APD/GBA (Belgium) - 141/2021: Difference between revisions

From GDPRhub


=== Facts ===
The data subject filed a complaint against a bank regarding a violation of their right to rectification. The DPA launched an investigation which over time broadened its scope to the role of the bank's DPO. The investigation revealed a possible conflict of interest, since the DPO held a number of other functions, including heading the bank's Operational Risk Management, its Information Risk Management department and its Special Investigation Unit.

The bank argued that the head of these services did not have decision-making power to determine the purposes and means of the processing of personal data, but a purely advisory and supervisory role.


=== Holding ===
The Belgian DPA rejected the bank's argument, holding that the role was not 'purely advisory and supervisory'. In particular, the DPA held that the DPO could still determine the means and purposes of the processing of personal data. This was further evidenced by the bank's Record of Processing Activities, which listed a substantial number of categories of personal data processed by these departments.

Thus, because the DPO held final responsibility over the referenced departments, the DPA held that there was a conflict of interest, in breach of [[Article 38 GDPR#6|Article 38(6)]] GDPR.

As a result, the DPA fined the bank €75,000 for violating [[Article 38 GDPR#6|Article 38(6) GDPR]].


== Comment ==


<pre>
<pre>
 
1/26
Litigation Chamber
Decision on the merits 141/2021 of 16 December 2021
File reference: DOS-2020-03763
Subject: The exercise of data subjects' rights in relation to a bank's information systems
The Litigation Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Frank De Smet;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG;
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as the WOG;
Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
has adopted the following decision concerning:
The defendant: the bank Y, represented by Mr. Erik Valgaeren and Mr. Carolien Michielsen, hereinafter referred to as 'the defendant'.
...
I. Facts and Procedure
A. Investigation by the Inspectorate
1. On 22 April 2020, the Executive Committee of the Data Protection Authority (hereinafter referred to as the GBA) decided to bring a case before the Inspectorate of the GBA on the basis of Article 63, 1° WOG. Following decision No. 01/2019 taken by the Litigation Chamber on 15 May 2019 and the subsequent judgment of the Markets Court of 9 October 2019, the Executive Committee indeed found that there were serious indications of practices that could give rise to breaches of the fundamental principles of personal data protection. The Executive Committee has therefore referred the matter to the Inspectorate with the request to conduct an investigation into the extent to which the defendant's information systems enable the exercise of the rights of the data subject, in particular the right to rectification (Article 16 AVG). This means that the Inspectorate has been tasked with verifying whether the defendant's information systems are in line with the requirements of the AVG with regard to the exercise of the rights which each data subject¹ has in his capacity as a client of the defendant.
2. The Inspectorate transmitted its report dated 23 March 2021 to the Litigation Chamber on the basis of Article 91, §2 WOG, as a result of which the Litigation Chamber was seized pursuant to Article 92, 3° WOG.
B. Procedure before the Litigation Chamber
3. On 6 April 2021 the Litigation Chamber decided, pursuant to art. 95, §1, 1° and art. 98 WOG, that the case was ready for treatment on the merits.
4. On the same day the defendant is informed by registered mail of this decision, as well as of the inspection report and the inventory of the documents of the file that has been submitted to the Litigation Chamber by the Inspectorate. The defendant is also informed of the provisions mentioned in art. 98 WOG and is informed, pursuant to art. 99 WOG, of the time limit to submit its defence. The deadline for receipt of the defendant's statement of defence was set at 28 May 2021.
5. On 10 May 2021 the defendant asks for a copy of the case file (art. 95, §2, 3° WOG), which is sent on 12 May 2021. In addition, the defendant electronically accepts all communication relating to the case and has indicated that it wishes to avail itself of the possibility to be heard, in accordance with Article 98 WOG.
¹ Decision No. 01/2019 of 15 May 2019, on the other hand, concerns only the safeguarding of the rights of one specific complainant whose personal data are processed by the defendant, as the Litigation Chamber was only seized for that processing in the complaint.
6. On 28 May 2021 the Litigation Chamber received the defendant's statement of defence, in which it is requested, in the main order, to find that there is no violation of Articles 5.1(c), (d) and (f), 5.2, 12, 16, 24, 25, 30.1, 31, 32, 38.3 and 38.6 AVG, and, in the secondary order, to take into account the mitigating circumstances when imposing a sanction.
7. On 14 July 2021, the defendant is informed that the hearing will take place on 30 September 2021.
8. On 30 September 2021 the defendant is heard by the Litigation Chamber and thus has the opportunity to present its arguments. The Litigation Chamber decides to continue the proceedings in order to give the defendant the opportunity, after 15 November 2021, the date on which the introduction of diacritical marks in names and forenames in its applications is planned, to come and explain the new computer system. A new hearing will be scheduled for shortly after that date.
9. On 1 October 2021, the defendant is notified that the hearing in continuation of the case will take place on 22 November 2021.
10. On 12 October 2021, the minutes of the hearing held on 30 September 2021 are submitted to the defendant in accordance with Article 54 of the Rules of Internal Procedure of the GBA. The defendant is hereby given the opportunity to have any comments it may have on the minutes added as an annex to the record.
11. On 19 October 2021 the Litigation Chamber receives some remarks from the defendant with regard to the minutes and to the hearing scheduled for 22 November 2021.
12. On 22 November 2021, the defendant is heard by the Litigation Chamber and explains the implementation of the introduction of diacritical marks in the names and first names in its applications.
13. On 23 November 2021, the minutes of the hearing held on 22 November 2021 are submitted to the defendant in accordance with Article 54 of the Rules of Internal Procedure of the GBA. The defendant is hereby given the opportunity to have any comments it may have added as an annex to the record, without this constituting a reopening of the debates.
14. On 23 November 2021, the Litigation Chamber notified the defendant of its intention to impose an administrative fine, as well as the amount thereof, in order to give the defendant the opportunity to defend itself before the penalty is actually imposed.
15. On 29 November 2021, the Litigation Chamber receives the comments on the minutes of the hearing that took place on 22 November 2021, which the Litigation Chamber includes in its deliberations.
16. On 14 December 2021 the Litigation Chamber receives the defendant's response to the intention to impose an administrative fine as well as the amount thereof. The defendant submits that a number of mitigating circumstances set out in the conclusion for Y Belgium and at the hearing do not appear to have been taken into account by the Litigation Chamber, as they do not appear in the penalty form, and that the proposed fine would be disproportionately high in relation to decision on the merits no. 18/2020 of 28 April 2020 for an identical infringement.
II. Reasons
17. Hereafter, the Litigation Chamber assesses each of the findings included in the report of the Inspectorate in the light of the pleas put forward in that regard by the defendant.
(a) Principle of accuracy (Article 5.1(d) AVG), accountability (Article 5.2 AVG), transparent information, communication and detailed arrangements for exercising the rights of the data subject (Article 12 AVG), right to rectification (Article 16 AVG), data protection by design and by default (Article 25 AVG) and the duty to cooperate (Article 31 AVG)
18. The first element to be examined by the Inspectorate concerns the assessment of the extent to which the defendant has made the necessary adjustments in order to process diacritical marks in its ICT systems.
19. The Inspectorate finds that the defendant is unable to provide a clear and systemic picture in terms of the time horizon for the implementation of diacritical marks in the current ICT system (applications + mainframe) and of possible first results showing the efforts made. Furthermore, the Inspectorate also states that the defendant remains stuck in the 'exploratory phase' of preliminary studies and discussions without wanting to achieve concrete goals and results.
20. The Inspectorate concludes that the defendant is in breach of Articles 5.1(d), 5.2, 12, 16, 25 and 31 AVG because the defendant is not willing or able to present a concrete time horizon with concrete results, nor is it willing or able to demonstrate systemic changes that would have a positive impact on the initial request of the data subject. According to the Inspectorate, the situation since the decision taken by the Litigation Chamber on 15 May 2019 has - subject to the carrying out of some preliminary study work (feasibility) - not changed and has therefore not improved.
21. The Inspectorate makes the following considerations in this regard:
o The defendant has IT applications and database systems (some 150), including the central customer system, which is a mainframe system that was put into use in 1995. That central customer system supports only EBCDIC ('extended binary coded decimal interchange code'). Although diacritical marks have since been added to the EBCDIC table, the defendant did not make any changes to the central customer system. In 2020, the defendant is still using an IT system dating back to 1995 and does not appear to be able to implement the right of rectification.
o With regard to the number of underlying applications that interact with the central customer system and which need to be changed due to the introduction of diacritical marks, the Inspectorate notes that the defendant in the initial letter dated 6 November 2019 lists 150 applications and is only able to deliver a list that corresponds to the exact number as stated on 6 November 2019, supplemented by the correct systemic naming and the filtering out of double counting. The Inspectorate notes in this regard that the defendant often replied that the analysis was 'not yet complete', which is strange given the number of months of lead time, the number of staff, and the financial resources and capabilities of the defendant.
o With regard to the large and very old systems for which the defendant on 6 November 2019 states that a lead time of 18 months is expected for their adaptation, the Inspectorate notes that the defendant does not issue a list describing and specifically naming those systems until 2 November 2020.
o By examining the 'change management' and the plan of approach for proceeding with the implementation of the technical proposals, the Inspectorate attempts to gain insight into the development process and the way in which implementations are carried out at the defendant. The Inspectorate notes that on 16 September 2020 the defendant states that the changes that need to be made in view of the introduction of accented letters will be made according to the AGILE principle, which means that the defendant will resolve the restriction on accented letters in small, manageable steps.
On 12 October 2020, the defendant reports that it has taken initiatives to include diacritical marks in the central customer system, that a 4-phase approach is being followed and that at that time phases 1 and 2 are being processed:
1) analysis of all systems and applications potentially affected;
2) adaptation of these systems in the test environment and testing them separately for the processing of diacritical marks;
3) performing chain tests to ensure the consistency of the applications;
4) actually implementing the changes.
On 2 November 2020, the defendant documents how AGILE was translated into its organisation and provides information about the feasibility study in the form of two diagrams of the testing approach.
The Inspectorate concludes that it is strange that little structured and umbrella information is available to follow up on this change overall. Apart from general information about the AGILE approach and the pre-study phase, the defendant is unable to provide any information that demonstrates any progress or concrete results that could have a positive impact on the data subject and the exercise of his rights.
o Following the examination of the technical design, the inspection report contains the technical figures with regard to the architectural design, whereby the defendant indicates whether, and if so to what extent, changes can have an impact on each of the components, both for the central customer system and the supporting and underlying technologies (middleware, the mainframe Z applications, the non-mainframe Z applications) and for the channels and front-end applications.
Articles 5.1(d), 12 and 16 AVG
22. The defendant submits that Articles 5.1(d), 12 and 16 AVG are complied with and argues as follows:
- The exercise of the data subject's rights is facilitated in accordance with Article 12 AVG by allowing customers to modify their data themselves via the internet banking applications, or to have them changed by employees in the front office. The Privacy Statement also provides the necessary contact details for exercising the right to rectification. In addition, there is also an internal guide and documentation of the procedures for exercising the rights of data subjects. Furthermore, the necessary processes have been implemented to adequately handle requests to exercise rights.
- The right to rectification (Article 16 AVG) is respected for all requests for adjustment or rectification. The impossibility for the defendant to comply with a request for rectification is limited to the processing of diacritical marks in a name.
- The implementation of a complex IT project involving adjustments to many systems, which requires a great deal of time and investment in order to be able to satisfy an absolute minority of rectification requests, cannot, in the opinion of the defendant, be regarded as a reasonable measure within the meaning of Article 5.1(d) AVG.
- The defendant cites that the judgment of the Markets Court of 9 October 2019 is still pending before the Court of Cassation and that, pending that judgment, it cannot simply be claimed that Articles 5.1(d), 12 and 16 AVG are not complied with because of the lack of display of diacritical marks.
23. The defendant's conclusion states that it was initially foreseen to implement diacritical marks in its ICT systems as part of the UNITE ICT project already underway in 2019 within the Y Group, which aimed to upgrade the systems and applications of the Y entities in Belgium and those of the Y entities in the Netherlands, but that the UNITE project proved to be too ambitious, with the result that in 2020 the defendant had to carry out the necessary technical system changes under separate management, i.e. without Y Netherlands. On the basis of this statement, the Litigation Chamber finds that there was an intention to implement diacritical marks in the defendant's applications, but that this did not take place due to the difficulties the defendant encountered within the UNITE project. The defendant now concludes that the inclusion of diacritical marks in the applications would exceed the bounds of reasonableness, whereas Article 5.1(d) AVG merely requires the defendant to take every reasonable step to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
24. Based on the inspection report, the Litigation Chamber notes that the central customer system, which is at the core of the bank in that customer data are stored centrally and retrieved from there by adjoining systems, is a mainframe system that was brought into use in 1995. Although diacritical marks were added to the EBCDIC table, no changes were made by the defendant to the central customer system which supports EBCDIC. This means that the defendant did not make use of this opportunity to adapt its system.
25. Although the reasonableness of the implementation of this measure is disputed by the defendant, the Litigation Chamber is of the opinion that it is part of the normal expectations of a customer whose personal data are processed in the context of his financial relationship with the bank that his name is correctly displayed, precisely in view of the importance of the correctness of data in the provision of financial services and the supply of financial products. The Litigation Chamber also refers in this regard to the judgment of the Markets Court of 9 October 2019, which states that a correctly operating banking institution may be expected to have a computer programme that meets current standards, to which the above-mentioned right to the correct spelling of the name may be added. The Court adds that the right to rectification is a fundamental right². It therefore appears reasonable for the bank to use the measures at its disposal to process customers' names with diacritical marks and thus to adapt the mainframe system in use since 1995 to current possibilities. With regard to the defendant's argument that such adaptation would require not only its central customer system but also the underlying or adjacent systems to be adapted, which would require significant time and investment and cannot be considered reasonable, the Litigation Chamber observes that this is generally inherent in any fundamental change of systems, which is all the more true in the case of old systems such as the one at issue here. The need to devote time to and invest in appropriately adapted IT systems in order to be able to process diacritical marks is not, contrary to what the defendant maintains, limited to an absolute minority of requests for correction, but is necessary in the interests of every customer whose name contains diacritical marks. Indeed, the starting point should be that the defendant, like any data controller, makes every effort to process correct data and does not adopt a 'wait and see' approach, i.e. take action only following a customer's request for the amendment of his name.
26. The Litigation Chamber is therefore of the opinion that the defendant's inability to correct, to date, the name of customers requesting the display of diacritical marks in their name constitutes an infringement of Article 5.1(d) AVG. It also constitutes an infringement of Article 16 AVG, since the defendant is not in a position to fully respect the right to rectification. The defendant submits that all requests for rectification or correction are implemented, except for the request to adapt diacritical marks. This leads the Litigation Chamber to conclude that the defendant has not complied with every exercise of the right to rectification. The right of rectification must, however, be respected in all its facets.
27. However, in determining the sanction for these breaches, the Litigation Chamber takes into account the defendant's undertaking to implement all the necessary changes by 15 November 2021 in order to be able to reproduce the diacritical marks in names and first names in its applications. In this obligation of result, two caveats are made by the defendant, of which the Litigation Chamber takes note:
1° In accordance with the globally applicable industry standard, bank cards do not bear diacritical marks. If the defendant were to do so, this could lead to problems in the use of the bank card, both online and offline. Also with regard to electronic payment transactions (SEPA), all Belgian banks have jointly decided to limit themselves to the standard character set without diacritical marks.
2° The display of diacritical marks on printed statements of credit cards will only be available at a later date.
During the hearing of 22 November 2021, the defendant demonstrated by means of a presentation that the necessary steps had been taken to incorporate the diacritical marks in the customers' names, allowing the Litigation Chamber to conclude that there has been progress in this respect. Specifically with regard to the complainant in Decision 01/2019 of 15 May 2019, the defendant also demonstrates that the diacritical mark is processed in his name.
² The judgment of the Markets Court is drafted in the following terms:
"[...]
The fact that it would require a technical 'effort' to use a computer program that does place accents on capital letters is neither serious nor relevant.
To state now (in the year 2019!) that adapting a computer program would require several months of work and/or additional financial costs for the banking institution does not allow NV Y BELGIUM to disregard the rights of the person concerned. The rights granted to the person concerned are equivalent to obligations to produce a result on the part of the processor of the personal data.
A correctly functioning banking institution may be expected - if it uses a computer program - to have a computer program that meets current standards, including the above-mentioned right to correct spelling of the name. The right of rectification is a fundamental right.
[...]"
28. With respect to Article 12 AVG, the Litigation Chamber finds that the defendant adequately demonstrates that there is transparent communication with customers in order to inform them about the exercise of their rights, as well as that the necessary means are made available for the exercise of those rights, thereby facilitating the exercise of those rights. In addition, it is not apparent from the inspection report that the defendant does not provide transparent communication (Article 12.1 AVG). The inspection report only shows that it is not technically possible for the defendant to comply with a request for rectification concerning diacritical marks. The defendant does facilitate the exercise of the rights of its customers (Article 12.2 AVG) via the online banking applications or with the assistance of the front office staff, but the defendant is not in a position to respond appropriately and to proceed without delay to rectification in so far as the request concerns diacritical marks (Article 16 AVG). It follows that no infringement of Article 12 AVG can be established.
29. Concerning the defendant's assertion that the Litigation Chamber cannot proceed to finding an infringement of Articles 5.1(d), 12 and 16 AVG on account of the lack of display of diacritical marks, because of the pending proceedings before the Court of Cassation brought by the defendant against the judgment of the Markets Court rendered following decision 01/2019³ of the Litigation Chamber, the Litigation Chamber points out that an appeal in cassation is an extraordinary legal remedy that does not have suspensive effect. This means that the judgment of the Court of Appeal has full effect pending the judgment of the Court of Cassation, and that the Inspectorate was able to seize the Litigation Chamber through the inspection report of 23 March 2021, so that the Litigation Chamber can now proceed to take the present decision on the merits.
³ Decision 01/2019 of 15 May 2019 regarding a complaint for failure to comply with a request to correct the spelling of a name.
Article 25 AVG
30. The Respondent submits that the Inspectorate establishes an alleged breach of Article 25 AVG
but does not explain what this breach would consist of.
31. The Dispute Resolution Chamber considers that the Inspection Report clearly demonstrates that the Respondent
continues to use for its central customer system a mainframe which was brought into service
put into service in 1995 and notwithstanding the technical possibility of incorporating and processing diacritical
diacritical marks, it has chosen not to adapt its system accordingly.
to do so. In accordance with Article 25 of the AVG, the state of the art which allows diacritical marks to be processed requires that the system be adapted to this state of the art.
of diacritical marks requires the defendant to implement appropriate technical and organisational
take appropriate technical and organisational measures so that the principles of data protection, including the principle of
correctness, in an effective manner and to implement the necessary safeguards in the processing
in order to incorporate the necessary safeguards into the processing to ensure compliance with the
requirements of the AVG and to protect the rights of data subjects.
32. The Respondent points out that Article 25 GDPR also refers to the costs of implementation as a criterion for determining the appropriate measures, as well as to the risks to the rights and freedoms of natural persons associated with the processing, in terms of probability and seriousness. In that regard, the Respondent claims that there is no risk whatsoever as regards the identification of the person on the basis of the use of a given name without the specific diacritical mark being displayed. Moreover, the implementation of a very complex IT project involving adjustments to numerous systems takes a great deal of time and investment in order to respond to an absolute minority of requests for rectification, which, in the Respondent's view, means that the risk is extremely limited in terms of seriousness and probability with regard to the rights and freedoms of natural persons.
33. The Litigation Chamber does not accept the Respondent's assertion that there is no risk of identification of the data subject in the absence of the processing of diacritical marks. Neither that assertion nor the extremely limited risk alleged by the Respondent on account of the small number of requests for rectification of diacritical marks can, in the opinion of the Litigation Chamber, justify the Respondent failing entirely, as in the present case, to implement any measure to comply with possible requests for rectification.
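The two technical points argued in paragraphs 31 to 33 (a system that folds away diacritics cannot honour a rectification request, and folding makes distinct surnames indistinguishable) can be shown concretely. The following Python script is an added illustration written for this page; it is not code from the decision, the Respondent's systems or the DPA, and it makes no claim about how the Respondent's mainframe actually works. The surnames are constructed examples, and Latin-1 is used only as a stand-in for a restricted legacy code page.

```python
import unicodedata

# Constructed rectification requests: (surname as stored, surname as the data
# subject wants it). Illustrative names only, not the complainant's data.
REQUESTS = [
    ("Francois", "François"),
    ("Muller", "Müller"),
    ("Koscielny", "Kościelny"),
]


def legacy_fold(name: str) -> str:
    """Mimic a legacy pipeline that cannot carry diacritics: decompose (NFD)
    and drop every combining mark. Lossy by design."""
    decomposed = unicodedata.normalize("NFD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def canonical(name: str) -> str:
    """Store the name in NFC so that 'c' + combining cedilla and the
    precomposed 'ç' compare equal; nothing is dropped."""
    return unicodedata.normalize("NFC", name)


def rectify(store: dict, key, requested: str, normalise) -> bool:
    """Apply a rectification request through the given normaliser and report
    whether the stored value now equals what the data subject asked for."""
    store[key] = normalise(requested)
    return store[key] == canonical(requested)


def representable(name: str, codec: str) -> bool:
    """Can the name survive a round trip through the given code page?
    A False here is what a system 'technically able' to store the name
    must fix; it is not a reason to fold the name instead."""
    try:
        return name.encode(codec).decode(codec) == name
    except UnicodeEncodeError:
        return False


def collisions(names):
    """Pairs of distinct surnames that become identical after folding,
    i.e. persons the folded store can no longer tell apart."""
    seen = {}
    out = []
    for n in names:
        folded = legacy_fold(n)
        if folded in seen and seen[folded] != n:
            out.append((seen[folded], n))
        seen.setdefault(folded, n)
    return out


def run_demo():
    """Replay each request against a folding store and an NFC store.
    Returns {requested_name: (legacy_ok, modern_ok)}."""
    results = {}
    legacy, modern = {}, {}
    for i, (stored, wanted) in enumerate(REQUESTS):
        legacy[i] = stored
        modern[i] = stored
        results[wanted] = (
            rectify(legacy, i, wanted, legacy_fold),
            rectify(modern, i, wanted, canonical),
        )
    return results


if __name__ == "__main__":
    for wanted, (legacy_ok, modern_ok) in run_demo().items():
        print(f"{wanted!r}: folding store honoured={legacy_ok}, NFC store honoured={modern_ok}")
    print("latin-1 can hold 'François':", representable("François", "latin-1"))
    print("latin-1 can hold 'Kościelny':", representable("Kościelny", "latin-1"))
    print("utf-8 can hold 'Kościelny':", representable("Kościelny", "utf-8"))
    print("collisions:", collisions(["Muller", "Müller", "Schon", "Schön", "Smith"]))
```

The folding store returns False for every request because the value it writes back is exactly the unrectified spelling; the NFC store returns True. The `collisions` output shows why "no identification risk" is too strong a claim: once marks are dropped, two different customers named Muller and Müller share one record key.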
34. Furthermore, the Respondent refers to the Guidelines 4/2019 on Article 25 Data protection by design and by default[4], which state, with regard to the accuracy of data, that the requirements of Article 5(1)(d) GDPR must be considered in relation to the risks and consequences of the concrete use of the data. From this the Respondent takes the view that the measure consisting in the inclusion of diacritical marks in its systems is not proportionate to the risks for the data subject. The Respondent, however, disregards the fact that the Guidelines, among the design and default elements on accuracy, and specifically as regards erasure/rectification, provide that the controller must erase or rectify inaccurate data without delay. The Guidelines thus confirm what Article 5(1)(d) GDPR stipulates, namely that every controller has the obligation to erase or rectify inaccurate data without delay and thus not to allow the processing of inaccurate data to continue. It is therefore not for the controller to decide, on the basis of financial considerations or a risk analysis, whether or not to accede to a request to erase or rectify inaccurate data.
35. The Respondent's failure to adapt its IT systems in order to enable the processing of diacritical marks in the names of clients where this is requested constitutes an infringement of Article 25 GDPR. The fact that the Respondent shows that in the meantime, namely since Decision 01/2019 of 15 May 2019 and the judgment of the Market Court, it has already made numerous efforts to make its systems GDPR-compliant with regard to the processing of diacritical marks is an important element in determining the penalty for this infringement. However, this cannot retroactively undo the infringement.
36. In view of the efforts the Respondent has meanwhile made and the limited gravity and risk to the fundamental rights of the data subjects, in the light of recital 75 GDPR, the Litigation Chamber decides, despite having found infringements of Articles 5(1)(d), 16 and 25 GDPR, not to impose a penalty for those infringements. It therefore orders the discontinuation of proceedings pursuant to Article 100, §1, 2° WOG.
Articles 5(2) and 31 GDPR
37. The Inspectorate's report shows several times that the Respondent needed several letters to formulate concrete answers to the questions asked, from which the Inspectorate concludes that the Respondent did not comply with its duty of accountability and cooperation. The Inspectorate also finds it strange that there is little structured information with which to follow up the adjustments from an overarching view. Apart from general information about the AGILE approach and the preliminary study phase, the Respondent, according to the Inspectorate, cannot provide any information that would show progress in the dossier or concrete results that could have a positive impact on the data subject and the exercise of his or her rights and freedoms.
[4] https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_nl.pdf
38. However, on the basis of the documents provided by the Respondent, the Litigation Chamber must find that the Respondent is able, by means of the necessary documentation, to demonstrate the extent to which the GDPR is complied with. Not only does the Respondent have an internal guide and documentation of the procedures for the exercise of data subjects' rights, but it also has documentation relating specifically to the IT project to implement diacritical marks and the processes demonstrating the progress of the project. In this way the steps already taken and still to be taken are documented. The Respondent's explanation for the time it took to answer the Inspectorate's questions in several phases is that further analysis was required to determine which applications could be affected by the addition of diacritical marks and that this was not immediately possible. The Respondent submits that time was needed to carry out analyses and tests in order then to implement the changes in a controlled manner without endangering the stability of its systems. In this regard, the Litigation Chamber finds, on the basis of the documents before it, that the Respondent has documentation that unmistakably demonstrates the progress of the dossier and concrete results, so that no breach of Article 5(2) GDPR can be established.
39. The Litigation Chamber also assessed the Inspectorate's findings in the light of the Respondent's duty of cooperation and found that the Inspectorate has insufficiently demonstrated that the Respondent did not attempt, by means of its reply letters, to answer the questions posed in a comprehensive and careful manner. In addition, the Respondent stated on several occasions that it was prepared to enter into further consultation, so that it cannot be established that it failed to fulfil its obligation to cooperate with the supervisory authority.
40. The Litigation Chamber therefore finds that no violation of Article 31 GDPR can be established. This finding rests on the facts of the case, so that it is not necessary here to give an opinion in principle on the scope of the duty to cooperate.
b) Principle of data minimisation (Article 5(1)(c) GDPR), integrity and confidentiality (Article 5(1)(f) GDPR), accountability (Article 5(2) GDPR), responsibility of the controller (Article 24 GDPR), data protection by design and by default (Article 25 GDPR) and security of processing (Article 32 GDPR)
41. The Inspectorate notes that the Respondent uses the surname of the Complainant[5] in
- internal notes for and presentations to the Data Council
- email traffic and ICT testing
relating to the ICT programme concerning the use of diacritical marks.
42. The Inspectorate concludes that this processing activity by the Respondent constitutes a violation of Articles 5(1)(c) and (f), 5(2), 24, 25 and 32 GDPR, based on the consideration that the use of the Complainant's surname is not necessary for the purpose for which it is processed and can therefore be avoided. The project or the case could bear another name, and the Complainant's surname has no added value. According to the Inspectorate, there are various words in other languages with diacritical marks that could be used for this purpose; the use of the Complainant's surname could be stigmatising, and by spreading it throughout its organisation the Respondent loses control over it. The inspection report concludes that using the family name as a "test person" or as a "case" is not proportionate to
- the application of the basic principles of "data minimisation" and "integrity and confidentiality";
- the appropriate technical or organisational measures to be taken;
- ensuring the confidentiality, integrity, availability and resilience of its processing systems and services;
- the contractual (banking) duty of discretion, i.e. the discreet processing of personal data by the Bank towards the Customer.
[5] The Inspectorate refers to the complainant in Decision 01/2019 of 15 May 2019.
43. The Litigation Chamber states that the surname of the complainant in Decision 01/2019 of 15 May 2019 does constitute personal data within the meaning of Article 4(1) GDPR, as the complainant is identifiable on the basis of Decision 01/2019 taken by the Litigation Chamber and the judgment of the Market Court of 9 October 2019, in which the Respondent was a party in each case and the identity of the complainant was thus known to it. This implies that the complainant can be directly identified within the Respondent's organisation on the basis of his surname alone, since both were parties to the dispute. According to the Litigation Chamber, the use of the surname as a project name should be regarded as processing based on the legitimate interest of the Respondent (Article 6(1)(f) GDPR).
44. In accordance with Article 6(1)(f) GDPR and the case law of the Court of Justice of the European Union (hereinafter 'the Court'), three cumulative conditions must be met in order for a controller, in this case the Respondent, to be able to validly rely on this ground of lawfulness, 'namely, first, the legitimate interest of the controller or of the third party or parties to whom the data are disclosed; second, the necessity of processing the personal data for the purposes of the legitimate interests pursued; and third, the condition that the fundamental rights and freedoms of the data subject do not prevail' (Rīgas satiksme judgment[6]).
45. In order to be able to rely on the legal basis of 'legitimate interest' under Article 6(1)(f) GDPR, the controller must demonstrate that:
- the interests it pursues with the processing can be recognised as legitimate (the 'purpose test');
- the intended processing is necessary for the purposes of achieving those interests (the 'necessity test'); and
- the balance between those interests and the interests, fundamental freedoms and rights of the data subjects weighs in favour of the controller (the 'balancing test').
46. As regards the first condition (the so-called 'purpose test'), the Litigation Chamber is of the opinion that the purpose of implementing the aforementioned decision of the Litigation Chamber and the judgment of the Market Court[7] can be regarded as the pursuit of a legitimate interest. The interest pursued by the Respondent as controller can in itself be considered justified pursuant to recital 47 GDPR. Consequently, the first condition of Article 6(1)(f) GDPR is fulfilled.
47. In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. In particular, this means examining whether the same result could be achieved by other means, without processing personal data or without processing that is unnecessarily burdensome for the data subject.
48. Since the Respondent was a party to each of the proceedings before the Litigation Chamber and the Market Court, the identity of the complainant was already known to a limited circle of persons within the Respondent's organisation.
49. Moreover, the Respondent states that the surname was used in purely internal and confidential documents within the Data Council, which consists of only 7 members, and in some emails limited to the strictly necessary persons involved in the project. None of the documents shows that the processing of the complainant's surname would have been unnecessarily intrusive for the data subject. The Litigation Chamber therefore finds that the Respondent did not process the data subject's surname in disregard of the principle of data minimisation, so that the second condition is satisfied.
[6] CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA "Rīgas satiksme", paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40.
[7] See in the same sense Decision on the merits 35/2020 of 30 June 2020, paragraph 28.
50. In order to verify whether the third condition of Article 6(1)(f) GDPR - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - is fulfilled, the reasonable expectations of the data subject must, in accordance with recital 47 GDPR, be taken into account. In particular, it must be evaluated whether 'at the time and in the context of the collection of the personal data, the data subject may reasonably expect that processing for that purpose may take place'[8].
51. This is also emphasised by the Court in its judgment TK v Asociaţia de Proprietari bloc M5A-ScaraA of 11 December 2019[9], where it states:
'Also relevant to this balancing exercise are the reasonable expectations of the data subject that his or her personal data will not be processed where, in the circumstances of the case, the data subject cannot reasonably expect further processing of the data.'
52. It follows from both Decision 01/2019 taken by the Litigation Chamber on 15 May 2019 and the judgment of the Market Court of 9 October 2019 that the Respondent had to adapt its applications, at least as regards the processing of diacritical marks in the surname of the data subject. This necessarily implies that the data subject could reasonably expect[10] that his surname would be used within the Respondent's organisation in order to meet the requirements laid down in the aforementioned decision of the Litigation Chamber and in the judgment of the Market Court.
53. All of the aforementioned elements lead the Litigation Chamber to conclude that the Respondent lawfully processed the surname of the data subject within its organisation on the basis of Article 6(1)(f) GDPR and that there are no elements showing that the Respondent acted contrary to the requirements of the GDPR, so that no infringement of Articles 5(1)(c) and (f), 5(2), 24, 25 and 32 GDPR was committed by the Respondent.
[8] Recital 47 GDPR.
[9] CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 58.
[10] Recital 47 GDPR: 'The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.' (emphasis added by the Litigation Chamber)
c) Position of the Data Protection Officer (Articles 38(3) and 38(6) GDPR)
54. With regard to the position of the Data Protection Officer (DPO), the Inspectorate's report finds that there is a conflict of interest on his part and that he does not report directly to the highest management level.
55. Regarding the requirement to report directly to the highest management level (Article 38(3) GDPR), the Respondent emphasises that the DPO reports to the Executive Committee, also referred to as the Management Committee, and that this is done through the Chief Risk Officer (CRO), who himself sits on the Executive Committee, the highest body. The Respondent stresses that the reporting line does indeed go directly from the DPO to the Executive Committee. Reporting to a body can only be done through a natural person, in this case the CRO, who serves as the point of access to that body. The Respondent justifies the choice of the CRO by the fact that he is the member of the Executive Committee who is the privileged interlocutor of the Risk Committee, which takes cognisance of all important privacy-related issues.
56. The DPO is himself a permanent member of the Data Council, which is a delegated subcommittee and extension of the Executive Committee and whose decisions are binding on the Executive Committee. The Respondent underlines that the DPO's seat on the Data Council constitutes a form of reporting to the highest level.
57. The Respondent also adds that the Executive Committee is a collegiate body in which the CEO has one vote in the decision-making process, as do all its other members. At the hearing the Respondent emphasised that the DPO does not have to report to the highest individual within the highest body, namely the CEO, but that reporting to the highest body is sufficient. Moreover, all other members of the Executive Committee, including the CEO, are responsible for departments that process data. According to the Respondent, it therefore cannot be argued that any particular member of the Executive Committee would be more neutral than the other members.
58. On the basis of the documents substantiating the explanation provided by the Respondent, the Litigation Chamber finds that no violation of Article 38(3) GDPR can be established.
59. As regards the Inspectorate's finding that there is a conflict of interest (Article 38(6) GDPR) on the part of the DPO because he is also head of Operational Risk Management (ORM), Information Risk Management (IRM) and the Special Investigation Unit (SIU), the Respondent argues that the head of those departments does not have decision-making power at the level of the purposes and means of the operational processing of personal data, but only an advisory and supervisory role.
60. During the hearing, the Litigation Chamber examined the influence that the DPO has on decision-making by virtue of his other functions.
61. The Litigation Chamber notes that the Respondent, in its submissions, stresses the purely advisory and supervisory competence of each of the three departments, namely Operational Risk Management, Information Risk Management and the Special Investigation Unit. In the Respondent's view, this allows it to argue that the DPO has no duties (including through his functions in each of the departments concerned) that would enable him to take decisions about the purposes and means of any processing of personal data.
62. The Litigation Chamber considers that this does not demonstrate that the DPO, who is also head of each of those departments and therefore holds a position of responsibility within them, would not carry out tasks incompatible with his position as DPO.
63. In this regard, the Litigation Chamber notes that the advisory and supervisory role of the departments as such does not mean that they do not determine the purposes and means of data processing.
64. The Litigation Chamber must assess how and to what extent the independence of the DPO in relation to each of these three departments, of which he is head, is ensured.
65. The Respondent itself thus appoints the same natural person as responsible for each of the three departments and as DPO. This responsibility for each of those three departments undeniably means that, in that capacity, he determines the purposes and means of the processing of personal data within those three departments and is thus responsible for the data processing operations that fall within the domain of Operational Risk Management, Information Risk Management and the Special Investigation Unit, as established in the inspection report.
66. The Group 29 Guidelines for Data Protection Officers11 explain that the
Data Protection Officer cannot hold any position within the organisation where he or she
he or she must determine the purposes and means of the processing of personal data.
determine. This is thus a substantial conflict of interest. The role of controller of a service
is thus incompatible with the function of the data protection officer, who must be able to perform his or her tasks
be able to perform his tasks independently. By combining in the same physical person the functions of the controller for each of the services, the data protection officer is able to carry out his tasks independently.
the function of controller for each of the three services concerned separately
on the one hand, and the function of Data Protection Officer on the other hand, each of those three services lacks any possible independent supervision.
of those three services any possible independent supervision by the Data Protection Officer.
data protection officer. In addition, the combination of these functions may lead to a lack of
secrecy and confidentiality vis-à-vis staff members in accordance with Article 38(5) of the AVG cannot be sufficiently guaranteed.
can not be sufficiently guaranteed.
67. The Respondent seeks to rebut the existence of a conflict of interest in relation to the Data Protection Officer by arguing that the
The Respondent seeks to rebut the existence of a conflict of interest in respect of the DPO by arguing that the services IRM, ORM and SIU are part of the second-line function.
are part of the second level function which only include supervisory and control functions. The head
of these services, who is also the Data Protection Officer, has, according to the defendant
no decision-making power at the level of the purposes and means of operational processing of personal
processing of personal data, but only in an advisory and supervisory capacity.
power. The defendant considers that this reasoning is supported by decision
56/2021 of 26 April 2021.
68. As also provided for in the Working Party 29 Guidelines for Data Protection Officers12 , the
As also provided for in the Working Party 29 Guidelines for Data Protection Officers12 , the Litigation Chamber considers that the assessment of any
11 Under Article 38(6), data protection officers may "perform other tasks and duties". To this end, the
However, the organisation must ensure that "these tasks or duties do not lead to a conflict of interest".
The absence of a conflict of interest is closely linked to the requirement to act autonomously. Although data protection officers may
other functions, they can only be entrusted with other tasks and duties if these do not give rise to any conflict of interest.
give rise to any conflict of interest. This implies in particular that the DPO within the organisation
a position in which he or she determines the purposes and means of the processing of personal data. Given the specific organisational structure of each organisation, this should be assessed on a case-by-case basis. As a rule of thumb, the following are considered to be positions with a conflict of interest within the organisation: senior management positions (e.g. Chief Executive, Chief Operating, Chief Financial, Chief Medical Officer, head of the marketing department, head of Human Resources or head of the IT department), but also lower positions within the organisational structure if these persons have to define the objectives and means of data processing. In addition, a conflict of interest may also arise, for example, when an external data protection officer is asked to represent the controller or the processor in court in cases involving data protection issues. Depending on the activities, size and structure of the organisation, it may be good practice for controllers or processors to:
- identify the positions that may be incompatible with the data protection officer function;
- provide internal rules to this effect in order to avoid conflicts of interest;
- include a more general explanation of conflicts of interest;
- declare that their data protection officer has no conflict of interest in his or her role as data protection officer, as a way of sensitising others to this requirement;
- include safeguards in the organisation's internal rules and regulations and ensure that the vacancy for the position of DPO or the service agreement is sufficiently precise and detailed to avoid conflicts of interest. In this context, it should be taken into account that conflicts of interest can take different forms depending on whether the data protection officer is recruited internally or externally.
WP243Rev01, para 3.5, underlining by the Dispute Chamber. These guidelines have been endorsed by the European Data Protection Board (EDPB).
12 See above, footnote 11.
Decision on the merits 141/2021 - 19/26
conflict of interest should be done on a case-by-case basis, taking into account the specific organisational structure of each organisation. Thus, the Dispute Resolution Chamber assesses in concreto.
69. Although the Respondent maintains that the three services in question belong to the second-line function, so that these services do not introduce processing themselves but only supervise, set frameworks for and carry out checks, during the hearing the Dispute Resolution Chamber inquired into the relationship between the second-line and first-line functions in order to find out whether the second-line function can fulfil its advisory and supervisory role without determining the purpose and means of any processing carried out by itself and by the first-line function. Specifically, during the hearing, the Dispute Resolution Chamber found that if the second-line function is to exercise its supervisory and monitoring powers, it also needs information from the first-line function to do so. This is also apparent from the register of processing activities, which lists a large number of categories of personal data processed by the second-line function. According to the Dispute Resolution Chamber, this clearly shows that personal data are processed by the second-line function for which it determines the purpose and the means.
70. The Respondent's response to this is that taking note of, i.e. reading, personal data is not sufficient to qualify as processing of personal data. The Respondent here makes the comparison with an employee who consults personal data in the course of his/her work, but does not himself/herself act as a separate controller of the processing. To follow a different interpretation would, according to the Respondent, lead to each employee being regarded as a separate controller.
71. With regard to the categories of personal data processed by the second-line function indicated in the register of processing activities, the Respondent argues that these have been listed 'out of prudence', because the second-line function may become aware of those personal data in the performance of its tasks. Again, the Respondent adds that the second-line function is not responsible for the processing of personal data, but may become aware of certain categories of personal data only through the exercise of its supervisory powers, and that the second-line function will never be able to determine how personal data will be filled in and processed within the bank.
72. The Dispute Resolution Chamber notes that consulting personal data does constitute processing within the meaning of Article 4(2) AVG. It should be noted here that the processing of personal data does not result in the person carrying out the processing, such as an employee, being regarded as a separate controller. The controller is the one who determines the purposes and means of the processing within the meaning of Article 4(7) AVG. The second-line function - as an entity within the controller - determines the purposes and means of the processing of personal data that the first-line function is required to supply to it - and thus contributes to determining the purpose and means of the processing carried out by the first-line function - so that the second-line function can fulfil its own supervisory and advisory role. This is indisputably apparent from the register of processing activities. It follows that the Data Protection Officer, who also holds the position of Head of Department of ORM/IRM/SIU, determines the purposes and means of the data processing operations carried out by the first-line function to the extent that this information is necessary for the tasks entrusted to the second-line function, and then also determines the purposes and means of the data processing carried out by the second-line function.
73. This leads the Dispute Resolution Chamber to conclude that the combination of the capacity of Data Protection Officer with the function of Head of Service of the three departments ORM/IRM/SIU is not sustainable without a conflict of interest on the part of the Data Protection Officer. Consequently, the Dispute Resolution Chamber finds that the breach of Article 38.6 AVG has been proven.
74. It is important that the Data Protection Officer is able to perform his or her duties and tasks with respect for the position assigned to him by Article 38 AVG, in particular that he can act without any conflict of interest. The Dispute Resolution Chamber therefore instructs the Respondent to bring the processing in this respect into line with Article 38.6 AVG and thus ensure that these tasks or duties do not give rise to a conflict of interest.
75. Taking into account that the AVG has assigned a key role to the Data Protection Officer by giving him an informing and advising role vis-à-vis the controller on all matters relating to the protection of personal data, including the notification of data breaches, the Dispute Resolution Chamber shall also impose an administrative fine.
76. In addition to the corrective measure to bring the processing into line with Article 38.6 AVG, the Dispute Resolution Chamber also decides to impose an administrative fine, which does not aim to put an end to a violation committed, but aims to ensure vigorous enforcement of the rules of the AVG. As is clear from Recital 148, the AVG requires that for serious breaches, penalties, including administrative fines, be imposed in addition to, or instead of, appropriate measures.13 The Dispute Resolution Chamber does so in application of Article 58.2(i) AVG. The instrument of the administrative fine therefore does not aim in any way to terminate infringements. To that end, the AVG and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG.
77. First of all, the nature and seriousness of the infringement is taken into account by the Dispute Resolution Chamber in order to justify the imposition of this sanction and its amount.
78. In this regard, the Dispute Resolution Chamber finds that, although there is no evidence of an intentional breach, there is evidence of gross negligence on the part of the Respondent. Although the Data Protection Officer is a function that was first made mandatory at the European level in the AVG, the concept of a data protection officer is not new and has existed for a long time in many Member States and in many organisations.14
79. Moreover, already on 13 December 2016, the Working Party 29 adopted guidelines for these officers. These guidelines were revised on 5 April 2017 after a wide public consultation. As shown below, these guidelines are clear on the extent to which the data protection officer can also fulfil other functions within the company, taking into account the organisational structure specific to each organisation, which should be assessed on a case-by-case basis.
80. In short, in the opinion of the Dispute Resolution Chamber, there is no doubt that combining the position of data protection officer with a position as head of a department (in which personal data are also processed) which the data protection officer must supervise cannot be done in an independent manner.
81. An organisation such as the Respondent may be expected to have carefully prepared for the introduction of the AVG, and to have done so already from the time of the entry into force of the AVG pursuant to Article 99 AVG in May 2016. After all, the processing of personal data is a core activity of the Respondent, which moreover processes personal data on a very large scale.
82. The duration of the breach is also taken into consideration. The function of data protection officer was created in the AVG, applicable since 25 May 2018, so that the breach of Article 38.6 AVG has been established from that date. In any event, the breach lasted until the date on which the full-time appointed Data Protection Officer took up his duties, i.e. 1 July 2021.
83. Finally, the Respondent processes personal data of a huge number of people. Ineffective safeguards for the protection of personal data, in particular through the appointment of a data protection officer who does not comply with the requirement of independence and is therefore not free from any conflict of interest, thus have a potential impact on a huge number of stakeholders.
13 Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative pecuniary sanctions, should be imposed for any breach of the Regulation, in addition to or as an alternative to any appropriate measure taken by the supervisory authorities under this Regulation. If the infringement is minor or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, account should be taken of the nature, seriousness and duration of the infringement, the intentionality of the infringement, any damage limitation measures taken, the degree of responsibility or previous relevant infringements, how the breach came to the attention of the supervisory authority, compliance with the measures taken against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of sanctions, including administrative pecuniary sanctions, should be subject to appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including effective remedy and fair trial."
14 See, inter alia, WP243Rev01, para 1.
84. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction within the meaning of Article 83 AVG, taking into account the assessment criteria laid down therein, in the amount of EUR 75,000. The Dispute Resolution Chamber points out that the other criteria of Article 83.2 AVG are not of such a nature in this case that they lead to an administrative fine other than that determined by the Dispute Resolution Chamber for the purposes of this decision.
85. The mitigating circumstances referred to by the Respondent in its response to the Dispute Resolution Chamber's intention to impose an administrative fine, namely the absence of harm to the data subjects (Article 83.2(a) AVG); the measures taken to detect and prevent potential conflicts of interest in a timely manner, notably by implementing appropriate policies and mechanisms as described in the conclusion (Article 83.2(c) AVG); the absence of previous relevant infringements (Article 83.2(e) AVG); as well as the cooperation in good faith with the GBA (Article 83.2(f) AVG), are taken into account by the Dispute Resolution Chamber when determining the amount of the administrative fine.
86. To answer the Respondent's objection concretely, the Dispute Resolution Chamber states that, although the absence of any damage on the part of the data subjects has not been established, no damage has been established either, nor have any previous infringements been identified. This finding leads the Chamber to reduce the initially proposed amount of the administrative fine from EUR 100,000 to EUR 75,000.
87. With regard to the implementation of policies and mechanisms to avoid conflicts of interest, the Dispute Resolution Chamber notes that these were adopted late, i.e. well after the entry into force15 as well as the applicability16 of the AVG. The Conflicts of Interest Policy dates from 20 January 2020 and the specific DPO policy was implemented on 12 October 2020 following the decision on the merits no. 18/2020 of 28 April 2020; as mentioned in the conclusion, a full-time DPO was not appointed until 1 July 2021. This means that although the Respondent cooperated with the GBA to remedy the breach and mitigate its potential negative effects, this took place well after the entry into force and application of the AVG, which has an impact on the duration of the breach (see above).
15 Pursuant to Article 99.1 AVG, the AVG entered into force on 25 May 2016.
16 Article 99.2 AVG provides that the AVG applies from 25 May 2018.
88. As to the amount of the fine, the Respondent argues that the fine is higher than the one imposed for an identical infringement in the decision on the merits no. 18/2020 of 28 April 2020, whereas the Respondent claims that its consolidated turnover is lower, that it has already taken measures to address the GBA's concerns and that it has a smaller market position.
89. The Dispute Resolution Chamber states that the maximum amount of the administrative fine for a violation of Article 38 AVG is determined by Article 83.4 AVG.17 The amount of the fine imposed in this decision is significantly lower than the maximum amount stipulated in Article 83.4 AVG, in view of the elements that the Dispute Resolution Chamber has taken into account. Moreover, the Dispute Resolution Chamber evaluates the concrete elements of each case individually in order to impose an appropriate penalty.18 The reference by the Respondent to decision on the merits no. 18/2020 of 28 April 2020 concerns the same infringement, namely the existence of a conflict of interest on the part of the Data Protection Officer (Article 38.6 AVG), but otherwise the Dispute Resolution Chamber must take into account all factual elements that are specific to each case, whereby in this case the duration of the breach is an important element which justifies the imposition of a fine of EUR 75,000, for which the Dispute Resolution Chamber based itself on the Respondent's consolidated annual accounts.
d) Register of processing activities (Article 30 of the AVG)
90. With regard to the register of processing activities, the Inspectorate makes the following findings, as summarised below:
- The register of processing activities of the ORM/IRM/SIU19 services is incomplete;
- the register of processing activities contains only three processing operations, namely one processing activity for each of the services. The Inspectorate finds this strange, since in each of the three services there are different processing activities within the second-line function, so that it is rather abnormal to combine these processing activities into one processing activity;
- the Respondent failed to provide a complete list of all purposes of the processing of personal data in accordance with Article 30.1(b) AVG;
- the following information in the register of processing activities is not visible:
  - the name and contact details of the data protection officer in accordance with Article 30.1(a) AVG;
  - a description of the time limits envisaged for the erasure of the different categories of data pursuant to Article 30.1(f) AVG;
  - a description of the technical and organisational security measures in accordance with Article 30.1(g) AVG.
- The register of processing activities should be complete and clear in itself, but the following terms are not explained: "12. TIN" and "S9. Criminal data". Also, the description of the purposes of the processing is vague: "E7_To support the activities to safeguard and ensure the security and integrity of Y and/or the financial sector" and "C6_Compliance with legal obligations", and does not accurately reflect the processing activity and processing purpose of these services provided by the Respondent.
- Specifically with regard to the SIU service, the register of processing activities states that personal data relating to criminal convictions and offences are processed, with the following statement: "S9. Criminal data". The Inspectorate finds it strange that this is not specifically explained.
17 Article 83.4 AVG: Breaches of the following provisions are subject to administrative fines in accordance with paragraph 2 of up to EUR 10 000 000 or, for an undertaking, up to 2 % of its total annual worldwide turnover in the preceding business year, whichever is higher:
(a) the obligations of the controller and processor under Articles 8, 11, 25 to 39, and 42 and 43;
[...]
18 See in this respect the judgment of the Markets Court dated 7 July 2021, roll number 2021/AR/320, NV Nationale Dienst voor Promotie van Kinderartikelen (N.D.P.K. N.V.) v. GBA, p. 42.
19 Operational Risk Management (ORM)/Information Risk Management (IRM)/Special Investigation Unit (SIU)
91. With regard to these findings by the Inspectorate, the Respondent submits the following:
- Except for the enumeration of the elements that must be included in the register and the obligation to communicate the register to the supervisory authority upon request, the AVG does not impose any other legal obligation concerning the register. According to the Respondent, by its findings in the inspection report, the Inspectorate seems to want to set the threshold higher than the legal requirements in this respect. The Respondent adds and demonstrates that it has additionally taken into account Recommendation no. 06/2017 of 14 June 2017 of the Commission for the Protection of Privacy;
- With regard to the vague terms and vague description of the purposes of the processing, the Respondent argues that the register is an internal tool and resource for the controller. The Respondent acknowledges that the register also serves as a source of information for the GBA and in that sense should also be understandable for the GBA itself. However, it is not excluded that the controller may still provide the GBA with an explanation of certain internal terminology used in the register. Article 30.1 AVG requires that the register of processing activities contain a description of the categories of personal data, as well as the processing purposes, but does not contain any concrete obligations regarding the level of detail of these categories of personal data and the processing purposes. The aforementioned Recommendation no. 06/2017 does, however, provide examples of categories of personal data and purposes which are of a similar 'general' nature. As regards the concepts and purposes identified by the Inspectorate as vague, the Respondent states that these were defined in another internal document. The definitions from that document - both with regard to the categories of personal data and the purposes - were taken up in the register and were already available in the register by clicking on the relevant terms.
- The Respondent emphasises that the Inspectorate has only used the register for the processing activities of the ORM/IRM/SIU services and not the full register. The document supplied by the Respondent was a limited extract from the register and only contained details of the processing activities of the departments concerned.
- The processing activities of the ORM, IRM and SIU services are further explained by the Respondent. It states that the IRM and ORM services are primarily of an advisory nature, without actually having any executive function in the area of processing information and/or personal data. This concerns very limited processing, grouped in the register under one processing activity for each of the two services. A number of processing activities that the Inspectorate ascribes to the IRM and ORM services respectively relate to activities that are described elsewhere in the register under the responsible departments. As far as the SIU service is concerned, the activities are also described and here, too, they were grouped in the register extract as one processing activity. The Respondent emphasises again that the AVG does not prescribe a specific required level of detail.
- With regard to the information missing from the register of processing activities according to the inspection report, the Respondent argues that the name and contact details of the Data Protection Officer are contained in a large number of internal documents and are thus well known within the Respondent's organisation, but that those data concerning the Data Protection Officer did not appear in the extract from the register of processing activities for technical reasons. As regards retention periods and technical and organisational measures, Article 30 AVG requires the register to contain this information if possible, but does not as such make it mandatory to mention them in the register itself. The Respondent submits that, for pragmatic reasons and for the sake of greater clarity, it was decided to describe this information in a separate document.
92. Based on the defence and the supporting documents, the Dispute Resolution Chamber decides that there has been no infringement by the Respondent of Article 30 AVG.
III. Publication of the decision
93. In view of the importance of transparency with regard to the decision-making of the Dispute Resolution Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this purpose for the identification details of the parties to be published directly.
(signed) Hielke Hijmans
President of the Dispute Resolution Chamber
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority, after deliberation, decides to:
- pursuant to Article 100, §1, 2° WOG, order a dismissal for the violation of Articles 5.1(d), 16 and 25 AVG;
- on the basis of Article 100, §1, 13° and Article 101 WOG, impose an administrative fine of € 75,000 for the violation of Article 38.6 AVG.
This decision may be appealed pursuant to Article 108, §1 WOG within a period of thirty days from the notification, before the Market Court, with the Data Protection Authority as defendant.

Revision as of 08:54, 18 February 2022

APD/GBA (Belgium) - 141-2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 38(6) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.12.2021
Fine: 75000 EUR
Parties: n/a
National Case Number/Name: 141-2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 141/2021 van 16 december 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined a bank €75,000 because its DPO was also the head of three departments with decision-making powers over processing of personal data, which resulted in a conflict of interest in breach of Article 38(6) GDPR.

English Summary

Facts

The data subject filed a complaint against a bank regarding a violation of their right to rectification. The DPA launched an investigation which over time broadened its scope towards the role of the bank's DPO. The investigation revealed that there might be a conflict of interest, since the DPO held a number of other functions, including leading the bank's Operational Risk Management department, its Information Risk Management department and its Special Investigation Unit.

The bank argued that the head of these services did not have decision-making power to determine the purposes and means of processing of personal data, but a purely advisory and supervisory role.

Holding

The Belgian DPA refuted the bank's argument, stating that the role was not 'purely advisory and supervisory'. Particularly, the DPA held that the DPO could still determine the means and purposes of processing of personal data. This was further proven by the bank's Record of Processing Activities, which listed a substantial number of categories of personal data which are processed by these departments.

Thus, because the DPO held the final responsibility over the referenced departments, the DPA held that there was a conflict of interest, in breach of Article 38(6) GDPR.

As a result, the DPA fined the bank €75,000 for violating Article 38(6) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/26
Litigation Chamber
Decision on the merits 141/2021 of 16 December 2021
File reference: DOS-2020-03763
Subject: The exercise of data subjects' rights in relation to a Bank's information systems.
The Dispute Resolution Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Frank De Smet;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG;
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG;
Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
has adopted the following decision concerning:
The defendant: the bank Y, represented by Mr. Erik Valgaeren and Mr. Carolien Michielsen, hereinafter referred to as 'the defendant'.
I. Facts and Procedure
A. Investigation of the Inspectorate
1. On 22 April 2020, the Executive Committee of the Data Protection Authority (hereinafter referred to as GBA) decided to refer a case to the Inspectorate of the GBA on the basis of Article 63, 1° WOG. Following Decision No. 01/2019 of the Litigation Chamber of 15 May 2019 and the subsequent judgment of the Markets Court of 9 October 2019, the Executive Committee found that there were serious indications of practices that could give rise to breaches of the fundamental principles of personal data protection. The Executive Committee therefore referred the matter to the Inspectorate with the request to investigate the extent to which the defendant's information systems make it possible to exercise the rights of the data subject, in particular the right to rectification (Article 16 AVG). The Inspectorate was thus tasked with verifying whether the defendant's information systems comply with the requirements of the AVG with regard to the exercise of the rights which each data subject [1] has as a client of the defendant.
2. The Inspectorate transmitted its report of 23 March 2021 to the Litigation Chamber on the basis of Article 91, §2 WOG, whereupon the Litigation Chamber was seized pursuant to Article 92, 3° WOG.
B. Procedure before the Litigation Chamber
3. On 6 April 2021 the Litigation Chamber decides, pursuant to Article 95, §1, 1° and Article 98 WOG, that the case is ready for treatment on the merits.
4. On the same day, the defendant is notified by registered mail of this decision, as well as of the inspection report and the inventory of the documents of the file that the Inspectorate has submitted to the Litigation Chamber. The defendant is also informed of the provisions mentioned in Article 98 WOG and, pursuant to Article 99 WOG, of the time limit for submitting its defence. The deadline for receipt of the defendant's statement of defence was set at 28 May 2021.
5. On 10 May 2021 the defendant asks for a copy of the case file (Article 95, §2, 3° WOG), which is provided on 12 May 2021. In addition, the defendant electronically accepts all communication relating to the case and indicates that it wishes to avail itself of the possibility to be heard, in accordance with Article 98 WOG.
[1] Decision No. 01/2019 of 15 May 2019, by contrast, concerns only the safeguarding of the rights of one specific complainant whose personal data are processed by the defendant, as the Litigation Chamber was seized only for that processing in the complaint.
6. On 28 May 2021 the Litigation Chamber receives the defendant's statement of defence, in which it is requested, principally, to find that there is no violation of Articles 5.1(c), (d) and (f), 5.2, 12, 16, 24, 25, 30.1, 31, 32, 38.3 and 38.6 of the AVG and, in the alternative, to take mitigating circumstances into account when imposing a sanction.
7. On 14 July 2021, the Respondent is informed that the hearing will take place on 
30 September 2021.
8. On 30 September 2021 the defendant is heard by the Litigation Chamber and thus given the opportunity to present its arguments. The Litigation Chamber decides to continue the proceedings after 15 November 2021, the date by which the defendant has undertaken to introduce diacritical marks in names and first names in its applications, so that the defendant can come and explain the new computer system. A new hearing will be scheduled for shortly after that date.
9. On 1 October 2021, the defendant is notified that the hearing for the continuation of the case will take place on 22 November 2021.
10. On 12 October 2021, the minutes of the hearing of 30 September 2021 are submitted to the defendant in accordance with Article 54 of the Rules of Internal Procedure of the GBA. The defendant is thereby given the opportunity to have any comments it may have added as an annex to the minutes.
11. On 19 October 2021 the Litigation Chamber receives some comments from the defendant on the minutes of the hearing of 30 September 2021.
12. On 22 November 2021, the defendant is heard by the Litigation Chamber and explains the implementation of diacritical marks in the names and first names in its applications.
13. On 23 November 2021, the minutes of the hearing of 22 November 2021 are submitted to the defendant in accordance with Article 54 of the Rules of Internal Procedure of the GBA. The defendant is thereby given the opportunity to have any comments it may have added as an annex to the minutes, without this constituting a reopening of the debates.
14. On 23 November 2021, the Litigation Chamber notifies the defendant of its intention to impose an administrative fine, as well as of the amount thereof, in order to give the defendant the opportunity to defend itself before the sanction is actually imposed.
15. On 29 November 2021, the Litigation Chamber receives the comments on the minutes of the hearing of 22 November 2021, which it includes in its deliberations.
16. On 14 December 2021 the Litigation Chamber receives the defendant's response to the intention to impose an administrative fine and to the amount thereof. The defendant submits that a number of mitigating circumstances set out in its submissions for Y Belgium and at the hearing do not appear to have been taken into account by the Litigation Chamber, as they do not appear in the penalty form, and that the proposed fine is disproportionately high in relation to Decision on the merits No. 18/2020 of 28 April 2020 for an identical infringement.
II. Reasons 
17. Hereafter, the Litigation Chamber assesses each of the findings in the report of the Inspectorate in the light of the pleas put forward in that regard by the defendant.
(a) Principle of accuracy (Article 5.1(d) AVG), accountability (Article 5.2 AVG), transparent information, communication and modalities for exercising the rights of the data subject (Article 12 AVG), right to rectification (Article 16 AVG), data protection by design and by default (Article 25 AVG) and duty to cooperate (Article 31 AVG).
18. The first element examined by the Inspectorate concerns the extent to which the defendant has made the adjustments necessary to implement diacritical marks in its ICT systems.
19. The Inspectorate finds that the defendant is unable to provide a clear and systemic picture of the time horizon for the implementation of diacritical marks in the current ICT system (applications and mainframe), nor any first results showing the efforts made. The Inspectorate further states that the defendant remains stuck in the 'exploratory phase' of preliminary studies and discussions without wanting to achieve concrete goals and results.
20. The Inspectorate concludes that the defendant is in breach of Articles 5.1(d), 5.2, 12, 16, 25 and 31 of the AVG because the defendant is unwilling or unable to present a concrete time horizon with concrete results, and is unwilling or unable to demonstrate systemic changes that would have a positive impact on the data subject's initial request. According to the Inspectorate, nothing has changed since the decision taken by the Litigation Chamber on 15 May 2019, apart from some preliminary study work (feasibility), and the situation has therefore not improved.
21. The Inspectorate makes the following considerations in this regard:
o The defendant has some 150 IT applications and database systems, including the central customer system, a mainframe system that was put into use in 1995. That central customer system supports only EBCDIC ('extended binary-coded decimal interchange code'). Although diacritical marks have since been added to the EBCDIC table, the defendant did not make any changes to the central customer system. In 2020, the defendant is still using an IT system dating back to 1995 and does not appear to be able to implement the right to rectification.
o With regard to the number of underlying applications that interact with the central customer system and need to be changed for the introduction of diacritical marks, the Inspectorate notes that the defendant lists 150 applications in its initial letter of 6 November 2019 and is only able to deliver a list that corresponds to the exact number stated on 6 November 2019, supplemented by the correct system names and with double counting filtered out. The Inspectorate notes in this regard that the defendant often replied that the analysis was 'not yet complete', which is strange given the number of months of lead time, the number of staff, and the financial resources and capabilities of the defendant.
o With regard to the large and very old systems for which the defendant states on 6 November 2019 that a lead time of 18 months is expected for their adaptation, the Inspectorate notes that the defendant does not provide a list describing and specifically naming those systems until 2 November 2020.
o By examining the 'change management' and the plan of approach for implementing the technical proposals, the Inspectorate attempts to gain insight into the development process and the way in which implementations are carried out at the defendant. The Inspectorate notes that on 16 September 2020 the defendant states that the changes needed for the introduction of accented letters will be made according to the AGILE principle, which means that the defendant will resolve the restriction on accented letters in small, manageable steps.
On 12 October 2020, the defendant reports that it has taken initiatives to include diacritical marks in the central customer system, following a 4-phase approach, and that at that time phases 1 and 2 are in progress:
1) analysis of all systems and applications potentially affected;
2) adaptation of these systems in the test environment and testing them separately for the processing of diacritical marks;
3) performing chain tests to ensure consistency of the applications;
4) actually implementing the changes.
On 2 November 2020, the defendant documents how AGILE was translated into its organisation and provides information about the feasibility study in the form of two diagrams of the testing approach.
The Inspectorate concludes that it is strange that little structured and overarching information is available to follow up on this change as a whole. Apart from general information about the AGILE approach and the pre-study phase, the defendant is unable to provide any information that demonstrates progress or concrete results that could have a positive impact on the data subject and the exercise of his rights.
o Following the examination of the technical design, the inspection report contains the technical figures for the architectural design in which the defendant indicates whether, and if so to what extent, changes can have an impact on each of the components, both for the central customer system and for the supporting and underlying technologies: middleware, the mainframe Z applications, the non-mainframe Z applications, as well as the channels and front-end applications.
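The Inspectorate's point about EBCDIC can be checked directly. The following Python script is an added example, not code from the decision, the GBA or the bank: it writes a handful of constructed names through the IBM EBCDIC code pages that ship with Python (cp037, cp500 and cp1140, all of which carry the Latin-1 accented letters) and contrasts that with a simulated 'legacy' repertoire of plain letters only. The legacy repertoire, the choice of code pages and the sample names are assumptions; the decision does not say which EBCDIC variant the bank's 1995 system used or how it treated unsupported characters.

```python
"""Round-trip check of customer names through EBCDIC code pages.

Added example; not code from the decision, the GBA or the bank.
Modern IBM EBCDIC code pages (CP037, CP500, CP1140) map every Latin-1
accented letter, so a name such as "Müller" can be stored exactly on a
mainframe that uses one of them. The "legacy" behaviour below (plain
ASCII letters only, accents silently dropped) is an assumption used
for contrast, not a description of the bank's actual system.
"""
import string
import unicodedata
from typing import List, Tuple

# Constructed sample input (not real customer data).
SAMPLE_NAMES = ["Dupont", "Müller", "Ñoño", "Çağla", "Dvořák"]

# EBCDIC code pages with Latin-1 accented letters. Which page a given
# installation uses is site-specific (assumption).
EBCDIC_PAGES = ("cp037", "cp500", "cp1140")

# Simulated legacy repertoire: plain letters, digits and a little
# punctuation (assumption, not the bank's actual character set).
LEGACY = "legacy-1995"
LEGACY_ALLOWED = set(string.ascii_letters + string.digits + " .-'")


def strip_diacritics(name: str) -> str:
    """Lossy fallback: decompose to NFD and drop the combining marks.
    "Dvořák" becomes "Dvorak"; this is the flattening that a
    rectification request then cannot undo."""
    decomposed = unicodedata.normalize("NFD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def can_store(name: str, codepage: str) -> bool:
    """True if `name` can be written to `codepage` and read back
    unchanged. For the simulated legacy system only the allowed
    repertoire counts; for real code pages Python's codec decides."""
    if codepage == LEGACY:
        return all(ch in LEGACY_ALLOWED for ch in name)
    try:
        return name.encode(codepage).decode(codepage) == name
    except UnicodeEncodeError:
        return False


def store_name(name: str, codepage: str) -> Tuple[str, bool]:
    """Return (stored_name, exact). A name the target cannot represent
    is flattened instead of rejected, which is what makes the loss
    silent from the customer's point of view."""
    if can_store(name, codepage):
        return name, True
    return strip_diacritics(name), False


def rectification_gaps(names: List[str], codepage: str) -> List[str]:
    """Names that would not be stored exactly on `codepage`: the records
    for which a request under Article 16 could not be honoured."""
    return [n for n in names if not store_name(n, codepage)[1]]


def migration_report(names: List[str]) -> dict:
    """Per code page, the names that would still be flattened. Moving
    from the legacy repertoire to a Latin-1 EBCDIC page fixes Western
    European names but not, for example, Czech or Turkish ones."""
    return {cp: rectification_gaps(names, cp) for cp in (LEGACY,) + EBCDIC_PAGES}


if __name__ == "__main__":
    for cp, gaps in migration_report(SAMPLE_NAMES).items():
        print(f"{cp:12s} cannot store exactly: {gaps}")
```

Run stand-alone, the script prints for each code page which sample names would still be flattened. The report is the kind of per-system inventory that phase 1 (analysis of affected systems) and phase 3 (chain tests) of the approach described above would have to produce: a name can round-trip through the central customer system and still be flattened by any one adjoining application that keeps the narrower repertoire.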
Articles 5.1 d), 12 and 16 AVG
22. The defendant submits that Articles 5.1(d), 12 and 16 AVG are complied with and argues as follows:
- The exercise of the data subject's rights is facilitated in accordance with Article 12 AVG by allowing customers to modify their data themselves via the internet banking applications, or to have them changed by employees in the front office. The Privacy Statement also provides the necessary contact details for exercising the right to rectification. In addition, there is an internal guide and documentation of the procedures for exercising the rights of data subjects. Furthermore, the necessary processes have been implemented to handle requests to exercise rights adequately.
- The right to rectification (Article 16 AVG) is respected for all requests for adjustment or rectification. The impossibility for the defendant to comply with a request for rectification is limited to the processing of diacritical marks in a name.
- The implementation of a complex IT project involving adjustments to many systems, which requires a great deal of time and investment in order to satisfy an absolute minority of requests for correction, cannot, in the opinion of the defendant, be regarded as a reasonable measure within the meaning of Article 5.1(d) of the AVG.
- The defendant points out that the judgment of the Markets Court of 9 October 2019 is still pending before the Court of Cassation and that, pending that judgment, it cannot simply be claimed that Articles 5.1(d), 12 and 16 of the AVG are not complied with because of the lack of display of diacritical marks.
23. The defendant's submissions state that it was initially foreseen to implement diacritical marks in its ICT systems as part of the UNITE ICT project already under way in 2019 within the Y Group, which aimed to upgrade the systems and applications of the Y entities in Belgium and those of the Y entities in the Netherlands, but that the UNITE project proved to be too ambitious, with the result that in 2020 the defendant had to implement the necessary technical system changes under separate management, i.e. without Y Netherlands. On the basis of this statement, the Litigation Chamber finds that there was an intention to implement diacritical marks in the defendant's applications, but that this did not take place because of the course taken by the UNITE project in which the defendant participated. The defendant now concludes that the inclusion of diacritical marks in the applications exceeds the bounds of reasonableness, whereas Article 5.1(d) of the AVG merely requires the defendant to take every reasonable step to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
24. Based on the inspection report, the Litigation Chamber notes that the central customer system, which is at the core of the bank in that customer data are stored centrally and retrieved from there by adjoining systems, is a mainframe system that was put into use in 1995. Although diacritical marks were added to the EBCDIC table, the defendant made no changes to the central customer system, which supports EBCDIC. This means that the defendant did not make use of this opportunity to adapt its system.
25. Although the defendant disputes the reasonableness of implementing this measure, the Litigation Chamber is of the opinion that it is part of the normal expectations of a customer whose personal data are processed in the context of his financial relationship with the bank that his name is correctly displayed, precisely in view of the importance of correct data in the provision of financial services and the supply of financial products. The Litigation Chamber also refers in this regard to the judgment of the Markets Court of 9 October 2019, which states that a correctly operating banking institution may be expected to have a computer program that meets current standards, to which the above-mentioned right to the correct spelling of the name may be added. The Court adds that the right to rectification is a fundamental right [2]. It therefore seems reasonable for the bank to use the measures at its disposal to process customers' names with diacritical marks, and thus to adapt the mainframe system in use since 1995 to current possibilities. With regard to the defendant's argument that such an adaptation would require significant time and investment, not only in its central customer system but also in the underlying or adjacent systems, and cannot therefore be considered reasonable, the Litigation Chamber observes that this is generally inherent in any fundamental change of systems, all the more so in the case of old systems such as the one at issue here. The need to devote time to and invest in IT systems suitably adapted to process diacritical marks is not, contrary to what the defendant maintains, limited to an absolute minority of requests for correction, but is necessary in the interests of every customer whose name contains diacritical marks. Indeed, the starting point should be that the defendant, like any controller, makes every effort to process correct data and does not adopt a 'wait and see' approach, i.e. take action only following a customer's request for the amendment of his name.
26. The Litigation Chamber is therefore of the opinion that the defendant's inability, to date, to correct the name of customers requesting the display of diacritical marks in their name constitutes an infringement of Article 5.1(d) of the AVG. It also constitutes an infringement of Article 16 of the AVG, since the defendant is not in a position to respect the right to rectification fully. The defendant submits that all requests for rectification or correction are implemented, except for requests to adapt diacritical marks. This leads the Litigation Chamber to conclude that the defendant has not given effect to every exercise of the right to rectification. However, the right to rectification must be respected in all its facets.
27. However, in determining the sanction for these breaches, the Litigation Chamber takes into account the defendant's undertaking to implement all the necessary changes by 15 November 2021 in order to be able to reproduce diacritical marks in names and first names in its applications. In this obligation of result, the defendant makes two caveats, of which the Litigation Chamber takes note:
1° In accordance with the globally applicable industry standard, bank cards do not bear diacritical marks. If the defendant were to include them, this could lead to problems in the use of the bank card, both online and offline. Also with regard to electronic payment transactions (SEPA), all Belgian banks have jointly decided to limit themselves to the standard character set without diacritical marks.
2° The display of diacritical marks on printed credit card statements will only be available at a later date.
During the hearing of 22 November 2021, the defendant demonstrated by means of a presentation that the necessary steps had been taken to incorporate diacritical marks in customers' names, allowing the Litigation Chamber to conclude that there has been progress in this respect. Specifically with regard to the complainant in Decision 01/2019 of 15 May 2019, the defendant also demonstrates that the diacritical mark in his name is processed.
[2] The judgment of the Markets Court is drafted in the following terms:
"[...]
The fact that it would require a technical 'effort' to use a computer program that does place accents on capital letters is neither serious nor relevant.
To state now (in the year 2019!) that adapting a computer program would require several months of work and/or additional financial costs for the banking institution does not allow NV Y BELGIUM to disregard the rights of the person concerned. The rights granted to the person concerned are equivalent to obligations to produce a result on the part of the processor of the personal data.
A correctly functioning banking institution may be expected - if it uses a computer program - to have a computer program that meets current standards, including the above-mentioned right to the correct spelling of the name. The right to rectification is a fundamental right.
[...]"
28. With respect to Article 12 AVG, the Litigation Chamber finds that the defendant adequately demonstrates that there is transparent communication with customers to inform them about the exercise of their rights, and that the necessary means are made available for the exercise of those rights, thereby facilitating that exercise. In addition, it is not apparent from the inspection report that the defendant does not provide transparent communication (Article 12.1 AVG). The inspection report merely shows that it is not technically possible for the defendant to comply with a request for rectification concerning diacritical marks. That does not prevent the defendant from facilitating the exercise of its customers' rights (Article 12.2 AVG) via the online banking applications or with the assistance of the front office staff; however, the defendant is not in a position to respond appropriately and to proceed without delay to rectification in so far as the request concerns diacritical marks (Article 16 AVG). It follows that no infringement of Article 12 of the AVG can be established.
29. Concerning the defendant's assertion that the Litigation Chamber cannot find an infringement of Articles 5.1(d), 12 and 16 of the AVG on account of the lack of display of diacritical marks because of the proceedings pending before the Court of Cassation, brought by the defendant against the judgment of the Markets Court rendered following Decision 01/2019 [3] of the Litigation Chamber, the Litigation Chamber points out that an appeal in cassation is an extraordinary legal remedy that has no suspensive effect. This means that the judgment of the Court of Appeal has full effect pending the judgment of the Court of Cassation, and that the Inspectorate was able to seize the Litigation Chamber by means of the inspection report of 23 March 2021, so that the Litigation Chamber can now take the present decision on the merits.
[3] Decision 01/2019 of 15 May 2019 regarding a complaint for failure to comply with a request to correct the spelling of a name.
Article 25 AVG
30. The defendant submits that the Inspectorate finds an alleged breach of Article 25 AVG but does not explain what this breach would consist of.
31. The Litigation Chamber considers that the inspection report clearly demonstrates that the defendant continues to use for its central customer system a mainframe put into service in 1995 and that, notwithstanding the technical possibility of incorporating and processing diacritical marks, it has chosen not to adapt its system accordingly. In accordance with Article 25 of the AVG, the state of the art, which allows diacritical marks to be processed, requires the defendant to implement appropriate technical and organisational measures designed to implement the data protection principles, including the principle of accuracy, in an effective manner, and to integrate the necessary safeguards into the processing in order to meet the requirements of the AVG and protect the rights of data subjects.
32. The defendant points out that Article 25 AVG also refers to the cost of implementation as a criterion for determining the appropriate measures, as well as to the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing. In that regard, the defendant claims that there is no risk whatsoever as regards the identification of the person on the basis of the use of a given name without display of the specific diacritical mark. Moreover, the implementation of a very complex IT project involving adjustments to numerous systems requires a great deal of time and investment in order to respond to an absolute minority of requests for correction, which, in the defendant's view, means that the risk to the rights and freedoms of natural persons is extremely limited in terms of severity and likelihood.
33. The defendant's assertion that there is no risk of identification of the data subject in the absence of the processing of diacritical marks, and the extremely limited risk alleged by the defendant given the small number of requests for correction of diacritical marks, cannot, in the opinion of the Litigation Chamber, justify the defendant's entirely failing, as in the present case, to implement any measure to comply with possible requests for correction.
34. Furthermore, the defendant refers to Guidelines 4/2019 on Article 25, Data protection by design and by default [4], which state, in relation to the accuracy of data, that the requirements of Article 5.1(d) of the AVG must be considered in relation to the risks and consequences of the concrete use of the data. From that the defendant infers that the measure consisting in the inclusion of diacritical marks in its systems is not proportionate to the risks for the data subject. However, the defendant disregards the fact that the Guidelines, in the design and default elements on accuracy, specifically as regards erasure/rectification, provide that the controller must erase or rectify inaccurate data without delay. The Guidelines thus confirm what Article 5.1(d) of the AVG stipulates, namely that every controller has the obligation to erase or rectify inaccurate data without delay, and it is thus not up to the controller to decide, on the basis of financial considerations or a risk analysis, whether or not to accede to a request to erase or rectify inaccurate data.
35. The defendant's failure to adapt its IT systems in order to enable the processing of diacritical marks in customers' names, if so requested, constitutes an infringement of Article 25 of the AVG. The fact that the defendant shows that in the meantime, namely since Decision 01/2019 of 15 May 2019, it has already made numerous efforts to make its systems AVG-compliant with regard to the processing of diacritical marks is an important element in determining the penalty for this infringement. However, it cannot retroactively undo the infringement.
36. In view of the efforts which the defendant has meanwhile made and the limited gravity of and risk to the fundamental rights of the persons concerned, in the light of recital 75 of the AVG, the Litigation Chamber decides, despite having found infringements of Articles 5.1(d), 16 and 25 AVG, not to impose a penalty for those infringements. It therefore orders a dismissal pursuant to Article 100, §1, 2° WOG.
Articles 5.2 and 31 AVG
37. The report of the Inspectorate shows several times that the defendant needed several letters to formulate concrete answers to the questions asked, from which the Inspectorate concludes that the defendant did not comply with its duty of accountability and cooperation. The Inspectorate also finds it strange that little structured and overarching information is available to follow up on the adjustments. Apart from general information about the AGILE approach and the preliminary study phase, the defendant, according to the Inspectorate, cannot provide any information that demonstrates any progress in the file or concrete results that could have a positive impact on the person concerned and the exercise of his or her rights and freedoms.
[4] https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_nl.pdf
38. However, on the basis of the documents provided by the Respondent, the Litigation Chamber must find that the Respondent is able, by means of the necessary documentation, to demonstrate the extent to which the AVG is complied with. Not only does the Respondent have an internal guide and documentation of the procedures for exercising data subjects' rights, but it also has specific documentation relating to the IT project to implement diacritical marks and the processes demonstrating the progress of that project. In this way, the steps already taken and still to be taken are documented. The explanation given by the Respondent for the time taken to answer the Inspectorate's questions in several phases is that further analysis was required to determine which applications could be affected by the addition of diacritical marks, and that this was not immediately possible. The Respondent submits that time was needed to carry out analyses and tests in order then to implement the changes in a controlled manner without endangering the stability of its systems. In this regard, the Litigation Chamber finds, on the basis of the documents before it, that the Respondent has documentation that unmistakably demonstrates the progress of the dossier and concrete results, so that no breach of Article 5.2 AVG can be identified.
39. The Litigation Chamber also assessed the Inspectorate's findings in the light of the Respondent's duty of cooperation and found that the Inspectorate has insufficiently demonstrated that the Respondent did not attempt, by means of its reply letters, to answer the questions posed in a comprehensive and careful manner. In addition, the Respondent stated on several occasions that it was prepared to enter into further consultation, so that it cannot be established that it failed to fulfil its obligation to cooperate with the supervisory authority.
40. The Litigation Chamber therefore finds that no violation of Article 31 AVG can be established. This finding is based on factual findings, so that it is not necessary in this case to give an opinion in principle on the scope of the duty to cooperate.
b) Principle of data minimisation (Article 5.1(c) AVG), integrity and confidentiality (Article 5.1(f) AVG), accountability (Article 5.2 AVG), responsibility of the controller (Article 24 AVG), data protection by design and by default (Article 25 AVG) and security of processing (Article 32 AVG)
41. The Inspectorate notes that the Respondent uses the surname of the complainant5 in:
- internal notes for and presentations to the Data Council;
- email traffic and ICT testing,
relating to the ICT programme in connection with the use of diacritical marks.
5 The Inspectorate refers to the complainant in Decision No. 01/2019 of 15 May 2019.
42. The Inspectorate concludes that this processing activity by the Respondent is a violation of Articles 5.1(c) and (f), 5.2, 24, 25 and 32 AVG, on the basis of the consideration that the use of the complainant's surname is not necessary for the purpose for which it is processed and could therefore be avoided. The project or the case could bear another name, and the complainant's surname has no added value. According to the Inspectorate, there are various words in other languages with diacritical marks that could be used for this purpose; the use of the complainant's surname could be stigmatising, and by spreading it throughout its organisation the Respondent loses control over it. The inspection report concludes that using the surname as a "test person" or as a "case" is not proportionate to:
- the application of the basic principles of "data minimisation" and "integrity and confidentiality";
- the appropriate technical or organisational measures to be taken;
- ensuring the confidentiality, integrity, availability and resilience of its processing systems and services;
- the contractual (banking) duty of discretion, i.e. the discreet processing of the personal data by the Bank vis-à-vis the Customer.
43. The Litigation Chamber states that the complainant's surname in Decision No. 01/2019 of 15 May 2019 does constitute personal data within the meaning of Article 4.1) AVG, as the complainant is identifiable on the basis of Decision No. 01/2019 taken by the Litigation Chamber and the judgment of the Market Court of 9 October 2019, in each of which the Respondent was a party, so that the complainant's identity was known to it. This implies that the complainant can be directly identified within the Respondent's organisation on the basis of his surname alone, since they were both parties to the dispute. According to the Litigation Chamber, the use of the surname as a project name should be regarded as processing based on the legitimate interest of the Respondent (Article 6.1(f) AVG).
44. In accordance with Article 6.1(f) AVG and the case-law of the Court of Justice of the European Union (hereinafter "the Court"), three cumulative conditions must be met in order for a controller, here the Respondent, to be able validly to rely on this ground of lawfulness, "namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence" (Rīgas judgment6).
45. In order to rely on the legal ground of "legitimate interest" under Article 6.1(f) AVG, the controller must demonstrate that:
- the interests it pursues with the processing can be recognised as legitimate (the "purpose test");
- the intended processing is necessary to achieve those interests (the "necessity test"); and
- the balancing of those interests against the interests, fundamental freedoms and fundamental rights of the data subjects weighs in favour of the controller (the "balancing test").
46. As regards the first condition (the so-called "purpose test"), the Litigation Chamber is of the opinion that the purpose of implementing both the above-mentioned decision of the Litigation Chamber and the judgment of the Market Court7 can be regarded as pursuing a legitimate interest. The interest pursued by the Respondent as controller can in itself be considered legitimate pursuant to recital 47 AVG. Consequently, the first condition laid down in Article 6.1(f) AVG is fulfilled.
47. In order to satisfy the second condition, it must be demonstrated that the processing is necessary to achieve the purposes pursued. This means in particular examining whether the same result could be achieved by other means, without processing personal data or without processing that is unnecessarily burdensome for the data subject.
48. As the Respondent was a party to each of the proceedings before the Litigation Chamber and the Market Court, the identity of the complainant was thus already known to a limited circle of persons within the Respondent's organisation.
49. Moreover, the Respondent states that the surname was used in purely internal and confidential documents within the Data Council, which consists of only 7 members, and in some emails limited to the strictly necessary persons involved in the project. None of the documents shows that the processing of the complainant's surname would have been unnecessarily intrusive for the data subject. The Litigation Chamber therefore finds that the Respondent did not process the data subject's surname in disregard of the principle of data minimisation, so that the second condition is satisfied.
6 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA "Rīgas satiksme", paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40.
7 See in the same sense Decision on the merits 35/2020 of 30 June 2020, para. 28.
50. In order to verify whether the third condition of Article 6.1(f) AVG (the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other) is fulfilled, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it must be evaluated whether the data subject "at the time and in the context of the collection of the personal data, can reasonably expect that processing for that purpose may take place"8.
51. This is also emphasised by the Court in its judgment TK v Asociaţia de Proprietari bloc M5A-ScaraA of 11 December 20199, in which it states: "Also relevant to this balancing exercise are the reasonable expectations of the data subject that his or her personal data will not be processed if, in the circumstances of the case, that data subject cannot reasonably expect further processing of the data."
52. It follows from both Decision No. 01/2019 taken by the Litigation Chamber on 15 May 2019 and the judgment of the Market Court of 9 October 2019 that the Respondent had to adapt its applications, at least as regards the processing of diacritical marks in the data subject's surname. This necessarily implies that the data subject could reasonably expect10 that his surname would be used within the Respondent's organisation in order to meet the requirements laid down in the aforementioned decision of the Litigation Chamber and in the judgment of the Market Court.
8 Recital 47 AVG.
9 CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 58.
10 Recital 47 AVG: "The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (emphasis added by the Litigation Chamber)
53. All of the above elements lead the Litigation Chamber to conclude that the Respondent lawfully processed the data subject's surname within its organisation on the basis of Article 6.1(f) AVG, and that there are no elements showing that the Respondent acted contrary to the requirements of the AVG, so that no infringement of Articles 5.1(c) and (f), 5.2, 24, 25 and 32 AVG was committed by the Respondent.
c) Position of the Data Protection Officer (Articles 38.3 and 38.6 AVG)
54. With regard to the position of the Data Protection Officer, the Inspectorate's report establishes that there is a conflict of interest on his part and that he does not report directly to the highest management level.
55. With regard to the requirement to report directly to the highest management level (Article 38.3 AVG), the Respondent emphasises that the DPO reports to the Executive Committee, also referred to as the Management Committee, and that this is done through the Chief Risk Officer (CRO), who himself sits on the Executive Committee, being the highest management body. The Respondent emphasises that the reporting line does indeed go directly from the Data Protection Officer to the Executive Committee. Reporting to a body can only be done through a natural person, in this case the CRO, who serves as the point of access to that body. The Respondent justifies the choice of the CRO by the fact that he is the member of the Executive Committee who is the privileged interlocutor of the Risk Committee, which takes cognisance of all important privacy-related issues.
56. The DPO is himself a permanent member of the Data Council, which is a delegated subcommittee and extension of the Executive Committee, whereby the decisions of the Data Council are binding on the Executive Committee. The Respondent underlines that the Data Protection Officer's seat on the Data Council constitutes a form of reporting to the highest level.
57. The Respondent also adds that the Executive Committee is a collegiate body, in which the CEO has one vote in the decision-making process, as do all its other members. The Respondent emphasised at the hearing that the DPO does not have to report to the highest individual within the highest body, namely the CEO, but that reporting to the highest body is sufficient. Moreover, all other members of the Executive Committee, including the CEO, are responsible for departments that process data. According to the Respondent, it therefore cannot be argued that any particular member of the Executive Committee would be more neutral than the other members.
58. On the basis of the documents substantiating the explanation provided by the Respondent, the Litigation Chamber finds that no violation of Article 38.3 AVG can be established.
59. As regards the Inspectorate's finding that there is a conflict of interest (Article 38.6 AVG) on the part of the Data Protection Officer because he is also the head of Operational Risk Management (ORM), Information Risk Management (IRM) and the Special Investigation Unit (SIU), the Respondent argues that the head of those departments does not have decision-making powers at the level of the purposes and means of the operational processing of personal data, but only a purely advisory and supervisory power.
60. At the hearing, the Litigation Chamber examined the impact that the Data Protection Officer has on decision-making by virtue of his other functions.
61. The Litigation Chamber notes that the Respondent, in its submissions, stresses the purely advisory and supervisory competence of each of the three departments, namely Operational Risk Management, Information Risk Management and the Special Investigation Unit. The Respondent believes that this allows it to argue that the DPO has no duties (including through his functions in each of the departments concerned) that would enable him to take decisions about the purposes and means of any processing of personal data.
62. The Litigation Chamber considers that this does not demonstrate that the Data Protection Officer, who is also the head of each of those departments and therefore holds a position of responsibility within them, would not carry out tasks incompatible with his position as Data Protection Officer.
63. In this regard, the Litigation Chamber notes that the advisory and supervisory role of the departments as such does not mean that they do not determine the purposes and means of data processing.
64. The Litigation Chamber must assess how and to what extent the independence of the Data Protection Officer in relation to each of these three departments, of which he is the head, is ensured.
65. The Respondent itself thus appoints the same natural person as the person responsible for each of the three departments and as the Data Protection Officer. This responsibility for each of those three departments undeniably means that, in that capacity, he determines the purposes and means of the processing of personal data within those three departments and is thus responsible for the data processing processes that fall under the domain of Operational Risk Management, Information Risk Management and the Special Investigation Unit, as established in the inspection report.
66. The Article 29 Working Party Guidelines on Data Protection Officers11 explain that the Data Protection Officer cannot hold a position within the organisation that leads him or her to determine the purposes and means of the processing of personal data. Such a position entails a substantial conflict of interest. The role of controller of a department is thus incompatible with the function of Data Protection Officer, who must be able to perform his or her tasks independently. By combining in the same natural person the function of controller for each of the three departments concerned on the one hand, and the function of Data Protection Officer on the other, each of those three departments lacks any possible independent supervision by the Data Protection Officer. In addition, the combination of these functions may mean that secrecy and confidentiality vis-à-vis staff members in accordance with Article 38.5 AVG cannot be sufficiently guaranteed.
67. The Respondent seeks to rebut the existence of a conflict of interest in respect of the DPO by arguing that the IRM, ORM and SIU departments are part of the second-line function, which includes only supervisory and control functions. According to the Respondent, the head of these departments, who is also the Data Protection Officer, has no decision-making power at the level of the purposes and means of the operational processing of personal data, but only an advisory and supervisory power. The Respondent considers that this reasoning is supported by Decision 56/2021 of 26 April 2021.
68. As also provided for in the Article 29 Working Party Guidelines on Data Protection Officers12, the Litigation Chamber considers that the assessment of any conflict of interest must be carried out on a case-by-case basis, taking into account the specific organisational structure of each organisation. The Litigation Chamber therefore assesses in concreto.
11 "Article 38(6) allows DPOs to 'fulfil other tasks and duties'. It requires, however, that the organisation ensure that 'any such tasks and duties do not result in a conflict of interests'. The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case. As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues. Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors:
- to identify the positions which would be incompatible with the function of DPO;
- to draw up internal rules to this effect in order to avoid conflicts of interests;
- to include a more general explanation about conflicts of interests;
- to declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement;
- to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally."
WP243 rev.01, para. 3.5, underlining by the Litigation Chamber. These guidelines have been endorsed by the European Data Protection Board (EDPB).
12 See above, footnote 11.
69. Although the Respondent maintains that the three departments in question belong to the second-line function, so that these departments do not introduce any processing themselves but only supervise, set frameworks and carry out checks, the Litigation Chamber inquired at the hearing into the relationship between the second-line and first-line functions, in order to ascertain whether the second-line function can fulfil its advisory and supervisory role without determining the purposes and means of any processing carried out by itself and by the first-line function. Specifically, the Litigation Chamber found at the hearing that if the second-line function is to exercise its supervisory and monitoring powers, it also needs information from the first-line function in order to do so. This is also apparent from the register of processing activities, which lists a large number of categories of personal data processed by the second-line function. According to the Litigation Chamber, this clearly shows that personal data are processed by the second-line function, for which it determines the purposes and means.
70. The Respondent's response to this is that taking note of, i.e. reading, personal data is not sufficient to qualify as processing of personal data. The Respondent draws a comparison with an employee who consults personal data in the course of his or her work but does not himself or herself act as a separate controller. According to the Respondent, a different interpretation would lead to each employee being regarded as a separate controller.
71. With regard to the categories of personal data processed by the second-line function as indicated in the register of processing activities, the Respondent argues that these were listed "out of prudence", because the second-line function may become aware of those personal data in the performance of its tasks. Again, the Respondent adds that the second-line function is not responsible for the processing of personal data, but may become aware of certain categories of personal data only through the exercise of its supervisory powers, and that the second-line function will never be able to determine how personal data are entered and processed within the bank.
72. The Litigation Chamber notes that consulting personal data does constitute processing within the meaning of Article 4.2) AVG. It should be noted here that the processing of personal data does not result in the person carrying out the processing, such as an employee, being regarded as a separate controller. The controller is the one who determines the purposes and means of the processing within the meaning of Article 4.7) AVG. The second-line function, as an entity within the controller, determines the purposes and means of the processing of the personal data that the first-line function is required to supply to it, and thus contributes to determining the purposes and means of the processing carried out by the first-line function, so that the second-line function can fulfil its own supervisory and advisory role. This follows indisputably from the register of processing activities. It follows that the Data Protection Officer, who also holds the position of head of the ORM/IRM/SIU departments, determines the purposes and means of the data processing operations carried out by the first-line function to the extent that this information is necessary for the tasks entrusted to the second-line function, and then also determines the purposes and means of the data processing carried out by the second-line function.
73. This leads the Litigation Chamber to conclude that the combination of the capacity of Data Protection Officer with the function of Head of Service of the three departments ORM/IRM/SIU is not sustainable without a conflict of interest on the part of the Data Protection Officer. Consequently, the Litigation Chamber finds that the breach of Article 38.6 GDPR has been proven.
74. It is important that the Data Protection Officer is able to perform his or her duties and tasks with respect for the position assigned to him by Article 38 GDPR, in particular that he can act without any conflict of interest. The Litigation Chamber therefore instructs the Respondent to bring the processing into line with Article 38.6 GDPR in this respect and thus to ensure that these tasks or duties do not give rise to a conflict of interest.
75. Taking into account that the GDPR has assigned a key role to the Data Protection Officer by giving him an informing and advising role vis-à-vis the controller on all matters relating to the protection of personal data, including the notification of data breaches, the Litigation Chamber also imposes an administrative fine.
76. In addition to the corrective measure to bring the processing into line with Article 38.6 GDPR, the Litigation Chamber also decides to impose an administrative fine, which does not aim to put an end to a violation committed, but aims to ensure vigorous enforcement of the rules of the GDPR. As is clear from Recital 148, the GDPR requires that, for serious breaches, penalties, including administrative fines, be imposed in addition to or instead of appropriate measures.13 The Litigation Chamber does so in application of Article 58.2(i) GDPR. The instrument of the administrative fine therefore does not aim in any way to terminate infringements. To that end, the GDPR and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG.
77. First of all, the nature and seriousness of the infringement is taken into account by the Litigation Chamber in order to justify the imposition of this sanction and its amount.
78. In this regard, the Litigation Chamber finds that, although there is no evidence of an intentional breach, there is evidence of gross negligence on the part of the Respondent. Although the Data Protection Officer is a function that was first made mandatory at the European level in the GDPR, the concept of a data protection officer is not new and has existed for a long time in many Member States and in many organisations.14
79. Moreover, already on 13 December 2016, the Article 29 Working Party adopted guidelines on data protection officers. These guidelines were revised on 5 April 2017 after a wide public consultation. As shown below, these guidelines are clear on the extent to which the data protection officer can also fulfil other functions within the company, which must be assessed on a case-by-case basis, taking into account the organisational structure specific to each organisation.
80. In short, in the opinion of the Litigation Chamber, there is no doubt that combining the position of data protection officer with a position as head of a department (in which personal data are also processed) which the data protection officer must supervise cannot be done in an independent manner.
81. An organisation such as the Respondent may be expected to have carefully prepared for the introduction of the GDPR, already from the time of its entry into force pursuant to Article 99 GDPR in May 2016. After all, the processing of personal data is a core activity of the Respondent, which moreover processes personal data on a very large scale.
82. The duration of the breach is also taken into consideration. The function of data protection officer was created in the GDPR, applicable since 25 May 2018, so that the breach of Article 38.6 GDPR is established from that date. In any event, the breach lasted until the date on which the full-time appointed Data Protection Officer took up his duties, i.e. 1 July 2021.
83. Finally, the Respondent processes personal data of a huge number of people. Ineffective safeguards for the protection of personal data, in particular through the appointment of a data protection officer who does not meet the requirement of independence and is therefore not free from any conflict of interest, thus have a potential impact on a huge number of data subjects.
13 Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process."
14 See, inter alia, WP243Rev01, para 1.
84. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction within the meaning of Article 83 GDPR, taking into account the assessment criteria laid down therein, in the amount of EUR 75,000. The Litigation Chamber points out that the other criteria of Article 83.2 GDPR are not, in this case, of such a nature that they lead to an administrative fine other than that determined by the Litigation Chamber for the purposes of this decision.
85. The mitigating circumstances referred to by the Respondent in its response to the Litigation Chamber's intention to impose an administrative fine, namely the absence of harm to the data subjects (Article 83.2(a) GDPR); the measures taken to detect and prevent potential conflicts of interest in a timely manner, notably by implementing appropriate policies and mechanisms as described in the conclusion (Article 83.2(c) GDPR); the absence of previous relevant infringements (Article 83.2(e) GDPR); as well as the cooperation in good faith with the GBA (Article 83.2(f) GDPR), are taken into account by the Litigation Chamber when determining the amount of the administrative fine.
86. To answer the Respondent's objection concretely, the Litigation Chamber states that it has not been established that there was any damage on the part of the data subjects, nor have any previous infringements been identified. This finding leads the Chamber to reduce the initially proposed amount of the administrative fine from EUR 100,000 to EUR 75,000.
87. As regards the implementation of policies and mechanisms to avoid conflicts of interest, the Litigation Chamber notes that these were adopted late, i.e. well after the entry into force15 as well as the applicability16 of the GDPR. The Conflicts of Interest Policy dates from 20 January 2020 and the specific DPO policy was implemented on 12 October 2020, following decision on the merits no. 18/2020 of 28 April 2020; as mentioned in the conclusion, a full-time DPO was not appointed until 1 July 2021. This means that, although the Respondent cooperated with the GBA to remedy the breach and mitigate its potential negative effects, this took place well after the entry into force and application of the GDPR, which has an impact on the duration of the breach (see the paragraph on the duration of the breach above).
15 Pursuant to Article 99.1 GDPR, the GDPR entered into force on 25 May 2016.
16 Article 99.2 GDPR provides that the GDPR applies from 25 May 2018.
88. As to the amount of the fine, the Respondent argues that the fine is higher than the one imposed for an identical infringement in decision on the merits no. 18/2020 of 28 April 2020, whereas the Respondent claims that its consolidated turnover is lower, that it has already taken measures to address the GBA's concerns and that it has a smaller market position.
89. The Litigation Chamber states that the maximum amount of the administrative fine for a violation of Article 38 GDPR is determined by Article 83.4 GDPR.17 The amount of the fine imposed in this decision is significantly lower than the maximum amount laid down in Article 83.4 GDPR, in view of the circumstances taken into account by the Litigation Chamber. Moreover, the Litigation Chamber evaluates the concrete elements of each case individually in order to impose an appropriate penalty.18 The reference by the Respondent to decision on the merits no. 18/2020 of 28 April 2020 concerns the same infringement, namely the existence of a conflict of interest on the part of the Data Protection Officer (Article 38.6 GDPR), but otherwise the Litigation Chamber must take into account all factual elements that are specific to each case, whereby in this case the duration of the breach is an important element which justifies the imposition of a fine of EUR 75,000, for which the Litigation Chamber based itself on the Respondent's consolidated annual accounts.
d) Register of processing activities (Article 30 GDPR)
90. With regard to the register of processing activities, the Inspectorate makes the following findings, as summarised below:
- The register of processing activities of the ORM/IRM/SIU19 services is incomplete;
- the register of processing activities contains only three processing operations, namely one processing activity for each of the services. The Inspectorate finds this strange, since in each of the three services there are different processing activities within the second-line function, so that it is rather abnormal to combine these processing activities into a single processing activity;
- the Respondent failed to provide a complete list of all purposes of the processing of personal data in accordance with Article 30.1(b) GDPR;
- the following information is not visible in the register of processing activities:
  - the name and contact details of the data protection officer, in accordance with Article 30.1(a) GDPR;
  - the envisaged time limits for erasure of the different categories of data, in accordance with Article 30.1(f) GDPR;
  - a description of the technical and organisational security measures, in accordance with Article 30.1(g) GDPR.
- The register of processing activities should be complete and clear in itself, but the following terms are not explained: "12. TIN" and "S9. Criminal data". Also, the description of the purposes of the processing is vague: "E7_To support the activities to safeguard and ensure the security and integrity of Y and/or the financial sector" and "C6_Compliance with legal obligations", and does not accurately reflect the processing activity and processing purpose of these services of the Respondent.
- Specifically with regard to the SIU service, the register of processing activities states that personal data relating to criminal convictions and offences are processed, with the statement "S9. Criminal data". The Inspectorate finds it strange that this is not specifically explained.
17 Article 83.4 GDPR: "Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; [...]"
18 See in this respect the judgment of the Market Court of 7 July 2021, roll number 2021/AR/320, NV Nationale Dienst voor Promotie van Kinderartikelen (N.D.P.K. N.V.) v. GBA, p. 42.
19 Operational Risk Management (ORM) / Information Risk Management (IRM) / Special Investigation Unit (SIU)
91. With regard to these findings by the Inspectorate, the Respondent submits the following:
- Except for the enumeration of the elements that must be included in the register and the obligation to communicate the register to the supervisory authority upon request, the GDPR does not impose any other legal obligation concerning the register. According to the Respondent, by its findings in the inspection report the Inspectorate seems to want to set the threshold higher than the legal requirements in this respect. The Respondent adds and demonstrates that it has additionally taken into account Recommendation no. 06/2017 of 14 June 2017 of the Commission for the Protection of Privacy;
- With regard to the vague terms and the vague description of the purposes of the processing, the Respondent argues that the register is an internal tool and resource for the controller. The Respondent acknowledges that the register also serves as a source of information for the GBA and in that sense it should also be understandable for the GBA itself. However, it is not excluded that the controller may still provide the GBA with an explanation of certain internal terminology used in the register. Article 30.1 GDPR requires that the register of processing activities contain a description of the categories of personal data, as well as the purposes of the processing, but does not contain any concrete obligations regarding the level of detail of these categories of personal data and purposes. The aforementioned Recommendation no. 06/2017 does, however, provide examples of categories of personal data and purposes which are of a similarly 'general' nature. As regards the concepts and purposes identified by the Inspectorate as vague, the Respondent states that these were defined in another internal document. The definitions from that document, both with regard to the categories of personal data and the purposes, were taken up in the register and were already available in the register by clicking on the relevant terms;
- The Respondent emphasises that the Inspectorate has only used the register for the processing activities of the ORM/IRM/SIU services and not the full register. The document supplied by the Respondent was a limited extract from the register and only contained details of the processing activities of the departments concerned;
- The processing activities of the ORM, IRM and SIU services are further explained by the Respondent. It states that the IRM and ORM services are primarily of an advisory nature, without actually having any executive function in the area of the processing of information and/or personal data. It concerns very limited processing, grouped in the register under one processing activity for each of the two services. A number of processing activities that the Inspectorate ascribes to the IRM and ORM services respectively relate to activities that are described elsewhere in the register under the responsible departments. As far as the SIU service is concerned, the activities are also described, and here, too, they were grouped in the register extract as one processing activity. The Respondent emphasises again that the GDPR does not prescribe a specific required level of detail;
- With regard to the information missing from the register of processing activities according to the inspection report, the Respondent argues that the name and contact details of the Data Protection Officer are contained in a large number of internal documents and are thus well known within the Respondent's organisation, but that those data concerning the Data Protection Officer did not appear in the extract from the register of processing activities for technical reasons. As regards retention periods and technical and organisational measures, Article 30 GDPR requires the register to contain this information where possible, but does not as such make it mandatory to mention them in the register itself. The Respondent submits that, for pragmatic reasons and for the sake of greater clarity, it decided to describe this information in a separate document.
92. Based on the defence and the supporting documents, the Litigation Chamber decides that there has been no infringement by the Respondent of Article 30 GDPR.
III. Publication of the decision
93. In view of the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this purpose to publish the identification details of the parties directly.
(signed) Hielke Hijmans
President of the Litigation Chamber
FOR THESE REASONS, 
the Litigation Chamber of the Data Protection Authority, after deliberation, decides to:
- Pursuant to Article 100, §1, 2° WOG, to dismiss the complaint regarding the violation of Articles 5.1 d), 16 and 25 GDPR;
- On the basis of Article 100, §1, 13° and Article 101 WOG, to impose an administrative fine of EUR 75,000 for the violation of Article 38.6 GDPR.
This decision may be appealed pursuant to Article 108, §1 WOG within a period of thirty days from its notification, before the Market Court, with the Data Protection Authority as defendant.