APD/GBA (Belgium) - 07/2024: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 81: Line 81:
}}
}}


The Belgian DPA fined a data broker €174,640. The controller was found to have breached several GDPR articles due to its unlawful processing of personal data collected indirectly.
The Belgian DPA fined a data broker €174,640. Among other violations, the controller could not rely on legitimate interest to collect data from third parties and infringed [[Article 15 GDPR|Article 15(1)(c) and (g) GDPR]] by not disclosing specific information about sources and recipients of the data in the context of an access request.


== English Summary ==
== English Summary ==
Line 90: Line 90:
On 13 November 2020 and 23 December 2020, they both received a reply to their requests by the controller via post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest, under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].
On 13 November 2020 and 23 December 2020, they both received a reply to their requests by the controller via post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest, under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].


Following the information provided, on 28 January 2021, the complainants filed a joint complaint with the DPA against the controller. The complainants complained that the controller, as a data broker, processed a large number of their personal data without their knowledge and prior consent, violating [[Article 13 GDPR|Article 13]] or [[Article 14 GDPR|14 GDPR]]. They also affirmed that a large amount of data was sent to various parties and resold to third parties for commercial purposes. The complainants also pointed out that some of the personal data were more than 15 years old and, therefore, incorrect. In addition, the complainants believed that the controller applied profiling to their personal data before selling the profile data. Lastly, they claimed that the controller breached [[Article 12 GDPR#3|Article 12(3) GDPR]] by providing the requested information on paper.
Following the information provided, on 28 January 2021, the complainants filed complaints with the DPA against the controller. The complainants complained that the controller, as a data broker, processed a large number of their personal data without their knowledge and prior consent, violating [[Article 13 GDPR|Article 13]] or [[Article 14 GDPR|14 GDPR]]. They also affirmed that a large amount of data was sent to various parties and resold to third parties for commercial purposes. The complainants also pointed out that some of the personal data were more than 15 years old and, therefore, outdated. In addition, the complainants believed that the controller applied profiling to their personal data before selling the profile data. Lastly, they claimed that the controller breached [[Article 12 GDPR#3|Article 12(3) GDPR]] by providing the requested information on paper, whereas the request was made electronically.


On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard in front of the Dispute Chamber on 22 February 2023.
On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard in front of the Dispute Chamber on 22 February 2023.


=== Holding ===
=== Holding ===
Following the information provided, the Belgian DPA found several GDPR infringements, mainly to be divided into three sections.
To begin with, the DPA found that there could be no doubt that the controller should be held responsible for the processing activities that took place before the acquisition of Bisnode Belgium by the controller, even after the name change, as disputed by the controller. This is because, with the transition, the responsibility and decision-making power over the means and purposes of personal data processing.  


Unlawful and unfair processing of personal data.
Following the information provided, the Belgian DPA found several GDPR infringements, which it divided into three sections.


* The DPA concluded an infringement of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] since the controller did not properly demonstrate that its interests, supplying the personal data to its customers and maintaining updated records of the data subjects, would outweigh the interests and fundamental rights of the complainants. Moreover, the DPA noted that the controller processed different types of data, raising doubts over whether all these personal data were systematically necessary for the representation of the intended interests under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
The first category of violations concerns the unlawful and unfair processing of personal data.
* The DPA brought into question the storage limitation of the data processed under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] since the controller stated to keep personal data in its databases for 15 years from the last entry. Moreover, the DPA found a breach of [[Article 12 GDPR|Articles 12]] and [[Article 14 GDPR|14 GDPR]] as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA stated that the controller infringed [[Article 14 GDPR]].
* Additionally, the DPA found that there could be no doubt that the controller should be held responsible for the processing activities that took place before the acquisition of Bisnode Belgium by the controller, even after the name change, as disputed by the controller. This is because, with the transition, the responsibility and decision-making power over the means and purposes of personal data processing. The DPA noted that [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 24 GDPR|24 GDPR]] provide general accountability and compliance requirements with the general principles to controllers. Since the controller was unable to demonstrate that the contested data processing operations were compliant with the GDPR, the DPA considered the infringement of [[Article 5 GDPR]], [[Article 24 GDPR#1|Article 24(1) GDPR]], as well as [[Article 25 GDPR|Articles 25(1) and (2) GDPR]].


* The DPA found an infringement of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] since the controller did not properly demonstrate that its legitimate interests, supplying the personal data to its customers and maintaining updated records of the data subjects, would outweigh the interests and fundamental rights of the complainants. Moreover, the DPA noted that the controller processed different types of data, raising doubts over whether all these personal data were systematically necessary for the representation of the intended interests under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].


* The DPA brought into question the storage limitation of the data processed under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] since the controller stated to keep personal data in its databases for 15 years from the last entry.
* Moreover, the DPA found a breach of [[Article 12 GDPR|Articles 12]] and [[Article 14 GDPR|14 GDPR]] as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA stated that the controller infringed [[Article 14 GDPR]].
* Additionally, since the controller was unable to demonstrate that the contested data processing operations were compliant with the GDPR, the DPA considered the infringement of [[Article 5 GDPR]], [[Article 24 GDPR#1|Article 24(1) GDPR]], as well as [[Article 25 GDPR|Articles 25(1) and (2) GDPR]].


Secondly, the DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. [[Article 15 GDPR#3|Article 15(3) GDPR]] states that when the data subject submits his request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated [[Article 12 GDPR|Articles 12(1) and (2) GDPR]] since the controller did not facilitate the complainants’ rights, as well as [[Article 12 GDPR#3|Article 12(3)]] in conjunction with [[Article 15 GDPR#3|Article 15(3) GDPR]]. Furthermore, the DPA stated that the controller infringed [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]] due to not communicating to the complainants all available information on the sources from which it received their personal data. Mentioning the [https://gdprhub.eu/index.php?title=CJEU_-_C-154/21_-_RW_v_%C3%96sterreichische_Post CJEU C-154/21 case Österreichische Post], the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients the controller is allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed [[Article 15 GDPR#1c|Article 15(1)(c) GDPR]].


Lastly, the DPA noted that the submitted register of processing activities by the controller only indicated the categories of data subjects without more details. Meanwhile, [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]] explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]].
Secondly, the DPA addressed the access request violations. The DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. [[Article 15 GDPR#3|Article 15(3) GDPR]] states that when the data subject submits their request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated [[Article 12 GDPR|Articles 12(1) and (2) GDPR]] since the controller did not facilitate the complainants’ rights, as well as [[Article 12 GDPR#3|Article 12(3)]] in conjunction with [[Article 15 GDPR#3|Article 15(3) GDPR]]. Furthermore, the DPA stated that the controller infringed [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]] due to not communicating to the complainants all available information on the sources from which it received their personal data. Mentioning the [https://gdprhub.eu/index.php?title=CJEU_-_C-154/21_-_RW_v_%C3%96sterreichische_Post CJEU C-154/21 case Österreichische Post], the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients the controller is allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed [[Article 15 GDPR#1c|Article 15(1)(c) GDPR]].


Taking into consideration the above-mentioned infringements, the DPA issued a fine on the controller of €174,640.
Lastly, on the issue of the records of processgin activities, the DPA noted that the submitted register of processing activities by the controller only indicated the categories of data subjects without more details. Meanwhile, [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]] explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]].
 
Taking into consideration these infringements, the DPA issued on the controller three fines for each one of the above-mentioned sections, which cumulatively amount to €174,640.


== Comment ==
== Comment ==

Latest revision as of 09:25, 31 January 2024

APD/GBA - 07/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 14 GDPR
Article 15(1)(c) GDPR
Article 15(1)(g) GDPR
Article 15(3) GDPR
Article 24(1) GDPR
Article 25 GDPR
Article 30(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 174,640 EUR
Parties: Black Tiger Belgium
National Case Number/Name: 07/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: ar

The Belgian DPA fined a data broker €174,640. Among other violations, the controller could not rely on legitimate interest to collect data from third parties and infringed Article 15(1)(c) and (g) GDPR by not disclosing specific information about sources and recipients of the data in the context of an access request.

English Summary

Facts

On 23 October 2020 and 27 November 2020, two complainants submitted two separate access requests under Article 15 GDPR to Bisnode Belgium, a direct marketing and data specialist company, which was subsequently taken over by the French Black Tiger Group and renamed Black Tiger Belgium (the controller).

On 13 November 2020 and 23 December 2020, they both received a reply to their requests by the controller via post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest, under Article 6(1)(f) GDPR.

Following the information provided, on 28 January 2021, the complainants filed complaints with the DPA against the controller. The complainants complained that the controller, as a data broker, processed a large number of their personal data without their knowledge and prior consent, violating Article 13 or 14 GDPR. They also affirmed that a large amount of data was sent to various parties and resold to third parties for commercial purposes. The complainants also pointed out that some of the personal data were more than 15 years old and, therefore, outdated. In addition, the complainants believed that the controller applied profiling to their personal data before selling the profile data. Lastly, they claimed that the controller breached Article 12(3) GDPR by providing the requested information on paper, whereas the request was made electronically.

On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard in front of the Dispute Chamber on 22 February 2023.

Holding

To begin with, the DPA found that there could be no doubt that the controller should be held responsible for the processing activities that took place before the acquisition of Bisnode Belgium by the controller, even after the name change, as disputed by the controller. This is because, with the transition, the responsibility and decision-making power over the means and purposes of personal data processing.

Following the information provided, the Belgian DPA found several GDPR infringements, which it divided into three sections.

The first category of violations concerns the unlawful and unfair processing of personal data.

  • The DPA found an infringement of Article 6(1)(f) GDPR since the controller did not properly demonstrate that its legitimate interests, supplying the personal data to its customers and maintaining updated records of the data subjects, would outweigh the interests and fundamental rights of the complainants. Moreover, the DPA noted that the controller processed different types of data, raising doubts over whether all these personal data were systematically necessary for the representation of the intended interests under Article 5(1)(c) GDPR.
  • The DPA brought into question the storage limitation of the data processed under Article 5(1)(e) GDPR since the controller stated to keep personal data in its databases for 15 years from the last entry.
  • Moreover, the DPA found a breach of Articles 12 and 14 GDPR as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA stated that the controller infringed Article 14 GDPR.
  • Additionally, since the controller was unable to demonstrate that the contested data processing operations were compliant with the GDPR, the DPA considered the infringement of Article 5 GDPR, Article 24(1) GDPR, as well as Articles 25(1) and (2) GDPR.


Secondly, the DPA addressed the access request violations. The DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. Article 15(3) GDPR states that when the data subject submits their request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated Articles 12(1) and (2) GDPR since the controller did not facilitate the complainants’ rights, as well as Article 12(3) in conjunction with Article 15(3) GDPR. Furthermore, the DPA stated that the controller infringed Article 15(1)(g) GDPR due to not communicating to the complainants all available information on the sources from which it received their personal data. Mentioning the CJEU C-154/21 case Österreichische Post, the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients the controller is allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed Article 15(1)(c) GDPR.

Lastly, on the issue of the records of processgin activities, the DPA noted that the submitted register of processing activities by the controller only indicated the categories of data subjects without more details. Meanwhile, Article 30(1)(c) GDPR explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed Article 30(1)(c) GDPR.

Taking into consideration these infringements, the DPA issued on the controller three fines for each one of the above-mentioned sections, which cumulatively amount to €174,640.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/114




                                                                          Dispute Chamber


                                     Decision on the merits 07/2024 of 16 January 2024



File number: DOS-2021-01224



Subject: Complaint regarding unlawful processing and commercialization

of personal data by a data broker



The Disputes Chamber of the Data Protection Authority (hereinafter, GBA), composed of

Mr Hielke Hijmans, chairman, and Mr Dirk Van Der Kelen and Yves Poullet, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter WOG;

In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:



Complainants: [X], [...], hereinafter “the complainants”, represented by [...], with social

                   registered office in [...], registered with the Crossroads Bank for Enterprises under the

                   number [...].


The defendant: BLACK TIGER BELGIUM (former BISNODE BELGIUM NV), with social

                   registered office in [...], registered with the Crossroads Bank for Enterprises under the

                   number [...], hereinafter “the defendant”, represented by masters

                   DOCQUIR and CORNETTE, with offices in [...]. Decision on the merits 07/2024 - 2/114



I. Facts and procedure 3
II. Justification 9

 II.1. Competence of the Belgian Data Protection Authority 9

 II.2. Description of the disputed processing activities by the defendant 11

    II.2.1. Processing responsibility 12
    II.2.2. Data processing 14

 II.3. Lawfulness of the processing (Article 5.1.a) and 5.2, as well as Article 6.1 GDPR) 16

    II.3.1. Position of the Inspection Service 16
    II.3.2. Position of the parties 16
    II.3.3. Judgment of the Disputes Chamber 28

 II.4. Transparency towards those involved (Article 12.1, Article 13.1 and 13.2, Article 14.1
        and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR) 57

    II.4.1. Position of the Inspection Service 57
    II.4.2. Position of the parties 57

    II.4.3. Judgment of the Disputes Chamber 59
 II.5. Handling requests from data subjects to exercise their rights (Article 12.1

        and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR) 68

    II.5.1. Position of the Inspection Service 68
    II.5.2. Position of the parties 68
    II.5.3. Judgment of the Disputes Chamber 71

 II.6. Use of cookies on the defendant's websites (Article 4.11), Article 5.1.a) and 5.2,
        Article 6.1.a), as well as Article 7.1 and 7.3 GDPR) 76

    II.6.1. Position of the Inspection Service 76
    II.6.2. Position of the defendant 76
    II.6.3. Judgment of the Disputes Chamber 77

 II.7. Accountability of the defendant (Article 5.2, Article 24.1, as well as Article 25.1 and
        25.2 GDPR) 77

    II.7.1. Position of the Inspection Service 77
    II.7.2. Position of the defendant 78
    II.7.3. Judgment of the Disputes Chamber 79

 II.8. Register of processing activities (Article 30.1, 30.2, and 30.3 GDPR) 81

    II.8.1. Position of the Inspection Service 81
    II.8.2. Position of the defendant 81
    II.8.3. Judgment of the Disputes Chamber 82

 II.9. Involvement of the DPO (Article 38.1 and Article 39.1 GDPR) 83

    II.9.1. Position of the Inspection Service 83
    II.9.2. Position of the defendant 84
    II.9.3. Judgment of the Disputes Chamber 84

 II.10. Additional considerations regarding the inspection report 85

III. Sanctions and corrective measures 87

 III.1. Established infringements 87

 III.2. Measures imposed by the Disputes Chamber 89

    III.2.1.Corrective measures to bring processing into compliance with GDPR 89
    III.2.2.Administrative fines 91

 III.3. Other grievances 112

IV. Publication of the decision 112 Decision on the merits 07/2024 - 3/114



I. Facts and procedure


 1. The subject of the complaint concerns the alleged unlawful processing and

      commercialization of personal data of the complainants by the former NV
                                                                         1
      B ISNODE BELGIUM, now known as “B LACK TIGERB ELGIUM”.

 2. B ISNODE BELGIUM is, in its own words, a direct marketing and big data specialist that already...

      has been active on the B2B market in Belgium for several decades. This was for several years

      company active in the field of data broking (broker in data), where

      B ISNODE B ELGIUM purchased data from sources and processed this data for

      account of its customers, who themselves carried out direct marketing activities, either for

      companies, either for private individuals or consumers.


 3. On October 23, 2020 and on November 27, 2020, the two complainants must, each separately,

      submit a request to the defendant, to exercise their right of access accordingly

      Article 15 GDPR.

 4. On November 13, 2020 and December 23, 2020, they will each receive an answer to their

      request. Both responses are sent by regular mail by the defendant, and

      provide further explanation about the various files in which the personal data of

      the complainants are included or not, as well as a summary of the categories of

      personal data available to the defendant, the processing purposes and the

      legal basis (Article 6.1.f) GDPR). Furthermore, the defendant provides a list “of the

      (potentially) involved sectors” within which companies are active that may be

      may receive personal data of the complainants from the defendant. The defendant

      then clarifies that the complainants' personal data will be kept for 15 years from

      the last registration is kept in its database, and lists the sources of the

      personal data in the consumer file [the Z8 company] resp. It

      company database (Belgian Official Gazette and Crossroads Bank for Enterprises). Also
      the defendant emphasizes that he does not use automated decision-making,

      but assesses the so-called “marketing potential” of those involved for each

      user to create a marketing segmentation profile. The defendant states

      also that he, or “one of his customers”, “includes” the personal data of the complainants

      certain cases” to countries outside the EEA. Finally, the

      defendant to the complainants the opportunity to exercise their other rights and more

      Information about this can be consulted on the website www.bisnodeenu.be as well as on the website www.bisnodeenu.be

      possibility to file a complaint with the Data Protection Authority.






1See edge no. 36 in this decision.
2Conclusions of the defendant dated March 7, 2022, p. 2. Decision on the merits 07/2024 - 4/114



 5. On January 28, 2021, the complainants will submit a joint complaint to the

       Data Protection Authority, against the defendant. The complainants complain about it
       that as a data broker it processes a large number of their data, but without

       their knowledge, and therefore in violation of Article 13 or 14 GDPR, nor the preceding

       consent. According to the complainants, these data were held by different parties

       purchased, if necessary enriched, and then resold to third parties for

       commercial purposes.The complainants also object to the fact that some personal data

       are more than 15 years old, and are therefore incorrect. In addition, the complainants believe that the

       defendant applies profiling to their data before passing on this profile data

       to sell. In conclusion, the complainants state that the defendant has Article 12.3 GDPR

       violated by providing the requested information on paper while exercising

       of their rights by data subjects necessarily had to be done electronically

       to happen.


 6. On March 15, 2021, the complaint will be declared admissible by the First Line Service on the grounds
       of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG

       transferred to the Disputes Chamber.


 7. On March 22, 2021, the Disputes Chamber will decide on the basis of Articles 63, 2° and 94, 1° WOG

       to request an investigation from the Inspection Service.


 8. On March 24, 2021, the request from the
       Disputes Chamber to conduct an investigation and transfer it to the Inspection Service,

       together with the complaint and the inventory of the documents.


 9. On March 31, 2021, B ISNODE B ELGIUM will be acquired by [the parent company Z1] 3

       and the former directors will be replaced by new directors, including [...]

       who also sits as chairwoman on the board of directors of [the parent company Z1].

 10. The investigation by the Inspection Service will be completed on May 20, 2021, and the report will be

       is added to the file and the file is transferred by the Inspector General to

       the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG).


       The report contains findings regarding the subject of the complaint and decision

       that the defendant has committed violations of the following provisions of the GDPR:

           i. Articles 5.1.a) and 5.2, as well as Article 6.1 GDPR;


          ii. Articles 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR;



3[Z1], established in […], registered on the National Trade and Companies Register (Registre national du commerce
et des sociétés) of France with SIREN number […]. At the General Meeting of […] June 2023, the name of the
company changed to “Z2”; the minutes of this General Meeting were recorded on […] November 2023

registered with the Commercial Court of Paris (see paragraphs 28 and 34 in this decision).
4B.S., April 21, 2021 – https://www.ejustice.just.fgov.be/[...].
5See the French government website L'Annuaire des Entreprises: https://annuaire-entreprises.data.gouv.fr/[...]. Decision on the merits 07/2024 - 5/114



         iii. article 12.1, article 13.1 and 13.2, article 14.1 and 14.2, article 5.2, article 24.1, and article
               25.1 GDPR.


       The report also contains findings that go further than the subject of the complaint

       In particular, the Inspection Service determines that the defendant complies with the following provisions of the

       GDPR has violated:

         iv. Article 4.11), Article 5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR;


          v. Article 5, Article 24.1, as well as Articles 25.1 and 25.2 GDPR;

         vi. Articles 30.1, 30.2, and 30.3 GDPR;


         vii. Article 38.1 and Article 39.1 GDPR.


       Finally, the Inspection Service determines that the processing of personal data leads to the

       core activities of the defendant, and that these are systematic and on a large scale
       processes personal data for, among other things, direct marketing purposes.


 11. On June 15, 2021, the name of B ISNODE BELGIUM will be changed to B LACK T IGERB ELGIUM6.

       However, the company number […] remains unchanged.

 12. On September 30, 2021, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and

       Article 98 WOG states that the file is ready for substantive treatment. The involved

       Parties will be notified by registered mail of the provisions such as:

       mentioned in Article 95, § 2, as well as in Article 98WOG. They are also stated on the basis of

       Article 99 WOG of the deadlines for submitting their defenses.


 13. On October 4, 2021 and October 8, 2021, the defendant respectively the complainant a copy of

       the file (Article 95, § 2, 3° WOG), which was sent to them on October 8, 2021.

       Both parties accept further exchanges of documents electronically.

 14. On October 13, 2021, the defendant indicates that he wishes to make use of the

       opportunity to be heard, in accordance with Article 98 of the WOG, and he requests it

       to be able to express in French, both in the context of his conclusions and during the

       hearing before the Dispute Chamber, since the defendant has its seat in bilingual

       Brussels Capital area, is registered in French with the Crossroads Bank of

       Companies, has its articles of association in French, and is part of the French “B LACK
                    7
       TIGER GROUP”.

 15. On November 3, 2021, the parties will be informed of the suspension of the previous

       communicated conclusion periods, pending a decision by the

       Dispute chamber regarding the language of the procedure. The complainant will let us know on November 6, 2021




6B.S., June 30, 2021 – https://www.ejustice.just.fgov.be/[...].
7See edge no. 36 in this decision. Decision on the merits 07/2024 - 6/114


     that he opposes the change of the procedural language to French, as he

     insufficient command of French, nor the means to write French-language documents

     to have it translated. On November 13, 2021, the complainant reports that he is allowing […]

     represent.

16. On November 29, 2021, the Disputes Chamber decides not to respond to the request of the

     defendant to change the language of the proceedings to French, for the following reasons

     reasons:

          - The position of the defendant - The Dispute Chamber determines that the defendant

              should be classified as a large company, with more than 100 full-time employees

              employees in 2020. The Disputes Chamber also notes based on the documents

              of the file that the defendant is a Dutch-speaking as well as a

              French-speaking target audience.

          - The position of the complainant—The Dispute Chamber determines that the complainant is directly

              has an interest in a decision of the Disputes Chamber as the complaint relates

              has to exercise his rights in relation to him

              personal data collected and processed by the defendant.

          - Abuse of the option to object to complicate the procedure - In view of the

              bilingualism of the defendant, as evidenced, among other things, by the answers given by the

              complainant received in Dutch as well as the bilingual website of the

              defendant, also located in the bilingual area of Brussels-Capital, judges
              the Disputes Chamber that the defendant's request to change the procedural language

              change, unnecessarily complicates the procedure before the Disputes Chamber.


          - Other specific circumstances in the case - The Disputes Chamber takes note
              of the fact that the defendant during the investigation by the

              Inspection Service has always expressed in French; the Disputes Chamber considers this

              argument, however, is insufficient to justify a change in the procedural language

              justified, taking into account the previous elements. Finally wishes

              the Disputes Chamber to emphasize that it also does not understand to what extent the

              takeover of B ISNODE BELGIUM by the French group B LACK TIGER. A change is possible

              justifying the language in which the dispute settlement procedure will be conducted
              become.


     Consequently, both parties must submit their defenses in Dutch. It

     However, the parties are free to provide any supporting documents in their original language

     without the GBA being responsible for its translation. Decision on the merits 07/2024 - 7/114


     The parties involved will also be notified by registered mail

     new deadlines for submitting their defenses, in accordance with Articles 98 and

     99 WOG.


     With regard to the findings regarding the subject of the complaint, the

     deadline for receipt of the defendant's response

     recorded on January 24, 2022, this for the conclusion of the complainant's reply on 14
     February 2022 and finally this for the conclusion of the defendant's rejoinder on March 7

     2022.


     With regard to findings that go beyond the subject of the complaint, the

     deadline for receipt of the defendant's response

     recorded on January 24, 2022.

17. On January 24, 2022, the Disputes Chamber will receive the response conclusions from the

     defendant with regard to the findings regarding the subject of the

     complaint. The Disputes Chamber hereby establishes that the defendant has not objected further

     against the use of Dutch by the Disputes Chamber and its written statements

     has drawn up comments in Dutch.

18. On February 15, 2022, the Disputes Chamber will receive the complainant's response conclusions,

     with regard to the findings regarding the subject of the complaint.


19. On March 7, 2022, the Disputes Chamber will receive the conclusions of the defendant's rejoinder

     with regard to the findings regarding the subject of the complaint.

20. On August 3, 2022, the Disputes Chamber decides to issue an appeal pursuant to Article 56 GDPR

     to initiate a procedure to identify the lead supervisory authority

     as well as, where appropriate, other relevant supervisory authorities. The reason for this

     is the possible transfer of data processing responsibility in the context

     of the acquisition of B ISNODE BELGIUM by B LACK T IGER on March 31, 2021, as well as the

     statements by the defendant that his services were explained to the French

     supervisory authority (CNIL). There is also the possibility that those involved in
     other Member States are materially affected by the controversial processing of

     personal data by B ISNODEB ELGIUM, now LACK T IGERBELGIUM.


21. On October 6, 2022, the CNIL confirmed that it is investigating to what extent it is leading

     supervisory authority will act as a result of the takeover by B LACK TIGER. On 19 and

     October 27, 2022 the Polish and Italian supervisory authorities respectively

     inform the GBA that they wish to act as the relevant authority.

22. On November 15, 2022, the CNIL confirmed to the GBA that B LACK TIGER contacted the CNIL

     has included, but only with regard to the development of the “Data

     Quality” platform, which contains a specific module dedicated to GDPR compliance. Decision on the merits 07/2024 - 8/114



      The CNIL, on the other hand, clarifies that it cannot yet confirm whether there will be any exchanges

      have taken place between its services and B LACK T IGER regarding the possible
      cross-border nature of B LACK TIGER's processing operations. What hair

      authority for the processing of the group B LACK T IGER, the CNIL confirms this

      it is trying to determine whether the group's headquarters has changed in the period after

      takeover of the Belgian company by the French company. The CNIL closes

      with the comment that it is awaiting additional information on this point.


 23. On December 22, 2022, the CNIL will inform the GBA that, pursuant to the

      information provided by B LACKT IGER has led to the conclusion that B LACK TIGERB ELGIUM

      has retained its decision-making bodies following the acquisition of B ISNODE in March 2021

      B ELGIUM by [Z1], the French parent company of the BLACK TIGER group. The CNIL states

      more specifically, that the executive body of B LACK TIGER B ELGIUM despite the

      acquisition remained responsible for the formal decision to terminate the Data Delivery

      to cease data broker activities. Therefore, the CNIL concludes, it is Belgian
      BLACK TIGERB ELGIUM branch is the main branch for the disputed processing and remains the

      authority of the GBA as lead supervisory authority unchanged.


 24. On January 19, 2023, the parties will be notified that the hearing will

      take place on February 22, 2023.


 25. On February 22, 2023, the parties will be heard by the Disputes Chamber.

 26. The minutes of the hearing will be submitted to the parties on March 2, 2023.


 27. On March 10, 2023, the Disputes Chamber will receive some information from the defendant

      comments regarding the official report, which it decides to include

      her deliberation.

 28. On […] June 2023, the General Meeting of [the parent company Z1] will approve unanimously

      the tenth decision is good, changing the name of the company to “[de

      parent company Z2]”.


 29. On August 7, 2023, the Disputes Chamber decides to reopen the debates regarding

      specific points related to the case at hand.

 30. On August 8, 2023, the supervisory authorities concerned will be informed by means of a

      request for mutual assistance 8 formally informed of the withdrawal of the

      cooperation procedure in accordance with Article 60 GDPR, given the lack of






8Article 61.1 GDPR — “The supervisory authorities shall provide each other with relevant information and mutual assistance to
implement and apply this Regulation in a consistent manner, and take measures to effectively
working together. Mutual assistance mainly covers information requests and supervisory measures, such as
requests for prior authorization and consultations, inspections and investigations.” Decision on the merits 07/2024 - 9/114



      determination in the present case of cross-border data processing
      the meaning of Article 4.23) GDPR.


 31. On 6 September 2023, the Disputes Chamber received the conclusion of the response due to

      complainant.

 32. On September 11, 2023, the Disputes Chamber will receive the response statement

      defendant, which she decides to include in her deliberations.


 33. On October 31, 2023, the Disputes Chamber informed the defendant of its intention to transfer

      to impose an administrative fine and its amount

      made known, in order to give the defendant the opportunity to defend himself,

      before the sanction is actually imposed.

 34. On […] November 2023, the Registrar of the Commercial Court of Paris shall register

      under file number […] the deed of company containing the official report of the

      General Meeting held on […] June 2023 as well as the articles of association of [de

      parent company Z2], as updated following the decisions of the General

      Meeting.


 35. On November 24, 2023, the Disputes Chamber will receive the defendant's response to the
      intention to impose corrective measures and an administrative one

      fine, as well as the amount thereof. The Disputes Chamber accepts this response

      consideration in the context of its deliberation.




II. Justification


    II.1. Competence of the Belgian Data Protection Authority


 36. Between 2007 and 2020, B ISNODE B ELGIUM was part of [the company Z3], hereinafter

      '[Z3]'), an international holding company consisting of entities mainly in North and East

      Europe. On October 8, 2020, the Swedish private equity firm [Z4], also announced

      majority shareholder (70%) of B ISNODE AB, the sale to [the company Z5]

      of all its shares in the holding company ISNODE AB, excluding the operational activities of

      B ISNODE BELGIUM .

 37. The Disputes Chamber notes that B ISNODE BELGIUM was taken over on March 31, 2021

      by the French company [Z1]—now [Z2]—, trading under the commercial name

      B LACK TIGER GROUP . As a result of the takeover, the name B ISNODE BELGIUM was changed to 15

      June 2021 changed to BLACK T IGERBELGIUM.





9See edge nos. 28 and 34 in this decision. Decision on the merits 07/2024 - 10/114


 38. The Disputes Chamber rules that this takeover of B ISNODE BELGIUM by the French group

      B LACK TIGER as well as the name change to BLACK TIGERB ELGIUM have no impact on the

      jurisdiction of the GBA with regard to alleged infringements of the GDPR, because

      the following reasons.


 39. First of all, the Disputes Chamber points out that the original complaint was directed against

      B ISNODE BELGIUM NV, established in Belgium, as well as the website https://bisnodeandyou.be,

      currently no longer accessible, on March 31, 2021 still explicitly B ISNODE BELGIUM

      stated as controller for the processing of personal data. 10



















 40. Under Article 55 GDPR, each supervisory authority has the power to:

      territory of its Member State to perform the tasks and exercise the powers

      that have been assigned or granted to it in accordance with the GDPR. It follows that the

      Belgian data protection authority was competent at the time of the complaint

      of the processing activities carried out by ISNODE B ELGIUM. The fact thatISNODE BELGIUM
                                                                                         11
      was still owned by the Swedish listed group [Z4] until March 31, 2021, can

      do not lead to a lack of jurisdiction under the GBA. The defendant's contention that

      B ISNODE BELGIUM only had “little room for maneuver to […] its own strategies

      and determine policy regarding personal data” 12 is also not convincing to the Disputes Chamber.

      After all, after the transfer of the parent company B ISNODE AB to [the Z5 company].

      October 2020, B ISNODE B ELGIUM could no longer be considered bound by the

      former policy choices imposed by B ISNODE AB.


 41. That the defendant was taken over by a French group at the time of the investigation,

      nor does it lead to the conclusion that the GBA is not competent for the processing of

      personal data until the aforementioned date of takeover. In this case, the Disputes Chamber

      established that the processing activities of the defendant, including the various

      websites managed by him are aimed at a Belgian target audience and



10
  Item 12 (“Screenshots of the website https://bisnodeandyou.be/”) in the inventory, p. 4.
1In October 2020, [Z4], a Swedish listed group and majority shareholder (70%) of the
BISNODE group ISNODE ASWEDEN), the sale of all its shares to [the company Z5], with the exception of
operational activities in verISNODBELGIU.
12
 Conclusion in the defendant's rejoinder dated March 7, 2022, p. 2. Decision on the merits 07/2024 - 11/114



      relate to the person concerned and established in Belgium. The defendant's statement that

      “Bisnode Belgium [before and after the entry into force of the GDPR] ensured that
      [the company] had an appropriate internal organization to meet its requirements

      obligations towards the persons whose personal data it holds,”

      as well as that “the new buyer was in no way involved and[sic]in the course of

      these events [the alleged infringements]” also confirms the jurisdiction of

      the GBA.


 42. Finally, and for the sake of completeness, the Disputes Chamber notes that the defendant in no way

      currently questions the authority of the GBA to deal with the complaint on the merits

      stated. On the contrary, both during and following the hearing of February 22

      2023, the defendant disputed that there was a cross-border situation

      processing within the meaning of Article 4.23) GDPR, with the result that the application of

      According to the defendant, Article 60 GDPR is not relevant. The mere circumstance that the

      website of B LACK TIGER BELGIUM mentions a branch in Poland, according to the
      defendant is in no way sufficient as such to establish the existence of a cross-border

      to make processing plausible. In connection with the above, the GBA has

      circumstances, the cooperation procedure pursuant to Article 60 GDPR is terminated. 13


 43. The Disputes Chamber will hereafter review the data processing activities carried out by the

      defendant, before summarizing each of the findings included in the report

      to assess the Inspection Service in the light of the relevant information provided by the parties

      resources supplied.



    II.2. Description of the disputed processing activities by the defendant


 44. Based on the documents submitted, the Disputes Chamber understands that the defendant

      at the time of the complaints, it managed three different databases with personal data

      had:

          i. the consumer file Consu-Matrix (hereinafter, “CMX”), which contains personal data

               of consumers that the defendant contains from various external sources (“source

               partners”) has collected. These sources create their own customer databases

               disposal to B ISNODE B ELGIUM for commercialization with a view to direct

               marketing purposes. CMX is a B2C information database intended for







13
 See edge no. 30 in this decision.
1 Document 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service, p.4; Piece 8 (“Bisnode
Belgium GDPR Governance B2C de 2019”) submitted to the Inspection Service; Part 9 (Bisnode Belgium GDPR Governance
B2B de 2019) submitted to the Inspection Service. Decision on the merits 07/2024 - 12/114



               marketing, analysis, profiling, statistics, verification and audit purposes
                                                                                     15
               (data quality), as well as for reference and “other” purposes.

          ii. the Spectron company file, which contains company and contact details of

               Belgian companies that the defendant acquired through

               public/government sources (Crossroads Bank for Enterprises, National Bank

               of Belgium) as well as via commercial data sources. Spectron is a B2B

               information database intended for marketing profiling, analysis,

               credit purposes, statistics, verification and control purposes
                                                                                   16
               (data quality), as well as for reference and “other” purposes.

         iii. the Permesso direct marketing file, which contains personal data from

               “Permesso members” that the defendant has via an online marketing platform

               collected. Personal data included in Permesso is intended for:

               marketing and direct marketing purposes (marketing, analysis, profiling and

               statistics).


 45. Unlike Permesso, which contains personal data collected directly from the

       data subjects have been collected for direct marketing purposes, based on consent

       of the data subjects (Article 6.1.a) GDPR), CMX and Spectron are exclusively supplemented with

       personal data collected indirectly, on the basis of

       legitimate interest of the defendant and its customers (Article 6.1.f) GDPR).


        II.2.1. Processing responsibility



 46. A controller is defined as “a natural person or

       legal entity, a public authority, a service or another body that, alone or

       together with others, the purpose and means of processing personal data
       determines” (Article 4.7) GDPR). This is an autonomous concept, specific to the regulations

       on data protection, which should be assessed against the criteria that

       are established therein: the determination of the purposes of the data subject

       data processing and the means for that processing.









15Free translation of: “purposes of marketing, analysis, profiling, statistics, verification and control (Data Quality), directory
(reference purposes) and other” in Document 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”) submitted to the
Inspection service.
16
 Free translation of: “purposesofanalysis,creditpurposes,marketingprofiling,statistics,verificationandcontrol(DataQuality),
directory (reference purposes) and other” in Section 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”)
to the Inspection Service.
17Free translation of: “marketing/direct marketing purposes (marketing, analysis, profiling and statistics)” in Section 1 (“DPIA
Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service. Decision on the merits 07/2024 - 13/114


 47. The aforementioned databases were set up and managed by B ISNODE BELGIUM, such as

       irrefutably proven by the internal documentation submitted to the GBA during

       the research (own underlining and filtering):




























 48. In view of the information available, the Disputes Chamber considers this sufficient

       proven that the B ISNODE BELGIUM was the controller at the time of the complaints

       acted for the aforementioned processing activities.

 49. Until March 2021, B ISNODE BELGIUM offered to its customers on the Belgian B2B market


       two separate activities: on the one hand, a “Data Quality” service, which consists of:

       improve the quality or relevance of customer data, and on the other hand, a “Data

       Delivery” service, which consists of providing data to customers

       who do not yet have them and which enable them to carry out direct marketing campaigns

       feed. Both Spectron and CMX were processed by the defendant for Data Quality
                                                  19
       (DQ) and for Data Delivery (DD) purposes. In concrete terms, the data from CMX

       customers of the defendant for enrichment purposes or rented out for

       direct marketing purposes (mainly by post). The Spectron

       company base was also marketed to customers of the

       defendant, who could use the data from this file for his own, directly

       marketing purposes .21





18 Piece 1 ("DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso") and Piece 30 ("Bisnode Belgium - Copy of Record of
Processing”), transferred by the defendant to the Inspection Service in the context of the investigation.
19
  Document 30 (“Bisnode Belgium – Copy of Record of Processing”) submitted to the Inspection Service.
20Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 3.
21Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the

defendant, p. 1: “Bisnode compiles data from different sources: […] (ii)via public sources such as, for example, the Crossroads
Bankfor Enterprises. […]ThepurposeofsuchprocessingoperationforBisnodeisincreaseandincreaseitsproprietaryB2B
databaseSpectron, in ordertodeliverbetterservices.Thoseservicesmayinclude […]deliveryofdatasetsfordirectmarketing
purposes on the basis of specific criteria (segmentation) covering offline and digital channels, including social media”. Decision on the merits 07/2024 - 14/114


 50. Following the takeover by B LACK T IGERG ROUP on March 31, 2021, the renewed

      new board of directors of B LACK TIGER BELGIUM on June 25, 2021 opted to

      to discontinue activities in connection with the Data Delivery services. Also became

      decided to destroy the CMX consumer file on July 30, 2021, as well as the

      Permesso direct marketing file . Until that date, the data was taken from CMX

      — including the personal data of the complainants — sold, rented or for sale

      made available to companies with a view to their direct use

      marketing purposes, and in particular for sending advertising messages as well

      for validation, identification and analysis purposes. All customers of the defendant


      additionally received a communication informing them that B LACK T IGER

      B ELGIUM intended to discontinue the “B2CDataDelivery” activity, although it already existed

      contracts with customers of these services were terminated, customers could

      from the defendant who had received data before or on July 30, 2021,

      in accordance with the contractual provisions and data already provided
                                            24
      use until October 30, 2021.


 51. The Data Delivery service for the professional market (“B2B Data Delivery”), which

      related to the Spectron company file, was canceled with effect from 1 December
                                                                             25
      2021 transferred by B LACK TIGER BELGIUM to [the Z6 company]. Customers of the

      defendant who had received data up to November 30, 2021

      contractual right to use this data for another three months, until the end of February
            26
      2022 . This decision also testifies to the responsibility of B LACK TIGER BELGIUM

      with regard to the transferred processing activities.



       II.2.2. Data processing


 52. Article 4.2) of the GDPR defines a processing of personal data as


               “an operation or a set of operations relating to personal data or a

               set of personal data, whether or not carried out via automated processes, such as

               collecting, recording, organizing, structuring, storing, updating or modifying, retrieving,

               consult, use, provide by transmission, dissemination or otherwise

               making available, aligning or combining, shielding, erasing or destroying

               facts ".







22Ibid.
23Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 3.

24Ibid.
25Ibid.
26
  Ibid. Decision on the merits 07/2024 - 15/114


 53. Based on this definition and based on the documentation provided in the framework

      of the investigation as well as the conclusion phase, the Disputes Chamber distinguishes four

      various processing activities carried out by the defendant, and in particular:


           A. The processing of consumer data in the CMX database in the context of “B2C

               Data Delivery” service, whereby the defendant pursuant to Article 6.1.f)

               GDPR collects and enriches personal data of consumers for the purpose of
               the commercial supply of data to its customers, who use it

               use personal data for direct marketing purposes, and in particular for

               sending advertising messages, as well as for validation, identification and

               analysis purposes;


           B. the processing of consumer data in the CMX database in the context of “B2C

               DataQuality” service, whereby the defendant is provided on the basis of Article 6.1.f)GDPR
               collects, enriches and consolidates personal data from consumers

               payment, to assign a reliability score to personal data of

               consumers already in possession of the customers of B LACK TIGERBELGIUM, so that these

               can improve the quality of their data by formatting it, too

               to standardize, correct and/or link internally (matching);


           C. the processing of company data in the Spectron database in the context of

               “B2B Data Delivery” services, where the defendant is provided pursuant to Article
               6.1.f)GDPR personal data of natural persons associated with

               companies collects and enriches with a view to commercial delivery

               of the personal data to its customers, who provide this personal data

               use to send advertising messages 27 and for

               segmentation purposes (validation, identification and analysis of profiles);


           D. the processing of company data in the Spectron database in the context of
               “B2B Data Quality” services, which the defendant provides under Article

               6.1.f)GDPR personal data of natural persons associated with

               collects, enriches and consolidates companies to, for a fee, create a

               to assign a reliability score to personal data already in our possession

               by customers of B LACK TIGER BELGIUM, so that they can guarantee the quality of their

               can improve data by formatting, standardizing,...

               correct and/or internally link (matching).

 54. Since B ISNODEBELGIUM in the present case for each of these processing activities

      has determined both the means and the ends, B LACK T IGERB ELGIUM must be

      capacity as legal successor of BISNODE BELGIUM as



27Exhibit 12 (“Screenshots of the website https://bisnodeandyou.be/”) in the inventory, p. 38. Decision on the merits 07/2024 - 16/114


      be considered a controller. In light of the foregoing

      elements, the Disputes Chamber will then accept the findings by the Inspection Service

      the investigation report as well as the documents provided by the parties and their

      assess defenses step by step.



    II.3. Lawfulness of the processing (Article 5.1.a) and 5.2, as well as Article 6.1 GDPR)


       II.3.1. Position of the Inspection Service



 55. According to the Inspection Service, the defendant is wrongly appealing to his
      legitimate interests for the processing of the data of the complainants

      within the framework of his commercial activities, and he therefore infringes

      Article 6.1 GDPR.


 56. The Inspection Service notes in particular that the defendant has collected various personal data

      (including general personal information, contact details, professional details

      and family data) that are partly obtained from the data subjects themselves and partly from other sources

      — so-called “partners” of the defendant — have been obtained, processed on a large scale. This
      According to the Inspection Service, this implies that those involved cannot reasonably do so

      expect their personal data to be collected without their consent, systematically and against

      payment by the defendant to its customers for

      marketing campaigns, or are processed in the context of the freedom to

      actions of the defendant. Consequently, the third cannot be satisfied

      condition of Article 6.1.f) GDPR, the so-called balancing test between the interests of

      the defendant, on the one hand, and the fundamental freedoms and fundamental rights of the
                             28
      stakeholders, on the other hand.

 57. Moreover, according to the Inspection Service, the defendant does not demonstrate that his interests

      by weighing on those of the data subjects, thereby also violating Articles 5.1.a) and 5.2 GDPR.



       II.3.2. Position of the parties


           II.3.2.1. Relying on a legitimate interest (6.1.f) GDPR) as the basis for the

               processing of personal data and weighing of interests by B LACKT IGER
               BELGIUM



 58. The complainants essentially take the position that the processing of their
      personal data by the defendant for commercial purposes unlawfully

      manner, since the plaintiffs were not informed of this




28See Title II.3.3.3 below in this decision. Decision on the merits 07/2024 - 17/114



       never gave their consent. In other words, the complainant posits that the

       defendant cannot rely on a legitimate interest in collecting

       as well as the subsequent commercialization of his personal data.

 59. The defendant, on the other hand, states that he is permitted to do so on the basis of his

       legitimate interest, as well as that of its customers and partners, personal data

       to process complainants as well as other involved parties. According to the defendant, the

       Inspection service did not take into account all the elements that the defendant

       However, it had argued for its legitimate interests and the proportionality of the processing

       to demonstrate. The defendant would specifically have the Inspection Service during the investigation

       pointed out the relevant passages of the various LIA reports 29 that relate

       had on the identification of the data in question, but also on the legality,

       necessity and proportionality test. The Inspection Service's determination that the

       defendant did not take into account the three aforementioned cumulative conditions

       are therefore manifestly incorrect.


 60. The defendant also complains that the Inspection Service made no attempt

       has taken to determine the precise factual circumstances of the case.


 61. Legality test — First of all, the defendant argues that direct marketing as

       such constitutes a lawful purpose, as stated in recital 47 GDPR and reiterated
                                                  30
       in the GBA recommendation 01/2020. The defendant also points out that his

       legitimate interest in the continuation of its services regarding big data

       expertise, which he has been offering to his customers for years, on the basis of his
       fundamental freedom to conduct a business as provided in Article II.3 of the Code of

       economic law and Article 16 of the EU Charter of Fundamental Rights. The 31

       taking into account the freedom to conduct a business when assessing the balance of interests

       by the Disputes Chamber would therefore be indispensable. Therefore, the

       processing activities of the defendant in the context of his Data Delivery activity

       to the purpose or legality test.


 62. In addition, the Data Quality services would serve the legitimate interests of

       customers of B LACK TIGER BELGIUM, in particular to be able to implement effective marketing campaigns

       and to maintain - as the GDPR requires - databases that contain only correct ones

       and contain current information, according to the defendant. Also the Data Quality services

       would therefore meet the legality test.





29Legitimate Interest Assessment Reports; see edge nos. 95 and 130 in this decision.
30
  GBA — Recommendation No. 01/2020 of January 17, 2020 on the processing of personal data for direct
marketing purposes, https://www.gegevensbeschermingsautoriteit.be/publications/aanadvies-nr.-01-2020.pdf.
31Article 16 Charter of Fundamental Rights of the European Union — “The freedom to conduct a business is recognised
in accordance with Union law and national laws and practices.” Decision on the merits 07/2024 - 18/114



 63. Necessity test — Secondly, the need to process data can be
       nor, according to the defendant, for the intended direct marketing activities

       cannot be disputed, since sending mail is not intrusive under any law

       is prohibited, and direct marketing by post is not subject to any specific regulation

       which requires the prior consent of the recipients (as opposed to direct

       marketing by email). Consequently, the defendant argues, the processing activities are satisfactory

       of BLACK TIGER BELGIUM in the context of its Data Delivery activity also to the

       necessity test. According to the defendant, the report of the Inspection Service

       does not, however, adequately explain why there would be a shortage

       proportionality, as the defendant's activity consists precisely of large-scale

       collect data of various kinds. On the contrary, it would be “completely normal

       and legitimate” are that the defendant “collects various data to protect the family or

       to characterize a person's socio-professional situation”, “since the defendant
       has been professionally active in the sector for many years”. The defendant emphasizes that the

       large-scale processing of personal data falls within his expertise in big data, and

       according to him, no argument could be derived from the fact that data from

       are collected from various sources, nor to the large scale of the processing

       BLACK TIGER BELGIUM in the abstract.


 64. Balancing test — Third, the defendant maintains that, contrary to what the

       The Inspection Service claims to have weighed up interests properly and with the necessary accuracy

       has argued between his interests and the rights and freedoms of the data subjects, with

       taking into account the nature of the processing, its consequences for the data subjects, and
       the interests of the company. The defendant refers in particular to the

       documented considerations of interests 32 — which, according to the defendant, are only of

       apply to direct marketing campaigns by post — which were sent to the

       Inspection Service and taking into account:


           ▪ the economic interest of the defendant and its customers;

           ▪ the defendant's fundamental freedom to conduct a business;

           ▪ the negative and positive consequences of the processing, whereby it is done according to the

               defendant is not necessary to avoid any negative consequences for the data subject,

               but rather the intention is to have a disproportionate impact for this

               prevent those involved;


           ▪ the “rather innocent” nature of the data;





32Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant. Decision on the merits 07/2024 - 19/114


           ▪ the reuse and further processing of publicly available

               personal data from, among others, the KBO and the NBB;


           ▪ “the data subject's right to object/opt-out”; and

           ▪ making transparent information public on, among other things, the website of the

               defendant and that of its data sources, as well as the mandatory indication

               of B ISNODEB ELGIUM in the advertising messages sent to them by customers

               goal audience.

 65. The defendant states that he came to the conclusion taking these interests into account

      that the negative consequences for those involved do not outweigh the

      positive consequences for the defendant and his customers, given the freedom of

      entrepreneurship, as well as the positive consequences for those involved themselves, which

      the processing of their personal data will no longer receive irrelevant advertising.

 66. Accordingly, the legitimate interests invoked by the defendant

      according to the defendant, constitute an appropriate basis for the processing of

      personal data of data subjects, since the defendant takes a series of measures

      has taken to maintain the balance at all times in the context of the proportionality test

      guarantees between the relevant interests, as well as to be able to demonstrate this

      in accordance with the accountability obligation resting on the defendant. In that regard

      refers the defendant in particular to the following, which he has already implemented
                   33
      measures:

           ▪ an extensive due diligence of the data sources in terms of

               data protection, including thorough analyzes of licenses of

               public sources regarding the reuse of public data;

           ▪ the obligation for data sources to inform data subjects about the

               transfer of their data to the defendant, so that the defendant or other

               companies can deliver personalized offers to those involved;

           ▪ the mandatory mention of “B ISNODE BELGIUM” in the advertising message and the

               right of review of the defendant regarding the advertising message, in

               combination with conducting campaigns through the media to increase the visibility of

               to raise the defendant with those involved;

           ▪ compliance with the principle of minimal data processing as well as the fact

               that “data enrichment is only applied to data that is already in our possession

               of Bisnode Belgium customers” ;





33Conclusion of response dated January 24, 2022 from the defendant, p. 7.
34Conclusion of response dated January 24, 2022 from the defendant, p. 7 in fine. Decision on the merits 07/2024 - 20/114


           ▪ the effective possibility of data subjects to exercise their rights under the GDPR

               to practice; and


           ▪ taking appropriate technical and organizational measures.

 67. Reasonable expectations of those involved — In the alternative, the defendant posits that the

       assessment of the legitimate interest of the controller

       necessary to take into account the reasonable expectations of the


       person involved. Thus, the Inspection Service's determination that those involved would not

       expect the data to be processed “without their consent” and “for payment”.

       be irrelevant, because the criterion of reasonable expectations stated in
                                   35
       according to the defendant, recital 47 of the GDPR would only relate to the

       hypothesis of further processing of personal data within the meaning of Article 6.4
           36
       GDPR . Due to the reasonable expectations of those involved at the time of collection

       systematically taking into account the lawfulness of the processing

       fully rely — according to the defendant — on the subjective position of the

       those involved at a certain point in time, which changes the other criteria for assessing

       the proportionality of the processing would be reduced to unnecessary

       considerations.Such reasoning would, moreover, “almost necessarily lead to the

       [lead] to the conclusion that LACK TIGER BELGIUM has no overriding legitimate interest, since the

       By definition, those involved cannot or only with difficulty expect their data to be available to them

       will be subject to technical processing such as that carried out by the

       defendant is being executed (and which is also part of his secret know-how)”, 37

       so that in fact any activity of DataDelivery in a broad sense becomes impossible. Thedefendant

       argues that the criterion of reasonable expectations is therefore not the only criterion

       can be used to assess proportionality.


       In addition, the degree of transparency must also be taken into account

       the data processing; (ii) the defendant's efforts to contact those involved

       informing; and (iii) encouraging the data sources and customers of the defendant

       to “make an active contribution to those involved” . The defendant further states that

       the choice of a legitimate interest as a basis for the processing

       personal data “by definition” a certain infringement of fundamental rights and

       fundamental freedoms of those involved, but does not lead to a restriction of the

       obligations of a controller due to the GDPR. Those involved




35Recital 47 GDPR — “[…] In any case, a careful assessment is required to determine whether there is a
legitimate interest, as well as to determine whether a data subject is at the time and in the context of the collection of the
personal data can reasonably expect that processing can take place for that purpose […]”.
36Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 15.

37Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 16.
38Conclusion of response dated January 24, 2022 from the defendant, p. 8.
39
  Conclusion of the defendant's response dated January 24, 2022, p. 9. Decision on the merits 07/2024 - 21/114


     can always exercise their right to object, thanks to the transparency

     information on the defendant's website as well as the mandatory mention of B ISNODE

     B ELGIUM in the advertising messages that its customers send to data subjects.


68. However, if the Dispute Chamber were to accept the arguments put forward by the defendant

     rejected, the defendant requests that the handling of the case be suspended and a

     to submit a preliminary question to the Court of Justice of the European Union, regarding the
     interpretation of Article 6 GDPR and of the freedom to conduct a business under it

     Charter of Fundamental Rights of the European Union. According to the defendant, the

     Dispute Chamber namely:


              “a 'court or tribunal of a Member State' […] within the meaning of Article 267 of the Treaty
              on the functioning of the European Union, in the sense given by the Court of Justice

              autonomous understanding of Union law. It was established by the law of 3

              December 2017, has a permanent character, is certainly independent or at least should be

              according to both EU law and Belgian law, and it issues binding legal orders
              decisions at the end of an adversarial procedure that complies with

              legal rules that are laid down in particular in a clear separation between the

              research function on the one hand, and the judgment function on the other. As such, she has the right
              to request the Court of Justice of the European Union for a preliminary ruling on

              the interpretation and validity of the treaties and acts of the institutions,

              organs and agencies of the U.e

69. Finally, in his conclusions in response, the defendant emphasizes that the following elements

     are indispensable to properly assess the role of the defendant:


         i. B LACK TIGER BELGIUM is a big data specialist, i.e. a technical expert in the

              processing enormous amounts of data.

         ii. The now discontinued Data Delivery activities include:


                   i. purchasing data from different sources;

                  ii. processing this data to generate suitable datasets; and


                  iii. delivering these data sets to professional customers who require them

                      use it to enrich their own data or to try to create new ones

                      reach customers, at their own expense, directly

                      carry out marketing campaigns.

        iii. Since the personal data provided by the partner sources of B LACK TIGERB ELGIUM

              be collected, either directly from the data subjects or from third parties, it is included

              in the first instance to these sources to verify the legality of the initial

              to guarantee processing and to provide data subjects with information about the

              processing, purposes, etc. Decision on the merits 07/2024 - 22/114



         iv. Since B LACK TIGER BELGIUM mainly carried out technical processing
               in order to compile datasets that meet the needs of his professional

               customers complied, the defendant maintains that in this context he acted as

               processor and its customers as controllers. Therefore, the

               role of the defendant as controller strictly limited to the

               aggregation of data, being the technical processing within the context of

               its know-how which became available in its CMX database for direct marketing purposes

               kept for the benefit of its customers.


          v. It is then the defendant's professional clients who, after they receive the

               had received datasets that exactly matched their requests,

               personally sent direct marketing communications to those involved.

               Since the defendant has never conducted a canvassing campaign by post
               for its own needs towards consumers, the customers of the

               defendant, the only ones responsible with regard to the processing

               of personal data in the context of the sent directly

               marketing communications, now that they are the initiators of this, for their own

               needs.


         vi. The activities in the field of Data Delivery were almost exclusively related

               on the channel post, as opposed to emails, cell phone numbers, or

               other digital channels. These activities, described in detail in the

               response letter to the Inspection Service dated April 27, 2021

               governed by clear contractual agreements with both the sources and the
               professional clients of the defendant.



           II.3.2.2. Continuation of the Data Delivery service after the acquisition of B ISNODE

               B ELGIUM by BLACK TIGER


 70. In his conclusions, the complainant refers to the defendant's web page40 on which dated 14

       February 2022, the purposes for processing were still reported

       personal data, in particular: (a) Data Delivery, (b) Data Quality and (c) Internal use.












40https://avg.blacktigerbelgium.tech/uw-professionele-gegevens/waarom-professioneel/.
41The Disputes Chamber emphasizes that the complaints do not relate to internal use and that there are no
investigation was conducted into internal use, with the result that the Disputes Chamber will limit its assessment to the
first two processing operations. Decision on the merits 07/2024 - 23/114





















 71. In particular, the complainant believes that the defendant provided the following explanation in February 2022

       argues with regard to its Data Delivery services:


                In the context of our Data Delivery activities, we commercialize your data

                for prospecting and direct marketing purposes, to make available to our customers

                to enrich established databases, to draw up marketing profiles and/or to
                to conduct market research”.2


       In other words, the complainant posits that the defendant is contradicting himself

       conclusions, in 2022 was still engaged in direct marketing activities in the context

       of its Data Delivery activities — including creating profiles of

       those involved — based on data from public sources such as the Crossroads Bank of

       Companies, while such data is in principle solely intended to assist third parties

       possibility to check company data. Also with regard to processing

       of consumers' data, the defendant would have indicated that this

       processed by him, and in a number of cases also sent to his customers

       provided.

 72. In his summary conclusion, the defendant clarifies that the disputed communication on the

       website is purely the result of the transition periods specified in the agreements with

       customers of the B2B Data Delivery service, which delivers data until November 30, 2021

       Spectron had received. Notwithstanding the transfer of the services to

       [the company Z6] on December 1, 2021, these customers had the right to the

       provided data can be used for another three months, until the end of February 2022

       The defendant has therefore kept information about the categories on its website

       of collected data, the purposes of the processing and the rights of the

       those involved. The defendant states that this is expressly stated on the

       web page https://avg.blacktigerbelgium.tech/uw-professionele-gegevens/, which precedes

       to the web page containing the description of the complaint cited by the complainant


42
  Conclusions of the complainant's reply dated February 15, 2022, p. 2.
43See edge no. 51 in this decision. Decision on the merits 07/2024 - 24/114


       processing purposes. In short, according to the defendant, the complainant is wrong

       positing that B LACK TIGER BELGIUM would still resell personal data in 2022

       to its customers.



            II.3.2.3. Processing government data from the KBO for direct marketing

                purposes, by B LACK TIGER BELGIUM



 73. The complainant states that the contact details of the entities registered with the

       Crossroads Bank for Enterprises both via the “public search” web page and via

       so-called “KBO Web Services” or reuse files are made available.

       Although it is legally possible to purchase a data license from the KBO for

       reuse of company data, according to the complainant it is unclear whether the defendant does

       has the necessary KBO annual subscription to be able to use this data.


       Regardless of this license for reuse, the complainant states that it is in accordance with Belgian law on

       KBO is nevertheless expressly prohibited from using KBO data for direct marketing,

       with the result that the use of KBO data for direct marketing purposes by B LACK

       TIGER BELGIUM constitutes at least a violation of the law.


       The complainant points out that making KBO data available via the "public search"

       functionality is in accordance with Article III.31 of the Economic Code
            44
       law and in accordance with Article 1 of the Royal Decree of March 28, 2014

       implementation of Article III.31 of the Code of Economic Law, in particular the


44
  Code of Economic Law, B.S., March 29, 2013, article III.31 — “All natural persons, legal persons or entities
have access, via the internet, to data referred to in Article III.29, § 1, registered in the Crossroads Bank of
Enterprises. At least a freely accessible website is provided on which this data is available in a readable format
can be found […]”.
45Royal Decree implementing Article III.31 of the Code of Economic Law, in particular the provision of

data from the Crossroads Bank for Enterprises that are accessible via the internet, as well as the conditions for it
consult it, B.S., April 28, 2014, article 1 - Ҥ 1. The following information from the Crossroads Bank for Enterprises is available via
the Internet accessible:
   1° the company number and the establishment unit number(s);

   2° the names of the registered entity and/or its business units;
   3° the addresses of the registered entity and/or its business units;

   4° the legal form;
   5° the legal situation;
   6° the economic activities of the registered entity and its business units;

   7° the qualities according to which the registered entity is registered in the Crossroads Bank for Enterprises;
   8° […];

   9° the surname and first name of the founders and of the persons who exercise a function in the registered entity
   which is subject to disclosure;
   10°the reference to the website of the registered entity, its telephone and fax numbers as well as its e-mail address;[…]

§2.The name and address of the natural person's place of residence are not shown when accessing the paragraph
1 stated data, unless:
   (a) either this name corresponds to the name of the registered entity or its establishment unit;
   b) or the address of the place of residence corresponds to the address of its business unit.

§ 3. Only the active data referred to in paragraph 1 are stated.
§ 4. Data that has a starting date in the future or that has been discontinued is not listed. Decision on the merits 07/2024 - 25/114


       determination of the KBO data that are accessible via the internet as well as the

       conditions for consulting it.


       With regard to the provision of contact details in the context of web services or

       reuse files, the complainant believes that the KBO has a number of data available

       allows data reuse via the entire file. Included in this data

       including information regarding the entity and natural person as well as the names and

       first names of the persons who, within legal entities, perform functions or

       prove entrepreneurial skills.


 74. The complainant adds that as a person responsible for a company, he also has so-called

       can provide “declarative” additional contact details. Providing such

       contact details in the context of the web services or reuse files of the

       In principle, CBO must be carried out in accordance with Article III.33 of the Code of
                           46
       Economic law and the Royal Decree on the reuse of public data
                                                        47
       of the Crossroads Bank for Enterprises, which expressly prohibits public

       to use and/or share data from the KBO for direct marketing purposes

       redistribute:

                 Article 2 — § 1. The public data of the Crossroads Bank for Enterprises can

                 in accordance with the further rules and conditions of this decision, by the management service

                 be passed on to third parties for the purpose of reuse. However, third parties may not

                 use and/or redistribute personal data for direct marketing purposes.


                 § 2. The management service may neither use the identification number in the National Register nor the

                 pass on your identification number in the Crossroads Bank for Social Security to third parties.

                 § 3. The special conditions for reuse are laid down in a

                 license agreement between the licensee and the Belgian State”


       According to the complainant, this prohibition is also included in the privacy statements as well as the

       license agreements from the Crossroads Bank for Enterprises:


                 2.2 The licensee may not use the personal data for direct marketing

                 purposes, in accordance with Article 2 of the Royal Decree of 18 July 2008






Notwithstanding the first paragraph, given that it concerns a discontinued registered entity, the data intended in
paragraph 1, which were active at the time of the cessation of the registered entity”.
46
  Code of Economic Law, B.S., March 29, 2013, article III.33 — “Without prejudice to the provisions of the
Articles III.29 and III.30, the King, after advice from the Supervisory Committee, sets the data of the Crossroads Ban of
Companies that may be the subject of commercial or non-commercial reuse as well as the
modalities regarding their provision. Only the management department is allowed to provide these basic data to companies
provide”.
47Royal Decree of 18 July 2008 regarding the commercial reuse of public data from the Crossroads Bank
van Ondernemingen, B.S., October 29, 2008. Decision on the merits 07/2024 - 26/114


              regarding the reuse of public data from the Crossroads Bank

              Enterprises.”


75. In his rejoinder, the defendant states that he has a data license

     concluded with the KBO and also adheres to the terms of use of this license.

     According to the defendant, it is therefore established that he does not use KBO data directly

     marketing purposes, but processed exclusively for Data Quality purposes. The
     The defendant also emphasizes that “direct marketing” is not intended anywhere

     commercial purpose is stated in the license agreement concluded between B LACK

     T IGERBELGIUM and the FPS Economy.


76. Although he expressly stated in his first defense that the

     company and contact details of Belgian companies in the reference file “Spectron”

     — which have been obtained indirectly via both public/government sources (KBO, NBB) and
     via commercial data sources — also used for direct marketing purposes

     were made, the defendant stated during the hearing on February 22, 2023 that “it

     Nevertheless, it is clear that LACK TIGERB ELGIUM does not contain any data from the KBO

     direct marketing purposes”.


77. In his written comments regarding the report of the hearing dated 22

     February 2023, the defendant further emphasizes that B LACKT IGERBELGIUM itself never did the

     was the sender of promotional messages, nor the designer of the content of
     such messages. It is always the defendant's customers who

     are responsible for selecting addresses and sending

     advertising messages to these addresses.


      In any case, according to the defendant, this does not prevent his customers from doing the same

      may process data ourselves for direct marketing purposes, with the understanding that

      they then carry out processing using data already in their possession, and
      were therefore in no way supplied by B LACK TIGERB ELGIUM.


      Finally, the defendant argues that the only processing operations at issue are:

      promotional campaigns by post, excluding all digital or other

      means of communication.



          II.3.2.4. Mass processing of personal data of minors without
              permission


78. Based on the answers to the requests for access, the complainant determines that the

     defendant processes personal data of minors, in this case the minor

     children of the complainants. This data is said to have been obtained via [the Z7 company],

     as well as other commercial companies such as [the company Z8] and [the company Z9]. Decision on the merits 07/2024 - 27/114



       In this regard, the complainant refers to the alleged 21.10% share of the Belgian
       population of which [the company Z6] processes personal data, in order to conclude

       that the defendant processes an even larger volume of data, partly thanks to the

       data that the defendant purchases from additional suppliers.


 79. In his rejoinder, on the other hand, the defendant points out that he only

       limited data (date of birth and gender of the child, in relation to the information provided in the

       source file identified parent) of minors. This data will be

       used solely for segmentation purposes. In no event has the defendant

       data of minors is provided to its customers, with which they are directly contacted
       minors could send advertising.



            II.3.2.5. Retention periods apply to the collected personal data


 80. During the hearing on February 22, 2023, the complainant regrets the exceptionally long

       retention periods of 15 years after the last registration in the defendant's databases.

       The complainant states that if data is re-registered in any way

       databases of the defendant, a new term of 15 years begins. This would, by the way

       evident from the information that the complainants received in the response from the defendant, in which

       data that is more than 15 years old is included, including data from them

       children and a number of “outdated email addresses dating back to the mid-1990s”.


 81. To the question of the Disputes Chamber during the hearing of February 22, 2023, regarding

       what measures have been taken to assess and guarantee the quality of
       personal data that is 15 years old, the defendant merely replies confirming that the

       personal data will in principle be retained for a period of 15 years. When the

       The complainant then points out that the current privacy statement has a retention period of

       3 or 10 years, depending on the category of the person involved, the defendant answers

       that the current privacy statement is not relevant since the complaint as well as the

       investigation report, both of which are the subject of the present proceedings for

       the Disputes Chamber, relate to the period before June 2021.

                                                                                           48
 82. In addition, the defendant emphasizes this in the context of the reopening of the debates
       the old privacy statement has now been “completely annulled and replaced”.

       defendant that the privacy statement on the website is intended for the general public

       in contrast to the privacy statement that applies to data subjects who directly

       have received marketing communications, which mention the defendant by name





48 Conclusions of the defendant (“Additional Conclusion Black Tiger (1002387.1)”) submitted to the Disputes Chamber on
September 11, 2023.
49https://www.blacktigerbelqium.tech/privacy-policv. Decision on the merits 07/2024 - 28/114


             50
       is becoming . This distinction, which according to the defendant, does not relate to the nature of

       the personal data, is expressly emphasized on the first page of the
       modified general privacy statement — which would nevertheless be insufficient for the

       present case, according to the defendant.



            II.3.2.6. Enriching personal data with personal impact



 83. The complainant posits that the defendant enriches personal profiles on the basis of

       statistical data from the National Institute for Statistics, as well as that the
       the consequences of this enrichment are significant and immediately tangible for those involved. The complainer

       refers specifically to a specific company that has the creditworthiness of

       would determine its customers based on profile data as well as data provided by the

       defendant. The defendant's response to the requests for access would also reveal:

       it appears that the profiles of the complainants are classified as “Social class: elite class”.

       be .1


 84. In his rejoinder, the defendant disputes this claim of the complainant, which does not

       is supported by the documents in the file.

 85. During the hearing before the Disputes Chamber on February 22, 2023, the

       defendant asked the extent to which his Data Quality services are provided - whereby the

       customers of the defendant share their own customer files with the defendant for

       quality control, i.e. to check whether the personal data is sufficient

       are worthy of trust — also entails (a form of) data enrichment. The defendant

       answers that when receiving customer data about a specific data subject, he only

       will check whether more relevant data is now known about the same data subject — at

       As an example, an email address that came into use more recently — before a

       to assign a score with regard to the data supplied and to communicate this score

       to the client. According to the defendant, no new personal data will be collected

       transferred to customers in the context of the Data Quality services.



        II.3.3. Judgment of the Disputes Chamber


 86. Prior to its substantive assessment of the lawfulness of the processing

       of the complainant's personal data by the defendant, the Disputes Chamber wishes to

       emphasize that, contrary to what the defendant stated in his response dated 24




50
  Available on the website https://avg.blacktigerbelgium.tech.
51Part 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”), p. 3 and Piece 3 (“Response to the
request for access dated December 23, 2020 from Bisnode Belgium”), p. 2, as submitted to the Disputes Chamber in
in the context of the response's conclusions. Decision on the merits 07/2024 - 29/114


                                               52
       November 2023 on the sanction form, by no means “an incomprehensible confusion”.
       create “between the activities of Data Delivery and Data Quality”. Also disputes the

       Disputes Chamber the defendant's statement that there was no adversarial debate

       opened regarding the Data Quality services. Neither means convincing,

       for the reasons below.


       First, the complainants' grievances relate to the processing of their data

       personal data by the defendant, without the complainants expressly agreeing

       distinguish between the different services offered by the defendant.

       This is also logical; Data subjects cannot be expected to disclose commercial information
       names that a controller gives to the processing activities

       that he carries out, must expressly mention them in their complaint to the GBA. While also

       that the defendant did not provide any information in his answers to both requests for access

       makes a distinction depending on the service for which the personal data of the

       complainant respectively the complainant were processed. Specific to the complainant is the distinction

       defendant, on the other hand, between the consumer base, on the one hand, and the

       company base, on the other.


       Secondly, the investigation report explicitly refers to the answer dated
       April 21, 2021 from the Data Protection Officer (hereinafter, DPO) of the

       defendant to the questions from the Inspection Service, in which no distinction is made either

       created between the Data Quality and Data Delivery services. That answer shows

       very clear that the defendant considers both services jointly as “commercial activities”

       describes:


               “14.As indicated in the letters in response to the complainants' requests for redress

               access, Bisnode Belgium has processed their data in the context of its commercial
               activities based on Article 6 1 f) va” (free translation) .


       Thirdly, during the hearing on February 22, 2023, questions were asked to the

       defendant that were expressly related to the Data Quality services. The

       However, the defendant never objected to the statement during the hearing

       of these questions, which he, by the way, answered. The defendant was also free

       to mention the alleged “confusion” in his response to the report of the hearing

       to raise and dispute between both services, which again he does not have
       done.


       Finally, the defendant can hardly deny that he is already in his first

       defenses dated January 24, 2022 ex officio explained both services



52Response from the defendant to the sanction form dated October 31, 2023, p. 2, point (i), and p. 3 ,point (iii).
53“14. Comme indiqué dans les lettres en réponse aux demandes de droit d'accès des plaignants, Bisnode Belgium a traité
they do not use the framework for their commercial activities on the basis of the article 6 1 f) of the RGPD”. Decision on the merits 07/2024 - 30/114


       and has hereby referred to the documented considerations of interests for the

       different databases, in which no essential distinction is made

       depending on the Data Quality or Data Delivery services. It stands with others

       states that the defendant acted both during the investigation and in the context of the

       written debates before the Disputes Chamber with regard to the

       Data Quality as well as the Data Delivery services, which is sufficiently demonstrated

       by the documents submitted in the context of the statements of defense.


 87. According to Article 5.1.a) GDPR, personal data must be in a manner with regard to the

       data subjects are processed in a lawful, fair and transparent manner. Furthermore

       Article 6.1 GDPR stipulates that the processing of personal data is only lawful

       if and insofar as it is based on a valid legal basis. The

       Finally, the controller must be able to demonstrate that the processing

       is lawful, in view of the accountability obligation pursuant to Article 5.2 in conjunction with Article 24.1

       AVG rests on him.


 88. Based on the documents provided, the Disputes Chamber determines that the defendant

       Article 6.1.f) GDPR (legitimate interest) is relied on for the collection and processing

       of personal data in CMX and Spectron, while the consent of data subjects such as

       processing basis applies to data processing in the context of Permesso.


       However, in the context of the present case, the Disputes Chamber understands that the
                                                                              56
       personal data of the complainants were not processed in Permesso. Therefore, the

       Disputes Chamber limits its assessment in this regard to data processing operations that:

       relate to the CMX and Spectron databases.

 89. The defendant confirms in his conclusions that he is relying on Article 6.1.f) GDPR for

       the collection of personal data of data subjects from public and private sources,

       as well as for the inclusion and enrichment of the same personal data in different ones

       internal databases, before commercializing these personal data to its customers

       in the context of both Data Delivery and Data Quality services, for direct

       marketing purposes . This is further supported by the defendant's answers


       to both complainants, in response to their requests for access:



54
  Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant.
55See marginal nos. 64 et seq. in this decision.
56
  Document 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”), as submitted to the
Disputes Chamber in the context of the response.
57 Conclusions of the defendant's reply dated 24 January 2022, p. 11; Conclusions of the defendant's rejoinder dated 7 March
2022, p. 21
58
  Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant. Decision on the merits 07/2024 - 31/114


                 “Your data is processed by us on the basis of the following legal basis, in particular:

                 pursuit of our legitimate interest (art. 6.1.f of the General Regulation

                 Data protection) in the context of our commercial activities.    ”59


                 “We process as described in the Privacy Policy, available at www.bisnodeenu.be

                 your personal data in accordance with the GDPR. This data processing is

                 on the one hand, necessary to promote the legitimate interest of Bisnode Belgium,

                 on the other hand, to promote the legitimate interests of others. (Article 6.1.f GDPR).”60


 90. Since it is therefore established that the defendant has personal data of the complainants

        processed exclusively on the basis of Article 6.1.f) GDPR, the Disputes Chamber will not bow down

        about the processing of personal data by the defendant on the basis of the

        consent of those involved. 61


 91. In accordance with Article 6.1.f) GDPR and the case law of the Court of Justice of the

        European Union (hereinafter “CJEU”) in its judgment “Rīgas” , serves three cumulative

        conditions must be met for a controller to be legally valid

        rely on this legality ground, namely:


                 “[…] first of all, the promotion of a legitimate interest of the

                 controller or of the third party(ies) to whom the data is provided

                 secondly, the necessity of processing the personal data for the

                 pursuit of the legitimate interest, and, thirdly, the condition that the
                 fundamental rights and freedoms of the data subject

                 do not prevail”


 92. In order to be able to rely on legitimate interests in accordance with Article 6.1.f) GDPR,

        a controller must therefore demonstrate that:


            i. the interests it pursues with the processing can be justified

                 are recognized (the “target test”);


           ii. the intended processing is necessary for the realization of these interests

                 (the “necessity test”); and


           iii. the weighing of these interests against the interests, fundamental

                 freedoms and fundamental rights of those involved weighs in favor of the

                 controller (the “balancing test”).




59
  Answer from the defendant to the complainant, dated November 13, 2020.
60Reply from the defendant to the complainant, dated December 23, 2020.
61
  I.e., in the context of the website www.permesso.be and in the Permesso database.
62CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
'Rīgas satiksme' (ECLI:EU:C:2017:336), edge no. 28. See also CJEU, 11 December 2019, C-708/18, TK v/ Asociaţia de Proprietari
block M5A-ScaraA (ECLI:EU:C:2019:1064), edge no. 40.
63
  See also Decision on the merits 71/2020 of October 30, 2020, edge nos. 68-73 (available on the GBA website). Decision on the merits 07/2024 - 32/114


       The Disputes Chamber will address the controversial data processing operations 64 in the following sections

       test the three aforementioned conditions.




            II.3.3.1. Target test


 93. The Disputes Chamber reminds that the weighing of interests does not play a role if

       interest of the controller is unjustified, since the first

       threshold for the use of Article 6.1.f) GDPR in such circumstances is not

               65
       reaches . The interest pursued by a controller or

       third party must be distinguished from the objectives achieved through a
                                                    66
       certain processing is pursued. In the context of data protection it is

       After all, “purpose” is the specific reason why the data is processed: the

       purpose or intention of the data processing. The “interest”, on the other hand, is one

       broader concept and considers the value to the controller or the benefit

       that the controller, or society, may have in the processing. 67


 94. Since it does not behoove her to judge in the abstract the practice of

       data trading nor about the broader so-called data brokerage or data intermediaries

       industry, the Disputes Chamber will give its judgment in the present case in concrete terms, on

       on the basis of the various documents that the parties received both during the investigation and in


       have handed over the framework of the defenses, including a detailed analysis

       is evident from the various points of interest related to the activities

       defendant as data broker.


 95. As regards the first condition for invoking Article 6.1.f) GDPR, the

       defendant in the legitimate interest laid down
                                                                                                68
       assessment, hereinafter 'LIA') that the processing activities associated with CMX resp.

       Spectron 69 pursues the following goals:


                “[…] improving and expanding its own consumer database Consu-Matrix [resp.

                B2B database Spectron], to provide better services. These services can

                consist of (i) data analysis, (ii) enrichment, validation or other "Data Quality" services that
                aim to improve the quality of Bisnode customers' data, and



64See edge no. 52 in this decision.

65 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 30.
66Ibidem, p. 29.

67Ibidem, p. 29: "For example, a company may have an interest in the health and safety of its employees
nuclear power plant. In connection with this, the company may have as its purpose the implementation of specific
access control procedures that justify the processing of certain specified personal data to ensure the
to help ensure the health and safety of workers.”
68
  Document 2, as submitted by the defendant to the Inspection Service in the context of the investigation; Piece 5, like
transferred to the Disputes Chamber in the context of the conclusions in response.
69Document 3, as submitted by the defendant to the Inspection Service in the context of the investigation; Piece 6, like

transferred to the Disputes Chamber in the context of the conclusions in response. Decision on the merits 07/2024 - 33/114


                (iii) provision of data sets for direct marketing purposes on a specific basis
                                                                                                  70
                criteria (segmentation) that assess offline and digital channels, including social media.


 96. In particular, the defendant would process personal data

       included in the CMX database as well as the Spectron database, so the following specific ones
                                71
       pursue objectives:

           i. the commercialization and optimization of B LACK T IGER's activities

                BELGIUM as data broker;


          ii. improving the quality of data in customer databases

                in particular by validating, correcting and supplementing this data

                on the basis of the personal data that B LACK TIGER BELGIUM already has;


          iii. the grouping of personal data that a company has about a specific person

                possess; and


          iv. the analysis of data and the preparation of market segmentation profiles to

                to infer preferences of data subjects, so that (i) client companies provide them with suitable ones

                can offer products/services that correspond to their professional

                and personal situation and with the products/services they already own, and

                (ii) social networks or other media the advertisements on web pages

                client companies can adapt to the interests of those involved

                shown.

       The Disputes Chamber notes, partly in view of the wording used by the defendant,

       that the objectives pursued are for both Data Delivery and Data Quality

       services apply, regardless of whether the processed personal data is in the CMX

       database (B2C) or in the Spectron database (B2B).


 97. The “legitimate” nature of a pursued interest can generally be

       assumed to the extent that the three following conditions are met:


           i. The interest pursued must first be legitimate, or in other words acceptable

                under EU law or the law of a Member State. So it applies as




70Original text: “[…] to enhance and increase its proprietary consumer database Consu-Matrix [/ B2B database
Spectron], in order to deliver better services. Those services may include (i) data analysis, (ii) enrichment, validation or other
"DataQuality" servicesaimedatiimproving thequalityofthedataheldbyBisnode'scustomers,and(iii)deliveryofdatasetsfor
direct marketing purpose on the basis of specific criteria (segmentation) covering offline and digital channels, including social

media".
71 Document 2, as submitted by the defendant to the Inspection Service in the context of the investigation; Piece 5, like
transferred to the Disputes Chamber in the context of the conclusions in response (CMX); Document 3, as transferred by the
defendant to the Inspection Service in the context of the investigation; Document 6, as submitted to the Disputes Chamber in
in the context of the conclusions in response (Spectron).
72
  The Disputes Chamber is aware that the question of whether each interest is a legitimate interest, provided that that interest is not
is contrary to the law, and in particular the question whether this also applies to a purely commercial interest, is up to the Court of Justice
submitted in case C-621/22, Royal Dutch Lawn Tennis Association. What is stated here represents the current state of affairs
right again. Decision on the merits 07/2024 - 34/114



               general rule that interests that are recognized by or can be traced back to

               a legislative measure or a legal principle, a legitimate interest

               forms. It goes without saying that the pursued interest must not be in conflict

               the law, including legal restrictions relating to the relevant

               personal data.

          ii. The pursued interest must also be sufficiently clear and precise

               way to be determined: the scope of the legitimate interest pursued

               must be clearly defined so that this interest can be properly addressed

               weighed against the interests or fundamental rights and freedoms of the

               those involved.


         iii. Finally, the legitimate interest must be existing and effective at the time

               of the data processing (and therefore not fictitious or purely hypothetical).


 98. In the present case, the Disputes Chamber is of the opinion that the B2C Data Delivery

       respectively the B2C Data Quality services, namely:

          i. the interest for the defendant to enrich and improve its databases

               commercialize in the context of his freedom of enterprise; and


          ii. the interest of the defendant's customers to have the most current

               obtain personal data in order to enrich their own databases or their
                                                                             74
               to confirm correctness in the light of the principle of correctness, with its purpose

               conducting effective direct marketing campaigns;

       are clearly established, demarcated, real and current, with the result that the desired

       interests are legitimate.


 99. Regarding the specific complaints of the complainant that the defendant KBO data (in

       Spectron) would also use for direct marketing purposes, according to the Disputes Chamber

       however, it is established that the relevant refutations of the defendant 75 are not

       correspond to the documentation provided by him, nor to the

       screenshots from his website :6













73CJEU, 11 December 2019, C-708/18, TK t/ Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), edge no. 44.
74Pursuant to Recital 39 and Article 5.1.d) GDPR.
75
  See edge numbers 75 to 77 in this decision.
76Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant; Item 12 (“Screenshots from the website https://bisnodeandyou.be/”) in the inventory. Decision on the merits 07/2024 - 35/114





































 100. The Disputes Chamber also notes that the conditions in Appendix 2 to the


       license agreement for the use of data from the KBO for commercial purposes
                  77
       purposes, not only prohibiting your own use for direct marketing, but also the

       prohibit the redistribution of this data for direct marketing purposes:
























       Preliminary decision — To the extent that the defendant in the context of its B2B Data Delivery

       services and B2B Data Quality services, so effective data from the KBO would


       process for direct marketing-related purposes, as otherwise described in
                                                         78
       the weighing of interests for the Spectron database, the Disputes Chamber rules that B LACK





77
  Document 19 ("KBO license agreement Bisnode (790517.1)") filed with the conclusions of the defendant's rejoinder, p.16.
78Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant, p. 1. Decision on the merits 07/2024 - 36/114


       TIGER B ELGIUM cannot possibly rely on Article 6.1.f) GDPR for these processing operations

       since the legality condition has not been met.



            II.3.3.2. Necessity test



 101. In addition to the existence of a legitimate interest, the controller must

       also demonstrate the necessity of the processing for that interest before an appeal

       can do in accordance with Article 6.1.f) GDPR. The Court of Justice has emphasized this

       that the condition regarding the necessity of the processing for the intended interest

       consistency with the principle of minimum data processing, as laid down in Article

       5.1.c) GDPR, needs to be investigated.


       After all, the necessity requirement is important to guarantee that the

       data processing based on legitimate interest does not lead to an overly broad scope

       interpretation of the criterion on the need to process data.

       Personal data must therefore always be sufficient, relevant and limited to

       what is necessary for the representation of the interests for which they are processed.


       In concrete terms, the defendant must ensure that no less intrusive means are used

       terms of impact on the personal privacy of those involved are available
                                                                       80
       this is important to achieve, than to carry out the intended processing. This assessment must

       the principle of storage limitation under Article 5.1.e) must also be taken into account

       GDPR.


 102. In order to be able to assess whether the processing passes the necessity test, eight

       the Disputes Chamber again finds it important to present the defenses submitted

       the documentation provided during the investigation and in the context of the conclusions

       to take into account. The defendant explains the necessity of the disputed case

       processing, by answering three questions in the context of the assessment of the
                                                                                          81
       interests he has regarding CMX resp. Spectron presents as justified:

           i. Why is the processing activity important for the controller?


           ii. Why is the processing activity important for other parties to whom the data

                can be provided if necessary?

          iii. Can the objective be achieved in another way?




79CJEU, 11 December 2019, C-708/18, TK t/ Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), edge no. 48.
80
  Data Protection Working Party Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 35.
81Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant.
82
  (1) “Why is theprocessing activityimportant to theController?”; (2) “Why is the processing activity important to other parties
the data may be disclosed to, if applicable?”; (3) “Is there another way of achieving the objective?”. Decision on the merits 07/2024 - 37/114



 103. The Disputes Chamber first determines on the basis of the documentation provided that:

      there is no substantial difference between the assessment of the processing operations

      relate to personal data included in the CMX database (B2C) and the

      assessment of the processing of personal data included in the Spectron

      database (B2B). The following explanation therefore applies to both databases.

 104. In answer to the first question, the defendant refers to the benefit that he himself derives from the

      processing of personal data, and in particular the necessity of the

      processing for the continuation of its economic activities. This position holds

      both for the Data Delivery and for the Data Quality services.


 105. As regards the representation of the interests of third parties (second question), the

      defendant, on the other hand, does make a distinction based on the service provided.


          i. B2C/B2B Data Delivery services — The defendant points out the advantage

               for its customers to reach prospects, consumer or

               select entrepreneurial target groups via various channels (post, telephone,

               social media, ...) and thus increase their turnover. The processing would be with

               in other words, are necessary for the enrichment of the databases

               customers of B LACK TIGER BELGIUM with additional contact details of

               consumers and entrepreneurs, so that these customers can gain access to new ones

               communication channels could contact their own prospects

               and consumers for direct marketing purposes. In addition, the customers would

               of BLACK T IGERB ELGIUM based on the additional attributes of their own
               to better analyze and segment customer databases based on

               enriched profiling data, again for the purpose of sending direct

               marketing communications.


          ii. B2C/B2B Data Quality services — The processing of personal data

               included in the CMX file as well as the Spectron database

               to improve the quality of the databases of B LACKT IGERBELGIUM customers,

               resulting in duplicate entries at individual or household level in the databases

               of customers can be combined and returns due to

               incorrect consumer addresses can be avoided. 85


 106. As to the third question, the defendant summarily posits that other methods of

      interests and would offer less security and would not contribute to it



83“The benefit of the processing for Bisnode Belgium is the continuation of its economic activities”.
84Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the

defendant, p. 4; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
of the defendant, p. 4.
85“The benefit of the processing for the Bisnode clients is multiple: […] To improve the quality of their database: Avoid postal
returns because of bad addresses […] Be able to group a same person/household that is several times in the database”. Decision on the merits 07/2024 - 38/114



       to deepen the relationship between B LACK TIGER B ELGIUM customers and those involved.

       Accordingly, according to the defendant, there is no less intrusive but still effective

       measures to deepen existing customer relationships and generate more sales than

       direct marketing. This position also applies to both the DataDelivery services
                                             86
       and for the Data Quality services.



                       Minimum data processing — 5.1.c) GDPR


 107. To determine the necessity of these processing activities for the purposes pursued

       To be able to assess this, the Disputes Chamber also collects the processed personal data

       consideration. Relying on the screenshots of the privacy policy on the website, the

       joint data protection impact assessment (GEA) for the three databases, it

       register of processing activities as well as the response from the DPO of BISNODE B ELGIUM

       to the questions from the Inspection Service and the detailed answers provided by the complainants

       defendant - then still B ISNODE BELGIUM - received, the Disputes Chamber establishes 87that

       BLACK T IGERB ELGIUM processes the following categories of personal data

       databases:

                                                                         88
          i. Screenshots of the privacy policy dated March 31, 2021 (CMX, B2C) —Name,

               first name, gender, language, age (or date of birth or presumed

               age group), address, landline phone, mobile phone, email address, date of

               last contact made by the data source with the data subject, statistical

               data at the district or municipality level (average income in the district where people

               housing, percentage of owners/tenants, gardens, unemployment rate...),
               observation data (area of land, presence of solar panels…),

               derived data, marketing profiles.


          ii. Screenshots of the privacy policy dated March 31, 2021 89(Spectron, B2B)


               - Company details — Company name, company and VAT number,

                   contact points, social security number, activity sector according to NACE, joint committee,

                   size of the company, number of employees employed, date of establishment,

                   details of and number of branches/branches/franchisees,

                   web pages, financial information (including any solvency and bankruptcy).



86
  Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant, p. 5; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
of the defendant, p. 5.
87In accordance with a “careful finding of facts”, as emphasized by the Market Court in its interim judgment 2022/AR/292 of
September 7, 2022, p 36 and 39.
88
  Item 12 (Screenshots of the Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory,
p. 45-48.
89 Item 12 (Screenshots of Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory,
p. 31-33. Decision on the merits 07/2024 - 39/114


                - Individual data — Surname, first name, gender, language, contact points

                    professional and sometimes private address, professional fixed and/or mobile

                    telephone number, professional email address, date of birth, position or title

                    (incl. date of appointment), derived data, marketing profiles, date

                    on which the information was communicated to B ISNODE B ELGIUM or on which

                    changes have been made.


          iii. Joint GEB (CMX, B2C) 90 — Contact details, personal data about

                minors (over 16 years old), consumer interests, family typology,

                lifestyle data, identification data, personal characteristics.


         iv. Joint GEB (Spectron, B2B) 91 — Contact details, collection details,

                electronic identification data, financial data, identification data,

                memberships, other data, personal characteristics, professional training

                and training.

                                                                        92
          v. Register of processing activities (CMX, B2C) — Contact details,

                date of birth, age, socio-demographic and lifestyle data,
                                                                            93
                family typology, presence of children, neighborhood data.

                                                                         94
         vi. Register of processing activities (Spectron, B2B) — Contact details,

                company data (CBE number, number of employees, turnover, NACE, ...), financial
                          95
                facts .

         vii. Letter to the GBA (CMX, B2C) 96 — General personal information (name,


                first name, gender, language and age or date of birth or presumed age),

                contact details (postal address, landline telephone number, mobile telephone number and e-mail)

                email address), typologies such as family (young couple, single with or without

                children), housing (single-family or multi-family home), statistical data

                neighborhood and/or municipality level (average income, percentage

                owners/tenants, percentage of gardens, unemployment rate, etc.), and

                general physical information at neighborhood level (average plot size or the

                presence of solar panels, etc.).








90Part 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service.
91
  Ibid.
92Piece 30 (“Piece 30 - Bisnode Belgium - Copy of Record of Processing”) submitted to the Inspection Service.
93“Contact Data, Date of Birth, Age, Socio-demo and Lifestyle data, Family typology, Presence of children, Neighborhood
data”.

94Part 30 (Bisnode Belgium - Copy of Record of Processing) transferred to the Inspection Service.
95“Contact Data, Firmographics (CBE number, number of employees, turnover, NACE, ...), Financial data”.
96
  Appendix (“Réponse Inspection APD 27042021”) to Item 18 in the inventory. Decision on the merits 07/2024 - 40/114



         viii. Letter to the GBA (Spectron, B2B) 97 — Surname, first name, gender, language, business

                 address, business telephone number (landline and/or mobile), business email address,

                 date of birth, position or title within the company, date of appointment or

                 entry into force.

                                                         98
          ix. Responses to the access requests — Surname, first name, address, gender, language,

                 date of birth, email address, child (incl. date of birth and gender), family

                 typology, statistical data at neighborhood level (urbanization, social class,

                 percentage of higher education, percentage of unemployed, percentage of gardens,

                 percentage of owners).

 108. The personal data processed at the time of the complaints therefore included several

       categories, which the Disputes Chamber explains below per database:


          CMX (B2C) Spectron (B2B)


          Identification data Identification data
          Name, first name Name, first name

          Contact details Contact details
          Address, landline and/or mobile telephone number, e-Business address, business landline and/or mobile
          email address, telephone number, business email address

          Personal data about minors (> 16 years) Electronic identification data

          Date of birth and gender Not further defined
          Personal characteristics Personal characteristics

          Gender, language, age (or date of birth or Gender, language, date of birth, position or
          probable age group) title (incl. date of appointment)
          Consumer interests Financial specifications

          Not further defined Solvency, bankruptcy
          Lifestyle data Vocational education and training

          Not further defined Not further defined

          Family composition Collection data
          Family typology (single with or without Not further defined

          children, young couple, etc.), date of birth and
          gender of child(ren)
          Housing Memberships

          Single-family or multi-family home Not further defined
          Statistical data by district or Other data

          municipal level Not further defined
          Average income in the neighborhood, percentage
          owners/tenants, gardens, social class,

          percentage of higher education,
          unemployment rate
          Observation data (at neighborhood level) Derived data

          Average plot size, presence of Not further defined
          solar panels




97Appendix (“Réponse Inspection APD 27042021”) to Item 18 in the inventory.
98
  Part 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”) and Part 3 (“Response to the
request for access dated 23 December 2020 from Bisnode Belgium") lodged with the conclusions of the response of the
defendant. Decision on the merits 07/2024 - 41/114



            Derived Data Marketing Profiles

            Not further defined Not further defined
            Marketing profiles

            Not further defined


                                                                                                                      99
 109. Although the Disputes Chamber will return to this further in the present decision,

        The question still arises to what extent all these personal data are systematically equal

        are necessary for the promotion of the intended interests.


        In the context of the Data Delivery service 100, compliance with the

        correctness principle under recital 39 and article 5.1.d) GDPR namely by the

        defendant put forward as an interest in the processing. According to that principle, a


        controller - in this case the defendant or its customers — all necessary

        take measures to ensure that the personal data that is inaccurate, taking into account the

        purposes for which they are processed, deleted or rectified without delay

        In this regard, the Litigation Chamber is of the opinion that the principle of correctness 102

        has a narrower application than the quality of the information 103, which in addition to the

                                                                                                               104
        accuracy and correctness also includes the completeness of the information. The

        In other words, the Disputes Chamber rules that compliance with the principle of correctness

        under no circumstances the unlimited collection of personal data, for the main purpose

        it would be possible to draw up a profile of the data subject that is as complete and accurate as possible

        justify 105. The necessity of the collection and enrichment of personal data


        included in the CMX and Spectron databases, for compliance with the correctness principle

        in the context of the Data Delivery services, has therefore not been demonstrated.


 110. In a subordinate order, the Disputes Chamber notes that an “excessive”

        accuracy of the personal data — in light of the purposes pursued



99See edge nos. 150 et seq. under Title II.4 in this decision.

100Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant, p. 2; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
vandedefendant, p.2: “[…]referenceismmadetothelegitimateinterestofBisnode'scustomers […]tocomplywiththeaccurate
[sic] principle of the GDPR that sets forth that data controllers must make efforts to maintain accurate personal data of theirs

data subjects”.
101EDPB — Guidelines 4/2019 on Article 25 - Data protection by design and by default (v2.0,
October 20, 2020), p. 26.
102
   In French “exactitude”; in English “accuracy”; in German “Richtigkeit”.
103 Working Party on Data ProtectionArticle 29 – Guidelines on automated individual decision-making and profiling

for the application of Regulation (EU) 2016/679 (WP251, February 6, 2018), p. 14. See also D. D IMITROVA, “The Rise of the
Personal Data Quality Principle. Is it Legal and Does it Have an Impact on the Right to Rectification?”, EJLT, 2021, p. 5-6.
104See Article 7.2 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of data by competent authorities with

for the prevention, investigation, detection and prosecution of criminal offenses or the execution of
penalties, and regarding the free movement of such data; and Article 74 of Regulation 2018/1725 of October 23, 2018
on the protection of natural persons with regard to the processing of personal data by the
institutions, bodies, offices and agencies of the Union and on the free movement of such data, to which reference is made
the need to check the quality of data for accuracy, completeness and topicality.
105
   GBA — Recommendation 01/2020 of January 17, 2020 regarding the processing of personal data for direct
marketing purposes, edge no. 111. See also A. JIEGA & M. FINCK, “Reviving Purpose Limitation and Data Minimization in Data-
Driven Systems”, Technology and Regulation, 2021, p. 56. Decision on the merits 07/2024 - 42/114


       as well as the context of the processing 106—in certain situations also to the detriment of the

       involved can play, especially when involved in an inappropriate and

       be profiled or segmented in an opaque manner based on their

                                                        107
       (indirectly collected) personal data .

       The right to the protection of personal data from Article 8 of the

       After all, the Fundamental Rights Charter assumes that data subjects, in addition to the right to


       information included in Articles 13 and 14 GDPR also requires a certain amount of control

       have control over “how accurately” their personal data is collected. The

       Dispute Chamber also refers to the opening words of the Convention for the Protection of
                                                                                             108
       persons with regard to the processing of personal data (Convention 108) who

       talks about “personal autonomy based on a person's right to control of his or her personal

       data and the processing of such data” 10, which translates, among other things, into the information

       and transparency obligation towards data subjects, as well as in the rights granted by the GDPR

       awards to them .10


 111. The defendant does not make any comments regarding the B2C Data Quality services either

       plausible to what extent the lifestyle data, the derived data 11or the statistical

       data at district or municipal level were necessary to ensure that

       customers of B LACK T IGER BELGIUM would not have duplicate entries in their own

       databases, or to prevent returns.


 112. With regard to the B2BDataQuality services, the defendant does not prove that the

       processing the financial specifications, memberships and vocational training in the

       Spectron database is necessary for the realization of non-marketing related activities

       interests — in view of the prohibition on processing KBO data for marketing purposes 11 —


       such as preventing returns or double entries.



                        Storage limitation — 5.1.e) GDPR


 113. In addition to the principle of minimal data processing, the

       controller also in the context of the necessity test

       principle of storage limitation contained in Article 5.1.e) GDPR




10CJEU, December 20, 2017, C-434/16, Peter Nowak v. Data Protection Commissioner (ECLI:EU:C:2017:994), edge no. 53.

10See, among others, HEN, “The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle”, EDPL, 1-2018, p. 36–52;
G. ONZALEZFUSTER, “Inaccuracy as a privacy-enhancing tool”, Ethics and Information Technology, Springer, 2010, p. 87-88.
108
  Council of Europe – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28
January 1981.
10 Loosely translated as "personal autonomy based on a person's right to control his or her personal
data and the processing of such data”.
110
  J. HEN, “The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle”, EDPL, 1/2018, p. 43.
11“Other variables” in Document 5 and Document 6 included in the defendant's conclusions in response, p. 5.
112
  See edge no. 74 in this decision. Decision on the merits 07/2024 - 43/114


       the Disputes Chamber has established that the defendant has not clarified at any time, nor

       when he was asked the question during the hearing on February 22, 2023, nor in the

       in the context of the reopening of the debates, why the personal data for 15 years

       be kept in the databases from the last registration and how such

       retention period - an essential element to consider in the framework

       of the weighing of interests 114— actually contributes to the objective so accurately

       and process current possible personal data.


       The Disputes Chamber also notes that the justification for this significant

       retention period of 15 years from the last recording in the database in the joint GEB

       for CMX, Permesso and Spectron was identified as “requiring improvement”

       (“improvable”) and a term that requires “further justification” (“Addjustification for 15

       years owned data retention”). Furthermore, it is unclear to what extent there are in addition to the most

       recent home addresses, e.g., also a history of the previous domiciles of

       involved was kept up to date and, if necessary, what the need for this would be, the

       intended objectives in mind.


 114. In his response to the sanction form dated October 31, 2023, the defendant argues that the

       statement that the unlawful processing took place for at least 15 years

       occurred would be incorrect. According to the defendant, the disputed activities

       therefore have taken place for a maximum of three years, and in particular between

       entry into force of the GDPR and the filing of the complaint.


       In this regard, the Disputes Chamber reminds that the principle of storage limitation
                                            116
       already existed under the previous Directive 95/46 and is irrefutably the case in this case

       processing that continued after May 25, 2018. The defendant's argument that

       the controversial activities only for the limited period between the entry into force of

       the GDPR and the date of the complaint took place, therefore makes no sense.

 115. Preliminary decision — The foregoing elements bring the Litigation Chamber to the

       conclude that the processing of their data accused by the complainants

       the Spectron and CMX databases, for Data Delivery respectively. the Data Quality


       services did not meet the necessity test or to fulfil. The

       Disputes Chamber considers the defendant's argumentation regarding the necessity of

       after all, the processing is not very convincing.





11Exhibit 17 (“Bisnode Belgium Retention Policy”) filed with the defendant's response.

11See Title II.3.3.3 Balancing test in this decision.
11Part 1 ("DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso") transferred to the Inspection Service, p. 6 and p. 15 in fine.
116
  Article 6.1.e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of natural persons with regard to the processing of personal data and with regard to free movement
of that data (OJ L 281, 23 November 1995). Decision on the merits 07/2024 - 44/114



       First of all, it goes without saying that the processing of personal data is not possible

       justified by simply citing the necessity of this processing
                                                  117
       to continue economic activities. Accepting such circular reasoning

       would otherwise be the relevance and usefulness of the assessment adopted by the Court
                  118
       Rīgas judgment will inevitably be compromised, since the necessity test

       precisely aims to determine and demonstrate to what extent the collected data in

       are concretely necessary to achieve the interests pursued. The

       The Litigation Chamber is therefore of the opinion that the analysis carried out by the defendant on this

       point does not meet the conditions of a proper necessity test.

       Secondly, the compliance with the principle of correctness under Article 5.1.d) GDPR, which by

       the defendant is brought forward in connection with the processing of

       personal data from CMX and Spectron for the Data Delivery services,

       as already stated11 under no circumstances be used as an interest in creating databases

       fill with missing personal data.


       Third, the Litigation Chamber is not convinced — and the documentation that the defendant

       also does not make it at all plausible — that there is no alternative, less drastic

       measures exist for the intended interest, namely compliance with the principle of correctness

       to be achieved by the customers of the defendant 12. The Disputes Chamber eight

       namely, it is insufficiently proven that the defendant's customers have no other

       could take measures to obtain the missing personal data, e.g

       collect this data directly from the data subjects - which means:

       could have had a say in their 'degree of accuracy'

       personal data. For the foregoing reasons, the Disputes Chamber decides that the

       defendant could not rely on Article 6.1.f) GDPR for the data processing

       the context of the B2C and B2B Data Delivery services.

 116. The Disputes Chamber does not consider this to be the case either with regard to the B2C Data Quality services

       it is likely that all consolidated personal data in both databases are strict

       would be necessary to ensure the quality and reliability of the personal data

       already in the possession of the customers of LACK TIGER BELGIUM, in the light of it

       correctness principle under Article 5.1.d) GDPR. The defendant's customers — those in

       unlike the latter, they will indeed come into contact with those involved

       moreover, they already have (part of) their personal data - after all, this is possible



117
  Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant, p. 4; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response
of the defendant, p. 4.
11 CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
'Rīgas satiksme' (ECLI:EU:C:2017:336), edge no. 30.
119
  See edge nos. 109 and 110 in this decision.
12See edge no. 109 in this decision. Decision on the merits 07/2024 - 45/114



      inquire directly with the data subject to what extent their personal data still remains

      are current or need to be changed or supplemented. The
      Disputes Chamber: the retention period of 15 years is disproportionate to the intended

      interests.


 117. With regard to the B2B Data Quality services, the Disputes Chamber rules that

      principle of necessity can only be complied with on the condition that the

      retention period of 15 years is shortened, as well as the service provision is limited to

      assigning a reliability score and the Data Quality service is not provided

      used to indirectly transfer data to third parties in order to:

      increase data quality. Consequently, the current B2B Data Quality is satisfactory

      services do not meet the necessity test.



           II.3.3.3. Balancing test


 118. In order to rely on Article 6.1.f) of the GDPR, the controller must

      finally to make a consideration of the interests, and to demonstrate, that his own

      interests — or those of third parties — outweigh the interests or

      fundamental rights and freedoms of those involved.

 119. The Disputes Chamber reminds that the assessment test is not aimed at preventing

      any effect on the interests and rights of data subjects, but on the prevention of

      disproportionate consequences as well as the assessment of the mutual weight of these

      interests . The fundamental rights and freedoms of the data subjects referred to in Article

      6.1.f)GDPR does not only include the right to data protection and privacy, but

      also other fundamental rights, such as the right to liberty and security, the freedom of

      expression and information, freedom of thought, conscience and religion, freedom

      of meetings, association, the prohibition of discrimination, property rights or law

      on physical and mental integrity, either directly or indirectly through the processing
                                122
      can be affected.

      The wording of Article 6.1.f) GDPR also assumes that, in addition to the fundamental

      rights of data subjects and other interests are also taken into account, such as

      social, financial or personal interests. In short, from a controller

      is expected to consider all relevant interests raised by the

      data processing can be influenced, including - but not limited to -





121
  Data Protection Working Party Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 49.
12 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 35-37. Decision on the substance 07/2024 - 46/114



       legal interests, financial interests, social interests or personal interests of the

       those involved.


 120. Once these interests have been identified, it must then be determined which ones

       consequences the intended data processing could have for this
                                     123
       interests. The EDPB states:

                 “32. […] The reference to abstract situations or the comparison of similar cases is

                 not enough. The controller must assess the risks of infringement of rights

                 of those involved; The determining factor here is how far-reaching the infringement is

                 rights and freedoms of persons.

                 33. The intrusiveness can be determined, among other things, on the basis of the type of information

                 collected (information content), its scope (information density,

                 spatial and geographical range), the number of people involved, either in absolute numbers, or as

                 percentage of the population involved, the concrete situation, the actual interests of the
                 group of people involved and the available alternative means, as well as on the basis of the nature and

                 the scope of the data assessment [by the controller].”



                         Nature of the personal data processed



 121. According to the EDPB, the controller must take into account the

       categories of personal data that data subjects generally regard as more private
                                                           124 125
       or rather of a more public nature. In the present case it is established that

       the defendant processes data related to the family composition of

       data subjects, as well as their private email address or private mobile telephone number, which

       data that is rarely made publicly available by those involved. Also

       the exact date of birth and social class belong to, according to the Dispute Chamber

       categories of information that are generally considered more private by the

       data subjects than data of a public nature, such as their professional capacity.


 122. The Disputes Chamber is also of the opinion that the position taken by the defendant

       about the non-processing of special categories of personal data, any

       requires nuance in the light of the case law of the Court of Justice. In his judgment

       In C‑184/20, the Court focused on certain information which, although not intrinsic

       are “sensitive” within the meaning of Article 9 GDPR, may reveal potentially sensitive information,

       such as the sexual orientation of those involved. For example, the Court ruled that “the concepts

       'special categories of personal data' and 'sensitive data' should be broad



123EDPB – Guidelines 3/2019 on the processing of personal data using video equipment (v2.0, 29
January 2020), edge nos. 32-33.
124 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the

data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 46-47.
12See edge no. 108 in this decision. Decision on the merits 07/2024 - 47/114



      be explained”, with the result that the processing of “personal data that is indirect
      may reveal sensitive information about a natural person” as well as “a

      processing of special categories of personal data within the meaning of those provisions

      constitutes” 12.


 123. In the absence of specific elements available to the Disputes Chamber regarding the

      how those involved who belong to the same household become concrete

      characterized and linked together in the defendant's databases, and given the

      In the absence of a specific determination by the Inspection Service in this regard, the

      However, the Disputes Chamber may authorize the processing of special categories of
      personal data not to be taken into account in the context of the assessment test and none

      infringement of Article 9 GDPR by the defendant in the present case.


 124. Finally, and notwithstanding the defendant himself acknowledges that he has the data of

      minors who belong to the same household as the complainants
                                            127
      has processed segmentation purposes, the Disputes Chamber first determines that the

      data concerned are limited to the gender and date of birth of the child. The

      Furthermore, the Dispute Chamber has no indications that the defendant

      has effectively transferred personal data of these minors to its customers.


                      Context of data processing



 125. In addition to the nature of the personal data, the controller must also:

      taking into account the amount of personal data processed, whether or not to combine it
      of these personal data with other databases, the extent of

      accessibility and/or publicity of the data after processing, the status of the

      controller (e.g., his market position, his relationship with the data subjects) and the like

      status of those involved (e.g., if vulnerable persons are involved).


 126. In his defense the defendant states that as a data broker he is virtually

      does not maintain a direct relationship with those involved, but his expertise in big data
                                           129
      makes available to its customers. The Disputes Chamber believes that this specific

      context, where the defendant does not come into direct contact with those involved, there
      inevitably contributes to characterizing the processing activities it carries out

      be reduced by more limited transparency towards those involved,

      notwithstanding the various initiatives and measures taken by the




12CJEU, August 1, 2022, C-184/20, OT v. Vyriausioji tarnybinės etikos komisija (ECLI:EU:C:2022:601), marginal nos. 125-128.
127
  See edge no. 79 in this decision.
12 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 47-49.
12Conclusions of the defendant's rejoinder dated March 7, 2022, p. 15 Decision on the merits 07/2024 - 48/114


       defendant. From the foregoing it also follows that the person concerned is in fact forced to do so

       to consult the privacy statement on the defendant's website on their own initiative

       — or to carefully keep track of which companies they have sold to whom over the past 15 years

       have provided their personal data, have indicated these personal data

       to be transferred to B ISNODE BELGIUM — in order to be able to comprehend the extent of the

       personal data that the defendant processes about them. In addition, the

       large-scale130 processing activities of the defendant, in his capacity as

       data broker, inherently involves combining personal data with other data

       data files. This is by no means refuted by the defendant.


 127. In view of these elements, the Disputes Chamber finds that the context of the processing in

       is essentially more disadvantageous for the data subjects, whose personal data is provided in an opaque manner

       be processed, compared to the benefit that the defendant and its customers receive from the

       get processing. In other words, the interests of those involved weigh more heavily

       through the weighing of interests.



                       Impact of the processing for the data subjects


 128. In addition, the controller must pay particular attention to the


       consequences — both positive and negative — for those involved, including possible

       future decisions or actions of third parties; situations in which the processing would

       may lead to the exclusion or discrimination of persons or defamation; or, in a broader sense,

       situations where there is a risk of damaging reputation, it
                                                                       131
       negotiating capacity or the autonomy of those involved. Important again

       that this assessment relates to the different ways in which those involved have a

       may experience a positive or negative impact due to their processing

       personal data.

 129. During the hearing on February 22, 2023, the complainant refers to the assessment of his

       creditworthiness by a company, based on data provided by the defendant,

                                                          132
       without the complainant being informed in advance. In response to a request for

       inspection directed to that company, which the complainant adds to his response conclusions, is clear

       to see that the information used to determine the company's creditworthiness
                                      133
       comes from the defendant. Certain authors have already warned about the

       risks related to invisible discrimination based on profiling data



13The defendant does not dispute this classification of the scope of the data processing in his rejoinder.

13 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 45-46.
13See edge no. 83 in this decision.
133
  “Creditworthiness (based on the street where you live – source = bisnode” in the appendix to the Conclusions of the reply of
the complainant, transferred to the Disputes Chamber on February 15, 2022. Decision on the merits 07/2024 - 49/114


        such as the income of those involved, but also for the general loss of control

        data subjects experience with regard to their data 13. This represents the


        Disputes Chamber established that the non-transparent processing of personal data of

        by the defendant can have significant consequences for those involved

        who would like to purchase certain services from the defendant's customers.


 130. In the so-called “Legitimate Interest Assessments” (LIAs) for both databases

        the defendant describes the consequences of the processing for data subjects as follows.

        By offering the defendant's customers the opportunity to create direct marketing profiles

        sets that would otherwise be difficult or impossible to create, the

        privacy of those involved is affected, which can cause annoyance, irritation or stress

        with them (“perceived or real lack of transparency and illegitimacy of processing” 13). Thereby

        In addition, the defendant acknowledges that those involved have only limited or none

        have more control over the processing of their personal data, as well as that it


        bypassing the sources that transfer their personal data to the defendant

        may require significant adjustments to their lifestyle. Accepted along the same lines

        the defendant that those involved are actually denied the opportunity to

        to refuse processing of their personal data by the defendant; instead

        they must make the effort themselves to exercise their right to object

        defendant (opt-out) 13.


 131. Furthermore, the Disputes Chamber notes that the disadvantage identified by the defendant

        consequences for the data subject and, however, do not take the aforementioned risks into account

        discrimination by the defendant's customers, based on the information provided

        personal data. The Disputes Chamber refers in particular to contractual matters

        provisions with the defendant's customers, which only prohibit them from the

                                                                                         137
        to use personal data provided for the benefit of a third party. For the rest

        the defendant's customers are therefore permitted to use the personal data for their own,

        to use direct marketing-related purposes, which are not further specified

        be defined in the agreement.



134
   H. USCHMEIER , “Data Brokers and European Digital Legislation”, EDPL, 2023-1, p. 30 ISHR, “The dark industry of
databrokers:needforregulation?”,InternationalJournalofLawandInformationTechnology,Volume29,Issue4,2021,p.395–
410; G. ONZÁLEZ FUSTER, “Inaccuracy as a privacy-enhancing tool”, Ethics Inf Technol, 2010, p. 91 et seq.
13In Dutch, “perceived or actual lack of transparency and illegality of the processing” (free translation),

in Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) in the conclusions of the response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant.
136Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the
defendant, point 3 under title “2.3 The Balancing Test”; Part 6 (“Legitimate Interest Assessment Spectron 27082020”)

laid down in the defendant's response, point 3 under title “2.3 The BalancingTest”.
137 Document 12 (“Piece 12 - Template counter-client Multi - voir articles 3.2 et 4.1”) as submitted by the defendant to the
Inspection service in the context of the investigation: “3.1. The license d'utilization is approved by Bisnode Belgium for one
utilization propre auClient, pour one action de type "marketingdirect" etdonc al'exclusiondetoutes prestations, directes or
indirects pour des tiers (commepar exemple, toute forme de vente, de commercialisation, de cession, direct or indirect, à

titre onéreux or gratuit, the license à des tiers or toute autre utilization par des tiers)”. Decision on the merits 07/2024 - 50/114



 132. In this regard, the Disputes Chamber considers it remarkable that the defendant is his customers
       contractually prohibited from (in)directly informing the data subjects

       refer to the selection criteria that were applied, and that the defendant in addition

       monitors the content of the messages from his customers, which he must approve in advance

       approve138. In concrete terms, this means that the defendant guarantees the transparency of its customers

       has expressly and therefore consciously hindered the data subjects. In the

       In the context of the reopening of the debates, the defendant briefly confirms that:


               “with regard to professional customers[…]a licensing agreement[was]concludedfor
               the use of B2C data, which indeed places different obligations on the customers

               were imposed in order to safeguard the defendant's commercial interests. Thus

               the template agreement stipulated, among other things, that the selection criteria were not given to consumers

               could be communicated”.

       The Disputes Chamber rules that this restriction of the provision of information is contrary

       against the fundamental rights of those involved, if they receive more information

       wish to obtain information about the precise circumstances in which their personal data

       processed, are obliged to exercise their right of access towards the sender

       of the direct marketing messages or with the defendant.


 133. In summary, the Disputes Chamber is of the opinion that the consequences of the
       data processing for the data subjects were not sufficiently taken into account

       by the defendant in the context of the balancing test, since the analysis by the

       defendant has limited itself to receiving direct marketing advertising by post

       as well as the exercise of their rights (including their right to object) and thus

       has not taken into account the known risks regarding hidden or

       indirect discrimination against complainants based on their profiling data, including

       of their creditworthiness. The Disputes Chamber must conclude in this regard that the

       interests of the defendant and his clients do not outweigh the interests, ten

       with regard to the interests of those involved.



                       Reasonable expectations of those involved


 134. To determine whether the third condition (balancing test) has been met, in addition to the

       Finally, the impact of the intended data processing must also be taken into account

       with the reasonable expectations of the data subjects, in accordance with Recital 47 GDPR.

       In particular, the controller must determine to what extent the


13Piece 12 (“Piece 12 - Template counter-client Multi - voir articles 3.2 et 4.1”) as submitted by the defendant to the
Inspection service in the context of the investigation: “3.3.IlestinterditauClientdeseréférerauxcriteresdessélectionsutilisésdans
sa communication commerciale aux consommateurs, directment or indirection. Avant chaque campaign, Bisnode
Belgium doit recevoir, àbrefdélai, unexemplaire, par langue, du message commercial quiseraadressé au consommateur (à la
fois sur l'enveloppe, la lettre, les pièces jointes et le script telephonique). Dans le cadre de la campaign déterminée, que le
message soumis à et approuvé par Bisnode Belgium peut être diffuser [sic].”. Decision on the merits 07/2024 - 51/114


       data subjects at the time and in the context of the collection of personal data

       can reasonably expect that data processing will be carried out for the intended purpose

       can take place.


 135. Data brokers collect and aggregate numerous data points in order to create comprehensive

       and compiling detailed numerical profiles of the individual people involved. Afterwards

       they offer this profile data to customers (Data Delivery) or, as for the defendant

       since the termination of the Data Delivery services, to assess and improve the quality

       confirming data already in the possession of these customers (DataQuality). In the majority

       In most cases this happens without the prior consent of those involved


       — as in the present case — or without them becoming fully informed

       of the scope of these processing operations.

 136. The Inspection Service, referring to previous case law of the Court of Justice 139

       and following guidelines adopted by the EDPB 140, essentially establishes that the defendant

       various personal data, partly from the data subjects themselves and partly from other sources


       are obtained, on a large scale and beyond the reasonable expectations of the

       data subjects processed. The defendant always disputes this in his defenses

       the reasonable expectations of users must be taken into account

       different interests at stake. Referring to the legal doctrine posits

       the defendant, on the contrary, states that “the reasonable expectation criterion only relates

       on further processing within the meaning of Article 6(4) GDPR” 141 and is therefore not necessary

       is relevant with regard to the weighing of interests in the context of Article 6.1.f) GDPR.


 137. The Disputes Chamber rules that the argument raised by the defendant, and with

       because the reasonable expectations of those involved cannot be taken into account

       are not used when assessing the legitimate interest of B LACK T IGER BELGIUM

       convinces. In this regard, the Disputes Chamber first refers to the answer of the

       DPO of B ISNODE B ELGIUM dated April 27, 2021, in which the defendant expressly declares the

       to take into account reasonable expectations of those involved (free translation and

       own underlining)142:





13CJEU, 11 December 2019, C-708/18, TK t/ Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), edge nos. 56-

58.
140 Working Party on Data Protection Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, 9 April 2014); EDPB – Guidelines 3/2019
on the processing of personal data by means of video equipment (v2.0, January 29, 2020), p. 10 et seq.
141
  D. DEBOT, The application of the General Data Protection Regulation in the Belgian context, Kluwer, 2020,
p. 448-449, no. 1094 et seq.
14“Bisnode Belgium ensures that the preparation and attention of the persons concerned is taken into account
exigeantdesesclientsqu'ilsluifournissentsystématiquementleprojetdetextedesmailings qu'ilsenvisagentd'adresser.Ceci
the manner in which the procedure is followed by the assurance of the ceux-ci sont conforme à nos deontologie internal rules, the rules according to which
sont toutes entières axée sur le respect des attentivees raisonnables des personnes concernées. Toujours dans le but de tenir

compte des attentivees raisonnables des personnes concernées, Bisnode Belgium veille également être mentionnée dans la
politique de confidentiality de ses partenaires sources de données.” Decision on the merits 07/2024 - 52/114



               “Bisnode Belgium also ensures that reasonable considerations are taken into account

               expectations of the people involved by asking its customers to inform us systematically
               to deliver the draft text of the mailings they want to send. That's what we can do about it

               ensure that these are in accordance with our internal rules of conduct, which all

               aimed at respecting the reasonable expectations of those involved. To

               Bisnode ensures that the reasonable expectations of those involved are taken into account
               Belgium also ensures that this is stated in its privacy policy

               data source partners”


 138. Furthermore, the Disputes Chamber recalls that Article 5.1.a) GDPR - which stipulates that

      personal data must be processed in a manner that is lawful, fair and proper

      is transparent towards the data subject — must be read in conjunction with

      Recital 39 GDPR, which stipulates that it must be transparent to data subjects “that they

      concerning personal data is collected, used, consulted or otherwise

      processed and to what extent the personal data are or will be processed”.

      This core principle of the GDPR therefore means that any processing of personal data,

      regardless of the legal basis put forward by the controller, it

      transparency principle must be adhered to.

 139. Having said this, the Disputes Chamber considers it important to make the distinction for the time being

      to emphasize between the information that data subjects receive regarding the processing, and

      the reasonable expectations that those involved may or may not assume with regard to a

      specific data processing. As already stated 14, those involved have no

      direct relationship with the defendant, with the result that they cannot act reasonably

      expect the indirect collection of their personal data by B ISNODE

      B ELGIUM and then B LACK TIGER BELGIUM . From the policy documents and

      model agreements that the defendant has submitted to the Inspection Service

      nowhere to be inferred that the data sources 144proactively and individually

      data subjects must inform them about the effective transfer of the personal data

      available to the defendant. In other words, the defendant can quit

      no guarantees whatsoever that those involved, that the privacy policy of the data source

      would no longer consult after such an adjustment to the privacy policy of the

      data sources in order to mention B ISNODE BELGIUM by name among the possible

      data recipients, are actually notified of the collection and

      subsequent processing of their data by the defendant. Such

      gap in the defendant's transparency policy therefore means that a

      negligible number of data subjects whose personal data are in the databases of the

      defendant were processed for the Data Delivery service only after receipt of


143
  See edge no. 126 in this decision.
14These are the partners of the defendant, who provide him with personal data. Decision on the merits 07/2024 - 53/114


       the first direct marketing communications by a customer of the defendant

       could be alleged of the processing of their data by the defendant.


       Due to the nature of the Data Quality services, which according to the defendant

       no personal data will be transferred to the defendant's customers

       on the other hand, the data subjects may never be informed of the processing and

       commercialization of their personal data by the defendant 14.


 140. The Disputes Chamber therefore decides that the services provided by the defendant are

       offers customers anything but within the reasonable expectations of those involved and frameworks,

       even more so because these reasonable expectations must specifically relate to

       the processing by the defendant. The argument that those involved can adhere to it

       expect that their personal data will sooner or later be collected by a third party and

       will be exchanged, as this became part of a national media campaign in 2019

       announced 14, is far from convincing in this regard.

                                                                    147
 141. In subordinate order, the Disputes Chamber again notes that, with the exception of:

       position of the defendant that “B2B stakeholders” reasonably expect that their
                                                                                          148
       personal data are processed by third parties in a professional context, none

       There is a substantial difference between the two assessments regarding the Spectron

       database (B2B) resp. the CMX database (B2C). This alone testifies according to the

       Disputes Chamber will conclude that there has been a lack of proper consideration of all relevant matters

       circumstances of the data processing, as well as its consequences for B2C

       those involved, in the context of the weighing of interests carried out. The Dispute Chamber

       therefore rules that the analysis conducted by the defendant in any case does not meet the requirements

       meets the conditions of a proper assessment test.


 142. If, after the weighing of interests, it is unclear whose interest prevails, then

       it is of course possible for the controller to provide additional guarantees

       to prevent the undesirable consequences of the processing for the data subjects

       mitigating 14. Such safeguards include, according to the Disputes Chamber

       necessarily proactive information to the individual involved about how



145I.e., except for the limited information that may have been communicated when the personal data were collected by the sources
were passed on to the defendant, which the Disputes Chamber has already ruled to be insufficient
guarantees in the light of the transparency obligation.
146
   Document 14 (“Copie d'extraits de la campaign de presse de juillet 2019”) as submitted by the defendant to the
Inspection service in the context of the investigation.
14See edge no. 102 in this decision.
148
   Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the
defendant: “It is likely or, at least, reasonable to assume that in a B2B context, data subjects are aware that personal data is
being collected and commercialized (= reasonable expectations of the data subject). Indeed, it is even possible that the data
subjects may even use the services of Bisnode themselves. At any rate, data brokerage is a common activity in a professional
setting and the various official database ensure a large, public propagation of professional data, including personal data.
Therefore, impact should be given a lesser weight in relation to the Spectron database” (own underlining).
149
   Data Protection Working Party Article 29 - Opinion 06/2014 on the concept of "legitimate interest of the
data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 21. Decision on the substance 07/2024 - 54/114



        their personal data are processed, as well as simple and accessible

        mechanism through which those involved are given the opportunity to express themselves

        oppose (opt-out) the processing of their data by the defendant, and

        possibly also to exercise their right to erasure of data.


 143. Finally, the Disputes Chamber rules that it is not within its powers to

        since the Disputes Chamber is a (non-autonomous) dispute resolution body of a

                                        150 151
        administrative authority, to submit preliminary questions under Article 267 TFEU

        to the CJEU. After all, in order to ensure the uniform application of Union law

        guarantees, this provision provides an instrument of judicial cooperation between

        the CJEU and the national courts, with a so-called preliminary ruling


        question may emanate from a court ruling in the context of a
                                                                    152
        procedure leading to a judicial decision. When assessing whether a referral

        body is a “judicial authority” within the meaning of Article 267 TFEU, the CJEU holds

        taking into account the legal basis of the body that submitted a request

        permanent character and its mandatory jurisdiction, the fact that the body is ruling


        After an adversarial procedure, the body applies legal rules and regulations
                                                   153
        the independence of that body. However, the Disputes Chamber rules that the GDPR

        makes a clear distinction between the supervisory authorities and the

        judicial authorities 154. Where Article 267 TFEU through the preliminary ruling procedure for

        the CJEU aims to obtain a uniform interpretation during the judicial phase, as provided by the GDPR


        in the coherence mechanism, where the Disputes Chamber specifically points to the
                                               155
        procedure provided for in Article 64.2 thereof, with a view to a similar purpose but for the

        supervisory authorities under the GDPR. In any case, the Disputes Chamber considers this



150
   HofvanBeroepBrussel (Marktenhof section), X t.GBA, Judgment 2023/AR/184 of 8 March 2023, p. 12; Court of Appeal Brussels
(Marktenhof section), X t. GBA, Judgment 2022/AR/292 of September 7, 2022, p. 36; Brussels Court of Appeal (Markten Court section),
X t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 24; Court of Appeal Brussels (Markten Court section), X t.GBA, Judgment 2020/AR/329
of September 2, 2020, p. 13.
151
  Article 267 of the Treaty on the Functioning of the European Union—“The Court of Justice of the European Union shall have jurisdiction,
by way of preliminary ruling, to rule (a) on the interpretation of the Treaties, (b) on the validity and
interpretation of acts of the institutions, bodies, offices or agencies of the Union.

If a question in this regard is raised before a court of one of the Member States, that court may,
if it considers a decision on this point necessary for the delivery of its judgment, it shall request the Court to answer this question
to make a statement.
If a question in this regard is raised in a case pending before a national court or tribunal

decisions are not subject to appeal under national law, this authority is obliged to refer the matter to the Court
turn.” (own underlining).
152K. ENAERTS and P.VAN NUFFEL, European Law, Antwerp-Cambridge, Intersentia, 2011, edge nos. 836-837.

153CJEU, 31 May 2005, C-53/03, Syfait (ECLI:EU:C:2005:333), edge no. 29; CJEU, June 30, 1966, C-61/65, Vaassen-Göbbels
(EU:C:1966:39); CJEU, December 10, 2009, C-205/08, Umweltanwalt von Kärnten (EU:C:2009:767), edge no. 35. See also K.
LENAERTS ,I.MASELI&K.G UTMAN , EU Procedural Law, Oxford University press, 2015, p. 53.
154
   See, among others, Article 78.3 GDPR (right to institute effective legal remedies against a supervisory authority)
authority) and 79.2 GDPR (right to bring an effective remedy against a controller
or a processor).
155
   Article 64.2GDPR—“2. A supervisory authority, the chairman of the Committee or the Commission may request any
that matters of general application or having legal effects in more than one Member State are examined by it
Committee in order to obtain advice, in particular where a competent supervisory authority has fulfilled its obligations
mutual assistance in accordance with Article 61, or to joint actions in accordance with Article 62.” Decision on the merits 07/2024 - 55/114


                                                                                      156
       is in no way obliged to submit a preliminary question to the CJEU in this regard, as the

       decisions of the Disputes Chamber of the GBA are subject to appeal

       Marktenhof, and since the present case does not concern the validity of
                                                                                157
       an act of an institution, body or agency of the European Union.



        II.3.3.4. Decision


 144. In view of the previous elements, the Disputes Chamber concludes that

       an infringement of Article 5.1.a), 5.2 and Article 6.1 GDPR, as the defendant has not properly

       has demonstrated that its interests as well as those of its customers are legitimate or that the

       processing is necessary for the realization of the interests pursued, and

       that these interests would outweigh the interests and fundamental rights of the

       those involved. In particular, the Disputes Chamber rules:

               ▪ that the processing of company data, insofar as this is personal data

                   concerns, in the Spectron database in the context of “B2B” Data Delivery

                   services, where the defendant has personal data of natural persons

                   collects and enriches people from the KBO, with a view to it

                   commercial supply of personal data to its customers

                   direct marketing-related purposes, is expressly prohibited by law and

                   can therefore not rely on the basis provided for in Article 6.1.f) GDPR;


               ▪ that the processing of consumer data collected in the CMX database in the

                   within the framework of the “B2C” Data Delivery service, where the defendant

                   personal data of consumers is collected and enriched with a purpose

                   on the commercial supply of personal data to its customers,

                   could not rely on the basis provided for in Article 6.1.f) GDPR due to the
                   lack of necessity and the disproportionate impact on those involved. The

                   commercial benefits that the defendant and its customers derive from the processing

                   achieved do not outweigh the fundamental right of the

                   those involved to respect their private sphere, given the nature of the

                   personal data, the duration of the processing, and the limited

                   provision of information to those involved. Finally, the defendant makes

                   insufficiently plausible that such processing is within reason

                   expectations of those involved could fall.


               ▪ that the processing of consumer data collected in the CMX database in the

                   within the framework of the “B2C” Data Quality services, where the defendant


156
  Article 267(2) TFEU.
15F. PITALE, “Chapitre VI. La faculté et l'obligation de renvoi ERRARO& C.ANNONE, Le renvoi préjudiciel,
Bruxelles, Bruylant, 2023, p. 183. Decision on the merits 07/2024 - 56/114


    collected, enriched and consolidated personal data of consumers

    to assign a reliability score to, for a fee

    personal data of consumers already in the possession of the customers of the

    defendant, so that they could improve the quality of their data by
    to format, standardize, correct and/or internalize them

    linking (matching), could not rely on the basis provided for in Article 6.1.f)

    GDPR. It has not been demonstrated that the processing was necessary for the

    compliance by the defendant's customers with the principle of fairness

    in accordance with Article 5.1.d) GDPR. The Dispute Chamber considers it to be insufficiently proven

    that the customers of BLACK T IGERB ELGIUM exclusively through the Data Quality
    services their interest in complying with the aforementioned principle

    or, in short, that the disputed processing is indeed carried out

    was necessary to ensure the completeness and accuracy of the personal data

    already in the possession of the defendant's customers. The

    Finally, the defendant does not sufficiently prove that such processing

    could fall within the reasonable expectations of those involved.

▪ that the processing of company data in the Spectron database in the

    within the framework of the “B2B” Data Quality services, where the defendant

    personal data of natural persons affiliated with companies

    collects, enriches and consolidates to, for a fee, a
    to assign a reliability score to personal data already in the

    possession of by the defendant's customers, so that they can ensure the quality of their

    can improve data by formatting, standardizing,...

    correct and/or internally link (matching), cannot rely on the

    basis provided in article 6.1.f) GDPR. Personal data originating from the

    After all, KBO may not be used or distributed for direct
    marketing related purposes. In addition, the Disputes Chamber considers it

    insufficiently demonstrated that the processing of personal data in

    Spectron is necessary to ensure the completeness and accuracy of the

    personal data already in the possession of the defendant's customers

    insurance, as well as to protect non-direct marketing related interests

    accomplish. Finally, the Disputes Chamber rules that the parties involved:
    cannot reasonably expect, partly due to the lack of

    proactive information provision, to the processing of all in the Spectron

    database included categories of personal data. Decision on the merits 07/2024 - 57/114



    II.4. Transparency towards those involved (Article 12.1, Article 13.1 and 13.2,
         Articles 14.1 and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR)


        II.4.1. Position of the Inspection Service


 145. As part of its investigation, the Inspection Service has two websites of the defendant

       analyzed and determined that the link to the privacy statement on the first website was 158

       redirects visitors to the second website 15, where they read the privacy statement

       can consult. However, the Inspection Service notes that the information provided by the

       defendant makes available on the second website is neither transparent nor easy

       accessible to the data subjects, the information about the processing about it

       has been distributed on various web pages, and also contains incorrect information.


 146. Furthermore, the Inspection Service notes that the information provided by the defendant
       is incomplete, as not all are required by Articles 13 and 14 of the GDPR

       information is communicated effectively. There is nothing in particular anywhere

       referred to the right of data subjects to withdraw given consent, and

       nor the right of data subjects to file a complaint with the GBA. Furthermore

       the contact details of the defendant's DPO are not stated on the website,

       although the DPO has a personal email address.



        II.4.2. Position of the parties


 147. The complainant states that B LACK TIGER BELGIUM has stored personal data in a non-transparent

       processed, as he was not informed of the fact that the defendant is

       personal data had been collected and processed for its own objectives. The complainant posits

       that he only became aware of the extent of this processing in the context of the exercise of his duties

       right to inspect his personal data. With regard to the manner in which the defendant

       has fulfilled its obligation to provide information to those involved,

       in particular, the complainant points out that during the past 17 years and not since

       entry into force of the GDPR was not contacted at any time by the

       defendant or its processors, or by joint controllers
       who would have received personal data from the complainants, with a clear

       explanation of exactly which personal data they process. Thus, the

       defendant, as well as any other recipient of the personal data in question, according to

       the complainant systematically failed to notify those involved in accordance with Articles 13 and 13

       14 GDPR about the processing of their data. In this regard states

       the complainant that the defendant cannot possibly rely on the exception provided



15https://www.permesso.be/nl/privacybeleid.
15https://bisnodeandyou.be. Decision on the merits 07/2024 - 58/114


       in Article 14.5.b) GDPR, as he has the necessary data to contact

       with those involved in order to be able to fulfill his information obligation. During the

       hearing of February 22, 2023, the complainant also emphasizes that the defendant

       uses different privacy statements, which makes it difficult for those involved

       to find out which rules apply to the processing of their data

       personal data.

 148. The defendant disputes the finding that it would not be easy for those involved

       to find concrete information about data processing, and states that he made a conscious choice

       for a layered approach to its privacy statement, depending on the capacity of the

       data subject (consumer/professional), in order not to work with too extensive and

       information that is incomprehensible for these reasons. According to the defendant, this method leaves the

       allows those involved to navigate directly to the part of the statement that they

       want to read. Regarding the Inspection Service's argument that “a data subject does not

       can reasonably expect that his data will be commercialized simply by

       the existence of a cooperation agreement with certain public or commercial entities

       sources” the defendant argues that he has taken the necessary measures to
       ensure that data subjects are aware of the processing carried out. The

       Defendant also refers to the privacy statement of the KBO, “which explicitly states:

       informed that the personal data are processed for the purpose of reusing the data

       data, whether or not for commercial purposes”.


 149. During the hearing on February 22, 2023, the Disputes Chamber asks what the

       responsibility of the defendant if the sources or partners fail to do so
       to provide data subjects with information about the processing of their data

       personal data by B LACK T IGERB ELGIUM. According to the defendant, this concerns first of all

       a contractual matter between the defendant and his sources respectively. customers,

       although the defendant always checks whether the standard wording is actually included

       the privacy statement of the sources respectively. customers of the defendant. Also prior to

       the sending of commercial messages by post by the defendant's customers,

       the defendant has a right to inspect the draft communication as well as the right

       to request adjustment of the communication, if necessary. For the rest,

       the defendant has concerns about the appropriate level of control that the

       Litigation chamber of the defendant would expect with regard to his partners and
       customers, and more specifically whether the defendant must regularly check with each partner and customer

       whether the privacy statement contains the standard wording. Finally, the defendant opines

       to be aware of certain shortcomings in its privacy statement, although this

       shortcomings have now been resolved in the new privacy statement160. The fact that the



16https://www.blacktigerbelgium.tech/privacy-policy/. Decision on the merits 07/2024 - 59/114


       defendant does not mention the right for those involved to collect their consent

       would also be irrelevant, as the defendant only relies on his

       legitimate interests for the disputed data processing.




        II.4.3. Judgment of the Disputes Chamber


 150. As regards the lawfulness of the disputed processing, it is established that the reasonable

       expectations of those involved are relevant — contrary to what the

       defendant puts forward in his defense — to assess to what extent this may be the case

       of lawful data processing that would be based on the legitimate interest

                                                              161
       interests of the defendant or his customers. Those are reasonable expectations

       also to be taken into consideration when determining the time at which the information is provided
                                                                     162
       about the processing is communicated to the data subjects, taking into account the generality

       principle that those involved should not be surprised by the purpose of the

       processing of their personal data 16. The Disputes Chamber has in previous cases

       decisions has repeatedly emphasized that transparency is of crucial importance to those involved

       control over their personal data and to ensure effective protection of it

       to safeguard personal data 16. The transparency obligation in the GDPR requires

       namely that all information or communication regarding the data processing of

       must be easily accessible and understandable to those involved, 165 but also timely

       provided to those involved 16.


 151. In the present case it is first of all established that the data processed by the defendant

       personal data were not collected directly from the complainants. Consequently, single

       Article 14 GDPR applies 16, the first two paragraphs of which record the information


       to be provided to data subjects:

           a. the identity and contact details of B LACK T IGER B ELGIUM and, in

               where appropriate, of his representative;


           b. where applicable, the contact details of the DPO;


           c. the processing purposes for which the personal data are intended;


           d. the legal basis for the personal data processing;



161
  See edge nos. 134 et seq. in this decision.
16Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), edge no. 28.
163
  Ibidem, edge no. 45 in fine.
16See, among others, Decision 04/2021, edge no. 167; Decision 47/2022, edge no. 127 ff.; Decision 84/2022, edge no. 76.
165
  Recital 39 GDPR.
16Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), edge no. 48.
167
  Ibidem, edge no. 26 in fine. Decision on the merits 07/2024 - 60/114


          e. the categories of personal data concerned;


          f. where applicable, the recipients or categories of recipients of the

              personal data;

          g. where appropriate, that B LACK TIGER BELGIUM intends to:

              to transfer personal data to a recipient in a third country or to

              an international organization; whether or not there is an adequacy decision

              the Commission exists or BLACK T IGERBELGIUM appropriate or suitable

              has taken guarantees in the case of the situations referred to in Article 46, Article 47 or

              Article 49.1.2°GDPR refers to the transfers, as well as the data subject and a copy
              can obtain these or where these guarantees can be obtained

              consulted;


          h. the period during which the personal data will be stored

              stored, or if that is not possible, the criteria to determine that period;

          i. the legitimate interests of B LACK TIGER BELGIUM or a third party,

              if the processing is based on Article 6.1.f) GDPR;


          j. that the data subjects have the right to request B LACK T IGERBELGIUM
              access to and rectification or deletion of personal data or request restriction

              of the processing concerning them, as well as the right against processing

              to object and the right to data portability;


          k. when the processing is based on Article 6.1.a) GDPR or Article 9.2.a) GDPR, it

              given that the data subjects have the right to give their consent at any time
              to withdraw, without this affecting the legality of the

              processing based on consent before its withdrawal;


          l. that data subjects have the right to file a complaint with a

              supervisory authority;

          m. the source from which the personal data comes, and where applicable,

              whether they come from public sources;


          n. the existence of automated decision-making, including the in

              profiling referred to in Articles 22.1 and 22.4 of the GDPR, and — at least in those cases —
              useful information about the underlying logic, as well as the importance and

              expected consequences of that processing for the data subjects.


152. Pursuant to Article 14.3 GDPR, which relates more specifically to the modalities of the

     provision of information and as such forms an inherent addition to the

     core obligations arising from the two preceding paragraphs of Article 14 GDPR,
     the aforementioned information must be communicated to the decision on the merits within certain periods 07/2024 - 61/114



       those involved. In general, the rule applies that the controller:

       those involved within a reasonable period, but no later than one month after acquisition

       of their data must be informed about the processing, depending on the specific nature

       circumstances thereof (14.3.a) GDPR). According to the Transparency Guidelines under
               168
       However, under the GDPR, this period can be shortened to the extent that the data collected

       personal data are intended for contacting the data subjects, in which case

       case the information is required at the time of first contact with the data subject

       are provided (14.3.b) GDPR). Finally, the one-month period can also be shortened

       if the personal data is communicated to a recipient within the meaning of

       Article 4.9) GDPR. In such circumstances, those involved must be informed

       be processed no later than the time at which their personal data is provided (14.3.c)

       GDPR).

 153. In its defenses, B LACK TIGER BELGIUM states that those involved were informed

       on the basis of the mandatory indications of the name of the defendant in the

       advertising messages that his customers addressed to those involved 16. Concrete means

       This means that in most cases those involved only meet for the first time through the — often

       unwanted — advertising messages were informed of the existence of the

       defendant, as well as the fact that the defendant may have their personal data at some point

       collected and processed. The Disputes Chamber presupposes such an approach

       aims to comply with the time provided under 14.3.b) GDPR, i.e. to inform the data subjects

       inform at the time of actual contact with the data subject, without

       that this necessarily takes into account the time period between

       initial data collection and initial contact. In the guidelines on this matter

       transparency under the GDPR it is nevertheless expressly stated that the period of one

       month provided under Article 14.3.a) GDPR, a maximum period is 170, which is not possible

       can be extended but can only be limited depending on the purposes of the

       processing.


 154. The Disputes Chamber is well aware that the data sources of the defendant

       have an obligation to provide information in accordance with Article 14.3.c) GDPR, in particular when they

       provide personal data in their possession to B LACK TIGERB ELGIUM. The Dispute Chamber

       emphasizes, however, that it is in principle up to the controller who

       transfers data — and therefore not to the recipients, in this case the customers of the

       defendant — belongs to Article 14.3.c) GDPR to provide the information as provided under

       Articles 14.1 and 14.2 GDPR to the data subjects. In concrete terms, all serve


16Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), adopted by the EDPB.
169
  See edge nos. 64, 66 and 137 in this decision.
17Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), edge no. 28. Decision on the merits 07/2024 - 62/114



       successive controllers — i.e., the defendant's partners who

       provide him with personal data, the defendant himself, respectively. the customers to whom the

       defendant, if necessary, transfers personal data - i.e. separately

       to inform data subjects about the data processing they carry out themselves.

                                                                                     171
 155. Moreover, it follows from an a contrario reading of Article 14.5.b) GDPR that the

       provision of information in accordance with Articles 14.1 and 14.2 GDPR is logically proactive

       should be done, in contrast to the rather passive provision of information in which

       Article 14.5.b) GDPR provides an exception. The indirect collection of

       After all, personal data of the data subjects does not presuppose that the

       provision of information to those involved also only serves indirectly

       to happen. On the contrary, from the case law of the Court of Justice as well as from the
                                      172
       provisions of the GDPR, it follows that it is exclusively applicable to the

       controller who determines the means and purposes of the processing,

       has the right to inform those involved in a loyal and transparent manner. The

       The Dispute Chamber therefore concludes that it is primarily up to the

       defendant has the right to proactively inform those involved about the processing of

       their personal data by B LACK TIGER BELGIUM, in accordance with Article 14 GDPR.

 156. The fact that the partners of the defendant, who in the context of their agreement, the by

       transfer personal data collected from them to the defendant himself for a fee

       Providing information to those involved does not affect the foregoing. The

       After all, the Dispute Chamber is not convinced by the organizational measures taken by the

       defendant has taken steps to “indirectly” comply with his transparency obligation,

       whereby the data sources are obliged to include this in their privacy statement

       to expressly refer to the personal data processing carried out by the

       defendant. In that respect, the Disputes Chamber refers to the template for the

       agreements with data sources 173 that stipulate the following (proper

       underline)7:




171
  See edge no. 157 below.
17Recital 60 — “In accordance with the principles of fair and transparent processing, the data subject should
be informed of the fact that processing is taking place and its purposes. The
The controller must provide the data subject with the further information necessary to act against the data subject
to ensure proper and transparent processing for the data subject, taking into account the specific circumstances
and the context in which the personal data are processed. […]”; Article 14 GDPR — “1. When personal data does not belong to
have been obtained from the data subject, the controller shall provide the data subject with the following information: […]” (de
Dispute Chamber underlines). See also CJEU, October 1, 2015, C-201/14, Smaranda Bara et al. v. Președintele Casei Naționale de

Asigurări de Sănătate (ECLI:EU:C:2015:638), edge no. 31.
173 Document 10 (“Piece 10 – Template contracts source – voir article 5”) as submitted by the defendant to the
Inspection service in the context of the investigation, p. 4.
17“Vosdonnéesàcaractèrepersonnelpeuventêtretransmisesesàdespartenairesextérieurs,quipeuventles utiliserpourvous
envoyer des informations commerciales ou des promotionalnelles ou pour les commercialiser à ces fins. Nous ne

Transmitting the characteristics of the external parts guaranteeing the correct characteristics of the external parts
Bisnode Belgium SA (Allée de la Recherche 65, 1070 Anderlecht). Toutefois, [X] ne sera en aucun cas responsable de Decision on the merits 07/2024 - 63/114



                “Your Personal Data may be transferred to external partners who may

                use it to send you commercial information or promotional offers or for these
                commercial purposes. We only pass on such data to external parties

                partners who ensure the correct processing of this data, including Bisnode

                Belgium NV (Researchdreef 65, 1070 Anderlecht). However, [X] is not in any case

                liable for the use of this data by external partners.


                Your personal data can be used or commercialized by Bisnode Belgium
                to be able to provide you with personalized [sic] offers (possibly

                based on your marketing profile), to conduct market research or for data

                already present in the database of other companies to validate, correct or combine

                link (for more information about the processing of personal data by Bisnode Belgium

                consult www.bisnodeenu.be)”.

       The Disputes Chamber rules that such wording (“can be used”),

       does not provide sufficient certainty to those involved about the nature and extent of the

       processing of their personal data by the defendant. Accordingly, none can be done here

       there is a transparent and honest provision of information to those involved

       by the data sources.


 157. The next question that arises is to what extent the defendant can rely on the

       exception to the information obligation, as provided for in the same provision. Article 14.5 GDPR

       provides that the obligation to provide information to data subjects does not apply

       is when and to the extent that 17:


            (a) the data subjects already have the information;

            b) the provision of that information proves impossible or disproportionate

                would require effort, or to the extent that the provision of information

                achievement of the purposes of the intended processing is likely to be impossible

                or threatens to seriously jeopardize it. In such cases

                the controller takes appropriate measures to protect the rights, the

                protect freedoms and the legitimate interests of data subjects,

                including making the information public;


            c) obtaining or providing the data is expressly prescribed by

                Union or Member State law to which the controller is subject





l'utilisation de ces données par des partenaires externes. Vos données à caractère personnel être utilisées ou
commercialization by Bisnode Belgium according to the proposal of the personalized offers (event and function of the
profilmarketing), d'effectuerdesétudesdemarchéoudevalider, correcterourelierdesdonnéesdéjàprésentesdanslesbases

the young entrepreneurs (pour more information about the characteristics of the young personnel of Bisnode Belgium,
consultez www.bisnodetvous.be.”
17See also Data Protection Working Party Article 29 – Guidelines on transparency under Regulation (EU)
2016/679 (WP260, April 11, 2018), edge nos. 58 et seq. Decision on the merits 07/2024 - 64/114


               and that law provides for appropriate measures to protect the justified person

               protect the interests of the data subject; or


           d) the personal data must remain confidential pursuant to a

               professional secrecy under Union or Member State law, including a

               statutory duty of confidentiality.


 158. The Disputes Chamber determines that exceptions [c] and [d] do not apply to the

       processing by the defendant. Exception [a] is also not met since the
                                                        176
       privacy statement on the website is incomplete and the standard paragraphs in the
                                                                                  177
       privacy statements of the data sources are generically worded. What the

       exception [b], the Disputes Chamber refers to the categories of

       defendant processed personal data as well as for the intended purposes, already

       were explained above 17. It cannot be denied that the defendant

       is at least in possession of the contact details of those involved, since such

       data as well as the “identification data” form a common “attribute”.

       for the three databases 17, and the business model of B LACK T IGERB ELGIUM calculated

       consists of collecting, aggregating and then making available

       so-called “contact points” with which the defendant's customers subsequently communicate

       can improve their marketing and communication strategies. So the

       Disputes Chamber has sufficiently proven that the provision of the information provided

       under Article 14 GDPR to data subjects whose personal data the defendant has

       collects and processes is not impossible.


 159. Furthermore, it is not clear, and the defendant does not make it at all plausible, to what extent

       compliance with the principle of transparency with regard to those involved

       would seriously jeopardize objectives. The only reference to the necessary

       efforts that the defendant would have taken and raises in his defenses,

       is furthermore not further substantiated by the documents submitted. When asked if

       those involved would receive a privacy statement individually, answers the

                                                   180
       defendant in both LIAs submitted concisely that an individual

       provision of information would “require a disproportionate effort”:









17See edge no. 107 and 108 in this decision.
17See edge no. 156 in this decision.
178
  See edge nos. 107 and 108 in this decision.
17CMX; Permesso and Spectron.
180
  Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the
defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response from
the defendant. Decision on the merits 07/2024 - 65/114















       However, this position cannot be accepted in light of Article 14 GDPR. The

       impossibility or disproportionate effort must be directly related

       with the fact that the personal data have not been obtained from the data subjects. In addition

       A controller who wants to make use of the exception must

       Article 14.5.b) GDPR based on the argument that provision of the information

       would require a disproportionate amount of effort, the effort it would take to get the information

       to be provided to the data subject against the effect and consequences for the data subject

       data subject when he or she does not receive the information .181


 160. The Disputes Chamber hereby emphasizes that Article 14.5 of the GDPR is an exception

       the right of data subjects in that sense must be interpreted restrictively. It is established in this case

       that BLACK T IGERB ELGIUM must have contact details of the data subjects in order to

       to be able to achieve the intended objectives of the various databases.

       The Disputes Chamber further emphasizes that the defendant does not necessarily have the

       contact details of all parties involved must be available before they can be shared together

       to be informed once; as soon as BLACK TIGER BELGIUM has a postal address or an e-mail

       has, the company is in principle able — and therefore obliged — to provide the specific

       to directly inform data subjects about the collection and processing of their data

       personal data, in line with Article 14 GDPR.


 161. In this regard, the Disputes Chamber refers to the decision of the Polish

       data protection authority (Urząd Ochrony Danych Osobowych, hereinafter “UODO”), which

       on 25 March 2019 imposed a fine on B ISNODE POLAND for failing to

       to directly inform data subjects for whom the company had contact details about the
                                              182
       processing of their personal data. The Disputes Chamber rules that the defendant

       could have taken this 2019 decision into account in the present case

       analysis dated August 27, 2020 regarding the obligation to provide information to those involved

       in Belgium, although he apparently did not do so. Whatever the case, the

       Disputes Chamber states that it is unacceptable 5 years after the entry into force of the GDPR



18Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, April 11, 2018), edge nos. 62 and 64.
182
  Urząd Ochrony Danych Osobowych – Decision ZSPR.421.3.2018 of March 15, 2019, available on the website of the
Polish Data Protection Authority (UODO): https://uodo.gov.pl/decyzje/ZSPR.421.3.2018#. Despite the profession
dISNODPOLAND was subsequently imposed, the UODO's decision remained intact, but the administrative fine was imposed
EUR 220,000 reduced. Decision on the merits 07/2024 - 66/114



       to those involved whose contact details are already known, and especially when

       concerns electronic contact data, not to inform you directly about the processing

       of their personal data.


 162. Although the Disputes Chamber acknowledges that the defendant has made efforts to

       lack of direct, individual provision of information at least
                                         183
       to make it public on its website, the Disputes Chamber rules that this failure to comply with the

       informing those involved in a timely and individually constitutes a violation of the obligation

       to provide transparent — and therefore complete — information pursuant to Articles 12 and 14 GDPR

       to provide data subjects with information about the processing of their personal data, in the

       particularly when the data such as these are collected indirectly.

       In such a circumstance it is certain that data subjects cannot be involved

       expects them to consult the defendant's website regularly or not.

 163. In addition, the Disputes Chamber has already established 184 that the categories

       “marketing profiles”, “consumer interests” and “family composition” not mentioned

       were intended for consumers 18 in the privacy statement dated March 31, 2021, nor in

       the explanation on the current website of LACK TIGERB ELGIUM186. The fact that the defendant

       in his defenses dated September 11, 2023, filed in the context of the limited

       reopening of the debates, clarifies that the privacy statement on the LACK website

       TIGERB ELGIUM only indicates which personal data are in the context of its current

       activities are processed does not prevent the privacy statement for

       consumers at the time of the investigation was not complete — which the defendant

       incidentally, recognized in his rejoinder dated March 7, 2022 - and therefore in

       was a violation of Article 14 GDPR.


 164. In his response to the sanction form, the defendant states that the obligation to

       to inform those involved individually and proactively, was not extensively discussed in the

       written conclusions and no contradictory debate has been opened on this point by the

       Dispute Chamber 18. The defendant also disputes the claim that he deliberately did not

       would provide complete and sufficiently detailed information to those involved.


 165. In this regard, the Disputes Chamber first notes that the manner in which the

       those involved are informed by the defendant or by the data sources

       about the processing of their personal data, was indeed discussed in both the

       written conclusions as during the hearing on February 22, 2023. In the



18Data Protection Working Party Article 29 - Guidelines on transparency under Regulation (EU) 2016/679
(WP260, April 11, 2018), edge nos. 64.
184
  See edge nos. 107 to 109 in this decision.
18Part 12 (“012 Screenshots of Bisnode Belgium website”) in the inventory, pp. 45-48.
186
  https://avg.blacktigerbelgium.tech/uw-consumentengegevens/wat-consument/, accessed on August 4, 2023.
18Response from the defendant to the sanction form dated October 31, 2023, p. 1. Decision on the merits 07/2024 - 67/114


      investigation report, the defendant is sufficiently informed that the

      transparency obligation, both in the case of direct and indirect

      data collection applies.


      The Disputes Chamber also emphasizes that the transparency obligation under the GDPR

      ensues, already applied under Directive 95/46, and as such requires no further interpretation

      required by the Disputes Chamber. Furthermore, the complainant refers in his complaint as well as in
      his written defenses to the fact that the processing of his

      personal data took place “without [his] knowledge”, “without contact” (due to the

      defendant), and that he “has not received any notice or notification from her

      according to Art 13 and 14 of GDPR, when they have collected [his] data”8.


      The defendant was also informed through the conclusion letter dated November 29, 2021

      of the possible infringement of Article 14 GDPR, of which paragraphs 1 to 4 together
      must be read and adhered to, as well as Article 5.2 in conjunction with 24.1 GDPR, “regarding

      to the obligation for the controller to provide data subjects with concise information

      yet provide complete, transparent and understandable information about the

      personal data that are processed, as well as the requirement for the defendant to

      to guarantee and be able to demonstrate compliance with these obligations”.

      written procedure before the Disputes Chamber, the defendant was therefore free to express his views

      defenses with regard to the grievances of the complainant as well as those raised by the Inspection Service

      established lack of evidence that the defendant has fulfilled its obligations under Article 14 GDPR

      had been complied with appropriately.

      Also during the hearing, after the complainant expressed his dissatisfaction about “the collection

      of numerous personal data without being informed of this”8, the

      defendant the opportunity to express his position regarding the obligation imposed on B ISNODE

      B ELGIUM and subsequently B LACK T IGER BELGIUM rested, in accordance with the regulations of

      Article 14 GDPR, to be explained. The Disputes Chamber also noted that the defendant then

      merely replied that “the sources as well as the customers of B LACK TIGER B ELGIUM

      become contractually obliged to inform the data subject about the transfer of their

      personal data to resp. its communication by B LACKT IGERBELGIUM ”.

      Finally, the defendant was given one last opportunity to sign his position

      to the Disputes Chamber, in response to the sanction form dated October 31, 2023.

      In view of the foregoing elements, the Disputes Chamber rules that the defendant

      has indeed been given several opportunities to defend himself against

      the allegation that he did not inform the data subjects in an appropriate manner — i.e., in a complete manner

      transparent and proactive manner, taking into account the context of the processing


18 Complaint form as submitted by the complainant on January 28, 2021.
18 Official report of the hearing dated February 23, 2023, p. 13. Decision on the merits 07/2024 - 68/114



       informed, in accordance with Article 14 GDPR. The argument that the defendant

       in his response to the sanction form is therefore manifestly unfounded.

 166. Given the lack of a complete privacy statement190 as well as the conscious — as stated

       the considerations of interests submitted to the Disputes Chamber appear to be sufficient. 191— choice

       of the defendant for not directly informing those involved about the processing

       of their personal data by B LACK TIGER BELGIUM, despite the fact that the defendant

       has the contact details of the majority of those involved, according to the opinion

       Dispute Chamber that the defendant at least vis-à-vis the parties involved

       contact details were known, is subject to Article 14 GDPR due to serious negligence

       violated.



    II.5. Handling requests from data subjects to exercise their rights

         (Article 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR)


        II.5.1. Position of the Inspection Service


 167. According to the Inspection Service, the defendant does not demonstrate that he - in the context of the

       handling of their request for access — has informed the complainants effectively and transparently

       about all available information about the source of their personal data accordingly

       Article 15.1.g) GDPR. After all, the complainants were not informed about how the defendant

       obtained their personal data from the stated sources, and when. In addition

       the Inspection Service determines that the information provided is too vague and based on too much

       a general type answer, with the result that the complainants do not receive a sufficient answer

       have received the measure. Finally, according to the Inspection Service, the defendant does not indicate

       that in his letter to both complainants he stated the right to erasure of data and the right to object

       effective and transparent; the Inspection Service determines that

       existence of these rights was communicated to only one of the complainants.



        II.5.2. Position of the parties


 168. The complainant states that B LACK T IGER BELGIUM has violated Article 12.3 GDPR by

       to provide electronically requested information on paper. The complainant argues that the

       defendant has not complied with its obligation under Article 12.3 GDPR, as the

       responses to the requests for access via paper mail were submitted to the

       those involved, notwithstanding the fact that the defendant requires that those involved



190
  See edge no. 163 in this decision.
19See screenshot at edge no. 159 in this decision: “Isafairprocessingnoticeprovidedtotheindividual,ifso,how?Arethey
sufficiently clear and up front regarding the purposes of the processing? We don't inform each and every data subject
personally as this would involve a disproportionate effort. However, our sources must explicitly mention the possible use of
data by Bisnode in their privacy notices, we are mentioned in every mail […]” (own underlining). Decision on the merits 07/2024 - 69/114


       request access to their personal data via the defendant's website

       submission, in other words in an electronic manner, whereby data subjects also

       provide their email addresses. Regarding the mention of the sources of his

       personal data, the complainant states during the hearing — referring to the

       response to his request for access — that the defendant reports statistical and

       neighborhood data about the bearing, which, however, cannot possibly come from the sources
       which the defendant lists in his answer. However, during the hearing the complainant leaves:

       know that he has deliberately not requested the erasure of his data

       to avoid these being removed prior to a decision by the

       Dispute Chamber. In addition, the complainant believes that he was unable to simply

       reply to the defendant's response as the information was sent to him by post

       provided, rather than electronically. The complainant also refers to the recent one
                                                       192
       case law of the Court of Justice, which established that
       controllers are obliged to inform data subjects about the

       precise identity of the recipients of their personal data, while the defendant

       would have merely mentioned the categories of personal data in his response to the

       requests for inspection submitted by the complainants. During the hearing, the complainant rejects

       incidentally, to the lack of contact details of the DPO in the answer to his

       request for access, and he is annoyed that he made the aforementioned on his own initiative

       had to look up contact details on the website.

 169. With regard to the requests for information submitted by the complainants, the

       defendant that he received letters from his DPO on November 13, 2020 respectively. December 23, 2020

       has provided information “about the processing of their personal data: the files

       in which they are included and the purposes of the processing, as well as the legal basis
       for the processing, the existence of a right to object, the categories of data processed

       data and information kept about the complainants, the recipients of the

       data, the period for which they are kept, the source of the data,

       and so forth". The defendant disputes that the answers he provided to both

       complainants can be regarded as a so-called “general type answer”, since

       the defendant has informed both complainants separately about (i) the specific source of

       their data, (ii) the fact that these data were sourced by the complainants themselves
       provided in their capacity as a customer, and (iii) the question or cooperation with

       relevant sources are still active. The use of a form letter testifies

       according to the defendant, moreover, of the good internal organization of the defendant

       respond to requests from data subjects.





192
  CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3). Decision on the merits 07/2024 - 70/114


In addition, the defendant refutes the Inspection Service's finding that one of the

the complainant was not informed of the existence of his right to erasure and

opposition. The defendant refers to the letter addressed to the complainant, of which the second point

explicitly states the two aforementioned rights.

In response to the complainants' grievance regarding the sending of the response by post,

the defendant clarifies that he does not require proof of identity from those involved, of all places

to promote the exercise of the rights of data subjects. In order to reduce the risk of

to avoid unauthorized disclosure of data in case of identity theft,

the defendant has therefore opted for sending by post, as known to him

address of the data subject.

With regard to compliance with its obligation to provide information to those involved, the

defendant during the hearing to the standard wording that the sources of B LACK

TIGER BELGIUM in their privacy statement, and with which those involved

be informed of the collection of their personal data by the defendant.
The defendant also states that those involved and detailed information about the sources of

can obtain their data in the context of a request for access. because of this

the defendant is not obliged to provide the precise identities of all sources

in the privacy statement, as it may contain dozens of sources

can be listed while the personal data of an individual data subject

only come from a limited number of the listed sources.

With regard to the mention, in the response to a request for access, of the

categories instead of the specific recipients to whom data from the complainants

were effectively transferred, the defendant posits that this approach at the time was after internal

consultation and with due observance of the case law at the time. According to

the defendant cannot therefore be blamed for not having taken this into account
subsequent case law of the Court of Justice.


In addition, the defendant emphasizes that the complainants' requests for access are detailed

were answered, and the complainants subsequently have no additional request

submitted in order, among other things, to obtain additional information about the precise details

sources of the personal data, the specific recipients of his personal data,
or have possibly incorrect information corrected. Finally, the defendant recalls

Please note that the complainants have never requested the deletion of their data. Decision on the merits 07/2024 - 71/114



        II.5.3. Judgment of the Disputes Chamber


                        Reply by post


 170. The Disputes Chamber determines on the basis of the documents submitted that both complainants have a

       received a response by post, although their original access requests were electronic

       were sent. The defendant does not dispute this, nor in the context of the written statement

       defenses nor during the hearing.


 171. However, Article 12.3 GDPR expressly states:

                “3. The controller shall provide the data subject without undue delay and in any event

                within one month of receipt of the request under Articles 15 to 22

                information about the action taken on the request. Depending on the complexity
                oftherequestsandofthenumberofrequests,thatdeadlinecanbeadditionaltwoifnecessary

                months are extended. The controller informs the data subject

                one month after receipt of the request of such extension. When

                the data subject submits his request electronically, the information will be provided if possible
                provided electronically, unless the data subject requests otherwise.


 172. Article 15(3) in fine GDPR states that when the data subject submits his request electronically,

       and does not request any other arrangement, the information in a common electronic form

       must be provided, whereby the usage must be determined from the
                                                                                   193
       position of the data subject and not of the controller. Therefore,

       the Disputes Chamber has sufficiently proven the infringement of Article 12.3 of the GDPR.

       Notwithstanding the investigation report, only violations of articles 12.1 and 12.2 GDPR

       determines, Article 12 GDPR must be read and complied with in its entirety, including

       Article 12.3 GDPR. The manner in which a controller grants a request,

       after all, it always falls within the general obligation to exercise their rights

       to facilitate the data subjects as provided for in Article 12.2 GDPR, as well as within the

       complementary obligation in Article 12.1 GDPR to ensure the communications referred to in Article 15 to

       with 22 GDPR “if appropriate” to be provided by electronic means. Mutatis

       The foregoing also applies mutandis to Article 15.3 GDPR, which in conjunction with the

       other paragraphs of Article 15 GDPR must be complied with.

       Finally, the Disputes Chamber emphasizes that the defendant is in the context of the proceedings

       has indeed been given and used the opportunity to discuss this matter

       defenses, as is clear from the conclusions in the rejoinder of the defendant respectively. are

       response to the sanction form:





19EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), edge nos. 32, 134 and 148 et seq. Decision on the merits 07/2024 - 72/114



                “To promote the exercise of the rights of data subjects, Black Tiger Belgium demands

                There is no proof of identity from the persons involved. As a result, she sends her answers by post

                to the address of the data subject known to her, which increases the risk of unauthorized
                                                                                           194
                disclosure of data in case of identity theft is avoided'.

                “With regard to the answers, further mail was sent to those involved

                Black Tiger Belgium already explained that this was necessary to ensure that no

                there was an unauthorized disclosure of personal data, which testifies to this
                                                  195
                a high degree of care.”

 173. Although it cannot be ruled out that dispatch by post would be more secure

       then offer an electronic transmission if no proof of identity is requested,

       the Disputes Chamber is of the opinion that in addition to regular e-mails, there are also other, more secure ones


       communication channels exist to provide the requested information electronically

       delivery, in accordance with Article 12.3 GDPR. We also offer shipping by e-mail

       According to the Disputes Chamber, post no longer necessarily guarantees that the sent

       information ultimately ends up with the 'right' person involved, since the defendant cannot

       rule out that the person concerned has moved in the meantime. In a more general sense, the

       Disputes Chamber that the defendant does not act carefully by not providing proof of identity

       questions or to check the identity of applicants in advance.

       The Disputes Chamber determines in this regard that the defendant has not received the (electronic)

       contact details of the data subjects are already required 196 so that they can exercise their rights

       exercise on the defendant's web page. All except the telephone number

       fields required to be completed. Consequently, the Disputes Chamber rules that the defendant has

       has sufficient information to check whether the e-mail address corresponds to the

       contact details of the data subject that are already included in the database(s).

       defendant, prior to further processing of the request. When in doubt

       If necessary, the defendant could contact the person concerned via the already

       known contact details in the databases, to ask him/her for confirmation whether the

       access request is legitimate.


       By consciously providing answers to requests from data subjects by post

       the defendant also makes it more difficult for them to follow suit, if deemed desirable

       to submit an additional request to the first response. The former and current

       websites do not allow the first answer to be attached as an example

       to be added to a new request submitted via the online contact form. The foregoing




19Conclusions of the defendant's rejoinder, submitted to the Disputes Chamber on March 7, 2022, p. 25-26
19Response from the defendant to the sanction form dated November 24, 2023, p. 2, (iii).
196
   First name, last name, telephone number, email, street name, number, zip code and city of the data subject:
https://avg.blacktigerbelgium.tech/uw-rechten/. See also Piece 12 (Screenshots of the Bisnode Belgium website taken by
the Inspection Service on March 31, 2021) in the inventory. Decision on the merits 07/2024 - 73/114



       was also expressly stated by the complainant during the hearing on February 22, 2023
                   197
       raised and the defendant did so during the same hearing as well as in the context

       was given the opportunity to object to his response to the official report

       defend.

 174. In short, the reasons given by the defendant for sending answers

       requests for access via regular mail are not only unconvincing for the

       Dispute Chamber, but also in violation of Article 12.1 as well as 12.3 GDPR in conjunction with 15.3

       GDPR. In addition, the defendant does not act in line with its obligation to exercise

       to facilitate their rights by data subjects, in accordance with Article 12.2 GDPR.


       In view of the foregoing, the Disputes Chamber decides that the defendant violates Articles 12.1 and

       has violated 12.2 GDPR as well as 12.3 in conjunction with 15.3 GDPR by providing answers to the

       not to send requests for access from the complainants electronically but only by post,

       which unnecessarily hindered the complainants from exercising their rights.



                       Sources of the personal data


 175. With regard to the failure to indicate the precise sources of the personal data

       of the complainant, the Dispute Chamber notes that the defendant only reports the
                                                                                             198
       company ELE T ICKET SERVICE as a data source for the consumer database (CMX).

       However, during the hearing and in his defenses, the defendant does not provide any explanation

       for the lack of information about the source of the “statistical data on neighborhood

       level".

 176. According to Article 15.1 GDPR, the data subject has the right to obtain from the

       controller to obtain clarity about whether or not to process

       data concerning him. If the latter is the case, the data subject has it

       right to inspect those personal data and information referred to in Article

       15.1.a) to 15.1.h), such as the purpose of the processing of the

       data as well as the sources and possible recipients of the data. The purpose of

       the right of access is to enable the data subject to understand how his

       personal data are processed and what the consequences are as well as the accuracy

       of the processed data without having to confirm his intention

       justify 19.






19 Official report of the hearing dated February 23, 2023, p. 5.
198
  “The source of your data is Tele Ticket Service, which provided us with the addresses of its customers. Meanwhile, this one
collaboration with Tele Ticket Services has been terminated.” in Section 2 (“Response to the request for access dated 13 November 2020 from
Bisnode Belgium”) lodged with the defendant's response.
19See decision on the merits 57/2023 of 16 May 2023, edge no. 44 (available on the GBA website). Decision on the merits 07/2024 - 74/114


       Since it is not likely that ELE TICKET SERVICE provides (has provided) residential data

       to the defendant and the defendant has not given any explanation regarding the

       origin of the “statistical data at neighborhood level”, although the aforementioned data

       probably come from the National Institute for Statistics, the Disputes Chamber believes

       it is sufficiently proven that the defendant does not mention all relevant data sources

       has in his reply to the complainant.

       In view of the foregoing, the Disputes Chamber therefore decides that the defendant is a

       has committed an infringement of Article 15.1.g) GDPR by not providing all available information about the

       immediately communicate the sources of the complainant's personal data.



                       Contact details of the DPO


 177. Regarding the lack of DPO contact details in the response as well as the

       alleged lack of indication of the rights of opposed data erasure, rules

       the Disputes Chamber that the complainant's grievance was not determined by the Inspection Service

       well-founded or is not supported by the documents before us. After all, Article 15 GDPR requires this

       in no way that the contact details of the DPO are stated in the response to a

       request for access, and it is certain that the aforementioned rights are effectively listed in

       the response to the complainants' request. Furthermore, the Disputes Chamber notes that

       the contact details of the DPO are clearly stated at the top of the contact form
       on the defendant's website, as from the screenshots by the Inspection Service

       It turns out that the GDPR does not require the controller to provide an e-mail address

       the DPO shares with the parties involved. The communication of a postal address in combination with

       contact form to handle requests in a structured manner is sufficient

       as long as this does not hinder the exercise of their rights by the data subjects.

       The Disputes Chamber therefore determines that the defendant does not have the GDPR on this point

       violated.



                       Recipients of the personal data


 178. With regard to the precise identification of the recipients to whom the defendant has transferred the

       has handed over the complainant's personal data, the complainant points out the judgment

       Austrian Post of the Court of Justice. In this case the Court ruled that

       controllers are obliged to provide the actual information at the request of data subjects
       to provide the identity of the recipients to whom data are or will be

       provided. It is only possible when it is not (yet) possible to identify these recipients





20See edge no. 83 in this decision. Decision on the merits 07/2024 - 75/114


       the controller is allowed to limit the information communicated

       to the relevant categories of recipients 20.


 179. In this case, the Disputes Chamber notes that the defendant at the time of the hearing

       the complainants' requests has limited its response to the categories of

       receivers. Notwithstanding the requests for access to the present proceedings

       basis, precede the ruling of the Court of Justice, is the opinion


       Disputes Chamber that the defendant was obliged to provide the precise identity of the recipients

       to be communicated to the complainants from the first request for access. It rules in its judgment

       After all, the CJEU states that the right of access of data subjects is indispensable to enable them to
                                                                               202
       to exercise other rights granted by the GDPR. This explanation proves

       also from the EDPB's Right of Access Guidelines 20, as well as in the

       guidelines on transparency, adopted by the Data Protection Working Party in 2017 Article

       29 were approved and revised on April 11, 2018 204, well before the

       defendant received the access requests.


       It is therefore established that the right of access provided for in Article 15 GDPR

       contrary to the right to information under Articles 13 and 14 GDPR, yes

       requires the controller to provide specific information about the

       processed personal data, with a sufficient degree of accuracy to ensure the

       to enable the data subject to acquire “informational self-determination” 205and to,

       where appropriate, to assess the compliance of the practice with the GDPR. It


       sufficiently transparent and accurate nature of the information provided in the context of a

       right of access is communicated also contributes to data subjects exercising their rights

       can more easily exercise this under the GDPR in accordance with Article 12.2 GDPR.

       By specifically indicating who the recipients are of the personal data held on them

       data subjects can then exercise their rights directly

       receivers.


       Contrary to what the defendant stated in his response to the official report

       hearing, so there is no retroactive effect of the judgment of 12 January

       2023 of the CJEU, since that judgment merely provides interpretation of an obligation that

       arises directly from Article 15.1.c) GDPR, which was already applicable beforehand.




20CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3), edge nos. 39, 43 and 48.
202
  CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3), edge no. 38.
20EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), edge nos. 116-117.
204
  Data Protection Working Party Article 29 – Guidelines on transparency in accordance with Regulation (EU) 2016/679
(WP260, rev. 01, April 11, 2018), pp. 43-44: “The (names of the) actual recipients of the personal data, or categories
personal data must be provided in accordance with the principle of propriety
controllers provide information about the recipients that is most meaningful to the data subjects
is. In practice, these will usually be named recipients, so that those involved know exactly who they are
has personal data.”
205
  See Decision on the merits 15/2021 of February 9, 2021, edge no. 165 (available on the GBA website). Decision on the merits 07/2024 - 76/114


     In view of the foregoing, the Disputes Chamber decides that the defendant has committed an infringement

     committed on Article 15.1.c) GDPR, by not providing all available information about the specific

     recipients of the complainants' personal data.



   II.6. Use of cookies on the defendant's websites (Article 4.11), Article
        5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR)


       II.6.1. Position of the Inspection Service


180. The Inspection Service has established that the information provided by the defendant about the use

     of cookies provided to website visitors, in the cookie window at the bottom of the

     home page of the website https://bisnodeandyou.be, is only available in English.

     In addition, the two options on the home page of the website are not available

     a similar way is suggested, and the cookie window disappears after clicking on the
     language button at the top right of the website homepage. Finally, the defendant provides

     no explanation to website visitors about how they can withdraw their given consent.


181. With regard to the website https://www.permesso.besteltde Inspectiedienstvastdatde

     information about the use of cookies is available in both Dutch and French
     and makes it clear that in addition to essential cookies, other cookies are also placed.

     In addition, the two options on the home page of the website are not available

     an equivalent way is proposed, and the Dutch version of it disappears

     cookie window after clicking the language button. Finally, the defendant provides no explanation

     to website visitors about how they can subsequently withdraw their given consent.

182. Based on the previous findings, the Inspection Service concludes that the defendant

     does not obtain legally valid consent within the meaning of Article 4.11) GDPR, and therefore also

     cannot demonstrate that those involved have given valid consent for the

     placement of cookies on their devices.


       II.6.2. Position of the defendant


183. The defendant acknowledges that there were certain shortcomings in its previous cookie policy,

     but emphasizes that following the publication of the guidelines on the GBA website, in

     2020, it was decided to conduct an analysis of the existing cookie practice of the

     defendant in order to identify and remedy shortcomings. Due to the

     However, this has faded into the background after several takeovers, according to the defendant, and

     it was ultimately decided by BLACK T IGERBELGIUM to only use
     strictly necessary cookies. Decision on the merits 07/2024 - 77/114


       II.6.3. Judgment of the Disputes Chamber



 184. The Disputes Chamber is solely based on the screenshots of

      https://bisnodeandyou.be/ resp. https://www.permesso.be/ unable to reach the
      to determine a violation of the regulations regarding the placement of cookies.

      After all, with regard to the first website, it can only be deduced that the website is a

      places a consent cookie (“OptanonConsent”), linked to the domain

      bisnodeandyou.be, with an expiry period of one year. Therefore, the Disputes Chamber can

      not decide that this cookie supports an unnecessary function. With respect to

      the second website also cannot be deduced that the defendant uses unnecessary cookies

      would post without the prior consent of those involved. The only cookies

      that the Inspection Service has established are in addition to those already mentioned

      Optanon also consents to two session cookies (PHPSESSID and wml_browser_redirect_test). This

      are both functional cookies, linked to the permesso.be website. Furthermore, he stated
      After its own research, GK has determined that the website https://bisnodeandyou.be/ is no longer

      accessible, and the website https://www.permesso.be/ has not been accessible since at least July 25, 2021

      in use longer.


      Consequently, the Disputes Chamber decides to uphold the findings of the Inspection Service

      are related to the placement of cookies on the two aforementioned websites

      defendant, cannot be restrained.



    II.7. Accountability of the defendant (Article 5.2, Article 24.1, as well as
         articles 25.1 and 25.2 GDPR)


       II.7.1. Position of the Inspection Service


 185. In his answer to the Inspection Service's questions, the defendant refers to various

      data protection initiatives and documents. The Inspection Service emphasizes

      however, that the defendant has committed, among other things, a violation of Article 5.2, Article 24.1

      and Article 25.1 GDPR, as well as with regard to certain articles of the GDPR on the

      rights of the data subject. The uncompleted and unsigned model agreements

      to which the defendant refers in his answers 206, according to the Inspection Service

      does not indicate that these templates are used effectively and systematically. In addition
                                                                207
      it does not appear from the documents provided by the defendant that they are effective

      approved by the highest level of management of the defendant, nor that the






20 Pieces 10 to 12 transferred by the defendant to the Inspection Service.
20 Pieces 1 to 38 transferred by the defendant to the Inspection Service. Decision on the merits 07/2024 - 78/114


     compliance with the rules and guidelines stated therein is effectively monitored and that

     infringements are effectively sanctioned.



      II.7.2. Position of the defendant


186. The defendant argues that the findings by the Inspection Service with regard to the

     data protection documents are unfounded. Thedefendant

     argues that during the investigation by the Inspectorate he always provided complete, precise,
     has provided detailed and completely transparent information to all questions asked,

     and points out that the shortcomings found are in any case minor and of no consequence

     appear to be. Furthermore, the defendant regrets that there is no information in the inspection report

     the more global implementation of the GDPR was taken into account by the

     defendant to comply with its obligations under the regulation. The fact that he

     has model agreements and standard documents, according to the

     defendant just indicates that he has a reasonable level of internal compliance and preparedness
     implemented in the event of the exercise of their rights by data subjects, or

     of an investigation or audit by the GBA. The defendant also states that he

     is in no way “obligated to prove that these templates are actually used,

     especially since the Inspection Service does not mention any specific cases in which they have not been used

     the defendant also demonstrates that he does indeed use standard answers to

     respond to data subject access requests”.

187. The defendant then refutes the Inspection Service's findings

     effective and systematic use of model agreements, approval

     of policy documents by the highest levels of management, as well as the lack of

     proof of the implementation of the control and sanction measures provided for in the event of

     breaches of internal procedures. The defendant states that there is none

     there is a legal obligation to prepare a report for each meeting of the
     board of directors, in which the precise decisions are determined. He also refers

     to the contradictory statements of the Inspection Service, which on the one hand accuses that

     standard letters are used, and on the other hand the defendant does not accuse any

     to use the standard documents submitted. The defendant believes that he

     nor is it obligatory to prove that the templates transferred are actually used

     be, especially because the Inspection Service does not mention any concrete cases in which the

     templates would not have been used.

188. Furthermore, the defendant refers to the fact that BLACK TIGER BELGIUM in no way

     was involved in the course of the events that the complainants accuse, and himself

     moreover, very quickly reported to the GBA to make its position known.

     In addition, the defendant emphasizes once again that the CMX database has now been decided on the merits 07/2024 - 79/114



     is removed and the activities of Data Delivery continue three months after the takeover
     BLACK TIGER have been terminated, and therefore asks the Disputes Chamber to carefully review this

     to choose an appropriate sanction. In short, the defendant requests the Disputes Chamber for privilege

     to declare that no sanction is necessary, as the defendant has committed the disputed

     has permanently terminated processing on his own initiative. The defendant clarifies

     that BLACK TIGERBELGIUM has exclusively since discontinuing the Data Delivery activities

     still acts as a processor in the context of the Data Quality services to customers.

     However, this does not prevent B LACK TIGER B ELGIUM from providing appropriate technical and

     take organizational measures and maintain necessary documentation, such as

     incidentally, it was transferred to the Inspectorate during the investigation. In addition, the

     defendant to the letter from the CEO of LACK TIGER BELGIUM addressed to the GBA,

     in which the changed strategy as well as the decision to switch to a pure one

     Data Quality services were explained, but remained unanswered by the
     Inspection service.



      II.7.3. Judgment of the Disputes Chamber



189. The Disputes Chamber rules that there can be no doubts:LACK TIGERBELGIUM
     must be held responsible for the processing activities that took place

     before the takeover of B ISNODE BELGIUM by BLACK TIGER GROUP and subsequent ones

     name change. This responsibility, which is separate from the involvement of the

     'new' company in the controversial processing activity, is a direct result

     the transition from BISNODE B ELGIUM to B LACK TIGER B ELGIUM, where the

     decision-making power over the means and purposes of the processing of

     personal data was taken over without further ado. Adopting the opposite would be the case

     imply vacuum with regard to responsibility over transferred

     personal data, to the detriment of the protection of fundamental rights and

     freedoms of those involved, especially when the 'acquirer' takes over the

     processing activities for a certain period after the acquisition.

     In addition, the Disputes Chamber emphasizes that the company numbers of B ISNODE

     BELGIUM resp. LACK TIGERBELGIUM are identical.

190. Article 5.2 and Article 24 GDPR impose general accountability obligations and

     compliance requirements for data controllers. Article 5.2 GDPR states the

     controller liable for compliance with the general principles

     regarding their processing of personal data. Pursuant to Article 24 GDPR

     controllers in particular, taking into account the nature, size,

     the context and purpose of the processing, appropriate technical and organizational Decision on the merits 07/2024 - 80/114


       to take measures to ensure and be able to guarantee the right to data protection

       demonstrate that the processing is carried out in accordance with the GDPR.


 191. In the present case, the Disputes Chamber has now ruled that the defendant

       could not demonstrate that the disputed data processing complied with the provisions of the GDPR

       appropriate methods of compliance. The Disputes Chamber has determined that the defendant is unjustified

       relies on Article 6.1.f) GDPR as the basis for the CMX and Spectron databases

       in which the personal data of the complainants are also processed. The defendant hereby has

       has not properly weighed its own interests against those of its customers,

       on the one hand, the interests as well as the fundamental rights and freedoms of those involved,

       on the other hand208. Furthermore, the defendant unlawfully disregards his obligation to provide information

       regarding the data subjects, to the data sources as well as to its customers,

       as a result of which those involved are not informed in a timely manner of the processing of their data

       personal data in the context of the commercial services offered by the

       defendant 209. With regard to the handling of requests by those involved, the

       Disputes Chamber also concluded that the chosen course of action, and with


       in particular sending responses to requests for access by post, although the

       requests can be submitted electronically is not in accordance with the regulations
                         210
       of Article 15 GDPR. In addition, the Disputes Chamber notes that a number of submitted

       policy documents have not been updated since their last change in 2018, although

       a series of points an active follow-up of the controller's requirements

       Disputes Chamber refers in particular to the established storage period of 15 years,

       for which the controller indicated that he still needed a justification

       to document. This finding is also supported by the statement “See

       Data Retention Policy (under review)” in the register of processing activities

       transferred to the Inspection Service by the defendant 21.


       Accordingly, the Disputes Chamber considers the infringement of Article 5, Article 24.1, as well as Article

       25.1 and 25.2 GDPR proven, with regard to the inability to guarantee nor

       demonstrate that the processing takes place in accordance with the principles governing

       data protection laid down in Article 5.1 GDPR and with due respect for the

       fundamental rights and freedoms of those involved, as laid down in, among others

       Articles 12, 14 and 15 GDPR.






20See marginal nos. 134 to 141 in this decision.
20See marginal nos. 151 to 162 in this decision.
210
  See edge nos. 170 up to and including 173 in this decision.
21Article 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) as transferred by the defendant to the
Inspection service in the context of the investigation, p. 15 in fine.
212
  Loosely translated: “See Data storage policy (currently being revised)” in Piece 30(“BisnodeBelgium - Copy of Record
of Processing”) as transferred by the defendant to the Inspection Service in the context of the investigation. Decision on the merits 07/2024 - 81/114


192. The Disputes Chamber, on the other hand, decides to uphold the other findings of the

     Inspection service regarding the handing over of uncompleted and unsigned documents

     model agreements, as well as the lack of control and sanction measures in one
     number of documents, as well as formal approval by top management

     level of the defendant, should not be taken into consideration. The Inspection Service makes

     insufficiently plausible that the defendant actually committed an infringement in this regard

     has committed the provisions of the GDPR related to the

     accountability of the controller. Finally, these frame

     findings not within the scope of the initial complaint.


   II.8. Register of processing activities (Article 30.1, 30.2, and 30.3GDPR)


      II.8.1. Position of the Inspection Service



193. The defendant considers itself a processor for various processing activities
     included in its register of processing activities. However, the Inspection Service states:

     determines that this register does not meet the minimum requirements as the description of the

     categories of data subjects and categories of personal data is incomplete,

     the retention periods of the personal data are not stated, a general one

     description of the technical and organizational security measures (“TOMs”)
     is missing, and finally the name and contact details of each

     controller on behalf of whom the defendant acts as processor

     are not listed in the register.



      II.8.2. Position of the defendant


194. The defendant states that Article 30.1.c) GDPR does not oblige him in any way to inform the data subjects

     identified form in its register of processing activities. According to the
     defendant, it is sufficient to appoint the persons concerned as consumers,

     customers (clients), employees (staff), etc. Furthermore, Article 30.1.c) GDPR merely obliges

     provide a description of the categories of personal data processed. The

     The defendant believes that this is satisfied by, among other things, listing the following categories

     in the data register: identification data (contact data), social demographic and
     lifestyle data (socio-demo andlifestyle data) and family typology. The

     The defendant also disputes that he violated Article 30 of the GDPR because of it

     merely refer to internal policy documents stating the intended retention periods

     as well as a description of the technical and organizational measures

     are. The defendant believes that the register of processing activities mainly
     is intended for internal use as a supporting document, and must be in accordance with Decision on the merits 07/2024 - 82/114



       agree with the operational reality of the controller. Finally

       the defendant that his activities as a processor are included in the internal register of

       processing activities are included, but are only accessible “for certain

       persons”. Since the Inspection Service did not request it, the defendant

       this information, which is available, is not provided.



        II.8.3. Judgment of the Disputes Chamber


 195. The Disputes Chamber notes that the submitted register of processing activities

       limited to mentioning the categories of data subjects, without these categories

       nearing definition. Article 30.1.c)GDPR expressly requires that the register “a

       description of the categories of data subjects and of the categories of

       personal data” (own underlining). Since the requirement to obtain the relevant

       categories to actually describe, also in the English and French translation of the

       AVG is present 21, so according to the Disputes Chamber there can be no doubt about the

       scope of this provision. As mentioned earlier in this decision, the differences differ

       descriptions of the categories of personal data processed by the defendant

       depending on the policy document referred to 21. However, it is extreme

       It is important that each controller clearly defines for himself which

       personal data are processed exactly under his supervision, and this too

       documents in the register of processing activities, as required under the
                                                      215
       accountability(article5.2juncto24GDPR) . An appropriate granularity internally

       register of processing activities is all the more important because the information that

       controllers under Articles 13 and 14 GDPR must provide to

       data subjects are limited to the categories of personal data concerned. As soon as

       However, a data subject exercises his right of access

       controller in accordance with the guidelines of the EDPB, nevertheless

       to communicate a complete picture of the processed personal data to the requester, with

       including the precise personal data concerning him or her that the
                                                                    216
       controller actually processes. Accordingly, the

       Dispute Chamber the infringement of Article 30.1.c) GDPR by the defendant as proven.

 196. With regard to the reference to external policy documents containing the retention periods

       as well as the technical and organizational measures are described, the

       Dispute Chamber, in contrast to the Inspection Service, which does not provide such information




21“(c) a description of the categories of data subjects and of the categories of personal data;” and “c) une description des
categories of persons concerned and the categories of données à caractère personnel;'
21See edge no. 107 in this decision.
215
  Decision on the merits 15/2020 of April 15, 2020, edge no. 142 (available on the GBA website).
21EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), edge no. 115. Decision on the merits 07/2024 - 83/114


     must be systematically included in the register of processing activities

     the different wording of Article 30.1.f) and 30.1.g) GDPR. As long as the register is up

     refers appropriately to the policy documents containing the aforementioned information
     can be easily verified, according to the Disputes Chamber there is no such thing

     infringement of Article 30.1 GDPR.


197. In his conclusions, the defendant takes the position that the Inspection Service

     could have received a register of processing activities as a processor
     if he had requested this. From further investigation of the relevant register, the

     Disputes Chamber, however, notes that it is possible to conduct activities as a processor ("processor")

     filter under the column “Controller or processor?”. The Disputes Chamber decides accordingly

     that the defendant uses one central processing register, in which the

     data processing as controller as well as the processing that the
     defendant is responsible for processing on behalf of another person,

     are documented.


198. However, the Disputes Chamber notes that the processing activities that belong to the second
     category, do not indicate “a) the name and contact details […] of

     any controller on whose behalf the processor acts, and, in

     where applicable, from the representative of the controller […] and

     of the data protection officer;' The infringement of Article 30.2.a) GDPR is

     so fixed.

199. Finally, the Disputes Chamber rules that no infringement of Article 30.3 GDPR can be

     retained, solely due to the determination that the register of processing activities

     does not contain all mandatory information.



   II.9. Involvement of the DPO (Article 38.1 and Article 39.1GDPR)


      II.9.1. Position of the Inspection Service


200. Although the role of the DPO is clearly defined and supported in the

     performance of its duties, the Inspection Service determines that the defendant does not provide any information
     and/or advice from the DPO on (a) transparent information to data subjects and (b) the

     has provided a register of processing activities to the Inspection Service, and the

     defendant therefore does not recognize the involvement of the DPO in the aforementioned subjects

     has shown. Most of the documents the defendant cites to prove the

     activities of his DPO do not show how and when the DPO
     concrete intervention has been made, or what concrete measures the defendant may have taken

     has taken in response to advice from his DPO. Decision on the merits 07/2024 - 84/114


       II.9.2. Position of the defendant



 201. The defendant declares that compliance with Articles 38.1 and 39.1 GDPR is

      demonstrated by the evidence of the commitment and key role played by DPOs since 2018
      to play. This includes maintaining GEBs for each of the databases, creating them

      website of www.bisnodeetvous.be as well as the creation of a process for

      requests from data subjects to exercise their rights, the revision of the

      technical and organizational measures and finally the rollout of the GEB process.

      More generally, it describes the role of the DPO, its duties and its importance within the company

      demonstrated by the production of two essential documents from the B ISNODE GROUP , which

      the then B ISNODE BELGIUM mutatis mutandis took over after their departure from the

      group. The defendant refutes the Inspection Service's finding that he

      would not have shown that the DPO was indeed, together with other legal

      advisors within the company, were involved in recording the data to those involved
      provide information, as well as in the preparation of the register. According to the defendant

      After all, it is sufficiently clear from the documents sent that the DPO at all levels

      was, and is, involved in the projects, decisions as well as the daily operations regarding it

      the processing of personal data. The fact that specific documents do not meet the

      Inspection service has been provided, according to the defendant, does not prove that the DPO was not present

      has been involved. The defendant refers in this regard to the lack of questions

      addressed to the defendant in this regard during the investigation. In addition, the

      defendant points out that the GDPR nowhere prescribes how a

      controller can or must demonstrate the involvement of the DPO. The

      indication of the different functions involved in a project or to a
      document have contributed, is not only usual, but according to the defendant

      at least a beginning of evidence, or a reasonable indication of the involvement of

      the aforementioned functions.



       II.9.3. Judgment of the Disputes Chamber


 202. The Disputes Chamber understands from the documents submitted and the arguments put forward

      by the defendant that B ISNODEB ELGIUM already before the entry into force of the GDPR

      has started an extensive implementation process217, as well as that the then DPO and his

      substitute were involved in drafting related policy documents

      with the processing of personal data by the controller.

      In addition, the Disputes Chamber notes that the Inspection Service in the context of





21Document 32 as submitted by the defendant to the Inspection Service in the context of the investigation. Decision on the merits 07/2024 - 85/114


     investigation did not ask the defendant any additional questions, in order to

     obtain evidence of the DPO's involvement in concrete projects.

     The Disputes Chamber therefore does not have sufficient elements to substantiate this

     the violation of Articles 38.1 and 39.1 GDPR retained by the Inspection Service. Consequently

     the Disputes Chamber can investigate the violations of the

     GDPR regarding the involvement of the DPO.



   II.10. Additional considerations regarding the inspection report

203. The inspection report lists three circumstances that concern the Inspection Service

     would play a role in assessing the seriousness of the alleged infringements.


         i. the defendant processes personal data systematically and on a large scale as
              core activity;


         ii. the nature of the infringements found is serious, and the defendant makes his

              promises not true;

        iii. the register of processing activities is incomplete and unclear.


204. The defendant believes that these circumstances are wrongly put forward.
     Firstly, the defendant cannot be blamed for large-scale

     processes personal data, as long as he complies with the rules on the protection of

     personal data. In addition, the defendant emphasizes that the size and

     scope of the processing and not further qualified or characterized in it

     report from the Inspection Service, which is limited to establishing that the defendant is
     profiles itself as a specialist in direct marketing.


     The Disputes Chamber, on the other hand, rules that the determination of a large-scale

     data processing should not be regarded solely as an aggravating circumstance
     be taken, but certainly as part of the balancing test between the

     fundamental rights and freedoms of those involved, on the one hand, and the submitted

     interests of the defendant and its customers, on the other.

205. Secondly, the defendant argues that the investigation report identifies the infringements as such

     would confuse with the aggravating circumstances of the same infringements. So would the

     Inspection Service have not presented any concrete circumstances, apart from the

     alleged infringement itself, on the basis of which the seriousness of the infringement could be assessed

     become. With regard to the privacy statements on the website, the defendant disputes the

     allegations, which are not even proven, that the defendant has the confidence of
     deliberately wanted to mislead those involved. Decision on the merits 07/2024 - 86/114


       The Disputes Chamber has already ruled in the present decision that there is sufficient

       there are indications that the defendant consciously opted out of the information obligation

       with regard to the data subjects, mainly with its partners (who process the personal data

       supply) and its customers (who receive the personal data). The

       The Disputes Chamber has also come to the decision that such a course of action is not acceptable

       comply with the requirements of Article 14 GDPR 218.


 206. Thirdly, according to the defendant, it cannot reasonably be disputed that he is robust and

       has put in place adequate internal procedures, policies and rules to

       to protect personal data, nor whether the defendant has attempted in good faith

       to comply with the GDPR in both its spirit and its letter. The defendant refers to his

       choice to discontinue Data Delivery activities on its own initiative — which choice

       had not yet been published at the time the inspection report was issued —

       as well as to limit its current activities to data analysis and services that do not

       role as a data broker. This reorientation would, according to the defendant, be a

       must play a decisive role in assessing the seriousness of the alleged infringements

       as well as the good faith of the defendant.


       The Disputes Chamber will consider the fact that the defendant decided after the takeover to

       number of services to be discontinued, to be taken into account in the context of the

       the following determination of sanctions and corrective measures.


 207. Fourth, the defendant claims that he, even without knowledge of the investigation reports

       made several attempts before it was released on May 20, 2021

       to contact the Inspector General and the then chairman of the

       GBA, in order to inform them of this important adjustment to the

       business activities, and to enter into a constructive dialogue with him such as the

       defendant had also done the same with the CNIL in France. The defendant believes that he

       However, it was not possible to obtain a meeting with the GBA.

       In this regard, the Dispute Chamber reminds that a party during an ongoing

       investigation cannot in principle demand to be heard, given the specific nature of the investigation

                                                                  219
       powers granted to the Inspection Service. The Marktenhof has in its own right

       judgment of March 1, 2023 also ruled that the GBA is the supervisory authority

       pursuant to Article 52 GDPR is completely independent in the performance of the tasks and
                                                                          220
       powers assigned to it in accordance with the GDPR.






21See edge no. 166 in this decision
219 See point 4.1.e of the Charter of the Inspection Service available on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/charter-van-de-onderzoekdienst.pdf.

22Court of Appeal Brussels (Markten Court section), X t. GBA, Judgment 2022/AR/1085 of March 1, 2023, p 7. Decision on the merits 07/2024 - 87/114


III.Sanctions and corrective measures



    III.1. Established infringements


 208. The Disputes Chamber is of the opinion that the present case is serious

      violations of the fundamental rights of those involved. The Disputes Chamber will judge
      furthermore, that these violations must be classified separately

      conduct 22. More specifically, the Disputes Chamber finds violations of the following

      provisions of the GDPR, relating to three different ones, set out below

      conduct of the controller:

          i. Infringement of Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; article 24

               GDPR and Article 25 GDPR — The Disputes Chamber rules that the defendant op

               indirectly, on a large scale and for a period of at least 15 years

               collected personal data of data subjects, without providing a

               individual information to those involved by the defendant

               nevertheless had contact details for both Data Delivery and Data

               Quality services.

               The processing involved or are going to be with these services

               after all, contrary to Article 5.1 GDPR, and more specifically the principle of

               legality, propriety and transparency (5.1.a) GDPR), the principle of

               minimum data processing (5.1.c) GDPR) and the principle of storage limitation

               (5.1.e) GDPR). By opting for an indirect one due to serious negligence
               provision of information to those involved, either 'upstream' by the

               data sources of the defendant, either 'downstream' by the customers of

               the defendant when meeting the persons involved for the first time

               communicate, the defendant also violates his obligation to provide information, such as

               laid down in Articles 14.1 and 14.2 GDPR, read in conjunction with Article 12.1 GDPR.

               For the processing of personal data without proactive

               the defendant is therefore unable to provide information to those involved
               legitimately rely on its legitimate interests or those of its customers

               (6.1.f) GDPR), as these interests do not outweigh the interests

               and fundamental rights of data subjects, and the

               data processing activities that support these interests are not

               fall within the reasonable expectations of those involved. Also has the

               defendant violated Article 25 GDPR due to the lack of appropriate

               technical and organizational measures to ensure compliance with the



221
  “Conducts” in the EDPB –Guidelines 04/2022 on the calculation of administrative fines under theGDPR (v2.0, May 24, 2023). Decision on the merits 07/2024 - 88/114


               data protection principles, and in particular the principles of minimum

               data processing and storage limitation, in an effective manner

               guarantees. Finally, because the defendant does not provide sufficient evidence — such as

               however required under the accountability obligations imposed on each

               controller rests — that the processing of data

               of those involved in the context of the aforementioned services
               in accordance with data protection principles and with

               respect for the fundamental rights and freedoms of those involved

               the defendant also committed an infringement of Article 5.2 GDPR, read in

               connection with Article 24.1 GDPR.

          ii. Infringement of Article 12 GDPR as well as Article 15 GDPR — The Disputes Chamber decides

               that the defendant improperly processed the complainants' requests for access

               has handled, in violation of the obligation to protect the rights of data subjects

               facilitating and the requirement to provide full access and information to those involved

               regarding the processing of their personal data.

               The defendant has opted for his written answers

               to the complainants' requests for access by post instead of in a conventional manner

               electronic form, which constitutes a violation of Article 12.1 and

               12.2 GDPR as well as Article 12.3 in conjunction with 15.3 GDPR. In addition, the defendant has

               failed to identify the source of the statistical information regarding the complainants

               mention in the answers to their requests for access, with the result that the
               defendant has also violated Article 15.1.g) GDPR. Finally, it is certain that the

               defendant has committed an infringement of article due to serious negligence

               15.1.c) GDPR, read in light of the guidelines of the Article 29 Working Group

               and the EDPB as well as the case law of the Court of Justice in its judgment C-154/21,

               by only communicating the categories of recipients in the reply to

               the complainants, although the respondent was able to identify the specific recipients
                            222
               identify .

         iii. Infringement of Article 30GDPR—The defendant has finally failed to do so

               indication of the categories of data subjects and of those processed

               personal data also include a description of these categories

               register of processing activities, as prescribed in Article
               30.1.c)GDPR.The defendant has also violated Article 30.2.a)GDPR by

               to be included in the centralized processing register, in which the

               processing activities as a controller as well as in the

               capacity of processor is documented, the identity of


222
  CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3). Decision on the merits 07/2024 - 89/114



               data controllers for whom the defendant is considered
               processor acts.


209. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:


       “1° to dismiss a complaint;

       2° to order the dismissal of prosecution;

       3° order a suspension of the ruling;

       4° to propose a settlement;

       5° formulate warnings and reprimands;

       6° order that the data subject's requests to exercise his rights be complied with;


       7° to order that the person concerned is informed of the security problem;

       8° order that processing be temporarily or permanently frozen, restricted or prohibited;

       9° to order that the processing be brought into compliance;

       10° the rectification, restriction or deletion of data and its notification to the

       to order recipients of the data;

       11° order the withdrawal of the recognition of certification bodies;

       12° to impose penalty payments;

       13° to impose administrative fines;

       14° the suspension of cross-border data flows to another State or a

       international institution;

       15° to transfer the file to the public prosecutor's office in Brussels, who will file it in

       informs you of the follow-up given to the file;

       16° decide on a case-by-case basis to publish its decisions on the website of the

       Data Protection Authority.”



   III.2. Measures imposed by the Disputes Chamber


       III.2.1. Corrective measures to bring the processing into compliance with

              the GDPR


210. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 8° and 9° WOG, the

      Disputes Chamber issues an order to the defendant for the violation of Article 5.1 GDPR,

      Article 6.1 GDPR, Article 12.1 GDPR, as well as Articles 14.1 and 14.2 GDPR, in the context of B2B

      Data Quality services to be terminated and kept terminated until processing commences

      is brought into line with the GDPR.

       The defendant can comply with this by processing personal data in the

       Spectron database, before the persons involved from whom the defendant has access

       has contact details to proactively and individually inform you of the processing Decision on the merits 07/2024 - 90/114


       of their personal data by the defendant. The defendant must also:

       those involved for a period of 3 months from the provision of information

       to provide the opportunity to object to the objection in a simple and effective manner

       processing their personal data before resuming processing.


       As for the other categories of data subjects of which the defendant does not

       contact details in its possession, the Disputes Chamber will decide to suspend the processing of their
       to permanently ban personal data, in the absence of a lawful right

       processing ground.


       Considering the fact that the defendant already had the CMX (incl. Permesso) database on July 30, 2021

       destroyed, the B2C Data Quality services are therefore no longer available since that date

       is offered, and the B2C Data Delivery service since October 30, 2021
                           223
       has been completely stopped, the Disputes Chamber does not consider it necessary in the present case
       to order the defendant to stop data processing in connection with the

       to bring the aforementioned services into compliance with the GDPR 224.


 211. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1.9° WOG, the Disputes Chamber lays down the

      orders the defendant to commit the violation of articles 5.1 and 5.2 GDPR, article

      24.1 GDPR, as well as Articles 25.1 and 25.2 GDPR, by appropriate technical and

      to take organizational measures to ensure that the retention period of the data

      — which the defendant may only process further on the condition that the previous
      order has been complied with — is proportionate to the purposes of the processing, and

      so that the defendant, in the context of its current Data Quality services, only

      maintains the most up-to-date data of data subjects, as required by the principle

      of minimal data processing.


      In addition, the Disputes Chamber orders the defendant to submit the current documentation

      in connection with the processing of data and compliance with the GDPR
      or adapt it to take account of actual circumstances

      in which the defendant processes personal data and thus accountability

      which rests with the defendant.


 212. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1.9° WOG, the Disputes Chamber lays down the

      orders the defendant to comply with the violation of Articles 30.1 and 30.2 GDPR

      remedy by supplementing the register of processing activities with a clear
      description of the categories of personal data and data subjects, as well as by

      all controllers for whom the defendant acts as processor

      intends to act, to be mentioned by name.




22Response from the defendant to the sanction form dated November 24, 2023, p. 3, (ii), (iii) and (iv) a.
22Response from the defendant to the sanction form dated November 24, 2023, p. 3, (iv) d. Decision on the merits 07/2024 - 91/114


 213. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the Disputes Chamber lays

        the order to the defendant within a period of three months after notification

        of the decision the proof of the achievement of the aforementioned compliance measures

        to be submitted to the Disputes Chamber.



         III.2.2. Administrative fines



 214. In addition to the corrective measure to bring the processing into compliance with

        Articles 5, 6, 12, 14, 15, 24, 25 and 30 GDPR, the Disputes Chamber also decides to impose

        of administrative fines that do not serve to correct a violation

        end, but are imposed with a view to vigorous enforcement of the

        rules of the GDPR. As is clear from recital 148 GDPR 22, the GDPR states

        first and foremost that in the case of every serious infringement - including the first detection of an infringement -

        penalties, including administrative fines, in addition to or instead of appropriate ones

        measures are imposed. In the same sense, the CJEU recently confirmed 226that


                 “the principles, prohibitions and obligations set out in the GDPR are specifically addressed

                 are among the 'controllers' who - as stated in Recital 74 of the GDPR

                 emphasized — be responsible for any processing carried out by them or on their behalf

                 of personal data and therefore not only appropriate and effective measures
                 must take, but must also be able to demonstrate that their processing activities

                 comply with the GDPR, which means, among other things, that the

                 measures are effective to ensure that compliance. When an in

                 Article 83, paragraphs 4 to 6, of this Regulation, the infringement referred to has been committed, this constitutes

                 responsibility is the basis for an administrative decision in accordance with Article 83

                 impose a fine on the controller”.

 215. As regards the administrative fine that may be imposed under Article 83 of

        the GDPR and Articles 100, 13° and 101 WOG, Article 83.1 and 83.2 GDPR stipulates:


                 “1. Each supervisory authority shall ensure that the administrative fines imposed

                 imposed under this article for the infringements referred to in paragraphs 4, 5 and 6

                 this Regulation shall be effective, proportionate and dissuasive in each case.




225Recital 148 GDPR states: “In order to ensure stronger enforcement of the rules of this Regulation,
penalties, including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in

instead of appropriate measures imposed by the supervisory authorities under this Regulation.
If it concerns a minor infringement or if the expected fine would impose a disproportionate burden on one
natural person, a reprimand can be chosen instead of a fine. However, this must be taken into account
taken into account the nature, seriousness and duration of the infringement, the intentional nature of the infringement, with
damage mitigation measures, with the degree of responsibility, or with previous relevant infringements, with the manner
upon which the infringer has come to the notice of the supervisory authority, with compliance with the measures taken
taken against the controller or the processor, with the connection with a code of conduct and other others
aggravating or mitigating factors. The imposition of penalties, including administrative fines, must
are subject to appropriate procedural guarantees in accordance with the general principles of Union law and
Charter, including effective judicial remedy and fair administration of justice” (own underlining).
226
   CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 38. Decision on the merits 07/2024 - 92/114


                 2. Administrative fines will be imposed, depending on the circumstances of the specific case

                 case, imposed in addition to or instead of those referred to in Article 58(2)(a) to (h) and (j)

                 measures referred to. When deciding whether to impose an administrative fine
                 imposed and the amount thereof will be duly taken into account in each specific case

                 taking into account the following:


                 a) the nature, severity and duration of the infringement, taking into account its nature, extent or

                 the purpose of the processing in question as well as the number of data subjects affected and the
                 extent of the damage they suffered;


                 b) the intentional or negligent nature of the infringement;

                 (c) the measures taken by the controller or processor to ensure the

                 limit damage suffered by those involved;


                 d) the extent to which the controller or processor is responsible

                 given the technical and organizational measures he has implemented
                 in accordance with Articles 25 and 32;


                 e) previous relevant infringements by the controller or processor;

                 f) the extent of cooperation with the supervisory authority to resolve the infringement

                 remedy and limit the possible negative consequences thereof;


                 g) the categories of personal data affected by the breach;

                 h)the manner in which the supervisory authority became aware of the infringement, with

                 name whether, and if so to what extent, the controller or processor committed the infringement

                 has reported;

                 (i) compliance with the measures referred to in Article 58(2), to the extent that they have been implemented earlier

                 with regard to the controller or processor in question with regard to

                 the same matter have been taken;

                 j) adherence to approved codes of conduct in accordance with Article 40 or of

                 approved certification mechanisms in accordance with Article 42; and


                 k) any other aggravating or

                 mitigating factor, such as financial gains made, or losses avoided, whether or not

                 arise directly from the infringement”

 216. The Disputes Chamber points to the guidelines regarding the calculation of administrative costs

       fines 227which the EDPB adopted on May 24, 2023 after a public consultation, and

       that the Disputes Chamber takes into account when determining the fine amounts

       the case at hand.


 217. It is important to place the defendant's shortcomings in context in order to determine the

       to determine the most appropriate sanction. The Disputes Chamber will take this into account




227EDPB — Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, May 24, 2023). Decision on the merits 07/2024 - 93/114



       with all relevant circumstances of the case, including - within the limits they

       indicates below — of the defendant's response to the proposed sanctions imposed on him

       were communicated by means of the sanction form 22.


 218. The Disputes Chamber would also like to point out that it is its sovereign responsibility as

       is an independent administrative authority — subject to the relevant Articles

       of the GDPR and the WOG — to determine the appropriate corrective measure(s) and sanction(s).

       set. This follows from Article 83 of the GDPR itself, but the Market Court has also stated this

       case law establishes the existence of a broad discretionary power of the Disputes Chamber

       emphasizes regarding the choice of the sanction and its scope, including its
                                                                           229
       judgments of July 7, 2021, September 6, 2023 respectively. December 20, 2023 .

 219. Below, the Disputes Chamber shows that the main infringements committed by the defendant

       committed violations that are by no means minor. The fact that it is a first

       determination of an infringement of the GDPR committed by the defendant, does so

       in no way prejudices the possibility for the Disputes Chamber to resolve a

       to impose an administrative fine in application of Article 58.2.i) GDPR. The instrument

       of an administrative fine is by no means solely intended to end infringements;

       GDPR and the WOG provide for a number of corrective measures, including:

       orders referred to in article 100, § 1, 8° and 9° WOG.


 220. In the following marginal numbers, the Disputes Chamber motivates the imposition of a

       administrative fine in concrete terms, for each of the three distinguished above

       conduct of the defendant, taking into account Article 83 GDPR and case law

       vanhet Marktenhof 230, as well as with the criteria laid down in the guidelines of the

       EDPB on the calculation of administrative fines 23.



            III.2.2.1. Annual turnover of the controller


 221. For the purpose of imposing fines that are effective, proportionate and dissuasive

       the supervisory authorities should change the definition of the term “undertaking”.

       as established by the Court of Justice of the European Union for the

       application of Articles 101 and 102 TFEU, namely that the concept of undertaking becomes

       understood as an economic entity created by the parent company and all involved

       subsidiaries can be formed. In accordance with EU law and the

       case law, an undertaking must therefore be seen as an economic entity



228
  Sanction form dated October 31, 2023; Response from the defendant to the sanction form dated November 24, 2023.
22Court of Appeal Brussels (Markten Court section), Xt. GBA, Judgment 2021/AR/320 of 7 July 2021, p.37-47; Court of Appeal Brussels
(section Marktenhof),
Marktenhof), X t. GBA, Judgment 2023/AR/817 (2023/8986) of 20 December 2023, edge nos. 61 et seq.
230
  Brussels Court of Appeal (Markten Court section), X t. GBA, Judgment 2020/1471 of February 19, 2020.
23EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023). Decision on the merits 07/2024 - 94/114


       that carries out commercial/economic activities, regardless of its legal form 23.

       After all, according to the case law of the ECJ, there is a rebuttable presumption that this is the case

       parent company actually exercises decisive influence on the behavior of a

       subsidiary of which it holds 100% of the capital 23.


 222. Furthermore, Articles 83.4 and 83.6 GDPR prescribe that the total worldwide annual turnover of the

       previous fiscal year must be used for the calculation of administrative

       fine, partly to prevent the fine from having a disproportionately heavy impact

       on the defendant. In this regard, the term “prior” is in accordance with

       the case law of the CJEU in competition law must be interpreted,


       so that the relevant event for the calculation is the fine decision of the
                                                                                               234
       supervisory authority, and not the time of the sanctioned violation.

 223. When the Disputes Chamber relies on the powers it has under Article

       58.2 GDPR, decides to indict the defendant - who is currently part of B LACK TIGER

       G ROUP 235 within the meaning of Articles 101 and 102 TFEU — an administrative fine


       in accordance with Article 83 GDPR, the Disputes Chamber must therefore act accordingly

       the latter provision, read in the light of recital 150 GDPR, in the calculation

       of the administrative fines due to the offenses referred to in Articles 83.4 to 83.6 of the GDPR

       base infringements on the concept of “undertaking” within the meaning of Articles 101 and 102
              236
       TFEU .


 224. In accordance with the foregoing, the Disputes Chamber therefore rules that

       can base on the consolidated turnover figures of the 2022 financial year of B LACK TIGER

       BELGIUM as well as of the parent company [the parent company Z1] (B LACK TIGER

       G ROUP ) — now “[the parent company Z2]” — or […] for determining the

       amount of the administrative fine that it intends to impose on the

       defendant. The Disputes Chamber refers to:


                - the report with registration number […], as filed with the Registry of

                    Commercial Court of Paris on […], which shows that [the






23Recital 150 of the GDPR; EDPB – Guidelines on the application and setting of administrative fines
the meaning of the GDPR (WP 253), p. 6-7. The definition in the case law of the European Court of Justice is: “the concept
enterprise includes any entity that carries out an economic activity, regardless of its legal form and the manner in which it is carried out
is financed' (CJEU, C-41/90, Höfneren Elser v Macrotron, (ECLI:EU:C:1991:161, paragraph 21). Under the concept of undertaking
“must be understood as an economic unit, even if this economic unit is formed from a legal point of view

by different natural or legal persons” (CJEU, C-217/05, Confederación Española de Empresarios de Estaciones
de Servicio, ECLI:EU:C:2006:784, paragraph 40).
23CJEU, September 10, 2009, C-97/08 P, Akzo Nobel nv et al. t. Commission, ECLI:EU:C:2009:536), marginal nos. 60-61.
234
  EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 131. See
alsoCJEU, 5 December 2023, C-807/21, Deutsche Wohnen SE v. StaatsanwaltschaftBerlin (ECLI:EU:C:2023:950), edge nos. 55
up to and including 58.
23See edge no. 37 in this decision.
236
  CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 59. Decision on the merits 07/2024 - 95/114



                   parent company] — now “[the parent company Z2]” — 100% of
                                                              237
                   owns the capital of BLACK T IGERBELGIUM;


               - the annual accounts of B LACK T IGERB ELGIUM as filed with the National

                   Bank of Belgium (NBB) on June 19, 2023, from which a report for the 2022 financial year

                   turnover appears to be […]; and

               - the annual accounts of [the parent company Z1] — now “[de

                   parent company Z2]” — as filed with the Registry of the Court

                   van Koophandel in Paris 23, which shows turnover for the 2022 financial year

                   by […].


 225. The Disputes Chamber specifies in this regard that at the time of sending the

       sanction form dated October 31, 2023 did not yet have the turnover figures for the year

       2022 and therefore had to take the turnover figures of 2021 into account. Since the

       turnover of [the parent company Z1] — of which public since November 16, 2023

       it is known that the name was changed to “[the parent company Z2]”, which is the

       defendant has also not mentioned in his response to the sanction form — for the year

       2022 has increased slightly compared to 2021, the Disputes Chamber will reduce its administrative

       calculate fines based on the most recent available turnover figures.


       Since the defendant has failed to provide the turnover figures as stated in the
                                                    239
       if necessary, refute the sanction form on the basis of more recent annual accounts,

       the Disputes Chamber assumes that there are no other turnover figures available than these

       which it takes into account in the present decision.



            III.2.2.2. First conduct — Unlawful and unfair processing of
               personal data, without the data subjects being proactive, individual and op

               transparent manner, and lack of guarantees for compliance with the
               core principles of the GDPR



                       Categorization in the abstract of the violation under Article 83.4 to
                       83.6 GDPR



 226. The Disputes Chamber has already decided that the defendant is a

       has infringed Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR;

       as well as Article 24 GDPR and Article 25 GDPR. The Disputes Chamber rules that the first

       conduct is characterized by a single act of several violations,




23Cf. Annex III.
238
  https://commandes.greffe-tc-paris.fr/fr/societe/[...].
239Sanction form dated October 31, 2023, p. 10; Response from the defendant to the sanction form dated November 24, 2023,
p. 3-4. Decision on the merits 07/2024 - 96/114


     that arise from a uniform will and are so closely related both spatially and temporally

     are connected, that they must be regarded as one coherent act.

227. After all, due to the conscious choice not to proactively or individually inform those involved

     inform them about the indirect collection of their personal data from third parties,

     as well as on the subsequent processing of their personal data in the context of

     commercial services, for a period of 15 years and in violation of the

     core principles of data minimization and storage limitation, the defendant can

     cannot legally rely on his or her legitimate interests
     data sources or customers, as a basis for data processing.


228. For a violation of the basic principles of processing in accordance with Article 5

     and 6GDPR, as well as the rights of the data subject in accordance with Articles 12 and 14GDPR,

     the Disputes Chamber may order an administrative
     impose a fine of up to EUR 20,000,000 or, for a company, up to 4% of the total

     worldwide annual turnover in the previous financial year, whichever is higher. A violation

     of the aforementioned provisions therefore gives rise to, in accordance with Article 83.5 GDPR

     the highest fines.



                     Seriousness of the violations in the case at hand


229. In accordance with the guidelines of the EDPB and the GDPR, the supervisory authorities should
     authorities to take due account of the nature, severity and duration of the

     violation, taking into account the nature, extent or purpose of the violation in question

     data processing, as well as the number of data subjects affected and the

     extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent

     nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data

     to which the infringement relates (Article 83.2.g) GDPR).

230. Nature, seriousness and duration of the infringement (Article 83.2.a) GDPR) — Regarding the seriousness

     of the violation, the Disputes Chamber notes that the principles of legality

     (Article 5.1.a) and Article 6 GDPR) and transparency (Articles 12 and 14 GDPR) fundamental

     are the principles of protection guaranteed by the GDPR.

     The provisions laid down in Article 5.2 GDPR and further elaborated in Article 24 GDPR

     accountability principle is also central to the GDPR and reflects the

     paradigm shift that the GDPR brings about, namely a shift from a

     arrangement that is based on prior declarations and authorizations by the
     supervisory authority towards greater accountability and

     responsibility of the controller. Compliance with its decision on the merits 07/2024 - 97/114



      obligations by the controller and its ability to fulfill them

      have therefore only become more important.

      A valid legal basis and transparent information are among the core elements of

      the fundamental right to data protection. After all, the principle of transparency constitutes the

      “gateway” that strengthens data subjects' control over their data

      and enables the exercise of other rights granted by the GDPR to data subjects

      grants, such as the right to object and the right to have data erased.

      Breaches of the certain principles therefore constitute serious infringements, which are the highest

      administrative fines provided for in the GDPR may be punished.


      The controversial processing in the context of Data Delivery and Data Quality

      services that form the basis of the present decision were resp.

      are still part of the defendant's core activities, which means that the

      The Dispute Chamber is forced to give more weight to violations of the GDPR

      arising from these core activities.

      The defendant has also acknowledged in policy documents that the processing of

      personal data could have negative consequences for the data subjects,

      such as annoyance, irritation or stress, but also the feeling that they had to change their lifestyle

      adjust if they agree to any processing of their personal data by the defendant and

      its customers wanted to prevent 24. The Disputes Chamber also emphasized that the

      controversial processing activities could potentially lead to invisible discrimination

      on the basis of the profiling data compiled by the defendant 24.


      Regarding the scope of processing, the EDPB guidelines for

      data protection impact assessments are recommended to include in addition to the number of data subjects
      also the volume of data, the duration or the permanent nature of the

      data processing, as well as the geographical scope of the processing

      to determine whether personal data are processed on a large scale 24. In this regard

      the Disputes Chamber first establishes that the defendant's activities

      Belgian market. The fact that the defendant is a significant market player and that

      in addition, the disputed processing activities related to two different ones

      markets (B2C and B2B), the Disputes Chamber comes to the conclusion that in this case it is indeed the case

      there is a large-scale processing of personal data.


      As regards the duration of the infringement, the Disputes Chamber notes that the

      defendant, after the takeover of BISNODE B ELGIUM, has decided to


24See edge no. 129 in this decision.
241
  See edge nos. 129-133 in this decision.
24 Working Party on Data Protection Article 29 – Guidelines on data protection impact assessments and determination whether
a processing ''is likely to involve a high risk'' within the meaning of Regulation 2016/679 (WP248, rev01, October 4
2017), p. 12. Decision on the merits 07/2024 - 98/114


       to stop processing activities associated with Data Delivery. This

       However, this does not prevent the personal data from being processed prior to the

       takeover of B ISNODE BELGIUM by B LACK T IGER has been non-transparent for a long time

       were processed unlawfully, and that the defendant remains responsible for the

       processing of the acquired B ISNODE BELGIUM, including the

       processing activities that, due to contractual agreements, also occur after the official

       date of discontinuation remained intact. Also taking into account the established retention period

       of 15 years and the fact that the defendant is still publicly announcing his

       website 244 states that the company “has been active in the Belgian and Belgian markets since the early 1970s.”


       European market” and “has built up more than 30 years of expertise in data quality and

       data management” when it was part of “several international groups ([…]en

       Bisnode), before becoming part of the Black Tiger group,” the Disputes Chamber concludes

       that the disputed processing took place for at least 15 years, until
                        245
       by July 30, 2021 .

 231. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — The Dispute Chamber


       recalls that “intent” usually involves both knowledge and willfulness regarding the

       includes characteristics of a criminal offense, while “unintentional” means that there is no intent

       was to cause the infringement, although the controller or the
                                                                               246
       processor has violated the duty of care prescribed by law. There are others

       words two cumulative elements required for an infringement to be deemed intentional

       consider, i.e., the knowledge of the violation and the intentionality with regard to it
                 247
       act .


       As to whether or not the infringement was intentional or negligent

       committed by a controller, the CJEU stated in its recent judgment

       clarifies that a supervisory authority under Article 83 GDPR a

       administrative fine due to the infringement referred to in Articles 83.4 to 83.6 GDPR

       can impose, if it has been demonstrated that the controller has committed this infringement

       committed intentionally or negligently. To impose such a fine
                                                                                  248
       The condition therefore applies that the infringement in question was committed culpably.


       With regard to the intentionality component, the Dispute Chamber also reminds this

       that the CJEU has set a high threshold for an act to be considered intentional


24See also edge no. 114 in this decision.
244
  https://www.blacktigerbelgium.tech/wie-zijn-wij/?lang=nl, accessed December 15, 2023.
24On this date, according to the defendant, the CMX database was destroyed.
246
  Working Party on Data ProtectionArticle 29 – Guidelines for the Application of Administrative Fines
within the meaning of Regulation (EU) 2016/679 (WP253, October 3, 2017), p. 12.
24See also EDPB – Binding Decision1/2023 on thedispute submitted by the IE SA on datatransfers byMeta Platforms Ireland
Ltd (Facebook), edge no. 103, available at https://edpb.europa.eu/system/files/2023-
05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_en.pdf.
248
  CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 75. Decision on the merits 07/2024 - 99/114


       consider. For example, the CJEU has ruled in criminal cases that there is “serious

       negligence” rather than “intention” when “the person liable is a qualified

       commits a violation of his duty of care that he should and could have observed

       take into account his capacity, his knowledge, his skills and his

       individual situation”49. Even if it is a company whose processing is carried out

       personal data is the core of the business activities, expect it to be sufficient

       takes measures to protect personal data and that it has its obligations in this

       thoroughly recognized, does not show such a qualified violation

       necessarily indicates that there is an intentional violation250.


       In other words, this means that a controller can also become

       punished with an administrative fine under Article 83 GDPR for a

       conduct falling within the scope of this Regulation, where it

       controller could not have been unaware of the fact that his conduct

       constituted an infringement, regardless of whether he was aware that he was violating the provisions of the GDPR

       violated 251.


       In this case, the Dispute Chamber notes that B ISNODE POLAND was in 2019 by the Polish
                                                                                                 252
       Data protection authority was fined for a breach of the information obligation.

       There is therefore no doubt that the defendant was aware of that decision

       but did not consider it necessary to subsequently provide information to Belgian data subjects

       who the defendant indirectly collected the personal data, on a

       (more) proactively. Although the Disputes Chamber cannot with certainty

       can establish that the defendant has deliberately violated Article 14 GDPR, for his part

       However, the Dispute Chamber has sufficient indications that there is evidence in this regard, in particular

       the nature of the disputed processing activities, there is the highest degree of

       negligence on the part of the defendant, who consciously chose not to fulfill his obligation to provide information

       pursuant to Article 14 GDPR mainly to third parties.


       The foregoing means that there is no infringement of the processing basis

       is of an intentional nature, because the defendant has indeed made an extensive analysis

       has to determine which legal basis would be the most appropriate in the present case. Er

       there is therefore no - apparent - intention on the part of the defendant to fully comply with the GDPR






24CJEU, 3 June 2008, C-308/06, Intertanko and others (ECLI:EU:C:2008:312), edge no. 77
250
   See also EDPB – Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority
regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, July 28, 2022, edge no. 204.
25CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), edge no. 76.
See alsoCJEU, 18 June 2013, C‑681/11, Schenker& Co. and others (ECLI:EU:C:2013:404), edge no. 37;CJEU, March 25, 2021, Lundbeck v.
Commission, C‑591/16 P (ECLI:EU:C:2021:243), marginal no. 156; and CJEU 25 March 2021, C‑601/16 P, Arrow Group and Arrow
Generics t. Commission (ECLI:EU:C:2021:244), marginal no. 97.

25See edge no. 161 in this decision. Decision on the merits 07/2024 - 100/114


       knowledge of the facts and intentionally violate it through an inappropriate processing basis

       to be used, but at least there is serious negligence.


 232. Categories of personal data affected by the breach (Article 83.2.g)
       GDPR) — As established earlier in this decision, the disputed processing is wrong

       the contact details of those involved and also on data with which those involved

       could be segmented for direct marketing-related purposes. The nature

       of the personal data processed therefore includes different categories, including

       financial information (average income), housing, family composition, as well as

       socio-demographic and lifestyle data such as the social class of those involved

       belong.

       Although such personal data are prima facie not of a sensitive or special nature,

       the Disputes Chamber rules that they nevertheless belong to categories of

       personal data of such a nature that they may affect the privacy of those involved

       and which those involved would generally not reasonably expect
       collected indirectly from and subsequently processed by third parties.



                       Categorization in concrete terms of the seriousness of the violations and determination

                       of the correct starting amount


 233. Based on the evaluation of the criteria set out above, the infringement is deemed

       of low, medium or high severity. These categories do not detract from
       ask whether or not a fine can be imposed.


           ▪ When calculating the administrative fine for minor infringements

               severity, the supervisory authority will set the basic amount for further calculation

               set at an amount between 0 and 10% of the applicable legal amount

               maximum.

           ▪ When calculating the administrative fine for infringements of

               medium severity, the supervisory authority will determine the starting amount

               further calculation determine an amount between 10 and 20% of the

               applicable legal maximum.

           ▪ When calculating the administrative fine for infringements with a high

               severity level, the supervisory authority will determine the starting amount for further

               set the calculation at an amount between 20 and 100% of the applicable amount
                                  253
               legal maximum .





253
  EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 60. Decision on the merits 07/2024 - 101/114



 234. In this case, the Disputes Chamber rules that the violations of legality, propriety

      and transparency principles (Article 5.1.a) GDPR), as well as the accountability principle

      (Article 5.2 GDPR), in combination with the violations of the obligation to provide information regarding the

      those involved (Article 12 in conjunction with 14 GDPR), are of high seriousness. The Dispute Chamber serves

      therefore for the violations related to the first conduct (falling under

      Article 83.5 GDPR, with a high degree of severity) a theoretical starting amount for the further

      calculation of the administrative fine to be used between EUR 4,000,000 and

      EUR 20,000,000.

 235. Based on the previous assessment of the circumstances in the light of Article

      83.2.a), b) eng) GDPR25, the Disputes Chamber decides to set a theoretical starting amount of

      EUR 10,000,000 to be taken into account.


 236. Taking into account the minimum and maximum amounts set in the directives

      per level, on the one hand, and the relevant annual turnover of the controller,

      on the other hand, the Dispute Chamber decides in concrete terms to set the final starting amount for

      the first category of infringements (falling under Article 83.5 GDPR, with a high degree of severity).

      reduce to an adjusted starting amount of EUR 185,000 EUR 255.



                      Aggravating and mitigating factors


 237. After assessing the nature and severity of the infringement, as well as the intentional or negligent

      nature of the infringement and the categories of personal data involved, the

      supervisory authority shall also take into account the remaining aggravating and

      mitigating factors, as listed under Article 83.2 GDPR.


 238. Measures taken to limit the damage suffered by those involved

      (Article 83.2.c) GDPR) — The Disputes Chamber takes into account the efforts made by the

      defendant has provided to ensure transparency towards those involved

      by means of web pages as well as the mandatory indication of identity

      from B ISNODE BELGIUM , now LACK TIGERB ELGIUM, at the bottom of the direct marketing communications

      that the data subjects receive from the defendant's customers.

      The Disputes Chamber also takes the initiative of the defendant into account

      acquisition of B ISNODE BELGIUM to discontinue the Data Delivery activities and the CMX

      to destroy the database prior to the substantive treatment by the

      Dispute room 25.






25See marginal nos. 230 up to and including 232 in this decision.
255
  EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 65.
25Response from the defendant to the sanction form dated November 24, 2023, p. 1, (i). Decision on the merits 07/2024 - 102/114



239. Extent to which the defendant is responsible in view of the technical and organizational aspects
     measures it has implemented in accordance with Articles 25 and 32 GDPR (Article

     83.2.d) GDPR) — In the context of the substantive proceedings, and in particular during the

     hearing of 22 February 2023, the defendant has always taken the position

     that the provision of information by the recipients of the personal data, being the

     customers of B LACK T IGER B ELGIUM, was sufficient to meet the information and

     to meet transparency obligations. It is also established that B LACK TIGER BELGIUM after the

     takeover bears full responsibility for establishing an appropriate

     retention period for the processed personal data, as well as compliance with the

     basic principles of the GDPR in the context of continued data processing. To

     For these reasons, the Disputes Chamber considers it proven that B LACK T IGER BELGIUM

     can be held responsible for the further processing of personal data

     of those involved, including the complainants, after the takeover of BISNODE BELGIUM.

      In view of the documents submitted as well as the defenses submitted, the

      However, the Disputes Chamber is not sufficiently convinced that the defendant has appropriate technical

      and organizational measures, notwithstanding that he has sufficient

      had the means and influence to do so to ensure compliance with the basic principles of the GDPR

      — such as the principles of storage limitation and data minimization — too

      guarantees.

240. Previous relevant breaches by the controller or processor

     (Article 83.2.e) GDPR) — Although the facts in the present case are very similar

     exhibit with the circumstances in the decision regarding B ISNODE POLAND of the

     Polish Supervisory Authority, the Disputes Chamber shall, however, take it into account

     given that B ISNODE BELGIUM, now LACK TIGERB ELGIUM, was declared not guilty of

     previous violations of the GDPR.

241. The extent to which there was cooperation with the supervisory authority to investigate the infringement

     remedy and limit its possible negative consequences (Article 83.2.f) GDPR) —

     The Disputes Chamber determines that the defendant, by letter dated April 27, 2021

     from the DPO of B ISNODE BELGIUM addressed to the Inspector General, in an early phase of

     the procedure has made known its position on the complaints of the complainants. Also

     the Disputes Chamber acknowledges the goodwill of the defendant in the investigation

     handed over extensive policy documents to the Inspection Service and expressed its willingness

     to answer further questions from the Inspection Service.

242. Other aggravating circumstances (Article 83.2.k) GDPR) — The Disputes Chamber holds

     first take into account the fact that the defendant made a profit arising from the

     unlawful processing, as an aggravating circumstance. The argument of the

     defendant that the Disputes Chamber would not take into account the business loss of Decision on the merits 07/2024 - 103/114


     B LACK TIGER BELGIUM in 2022, following the discontinuation of the Data Delivery activities, is

     not sufficient in this regard because the adjusted starting amount is already sufficient

     takes into account the operating loss suffered in 2022. In addition, the Disputes Chamber notes that

     the defendant both in his written defense and during the hearing

     has maintained the position that B LACK TIGER BELGIUM was in no way forced to

     to inform data subjects directly and individually about the processing, although

     Article 14 GDPR prescribes that communications to data subjects are subject to the
     responsibility of the controller and in principle proactive

     must be done.



                     Decision of the Disputes Chamber with regard to the first conduct


243. All of the elements set out above justify an effective,

     proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account

     the assessment criteria specified therein. The Disputes Chamber will set the right order for this

     that the other criteria of Article 83.2 GDPR in this case are not of such a nature that they would

     lead to a different administrative fine than that imposed by the Disputes Chamber

     framework of this decision.

244. In view of the previous assessment of the relevant documents as well as the circumstances

     specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i)GDPR

     as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR

     to impose an administrative fine of EUR 129,500 on the defendant.

245. The Disputes Chamber rules that the defendant's serious negligence

     personal data of complainants and other involved parties has been processed for years

     has commercialized without respecting the core principles of the GDPR, and

     in particular, information and transparency obligations are imposed on data subjects

     appropriate manner should be punished with an administrative fine.

     In addition, the further processing of personal data must be carried out without proactive measures

     individual information provision to those involved should be vigorously discouraged.
     Finally, the Disputes Chamber is of the opinion that the amount of the fine is, by the way

     remains well below the maximum amount within the permitted range, is proportional to the

     seriousness of the infringements contained in the first conduct. Decision on the merits 07/2024 - 104/114


          III.2.2.3. Second conduct — Failure to act appropriately

              the requests from data subjects to exercise their right of access


                     Categorization in the abstract of the violation under Article 83.4 to
                     83.6 GDPR


246. The Disputes Chamber recalls that the right of access is in addition to Article 15 GDPR

     is included in Article 8.2 of the European Charter and is therefore one of the

     constitutes core elements of the fundamental right to data protection. By following

     omit to cite all sources to the complainant, the defendant has committed an infringement

     committed under Article 15 GDPR. It is also established that the defendant in this case deliberately acted

     failed to process the requests for access, which were nevertheless submitted electronically,
     also to be answered electronically, in violation of Article 12 in conjunction with 15 GDPR.

     Naturally, Article 15 GDPR must be read in conjunction with Article 12 GDPR,

     whereby the controller can exercise rights under the GDPR

     those involved must facilitate. Finally, the Disputes Chamber rules that the

     defendant has also violated Article 15 GDPR by merely specifying the categories of

     recipients in the response to the complainants, notwithstanding the defendant
     was then able to identify the specific recipients.


247. For a violation of the rights of data subjects in accordance with Articles 12 and 15

     GDPR, the Disputes Chamber may, on the basis of Article 83.5.a) and 83.5.b) GDPR, issue a

     impose an administrative fine of up to EUR 20,000,000 or, for a company, up to 4% of
     the total worldwide annual turnover in the previous financial year, if this figure is higher. A

     violation of the aforementioned provisions therefore results in accordance with Article 83.5 GDPR

     lead to the highest fines.



                     Seriousness of the violations in the case at hand


248. In accordance with the GDPR, as explained in the EDPB Guidelines, the

     supervisory authorities should take due account of the nature, the seriousness
     duration of the violation, taking into account the nature, scope or purpose of the violation

     relevant data processing, as well as the number of data subjects involved

     affected and the extent of the damage suffered by them (Article 83.2.a) GDPR); It

     intentional or negligent nature of the infringement (Article 83.2.b) GDPR); and the categories of

     personal data to which the infringement relates (Article 83.2.g) GDPR).

249. Nature, severity and duration of the violation (Article 83.2.a)GDPR) - The right of access constitutes the

     gateway and therefore also the cornerstone for the exercise of other rights

     provided by the GDPR, such as the right to object to the processing of

     personal data (Article 21 GDPR) and the so-called right to be forgotten (Article 17 Decision on the merits 07/2024 - 105/114


      GDPR). It is therefore extremely important that data subjects exercise their right of access

      to actually obtain access to all data relating to them

      collected by the controller, as well as concise, transparent and

      receive understandable information about the circumstances in which their personal data

      are processed. By not providing complete and sufficiently detailed information

      to the data subjects, the controller deprives them of the

      ability to exercise an appropriate degree of control over their own
      personal data.


       In addition, the complainant rightly notes that the failure to comply immediately after the first request

       to provide relevant information, the further exercise of their rights by the

       unnecessarily complicates those involved. Although the Disputes Chamber determines that the

       defendant has responded to the requests in a timely manner, the fact that the defendant has provided bears responsibility
       answers were not complete from the start and that it was not for those involved

       was easy to respond to — e.g., in order to verify the information provided

       dispute or request further explanation — contributes to unnecessary harm to those involved

       were prevented from exercising their rights.

                                                                         257
 250. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — With regard to
      the manner in which the defendant in this case granted those involved access to the data

      processing of their personal data, and in particular by only the categories of

      recipients although the defendant has the specific identity of these

      recipients must have; by not communicating the sources in an exhaustive manner; and

      by delivering the responses by post even though the requests became electronic

      submitted, the Disputes Chamber considers it sufficiently proven that the defendant has violated the articles

      12 and 15 GDPR due to serious negligence.

 251. Categories of personal data affected by the breach (Article 83.2.g)

      GDPR) — As established earlier in this decision, the disputed processing operations were successful

      in addition to the contact details of those involved, also on various personal data

      with which the data subjects can subsequently be segmented for direct marketing purposes

      related purposes. The nature of the personal data processed therefore includes

      different categories, including financial information (average income),

      housing, family composition, as well as socio-demographic and lifestyle data such as
      the social class to which those involved belong.


       Although such data are primafacie not of a sensitive or special nature,

       the Disputes Chamber rules that they nevertheless belong to categories of





25See edge no. 231 in this decision for a detailed explanation of the distinction between negligence and intent. Decision on the merits 07/2024 - 106/114



       personal data that data subjects would generally not reasonably expect
       that they are collected indirectly from and subsequently processed by third parties.



                       Categorization in concrete terms of the seriousness of the violations and determination

                       of the correct starting amount based on the annual turnover of the
                       controller



 252. Based on the evaluation of the criteria set out above, the infringement is deemed
       of low, medium or high severity. These categories do not detract from

       ask whether or not a fine can be imposed.


           ▪ When calculating the administrative fine for minor infringements

               severity, the supervisory authority will set the basic amount for further calculation

               set at an amount between 0 and 10% of the applicable legal amount

               maximum.

           ▪ When calculating the administrative fine for infringements of

               medium severity, the supervisory authority will determine the starting amount

               further calculation determine an amount between 10 and 20% of the

               applicable legal maximum.


           ▪ When calculating the administrative fine for infringements with a high

               severity level, the supervisory authority will determine the starting amount for further
               set the calculation at an amount between 20 and 100% of the applicable amount

               legal maximum 258.


 253. In this case, the Disputes Chamber rules that the violations are related to the law

       access by data subjects (Article 15 GDPR), are of medium seriousness. The

       Disputes Chamber therefore serves for violations related to the second

       conduct (falling under Article 83.5 GDPR, with a medium degree of seriousness) a theoretical

       starting amount for the further calculation of the administrative fine

       between EUR 2,000,000 and EUR 4,000,000.

 254. Relying on the foregoing assessment of the circumstances in the light of Article

       83.2.a), b) eng) GDPR59, the Dispute Chamber decides to set a theoretical starting amount of

       EUR 2,800,000 to be taken into account.


 255. Taking into account the minimum and maximum amounts set in the directives
       per level, on the one hand, and the relevant annual turnover of the controller,

       on the other hand, the Dispute Chamber decides in concrete terms to set the final starting amount for





25EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 60.
25See marginal nos. 230 up to and including 232 in this decision. Decision on the merits 07/2024 - 107/114



       the second category of infringements (falling under Article 83.5 GDPR, with medium
                                                                                  260
       severity level) to an adjusted starting amount of EUR 51,800.



                       Aggravating and mitigating factors


 256. After assessing the nature and severity of the infringement, as well as the intentional or negligent

       nature of the infringement and the categories of personal data involved, the

       supervisory authority shall also take into account the remaining aggravating and

       mitigating factors, as listed under Article 83.2 GDPR.

 257. Extent to which the defendant is responsible in view of the technical and organizational aspects

       measures it has implemented in accordance with Article 25 (Article 83.2.d) GDPR)

       — It is established before the Dispute Chamber, and is not disputed by the

       defendant, that BLACK T IGERB ELGIUM is fully responsible for the management of the

       website, including the online contact form with which data subjects exercise their rights

       can exercise with regard to the defendant, as well as the manner in which the

       requests from those involved are granted, if necessary.


 258. Other mitigating circumstances (Article 83.2.k) GDPR) — The Disputes Chamber states

       established that the defendant offers a centralized contact form on its website,

       with which data subjects request to exercise their rights under the GDPR

       can submit. This shows that the defendant fully intends to have the submission of
                                                261
       to facilitate requests by those involved.

       Furthermore, the Disputes Chamber is of the opinion that every controller must always:

       is obliged to communicate all specific information to those involved who require it

       questions in the context of their request for access. However, the Disputes Chamber is of the opinion

       aware that the CJEU only confirmed the disputed facts under what circumstances

       controller and the exact identity or categories of recipients

       must be communicated.


       Finally, the Dispute Chamber decides to evaluate the efforts of the defendant, i.e., the fact that

       the defendant actually — but not completely nor in a common electronic format

       form — and has responded in a timely manner to the requests for access
             262
       to take    .

 259. Other aggravating circumstances (Article 83.2.k) GDPR) — The foregoing means

       that the defendant also determines which personal data, in this case identification and

       contact details are collected and include both the means and purposes of the



26EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 65.
261
  Response from the defendant to the sanction form dated November 24, 2023, p. 2, (ii).
26Ibid. Decision on the merits 07/2024 - 108/114


     processing. However, the Disputes Chamber notes that the defendant is in addition to

     postal address of data subjects also collects their electronic contact details,

     notwithstanding that the defendant consciously opted to send the requests exclusively by post

     to answer. Thus, the defendant violates the principle of minimum
     data processing under Article 5.1.c) GDPR as well as the principle of

     data protection by design provided for in Article 25 GDPR. Since this observation

     however, was not subjected to adversarial debate in the context of the proceedings

     grounds, the Disputes Chamber decides not to pay the adjusted starting amount

     to increase.


                     Decision of the Disputes Chamber with regard to the second conduct



260. All of the elements set out above justify an effective,
     proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account

     the assessment criteria specified therein. The Disputes Chamber will set the right order for this

     that the other criteria of Article 83.2 GDPR in this case are not of such a nature that they would

     lead to a different administrative fine than that imposed by the Disputes Chamber

     framework of this decision.

261. In view of the previous assessment of the relevant documents as well as the circumstances

     specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i)GDPR

     as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR

     to impose an administrative fine of EUR 41,440 on the defendant.

262. The Disputes Chamber considers it justified, in view of the specific

     circumstances as well as the conscious choice of the defendant regarding the manner in which

     requests from those involved have been processed, to impose an administrative fine

     with the aim of appropriately sanctioning this behavior and in order to
     to encourage the defendant to request the exercise of rights granted under

     the GDPR, no longer to comply in such a manner in the future. The Dispute Chamber is

     also believes that the amount of this fine, which is well below the

     maximum amount remains within the permitted range is proportional to the severity of the

     infringements contained in the second conduct. Decision on the merits 07/2024 - 109/114


          III.2.2.4. Third conduct — Failure to provide a description of the categories of

              data subjects and the categories of personal data, as well as to
              identity of the controllers for whom the defendant is considered

              processor acts, to be included in the processing register


                     Categorization in the abstract of the violation under Article 83.4 to
                     83.6 GDPR


263. The Disputes Chamber establishes that the defendant has failed to add:

     of the categories of data subjects and of the personal data processed

     to include a description of these categories in its register of processing activities,

     as expressly prescribed in Article 30 GDPR. In addition, the

     defendant violated Article 30 GDPR by failing to disclose the identity of

     controllers, for whom the defendant acts as processor
     document in the centralized processing register. In this regard, the

     Dispute Chamber reminds that the register of processing activities is an essential and

     central file, that every controller who is obliged to do so under

     Article 30 GDPR must be drawn up and supplemented in an appropriate manner and upon request

     must be able to submit to the supervisor. This is why the EU

     The legislature has expressly provided for the possibility of imposing a fine for
     failure to comply with the aforementioned provision, contrary to other policy documents

     which rather fall under Article 24GDPR, for which no penalty is provided for

     Article 83.4 GDPR nor Article 83.5 GDPR.


264. For a breach of the obligations of the controller and the
     processor in accordance with Article 30 GDPR, the Disputes Chamber may, on the basis of Article

     83.4.a) GDPR impose an administrative fine up to EUR 10,000,000

     or, for a company, up to 2% of the total worldwide annual turnover in the foregoing

     financial year if that figure is higher.



                     Seriousness of the violations in the case at hand


265. In accordance with the guidelines of the EDPB and the GDPR, the supervisory authorities should
     authorities to take due account of the nature, severity and duration of the

     violation, taking into account the nature, extent or purpose of the violation in question

     data processing, as well as the number of data subjects affected and the

     extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent

     nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data

     to which the infringement relates (Article 83.2.g) GDPR). Decision on the merits 07/2024 - 110/114


 266. Nature, severity and duration of the violation (Article 83.2.a) GDPR) — The Disputes Chamber rejects

       points out that, in order to effectively implement the obligations contained in the GDPR, the

       It is essential that the controller and processors are complete

       and maintain an accurate overview of the processing of personal data that they

       to carry out. This register is therefore primarily an instrument to

       to assist the controller or processor in complying with the GDPR for the

       various data processing operations that it carries out because the register is the most important
       makes its features visible. The Disputes Chamber is of the opinion that this

       processing register is an essential instrument in the context of the already mentioned

       accountability (Article 5.2 GDPR and Article 24 GDPR) and that this register is the basis

       is subject to all obligations that the GDPR places on the controller and processor

       imposes. It is therefore extremely important that this is complete and correct.

 267. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) 263—In the present

       case, the Disputes Chamber rules that the infringement of Article 30 GDPR is due to a

       serious negligence on the part of the controller, given the nature of the

       core activities of the defendant as well as the statements made by the defendant

       activities are in accordance with the GDPR.



                       Categorization in concrete terms of the seriousness of the violations and determination
                       of the correct starting amount based on the annual turnover of the

                       controller


 268. Based on the evaluation of the criteria set out above, the infringement is deemed

       of low, medium or high severity. These categories do not detract from

       ask whether or not a fine can be imposed.

           ▪ When calculating the administrative fine for minor infringements

               severity, the supervisory authority will set the basic amount for further calculation

               set at an amount between 0 and 10% of the applicable legal amount

               maximum.

           ▪ When calculating the administrative fine for infringements of

               medium severity, the supervisory authority will determine the starting amount

               further calculation determine an amount between 10 and 20% of the

               applicable legal maximum.

           ▪ When calculating the administrative fine for infringements with a high

               severity level, the supervisory authority will determine the starting amount for further





26See edge no. 231 in this decision for a detailed explanation of the distinction between negligence and intent. Decision on the merits 07/2024 - 111/114



               set the calculation at an amount between 20 and 100% of the applicable amount
                                   264
               legal maximum .

 269. In this case, the Disputes Chamber rules that the violation regarding the register of

       processing activities (Article 30 GDPR) is of low severity. The Dispute Chamber serves

       therefore for the violations related to the third conduct (falling under

       Article 83.4 GDPR, with a low degree of severity) a theoretical starting amount for the further

       calculation of the administrative fine of a maximum of EUR 1,000,000.


 270. Relying on the foregoing assessment of the circumstances in the light of Article

       83.2.a), b) eng) GDPR26, the Disputes Chamber decides to set a theoretical starting amount of

       EUR 200,000 to be taken into account.


 271. Taking into account the minimum and maximum amounts set in the directives

       per level, on the one hand, and the relevant annual turnover of the controller,

       on the other hand, the Dispute Chamber decides in concrete terms to set the final starting amount for

       the third category of infringements (falling under Article 83.4 GDPR, with a low degree of severity)
                                                                      266
       to be reduced to an adjusted starting amount of EUR 3,700.



                       Aggravating and mitigating factors


 272. After assessing the nature and severity of the infringement, as well as the intentional or negligent

       nature of the infringement and the categories of personal data involved, the

       supervisory authority shall also take into account the remaining aggravating and

       mitigating factors, as listed under Article 83.2 GDPR.

       Given the specific nature of this violation, and in the absence of any comments

       In this regard, on behalf of the defendant, the Disputes Chamber will not take any further aggravating action

       or mitigating circumstances into account.



                       Decision of the Disputes Chamber with regard to the third conduct



 273. All of the elements set out above justify an effective,

       proportionate and dissuasive penalty referred to in Article 83 GDPR, taking into account

       the assessment criteria specified therein. The Disputes Chamber will set the right order for this

       that the other criteria of Article 83.2 GDPR in this case are not of such a nature that they would

       lead to a different administrative fine than that imposed by the Disputes Chamber

       framework of this decision.




26EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 60.
265
  See edge nos. 230 up to and including 232 in this decision.
26EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), edge no. 65. Decision on the merits 07/2024 - 112/114



 274. In view of the previous assessment of the relevant documents as well as the circumstances

      specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i)GDPR
      as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR

      to impose an administrative fine of EUR 3,700 on the defendant for

      the violation of Article 30 GDPR for failure to keep an exhaustive and

      sufficiently detailed register of processing activities.




    III.3.Other grievances


 275. The Disputes Chamber decides to consider the other grievances and findings of the
      Inspection Service267, as the Disputes Chamber based on the facts

      documents from the file cannot lead to the conclusion that there has been an infringement

      the GDPR. These grievances and findings by the Inspection Service are therefore regarded as:

      considered manifestly unfounded within the meaning of Article 57.4 of the GDPR26.




IV. Publication of the decision


 276. Considering the importance of transparency with regard to the decision-making of the

      Dispute Chamber, this decision will be published on the website of the

      Data protection authority indicating the identification details of the
      defendant, in view of the public interest of this decision, on the one hand, and the

      unavoidable re-identification of the defendant in case of pseudonymization,

      on the other hand. On the other hand, it is not necessary that the identification details of the complainants are included

      this publication will be announced.



























26See marginal nos. 192, 196, 199 and 202 in this decision.
268 See point 3.1.A.2 of the Dismissal Chamber's dismissal policy dated June 18, which can be consulted via
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf. Decision on the merits 07/2024 - 113/114




FOR THESE REASONS  ,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 8° and 9° WOG, the

    to order the defendant to commit the violation of Article 5.1 GDPR, Article 6.1 GDPR, Article
    12.1 GDPR, as well as Articles 14.1 and 14.2 GDPR, in the context of B2B Data Quality

    services, to terminate and to keep them terminated until the processing in

    is brought into compliance with the GDPR, through the processing of

    to enter personal data in the Spectron database before informing those involved of

    proactively and individually inform the defendant who has contact details
    of the processing of their personal data by the defendant. Hereby

    the defendant must also serve the persons involved for a period of

    three months from the date of information provision

    to object to the processing of their data in a simple and effective manner

    personal data before resuming processing. What the other categories
    of data subjects for whom the defendant has no contact details

    has, the Disputes Chamber decides, in the absence of a lawful

    processing ground, to permanently prohibit the processing of their data.


- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the defendant

    order to commit the violation of articles 5.1 and 5.2 GDPR, article 24.1 GDPR as well as
    Articles 25.1 and 25.2 GDPR by appropriate technical and

    to take organizational measures to ensure that the retention period of the

    personal data — which the defendant may only further process on

    condition that the previous order has been complied with - is proportionate to the

    purposes of the processing, and so that the defendant can, in the context of his current
    Data Quality services only maintain the most current personal data

    data subjects, as required by the principle of data minimization.

    In addition, the Disputes Chamber orders the defendant to submit the current documentation

    in connection with the processing of data and compliance with the GDPR

    fill or adjust to take into account the actual data

    circumstances in which the defendant processes data
    accountability imposed on the defendant. Decision on the merits 07/2024 - 114/114





  - Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the defendant

      order to remedy the violation of Article 30.1.c) GDPR as well as Article 30.2 GDPR

      remedy by supplementing the register of processing activities with a

      clear description of the categories of personal data and of
      data subjects, as well as by all controllers on behalf of

      which the defendant believes to act as processor.


  - Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the defendant

      order within a period of three months after notification of the

      decision provides evidence of the achievement of the aforementioned compliance measures
      to be submitted to the Disputes Chamber.


  - Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG,

      in accordance with Article 83.2 GDPR, an administrative fine amounting to:

      EUR 129,500 to be imposed on the defendant for the violation of Article 5 of the GDPR;

      Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; Article 24 GDPR and Article 25 GDPR.

  - Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG,

      an administrative fine in accordance with Article 83.2 GDPR

      of EUR 41,440 to be imposed on the defendant for the violation of Article 12

      GDPR and Article 15 GDPR.

  - Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG,

      in accordance with Article 83.2 GDPR, an administrative fine amounting to:

      to impose EUR 3,700 on the defendant for the violation of Article 30 GDPR.


  This decision can be appealed on the basis of Article 108, § 1 WOG

  by registered letter within thirty days of the notification
  Marktenhof, with the Data Protection Authority as defendant.









(get). Hielke IJMANS

Chairman of the Disputes Chamber