APD/GBA (Belgium) - 124/2021: Difference between revisions

From GDPRhub
(Thank you for the summary! I deleted references to the "litigation chamber" and just replaced them by general references to the Belgian DPA because this is a procedural detail that we usually don't mention. I also made minor corrections (for grammar, syntax).)
No edit summary
Line 50: Line 50:
}}
}}


The Belgian DPA considered that it was competent to review the lawfulness of data processing operations which, although having started before 25 May 2018, had continued after that date, but that it was not competent for one-off or multiple processing operations that only took place before May 25 2018 (i.e. before the application date of the GDPR).
The Belgian DPA considered that it was competent to review the lawfulness of data processing operations which, although having started before 25 May 2018, had continued after that date, but that it was not competent for one-off or multiple processing operations that only took place before 25 May 2018 (i.e. before the application date of the GDPR).


== English Summary ==
== English Summary ==

Revision as of 09:59, 7 December 2021

APD/GBA (Belgium) - 124/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(3) GDPR
Article 13(1)(c) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 10.11.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 124/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 124/2021 (in NL)
Initial Contributor: Matthias Smet

The Belgian DPA considered that it was competent to review the lawfulness of data processing operations which, although having started before 25 May 2018, had continued after that date, but that it was not competent for one-off or multiple processing operations that only took place before 25 May 2018 (i.e. before the application date of the GDPR).

English Summary

Facts

Complainants X1 and X2 filed a complaint against a controller (the Defendant) regarding the disclosure to third parties of personal data concerning tenants of social housing in the context of an asset investigation. According to the Complainants, the Defendant did not have any valid legal basis to disclose such data (i.e. breach of Article 6 GDPR), and had failed to properly inform the Complainants about the processing activity (i.e. breach of Article 13 GDPR).

After these complaints were declared admissible, the Belgian DPA conducted an investigation at the premises of the Defendant. During the investigation, five additional breaches against data protection principles were discovered.

The Defendant stated that the processing it carried out formed part of the legal framework for social housing and that the legal basis for the processing, namely the consent of the Complainants, was expressly included in the Flemish regulations governing the social housing system.

Holding

Dismissal of the complaints

The processing operations in casu all took place before the GDPR became applicable, except for the period that was granted to the Complainants to leave the house. This period expired on 31 October 2021.

In previous decisions, the Belgian DPA had already stated that it can only be competent for data processing operations which, although having started before 25 May 2018, still continued after that date, but not for one-off or multiple processing operations which exclusively took place before 25 May 2018.

On the basis of these considerations, the Belgian DPA considers itself incompetent ratione temporis to review the merits of the complaints, given that the contested processing operations had been carried out before the GDPR had become applicable. Therefore, the Belgian DPA decided to dismiss the Complaints in accordance with the terms of the its dismissal policy.

'Legal obligation' or 'fulfillment of a task in the public interest' as a legal basis

Despite the complaints being dismissed, the Belgian DPA provided guidance on the legal basis of the processing operations. The Belgian DPA stated in particular that if processing operations are carried out because the controller is legally obliged to do so, or because they are necessary for the performance of a task carried out in the public interest, the processing must be based on Union or Member State law. Article 6(3) GDPR specifies that the purpose of the processing must be found in that legal basis. In other words, a legislative standard must normally be sufficiently clear and precise so that the essential characteristics (including the precise purposes) of a processing operation are known when the above legal bases are relied on. The Belgian DPA noted however that, in practice, processing is often carried out on the basis of a general regulatory power, rather than on the basis of detailed provisions specifically allowing for such processing. Therefore, the Belgian DPA considered that when using general legal grounds, a balancing test is necessary between the necessity of the processing and the interests of the data subjects.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                1/12








                                                                                Dispute room



                                       Decision on the merits 124/2021 of 10 November 2021








File number : DOS-2018-05039en DOS-2018-05524



Subject : Sharing of personal data concerning tenants of social housing in the

framework of an asset investigation




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman and Messrs Frank De Smet and Romain Robert;

Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;



has taken the following decision regarding:



The complainants: Mrs and Mr X1, represented by Mr. Özgür Balci (hereinafter: 'complainant 1'), and

                   Mrs. X2, represented by Mr. Özgür Balci (hereinafter "complainant 2"),

                   hereinafter collectively referred to as 'the complainants'.



The defendant: Y, represented by mr. Kris De Sager, hereinafter “the defendant”. Decision on the merits 124/2021 - 2/12




I. Facts procedure



    1. On September 17, 2018 and September 26, 2018, respectively, Complainant 1 and Complainant 2 filed a

        lodge a complaint with the Data Protection Authority against the defendant.

        The object of the complaints concerns the communication to third parties of personal data

        concerning tenants of social housing in the context of an asset survey.


   2. On October 5, 2018 and October 15, 2018 respectively, the complaints will be

        First-line service has been declared admissible on the basis of Articles 58 and 60 WOG and the

        complaints pursuant to art. 62, §1 WOG transferred to the Disputes Chamber. The Dispute Room

        deals with both cases in a single decision as the subject matter of the complaint is fully

        is parallel.


   3. On October 18, 2018, in accordance with art. 96, §1 WOG the request of the Dispute Chamber

        sent to the Inspectorate to carry out an investigation, together with the complaints

        and the inventory of the pieces.


   4. The inspection will be completed by the Inspectorate on 21 October 2019, the report will be

        the file is added and the file is transferred by the Inspector General to the

        Chairman of the Disputes Chamber (art. 91, §1 and §2 WOG).

        The report contains findings with regard to the subject matter of the complaint and concludes that

        defendant:


                    • has not complied with the obligations imposed by Articles 5 and 6 of the GDPR;

                        (Principles on processing of personal data and lawfulness of the

                        processing)



                    • the obligations imposed by Article 12(1) of the GDPR and by Articles 13 and

                        14 of the GDPR;

                        (provision of transparent information, communication and further rules for the

                        exercise of the rights of data subjects, and regarding to provide

                        information)



                    • the obligations imposed by Article 44 of the GDPR and Article 49 of the GDPR

                        has not complied with.

                        (General principle on transfers and on derogations for specific

                        situations)



  5. The report also contains findings outside the subject matter of the complaint and concludes that

        defendant: Judgment on the merits 124/2021 - 3/12




                    • has not complied with the obligations imposed by Article 30(1) of the GDPR;

                         (register of processing activities)



                    • has not complied with the obligations imposed by Article 31 of the GDPR;

                (cooperation with the supervisory authority)



                    • the obligations imposed by Article 37(5) and (7) of the GDPR and Article 38,

                         paragraph 1 of the GDPR has not been complied with.

                (designation of the data protection officer and his position)



  6. In its report, the Inspectorate formulates an additional consideration of the temporal


        application of the GDPR to the aforementioned facts. In this regard, she refers to the fact that the

        Defendant has requested the complainants by letter dated April 11, 2018 for “no later than 31”

        October 2018 […] to leave the house and garage and make it available to Y”. The

        Inspectorate indicates that the GDPR applies to the aforementioned facts, in view of the fact that

        the period to vacate the house and garage expires on October 31, 2018, and thus after the

        become applicable of the GDPR on 25 May 2018 . 1


  7. In addition, the Inspectorate states that the GDPR has already entered into force on 24 May 2016

        pursuant to Article 99(1) of the GDPR, whereby the defendant had already taken the necessary steps

        must take to ensure that the processing of personal data is in accordance with the GDPR

        bring.


  8. On January 14, 2020, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG that it

        file is ready for processing on the merits.


  9. The Disputes Chamber decides on the basis of the report of the Inspectorate to divide the file

        in two separate parts.


  10. On January 14, 2020, the concerned parties will be notified by registered letter of

        the provisions as stated in article 95, §2, as well as those in art. 98 WOG. They will also be

        pursuant to art. 99 WOG of the time limits for submitting their defences.


        With regard to the findings with regard to the subject-matter of the complaint, the

        date for receipt of the statement of reply from the complainants on 28 January 2020 and this before

        the statement of the defendant's reply on February 11, 2020. With regard to the findings

        going beyond the subject of the complaint, the deadline for receipt of the

        statement of defense of the defendant recorded on January 28, 2020.






1
 Article 99(2) of the GDPR Decision on the merits 124/2021 - 4/12



11. At the request of the defendant, the Disputes Chamber decided to exceptionally grant an extension

      of the claim periods. With regard to the findings with regard to the

      subject of the complaint (art. 98, 1° WOG), the time limit for the complainants' conclusion was determined

      on January 31, 2020 and this for the statement of reply of the defendant on February 14, 2020 .

      With regard to the findings that go beyond the object of the complaint, the extreme


      date for receipt of the defendant's claims set at January 31, 2020

12. On January 14, 2020, the defendant requests a copy of the file (art. 95, §2, 3° WOG), which

      it was transferred on January 22, 2020.


13. On 29 January 2020, the complainants lodged their statement of defense in which three pleas were raised:

      quoted:


                  • In the first ground of appeal, the complainants allege an infringement of Articles 5 and 6

                     of the GDPR. Defendant does not justify on what legal basis it

                     communicated the complainants' details to Z. There is no evidence that

                     complainants have consented to the communication of the

                     personal data to Z.


                  • In the second ground of appeal, the complainants allege an infringement of Articles 12, 13 and

                     14 of the GDPR. The information provided on the Defendant's website is not

                     transparent, incoherent and incomprehensible to those involved.

                  • In the third plea, the complainants allege an infringement of Articles 44 and 49

                     of the GDPR. Referring to the Inspection Report, the conditions of

                     Article 49 not complied with.


  14. On January 31, 2020, the Disputes Chamber will receive the statement of defense from the defendant

      with regard to findings outside the subject matter of the complaint. In this she wishes her

      to assert defenses in the file with regard to the findings made by the

      Inspection service was performed outside the scope of the complaint (art. 92.3° WOG) and the infringements that

      it believes it must conclude from these findings.


          • With regard to the findings regarding the register of processing activities,

              defendant that she has in any case always been transparent in all her communication to

              the Inspectorate and that it has complied with all its obligations. Defendant argues that

              the foregoing shows that it is impossible to conclude that it committed an infringement

              against Article 30(1) of the GDPR.


          • Concerning the determination of cooperation with the supervisory authority

              Defendant believes that it never fulfills its obligations under Article of the GDPR

              would have intentionally failed to comply and thus did not infringe Article 31 of the GDPR. Decision on the merits 124/2021 - 5/12



        • What the findings regarding the appointment of the data protection officer

            and its position, the defendant is of the opinion that all requirements are always met, and that

            the professional qualities and expertise in data protection beyond question


            to stand.

    According to the defendant, no infringement was committed with regard to Articles 37 and 38 of the GDPR.


15. On 14 February 2020, the Disputes Chamber received the statement of reply from the

    defendant with regard to the findings within the subject matter of the complaint. In her first

    In its plea, the defendant argues that only acts performed from the date on which the

    AVG regulation applies can withstand the test of the AVG. There would be no actions

    have been made from 25 May 2018 that would be the subject of discussion.


     In its second plea, the defendant states that the obligations imposed by Articles 5 and

     6 were complied with. In this regard, the defendant argues that this is a document issued by the Flemish Government and

     the Flemish Housing Company is a recognized social housing company with as

     specific aim to improve living conditions (of the most deprived and single people)

     by ensuring an adequate supply of social rental or owner-occupied housing. She acts and is

     bound by the legal framework on social rent. Defendant further argues that the

     processing of the personal data must be in accordance with the AVG, but that this processing is

     is based on the consent of the complainants, which is also provided for in the decision of

     the Flemish Government of 12 October 2007 to regulate the social rental system in

     implementation of Title VII of the Flemish Housing Code to regulate the social housing system

     for the implementation of Title VII of the Flemish Housing Code (hereinafter referred to as the "Social Rent Framework Decree")

     . In addition, the defendant refers to Legal Consideration 47 of the GDPR, which states that the

     processing of personal data that are strictly necessary for fraud prevention is also a

     legitimate interest for the controller. Furthermore, the defendant argues that the

     lack of a detailed procedure concerning the control of the

     property condition abroad and the exchanges of this information by no means

     means that information cannot be sought and obtained in any other way.


    With regard to Articles 13 and 14 of the GDPR, the defendant maintains that the GDPR has not yet

    was applicable.


    With regard to the privacy statement, the respondent, referring to its reply letter of 1

    October 2019, that this was established on the advice of its official for

    data protection and that it is still subject to revision and reworking.


    As far as the wording is concerned, the defendant argues that the text is clear and that the abbreviations also

    clear when read in context. Decision on the merits 124/2021 - 6/12




II. Justification


    II.1. Jurisdiction of the Dispute Chamber


   16. On the basis of the information currently available to the Disputes Chamber, and in particular

       on the fact that the contested processing operations were carried out on a date before the applicable

       of the GDPR, the Disputes Chamber considers itself ratione temporis to be incompetent to process this complaint

       to treat and therefore decide to dismiss this on the basis of Article 95, §1, 3° WOG.


  17. In order for the Disputes Chamber to be competent, it is necessary that the GDPR applies to the

       processing of personal data that are the subject of the complaint. According to art. 4, paragraph 2

       GDPR is the processing of personal data: “any operation or set of operations with

       relating to personal data or a set of personal data, whether or not carried out via

       automated procedures, such as collecting, recording, organizing, structuring, storing,

       update or modify, request, consult, use, provide by transmission,

       distribute or otherwise make available, align or combine, shield,

       erasure or destruction of data”.


       The processing operations in this case and their timing can be summarized as follows: the order to

       verification investigation at the Dutch company Z dates from March 7, 2018. The investigation by the

       firm Z was completed and a report was submitted on March 28, 2018. Subsequently, with

       a letter dated 11 April 2018 an end to the lease and the defendants are

       requested to vacate the house and the garage by 31 October 2018 at the latest.


       In the defendant's letter, the complainants are given a period of time to

       to leave the garage. This period ends on October 31, 2018, so after the application of the

       GDPR on 25 May 2018. 2 In its conclusion, the defendant argues that the

       data processing in question took place before May 25, 2018, as a result of which the GDPR

       does not apply in this case. The Inspectorate argues in its report that the GDPR does apply

       is applicable because the aforementioned term expires on October 31, 2018, i.e. after the applicable

       become of the GDPR. Moreover, according to the Inspectorate, the GDPR has already entered into force on 24

       May 2016, pursuant to Article 99(1) of the GDPR, whereby the defendant already has the necessary

       should have taken steps to ensure that the processing operations are in accordance with

       would be with the GDPR.


   18. The Disputes Chamber establishes that the aforementioned processing of personal data has

       occurred before the GDPR came into effect on May 25, 2018. Although the deadline

       which was granted to the complainants to vacate the home and garage does indeed expire on 31

       October 2021, the processing operations that are the subject of this case have not

       occurred during this period. The Disputes Chamber is therefore not authorized to take cognizance of



2
 Article 99(2) GDPR Decision on the merits 124/2021 - 7/12




        to take. The Disputes Chamber finds the legal basis of its competence in the law of 3


        December 2017 establishing the Data Protection Authority (WOG) whose

        entry into force was established, subject to exceptions, on 25 May 2018 (Article 110 of the

        WOG). Although the Disputes Chamber is competent for data processing that, although before 25

        May 2018 but still continuing after that, she is not authorized for one-off

        processing operations that would have taken place before 25 May 2018 or multiple processing operations

                                            4
        the before May 25, 2018. The Disputes Chamber cannot determine that after 25 May 2018

        processing operations to which this case relates have taken place.

                                                                                           5
   19. In view of the foregoing, the Dispute Chamber proceeds to a technical dismissal through which this

        complaint is not followed up further as there is no infringement of the GDPR.


    II.2. Legislative framework : Relationship between the processing of personal data and the

          admission requirements in the context of social rent



   20. For the sake of completeness, the Disputes Chamber wishes to draw attention to the broader issue


        related to the complaint, namely the processing of personal data in function of the

        control of the registration and admission conditions in the context of social rent.


   21. In this context, the Disputes Chamber first of all points out that pursuant to Article 13.1c) of the GDPR, the

        controller already when collecting personal data concerning a

        data subject, this data subject must inform about, among other things, the processing purposes

                                                                                                           6
        for which the personal data is intended, as well as the legal basis of the processing. The

        The controller must therefore establish the legal basis for the processing prior to the processing

        transparent manner. No cascade system is possible in determining the

        applicable legal basis for the processing, where the controller

        designates alternative legal bases, as each legal base has different obligations


        associated with the controller.


   22. At the time of the facts in question, the registration and admission requirements in the

        framework of social rent determined by the Social Rent Framework Decree. Article 3, 1 of the Framework Decision

        states that a natural person can be registered in the register referred to in Article 7, if he

        meets several conditions, including the following:


         ”3° [the (prospect) tenant], together with his family members, has no house or plot that



3
  See point 3.1.A.4 of the Disputes Chamber's Dismissal Policy, published on its website on June 16, 2021,
(https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf).
4Decision on the merits 19/2020 of 29 April 2020 (https://www.dataprotectionauthority.be/publications/besluit-ten-

ground no.-19-2020.pdf)
5 See point 3.1.A4 of the Disputes Chamber's Dismissal Policy, published on its website on June 16, 2021,
(https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf).

6See art. 13, 1 c of the GDPR.
7
 “Each landlord keeps a register in which, according to the order in which the application for registration is submitted, the candidate
tenants are registered, stating any priority rules […]” (Art. 7 of the Social Rent Framework Decree) Decision on the merits 124/2021 - 8/12




        is intended for residential construction wholly in full ownership or wholly in usufruct in domestic or

        abroad, unless it concerns a camping stay located in the Flemish Region”


   23. Pursuant to Article 52, §1 of the Framework Decree, the tenant gives the landlord, by means of his application

        to registration in the register, his registration as a prospective tenant or his tenantship, the


        permission to submit to the competent authorities and institutions and to the local authorities the

        necessary documents or information regarding the conditions laid down in this decree and

        to obtain obligations. These competent authorities and institutions are in§2 of the same

        article listed in a non-exhaustive manner as follows 9:


                1° the National Register of Natural Persons, mentioned in the law of 8 August 1983

               arranging a national register of natural persons;


               2° the social security institutions, mentioned in Articles 1 and 2, first paragraph, 2°, of the law

               of 15 January 1990 establishing and organizing a Crossroads Bank for the


               Social Security and the persons to whom the social security network with

               application of Article 18 of the same law was extended;


               3° the Federal Public Service Finance;


               4° the Civic Integration Crossroads Bank;

               5° the Houses of Dutch;


               6° the reception offices;


               7° the Flemish E-government coordination cell;


               8° the organizations and institutions referred to in Article 4, first paragraph, including the

               policy area Education and Training of the Flemish Community.


   24. These sources can be easily consulted for real estate properties in Belgium.

        However, investigations into real estate in EU countries or non-EU countries are less




8
 art. 52.§1.: The reference person gives the landlord, by means of his application for registration in the register, his registration as
prospective tenant or his tenantship, the permission to apply to the competent authorities and institutions and to the local authorities
administer the necessary documents or data regarding the conditions and obligations set out in this Decree
obtain, while preserving the application of the provisions of the law of December 8, 1992 on the protection of the
privacy in relation to the processing of personal data, its implementing decrees and any other provision

for the protection of privacy, established by or pursuant to a law, decree or decision.
9Art. 52.§2: For the implementation of the provisions of this Decree, the lessor relies on information provided by the competent authorities
governments or institutions or other landlords can deliver it electronically. If in this way no or insufficient
data are obtained, the candidate-tenant or tenant is requested to provide the necessary data.

information from the competent authorities or institutions or other landlords shows that the prospective tenant or tenant does not or does not
more meets the conditions and obligations of this Decree, this determination will be communicated to the prospective tenant or
tenant who can respond within one week after the notification. Among the competent authorities and institutions, mentioned in §1 and §2,
first paragraph, includes :1° the National Register of Natural Persons, mentioned in the law of 8 August 1983
arranging a national register of natural persons; 2° the social security institutions referred to in Articles 1 and 2,
first paragraph, 2°, of the law of 15 January 1990 establishing and organizing a Crossroads Bank for Social Security

and the persons to whom the social security network was extended under Article 18 of the same law; 3° the
Federal Public Service Finance;4°the Crossroads Bank for Civic Integration;5°the Houses of Dutch;6°the reception offices;7°de
Flemish E-government coordination cell;8° the organizations and the institutions referred to in Article 4, first paragraph, including the
policy area Education and Training of the Flemish Community. Decision on the merits 124/2021 - 9/12




        naturally. The defendant notes that no procedure with regard to investigations in

        non-EU countries was available at the time of the facts, but that this does not exclude the possibility that there

        can be called upon to private investigative agencies to comply with the obligation to check with


        with regard to the aforementioned condition of ownership.

   25. The Social Rent Framework Decree was repealed by the Decree of the Flemish Government of 11


        September 2020 to implement the Flemish Housing Codex. The aforementioned article 52, §§1 and 2

        of the Social Rent Framework Decree has been incorporated in full in Article 5.246, §1 of the

        the aforementioned decision of the Flemish Government of 11 September 2020. Social landlords can

        therefore still conducting research via the same non-exhaustive sources listed above

        to real estate. To address the lack of an effective

        procedure for investigations into foreign real estate, the Flemish


        The Social Housing Company (hereinafter: “VMSW”) has concluded a framework agreement with

        private investigative agencies specializing in real estate investigations in

        Abroad. Social landlords can call on these research bureaus when

        there is a risk of the presence of foreign immovable property at their (candidate)

        tenants.


   26. In its claims, the defendant refers to the fact that it has received a letter from the Flemish Government and

        Flemish Housing Company is a recognized housing company whose aim is to

        rental or sale of social housing the housing conditions of the person in need of housing

        improve families and singles, especially the most deprived families and


        single persons, by ensuring an adequate supply of social housing or social housing

        owner-occupied houses. It does this, among other things, by checking the registration conditions (such as:

        set out above).


   27. If the processing is carried out because the controller is legally required to do so

        mandatory10 or if the processing is necessary for the fulfillment of a task of general

        interest or for a task in the exercise of public authority, the 1

        processing has a basis in Union or Member State law. 12


    28. However, in accordance with Article 6.3 of the GDPR, “the purpose of the processing must be that legal basis”

        [to be] determined whether in relation to the processing referred to in point (e) of paragraph 1 is necessary


        [to be] for the performance of a task in the public interest or for the exercise of

        public authority conferred on the controller”. Furthermore, according to article

        6.3 GDPR, the legal basis also includes “specific provisions to regulate the application of the rules”

        of this Regulation, including the general conditions on the





10Art. 6, 1, (c) of the GDPR.
11
 art. 6, 1, (e) of the GDPR
12Art. 6.3 of the AVG. Decision on the merits 124/2021 - 10/12



       lawfulness of processing by the controller; the types processed


       data; The involved; the entities to which and the purposes for which the

       personal data may be provided; the target limitation; the storage periods; and the

       processing activities and procedures (…)”.

   29. The Disputes Chamber points out in this regard that, in accordance with the aforementioned Article 6.3 of the GDPR,

       read in conjunction with Article 22 of the Constitution and in the light of Articles 7 and 8 of

       the European Charter of Fundamental Rights, a legislative standard defines the essential features of a


       must record data processing that is necessary for the performance of a task of

       public interest or for the exercise of official authority vested in the
                                                    13
       controller is entrusted. The Disputes Chamber emphasizes that the parties involved

       processing should be framed by a standard that is sufficiently clear and precise

       the application of which is foreseeable to the persons concerned. In accordance with article 6.3

       GDPR, the precise purpose(s) of the processing should be specified in the legal standard itself

       included. Furthermore, the following elements must be foreseeable: the identity of the

       controller(s), the categories of data processed, on the understanding that

       they must be in accordance with Article 5.1 of the GDPR, "adequate, relevant and

       limited to what is necessary for the purposes for which they are processed", the

       categories of data subjects whose data will be processed, the retention period of

       the data, the recipients or categories of recipients to whom their data is sent

       communicated, the circumstances in which and the reasons for which they will be communicated

       and any limitation of the obligations and/or rights referred to in Articles 5, 12 to

       with 22 and 34 GDPR.


   30. The Disputes Chamber points out in this regard, however, that tasks of general interest or public

       authority with which controllers are entrusted are often not based on

       precisely defined obligations or legislative standards that meet the requirements stated

       under marginal 28, in particular the recording of the essential characteristics of the

       data processing. Rather, processing takes place on the basis of a more general

       authorization to act as is necessary for the performance of the task. This leads to

       the relevant legal basis in practice often no concretely defined provisions

       contains about the necessary data processing. Data controllers who on

       If you wish to invoke Article 6.1 e) GDPR on such a legal basis, you must then

       make a trade-off between the necessity of the processing for the task of general

       interests and the interests of those involved.







13See also the advice of the Knowledge Center of the GBA 36/2020, 42/2020, 44/2020, 46/2020, 52/2020 and 64/2020
(https://www.dataprotectionauthority.be/burger/zoeken?q=&search_category%5B%5D=taxonomy%3Apublications&sear

ch_type%5B%5D=advice&s=recent&l=25) Decision on the merits 124/2021 - 11/12




   31. The defendant also refers to Legal Consideration 47 of the GDPR which states that the

        processing of personal data that are strictly necessary for fraud prevention also a

        legitimate interest for the controller. The Disputes Chamber points out that

        the legal basis 'legitimate interest' as provided for in Article 6.1, f) of the GDPR does not apply

        applies to processing by bodies with a public law function in the context of

        the performance of their duties.14


   32. Finally, the defendant argues that the processing in question is based on the

        consent of the complainants and that the processing is therefore lawful under Article 6, 1, a)

        of the GDPR. This consent would result from the signing of a declaration of honor

        in which the tenant confirms that he does not own immovable property. More specifically, it mentions

        statement, which was prepared by the VMSW, the following:


        This declaration on honor serves to verify whether the imposed property value has been met

        met. The declaration made will be checked with the competent government department.


   33. The Disputes Chamber states that although consent may constitute a lawful ground for processing,

        as stipulated in Article 6, 1, a) of the GDPR, but adds that at the time

        processing is based on the consent of the data subject, there are several conditions

        this permission applies. Consent must be freely given, specific and

        informed and finally unambiguous.15In this context, Recital 43 of the

        GDPR states that there is no free consent in the case of a clear


        disproportion between the parties or if the failure to give consent to the data subjects

        obvious disadvantage. In this case there is a clear mismatch between the person concerned

        and the social housing company with a specific status under public law as

        controller. Moreover, the (candidate) social tenant does not have the

        actual choice to refuse without negative consequences to the refusal

        be connected. After all, in the event of refusal, he is no longer eligible for social security benefits

        home. The Disputes Chamber emphasizes that a legally required consent is not a lawful

        processing ground in accordance with Article 6(1)(a) of the GDPR as it is not free

        may have been given by the person concerned.


   34. In view of the above, the Disputes Chamber determines that the consent does not

        may constitute a legal ground for the present processing operations


   35. In this decision, the Disputes Chamber limits itself to these general considerations about the

        legal basis. The Disputes Chamber has observed these social problems and

        will investigate further when further proceedings in this regard are brought before it

        turn into.




14Recital 47 of the GDPR.
15EDPB Guidelines 05/2020 on consent underRegulation 2016/679, p. 7-8. Decision on the merits 124/2021 - 12/12




III. Publication of the decision



   36. Given the importance of transparency in the decision-making of the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. It is not necessary, however, that the identification data

       of the parties be made public directly.



   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decided, after deliberation, to

   of Article 100, §1, 1° WOG to dismiss the present complaint.



   Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a

   period of thirty days, from the notification, to the Marktenhof, with the

   Data Protection Authority as Defendant.












(get). Hielke Hijmans

Chairman of the Disputes Chamber