APD/GBA (Belgium) - 147/2022

From GDPRhub
APD/GBA - 147/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 2(1) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.10.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 147/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: n/a

The Belgian DPA ordered a controller, a vacation park owner, to comply with the principle of data minimisation pursuant to Article 5(1)(c) GDPR. The controller legally processed personal data according to Article 6(1)(b) GDPR to prevent the fraudulent abuse of a swimming pool discount card, but unnecessarily requested photos and degree of kinship of the data subject's family members when their names alone would have sufficed.

English Summary

Facts

The controller was the owner of a ‘vacation park’. The data subject owned one of the apartments in this park.

The controller provided a special membership card for the owners of an apartment which included a discount for access to the swimming pool. Family members, limited to a certain degree of kinship, were also allowed to use this card. Several details had to be provided to use the card, such as the name of the card owner, a photo of every user family member using it, and their degree of kinship to the owner. It became clear from the proceedings that fraudulent use of the card had occurred in the past by loaned it to unauthorized third parties to profit from the discount. The controller used two legal grounds for the processing: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Article 6(1)(f) GDPR, however, was only recently added as a legal ground. The data subject filed a complaint at the DPA, stating that he wanted to access the pool with a discount without providing the photos of the users of the card and their degree of kinship.

Holding

The DPA held that the controller could rely on Article 6(1)(b) GDPR to regulate access to its swimming pool. The DPA stated that according to Article 13(1)(c) GDPR, the controller should mention the legal basis and the purpose of the processing to the data subject before it starts processing personal data. The controller had mentioned in the contract with the data subject that it would have the possibility to regulate access to the pool. Therefore, the controller could rely on Article 6(1)(b) GDPR.

The DPA did however state that the controller could not rely on Article 6(1)(f) GDPR because this legal ground was added to the privacy policy after the processing had already started. Nevertheless, this finding did not affect the decision since the DPA held that one legal ground was enough for the controller to process personal data.

The DPA did however determine that the controller violated Article 5(1)(c) GDPR, stating that personal data could only be processed when the goal of the processing could not be reached any other way. The DPA held that identifying data subjects for preventing fraud was a specified, explicit and legitimate purpose in the context of Article 5(1)(b) GDPR. However, the DPA continued by stating that only providing names of the people who could use the card was sufficient for reaching the goal of preventing fraud. The DPA disagreed with the controller here, who stated that it would be necessary to also load a photo and degree of kinship on the card, and read this card automatically with an ID-Card reader, every time the card was used at the pool. The DPA held that this was not necessary for the intended goal and determined that this could even entail automatic processing (Article 2(1) GDPR).

Regarding the obligatory photo, the DPA was of the opinion that a human check at the reception was sufficient to prevent fraud and that providing a photo was therefore unnecessary. The DPA also stated that such a visual check would not even fall under the GDPR. The DPA also held that it was not necessary to provide the degree of kinship of family members. The DPA held that this degree of kinship did not provide any additional value, because the controller would not even be able verify this degree of kinship provided by the data subject. Therefore, there was a less privacy intrusive way to reach the intended goal, which resulted in a violation of Article 5(1)(c) GDPR by the controller.

The DPA ordered the controller to bring its processing in compliance with Article 5(1)(c) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/8




                                                                           Dispute room


                                   Decision on the merits 147/2022 of 17 October 2022



File number : DOS-2019-04465


Subject: Digital membership card as access card for a reduced rate



The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs Dirk Van Der Kelen and Christophe Boeraeve, members.


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;


In view of the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Having regard to the documents in the file;


Has made the following decision regarding:



The complainant: Mr X, hereinafter referred to as “the complainant”


The Defendant: Y. Y1. hereinafter referred to as “the defendant” Decision on the merits 147/2022 - 2/8


I. Facts procedure


 1. On December 3, 2019, the complainant submits a complaint to the Data Protection Authority

       against the defendant.


 2. The subject of the complaint concerns the creation of a digital membership card by the
       defendant for holiday home owners and their family members limited to one

       certain degree of kinship in order to give them access at a favorable rate

       to the pool for a large number of swims per holiday home. It is not for that purpose

       only the name of the applicant, also owner of the holiday home, to be provided,

       but also for each user of the card a photo must be uploaded in a
                                                       e e
       data file, as well as the family ties (1 or 2 degree) must be stated. the complainant

       who owns a home in the holiday park wishes to gain access to the
       swimming pool at the preferential rate, but without providing photos and without

       indication of the degree of kinship.


 3. On January 7, 2020, the complaint will be declared admissible by the Frontline Service on the grounds

       of Articles 58 and 60 of the WOG and the complaint on the basis of art. 62, 1 WOG
       submitted to the Disputes Chamber.


 4. On August 11, 2020, the Disputes Chamber will decide on the basis of art. 95, § 1, 1° enart. 98WOG

       that the file is ready for processing on the merits.

 5. On 11 August 2020, the concerned parties will be notified of the provisions

       as stated in article 95, § 2, as well as those in art. 98 WOG. They are also based on

       of art. 99 WOG of the time limits for submitting their defences.

       The deadline for receipt of the defendant's response was

       laid down on September 25, 2020, this for the conclusion of the complainant's reply

       on October 16, 2020 and, finally, for the defendant's reply to the statement on

       Nov 6, 2020.

 6. In the absence of response from the defendant to the invitation to submit

       defenses and with a view to safeguarding the rights of the defence, the

       Dispute Chamber on June 24, 2022, in accordance with Article 52 of the Rules of Procedure

       of internal order to proceed to a hearing which will be scheduled for July 4, 2022.


 7. On June 28, 2022, the defendant requests a copy of the file (art. 95, §2, 3° WOG),
       which was transferred to him the same day.


 8. At the request of the defendant, the date of the hearing is moved to 5

       Sep 2022.

 9. On August 29, 2022, the Disputes Chamber will receive the statement of reply from the

       defendant. In it, the defendant explains that the membership card is an exceptional Decision on the merits 147/2022 - 3/8



       commercial offer to private owners and its unauthorized use

       led to the collection of personal data, including photos of the beneficiaries

       of the map. In court, the defendant argues that the privacy principles as included in

       Article 5.1 a) - d) and f) GDPR are complied with, as well as the accountability principle

       laid down in article 5.2 GDPR. Finally, the defendant argues that the photos cannot be

       are considered biometric data within the meaning of Article 9 GDPR.

 10. On September 5, 2022, the parties will be heard by the Disputes Chamber.


 11. On September 7, 2022, the minutes of the hearing will be sent to the parties

       submitted.


 12. On September 13, 2022, the Disputes Chamber will receive some

       comments with regard to the official report, which it decides to include in

       her deliberation.

 13. On 15 September 2022, the Disputes Chamber will also receive a number of

       comments with regard to the official report, which are included in

       the deliberation.




II. Justification


    a) Legal basis


 14. The defendant argues that the processing of the personal data on the basis of the

       digital membership card, namely the first name and last name, as well as the photo of both
                                                                         e e
       the private owner if each of his family members is limited to the 1 and 2 degree, his basis

       can be found in Article 6.1 b) GDPR. In addition, the defendant invokes his

       legitimate interest (Article 6.1 f) GDPR) to have data processing based on the

       digital map as legitimate.

 15. The Disputes Chamber elaborates on the legal grounds used by the defendant

       cited. In accordance with Article 13.1 c) GDPR, before starting the

       processing activities are determined by the controller which

       legal basis applies, and in relation to what specific purpose, with the 1

       obligation on the defendant to inform the complainant.


 16. Applied specifically to the present file, the Disputes Chamber establishes that the appendix to
                    2 3
       the basic deed concerning the holiday domain in Article 19 provides that the defendant for



1See in this regard the Guidelines 05/2020 on consent in accordance with Regulation 2016/679 (edge nos. 121-
123); https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
2 In the basic deed referred to as: “annex Regulations of Co-ownership and Internal Order”

3Article 19 of the basic deed reads as follows: “Any owner may stay on the domain when it suits him with the
members of his family. He may also receive guests provided they are neither too numerous nor too noisy. The Decision on the merits 147/2022 - 4/8


       will issue appropriate regulations to the visiting relatives or guests or

       charge fees for the use of, among other things, the swimming pool. The Disputes Chamber determines

       that the defendant contractually has the option under the aforementioned provision

       to regulate access to the swimming pool, as the defendant has in practice

       done by providing a preferential rate for the owner and his relatives in 1 and 2

       degree. The complainant acknowledges in his conclusion as well as during the hearing that this system is

       a favorable rate to access the swimming area has been in existence for many years.

       The Disputes Chamber is of the opinion that the basis for this can be found in the basic deed and

       the data processing is thus based on Article 6.1 b) GDPR in order to
                                                            e e
       a holiday home and its family members limited to the 1 and 2 degree via an access card
       be able to enjoy the advantage of access to the swimming pool at

       a discounted rate.


 17. In the following, the question to what extent the processing of the

       personal data by means of the digital membership card as it is currently

       set up, namely with processing the photos of the users of the card as well as the

       indication of the degree of kinship to the owner of the property
       holiday home respects the principle of minimum data processing.


 18. For the sake of completeness, the Disputes Chamber also notes that the legal basis

       ‘legitimate interest’ (Article 6.1 f) GDPR) to which the defendant relies in the subsidiary order

       bases, is invoked by the defendant post factum and the defendant indicates that

       this legal basis was recently added to the privacy statement. The

       The Disputes Chamber repeats that due to the obligation to collect at the time of the collection of
       personal data to provide the legal basis on which the

       controller (Article 13.1 c) GDPR), the defendant before

       When collecting is started, you have to decide what the legal basis is for this. The

       addition of the legal basis 'legitimate interest' after the data collection

       took place, as in the present case, is not in accordance with the requirement that the

       legal basispriortocollectionofthephotosandinformationaboutdegree

       of kinship must be determined and made known to the

       person concerned, being the complainant. However, it is sufficient that there is one valid legal basis

       is present, which in the present case is the agreement that formed the basis of the

       data collection.

 19. It follows from the foregoing that the Disputes Chamber determines that the legal basis on which the

       the complainant primarily invokes the performance of an agreement (Article 6.1 b)


the owner of the lot is responsible for damage caused by his guests
issue appropriate regulations or charge the visiting relatives or guests for the use of, among other things,
swimming pool, sports pond or even for access to the domain. The owner is personally responsible for the
registration of the persons he accommodates under his roof. Other external visitors to the domain will
be subject to the same provisions.” Decision on the merits 147/2022 - 5/8



       GDPR), which constitutes a valid legal basis for the processing by the defendant of the

       personal data by means of the digital membership card. Thus

       it is established that the defendant does not infringe article 6.1 AVG in conjunction with article 13.1 c)

       GDPR has committed.




    b) Minimum data processing principle

 20. The existence of a legal ground that allows the defendant to

       to proceed with data processing in the light of the purpose pursued by him, in

       this case consisting of the granting of an advantage to the owners and a limited

       number of relatives by giving them access to the swimming pool at a favorable rate,

       does not mean that the defendant is obliged to comply with the principle of minimum

       data processing. This means that the defendant must determine how the

       purpose can be achieved on the basis of sufficient data, relevant

       are limited to what is necessary for the purposes for which they are being processed

       (Article 5.1 c) GDPR).


 21. When applied to the present complaint, it must be verified whether the defendant has

       and the degree of kinship of the intended users of the membership card may

       retrieving and then processing it in a data file with a view to a

       controlled access to the swimming pool at a discounted rate to prevent card abuse

       prevented by third parties. Indeed, in the past, it was repeatedly established that third parties

       unauthorized use of the card because some owners used the then-current

       made a paper card with swimming sessions available to the tenants of their

       holiday home in the context of private rental. Based on the purpose
       consisting of averting possible misuse of the card, it should be checked whether

       for this purpose the processing of the relevant photos and degree of relationship is required.


 22. Personal data may only be processed if the purpose of the processing is not

       can reasonably be realized in another way. From the actual elements of



4Recital 39 GDPR.
“Any processing of personal data must be done properly and lawfully. Fornatural persons serves it

be transparent that personal data concerning them is collected, used, consulted or otherwise
processed and to what extent the personal data is or will be processed. According to the
transparency principle, information and communication in connection with the processing of those personal data
be easily accessible and understandable, and must be clearly used in a simple language
in particular informing data subjects about the identity of the controller and the purposes of the
processing, as well as further information to ensure fair and transparent processing with regard to the
natural persons concerned and their right to receive confirmation and communication of their personal data that
are processed. Natural persons must be made aware of the risks, rules, safeguards and rights in
connection with the processing of personal data, as well as how they exercise their rights in relation to this
be able to carry out processing. More specifically, the specific purposes for which the personal data are collected
processed, to be explicit and legitimate and to be established when the personal data is collected. The
personal data must be adequate, relevant and limited to what is necessary for the
purposes for which they are processed. In particular, this requires ensuring that the storage period of the
personal data is kept to a strict minimum. Personal data may only be processed if the Decision on the merits 147/2022 - 6/8



       the file shows that there is a need to identify the users of the card who are
       offer at the pool, so that it can be verified whether the users actually

       are those who are entitled to access the pool at the

       favorable discount rate and thus abuse can be excluded. This constitutes a

       specific, explicit and legitimate purpose within the meaning of Article 5.1

       b) GDPR . It is common ground that the owners concerned, including the complainant, were

       written by the defendant explaining in the letter that pursuant to

       misuse of the paper card would be switched to a digital card with

       explanation that henceforth the photos of the beneficiaries indicating the degree of

       relationship would be necessary.

 23. Exactly about the need to provide photos with the degree

       of kinship and its processing in a database for the purpose of

       use of the digital card in the context of combating abuse, the

       to have examined the defendant during the hearing to use the identity card as

       means of access control, but that its reading is in no way less

       would be privacy violating, since the identity card contains more data than necessary

       for access control.

 24. In this regard, the Disputes Chamber points out that the purpose pursued by the

       Defendant can be reached solely by the names of the

       to process beneficiaries of the discounted rate in a data file that is

       linked to a digital map. After all, it is sufficient that the beneficiary of the card

       at the pool entrance counter where he can get the discounted rate

       granted provided he offers his digital membership card and on presentation of his

       identity card. It is by no means necessary that the complainant shows his identity card

       'reading' as the defendant argues, which is an automated

       data processing in accordance with Article 2.1 of the GDPR. Reading the

       identity card would have the consequence that by means of an e-ID card reader, more

       data is processed than necessary for the purpose, since a lot of data is stored on the card

       more information than that which the defendant believes it needs.

 25. The Disputes Chamber states that it is sufficient that the names of the beneficiaries are

       processed by means of the membership card and can be consulted by the



purpose of the processing cannot reasonably be achieved in any other way. To make sure that
personal data are not kept for longer than necessary, the controller must set time limits
for the erasure of data or for a periodic review thereof. All reasonable measures must be taken
taken to ensure that incorrect data is corrected or deleted
be processed in a manner that ensures appropriate security and confidentiality of that data, including for
preventing unauthorized access or use of personal data and equipment intended for
processing is used.” [own underlining]
5See in this regard also recital 39 GDPR which states: “[…] More specifically, the specific purposes serve
for which the personal data are processed must be explicit and justified and to be established when the
personal data is collected. […]” Decision on the substance 147/2022 - 7/8


     receptionist.To make sure whoever offers the membership card is right

     is a beneficiary of the preferential rate, provides a purely visual check of the

     identity card on which both the name and the photo of the person concerned are visible

     stated, the guarantee of correct identification. Processing photos of the
     beneficiaries can therefore in no way be regarded as relevant and necessary

     for the realization of the intended purpose. The combination of the

     processing the names of the beneficiaries of the benefit rate by means of the

     membership card linked to a database, which is a

     data processing within the meaning of Article 4. 2) GDPR, and, on the other hand, the visual

     verification of the identity card which also contains the name of the beneficiary,
     as well as the photo that can be used to check whether the person who presents himself

     at the entrance counter is actually the person to whom that name and photo belong and

     is thus entitled to use the membership card is sufficient to prevent misuse

     A mere visual check in which physical similarities are checked

     of those who want access and the photo on the identity card, do not fall under the

     scope of the GDPR, as such control is not accompanied by any
     form of processing within the meaning of article 2.1 AVG. In case of identity verification, the

     visu, after all, there is no question of fully or partially automated processing,

     nor of any processing contained in a file or intended to be incorporated therein

     Hospitalized. It follows that with this method the intended goal can be achieved in

     a less privacy-violating way than that currently used by the defendant.

26. This also applies to the processing of the degree of kinship whose

     processing is also irrelevant and necessary in light of the purpose. The

     notification of the degree of kinship for each beneficiary, as requested by the

     defendant, is based on the simple “declaration of honor” of the owner of the

     vacation home. The Disputes Chamber is of the opinion that it is sufficient that the owner of the
     holiday home only gives the names of his relatives in the 1st and 2nd degree without him

     for each of them should state the exact degree. The designation of the

     kinship degree offers no added value, since this information is not

     may be subject to some scrutiny given that the unverified

     information to be provided by the owner himself, which is not objective

     can be established by the defendant on the basis of any document. This leads to
     that the Disputes Chamber is of the opinion that also with regard to the degree of kinship the

     processing only the names of the beneficiaries is sufficient without further specification

     of the degree of kinship.


27. By virtue of the fact that the defendant's purpose can be achieved without
     processing of the photos of the beneficiaries of the membership card and their degree of Decision on the merits 147/2022 - 8/8



      relationship, it is established that the defendant has a violation of article 5.1c) GDPR

      committed.




III. Publication of the decision


 28. Given the importance of transparency in the decision-making of the

      Litigation Chamber, this decision is published on the website of the

      Data Protection Authority. However, it is not necessary for the

      identifiers of the parties are disclosed directly.





    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to

    pursuant to art. 100, §1, 9° WOG, to order the defendant that the processing in

    is brought into line with Article 5.1, c) GDPR, within a period of

    two months, the Data Protection Authority about it within the same period

    to inform.




Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice against this decision, an appeal may be lodged with the Marktenhof (court of

profession Brussels), with the Data Protection Authority as defendant.


Such an appeal may be lodged by means of an adversarial petition that the
must contain the statements listed in Article 1034ter of the Judicial Code. It

adversarial petition must be submitted to the registry of the Marktenhof

in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).




(get). HielkeIJMANS

Chairman of the Disputes Chamber



6The petition states, on pain of nullity:
 1° the day, month and year;

 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
    summoned;
 4° the subject matter and the brief summary of the grounds of the claim;
 5° the court before whom the claim is brought;
 6° the signature of the applicant or of his lawyer.
7The application with its annex shall be sent by registered letter, in as many copies as there are parties concerned
sent to the clerk of the court or deposited at the clerk's office.