APD/GBA (Belgium) - 101/2022

From GDPRhub
Revision as of 13:46, 27 June 2022 by Jg (talk | contribs) (Put everything in simple past; added some relevant arguments of the DPA and the controller; placed some info in the comments that are not directly relevant for the holding of the present case; improved the overall structure; added relevant facts and removed irrelevant information to make it shorter.)
APD/GBA - 101/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 32 GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Article 34 GDPR
Art. 122 WEC
Art. 126 WEC
Art. 127 WEC
Type: Complaint
Outcome: Upheld
Started: 23.09.2021
Decided: 03.06.2022
Published: 03.06.2022
Fine: 20.000 EUR
Parties: n/a
National Case Number/Name: 101/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 101/2022 van 3 juni 2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined a communication company €20,000 for not taking adequate measures to verify the identity of a data subject as well as not reporting a data breach of critical risk to just one data subject.

English Summary

Facts

The controller is a telecommunications provider. The data subject is a customer of the provider.

The controller assigned the data subjects phone number to a third party for 4 days. The data subjects SIM card was deactivated during that time. This made the data subjects personal calls and other traffic data, as well as linked accounts visible to a third party. The third party also knew the data subject's SIM card number.

The controller allegedly (1) did not take the necessary technical and organizational measures to prevent a data breach. It further (2) conducted an incomplete and/or incorrect identity verification of the third party before assigning the data subjects phone number to him. Lastly, the controller (3) did not notify the data subject nor the DPA of the data breach.

The controller argued that it cannot collect identification data when switching subscriptions, as this is a commercial purpose (article 127 WEC). It instead asked the third parties phone and SIM card number to verify their identity. The controller also stated that it had sufficient the technical and organisational measures in place. Furthermore, the controller stated that the impact on the data subject's personal life is minimal, as two-step-verification was enabled for most applications. Lastly, there was no obligation to notify the data breach with the DPA according to the controller, as there was only one breach, it did not last long and no sensitive data was involved.

Holding

The DPA rejected the statement of the controller that there is a commercial purpose when selling a postpaid subscription. According to the DPA, the purpose of the identity check is to detect and prevent fraud. This includes the possible misuse of phone numbers by unauthorized parties. The data breach would have been prevented if the controller conducted a proper identity verification.

The DPA further noted the technical and organisational measures in place were insufficient. In this regard, the DPA also rejected the controller's argument that the data breach had little impact in the data subject's personal life. It noted that the two-step-verification does not prevent access to the data subject's personal data by someone in possession of their phone number. The DPA noted that telecommunication data are very high risk (see Digital Rights Ireland), as SMS is used for very personal things such as reminders of meetings. It can also be used to impersonate someone.

The DPA therefore held that the controller violated Article 5(1)(f), Article 5(2), Article 24 and Article 32 as it did not conduct a proper identity verification and had insufficient technical and organisational measures in place.

Regarding the lack of notification, the DPA disregards the controllers arguments that this was not necessary. Possible damages for the usage of a phone number are discrimination, identity theft- and fraud, financial loss and reputation damage. Moreover, SMS data for example can contain special categories of personal data.The fact that it concerns one person and for a very short time are irrelevant as the risk remains very high to this one data subject. T

The DPA held that the controller failed to respect its notification duty under Article 33(1) and Article 33(5). However, the data subject was already informed of the data breach because of the changing of its number, Article 34 was thus not breached.

The DPA imposed a fine of €20.000 on the controller.

Comment

This is a reopening of decision 05/2021. There, the DPA fined the controller €25,000 for the above mentioned data breach. However, the DPA retracted this decision shortly after the provider submitted an elaborate appeal on 19 February 2021 and reopened the case.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                              1/29



                                                                            Dispute room



                                           Decision on the merits 101/2022 of 3 June 2022



File number : DOS-2019-04867




Subject: Complaint because of assigning the complainant's telephone number to one third



The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman and Messrs Dirk Van Der Kelen and Yves Poullet.



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and repealing Directive
95/46/EC (General Data Protection Regulation), hereinafter GDPR;



In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter

WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of

Members of Parliament on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;



Having regard to the documents in the file;


has made the following decision:



The complainant: Mr X, hereinafter referred to as “the complainant”.

                                                                                                 †
                                                                                                 †
Defendant: Y, represented by Mr. B. Bruyndonckx and Mr. L. Kuyken, both
                      with offices at Havenlaan 86c b113, 1000 Brussels. hereinafter “the

                      defendant", Decision on the merits 101/2022 - 2/29



I. Facts procedure




Process sequence

 1. On January 22, 2021, the Disputes Chamber made decision 05/2021 against the defendant,

       whereby a fine of EUR 25,000 was imposed on the defendant for violations of the

       Articles 5.1.f, 5.2, 24, 32, 33.1 and 5, 34.1 GDPR.



    • On February 19, 2021, the defendant lodged an appeal against decision 05/2021 of the

        Dispute room.



    • On 20 May 2021, the Disputes Chamber withdrew its decision of 22 January by

        by means of withdrawal decision 61/2021 and thereby decides to reconsider the case
        will take by means of a new procedure on the merits.



    • On June 30, 2021, the Marktenhof ruled in the appeal lodged by Y.



    • On September 23, 2021, the Disputes Chamber sent the new conclusion calendar

        parties in order to initiate new proceedings on the merits.


    • On November 2, 2021, the Disputes Chamber received the statement of defense from the

        defendant.


    • On April 25, 2022, in accordance with Article 53 of the Rules of

        internal order of the Data Protection Authority heard by the Disputes Chamber.


 2. This decision is made on the basis of a new procedure on the merits. The
       The Disputes Chamber has made its primary decision 05/2021 in response to the complaint in

       after all, this file has been withdrawn and has decided to initiate a new procedure

       to the bottom. The present decision is therefore taken on the basis of the complaint, the

       filed defenses and the other relevant documents of the proceedings.













The complaint and the primary decision on the complaint by the Disputes Chamber, Decision on the merits 101/2022 - 3/29






3. The complainant lodged a complaint against Y with the . on 20 September 2019

     Data Protection Authority. The complaint was declared admissible on 30 September 2019

     by the first-line service. The complaint implied that the complainant's mobile telephone number was through
     provider Y would have been assigned to a third party, as a result of which the complainant could no longer access his number

     possess. The complainant's SIM card was deactivated and the third party would therefore have knowledge

     be able to record the complainant's personal GSM traffic and calls, as well as

     linked accounts (such as Paypal, WhatsApp and Facebook) from September 16 to 19

     2019.

4. On April 15, 2020, the Disputes Chamber decided that the complaint was ready for handling

     on the ground, both the complainant and the defendant have been notified by registered letter of

     this decision. The parties were also notified of the provisions set out in
     Article 98 of the WOG and the time limits for submitting their defences. The deadline

     before receipt of the conclusion of the answer from the defendant was determined on May 27, 2020; the

     deadline for receipt of the complainant's statement of reply on 17 June 2020 and the

     final date for receipt of the statement of the respondent's reply on July 8, 2020. On 27

     May2020theweatherpresentedaconclusionofanswer.OnNovember9,2020,

     the defendant heard by the in accordance with Article 53 of the Rules of Internal Order
     Dispute Chamber.On 19 November 2020, the official report of the hearing to the parties

     submitted. The intention is to impose a fine on 7 December 2020

     transferred to the defendant. On December 22, 2020, on this intention, the defendant

     responded extensively.

5. The Disputes Chamber subsequently took decision 05/2021 on 22 January 2021 and the

     imposed a fine of EUR 25,000 on the defendant for violation of Articles 5.1.f,

     5.2, 24, 32, 33.1 and 5, 34.1 GDPR.

6. On 19 February 2021, Y appealed to the Marktenhof against the decision of the

     Disputes Chamber of 22 January 2021. Y argued in the appeal that the Disputes Chamber

     making the decision had disregarded the rights of the defense and the principles of

     had violated good governance. The defendant argued, inter alia, that
     principle of proportionality was violated because the Disputes Chamber did not have an investigation

     requested from the Inspectorate. According to the defendant, the Disputes Chamber also violated the

     principle of reasoning and the principle of reasonableness, by a defendant,

     disproportionate decision with a high fine. The defendant was of the opinion

     thattherightsofdefensewereviolatedbythedefendantnotallowtobe

     express views on the basis of a concrete indictment. The Dispute Room
     had, according to the defendant, wrongly concluded that there had been infringements

     on Articles 5.1.f, 5.2, 24, 32, 33.1 and 5, as well as 34.1 GDPR., Decision on the merits 101/2022 - 4/29




 7. Pending the appeal, the above decision was withdrawn by the Disputes Chamber
       by the withdrawal decision 61/2021. In that decision, the Disputes Chamber considered as follows:


        Whereas the Marktenhof in its rulings 2020/AR/813 of 18 November 2020 and

        2021/AR/1159of 24 February 2021 has pointed out the importance of those involved and prior

        to inform the handling of the file of the exact allegations and/or infringements

        what he might be guilty of; Whereas Y NV during the appeal to the
        Marktenhof has argued against the decision on the merits 5/2021 of 22 January 2021 that it in

        the procedure preceding this decision was insufficiently informed about the exact

        allegations and/or infringements.



        Has decided to:

        † the decision on the merits 5/2021 of January 22, 2021 against Y NV by means of the present

        decision to withdraw.

        † reopen the proceedings before the Disputes Chamber and the parties, subject to the

        to request the submission of new means of defense specified in Article 98 of the GBA Act.”

 8. No appeal was lodged by the defendant against the withdrawal decision of the Disputes Chamber

       set. During the hearing of the appeal against the primary

       decision of the Disputes Chamber, however, that the Marktenhof “Again justice and with

       exercising its fullness of jurisdiction, should assess the merits of the case

       and to substitute its own decision for the Disputes Chamber.”

 9. On June 30, 2021, the Marktenhof ruled. In it, however, the court held as follows:

       the above-mentioned request of the defendant:

        Now that the decision of 19 May 2021 states that it has been decided ”to start the procedure for the

        To reopen the Dispute Chamber and the parties with due observance of the provisions of Article 98

        oftheGBA-Lawrequesttosubmitnewdefense”andnorecourse against this

        has been instituted, Y has agreed that the Marktenhof will not have its own

        decision and that, first of all, the Disputes Chamber must be given the opportunity to
                                 1
        resume proceedings.”

 10. With the above, the Marktenhof has therefore confirmed that the decision of the

       Dispute chamber against which an appeal was lodged by the defendant no longer exists in the

       legal transactions and it is deemed never to have existed by the withdrawal decision. The

       Defendant's claim that the Market Court, by virtue of its full jurisdiction, has its own

       should make a decision by taking the place of the Disputes Chamber was by

       the Marktenhof therefore declared it unfounded. The appeal is without object.




1Recital 7.5 Marktenthof judgment, Decision on the merits 101/2022 - 5/29




 11. The Marktenhof has also noted that the withdrawal of the decision cannot in itself
       shall be regarded as proof that the Disputes Chamber has made a wrong or illegal decision

       Has taken. According to the Marktenhof, there is also no question of any erroneous conduct on the basis of

       of the Disputes Chamber. On the contrary, according to the Marktenhof, the withdrawal testifies to

       respect for the principles of the rule of law by the Disputes Chamber.


        New procedure on the merits

 12. On September 23, 2021, the Disputes Chamber sent a new conclusion calendar to

       parties. In this letter, the Disputes Chamber also summed up:

       the charges against the defendant which read as follows: "The defendant is charged"

       laid that:

        1. he has not carried out any, or has carried out an incomplete or incorrect verification when checking whether the

        third person who requested a migration of his SIM card from . in the defendant's shop

        prepaid to postpaid and indicated that he is the holder of the telephone number actually

        that person was. As a result of the foregoing, his number was assigned to the third

        and could the third party have access to the telephone number and take cognizance of the

        the complainant's telephone traffic as a result of which there was a data breach. Therefore, on

        defendant charged that he did not take the necessary technical and organizational measures

        would have taken in order to prevent a violation of the complainant's privacy (
        Articles 5.1.f, 5.2, 24 and 32 GDPR)



        2. he the data leak that has arisen as a result of the procedure described under 1

        has not reported to the Data Protection Authority nor to the data subject, in this case

        complainant (Articles 33.1, 33.5 and 34.1 GDPR)”

 13. The Disputes Chamber also formulated the following questions in order to provide greater clarity:

       to obtain:


        ”1. Has the defendant taken all necessary technical and organizational measures in accordance with the

        Articles 5.1.f, 24 and 32 GDPR and provided an appropriate level of security

        in order to prevent the -allegedly- assigning of the complainant's telephone number

        could happen to a third party and if so, can it demonstrate this?


        2. Can the defendant demonstrate that it has taken proactive measures in accordance with Article 5.2

        GDPR in order to ensure compliance with the provisions of the GDPR -including the above under 1

        measures mentioned - to guarantee ?






2This refers to the complainant's telephone number, Decision on the merits 101/2022 - 6/29



      3. According to the defendant, was there a data breach, and in that case has the defendant

      complied with the obligation to report that data breach to the

      Data protection authority in accordance with Article 33.1 AVG and has these infringements

      documented in accordance with article 33.5 AVG, as well as a notification thereof to the person concerned

      in accordance with article 34.1 of the GDPR?

14. The time limits for submitting defenses were set at:

   - November 2, 2021 as the final date for receipt of the statement of reply from

      defendant;

   - 23 November 2021 as the final date for receipt of the complainant's reply;

   - 14 December 2021 as the final date for receipt of the statement of reply from

      defendant.

15. The Disputes Chamber received the statement of defense from the defendant on 2 November 2021

     in which the following pleas are put forward:



          • Defendant took all necessary technical and organizational measures in accordance with the

              Articles 5 (1) (f), 24 and 32 of the GDPR and provided an appropriate level of security;

          • Defendant took proactive measures in accordance with Article 5 (2) of the GDPR in order to

              compliance with the requirements of the GDPR, including the technical and
              to ensure organizational measures;

          • Defendant acted in accordance with Articles 33 and 34 of the GDPR;

          • According to the defendant, the Disputes Chamber will have to sit in a completely different

              composition in view of the judgment of the Marktenhof in which this was determined. If the

              composition of the Disputes Chamber in these proceedings would not differ completely

              of the composition of the Disputes Chamber that ruled on January 22, 2021, is
              the composition according to the defendant is irregular and the procedure equally so.


16. On April 25, 2022, the parties will be heard by the Disputes Chamber.

17. The minutes of the hearing will be sent to the parties on 9 May 2022.


18. On May 17, 2022, the Disputes Chamber will receive the comments from the defendant on the

     police report. First of all, the defendant argues that the chairman Hielke Hijmans during the
     hearing would have “admitted” that the decision of the Marktenhof in which it was determined

     that the Disputes Chamber must sit in a completely different composition if a case is a

     is dealt with a second time by the Disputes Chamber, as is the case in this case, not by the

     Litigation room would have been respected. The defendant is also of the opinion that the

     does not adequately reflect verbally what the members would put forward during the session
     to have. It does not specify what would be missing., Decision on the merits 101/2022 - 7/29



 19. The sanction form was sent to the defendant on May 16, 2022.


 20. On May 31, the Disputes Chamber receives the defendant's response to the sanction form.

The content of the case


 21. The complainant has been a customer of the defendant since 11 June 2015 and purchases (prepaid) mobile telephone services.
       The complainant's telephone number is for the duration of four days, namely from 15 to 19

       September 2019, awarded to a third party where the complainant's SIM card has been deactivated.


 22. During these proceedings, the Disputes Chamber has tried to gain insight into the course of
       the events that led to the assignment of the complainant's telephone number to

       a third. It is clear from this decision that a few things about the actual course

       cannot be fully explained.According tothedefendant,thethirdisinone

       of the defendant's stores in order to exchange the complainant's prepaid subscription

       have it converted into a postpaid subscription with the accompanying smartphone device that will be replaced after 24 months
       subscription has been paid. According to the defendant, both the telephone number and the

       SIM card number of the carrier specified by the third party. Changed from September 11, 2019

       the complainant's subscription therefore changes from prepaid to postpaid. The third has its own

       provided identification information that associated it with the postpaid

       subscription so that all costs were billed to the third party's name from that point on.

       However, the third did not yet have a SIM card attached to it on September 11, 2019.
       the complainant's mobile number so that the complainant could continue to use the services himself

       of the subscription. Four days later, on September 15, 2019, according to the defendant, the third

       went to a Y-shop again and asked for a new SIM card attached to

       the same mobile number. So at that moment he got access to the mobile number of the

       complainant and the complainant's SIM card was disconnected. The complainant was no longer in contact with the
       network from then on.


 23. The complainant describes in his complaint that he has had telephone contact with the defendant several times

       and having been in the defendant's shops in order to be able to dispose of again
       about his phone number. It was only on 19 September 2019 that the complainant was able to

       have his phone number.






II. Justification


    2.1 About the composition of the Disputes Chamber

 24. Defendant expressly made reservations both in conclusion and during the hearing

       with regard to the composition of the Disputes Chamber. Defendant orphaned during the hearing

       that the composition of the Disputes Chamber does not consist in its entirety of other physical persons, Decision on the merits 101/2022 - 8/29



     noticed that the two members had been replaced while the chairman was in this proceeding

     stayed seated. In addition, the defendant has stated in his response to the official report:

     given that the chairman would not have yielded to the ruling of the Marktenhof

     to keep. The foregoing statement is incorrect. The Disputes Chamber will state below with reasons

     explain in detail why this composition of the Disputes Chamber was chosen at

     the handling of this file.

25. In its judgment of June 30, 2021, the Marktenhof decided that the Disputes Chamber “in its

     totality would have been composed by physical persons other than those who were part of

     the Chamber when taking the currently contested decision.” Defendant therefore argues that the

     procedure is unlawful if the Disputes Chamber has not been composed by three other
     persons other than those who were part of the Dispute Chamber when taking the

     primary decision.


26. The court further ruled that: “Although the members of the Disputes Chamber are not judges,
     it that this body would comply with the basic rules of good administration including at least

     give the appearance of impartiality”.


27. The Disputes Chamber emphasizes that in this case there is no question of any

     established illegality of the proceedings of the Disputes Chamber. From a judgment in which the
     the impartiality of the Disputes Chamber is not at all questioned. It

     the contrary is true. The Disputes Chamber has chosen to revoke its initial decision

     with the motivation:



       Whereas the Marktenhof in its rulings 2020/AR/813 of 18 November 2020 and

       2021/AR/1159 of 24 February 2021 pointed out the importance of keeping data subjects

       prior to the handling of the file to inform them about the exact allegations and/or

       infringements of which he could be guilty; Whereas Y NV during the

       has appealed to the Market Court against the decision on the merits 5/2021 of 22 January 2021

       stated that it was insufficiently informed in the procedure preceding this decision
       regarding the exact allegations and/or infringements.”


28. There is no indication whatsoever that the Dispute Chamber -as it was first constituted-partisan

     would be and could not (in part or even entirely the same composition) again

     judge the case.

29. Moreover, no appeal was lodged against the withdrawal decision of the Disputes Chamber

     registered by the defendant. Defendant requested the Marktenhof to make its own decision

     to replace that of the Disputes Chamber and to rule on the merits of the

     appeal lodged by it against the primary decision and which is pending
     was withdrawn by the Disputes Chamber. The Market Court rejected the defendant's request, Decision on the merits 101/2022 - 9/29




       occasionally, considering that due to the withdrawal decision of the Disputes Chamber, the contested

       decision was deemed never to have existed in legal transactions. With that, the profession

       become without object. The Court also noted that the withdrawal of the

       decision in itself cannot be regarded as proof that the Disputes Chamber made a wrong decision

       or made an illegal decision. The withdrawal of the decision testifies according to the
       Market Court of respect for the principles of the rule of law by the Disputes Chamber.


 30. In a judgment of 7 August 2018, the Marktenhof ruled in principle on the question whether a

       case, after annulment due to a procedural defect, must be reassessed by a

       differently composed body, or whether the body in the same composition is a new

       may make a decision. It concerned a decision of the Belgian Competition Authority

       (BMA). The Marktenhof ruled in this judgment that a different composition in that case

       was necessary, because Article IV.30 Code of Economic Law (WER) Article 828

       Judicial Code (Ger. W.) applicable to the BMA. In article 828 Jud. W. are the
       grounds for challenge for judges. Of crucial importance in that judgment was that it

       Marktenhof ruled that Article 828 Jud. W. can only be applied to other persons

       than the judges belonging to the judiciary if the law expressly so provides.

       Since the WOG does not contain a provision that Article 828 Ger. W. declares applicable to the

       members of the Disputes Chamber, members of the Disputes Chamber cannot

       provision will be challenged if they have previously taken cognizance of the same dispute.


 31. The Disputes Chamber makes every effort and does everything possible to

       to observe the principle of impartiality as a general principle of good administration,
       to ensure a fair trial for the parties. After all, this principle guarantees both

       the personal impartiality of the members of the Dispute Chamber who make a decision,

       as the structural impartiality of the Disputes Chamber in terms of its organisation,

       the course of the procedure and the making of its decisions. 3


 32. However, according to settled case-law of the Council of State, the principle of impartiality is only

       applies to the bodies of the active management “to the extent that this is compatible with its own”
                                                         4
       nature, in particular the structure of the government”. The application of the principle lean more

       certainly do not make it impossible to take a regular decision, namely
       because this principle would make it impossible for the competent administrative authority to act. in 5

       the extent that the application of the principle would lead, for example, to a body being

       could no longer exercise legal powers, the application of this principle

       be pushed aside.





3See, by analogy, Council of State 26 February 2015, no. 230,338, Deputation of the Antwerp Provincial Council, para. 10.
4
 See, for example, RvS 3 October 2014, no. 228.633, ASBL Unsolicited Artists; December 10, 2020. no. 249,191, recital. 25, Decision on the substance 101/2022 - 10/29




 33. The Disputes Chamber consists of a chairperson and six members, three of whom are Dutch speakers and three

       French speaking. These members all have their own area of expertise. When treating a

       file for the Disputes Chamber, the members are therefore involved on the basis of the language they use

       speak and their expertise that is called upon. The principle of impartiality

       applies as indicated above to the extent compatible with the nature and

       government structure. The two Dutch-speaking members Frank De Smet and Jelle Stassijns

       were sitting together with the chairman at the time of the primary handling of the complaint against

       defendant. This means that only 1 Dutch-speaking member remains. It is for that reason only

       not possible for the Disputes Chamber to sit in a completely different composition

       since this is simply incompatible with the grounding and structure of the Dispute Chamber

       and it would seriously impede the continuity of the Disputes Chamber. Since knowledge of

       the language in which a complaint is handled before the Disputes Chamber is indispensable for a

       efficient way of handling, the members for the handling of a particular file

       initially designated by the chairman – in accordance with Article 33 WOG and Article

       43 of the Rules of Internal Order - based on the spoken language and of course expertise

       on the relevant level. With regard to the language role, the starting point is that - in addition to the chairman who
       meets the language requirements for all national languages – at least one member belongs to the language role of

       the language of the proceedings (and the other member has sufficient factual knowledge of the language).


 34. The Disputes Chamber recalls that the principle of good administration of impartiality

       according to legal doctrine is less far-reaching and less strict than the principle of due

       administration of justice that applies to the court. In any case, the governed always has the

       possibility to lodge an appeal with a judge that meets the requirements of Article 6.1

       ECHR. 7


 35. The Court of Justice ruled that even the composition of a judicial formation does not
                                                             8
       should be changed in full upon referral. According to the Court, “the fact that an en
       the same judge sits in two formations [of the General Court] which

       successively taken note of the same case, in itself, apart from any other objective

       element, do not cast doubt on the impartiality of the General Court.” “There is nothing to indicate that

       the referral of the case to a judicial formation that is in a completely different way

       composed than that which first became aware of the matter, within the framework of the

       Community law must or can be regarded as a general obligation.”


 36. In support of their judgment, the Union judges refer to the case law of the European Court

       for Human Rights (ECtHR), which has already ruled several times that “from the




6Article 40 § 1 Data Protection Authority Establishment Act
7RvS 23 April 2009, no. 192.590, Crauwels, recital. 3.2.4. See also I. OPDEBEEK and S. DE SOMER, General administrative law. Foundations
and principles, Antwerp, Intersentia, 2017, 384-385.

8H.v.J., C-341/06 P and C-342/06 P, Chronopost and La Poste/UFEX and Others, 1 July 2008, EU:C:2008:375, §§ 51-60., Judgment on the merits 101/ 2022 - 11/29




       requirement of impartiality, the general principle cannot be inferred that a judicial
       body that overturns an administrative or judicial decision, obliges the case to a

       other body or to a body of that body composed of other persons

       refer". For example, with regard to a disciplinary court, the ECtHR has ruled that the

       the circumstance that three of the seven members of that college, after a previous ruling in which

       they had been involved, was quashed in cassation, after referral again about the same

       had to judge the case did not give rise to a legitimate fear of bias.9

 37. Although there is no established illegality of the acts of the

       Disputes Chamber or doubts about the impartiality of the Disputes Chamber, the chairman has

       of the Disputes Chamber decides to comply with the request of as much as possible

       defendant and in this case two other members have been appointed - namely Mr Dirk Van Der Kelen and

       Mr Yves Poullet - to attend the debate on the merits of the present proceedings.

       The chairman will therefore continue to sit himself now that it is practical for the Disputes Chamber

       it is unfeasible to sit in a completely different composition, taking into account the number of

       members of both language roles.



2.2 Defenses and analysis Dispute Chamber



First ground: Defendant has taken all necessary technical and organizational measures

in accordance with Articles 5 (1) (f), 24 and 32 of the GDPR and therefore an appropriate level of security
commanded.


 38. Defendant first pleads all necessary technical and organizational measures

       in accordance with Articles 5 (1) (f), 24 and 32 of the GDPR and therefore appropriate

       level of security. That an appropriate level of security was

       According to the defendant, the offer can be demonstrated on the basis of a number of aspects.
       First of all, the defendant applies internal rules regarding the technical and organizational

       measures that must be complied with within the organization. Defendant takes

       at all times the appropriate technical and organizational measures to protect the personal data

       of its subscribers. The measures taken are evaluated every year and

       adjusted if necessary. The Belgian Institute for Postal Services and

       Telecommunications (BIPT) carries out an annual audit of the technical and organizational

       measures within the organisation. Due to its confidentiality, the document may

       in the opinion of the defendant, should not be brought into this proceeding. In addition, the defendant has a
       duty to maintain confidentiality of communications arising from Article 124 of the Electronic Act

       Communications (WEC).




9EHRM, Dienet v. France, September 26, 1995, § 38., Decision on the merits 101/2022 - 12/29




 39. The documents YBelgium overview of Technical and Organizational measures and Group

       Security Standard 10 are new documents that the Disputes Chamber was not previously aware of

       could have taken. The document Group Security Standard contains the mandatory

       security measures of the Y Group. It is a shared reference point of Y Group and

       describes the minimum mandatory security requirements to be implemented by each entity. It

       document contains general principles regarding security, information security and physical security.

       The document Y Belgium overview of Technical and Organizational measures also contains

       general principles.




About the verification of identity



 40. The defendant stated in its statement and during the hearing that it is not possible

       was to verify the identity of the third party and that of the holder of the number associated with the

       to compare prepaid plans. Defendant points out, however, that the internal

       procedure has been changed following the decision of 22 January 2021 of the

       Dispute chamber in which, among other things, it was ordered to comply with the processing

       with Articles 24 and 32 GDPR. Since then, the Defendant therefore uses as

       standard procedure that identity verification is performed upon conversion

       from prepaid to postpaid cards. In addition, employees in the shops have been given access to

       performing that check. The reason no authentication checks were performed before

       according to the defendant has everything to do with the prohibitions imposed by Article 127 of

       the Electronic Communications Act and the executive Royal Decree . the executive

       Decree contains further rules on the identification of the end users of prepaid

       (prepaid) cards.12 According to the defendant, the law and the decrees prescribe that

       identification data may not be used for commercial purposes. Defendant

       states: “Due to the strict application of the above legislation, employees

       in the sales outlets of the concluante when requesting the migration from a prepaid to a

       postpaid subscription only check the telephone number and the SIM card number.”


 41. The part of the preamble to the Royal Decree quoted by the defendant reads: “The

       operators and the providers referred to in Article 126, § 1, first paragraph, may therefore

       identifiers collected under Section 127 of the WEC and which are

       not use for commercial purposes held under Article 126 of the WEC …….”.



10
  These documents were submitted to the proceedings by way of conclusion.
11 Electronic Communications Act of June 13, 2005, entered into force on June 30, 2005 and executive Royal
decide
12Royal Decree of 27 November 2016 on end-user identification of mobile public electronic
communication services provided on the basis of a prepaid card, BS 7 December 2016. Decision on the merits 101/2022 - 13/29




       The Disputes Chamber points out that the aforementioned article will, however, be continued as follows: “but they
       may collect identification information from prepaid card users and

       keep for commercial purposes in accordance with Article 122 (applicable

       when an invoice is sent) or the general legislation on the protection of

       personal living ambiance."


 42. During the hearing, the defendant with regard to the abovementioned Article 127 WEC, read in
       coherence with the executive Royal Decree and the Report to the King accompanying that decree,

       indicated that the provision has given rise to discussion among all telecom operators,

       namely whether the article should be read strictly or not. Defendant interprets it

       law strictly. Since this case concerns the sale of subscriptions, this

       regarded by the defendant as a commercial objective.


 43. The defendant's assertion that carrying out an identity check (i.e. in this case the
       comparingtheidentitydataofthelowerandthethird)in the context of a conversion

       from prepaid to a postpaid subscription, was not allowed to take place due to the legal

       ban on use for commercial purposes, the Disputes Chamber considers incorrect.


 44. Contrary to the defendant, the Disputes Chamber is of the opinion that there is no question of

       a commercial purpose. First of all, the purpose of using the identity data of
       a prepaid customer in this case only to prevent misuse of the telephone number by

       any unauthorized persons, as in the present case. The aim is therefore to prevent the

       wrongly taking over a telephone number from a prepaid customer by a third party, causing

       it would also have access to its mobile traffic and possibly other services linked

       to the phone number. The defendant therefore had the data of the third party and the

       must compare known data of the complainant in an unambiguous way (and therefore not

       based only on a SIM card number which is anything but a strong identifier.

       In short, this concerns a legitimate purpose, namely the detection of possible
       fraud with telephone numbers which can have enormous consequences for those involved.


 45. The Disputes Chamber also refers to the Report to the King at the executive
                        13
       Royal Decree. The report reads as follows: “It is the intention of the legislator

       not been here to impose a total ban on identity checks, but to

       subject to strict regulations in order to ensure a good level of protection of
       to guarantee personal data.” By failing to check, the defendant

       disregarded the will of the legislator, which is to offer a good

       level of protection of personal data to data subjects. In a case like this, the –






13Report to the King by Royal Decree of 27 November 2016 on the identification of the end-user of mobile phones
public electronic communications services provided on the basis of a prepaid card, BS 7 December 2016. Judgment on the merits 101/2022 - 14/29




       limited - processing of personal data to verify identity for the purpose of

       prevent misuse of personal data.

 46. In its submission, the defendant further claims:


        “If, however, the Disputes Chamber is of the opinion that the concluding party was nevertheless obliged to provide the identity

        with the identity of the holder of the telephone number, it interprets the
        regulations and guidelines to which the controller is subject

        particularly smooth. In no way does this appear to be the intention of the legislator,

        as a result of which the concluding party could not be expected to hold such an opinion.”


 47. Contrary to the defendant's argument, the Disputes Chamber rules that Article 18§1 of

       the Royal Decree implementing and explaining Article 127 § 1 of the WEC very clearly

       and leaves no room for doubt as to its interpretation and application. The article

       namely determines:

        ”The company concerned shall ascertain, through technical and operational

        measures, that the person responsible for the extension or migration of the product

        asks is actually the person identified for that product.”

 48. Subsequently, the article-by-article discussion of the Royal Decree provides the following clear

       explanation to this article:


        ”Art. 18. Product Expansion or Migration. It is possible that a person is already a customer of a

        concerned company for a different product (for example, a subscription to mobile

        telephony) and has been identified by the company concerned for that product. That person
        can then decide to additionally purchase a prepaid card (product extension) or to

        from the first product to a prepaid card (product migration).The

        The company concerned can then establish a link between the prepaid card and the product

        that has already been purchased by the end user. The undertaking concerned shall ensure that

        by setting up technical and operational measures, that the person who is the extension of

        the product asks is actually the identified person for that product. This is possible

        be done, for example, through the presentation of an identity document or on the basis of the

        identification number and a password. The person who is the holder of the product with which

        the prepaid card is associated with must be the same person as the one who

        requires activation of the prepaid card. Therefore, this method should not be used if
        a child requests the activation of the prepaid card and in doing so makes use of a

        other product subscribed to by a parent.” (own underlining)






14Report to the King by Royal Decree of 27 November 2016 on the identification of the end-user of mobile phones
public electronic communications services provided on the basis of a prepaid card, BS 7 December 2016. (Own
underlined by the Disputes Chamber), Decision on the merits 101/2022 - 15/29



49. It is therefore clear and unequivocal from the foregoing that the undertaking concerned

     (in this case, the defendant) even has a legal obligation to, in the case of product migration,

     to obtain certainty about the identity of the person requesting the migration.

     The foregoing serves to obtain certainty as to whether it is actually the person who is responsible for that

     product has been identified.It is also apparent from the explanatory memorandum that the verification only

     can take place after presentation of an identity document or on the basis of a
     identification number and a password.


50. Given the clear and unmistakable wording of the legislator in the above

     regulations in which, according to the Disputes Chamber, no room is left for another

     interpretation, identity verification should have taken place. The Dispute Room
     considers that the defendant should indeed have proceeded to verify the identity

     of the person who requested the SIM card migration. After all, the legislator writes

     expressly states that this check must be carried out on the basis of the identity card or

     identification number and password.

51. Defendant could therefore not suffice with asking for the SIM card number and the

     phone number. After all, the defendant had the identity card of the third party,

     but has failed to compare the personal data with those of the holder of the mobile phone

     number, in this case the complainant.

52. By carrying out a verification, it would soon become apparent that there are two different

     persons went. Defendant has failed to make such a low effort

     carry out verification, while the defendant as a telecom operator had to be aware of

     the enormous consequences that such negligence could entail.

     Defendant thereby knowingly failed to comply with a legal obligation,
     namely that of Article 18 § 1 Royal Decree implementing the Telecommunications Act. The

     The Disputes Chamber comes to the conclusion that there was not only an attributable

     shortcoming but also a violation of Article 18 § 1 of the Royal Decree which is clearly

     prescribes that a check must take place during product migration.

53. During the proceedings, the defendant has consistently argued that product migration should

     be regarded as a commercial purpose and that it was therefore prohibited to

     verify the identity.It appears from article 18§1 of the Royal Decree, however, that the legislator

     does not classify product migration as a commercial purpose and rather prescribes that a

     identity verification must take place. The defendant's argument therefore fails.

54. The Disputes Chamber ruled in its primary decision, among other things, that the defendant

     processing in accordance with Articles 5.1.f, 5.2, 24 and 32 GDPR.

     Defendant has complied with this order, by setting up an additional procedure

     to verify the customer's identity during product migration. Defendant argues in this regard, Decision on the merits 101/2022 - 16/29



      in its conclusion, however, that this was done at the risk that the defendant could be blamed by BIPT or by a

      court may be called back in connection with using the identification data

      for commercial purposes, which would be expressly by Article 126 of the WEC

      forbidden.

 55. The Disputes Chamber concludes that a product migration according to the applicable legislation is not

      can be regarded as a commercial purpose. It therefore notes once again that the

      Articles 5 (1) (f), 5.2, 24 and 32 of the GDPR have been infringed.



Second ground: Defendant took proactive measures in accordance with article 5(2) of the GDPR in order to

compliance with the regulations of the GDPR, including the technical and organizational measures

to ensure.



 56. The defendant submits by its second plea that proactive measures were indeed taken

      taken to ensure compliance with the requirements of the GDPR - including the technical and

      organizational measures - to ensure. Defendant has in response

      added the Safety Working Method, among other things. This internal piece for the employees

      describes how personal data of customers should be handled and reaches
      handles for the confidentiality of the data within the organization of the defendant

      to ensure.


 57. It is pointed out in several places in the working method that a full

      identity check (surname, first name, telephone number, if there is one: customer number,
      date of birth, identity card number, address, amount of the last invoice and where and

      when activation is requested) is required for “all inquiries in light of

      contract amendment, such as; rate plan change, address change, P2P, PPP, activation

      or deactivation of a service, ask for a copy of an invoice and ask for confidential

      information".

 58. In the present case, the third party who (later) obtained access to the complainant's telephone number, the

      conversion of his prepaid card to a postpaid subscription. He therefore asked for

      activation of a new service. This means that the defendant also, according to its own

      working method should have asked for additional data with aim to determine the
      identity of the person in question. By failing to verify the identity of the third party

      defendant acted culpably negligently.


 59. Defendant also has the documents Y Belgium overview of Technical and

      Organizational measures and Group Security Standard introduced into the procedure (see point
      39 above)., Decision on the merits 101/2022 - 17/29



60. According to the defendant, it can also be inferred from those documents that the defendant

     is concerned to take appropriate technical and organizational measures at all times

     to protect the personal data of its subscribers. The measures taken are

     also evaluated by it every year and, if necessary, adjusted. Both documents contain

     general minimum security requirements to be implemented. The Disputes Chamber can, on the basis of

     these documents do not, however, reach a different conclusion than that the defendant is in default in this case
     shot due to insufficient implementation of the technical and organizational measures

     bring.


61. The defendant argues that the infringement had a very limited impact on the complainant. The third

     According to the defendant, the person could not gain access to the complainant's profiles on
     different platforms like WhatsApp and Paypal because those platforms have the two-step verification

     would use in order to log in or sign up to their profiles. The third had

     furthermore, according to the complainant, no access to all communications of the complainant that have been made in the past

     had taken place. Therefore, according to the defendant, there is in no way

     violation of the complainant's privacy. There are only practical inconveniences that the complainant

     would have encountered.

62. The Disputes Chamber points out in this regard that - in contrast to the defendant's

     claimed - for the use of, for example, the WhatsApp application in principle that is sufficient

     someone has the phone number. The two-step verification that according to the defendant
     must be completed must be activated explicitly via the WhatsApp settings and

     is not on by default. So the default security setting is that only the

     telephone number is sufficient for taking over the use of the Whatsapp application. The

     user enters the phone number through which he wants communication through the application

     and then an SMS is sent to that number. After the code

     entered in the text message, communication can take place directly via
     whatsapp. So, if the two-step verification has not been activated, nothing else is needed

     then access the mobile phone number to which the verification code is sent.


63. In addition, by having a telephone number, there is a considerable chance that

     access to different types of personal data can be obtained. Various
     authorities - such as hospitals - remind of appointments by means of the

     sending SMS messages. In addition, having a phone number of a

     others, the door is wide open for fraud and fraud, for example because there are conversations

     messages could be conducted or sent on behalf of the injured party. The

     The Disputes Chamber therefore disagrees with the defendant's statement that there is no way

     would be a violation of privacy.

64. The Court of Justice emphasized the importance of telecom data with the following

     wording in its judgment Digital Rights Ireland of 8 April 2014: “From this information, in their, Decision on the merits 101/2022 - 18/29




       considered as a whole, very precise conclusions can be drawn about the private life of

       the persons whose data is kept, such as their daily habits, their

       permanent or temporary residence, their daily or other movements, the activities that

       they exercise, their social relations and social circles in which they live.” 15 Notwithstanding

       the third party in the present case may not have had access to all the information referred to in the judgment, the

       Litigation room in the opinion that it has the complainant's telephone number

       there was a significant risk of a violation of his privacy rights.


 65. Defendant concludes that in principle only the user of a mobile telephone number

       should know the associated SIM card number. The SIM card number will be

       therefore used as verification that the applicant is indeed the actual user of the

       telephone number provided. The seller would therefore have both the

       phone number and have requested and obtained the SIM card number from the third party. The

       migration was then carried out and the third party therefore has its own identification data

       filed, according to the defendant. The third party's identifiers were

       defendant checked by comparing the identity card data with the specified one

       name, address and place of residence of the third party. According to the defendant, these identity data were

       however, not compared with the identity data of the prepaid customer to whom it is

       SIM card number and mobile number was assigned first, namely the complainant. Latter

       According to the defendant, the check did not take place because identity data may not be used
                                                                                                16
       used for commercial applications based on the Electronic Communications Act and
                                                                                             17
       the Report to the King to the Royal Decree implementing this law, such as

       set out in marginal 42 et seq. above.

 66. The defendant finds it incomprehensible that the third party could find out the SIM card number.

       According to the defendant, the SIM card number can only be retrieved via the systems of

       defendant where it is stored or if these have been communicated by the complainant himself. In order

       to obtain both the telephone number and the SIM card number, the third party – according to

       defendant - either had the cooperation of the complainant or that of a Y employee.

       According to the defendant, the combination between SIM card and telephone number is unique, which means that the

       method of using the combination telephone number-SIM card number is appropriate to the

       verify the user's identity. If only use were made of the

       phone number to verify the user's identity before the migration, according to

       can point out to the defendant faulty technical and organizational measures. The





15Court of Justice of the EU, Digital Rights Ireland and Seitlinger and Others, Joined Cases C‑293/12 and C‑594/12, ECLI:EU:C:2014:238 , para. 27.

16
  Article 127 in conjunction with Article 126 § 2.7° of the Electronic Communications Act of 13 June 2005, which entered into force on 30
17ni 2005.
  Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of mobile phones
public electronic communications services provided on the basis of a prepaid card, BS 7 December 2016. Judgment on the merits 101/2022 - 19/29



       combination of telephone number and SIM card number can, according to the defendant, be

       equated with the combination of e-mail address and password. Also in this combination there is

       the verification consists of an element that is public and an element that only the owner can know.


 67. The Disputes Chamber refers to the statement of the defendant that:

           • employees were obliged to request the SIM card number from the customer and this

               were required to implement a migration from prepaid to postpaid;

           • at the time there was no possibility for the employee to use the

               mobile number to request the SIM card number from the database.

The question therefore remains how the third party arrived at the combination of mobile number and SIM card number.

In any event, the defendant has not been able to demonstrate this to the Disputes Chamber,

as required by Articles 5.2 and 24 GDPR.


 68. Defendant submits an earlier notification dated March 11, 2019 to the
                                                                            18
       Data Protection Authority of a similar data breach. It is also mentioned
       that another reason for not reporting the leak in this case was the following: “The

       Data Protection Authority has not followed up this file further, which shows the

       limited importance that the Data Protection Authority attaches to such (minor)

       data leak. For that reason, the concluding party's presumption that there was no

       reporting obligation would have been confirmed in the present case.” The Disputes Chamber hereby refers to the

       accountability of the defendant arising from Article 5.2 and Article 24 GDPR whereby

       it is up to the defendant to demonstrate that it also acts in accordance with Article 5.1.f GDPR
       namely: ”by taking appropriate technical or organizational measures in a

       processed in such a way as to ensure appropriate security, and that

       they are protected, among other things, against unauthorized or unlawful processing and against

       accidental loss, destruction or damage (“Integrity and Confidentiality”).” The

       claim that a previous report was not handled by the

       Data Protection Authority, does not affect the accountability obligation.




 69. The Disputes Chamber agrees that the accountability obligation pursuant to the Articles
       5, paragraph 2, article 24 and article 32 GDPR entails that the controller

       takes necessary technical and organizational measures to ensure that

       the processing is in accordance with the GDPR. The foregoing obligation belongs to the

       proper fulfillment of the defendant's responsibility under Article 5(2), 24 and 32

       AVG.The Disputes Chamber points out that the accountability obligation of article 5 paragraph 2 and article 24

       GDPR is one of the central pillars of the GDPR. This means that on the



18As document 5 to its claims., Decision on the substance 101/2022 - 20/29




       controller has the obligation, on the one hand, to take proactive
       measures to ensure compliance with the requirements of the GDPR and,

       on the other hand, being able to demonstrate that he has taken such measures.


 70. The Group 29 stated in the Opinion on the “accountability principle”

       that two aspects are important in the interpretation of this principle:

        (i) “the need for a controller to provide appropriate and

               take effective measures to ensure that the principles for

               implement data protection; and

        (ii) the need to demonstrate upon request that appropriate and effective

               measures have been taken. The controller must therefore
                                                           19
               provide evidence of (i) above”.

 71. In view of the above considerations, the Disputes Chamber is of the opinion that the defendant infringed

       has committed to Articles 5.1.f, 5.2, 24 and 32 GDPR due to insufficient technical and

       to take organizational measures to prevent the processing of personal data

       in accordance with the relevant laws and regulations.



Data leak


 72. Article 33(1) of the GDPR provides: ”If a personal data breach has occurred

       occurred, the controller shall report it without undue delay and,

       if possible, no later than 72 hours after he became aware of it, to the corresponding
       Article 55 competent supervisory authority, unless it is not probable that the infringement

       connection with personal data poses a risk to the rights and freedoms of natural persons

       persons. If the notification to the supervisory authority is not made within 72 hours,

       it shall be accompanied by a justification for the delay.”




 73. The defendant argues in its claims that there was no obligation to report the data breach

       to be given to the Data Protection Authority. The reason for this, according to the defendant, is

       fact that the data breach involved one data subject, it was very short-lived and, according to

       Defendant did not disclose sensitive data. With regard to the foregoing, the

       Dispute room on the above, namely that it can be deemed plausible

       that, for example, SMS messages are received which contain special personal data
       could contain.






19 Opinion 3/2010 on the “accountability principle” adopted on 13 July 2010 by the Working Party 29, p. 10 – 14
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf., Decision on the merits 101/2022 - 21/29




 74. When assessing whether an infringement poses a likely high risk to the

       rights and freedoms of individuals according to Group Guidelines 29

       take into account the answer to the question whether the infringement may lead to
       physical, material or immaterial damage to the persons whose data is the object of

       be the infringement. Examples of such damages include discrimination, identity theft, or -

       fraud, financial loss and reputational damage.0 By assigning the complainant's telephone number

       to a third party, the complainant is exposed to the risk of carrying out fraudulent

       acts under his name, using his telephone number. Also exists –

       contrary to what the defendant appears to argue - a risk that sensitive data (such as

       health data) come into the hands of third parties. Defendant argues that there is no obligation to report

       existed before it, among other things because it concerns a data breach of a single

       person. The Disputes Chamber points out that an infringement, however, is serious even for one person

       consequences, depending entirely on the nature of the personal data and the context
       in which they have been compromised. Here too it comes down to looking at the

       likelihood and severity of the consequences. 21 Moreover, this is a risk of

       structural nature to which all prepaid card users may be exposed

       become. It cannot be excluded that there are other cases where the Disputes Chamber

       is not aware of.


 75. The Disputes Chamber is of the opinion that in the present case the defendant has not succeeded in
       demonstrate that sufficient proactive measures have been taken to ensure compliance with the GDPR

       guarantee. The defendant's employees first of all failed to carry out a verification

       between the identities of the third and the complainants Y subsequently failed to

       to report the data breach to the Data Protection Authority. Defendant has no

       submitted documents showing that the documentation obligation imposed on the defendant has been complied with

       rested. The only document that was brought up by the defendant regarding a data breach,

       was a notification of another data breach by the defendant to the

       Data Protection Authority dating from the year 2019. From the documents of the file,

       which was put forward at the hearing and the fact that the defendant did not provide documentation of the

       has submitted a data leak, it appears that the defendant also does not comply with the obligation of article 33
       paragraph 5 GDPR, which provides:




        “The controller shall document all breaches related to

        personal data, including the facts of the breach related to

        personal data, the consequences thereof and the corrective measures taken. That



20
  Guidelines for the reporting of personal data breaches under Regulation 2016/679, wp250rev.01,
Working group 29, p.26.
21Idem, p. 30, Decision on the substance 101/2022 - 22/29



        documentation enables the supervisory authority to verify compliance with this article

        to check."




 76. The Disputes Chamber already pointed out in decision 2020/22 that: “the

       accountability applied to data breaches means that in a
       controller with regard to these data breaches not only

       obligation to report this, if necessary, in accordance with Articles 33 and 34 GDPR to the

       supervisory authority and the data subjects, but that the latter must also at all times

       be able to demonstrate that he has taken the necessary measures to be able to comply with these
                   22
       obligation” The Disputes Chamber is of the opinion that this is not the case in this case

       demonstrated.

 77. In a non-exhaustive list that data controllers can take to comply with the

       accountability obligation is referred by the Group29 to, among others, the

       following measures to be taken: implementing and monitoring

       control procedures to ensure that all measures are not only on paper but

       are also implemented and functioning in practice, establishing internal
       procedures, drawing up a written and binding policy regarding

       data protection, developing internal procedures for effective management

       and reporting security breaches.


 78. The Disputes Chamber also refers to a form attached to the Opinion in which
       A similar data breach was reported, namely the telephone number of a

       customer who had switched to another operator. This phone number was incorrectly referred to as

       freely seen and assigned to a new customer. In the form, the defendant asked the question “What?

       is the degree or level of seriousness of the data breach for data subjects at

       assessing the risks to the rights and freedoms of data subjects?”

       answered with “critical” data breach. According to the Disputes Chamber, this clearly shows that

       the defendant also understands the seriousness of such a data breach.




 79. The Disputes Chamber therefore establishes infringements of Article 33 paragraphs 1 and 5 of the GDPR. The
       The Disputes Chamber points out that on behalf of the controller there is a

       obligation to document any data breach, whether it is risky or not, in order to

       to be able to provide information to the GBA. After all, the processing of personal data is

       a core activity of the defendant. In addition, personal data can contain a large degree of






22Decision 22/2020 of 8 May 2020 of the Disputes Chamber, p.12, Decision on the merits 101/2022 - 23/29




       have sensitivity to those involved, partly because they have a regular and systematic
       enable observation. 23


 80. The defendant submits a Data Breach Assessment document with its claim. In this document

       documented the data breach on April 15, 2020, 7 months after the data breach

       took place. The document reads, among other things:



       “The incident gave a third party access to the customer's communication content from a pre-

       paid card for 3.25 days. The third party had no intention of using the data,

       misuse or distribute it. The data was therefore not publicly available on the

       internet.

       The theoretical impact of the infringement is therefore very large, as it concerns the content of the

       communication, and while the likelihood of the breach affecting the
       person is low, the result is an overall very high risk.



       But based on the information received from the data subject, the third party

       shared communication content probably limited to two-step authentication codes and this

       over a period of 3.5 days. These two-step authentication codes cannot be

       used by the third party who does not have access to the data subject's login data.

       The consequences for the data subject are therefore limited and the risk has been adjusted to a low risk.”

 81. It once again appears from the text quoted above that the defendant was indeed aware

       of the fact that there was a “very high risk” in this case, as it concerned content

       of telecommunications. The risk was adjusted back to “low” after the defendant was informed

       found that the shared content was likely limited to two-step authentication codes.

       Since third parties were unable to access the complainant's login details, it was

       level adjusted. As the Disputes Chamber noted earlier, not only the
       applications that require two-step authentication pose a risk to the complainant, but are also

       telephone and SMS traffic was exposed to great risks of, among other things, fraud that

       could have been committed under his name. The Disputes Chamber rules that there is

       was of high risk.





 82. Defendant believes that it has no obligation to complain to the complainant of the data leak
       to notify. Defendant has therefore failed to inform itself after

       to inform the complainant by means of a communication of the award of the

       telephone number conjoined. The Disputes Chamber judges that the notification to the person concerned




23Decision 18/2020 of 28 April 2020 of the Disputes Chamber, Decision on the substance 101/2022 - 24/29




       in this specific case should be omitted in view of the special circumstance of this

       case where the data subject was already aware of the data breach. The Dispute Room

       therefore considers that no infringement of Article 34 GDPR has been established.


 83. The Disputes Chamber refers to the example below which illustrates the importance of the communication of

       a data breach to the data subjects and the competent authority.

       It concerns an example in recently published “GuidelineonExamplesregardingData
                                            24
       Breach Notification” of the EDPB in which the contact center of a telecommunications

       company gets a call from a person who claims to be a customer and requests a change of his

       e-mail address so that the bills will be sent to that new e-mail address from now on

       sent. The caller provides the correct personal data of the customer, after which the invoices

       will be sent to the new e-mail address from now on. When the actual customer calls the

       company to ask why it is no longer receiving invoices, the company realizes that the invoices

       be sent to someone else.

 84. The EDPB considers the following regarding the above example:




       “This case serves as an example on the importance of prior measures. The breach, from a risk

       aspect, presents a high level of risk, as billing data can give information about the data subject's

       private life (e.g.habits, contacts)and could lead to material damage (e.g. stalking, risk to physical

       integrity). The personal data obtained during this attack can also be used in order to facilitate

       account takeover in this organization or exploit further authentication measures in other

       organizations. Considering these risks, the “appropriate” authentication measure should meet a

       high bar, depending on what personal data can be processed as a result of authentication.



       As a result, both a notification to the SA and a communication to the data subject are needed

       from the controller. The prior client validation process is clearly to be refined in light of this case.

       The methods used for authentication were not sufficient. The malicious party was able to

       pretend to be the intended user by the use of publicly available information and information that

       they otherwise had access to. The use of this type of static knowledge-based authentication

       (where the answer does not change, and where the information is not “secret” such as would be
                                                         25
       the case with a password) is not recommended.”


24EDPB Guideline on Examples regarding Data Breach Notification, 01/2021, published at www.edpb.europa.eu.

25EDPB Guideline on Examples regarding Data Breach Notification, 01/2021, p.30
Underlining by the Dispute Chamber


Free translation: This case serves as an example of the importance of taking preliminary measures. The infringement constitutes
high risk from a risk perspective, as billing data can provide information about the private life of the data subject
(e.g. habits, contacts) and can lead to material damage (e.g. stalking, risk to physical integrity). The
personal data obtained in this attack may also be used to prevent account takeover in this organization
or to leverage further authentication measures at other organizations. Given these risks, the
meet the requirements for an 'appropriate' authentication measure and depending on this it can be determined from which personal data
may be processed., Decision on the merits 101/2022 - 25/29




 85. Notification of breaches should be seen as a way of monitoring compliance

       on the protection of personal data. Therefore, according to the

       The Disputes Chamber is in no way a matter of "notification fatigue" as stated by the defendant

       cited. After all, the Group 29 states:

        “Data controllers should remember that reporting a breach to the

        supervisory authority is required, unless the breach is unlikely to pose a risk

        to the rights and freedoms of natural persons. If it is probable that a

        infringement results in a high risk to the rights and freedoms of natural persons,

        natural persons must also be informed. The threshold for communicating a

        infringement to persons is therefore higher than that for reporting an infringement to the

        supervisory authorities, and so not all breaches need to be reported to individuals

        reported, protecting them from unnecessary notification fatigue.” 26



        When a personal data breach occurs or has

        occurred, this may result in material or immaterial damage to natural persons or

        any other economic, physical or social damage to the person concerned

        as a rule, the controller shall submit as soon as it becomes aware of a breach

        connection with personal data with a risk to the rights and freedoms of data subjects,

        the supervisory authority without undue delay and, if possible, within 72 hours

        of the infringement. This allows the supervisory authority to fulfill its duties
        and properly exercise powers, as laid down in the GDPR.





Response to fine form and right of defence




 86. Defendant responded on May 31, 2022 to the intention to impose a

       fine.

 87. The defendant repeats therein that, according to him, the composition of the Disputes Chamber

       irregular, and the procedure as well, since the chairman has remained in office

       notwithstanding the decision of the Market Court. According to the defendant, it has not been proved that





As a result, both a notification to the supervisory authority and a communication to the data subject are required by the
controller. The pre-customer validation process clearly needs to be refined in light of this case. The
methods used for authentication were not sufficient. A malicious person could have impersonated the
intended user by using publicly available information and information to which they otherwise access
had. Using this type of static, knowledge-based authentication (where the answer doesn't change and where the
information is not “secret” as would be the case with a password) is not recommended.”


26Guidelines for the reporting of personal data breaches under Regulation 2016/679, Article Working Party
29, WP25 0.rev.01, Decision on the merits 101/2022 - 26/29



     there was a data breach and the determination of the existence of a data breach is based

     purely on suspicion. No evidence has been provided by the complainant of the existence of a

     data leak. The defendant is of the opinion that he has sufficient technical and organizational

     took measures to prevent an incident such as the one in the present case. Defendant repeatedly argues

     to have complied with the rules of the Electronic Communications Act (WEC) and gives

     are aware that the aforementioned law checks and verify the identity in the context of
     prohibited for commercial purposes. According to the defendant, the migration of a SIM card should

     to be classified as a commercial purpose. Defendant indicates that it is by

     security policy applied to them in a previous decision of the Disputes Chamber as

     was properly regarded. Defendant again points out that there was no question of a

     obligation to report the data breach to the Data Protection Authority as it concerns 1

     data subject, the data breach was short-lived and there would be no sensitive data
     personal data.


88. The defendant does not agree with the finding of the Disputes Chamber that there is

     been of a “disproportionate degree of negligence” as the defendant does everything to it

     to protect personal data as well as possible. In addition, there was no intention
     or ill will on the part of the defendant. The defendant is of the opinion that the intended fine of

     EUR 20,000 is disproportionate to the infringements identified. Imposing a

     According to the defendant, the fine is in stark contract with previous decisions of the

     Dispute chamber in which such cases with 1 person involved and a limited

     social impact would have been shelved. Defendant claims to be a victim of

     a rogue person who managed to obtain the complainant's personal data.
     There is also no mention of previous infringements committed by the defendant. This makes it whole

     imposing a fine of EUR 20,000 is unreasonable. Defendant finds a warning

     more in place. Should the Disputes Chamber nevertheless wish to impose a fine,

     defendant to limit the fine to an amount of EUR 5,000. What

     Concerning the annual figures, the respondent indicates that there is a slight deviation from the annual figures that

     were submitted by the Disputes Chamber in the sanction form; the correct amount is
     EUR 1.3XX.XXX.XXX instead of EUR 1.2XX.XXX.XXX.




89. The Disputes Chamber is of the opinion that all arguments put forward by the defendant in the

     sanction form have already been dealt with in this decision and were taken into account

     taken when determining the administrative fine in accordance with Article 83.2 of the GDPR.

     After all, the Disputes Chamber has explained in the decision that the data breach is due

     negligence on the part of the defendant. According to the Disputes Chamber, the defendant had
     after all, on the basis of the WEC as well as according to internal regulations, the identification data

     must verify to be sure that the person standing at the shop is actually, Decision on the merits 101/2022 - 27/29




      the holder of the phone number was. This was left by the defendant. Moreover, it was omitted
      to report this to the Data Protection Authority. The Dispute Room

      does not share the view of the defendant where it states that there is no evidence to show

      that third parties have taken cognizance of the personal data as a result of which the existence of a

      data breach cannot be proven. As the Disputes Chamber stated under point 63,

      there was a significant chance that the third party had access to (sensitive) personal data of

      complainant; after all, this third party had access to the telephone number for four days.

      It cannot therefore be ruled out that access by that third party to the personal data of

      complainant has taken place.

 90. In this case, it concerns a controller who processes data en masse on a daily basis

      who can and may be expected to have the appropriate technical and organizational

      takes measures to guarantee the protection of personal data. Seen

      For the foregoing, the Disputes Chamber is of the opinion that a fine of EUR 20,000 can be imposed

      classified as a very small fine in proportion to the established infringements and turnover

      which is apparent from the defendant's annual figures.

 91. Finally, the Disputes Chamber points out that it is not under any obligation, nor on the basis

      of the AVG or the WOG, nor on the basis of case law of the Marktenhof, to determine the motivation

      of the present decision prior to the taking of the decision concerned to the

      contradict the opposing parties, the sanction form only serves

      the possibility of opposing the proposed fine.



3. Infringements of the GDPR



 92. The Disputes Chamber considers infringements of the following provisions proven by the defendant:


       a. Article 5.1.f, 5.2, 24 and 32 AVG, in view of the defendant insufficient precautions

           took to prevent the data breach;

       b. Article 33.1 and 33.5 GDPR, as the defendant did not report the data breach
           to the GBA.


 93. The Disputes Chamber considers it appropriate to impose an administrative fine at

      amount of EUR 20,000 (Article 83, paragraph 2 GDPR; Article 100, §1, 13° WOG and Article 101 WOG).

                                                               27
 94. Taking into account Article 83 AVG and the case law of the Marktenhof, the motivation
      Dispute chamber imposing an administrative fine in concrete terms:







27Brussels Court of Appeal (Market Court section), X t. GBA, Judgment 2020/1471 of 19 February 2020. Judgment on the merits 101/2022 - 28/29



       a.) The seriousness of the breach: the Disputes Chamber has established that the data breach is, among other things,

      due to negligence on the part of the defendant. In addition, the defendant failed to

      to report the leak to the Data Protection Authority and to indicate that in this case

      there is no likely high risk to the complainant's rights and obligations

      as a result of which there would be no reporting obligation for the defendant. The fact that in this case it concerns

      telecom data from which precise data about a person's private life can be
      are derived as well as the potential risk of committing fraudulent acts in

      name of that person indicate that there is a serious infringement.



      b.) The duration of the infringement: the infringement lasted four days, which is a significant period of time

      in light of the potential danger indicated above.


      c.) The fine to be imposed is such a deterrent to prevent such infringements in the future

      to prevent. In this context, the Disputes Chamber reiterates that a fine of EUR 20,000

      can be regarded as a very small fine in relation to the established

      infringements and the turnover that appears from the defendant's annual figures.

95. The Disputes Chamber points out that the other criteria of art. 83.2. GDPR not of nature in this case

     are that they lead to an administrative fine other than that imposed by the Disputes Chamber in

     within the framework of this decision.

96. Superfluously, the Disputes Chamber also refers to the guidelines regarding the calculation of

     administrative fines (Guidelines 04/2022 on the calculation of administrative fines under the

     GDPR) which the EDPB published on its website on May 16, 2022, for consultation.

     Since these guidelines are not yet final, the Disputes Chamber has decided to

     not to be taken into account for determining the amount of the fine in the present case

     procedure.

97. In its response to the intention to impose a fine, the defendant objects

     made at the amount of the proposed fine. From this file, according to the

     However, the dispute chamber found that there was carelessness and negligence towards

     protection of the personal data of the data subject. The processing of
     after all, personal data is a core activity of the defendant, which means that it is

     It is of paramount importance that the personal data is processed in accordance with the GDPR.




98. The facts, circumstances and established infringements therefore justify a fine which

     meets the need to have a sufficiently deterrent effect, whereby the

     defendant is sufficiently sanctioned that practices involving such infringements

     would not be repeated., Decision on the merits 101/2022 - 29/29



  99. In view of the importance of transparency with regard to the decision-making of the

        Litigation Chamber, this decision will be published on the website of the

        Data Protection Authority. However, it is not necessary for the

        identifiers of the parties are disclosed directly.






FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


    - pursuant to Article 83 GDPR and Articles 100, 13° and 101 WOG, an administrative

       to impose a fine of EUR 20,000 on the defendant for the infringements of
       Articles 5.1.f, 5.2, 24, 32, 33.1 and 33.5 GDPR.




Against this decision, pursuant to art. 108, § 1WOG, appeal to be lodged within

a period of thirty days, from the notification, to the Marktenhof, with the

Data Protection Authority as Defendant.












 (Get). Hielke Hijmans
 Chairman of the Disputes Chamber