limited to what is necessary for the purposes
for which they are processed. According to the defendant, there is no shortcoming
demonstrated regarding the implementation of appropriate technical and organizational
measures. The defendant claims that only personal data is processed
necessary for each specific purpose of the processing.

82. In addition, the defendant argues again that it cannot become responsible
for the behavior of third party recipients. The referfurther decides that none
violates Articles 5 (1) (c) and 25 GDPR.

83. Regarding Article 5 (2) GDPR: no registration was made by the defendant
keeps track of the number of requests for rectification and it is not possible to
prove that an effective erasure took place. The defendant maintains that no
some provision of the GDPR requires it to keep such records. The
the only obligation that exists is to handle the request for rectification itself. The
defendant could prove that the complaining party was no longer in its mailing list database. After further investigation, the defendant has also been able to provide evidence
obtain the erasure.

84. The defendant states that they have requested the e-mail addresses of the mothers
to delete their data, but just to make sure that later
no new account can be created with the same email address. Regarding this
According to the defendant, the issue exists neither in the GDPR nor in case law and
doctrine of law a clear answer. Hence, she could not be blamed for that
she could not immediately do the act of erasing the complainant's data
prove.
 Decision on the merits 04/2021 - 20/46

85. Regarding Article 28 (3) GDPR, the defendant does not consider that they have a contract with the
Y4 should have closed because there is no relationship with a data processor in the
meaning of the GDPR. According to the defendant, no classification is carried out
by that partner before handing over the postcards to her. The defendant argues
furthermore, that before they receive the data handwritten by the (expectant) mothers
it is not a file. That phase therefore does not fall under the equipment
scope of the GDPR. According to the defendant, this partner is thus not
processor within the meaning of Article 4 (8) GDPR. Consequently, Article 28 (3) GDPR does not apply
application.

86. With regard to Article 31 GDPR, the defendant states that he cooperated well with the
Inspectorate and that service to have provided detailed information about her
network of box dividers. The reason why one of her partners is not listed,
according to the defendant, can be traced back to the limited activity that that partner for
executes her. The defendant argues that it has confirmed the list in good faith
exhaustive, as she was not aware of having forgotten a distributor.
According to the defendant, no shortcoming could have been committed in the
duty of cooperation since the cooperation with this partner is not subject
is subject to the GDPR (see above). Furthermore, the defendant understands the alleged shortcomings
not regarding the customer list (the “partners” who receive the personal data). The
defendant claims to have responded correctly to the questions of the Inspectorate.
The defendant concludes that there is no infringement of Article 31 of the GDPR
demonstrated.

87. Regarding Articles 37 and 38 GDPR, the defendant does not require to be based
of Article 37.1 GDPR to have to be a data protection officer
appoint. After all, it is not a government body. Furthermore, the core activity of the
according to its defense, the respondent does not follow up on (expectant) mothers
regular, systematic and large-scale basis. The defendant alleges that there is no
proof is that they meet the conditions that require the appointment of an official
for data protection.

88. The alleged profiling of which the Inspectorate refers has also not been proven
according to the defendant. The defendant decides that it does not carry out any processing operations within the meaning of
one of the cases referred to in Article 37 (1) GDPR. Furthermore, according to
there is also no violation of Articles 37 (5) and 37 (7) GDPR
because there is no indication that they fall within the scope of Article 37,
paragraph 1 point b) or c) GDPR. With regard to Article 38 GDPR, the
 Decision on the merits 04/2021 - 21/46
defendant that the Inspection Service has not identified the shortcoming
her would be charged. In any case, the defendant voluntarily has one
appointed data protection officer.

89. The defendant claims:
- In the main: violation of the rights of defense as a result of which the defendant does not
can be punished for the alleged violation of any of the articles mentioned
in the decision of April 20, 2020.
- In secondary order: no offense and no penalty. According to the defendant, there is
has not demonstrated any infringement by the Inspectorate that is targeted in the
aforementioned decision.
- In a more subordinate order: no fine should be imposed
to become. The defendant undertakes the adjustments made by the Dispute Chamber
necessary to implement within three months of the decision and a report on this
To deliver.
- In even more subordinate order: such an administrationeve would be fine
be: opportunity for the defendant to make comments about the
amount thereof. The defendant wants to be able to defend itself regarding the amount of the
envisaged fine.
- Finally: No need to publish the decision; if there is one
any reference to her activities should be published
deleted.
The complainant's conclusion

90. In accordance with Article 98 of the WOG, the complainant also submits a conclusion.

91. The complainant argues that it mainly wants the defendant to change its working method so that
it is clear to everyone that they resell / rent out data and certain
retains data for 18 years. According to the complainant, the communication (also via the
website) of the defendant more transparent so that a data subject knows all the parameters,
before registering.

92. Furthermore, the complainant argues for the publication and publication of this file as this
for this file “necessary” is “because of the tactics used on the website
applied are an example of how it should not be done […]. ”
 Decision on the merits 04/2021 - 22/46

93. The complainant alleges that De Roze Doos's website is not protected against leakage
from existing email addresses via the registration form.

94. The complainant clarifies that the cards held by one of the defendant's partners
available, are fill-in cards and not postcards as the defendant argues.
Currently no more papers / cards are received by this partner
is logical, since an agreement must be drawn up for this because
data is processed and stored. The complainant also calls for reply cards
to be deleted completely as these are not formatted according to the guidelines of the
AVG.

95. The complainant points out that in the event of the death of the mother and / or child, the defendant does not report the
is informed and that this information will continue to be sold / rented.

96. The complainant concludes that the defendant continues to infringe several
legal provisions within the GDPR.
The hearing

97. In accordance with Article 51 of the Rules of Internal Order of the
Data protection authority, as approved by the Chamber of
People's representatives, the parties are invited to the by the defendant
requested hearing (on the basis of article 98 WOG).

98. The complainant is not present at the hearing.

99. The defendant is present at the hearing and is represented by the two of them
counsel, as well as a representative of the executive board.

100. The hearing will take place on November 25, 2020.

101. An official report of the hearing has been drawn up for the sole purpose
additions and clarifications with regard to the previously submitted conclusions
to give. As always, the parties were also given the opportunity to submit factual comments
formulate the minutes without reopening the debates
implies. The defendant submitted such observations, which were attached to the file as an annex to the official report.
 Decision on the merits 04/2021 - 23/46
The penalty form of December 9, 2020

102. On December 9, 2020, the Disputes Chamber submitted a penalty form to
the defendant, stating that the Disputes Chamber intended to impose a fine
of EUR 50,000 to be imposed on the defendant following the infringements of several
provisions of the GDPR in this file (the same infringements as in the present
decision are withheld from imposing an administrative monetary penalty
pursuant to Article 83 GDPR).

103. In its response to the fine form on December 29, 2020, the defendant points out
a number of elements that are taken up by the Dispute Chamber in her
deliberation, and the following elements are particularly important for this
the determination of the sanction in this decision:
o regarding the duration of the breach: the Y4 held in mid-November
2019 with the collection of fill-in cards;
o with regard to the number of data subjects: the defendant states that there are
in reality only 1,140,725 adults have personal data
are processed and that the Inspectorate incorrectly received the information from
the children (according to the defendant a "characteristic of the mother" and none
personal data) to those children as data subjects and so on
the much larger number of people involved comes from 2,439,492. In addition, achieves
the defendant indicates that there are many overlaps due to duplication
registration, which makes the actual number of data subjects “well below
1,000,000 ”would lie;
o the defendant states that the Dispute Chamber is only competent for the
collection of personal data between May 25, 2018 and the end of October
2019;
o with regard to the company's financial strength, the
defendant insists that it is dealing with deficiencies as a result of the COVID-19 crisis
income that will undoubtedly make the defendant “the year with (a large)
loss [will] shut downand." The defendant points out that the imposition of a
high fine endangers the company and its personnel;
o with regard to the amount of the fine, the defendant considers
that only the proceeds from the
data transfer (39% of the activities in the 2019 financial year) and that in line
with the previous case law of the Disputes Chamber, a percentage must
It is assumed that the outcome would be a fine of EUR 2,500.
 Decision on the merits 04/2021 - 24/46

2. Justification
2.1. Procedural aspects

104. The defendant raises a number of alleged problems in its defense
regarding the procedure.
The material scope of the file

105. First, the defendant argues that the rights of defense would not be
respected, as it is unclear what possible infringements it is targeting
to defend.

106. However, the Disputes Chamber stated in its letter dated. April 20, 2020 to the parties
informed of which legal provisions the defendant must comply with
defenses and where potential infringements could be identified; she refers
for the findings in this regard, refer to the report of the Inspectorate that
was conducted in response to the complaint.

107. All legal provisions listed there by the Dispute Chamber there, were adopted by the
Inspection service cited in its report. It is true that, for example, Articles 37 and 38
AVG per se are not mentioned in the findings of the report, but it is
determined by the Inspectorate that there is no data protection officer
was reported to the Data Protection Authority by the defendant.4 It is for that
reason that the defendant is also given the opportunity to comment on this in her
defense.

108. The defendant was able to inspect the entire file, and in particular
of the integral report of the Inspectorate. The Dispute Chamber has
of course not about more documents than the defendant regarding this file. When
the Disputes Chamber in the report of the Inspection Service reads that there may be
there is a lack of clarity about the official's registration for
data protection, it is also an issue that the defendant is concerned about this
can defend extensively, and more specifically on the basis of all (exceptions)
provisions in said legal provisions, not merely those provisions implicit
could be onerous for the defendant.

4 Report of the Inspectorate, page 14.

 Decision on the merits 04/2021 - 25/46

109. It may be noted here that in the proceedings before the Dispute Chamber of
the Data Protection Authority does not provide for any kind of Public Prosecution Service or
Parquet, let alone that role was assigned to the Inspectorate. The Inspection Service
knows only those powers that have been assigned to it under the WOG. The
The procedure for the Data Protection Authority cannot therefore be compared with
these in criminal proceedings, although there are of course safeguards that the
rights of defense in the light of Article 6 ECHR.

110. Nor can it be that the Dispute Chamber would appear biased by a
priori an infringement that she would read in the file specifically identify in her
decision to invite the parties to file and hear defenses
in accordance with Article 98 of the WOG. On the contrary, the Dispute Chamber has the
provisions of the law where potential (based on the complaint and the investigation
and subsequent report from the Inspectorate) poses a problem or presents problems,
precisely indicated, precisely with a view to safeguarding the rights of defense
and not to appear biased.
Incompleteness of the documents received and the alleged irrelevant nature of those documents

111. It is true that initially the file that the parties received was inconsistent with
the documents as indicated by the Inspectorate in its report. This one
situation was remedied, after which the parties created a new inventory and a new one
received a file (which includes all documents known to the Disputes Chamber) and
the closing deadlines were extended. The rights of defense were thus
fully guaranteed.

112. Furthermore, the defendant also cites that certain documents were added to the file
by the Inspectorate are irrelevant and should not be taken into account
with these documents on the basis of articles 104 and 105 WOG. In addition, the
defendant to the lack of jurisdiction in this regard before the Data Protection Authority
with regard to infringements prior to May 25, 2018.

113. It is true that the documents to which the defendant refers in its claims are documents
the Disputes Chamber is not or not about which for one or more reasons
can say more about it. However, the Inspectorate's investigation attempts to (factual)
to inquire who wouldn may be relevant to the file, under
article 72 WOG. This does not mean that with such elements - within the meaning of Article 104
WOG as "onerous element" in the legal sense - is taken into account by the
Disputes chamber if it would take sanctions. Well
 Decision on the merits 04/2021 - 26/46
these facts may be relevant to the construction of the Inspectorate's file.
It cannot be that the Inspection Service is limited in its discretion in this regard.
The Disputes Chamber is responsible for deciding on the relevance of the
Inspection service pushed forward elements.
Need to split up “the prosecutions”

114. The defendant argues that a distinction should be made between the
findings with regard to the complaint on the one hand, and the other findings of the
Inspection service outside the scope of the complaint.

115. Now that the file was brought before the court in accordance with Article 63, 2 ° WOG
The Disputes Chamber at the Inspection Service, the latter of course has the power to
to continue the processing operations related to the subject of the complaint
to investigate. The Disputes Chamber emphasizes that the powers of investigation
of the Inspectorate (Articles 64 to 90 WOG) are not limited to one
mere determination of the accuracy of the content of the complaint. The
investigative powers must, after all, serve to ensure compliance with the
examine provisions on personal data protection. The investigation must
for that reason can at least also discuss elements that are ancillary to the
subject of the complaint.

116. The Disputes Chamber also points out that when the Inspection Service is in the course of
of an investigation into a complaint finds that there are serious indications of it
existence of a practice that could give rise to an infringement of the principles of
the protection of personal data, the Inspectorate in accordance with Article 63,
6 ° WOG can investigate new elements of its own accord. The Dispute Chamber
points out, however, that in the present case all the findings of the Inspectorate
directly or indirectly related to the subject of the complaint. All
findings form part of one file that was submitted to the Inspectorate
made on the basis of Article 63, 2 ° WOG.

117. In addition, all legal aspects of the file are relevant to the complainant and her
minor child, now that their personal data has been processed by the defendant or
to become. It is these processing operations that have been subject to extensive investigation
subject. All findings of the Inspectorate are therefore closely linked
with the subject of the complaint.
 
 Decision on the merits 04/2021 - 27/46

118. Nor can it be argued in this regard that the size of the file for the
defendant was unclear, now that the decision of the Dispute Chamber dated April 20, 2020,
inviting both parties to submit defenses accordingly
Articles 98 and 99 WOG, clearly refers to the complaint and the findings of the
Inspection service.

119. The Dispute Chamber's request to the Inspection Service therefore in no way restricts the
scope of the research and research possibilities of the latter. This shows
clear from the legal text. For that reason, the defendant's request for “the
prosecutions to split ”are not retained. It is also worth noting
that the complainant has the right to follow-up in accordance with Article 77 (2) GDPR
of his complaint and the subsequent file, to which the national
legislator has also comprehensively followed up procedurally, through the role of the complainant in
complete the procedure in detail, in accordance with the European provision
about this.
The size of the number of people involved

120. In its response to the penalty form, the defendant cites that the Dispute Chamber
is solely responsible for the collection of personal data between May 25, 2018
and at the end of October 2019. The Disputes Chamber points out that it is without doubt competent
to pronounce on all personal data processing that took place after 25 May
2018. It is therefore not limited to processing operations related to
personal data collected after May 25, 2018, but is also authorized for
processing of personal data collected before May 25, 2018.
2.2. Consent and the lawfulness of the processing (Article 4, point 11,
Article 6 (1) in conjunction with Article 7 GDPR)

121. With regard to the lawfulness of the processing (art. 6 GDPR), the defendant bases its arguments
relies on art. 6 (1) (a) and (f) GDPR, respectively for the processing operations on the basis
of personal data collections that date after and before May 25, 2018.
 Decision on the merits 04/2021 - 28/46

122. Article 6 paragraph 1 a) concerns the consent of the data subject as the legal basis for the
processing of personal data. The definition of “consentg ”of the
data subject in the GDPR is the following: 5
“Any free, specific, informed and unambiguous expression of will with which the
data subject by means of a statement or an unambiguous active action
accepts him concerning the processing of personal data ”

123. Recital 42 in fine clarifies in relation to that legal provision:
“Consent should not be considered to have been freely given if the data subject
has no real or free choice or cannot refuse or withdraw consent
without adverse consequences. ” (the Dispute Chamber underlines)
3.2.1 The free nature of consent

124. The defendant alleges that the objections in the file regarding the free nature of
the consent is unfounded because only a potential additional benefit
would be lost 6
. The defendant refers to a judgment of 19 February 2019 of
the Marktenhof 7
to the point. The defendant cites some elements:
o According to the Marktenhof, it cannot be considered a “disadvantage” that
a customer is unable to create a loyalty card because he has the
processing of the data on his identity card, required for the
loyalty card, declined.
o According to the Court, this is just a potential additional benefit that is lost
no legal or contractual right.
o According to the Marktenhof, there is thus not so much a disadvantage as a result of losing
- but losing a limited benefit - when someone
refuses to give permission to process his personal data.

125. The case referred to cannot in fact be compared with the present file. It concerns in
in this case, a different situation because the benefits that those involved can acquire (the
received from i.a. boxes and benefits) can also be effectively missed if none

5 Art. 4 (11) GDPR.
6 Marktenhof judgment 2009 / AR / 1600.
7 Marktenhof judgment 2009 / AR / 1600.
 Decision on the merits 04/2021 - 29/46
consent is given. After all, the defendant uses an online
subscription procedure in which the subscription to the benefits is always linked to the
compulsory giving of the “agreement” for at least one form of transfer with a view
on direct marketing. This concerns the essence of the service through
defendant, not for an additional benefit, such as a customer card.

126. In addition, the Disputes Chamber points out that the loss of an advantage for a
data subject as a result of a breach of a provision of the GDPR - such as defective
information provision - by a controller, where a data subject
would have acquired the advantage without that infringement, without further ado in a causal context
state of the infringement.8 This should be taken into account when assessing
the "free" nature of the consent within the meaning of Article 4, point 11 GDPR.

127. The data subject is left no choice as to which trade in
personal data can take place in any context. The data subject (including the
complainant) cannot proceed with the registration if the box is not checked.
The question is therefore whether the consent in this matter is a sufficiently “free” consent in the
meaning of the GDPR.

128. According to the European Data Protection Board (hereafter in English
abbreviation: EDPB), consent is only valid if the person concerned makes a genuine choice
can create and maintain control over their own personal data.

9 In accordance
Article 70 (1) (e) GDPR, the EDPB is empowered to issue guidelines to
Promote consistent application of the GDPR. These guidelines bind the
Data protection authority as a member of the EDPB. If the EDPB guidelines
members of the EDPB may be expected to comply with them
keep guidelines.
10

129. In the guidelines on consent, the EDPB underlines that consent
on grounds of "disadvantage" cannot be free, if for the data subject "significant
negative consequences. ”11 Consent must be an autonomous act of the individual

8 For the sake of completeness, the question could be raised whether, if a data subject pursuant to Article 82 GDPR (for
a judge) would claim damages for the loss of the aforementioned benefit, not as adverse damages
the data subject could be regarded as for which the data subject - on the basis of the aforementioned European provision
- receive compensation; for an in-depth discussion of the concepts, read J. HERBOTS, “Why It Is IllAdvised to Translate Consequential Damage by Dommage Indirect” in European Review of Private Law, 2011, Vol. 19 (6), 931-
949.
9 EDPB Guidelines 5/2020 on consent under Regulation 216/679 (v. 1.1.), 4 May 2020, available at:
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf (hereinafter Guidelines 5/2020), marg.
13.
10 Compare AG Bobek's reasoning in case C-16/16 P, Belgium v ​​Commission, ECLI: EU: C: 2017: 959, paras 89-90.
11 Guidelines 5/2020, 14-15.
 Decision on the merits 04/2021 - 30/46
contents, free from external manipulations.12 Consent according to the regulation is allowed
are not considered released when the individual has no real choice
or is unable to refuse her or his consent without adverse consequences. 13

130. The defendant not only offers products and discount coupons, but also grants
a service in the provision of information with regard to data subjects. The defendant offers
information sheets about pregnancy and the period to (expectant) mothers
subsequently. Neither of the products and other benefits nor of the information sheets would
can be enjoyed if the data subject does not transmit personal data and
agrees to dozens of further transfers and other processing operations, making this clear
constitutes a disadvantage for the data subject.

131. The EDPB has also provided examples in this regard in its Guidelines 5/2020. If
example it is discussed there that there appears to be no disadvantage in the case of the
benefits can also be obtained in another way.
14 A contrario are the
benefits to this are not obtainable in any other way, and does not confer
consent is a disadvantage for the data subjects, including the complainant.

132. Moreover, there is no granular nature of the consent. All purposes for
further processing is bundled when granting the consent by
data subjects with regard to the defendant. Likewise, the categories of the
recipients of the personal data are not sufficiently clearly defined and the
partners of the defendant are not fully identified by those involved.
In this way, those involved cannot estimate the impact or nature of it
passing on their data. Data subjects' control over their personal data
is consequently taken from them.

133. The GDPR states in recital 43 that consent “is considered not to be free
granted if separate consent cannot be given for different
personal data processing, despite the fact that this is in the individual case
is appropriate, or if the performance of an agreement, including the
provision of a service depends on the consent despite the fact that
such consent is not necessary for that performance. " So it is possible that
a data subject merely wishes to obtain the boxes presented by the defendant and
therefore wants to transfer the contact details to the defendant, but this is not possible because

12 Compare KOSTA, E., Consent in European Data Protection Law, Leiden, Martinus Nijhoff Publishers, 2013, p. 169.
13 Recital 42 GDPR.
14 Guidelines 5/2020, 14-15.
 Decision on the merits 04/2021 - 31/46
the defendant also inextricably has other purposes for the
personal data through the consent (selling and renting the
personal data for commercial purposes).

134. When the controller has multiple purposes (and in addition
multiple processing operations) when collecting the same personal data,
according to the EDPB, “those concerned should be free to choose which purposes
they accept, instead of having to consent to a package
processing purposes. "
15

135. If only for the non-free nature of the consent, it is consent
not legally valid in accordance with Article 6 (1) point a) j ° 7 GDPR.
3.2.2 The “informed” nature of a consent

136. Exercising positive pressure (such as offering discounts on products)
does not invalidate the consent provided that the data subject has all necessary information
has received with regard to the processing of his personal data and him
a real choice is given to decide. In the present case, however, the person concerned
not receive all necessary information. The complaint has precisely this aspect as its object.

137. Moreover, it is clear from the file and the arguments of the defendant in the proceedings
on the basis that not even all partners could be known to those involved on the basis of
of the information available to them at the time of consent, now the
defendant does not disclose all its partners for reasons based on the Directive
2016/943 on Business Secrets. 16

138. The EDPB literally writes in its Consent Guidelines “that if
several (joint) controllers respond to the requested
consent or if the data will be passed on to or
processed by other controllers who are on the original
consent, all these organizations should be mentioned. ”
17

15 Guidelines 5/2020, marg. 42.
16 Cited in footnote 4.
17 Guidelines 5/2020, marg. 65.
 Decision on the merits 04/2021 - 32/46

139. The complaint emphasizes the non-transparent provision of information whereby a
incorrect perception is created by the complainant and other parties involved. Thus the
complainant that the initiative of the boxes honoredthere seems to be linked to a government initiative.

140. If a company wants to rely on the legal basis of consent must
data subjects clearly know all parameters when giving this consent.
After all, informed consent means that it must be based on a
appreciation, understanding of the facts and implications of an action. This means that the
data subject in a clear and comprehensible manner, accurate and complete
must be provided with information on all relevant issues such as the nature of the processed
data, the purposes of the processing, the recipients of possible transfers
and the rights of the data subject.18 In this case, the consent is neither sufficient
neither informed nor sufficiently specific.

141. Two more aspects are important in giving valid consent. First
and above all, the quality of the information must be sufficient. The way the
information provided by the defendant is not sufficient. The Inspectorate stated
noted that the communication about the activity trading in personal data is not explicit
is in normal language but only in vague terms such as “with
for the purpose of sending products, offers and information ”. The defendant
in this way camouflages the activity of trade in personal data by not ending
communicate the same clear way as about receiving the “free”
benefits.

142. The information regarding the trade in personal data is additionally
provided in legal terms. Explicit terms such as advertising and marketing
are avoided in external communication, for example. The defendant serves
be clear and understandable in its communication for those involved, “for the
average person, and not just for lawyers. ”
19 The defendant's working method
however creates confusion and does not sufficiently take into account the impact on (the
rights of) the data subjects.

143. Second, the accessibility and visibility of the information is important.
Information must be given directly to individuals. It is not enough to
make it "available" elsewhere (for example through a privacy policy on the

18 Guidelines 5/2020, marg. 64 ..
19 Guidelines 5/2020, 18.
 Decision on the merits 04/2021 - 33/46
website).
20 In the online reality, it is not uncommon for information to be provided to data subjects
is given through a privacy policy21
, but it does serve enough
be clear so that it is understandable for data subjects to be informed
consent.22 The reference must be visible on the form / reply card
where the consent is given, and not in small letters on the side,
as is the case with the defendant.

144. Also on the basis of the insufficient “informed” nature of the consent, is
the consent in accordance with Article 6 (1) point a) j ° Article 7 GDPR is not legally valid.
This defect is already sufficient to constitute an infringement of Article 6 (1) point a) j ° Article 7 GDPR
to establish.
3.2.3 The conditions of "specificity" and "unambiguity" for a legally valid one
permission

145. Informed consent is associated with specific consent. When
data processing activities that require consent
specific and therefore unclear, the data subject cannot make informed decisions about
these activities.23 Here, too, the lack of granularity in itself points to the
inadequacy of the specific nature of the consent.

146. It can also be pointed out that the gradual blurring of the objectives
for which personal data are processed, this is a risk for data subjects
in this specific file. There is when describing the purposes by the
defendant speaks of the phenomenon of "function creep", which means
leads to the unforeseen use of for the complainant and other parties involved
personal data for purposes that were not clear or insufficiently clear to them,
and by partners who were not or not sufficiently known to them. 24

147. To be specific, consent must refer very precisely to both the
scope as the consequences of the data processing.25 The consent is because of this
moreover, not unambiguous because those involved do not know what they agree to.

20 Guidelines 5/2020, 18-19.
21 KOSTA, E., Consent in European Data Protection Law, Leiden, Martinus Nijhoff Publishers, 2013, p. 215.
22
 SCHERMER, CUSTERS, VAN DER HOF, Ethics Inf Technol, 2014/16.
23 Guidelines 5/2020, 15-16.
24 Guidelines 5/2020, marg. 56.
25 Guidelines 5/2020,.
 Decision on the merits 04/2021 - 34/46
3.2.4 Additional Conditions for Obtaining Legally Consent

148. The withdrawal of consent in accordance with Article 7 paragraph 3 GDPR is inseparable
associated with giving the consent. The defendant argues that there are several
there are possibilities to revoke the consentek. At the time of submission
of the complaint, however, it was clearly not that easy to obtain the consent
draw as if to give it.

149. The withdrawal was not sufficiently facilitated because it was single
stated in the defendant's online privacy policy and, moreover, only there
lowercase. The right to withdraw consent was thus not indicated on
the screen when the permission was given. Furthermore, the unsubscribe page was ten
only available in English or French at the time of the complaint. With the use of
consent as a legal basis it is essential that it is clearly stated that
the consent can always be withdrawn and this in a simple manner (on the
time of giving consent). The withdrawal is thus not as easy
if giving consent contrary to Article 7 (3) GDPR.

150. An additional problematic element is the fact that when the consent is effective
is withdrawn by a data subject, the personal data of the defendant is not
deleted or deleted but only set to “inactive”. A
However, the controller must - as soon as the consent has been withdrawn -
ensure that the data is erased, unless there is another legal ground to do so
to process the data 26

151. The Disputes Chamber therefore also stipulates with regard to the other conditions
regarding a legally valid consent, in particular that contained in Article 7 (3) GDPR,
an infringement.
3.2.5 The lawfulness of the processing of personal data of the minor child

152. The Disputes Chamber also notes that at least the date of birth of the
child is collected and further processed by the defendant. Also, the

26 Compare: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-groundsprocessing-data/grounds-processing/what-if-somebody -withdraws-their-consent_en.
 Decision on the merits 04/2021 - 35/46
option provided by the defendant to other personal data of the child
to make known to third parties, as also stated in the privacy statement.
27

153. Recital 38 of the GDPR states:
“Children have the right to specific with regard to their personal data
protection, as they may be less aware of the risks involved,
consequences and safeguards and of their rights in connection with
the processing of personal data. That specific protection must in particular
apply to the use of children's personal data for marketing purposes
or for creating personality or user profiles and collecting
personal data about children when using directly to children
services provided. In the context of preventive or advisory services directly
offered to a child is the consent of the person holding the parental
bears responsibility, not required. "

154. Although the child's date of birth is linked to the identity of the parent, is
also allocate the date of birth specifically to the individual child. That is also the case
the case for the child's surname and first name. It's not because it
personal data is attributed to the parent ("the date of birth of their child")
that it does not (also) belong to the minor child. So there is indeed
of personal data referred to in Article 4 (7) GDPR that are processed from the
minor child. This child is a data subject whose personal data must be
processed in accordance with the provisions of the GDPR.

155. According to the defendant, such processing takes place at a certain age of the
child to send a specific box to the parent. When processing that
personal data must therefore have a legal basis within the meaning of Article 6 (6)
1 GDPR are indicated by the defendant as the controller, which is something
she fails. 28

156. Although in the present case the child's mother gave her consent, it is in theory
she may not retain parental authority over the child, and thus no consent
can provide for the processing of that child's personal data. In addition

27 https://www.derozedoos.be/privacy#3.
28 Article 5 (2) GDPR and Article 24 GDPR require the controller to comply with the provisions of the GDPR.
organize and be able to indicate.
 Decision on the merits 04/2021 - 36/46
There are other reasons why a parent might agree to own
to process personal data, but not that of her or his child (ren). The one who
exercises parental authority, must therefore also grant permission for the
process the child's personal data.

157. The Disputes Chamber concludes that in any case there is no lawful processing of
the personal data of the minor child exists because the defendant fails to do so
to indicate a basis, which is an infringementk constitutes on Article 6 (1) GDPR.
2.3. Lawfulness of processing of personal data collected for
25 May 2018 on the basis of legitimate interests (Article 6 (1) (f))
GDPR)

158. Article 6 paragraph 1 f) concerns the legitimate interest of the
controller as the legal basis for processing the
personal data. The question is whether the further processing of personal data
collected before May 25, 2018 are lawful under the aforementioned legal provision in the
AVG.

159. In accordance with the case law of the Court of Justice (EU), the
controllers to demonstrate that:
1) the interests they pursue with the processing may be justified
be recognized (the “target test”);
2) the intended processing is necessary for the realization of those interests
(the “necessity test”); and
3) the balancing of those interests against the interests, fundamental
freedoms and fundamental rights of data subjects weighs in favor of the
controllers or of a third party (the “balancing test”) 29

160. First of all, it can be established that the further processing of personal data is that
were collected before May 25, 2018 can be found in accordance with the
legitimate interests of the defendant and therefore the target test in itself
endures. The commercial interest of the defendant is apparent within the present

29 CJEU judgment of 4 May 2017, Rigas satiksme, C-13/16, EU: C: 2017: 336, paragraph 28.
 Decision on the merits 04/2021 - 37/46
legal situation to be a legitimate interest under the GDPR. It
however, it must be investigated whether the processing also complies with the necessity test and
passed the assessment test.

161. First of all, the Disputes Chamber establishes that, although a commercial interest is
can properly be considered a legitimate interest in the spirit of the GDPR,
on the other hand, there is no need to process certain personal data
exists, if there are other possibilities for the processing to be lawful
expire and thus safeguard the legitimate interests. It's not on the
Litigation chamber to determine the defendant's litigation strategy or
to provide some advice in this regard. However, the Disputes Chamber concludes that from the
defense does not show that the defendant has sufficiently investigated whether and why there is
no other options exist to determine the lawfulness of the processing
assure, whereby the processing operations are based on the legitimate interest
become necessary. For that reason, the aforementioned processing of the
respondent does not carry out the necessity test.

162. The defendant's legitimate interest must be in accordance with the
balancing test are weighed against reasonable expectations, interests and rights
of those involved. The defendant uses conditions that are too abstract and does not mention any
explicit terms such as advertising, direct marketing and trade in personal data. It
is impossible for data subjects to estimate how many other companies their
further use personal data.

163. In addition, the defendant does not provide sufficient information about the types of processing operations
that can follow after the trading of the personal data. When distributing
the boxes are used by hospitals and gynecologists. This could be the wrong one
to generate perception among those involved, namely that the defendant is a non-profit organization or
government initiative and not a private company providing personal data
trades. The Disputes Chamber finds that the defendant has insufficient transparency
concerned about the benefits offered in relation to the transfer of
personal data. There is a clear mismatch between the promised benefits and
the activities that are not clearly highlighted, being the reselling / selling of the data
personal data to third parties. In itself, those involved can perhaps still expect
that, in a case where data subjects transfer personal data to a company and
receive certain benefits for this, this company can afterwards the parties involved
approach for marketing reasons. In the present case, however, the problem is that it is a retransmission
 Decision on the merits 04/2021 - 38/46
of the personal data by the defendant to third parties. This does not belong to
the reasonable expectations of those involved.

164. To prove that the defendant took into account and thought about the
there is only one relevant and effective safeguards in the context of Article 6 paragraph 1 f)
document prepared containing a risk-based approach. The defendant
cannot sufficiently demonstrate which concrete technical or organizational measures
provide adequate protection. It has not been shown that this document is actually in
practice is applied. As long as there is no additional evidence of the actual
application in practice, such documents cannot be retained as
proof of effective and relevant safeguards. The defendant arguesfurther to that
there is a limitation on the number of times the data is accessed through use
of control addresses. However, the Inspectorate determined that the use restriction
and receiving an objection does not (always) work in practice. Based on
the aforementioned considerations and the lack of evidence of effective technical and
organizational measures to safeguard the interests of data subjects, the
Disputes Chamber finds a violation of Article 6 (1) f) GDPR.

165. The Disputes Chamber concludes that there has been a violation of article 6, paragraph 1, point f)
of the fact that it cannot establish that the defendant has an adequate
legal basis to justify the processing of personal data under art.
6 (1) point f) GDPR (legitimate interest). The conditions have not been met
which the GDPR imposes for this purpose. This is in line with case law that states that a
processing activity can only be allowed if it complies with the rules
on the lawfulness of the processing. 30
2.4. With regard to the transparency obligation (art. 5, paragraph 1, point a) j ° art. 12 and
art. 13 GDPR)

166. The Disputes Chamber rejects the defendant's assertion that the
transparency requirements under Article 5 (1) (a) GDPR.

30 ECJ, cases C-465/00, C-138/01 and C-139/01, Rechnungshof v. Österreichischer Rundfunk and others; Neukomm and Lauermann v.
Österreichischer Rundfunk, para. 65; CJEU, C-524/06, Huber v. Germany, December 16, 2008, para. 48.
 Decision on the merits 04/2021 - 39/46

167. Transparency is crucial to give data subjects control over them
personal data and to provide effective protection of personal data
31 The transparency obligation in the GDPR requires that all information or
communication regarding the data processing of data subjects easily accessible and
understandable.32 The aim is to create such a trusted environment for
create data processing for data subjects.33 These problems are related
with the judgment of the Disputes Chamber on the validity of the consent. The
The complainant and other parties involved are not sufficiently clear about the exact ones
involve the defendant's activities. The fact that the complainant thinks the defendant
a non-profit organization or government initiative illustrates this fact. There needs to be more transparent
information is offered to data subjects, for example about the fact that
data subjects obtain certain benefits only if they receive their
provide personal data.

168. The defendant argues that Article 13 GDPR only requires information about the categories
of data recipients, not about the legal transaction
supports the communication of the personal data (in particular “renting” or
selling ”data). The Disputes Chamber rejects this statement because of the
fact that pursuant to Article 13 (1) c) GDPR, the purposes of the processing must become
state what the personal data are intended for. This means that the defendant
should have indicated that these personal data would
rented / sold to third parties.

169. The defendant further suggests that a detailed and complete publication of the
list of partners would infringe its trade secrets. According to the
defendant, there are two equal rights in conflict with each other: on the one hand, the right
to data protection and on the other hand the right to protection of trade secrets,
in accordance with the aforementioned Directive 2016/943. This reasoning cannot
are retained, given the right to the protection of personal data
a fundamental right protected in the EU treaties and the GDPR, that is only possible
are limited in cases provided for by the legislator. Neither European legislation,
nor the Belgian legislation implementing Article 23 GDPR provides for a restriction
of the publication of the name of recipients of personal data.

31 Communication European Commission, An integrated approach to the protection of personal data in the European Union, COM
(2010) 609 final, p. 6.
32 Recital 39 GDPR.
33 DE HART, PAPAKONSTANTINOU, Computer Law & Security Review 2016, p. 134.
 Decision on the merits 04/2021 - 40/46

170. In addition, the Disputes Chamber finds that the core of the activities in this
file consists in the transfer of personal data, and the policy of the defendant
about this. It cannot be decided at the expense of those involved that the commercial
the interests of the defendant or its partners sometimes do, and sometimes not weigh
against the rights of those data subjects. By adding more and more partners
moreover, the list still does not seem to be exhaustive. In any case, it is true that over
at the time of the report of the Inspectorate, the complainant brought to light that
boxes and fill-in cards were distributed by a then unnamed partner.

171. The activities of the defendant are affectedat the core of the GDPR. It is from
fundamental that those involved know which partners can contact
record with them.
34 This would be different if the partners only supply goods
without asking for anything in return. Here, however, it is the case that the personal data is
sold. In such situations it is by definition the duty under article 5 j ° article
13 GDPR for the defendant to display / mention the partners.

172. The Disputes Chamber concludes from this that the commercial activities of the
defendant focused on advertising, media representation and trade in personal data does not
communicated in a sufficiently transparent manner to those involved. The
Disputes Chamber considers a violation of Articles 5, paragraph 1, point a), 12 and 13 GDPR
proven.
2.5. Regarding the retention period under art. 5, par.1, point c) j ° art. 25
AVG

173. The defendant does not have the appropriate technical and organizational measures
taken to ensure that only personal data is processed
necessary for each specific purpose of the processing. However, this practice belongs
to the core of the responsibility of the processor with the introduction of the
GDPR has become all the more important. 35

34 This view was also taken by the Information Commissioner's Office in the Bounty UK case.
(https://ico.org.uk/media/action-weve-taken/mpns/2614757/bounty-mpn-20190412.pdf) This case also involved very
parallel information. Here too, data was collected from the mother as a parent and their newborn child. beside
this similar case shows that the aforementioned practice is not unique in Europe. There is a real need to enforce
the GDPR to protect a vulnerable population.
35 QUELLE C., Privacy, Proceduralism and Self-Regulation in Data Protection Law 2017, p. 6.
 Decision on the merits 04/2021 - 41/46

174. The defendant does not clearly distinguish the purposes of the processing. If a
the person concerned subscribes to an additional box, this implies one for the defendant
agreement with the trade in personal data. Furthermore, the defendant does not
demonstrated that a received objection to direct marketing is always becoming
communicated to the defendant's partners. The retention period is 18 years
also disproportionate to the initial consent and the reasonable
expectations of the complainant and other parties involved. The originally offered
after all, products (benefits) mainly concern baby items. Finally, the
defendant that its website does not offer a practical possibility to use the granted
immediately withdraw consent. All these aforementioned elements go against it
the principles of proportionality and data protection by design.

175. At the hearing, the defendant compares the situation with that of a subscription
for a newspaper, which must also be explicitly canceled. However, these situations are not
comparable. When subscribing to a newspaper, the person concerned knows, through it
obtain and the systematic payment for that newspaper that becomes its relationship with the newspaper
continued. This is not the case in the present situation. At least the
respondent explicitly state that the personal data will be kept for 18 years
and regularly remind the person concerned of this, as well as of the possibility
to end the relationship.

176. The Disputes Chamber concludes from the above considerations that Article 5 paragraph 1 c) j °
25 GDPR.
2.6. Regarding accountability under Art. 5.2. j ° art. 24 GDPR

177. The defendant, taking into account the nature, scope, context and purpose of the
processing, as well as with the different risks in terms of likelihood and severity
the rights and freedoms of natural persons, not the appropriate technical and
organizational measures to ensure and be able to demonstrate that the
processing is in accordance with the GDPR. There was no clear evidence of this
effective technical and organizational measures to protect the interests of those involved
within the framework of article 6 paragraph 1 f).

178. Accountability in accordance with Articles 5 (2) and 24 GDPR requires that the
controller takes measures to prevent the
comply with data protection principles and obligations and upon request
 Decision on the merits 04/2021 - 42/46
show that they have been complied with.36 However, the defendant has not shown that the
activity of the trade in personal data by the partners in an adequate manner
is clear to those involved. Furthermore, no records were kept either
of the requests for rectification and the defendant could not (immediately) prove that
an effective erasure of the personal data had taken place. In fact, the
Respondent claims that it has the email addresses of the data subjects requesting the erasure
have requested their personal data to be retained anyway to ensure it later
no new account can be created from the same email address. However, this goes
completely ignores the letter and spirit of the right to erasure.

179. The Disputes Chamber concludes from the above considerations that Article 5 paragraph 2 j °
24 GDPR.
2.7. Regarding art. 14 GDPR

180. The Disputes Chamber does not find an infringement of Article 14 of the GDPR as the defendant
obtains the personal data directly from the data subjects and that Article 14 GDPR
thus does not apply. It is the defendant's partners who make the requirements
of Article 14 GDPR, as they contain the personal data of the
the defendant and not directly from those involved.
2.8. Regarding art. 28 para. 3 GDPR

181. The defendant failed to enter into a processor agreement between
herself and one of her partners, who kept fill-in cards at the time of the complaint
for the defendant. This is a processing of personal data as referred to in Article
4 1) and 2) GDPR.

182. According to the defendant, this retention by the Y4 did not fall under the equipment
scope of the GDPR, now the mere storage of the fill-in cards no
would constitute processing of personal data within the meaning of Article 2 GDPR.

183. Article 2 (1) GDPR states that the GDPR applies “to the whole or in part
automated processing, as well as the processing of personal data contained in

36 Article 29 Working Party, "Opinion 3/2010 on the principle of accountability", p. 3.
 Decision on the merits 04/2021 - 43/46
are included in a file, or are intended to be included therein. "
(the Dispute Chamber underlines)

184. Now the fill-in cards ab initio are intended to be included in a file
(by the defendant), the Y4 keeping the fill-in cards is indeed one
processing within the meaning of the GDPR.

185. The Disputes Chamber thus establishes a violation of Article 28 paragraph 3 GDPR on the ground
of the defendant, now that the latter should have concluded a processing agreement
with the Y4, which the defendant failed to do.
2.9. Regarding art. 37 and 38 GDPR

186. The defendant does not state that it is obliged on the basis of Article 37.1 GDPR to submit a
as a data protection officer because they are not
government body. Furthermore, according to her, her core activity is not follow-up
of (expectant) mothers on a regular, systematic and large-scale basis. The
defendant alleges that there is no evidence that it would meet these conditions. In
in each case, the defendant has appointed an officer in the meantime.

187. The Disputes Chamber does not address the question to what extent the defendant was obliged
to appoint a data protection officer, also in view of the fact
that a data protection officer has since been appointed and that's the gist
of the infringements in the present case is independent of the position of the official
for data protection. In general, the Disputes Chamber points out that
it attaches great importance to compliance with the obligations surrounding the officer for
data protection.
 Decision on the merits 04/2021 - 44/46
3. Breaches of the GDPR and the complainant's requests

188. The Disputes Chamber considers that the defendant has infringed the following provisions
proven:
a.Article 5 (1) (a) GDPR, given the lack of transparent information provision
whereby an incorrect perception is created with regard to the data subjects, including the
complainant. The initiative of the boxes is more often linked in the perception of those involved
to a non-profit organization or a government initiative that does not include the complainant
it is clear that it concerns a private company which, moreover, as an activity
trading of personal data. There is a clear mismatch between them
the promised benefits and that not clearly explained activity;
b. Article 5, paragraph 1, c) j ° Article 25 GDPR, in view of the defendant not the appropriate one
has taken technical and organizational measures to ensure that
only personal data are processed that are necessary for each specific purpose
of processing. The retention period of 18 years is disproportionate to the initial one
consent and reasonable expectations of the complainant and other stakeholders. The
After all, originally offered products (benefits) mainly concern
baby stuff.
c. Article 6 GDPR, in particular Article 6 (1) (a) and (f) GDPR, given there
cannot be free, specific, informed and unambiguous
consent of the complainant (see Article 4, point 11) GDPR). After all, the complainant did not know
all parameters when giving the consent which prevents the consent
informed. In addition, the further processing of
personal data collected before May 25, 2018 is not necessary for the
to promote the legitimate interests of the defendant - also weigh them
legitimate interests do not swords over interests, grond rights and
fundamental freedoms of those involved;
d. Article 7 (3) GDPR, given the consent at the time of the complaint, not that easy
could be withdrawn than it could be given;
e. Article 13 GDPR, in view of the inadequate, non-transparent provision of information.
f. Article 24 GDPR, given the defendant taking into account the nature, scope,
context and purpose of the processing, as well as the likelihood and severity
various risks to the rights and freedoms of data subjects are not appropriate
has taken technical and organizational measures.
g. Article 28 (3) GDPR, given the lack of a processor agreement between the
defendant and one of their partners who kept fill-in cards at the time of the complaint
for the defendant, which constitutes a processing of personal data as intended
in Article 4 (2) GDPR.
 Decision on the merits 04/2021 - 45/46

189. The Disputes Chamber considers it appropriate to recommend that the processing is in accordance
is accompanied by the provisions of the GDPR, in particular Article 5 (1) GDPR,
article 24 and article 28 GDPR, all this based on article 58.2, d) GDPR and article
100, §1, 9 ° WOG, within six months after the notification of this decision and the
To inform the disputes chamber about this within the same period. This relatively long
time limit is set, knowing that this decision may be a
requires significant adjustment of business operations on the defendant's behalf.

190. Furthermore, the Disputes Chamber considers it appropriate, in addition to this corrective measure, to
impose an administrative fine (Article 83 (2) GDPR; Article 100, §1, 13 °
WOG and article 101 WOG). The Disputes Chamber points out that an administrative fine
in many cases - including the present case - the appropriate measure is that in
sufficiently effective, proportionate and dissuasive. The enforcement of
Union law by Member States must meet these requirements, in order to implement the
obligation to cooperate in good faith (Article 4, paragraph 3, of the EU Treaty). These requirements
therefore do not only apply to the imposition of a fine in accordance with Article 83 (1)
GDPR, but also when choosing between the different types of sanctions provided in
Article 58, paragraph 2 GDPR and Article 100 WOG. Where the Disputes Chamber considers it appropriate
sanction an action that has already taken place, the GDPR and the
WOG has only very limited alternatives, which in many cases even more
insufficiently effective, proportionate and dissuasive.

191. Taking into account article 83 GDPR and the case law37 of the Marktenhof,
the Disputes Chamber motivates the imposition of an administrative fine in concrete terms:
a. The seriousness of the breach:
Violations of Articles 5, 6 and 7 GDPR give rise to the highest fines
Article 83 (5) GDPR.
The combined infringements of Articles 13, 24, 25 and 28 GDPR show that the
controller has failed to process its processing in accordance
data protection legislation, although the
processing of those personal data forms the core of its business activities.

37 Brussels Court of Appeal (section Marktenhof), X t. GBA, Judgment 2020/1471 of 19 February 2020.
 Decision on the merits 04/2021 - 46/46
All elements of the file show that insufficient account was taken
with the expectations of the citizen and the implications for the
personal data protection.
b. Duration of the infringement:
The defendant has been operating for a very large number of years and is there
during all these years has not been able to adapt its business model to the
legislation on personal data protection, which nevertheless gets to the core
of its activities.
c. The scope of the infringement:
The number of data subjects affected is considerable. It concerns according to
after all, the findings of the Inspectorate at the time of its investigation
personal data from 21.10% of the Belgian population, and in any case
a significant number of those involved.
The Disputes Chamber has taken note of what the defendant has made
this is objected to in its response to the fine form (supra,
paragraphs 101 and 102). First of all, the Disputes Chamber has already established that the data
of minor children used by the defendant solely as personal data of the
parent ("characteristic of the mother") are considered, including to the children as
those involved should be attributed. It is indeed about
personal data processing of those children.
Subsequently, the Disputes Chamber determines that the defendant himself is not the correct number
can indicate data subjects whose personal data it processes (“well below
1,000,000 ”), which is striking in itself, in the light of the technical and
organizational measures that the defendant must take to ensure that
the personal data comply with the processing principlesg of
personal data, including the accuracy of personal data, the obligation
on storage limitation and the minimum data processing obligation.
The Disputes Chamber considers the Inspectorate's estimate to be the most
reliable and establishes that the defendant does not provide additional elements
which may contradict this figure as an estimate.
 Decision on the merits 04/2021 - 47/46
d. The necessary deterrent to prevent further infringements:
This file shows that insufficient account is taken of the
personal data protection of data subjects which should actually be central
given the defendant's business model. The processing of
after all, personal data is a core activity of the defendant. In fact,
the defendant trades this personal data with third partners. So it is from
crucial that such data brokers / companies comply with the provisions of
the GDPR function.
The facts, circumstances and established infringements therefore require a fine
meets the need to have a sufficiently deterrent effect ("effet
dissuasif '), with sufficient sanction to the defendant,
lest practices involving such violations be repeated, and that the
the respondent would from now on pay more attention to personal data protection.

192. The Disputes Chamber points out that the other criteria of art. 83.2. AVG in this case is not
are of a nature that they lead to an administrative fine other than that which the
Dispute Resolution Chamber has established within the framework of this decision.

193. The Disputes Chamber takes note of what the defendant's response to it
penalty form, and takes into account in particular the economic
precarious conditions for the company, and the potential impact of a high
administrative pecuniary sanction on the company and its employees. The
The disputes chamber emphasizes, however, that economically sound entrepreneurship is never at the expense
can go from fundamental rights of citizens, as enshrined in Article 8 Charter of the
European Union and as specified in the GDPR. It is also up to the defendant if
controller to take its responsibility to ensure that
it takes sufficient technical and organizational measures to ensure that its
processing takes place in accordance with the GDPR, which is not the case in this case
evidencing the defendant's negligence.

194. The Disputes Chamber is of the opinion that in some sectors of the economy there is reason to,
given the exceptional circumstances of the COVID-19 health crisis, a
to reduce administrative money penalties to a certain extent, without this being detrimental
to the necessary deterrent effect of the fine. For the activities of
defendant, where the proceeds are mainly related to the trading of
 Decision on the merits 04/2021 - 48/46
personal data, however, there is no specific reason for this. Considering it
the above, the Disputes Chamber will lower the amount proposed in the fine form
of the fine and sets the fine at EUR 50,000.
4 Publish the present decision

195. It is in the public interest to notify the
public, given the nature of the infringements, and the large number of people involved in the
Belgian society.
196. Given the importance of transparency with regard to the decision-making process of the
Disputes Chamber, this decision is made in accordance with Article 100, §1, 16 ° WOG
published on the website of the Data Protection Authority with reference to
the identification data of the defendant, and this because of the specificity of the
activities of the defendant and their public awareness, which is a meaningful omission
of the identification data, as well as in general
importance of the present decision, but with the omission of the identification data of
the complainant, given that these identification data are not necessary and relevant to the
publication of the decision. The identification data of defendant's partners
are also omitted.
 Decision on the merits 04/2021 - 49/46

FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority will, after consultation, decide to issue the
defendant:
- pursuant to Article 58.2, d) GDPR and Article 100, §1, 9 ° WOG, to order the
to make processing in accordance with the provisions of the GDPR, in the
in particular Article 5 (1) GDPR, Article 24 and Article 28 GDPR, within six months
after notification of this decision and the Dispute Chamber about this
same term.
- on the basis of Article 83 GDPR and Articles 100, 13 ° and 101 WOG one
an administrative fine of EUR 50,000 to be imposed on the defendant for
violation of Articles 5, 6, 7, 13, 24, 25 and 28 GDPR.

Against this decision on the basis of art. 108, §1 WOG, appeals are lodged within one
term of thirty days, from thenotification, at the Marktenhof, with the
Data protection authority as defendant.
(get.) Hielke Hijmans
Chairman of the Disputes Chamber