APD/GBA (Belgium) - 105/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=105/2022 |ECLI= |Or...")
 
No edit summary
 
(3 intermediate revisions by 3 users not shown)
Line 73: Line 73:
}}
}}


The Belgian DPA holds that it cannot judge over aspects of data processing what that processing is part of another trial, which has not been decided yet. Judging differently would undermine the independence of the judicial power.  
The Belgian DPA held that it could not establish a breach of professional secrecy pursuant to Article 55(3) GDPR as only a judge was competent to do so. It could not, therefore, find the data obtained from the complainant's criminal record to be unlawfully obtained.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject currently stands trial based on tax fraud. He contests the validity of his personal data and that of his clients used by the controller (Algemene Administratie van de Bijzonde Belastingsinspectie, which is the tax inspection). The controller gathered this personal data by accessing the ongoing criminal case.  
The controller is the Belgian tax authority (Algemene Administratie van de Bijzondere Belastinginspectie). The complainant provides tax advice services. The data subjects are (1) the complainant (hereinafter: Tax Advisor) and its (2) customers (hereinafter: Customers).  


The data subject states that the processing of his clients' data damage his reputation and breaches his clients' confidentiality. Regarding the confidentiality, the data subject claims that they cannot be used for taxation reasons.   
The Tax Advisor was involved in a criminal investigation into tax fraud, forgery of documents, and the use of false documents. The investigation was still pending when the DPA issued the decision.   


The controller states that the documents accessed, on its own, do not fall under the definition of 'filing system' under [[Article 4 GDPR#6|Article 4(6)]].
The controller used the Tax Advisor’s criminal records for an investigation into tax evasion of his Customers. These documents only contained personal data of the Customers. The controller’s notice to the Customers of the investigation contained the Tax Advisor’s personal data (full name; address; data of birth).  


Part of processing took place on 2013, however, this processing was not disputed.
The Tax Advisor issued a complaint with the DPA for unlawful processing of personal data. He stated that it damaged his reputation and breached his clients' confidentiality, which cost him customers.  


=== Holding ===
Regarding the data from his criminal records, the Tax Advisor stated that it did relate to him because (1) he processed it in the context of his independent professional activity and (2) it was obtained from his criminal records. He further argued that customer data is covered by professional secrecy and thus cannot be processed for tax purposes.  
The Gegevensbeschermingsautoriteit (Belgian DPA) holds that it is not competent to rule over any processing that took place before the GDPR became into force, unless a compliant was already submitted, which it was not.  


The DPA holds that anybody can lodge a compliant, but only if they have a sufficient interest of data protection. The purely commercial interest the data subject is pursuing, does not meet this threshold. Additionally, the data subject cannot submit a compliant in name of others (his clients in cause) without the necessary data protection interest and competence of representation. As such, the DPA will not investigate the processing of the clients' data.  
The controller stated that the notice to the Customers, on its own, did not fall under the definition of 'filing system' under [[Article 4 GDPR#6|Article 4(6)]]. Therefore the GDPR was not applicable.


The DPA also holds that all documents used and accessed by the controller are part of the tax file of the data subject used by the court. As such, it is very much a filing system in the sense of [[Article 4 GDPR#6|Article 4(6)]]. However, the DPA holds that it cannot judge over the data processing as they are part of another legal procedure. Judging differently would undermine the independence of the judicial power in line with [[Article 55 GDPR#3|Article 55(3)]].
=== Holding ===
The DPA noted that a complaint by someone other than the data subject can be admissible if they have a sufficient interest (Article 58 WOG). Sufficient interest is present if the complainant's interest in some way relates to the interest of the data subjects (mere commercial interest is not enough). The DPA found that the Tax Advisor's interest was purely commercial and thus, not sufficient.


The DPA states that the controller did not receive the data through a request for information from the data subject, but by accessed the court files. The DPA holds that it cannot judge on the alleged breach of confidentiality. Only when the judge in the current case finds a breach of confidentiality can the DPA test the principles of lawfulness and data minimisation, again in line with [[Article 55 GDPR#3|Article 55(3)]].
The DPA also disregarded the Tax Adviser's argument that the data obtained from his criminal records is covered by professional secrecy. The DPA noted that only the judge on the merits can decide on a breach of professional secrecy. As this did not happen (yet), it cannot examine whether the acquisition of data by the controller was in accordance with the GDPR.


Regarding the controller’s notice to the Customers, the DPA held that, contrary to the controllers argument, the GDPR was applicable. The notice is part of a tax file that is managed by controller, which makes it part of a filing system as described in Article [[Article 4 GDPR#6|Article 4(6)]]. However, the DPA refrained from ruling on the lawfulness of the processing of that data, as they were already the subject of pending legal proceedings as part of the main dispute.


The DPA therefore held that the complaint was inadmissible. 
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''

Latest revision as of 11:00, 6 July 2022

APD/GBA - 105/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 2(1) GDPR
Article 4(1) GDPR
Article 4(6) GDPR
Article 55(3) GDPR
Article 57(1)(a) GDPR
Article 57(1)(f) GDPR
Article 57(1)(v) GDPR
Type: Complaint
Outcome: Rejected
Started: 18.11.2019
Decided: 17.06.2022
Published: 17.06.2022
Fine: n/a
Parties: FOD Financiën
National Case Number/Name: 105/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 105/2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA held that it could not establish a breach of professional secrecy pursuant to Article 55(3) GDPR as only a judge was competent to do so. It could not, therefore, find the data obtained from the complainant's criminal record to be unlawfully obtained.

English Summary

Facts

The controller is the Belgian tax authority (Algemene Administratie van de Bijzondere Belastinginspectie). The complainant provides tax advice services. The data subjects are (1) the complainant (hereinafter: Tax Advisor) and its (2) customers (hereinafter: Customers).

The Tax Advisor was involved in a criminal investigation into tax fraud, forgery of documents, and the use of false documents. The investigation was still pending when the DPA issued the decision.

The controller used the Tax Advisor’s criminal records for an investigation into tax evasion of his Customers. These documents only contained personal data of the Customers. The controller’s notice to the Customers of the investigation contained the Tax Advisor’s personal data (full name; address; data of birth).

The Tax Advisor issued a complaint with the DPA for unlawful processing of personal data. He stated that it damaged his reputation and breached his clients' confidentiality, which cost him customers.

Regarding the data from his criminal records, the Tax Advisor stated that it did relate to him because (1) he processed it in the context of his independent professional activity and (2) it was obtained from his criminal records. He further argued that customer data is covered by professional secrecy and thus cannot be processed for tax purposes.

The controller stated that the notice to the Customers, on its own, did not fall under the definition of 'filing system' under Article 4(6). Therefore the GDPR was not applicable.

Holding

The DPA noted that a complaint by someone other than the data subject can be admissible if they have a sufficient interest (Article 58 WOG). Sufficient interest is present if the complainant's interest in some way relates to the interest of the data subjects (mere commercial interest is not enough). The DPA found that the Tax Advisor's interest was purely commercial and thus, not sufficient.

The DPA also disregarded the Tax Adviser's argument that the data obtained from his criminal records is covered by professional secrecy. The DPA noted that only the judge on the merits can decide on a breach of professional secrecy. As this did not happen (yet), it cannot examine whether the acquisition of data by the controller was in accordance with the GDPR.

Regarding the controller’s notice to the Customers, the DPA held that, contrary to the controllers argument, the GDPR was applicable. The notice is part of a tax file that is managed by controller, which makes it part of a filing system as described in Article Article 4(6). However, the DPA refrained from ruling on the lawfulness of the processing of that data, as they were already the subject of pending legal proceedings as part of the main dispute.

The DPA therefore held that the complaint was inadmissible.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                   1/12







                                                                                   Dispute room



                                               Decision on the merits 105/2022 of 17 June 2022





File number : DOS-2019-05858



Subject : Use of personal data obtained through inspection of the criminal file

at the expense of the complainant for the valuation of the complainant's customers




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                   †
The complainant: Mr X, hereinafter referred to as “the complainant”; †

                                                                                                   †

The defendant: FPS Finance, General Administration of the Special Tax Inspectorate, King

                   Boulevard Albert II 33 box 48, 1030 Brussels, hereinafter referred to as “the defendant”, Decision on the substance 105/2022 - 2/12



I. Facts procedure


    1. On 18 November 2019, the complainant lodged a complaint with the Data Protection Authority against

       the defendant.


       The subject of the complaint concerns the use by the General Administration of the Special

       Tax Inspectorate (hereinafter: AABBI) of data obtained by viewing
       the criminal file charged by the complainant in which, in the context of a search of the house with abandonment and

       network search data would have been copied and taken, including

       personal data of customers of the complainant's companies. The AABBI would

       have used personal data to proceed with valuing those customers, as well as to

       accuse them of fraud.

    2. On March 17, 2020, the complaint is declared admissible by the first-line service on the basis of the

       Articles 58 and 60 of the WOG and the complaint pursuant to Article 62, §1 of the WOG is forwarded to the

       Dispute room.


    3. On August 12, 2020, the Disputes Chamber will decide on the basis of Article 95, §1, 1° and Article 98 WOG
       that the file is ready for treatment on the merits and the parties involved are informed

       made of the provisions as stated in article 95, §2, as well as of these in article 98 WOG.

       they are informed, pursuant to Article 99 of the WOG, of the time limits for their

       to file defences.


       The deadline for receipt of the defendant's statement of defense was thereby set

       laid down on September 25, 2020, this for the conclusion of the complainant's reply on October 16

       2020 and this for the defendant's reply on November 6, 2020.

    4. On August 18, 2020, the complainant electronically accepts all communication regarding the case,

       in accordance with article 98 WOG.


    5. On September 22, 2020, the Disputes Chamber will receive the statement of defense from the
       defendant in which an overview is given of the proceedings previously conducted by the

       complainant with regard to the defendant and the pending proceedings concerning the complainant and

       the complainant's customers. The defendant contests the jurisdiction of the Disputes Chamber both for

       as regards the temporal, as the material scope. In the alternative, the

       the defendant that the processing on his behalf is a correct and permitted data processing

       respecting the principles of effectiveness and proportionality, as well as
       that they are processed within a secure framework and are protected against unauthorized

       access, unauthorized use, loss or unauthorized alteration., Judgment on the merits 105/2022 - 3/12




    6. On 16 October 2020, the Disputes Chamber will receive the statement of reply from the complainant in which

        it is explained that the Disputes Chamber has both temporal and material jurisdiction. According to the

        complainant, the complaint is manifestly well-founded and has the defendant, in carrying out his legal

        mandate as a tax authority, the rules arising from Articles 5.1 a), 5.1 c) and 6. 1 c) not

        complied with. The complainant also once again acknowledges all communication regarding the case

        accept electronically and want to make use of the opportunity to be heard,

        in accordance with article 98 WOG. The complainant also requests an integral copy of the file

        (article 95, §2, 3° WOG).


    7. On November 5, 2020, the Disputes Chamber will receive the statement of reply from the defendant

        in which the argumentation is resumed as set out in the statement of defense.


    8. On 9 February 2022, the parties will be notified that the hearing will take place

        on May 9, 2022.


    9. On 9 May 2022, the parties will be heard by the Disputes Chamber.


    10. The minutes of the hearing will be submitted to the parties on 16 May 2022.


    11. On May 23, 2022, the Disputes Chamber will receive comments from the complainant, which he/she

        requests to be attached to the minutes of the hearing. The Disputes Chamber decides

        to include it in its deliberations.




II. Justification




    I. Jurisdiction of the Dispute Chamber


        a) Collection of personal data from the complainant on 15 May 2013


    12. First of all, the Disputes Chamber emphasizes that it derives its competence from the GDPR, from
                                                  1
        applicable from May 25, 2018 and the law of December 3, 2017 establishing the
                                                                                           2
        Data Protection Authority, also entered into force on 25 May 2018, more specifically








1
 Article 99 GDPR.
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
2
 art. 110 WOG.
This Act shall enter into force on 25 May 2018, with the exception of Chapter III which shall enter into force on the date of publication of this Act
published in the Belgian Official Gazette.

The King may determine a date of entry into force for each provision thereof, with the exception of the provisions of Chapter III
prior to the date stated in the first paragraph., Decision on the merits 105/2022 - 4/12




         Article 4, §1 WOG . With regard to the facts that occurred before that date, i.e. the

         processing of the data provided by the judicial authorities as a result of a

         search of the complainant's house with disembarkation were copied and taken, which took place

         on May 15, 2013, the Disputes Chamber can only establish that it occurred well before the

         application of the GDPR have occurred and a complaint has only been lodged with the


         Data Protection Authority on November 18, 2019, when the GDPR is already fully

         was applicable. It follows from this that the Disputes Chamber is not authorized to decide on the
                                                                       4
         data collection dated 15 May 2013 to judge . The Disputes Chamber can face these facts

         nor declare competent under the transitional provision included in Article 112 WOG, 5

         as the complaint was not pending at the time of the entry into force of the aforementioned

         Law of 3 December 2017. In this regard, the complainant specifies in his reply that his

         complaint does not target the original data processing by the Public Prosecution Service, but does


         the subsequent processing (see below margin numbers 15 et seq.). Because the complainant himself indicates that the

         original data collection by the Public Prosecution Service is not in dispute, constitutes

         this is not a point on which the Disputes Chamber should go further.


     13. For the sake of completeness, the Disputes Chamber adds that the mere fact that the complaint was

         first-line service has been declared admissible, does not imply that the Disputes Chamber

         is authorized to assess the complaint in its entirety. In accordance with Article 60(2) of the WOG

         the Frontline Service only examines the formal admissibility conditions such as

                                            6
         included in this provision. Admittedly, the first-line service also globally assesses the

         competence of the Data Protection Authority, which relates to the complaint in

         its entirety, but this does not alter the fact that the Disputes Chamber itself determines the extent to which it is competent






3
  art. 4. §1. The Data Protection Authority is responsible for supervising compliance with the fundamental principles of the
protection of personal data, within the framework of this law and of the laws containing provisions on the protection of
the processing of personal data.
 Without prejudice to the powers of the Community or Regional Governments, of the Community or Regional Parliaments, of the

United College or of the United Assembly referred to in Article 60 of the special law of January 12, 1989 relating to the
Brussels institutions, the Data Protection Authority exercises this mission on the territory of the entire Kingdom, regardless of
which national law applies to the processing concerned.
4See in that regard: Decision on the merits 19/2020 of 29 April 2020, Decision on the merits 124/2021 of 10 November 2021.

5Art. 112 WOG.

Chapter VI does not apply to complaints or requests pending with the Data Protection Authority at the moment
of the entry into force of this law.
 The complaints or requests referred to in the first paragraph are handled by the Data Protection Authority, as the legal successor of the Commission

for the protection of privacy, further handled according to the procedure applicable before the entry into force
of this law.
6 Art. 60. The frontline service examines whether the complaint or request is admissible.

 A complaint is admissible when:
 - it is drawn up in one of the national languages;

 - contains a statement of the facts and the necessary indications for the identification of the processing to which it relates;

 - it falls under the competence of the Data Protection Authority.
[…], Decision on the substance 105/2022 - 5/12




          can define concretely. Well, for the facts that occurred specifically on May 15th

          2013, the Disputes Chamber is not competent for the reason set out above.


          b)Processing of data obtained by accessing the criminal file and use


          of it in the valuation procedure against clients of the complainant after 25 May 2018


     14. The personal data that are the subject of the present complaint

          personal data that were collected in the context of a judicial investigation into tax

          fraud, tax forgery and use of false documents. Since the processing has

          carried out by a competent authority in the field of criminal law, here in principle

                                                                                                                                  7
          Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 of
                                                                                                                                 8
          application. It follows from Article 9.1 of Directive 2016/680/EU and Recital 34 of this Directive

          that in case the personal data is collected for the purpose of prevention, investigation,

          investigation or prosecution of criminal offences, are passed on to a recipient, in this case

          the defendant, who processes the data in question for purposes other than those of the

          Directive, the GDPR applies to the transmission of personal data. This is done by the


          parties as such are not disputed.


     15. Specific with regard to the defendant's argument that the GDPR does not apply to

          the processing of the data of the companies of the complainant's customers with

          referring to recital 14 of the GDPR, the Disputes Chamber points out that the

          argumentation ignores the definition of the term 'personal data' in Article 4.1) GDPR . 10





7
  Articles 1 and 2 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons in connection with the processing of personal data by competent authorities for the purposes of the prevention,
investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, and concerning the free movement of such
data and repealing Council Framework Decision 2008/977/JHA.
8
 Recital 34 Directive (EU) 2016/680.
The processing of personal data by competent authorities for the purposes of prevention, investigation, detection or

prosecution of criminal offenses or the execution of penalties, including protection against and prevention of dangers
for public security must relate to an operation or set of operations on personal data
or a set of personal data for those purposes, whether or not performed by automated means or otherwise,
such as collecting, recording, organizing, structuring, storing, updating, modifying, retrieving, consulting, using, aligning,
combine, subject to processing restrictions, delete or destroy data. In particular, the provisions of this
Directive should apply to the transmission of personal data for the purposes of this Directive to a

recipient not covered by this Directive. Recipient is understood to mean a natural or legal person, a
public authority, agency or any other body to whom or to which the personal data is lawfully provided by the competent authority
be published. Where the personal data was initially collected by a competent authority for one of the
purposes of this Directive, Regulation (EU) 2016/679 should apply to the transmission of those data for other
purposes other than those of this Directive, if such processing is permitted by Union or Member State law. More specifically to serve
the provisions of Regulation (EU) 2016/679 to apply to the transfer of personal data for purposes not covered by
fall under this Directive. Regulation (EU) 2016/679 should apply to the processing of personal data by a recipient

which is not the competent authority or which does not act as a competent authority within the meaning of this Directive and to whom the personal data
have been lawfully disclosed by a competent authority. When implementing this Directive, Member States should also apply
may further specify the rules of Regulation (EU) 2016/679, provided that the conditions laid down therein are met.
9
 Recital 14 GDPR. The protection afforded by this Regulation applies to natural persons, irrespective of their
nationality or residence, in connection with the processing of their personal data. This Regulation does not concern the
processing of data on legal persons and in particular companies established as legal persons, such as name and legal form
of the legal person and the contact details of the legal person.
10
  Article 4. For the purposes of this Regulation:, Decision on the substance 105/2022 - 6/12




        Submit insofar as data concerning a legal person are so characteristic of the

        identity of a natural person, which makes them identifiable, do concern them

        personal data within the meaning of Article 4.1) GDPR.


    16. The processing involved in the complaint concerns personal data of the complainant's customers

        which are processed by the defendant after 25 May 2018 in the context of instructions from

        tax evasion. Although this processing falls within the scope of the GDPR,

        but it should be emphasized that the personal data of the customers who rely

        on the complainant's services consisting of the provision of tax advice, cannot

        are qualified as personal data concerning the complainant himself. In that vision

        the Disputes Chamber then examines whether there is a sufficient interest in respect of the

        complainant in order to be able to submit a complaint in this regard.

    17. With regard to the interest of the complainant, the Disputes Chamber refers to Article 58 WOG in which

        it is stated that: ”Anyone can submit a complaint or request in writing, dated and signed”

        submit to the Data Protection Authority”. In accordance with Article 60, paragraph 2

        WOG “A complaint is admissible if it:


           - is drawn up in one of the national languages;


           - contains a statement of the facts, as well as the necessary indications for the identification of the

           processing to which it relates;


           - it falls under the competence of the Data Protection Authority”.


    18. The preparatory work of the WOG determines: "The Data Protection Authority"

        can receive complaints or requests from anyone; natural persons but also

        legal persons, associations or institutions that commit an alleged infringement of the Regulation

        wish to sue. A complaint or request to the Data Protection Authority should be

        in writing, dated and signed by the authorized person. A request

        must be interpreted in the broad sense of the word (request for information or explanation, a
        request to mediate, ...)”.











1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); if
identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to a
identifier such as a name, an identification number, location data, an online identifier or of one or more elements that
characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural
person;
†

11par. doc., Chamber of Representatives, 2016-2017, DOC 54 2648/001, p.40 (comment to article 58 of the
original bill)., Decision on the substance 105/2022 - 7/12




    19. The WOG thus does not exclude that a person other than the person concerned or the person designated by the

        the person concerned is authorized, as referred to in Article 220 of the Act of 30 July 2018 on the

        protection of natural persons with regard to the processing of personal data,

        can lodge a complaint with the Authority.


    20. While the GDPR approaches the 'complaint' from the point of view of the data subject, by the

        impose obligations on supervisory authorities when a person makes a complaint (see the

        Articles 57.1., f) and 77 of the GDPR), the GDPR does not prevent national law from persons other than
        provides the person concerned with the opportunity to lodge a complaint with the national supervisory authority.

        The possibility of such a referral is also in accordance with the orders

        assigned to the supervisory authorities by the GDPR. In that regard and in general

        taken, each control authority shall ensure: the monitoring and enforcement of the application of

        the GDPR (Article 57, 1., a) GDPR), and the performance of all other tasks related to the

        protection of personal data (Article 57, 1., v) GDPR) .2


    21. In that regard, the Disputes Chamber rules that Article 58WOG gives every person the opportunity

        to make a complaint, provided that he has a sufficient interest in accordance with

        the aforementioned provisions of the GDPR . 13


    22. The condition is therefore that the complainant demonstrates a sufficient interest. In this regard

        the Disputes Chamber to determine that the complainant merely mentions a commercial interest

        consisting of the loss of confidentiality of the customer data used by the

        defendant for valuation purposes aimed at the customers, with reputational damage on account of the

        resulting in the complainant stating that in certain cases customers have blocked him
        pointed out.


    23. The complainant clearly appears to be pursuing a commercial interest which cannot be considered sufficient

        are considered. After all, the mere pursuit of a commercial interest is not sufficient to

        demonstrate a sufficient interest, this in the absence of any concrete element that can be

        distinct from this self-contained commercial interest, which the complainant would

        may affect the data processing by the defendant with regard to the

        personal data of the clientele. The factual elements of the file do not show that the

        the complainant has a data protection interest that corresponds to the interest

        of the customers against whom a legal dispute procedure is still pending. From the pure

        fact that the data processing by the defendant relates to personal data of

        after all, it does not automatically follow from the complainant's customers that the complainant has ipso facto

        any interest in that data processing by the defendant. Contrary to what the



12
  In the same sentence: Decision on the merits 30/2020 of 8 June 2020
13See in the same sentence: Decision on the merits 80/2020 of 17 September 2020; Decision on the merits 63/2021 of 01 June 2021; Decision
on the merits 117/2021 of October 22, 2021; Decision 49/2022 of 5 April 2022, Decision on the substance 105/2022 - 8/12



    complainant argues, customer data does not in any way become data relating to the complainant

    solely and solely because the customer data is processed by him in the context of his

    independent professional activity and originate from the original file, being the criminal file

    at his own expense. The complainant does not sufficiently demonstrate that there is a question of

    an interest that coincides with the interest of these customers, so that he does not complain on his own initiative

    can submit regarding the data processing relating to the customers. Moreover
    nor does he have any power of representation in this area for the concerned

    customers.


24. In addition,customers specifically mention the complaint, especially the couple

    Z, already reached an agreement with the defendant on 8 May 2020, which led to the investigation into them

    was terminated. In that regard, the Z couple have no complaint themselves regarding possible infringement of
    protection of their personal data.


25. Consequently, the complainant has no interest in doing so, given the

    statement of approval from Mr and Mrs Z and the resulting lack of interest in

    on their behalf to lodge a complaint themselves with regard to the processing of their

    personal data by the defendant.

26. Because the complainant fails to demonstrate the existence of a sufficient interest on his part

    in order to have his complaint handled by the Data Protection Authority, the

    Disputes Chamber to determine the non-conformity with the procedural rules by the

    declaration of admissibility of the complaint and the subsequent handling of the complaint.

27. In view of the fact that the complainant does not demonstrate that he has an interest that is sufficient

    concretely to be able to file a complaint, the Disputes Chamber furthermore finds that the complainant

    also did not have the capacity to file a complaint and that the full

    procedure has therefore been affected by the absence not only of importance, but also of

    capacity on the part of the complainant.

    c) Processing of data concerning the complainant after 25 May 2018


28. The defendant agrees that the surname and first name of the complainant appear in the preceding

    notices of indications of tax evasion and the notice of amendment and

    in addition, his surname, first name, date of birth and address appear in the official reports from

    the criminal file attached to the messages from the defendant.

29. The aforementioned data fall under the notion of personal data as defined in Article 4.1)

    GDPR, which are processed within the meaning of Article 2. 1 GDPR. Not just any whole or in part

    automated data processing falls under the scope of the GDPR, but also

    any processing of personal data that is included in a file or is intended to

    to be included therein. Although the defendant attempts to demonstrate that these data are not, Decision on the merits 105/2022 - 9/12




        be part of a file as defined in Article 4.6) GDPR by stating that the

        notifications extending the investigation period, the requests for information nor the

        neither the notification of change nor the attachments in themselves a structured set of personal data

        forms that are accessible via criteria, the Disputes Chamber must point out that the aforementioned

        documents are not only part of the initial criminal file against the complainant, but also

        are included in full in the valuation file managed by the defendant of which it is established that

        this is structured according to specific criteria, which therefore does constitute a file . 14

        After all, a public service such as the defendant by definition manages several files, whereby

        these files as well as each file in itself must necessarily be


        structured in such a way that they are accessible according to certain criteria. From this follows

        that the GDPR applies to the data processing concerning the complainant.


    30. However, the file containing the documents containing the complainant's personal data

        included, was submitted for assessment by the defendant as being a party to the

        pending tax proceeding in respect of some customers. The processing of the

        The complainant's personal data must be placed in a broader context, to which

        a tax dispute is based and of which the data processing is an integral part.

        After all, the documents submitted by the parties in the proceedings are currently being assessed

        to the court on the merits, which must thus be regarded as controller

        with regard to the file containing all supporting documents sent to him

        regarding the tax dispute between the parties, including the documents with


        personal data concerning the complainant. In that regard, the Disputes Chamber rules that it
                                              15 16
        pursuant to Article 55.3 of the GDPR in conjunction with Article 4, § 2 of the WOG, cannot rule on a

        sub-aspect that, although related to documents in which the personal data of the

        complainant are processed, but that as part of the main dispute is already the subject

        of pending legal proceedings . To judge otherwise would result in the



14Recital 15 GDPR: “In order to avoid a serious risk of circumvention, the protection of natural persons should be

be technology neutral and not dependent on the technologies used. The protection of natural persons should
apply to both automated processing of personal data and manual processing thereof if the personal data
are stored or intended to be stored in a file. Files or a collection of files and their covers, which
are not structured according to specific criteria should not fall within the scope of this Regulation.”
A contrario, files or a collection of files that are structured according to specific criteria, do fall under the

scope of the GDPR.
See also the Judgment of the Council of State no. 91.531 of 11 December 2000 in the case A. 69.056/IX-2103, Dewinter v Belgian State: that,
after all, almost all government documents are the subject of an automated or manual arrangement in "files" - in
the French "fichier" - which refer to it;

15Article 55. 3 GDPR. Supervisory authorities are not competent to supervise processing by courts in the exercise of
their judicial duties.
16
  Article 4, § 2 WOG. The supervision organized by this law does not relate to the processing by the courts and
courts as well as by the public prosecutor in the exercise of their judicial functions.
17See in that sense the judgment of 24 March 2022 CJEU - case C-245/20 against the Dutch Data Protection Authority:

“32. As the Advocate General noted in points 80 and 81 of his Opinion, it is apparent from the wording of recital 20
of Regulation 2016/679 itself, and in particular from the use of the word 'including', which defines the scope of the
of this Regulation to ensure the independence of the judiciary in the execution of its judicial power, Decision on the substance 105/2022 - 10/12



          Litigation Chamber the independence of the judiciary in the exercise of its

                                                                                                                                  18
          would jeopardize judicial tasks, in particular in the area of decision-making .

          It goes without saying that this can by no means be the intention.


          d) Professional secrecy and use of the accounting program


     31. The documents that the defendant has obtained from the criminal file charges against the complainant are according to the

          complainant obtained by the defendant with disregard of the professional secrecy to which the complainant is responsible

          held.


     32. The complainant argues that the customer data is covered by his professional secrecy and thus cannot be

          are processed for valuation purposes with regard to the relevant customers. Based on this

          the complainant relied on the decision of the Council of the Institute of accountants and

          tax consultants (IAB) dated 17 May 2016 stating that: "[…] if the tax

          administration in the event of an audit by a tax or accounting adviser in principle secret

          should discover data that he could avoid to incriminate third parties, he must

          renounce. In principle, this data is covered by professional secrecy and can only be used

          with regard to the taxpayer, being the member of the IAB. The Council continues

          declare that the taxpayer, in this case the complainant, has cooperated with the request for

          cannot refuse information purely because of its professional secrecy, but has the right to do so

          in such a way that the identity of its clientele and the content of its

          protects work. According to the Council, the taxpayer may not fully

          invoke professional secrecy, but after anonymizing the client and the nature of the performance

          does indeed prove the probable nature of the publication, as requested by the

          AABBI, to be delivered.




tasks cannot be limited to guaranteeing judicial independence in the establishment of a specific
court decision.

33. In general, preserving the independence of the judiciary presupposes that the courts
exercise judicial functions completely autonomously, without any hierarchical link and without being subordinate to or from anywhere
receive orders or instructions, and thus be protected from outside interference or pressure that could affect the independence of the
jeopardize the judgment of their members in disputes submitted to them. The respect for the rights under the
Safeguards of independence and impartiality required by Union law presuppose that rules exist which are suitable for
to dispel any legitimate doubt that the institution concerned is not influenced by external factors and
impartial to the interests involved […].

34. The reference in Article 55(3) of Regulation 2016/679 to processing by courts 'in the exercise of their judicial
tasks' should therefore be understood in the context of this Regulation as meaning not only processing of
personal data by courts in the context of concrete cases, but in a broader sense relates to all processing by
courts in the exercise of their judicial activities, so that processing operations subject to supervision by the
supervisory authority can directly or indirectly influence the independence of their members or their decisions, outside the
competence of this authority.”

18Recital 20 GDPR. While this Regulation applies, inter alia, to the activities of courts and other
judicial authorities, Union or Member State law should regulate the processing and processing procedures relating to the
processing of personal data by courts and other judicial authorities can be further specified. The competence
of the supervisory authorities should not extend to the processing of personal data by courts in the context of
their judicial functions, in order to ensure the independence of the judiciary in the exercise of its judicial functions,
including decision-making. It must be possible to entrust the supervision of such data processing to specific
authorities within the judicial system of the Member State, which, in particular, are responsible for ensuring compliance with the rules of this Regulation

ensure that members of the judiciary are made more aware of their obligations under this Regulation, and complaints
with regard to those data processing operations.[Own underlining], Decision on the merits 105/2022 - 11/12




    33. In this regard, the Disputes Chamber notes that the aforementioned decision of the Council of the IAB

       was taken in response to the request of the AABBI under Article 334 WIB to
       assess whether, and to what extent, the inquiry or production of books

       and modesty is compatible with the observance of professional secrecy.


    34. Not only did the complainant refuse to itself provide the AABBI with the information requested,

       provide after anonymization of the client and the nature of the services, but also tries to

       decision of the Council of the IAB about continuing professional secrecy to the intelligence

       obtained by the AABBI by any means other than through the stated inquiry that

       was made to the complainant. It is undisputed that the defendant provided the data relating to the customers
       has not obtained through the request for information made by the defendant to the

       complainant and about which the defendant has obtained the advice of the IAB. The defendant is

       came into possession of information concerning the customers of the bearing through inspection

       of the criminal file on the basis of article 327, 1 WIB to then proceed to an appraisal of the

       concerning customers. The complainant uses the ILO's decision to argue that the

       professional secrecy was violated as a result of which the defendant would be unlawfully in possession

       information concerning the complainant's customers. The Disputes Chamber can only

       establish that the decision of the ILO on professional secrecy only relates to the
       request information from the defendant addressed to the complainant himself. There is no determination

       violation of professional secrecy regarding the way in which the defendant does

       obtained, namely by means of inspection of the criminal file. Since it is not up to the

       Litigation Chamber is due to rule on whether or not the violation of the

       professional secrecy following the inspection of the criminal file (Article 55.3 AVG in conjunction with Article 4,
                 19
       § 2 WOG), it cannot assess whether or not the personal data thus obtained is

       be processed lawfully by the defendant. Only if the judges ground for violation

       of professional secrecy, the Disputes Chamber may in turn decide
       review data collection on behalf of the defendant against the principles of the GDPR regarding

       lawfulness and minimum data processing requested by the complainant.


    35. The complainant further argues that the defendant obtained the customer data from the

       criminal file on the basis of a file created by the complainant himself

       accounting program to use accounting documents - of which the complainant exists

       disputed - to produce on the basis of which the concerned customers are accused of fraud.

       In this regard, the Disputes Chamber notes that the assessment of the evidential value of the
       the data obtained through inspection by the defendant, its reliability and any

       inferences that can be drawn on the basis of that data belong to the






19See margin no. 30., Decision on the substance 105/2022 - 12/12



       main tax dispute and therefore revert to the court on the merits (Article 55, § 3 GDPR in conjunction with

       Article 4, § 2 WOG).


    36. Finally, the Disputes Chamber notes that insofar as the complainant points out that the processing

       of data concerning his wife is targeted, the complainant does not contribute anything

       showing that he has powers of representation in this regard. Consequently

       the Disputes Chamber will not elaborate on this point.



III. Publication of the decision


   37. Given the importance of transparency in the decision-making of the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. It is not necessary, however, that the identification data
       directly from the complainant. However, it follows from the nature of the complaint that ipso

       de facto that the identity of the defendant is known in such a way that it is identified as such

       stated in the decision.




   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decided, after deliberation, to

   of Article 100, §1, 1° WOG, to dismiss the complaint in view of the fact that there is no infringement in this regard

   can be determined on the basis of the GDPR.


   Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a

   period of thirty days, from the notification, to the Marktenhof, with the

   Data Protection Authority as Defendant.










(Get). Hielke Hijmans

Chairman of the Disputes Chamber











20See margin no. 30.