APD/GBA (Belgium) - 149/2022: Difference between revisions

From GDPRhub
(Changed the Short summary)
Line 95: Line 95:
}}
}}


The Belgium DPA held that a social housing organisation could rely public interest ([[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]) to investigate foreign assets of data subjects. The DPA also determined that this controller could rely on important public interest ([[Article 49 GDPR#1d|Article 49(1)(d) GDPR]]) to conduct international data transfers for the purpose of conducting this foreign investigation. The DPA reprimanded this controller for omissions in the controller-processor agreement, which resulted in violations of [[Article 28 GDPR|Articles 28(2) and 28(3) GDPR]].   
The Belgium DPA held that a social housing organisation could rely on [[Article 6 GDPR|Article 6(1)(e) GDPR]] to investigate foreign assets of data subjects and on [[Article 49 GDPR|Article 49(1)(d) GDPR]] for international data transfers in connection with this purpose. However, the DPA reprimanded the controller for violations of [[Article 28 GDPR|Articles 28(2) and 28(3) GDPR]] in a data processing agreement.   


== English Summary ==
== English Summary ==

Revision as of 14:17, 2 November 2022

APD/GBA - 149/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(e) GDPR
Article 24(1) GDPR
Article 28(2) GDPR
Article 28(3) GDPR
Article 44 GDPR
Article 46 GDPR
Article 49(1)(d) GDPR
Article 49(4) GDPR
Article 57(4) GDPR
Article 23 Constitution
Article 33 Vlaamse Wooncode
Vlaamse Codex Wonen
Type: Complaint
Outcome: Partly Upheld
Started: 27.09.2021
Decided: 18.10.2022
Published: 21.10.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 149/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgium DPA held that a social housing organisation could rely on Article 6(1)(e) GDPR to investigate foreign assets of data subjects and on Article 49(1)(d) GDPR for international data transfers in connection with this purpose. However, the DPA reprimanded the controller for violations of Articles 28(2) and 28(3) GDPR in a data processing agreement.

English Summary

Facts

Two data subjects submitted complaints at the Belgian DPA, stating that their personal data was unlawfully processed by a social housing organisation. The controller was responsible for verifying the eligibility criteria for social housing and was suspecting that the data subjects did not qualify for social housing, after they failed to provide clarity regarding their assets in Turkey. The controller initiated an investigation into these assets. It hired a processor, a private investigation firm, to check personal data of the data subjects. This processor also used a processor of its own, which was located in Turkey. Following the investigation, the controller determined that the data subjects did not qualify for social housing in Belgium, because they owned sufficient assets in Turkey.

After the data subjects submitted their complaint, the DPA also initiated an investigation. The investigation unit of the DPA (investigation unit) determined that the controller breached several GDPR Articles.

The data subjects stated that they were not the owners of the assets in question. They also contested the value of evidence in the reports and stated that the evidence was received illegitimately.

The district court of Lier already delivered a judgement in a case between the controller and the data subjects, which was about the termination of the rental contract. In this ruling, the district Court held amongst other things that the controller could use Article 6(1)(e) GDPR for conducting the investigation into the foreign assets. It also determined that the controller had send letters to the data subjects which remained unanswered.

Holding

DPA authorized?

The DPA first held that it had the authority to decide if the investigation ordered by the controller was GDPR compliant. It held that it was not competent to rule on other issues which were already covered by the district court of Lier.

Violations of Article 5(1)(a) GDPR and Article 6(1) GDPR

The DPA held that the controller did not violate Article 5(1)(a) GDPR and Article 6(1) GDPR (in line with the findings of the investigations unit).

The DPA stated that in order to lawfully process personal data according to Article 5(1)(a) GDPR, the controller needed to base its processing on one of the legal grounds described in Article 6(1) GDPR. Based on the answers of the controller during the investigation, the investigation unit determined that the controller relied on public interest (Article 6(1)(e) GDPR) to process the personal data.

The DPA held that the controller could only rely on Article 6(1)(e) GDPR when processing was necessary for a task in the public interest or when it is necessary for exercising public authority that has been invested in the controller. In these cases, a legal ground for processing, based in European law or national law, was required (Articles 6(1)(e) and 6(3) GDPR and recital 45).

Task in the public interest

The DPA held that the controller processed personal data within its legal obligation to do so for a task in the public interest, which was the allocation of limited government funds for the purpose of providing affordable housing to the most vulnerable people.

Legal ground

The DPA held that in order to rely on Article 6(1)(e) GDPR, a specific, clear and predictable legal basis was required (Recital 41 GDPR). The DPA stated that the controller relied on Article 23 of the Belgian Constitution. This Article constituted the constitutional right to housing, which was an ‘internationally acknowledged right’. The DPA continued by referring to Article 33 of the Flemish Housing Code, which gave the obligation to social housing organisations to create criteria to decide who is eligible for social housing.

Bassed on the above, the DPA held that was predictable that the eligibility requirements for social housing would be checked by the controller. However, the methods used for this purpose were less predictable, because the legal provision in question (Article 52 Kaderbesluit) provided a non limited list with options for the controller to check eligibility for social housing. The DPA pointed out that that tasks of public interest are often not based on precisely defined obligations, but rather on a more general authority to act. The DPA stated that this was applicable in the present case.

Necessity of the processing

The DPA stated that the requirement of necessity of processing is often not specified in laws. Therefore, controllers using Article 6(1)(e) GDPR often have to make an assessment between the necessity of their processing against the public interest and interests of data subjects. The DPA held that the data subjects were asked multiple times to provide clarity regarding their potential foreign assets. The data subjects failed to reply, which resulted in reasonable suspicions at the side of the controller. The district court of Lier already determined that the controller had send letters to the data subjects and that these letters had remained unanswered. The controller stated that it had no other choice than to enlist the processor to start the foreign investigation into the assets of the data subjects.

Based on the above, the DPA determined that the processing was indeed necessary for the purpose of allocating limited government funds for social housing, because of the grave suspicions of the controller. The DPA also mentioned the shortage of social housing and the difficulty of getting access to data regarding foreign assets of data subjects. It did not matter that the option of hiring a private investigation firm was not listed in Article 52 Kaderbesluit, since the list of options in this article was not limited.

The DPA also rejected the argument of the data subjects that the controller could not rely on Article 6(1)(e) GDPR, because the privacy policy was not delivered to them. The DPA held that there was no obligation to deliver a privacy policy for the controller. Providing an online link to a privacy policy was sufficient, which the controller had done. The DPA supported its argument by refering to the WP29 Guidelines for transperency.

Violations of Articles 5, 24(1), 25(1) and 25(2) GPDR

The inspection unit had determined that the controller breached several provisions of the GPDR. However, the DPA determined that the Inspection Unit did not conduct the investigation in a ‘loyal way’. It failed to ask for further question and more precise information when the provided information by the controller was deemed insufficient. The DPA determined that, based on the additional input the controller provided, it could not be concluded that the controller breached Articles 5, 24(1), 25(1) and 25(2) GPDR.

Violation of Articles 28(2) and 28(3) GDPR

In contrast, the DPA confirmed that the controller violated Articles 28(2) and 28(3) GDPR. The investigations unit held that the data processing agreement of the controller with the processor did not contain all the necessary aspects. Aspects such as a signature of the controller and the starting data of the agreement were missing. The controller did not object to this assessment and stated that it acted immediately after receiving the report form the investigations unit. It changed its standard agreement with processors for conducting foreign investigations accordingly. It also did not instruct processors to conduct any further investigations.

The DPA held that the controller breached Articles 28(2) and Article 23(3) GDPR, but that the shortcomings that caused these violations had already been fixed.

Violations of Articles 44, 46, 24(1), 24(2) and 5(2) GDPR

The DPA stated that the transfer of data to third countries (outside of the EU) is only allowed when the level of protection guaranteed by the GDPR is not compromised. This is the case when a third country provides an adequate level of protection or provides supplementary measures.

The controller stated that it did not transfer personal data to Turkey, because it was the processor which provided personal data to - and received personal data from its Turkish processor. The DPA disagreed. It confirmed that the controller was in fact the controller, because it defined the means and purposes of processing (Article 4(7) GDPR). Therefore, it was also the controller's responsibility to ensure its processing was complaint with the GDPR, also when it was the processor that transferred personal data to a third country.

The controller also made an argument stating that it could rely on the exception of Article 49(1)(d) GDPR for important reasons for public interest. The DPA accepted this argument. The DPA held that under Article 49(4) GDPR, only public interests can be used that are recognised in EU law or in member state law. This public interest cannot be too abstract. As an example, the DPA stated public interests that are recognised in international treaties, signed by member states.

The DPA determined that the controller provided social housing for vulnerable people, to support the public interest of the right to housing. This right is internationally recognised in the UDHR (Universal Declaration of Human Rights) as well as the ICESCR (International Covenant on Economic, Social and Cultural Rights), which is ratified by both Belgium and Turkey. The DPA also repeated that the right to housing was provided in Belgian law.

The DPA also determined that the processing by the controller passed the necessity requirement of Article 49(1)(d) GDPR. The DPA referred to its necessity assessment earlier in the decision, when it assessed the possible violations of Articles 5 and 6 GDPR.

Therefore, the DPA determined that controller did not violate Articles 44, 46, 24(1) and 5(2) GDPR, in contrast with the findings of the investigation unit.

Violation of Article 30(1) GDPR

Lastly, the DPA held that the controller did not violate Article 30(1) GDPR. The investigation unit had determined that the registry of the controller was not specific enough in describing the categories of personal data and data subjects, but the DPA disagreed. The DPA held that whether or not the registry is clear and detailed enough should be assessed on a case to case basis. The DPA held that in this case, the registry was specific enough and that the elements in the registry left little room for different interpretations in the context of social housing. Therefore, the DPA held that the controller did not violate Article 30(1)(c) GDPR.

In conclusion, the DPA only determined violations of Articles 28(2) and 28(3) GDPR but only reprimanded the controller (Article 100, §1, 5° WOG). All other determined violations by the investigation unit were deemed unfounded by the DPA (Article 57(4)GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/30




                                                                           Dispute room


                                   Decision on the merits 149/2022 of 18 October 2022



File number: DOS-2021-06293 and DOS-2021-06884


Subject : Sharing personal data concerning tenants of social housing in

in the context of an asset investigation



The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members.

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

In view of the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;


Having regard to the documents in the file;



Has made the following decision regarding:


The complainant: Mr X1 and Mrs X1, hereinafter: complainant 1

                   Mr X2 and Mrs X2, hereinafter: complainant 2

                   all represented by mr. Rahim Aktepe, with office in 2000
                   Antwerp, Amerikalei 95

                   hereinafter collectively referred to as “the complainant”;


Defendant: Y, represented by Mr. Myrthe Maes, Mr. Nele Somers and Mr. Thomas

                   Bronselaer, with office in 2000 Antwerp, Amerikalei 79, box 201,

                   hereinafter referred to as “the Defendant”. Decision on the merits 149/2022 - 2/30


I. Facts procedure


 1. The subject of the complaint concerns the communication of personal data of social

       tenants to third parties in the context of a foreign asset investigation.

 2. Complainant 1 and complainant 2 serving on 27 September 2021 and 22 October 2021 respectively

       lodge a complaint with the Data Protection Authority against the defendant.

 3. On October 1, 2021 and January 5, 2022 respectively, the complaints will be handled by the

       First-line servicedeclaredadmissibleunderarticle58and60WOGenbe

       they have been transferred to the Disputes Chamber pursuant to Article 62, § 1 WOG.

 4. On 27 October 2021 and 17 January 2022 respectively, in accordance with Article 96,

       § 1 WOG the request of the Disputes Chamber to conduct an investigation

       submitted to the Inspectorate, together with the complaint and the inventory of the documents.

 5. The inspections will be completed by the Inspectorate on February 15, 2022

       bothreportsattachedtothefileandthefilesbecomebytheinspector-general

       submitted to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG).


       The report prepared in relation to complainant 1 contains findings with
       relating to the subject matter of the complaint and decides that:


          1. there is no infringement of Article 5(1)(a) and (2) GDPR, Article 6(1) GDPR

              with regard to the principle of legality;

          2. there is an infringement of Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1)

              and 2 GDPR with regard to the principles of fairness and transparency,

              purpose limitation, minimal data processing, accuracy, storage limitation and integrity
              and confidentiality;


          3. there is an infringement of Article 28(2) and (3) GDPR; and

          4. there is an infringement of Articles 44, 46, 24(1) and 5(2) GDPR for what

              concerns the transfer of personal data to Turkey.

       The report prepared in relation to complainant 1 also contains findings that

       go further than the object of the complaint. In general terms, the Inspectorate establishes that:


            1. there is an infringement of Article 30(1) GDPR due to non-compliance with

                various obligations regarding the register of processing activities.

 6. The report prepared in connection with complainant 2 concurs with the findings

       of the first report. Reference will therefore be made in this decision to the first

       report as the Inspection Report. Decision on the merits 149/2022 - 3/30


7. On February 21, 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98

     WOG that both files are ready for treatment on the merits. The Disputes Chamber states

     for the parties to merge both businesses. Also on February 21, 2022 was allowed

     the Disputes Chamber has received the agreement to merge the two parties.

8. On February 21, 2022, the parties concerned will be notified by registered letter

     of the provisions as stated in article 95, § 2, as well as of these in article 98 WOG.

     They are also informed, pursuant to Article 99 of the WOG, of the deadlines to

     to file defences.

     As regards the findings relating to the subject matter of the complaint, the

     deadline for receipt of the defendant's response

     recorded on April 4, 2022, this for the conclusion of the reply from the bearing on April 25, 2022

     and finally that for the defendant's reply on 16 May 2022.

     The latest date for receipt of the defendant's response for

     with regard to the findings outside the draft of the complaint, it was set at 4

     Apr 2022.

9. On February 21, 2022, the complainant electronically accepts all communication regarding the case.


10. On March 8, 2022, the defendant requests a copy of the file (Article 95, §2, 3° WOG),
     which was transferred to her on March 23, 2022.


11. On March 8, 2022, the defendant electronically accepts all communications regarding the case

     and expresses its wish to make use of the opportunity to be heard,
     in accordance with article 98 WOG.


12. On April 4, 2022, the Disputes Chamber will receive the statement of defense from the

     the defendant with regard to the findings relating to the subject-matter of the

     complaint, as well as the findings outside the subject of the complaint. The defendant argues that
     the processing in its head constitutes a lawful data processing. Second

     the defendant argues that the data processing in question is a correct and permissible

     data processing, whereby all the basic principles of Art. 5 (1) GDPR are applied

     respected and that she can also demonstrate this. Third, the defendant denies the

     determinations of the Inspectorate regarding the processing agreement, but states

     that it has eliminated these infringements. Fourth, the defendant argues that the
     transfer of personal data to Turkey has taken place in a lawful manner.

     Finally, the defendant argues that the register of processing activities was

     updated to comply with the Inspectorate set

     shortcomings.

13. On April 22, 2022, the Disputes Chamber will receive the conclusion of the complainant's reply, in which

     an overview is given of the previous procedure conducted by the complainant with regard to Decision on the merits 149/2022 - 4/30


       of the defendant before the justice of the peace. The complainant disputes the legality of the

       data processing, and the complainant states that the data processing is not

       has taken place in accordance with the fundamental principles of Article 5(1) of the GDPR.
       With regard to the determinations regarding the processing agreement, the transfer of

       personal data to Turkey and the register of processing activities, the complainant closes

       adhere to the findings of the Inspectorate.


 14. On May 18, 2022, the Disputes Chamber will receive the statement of reply from the defendant
       with regard to the findings with regard to the subject matter of the complaint. In here

       the defendant repeats its views from the statement of defense.


 15. On August 10, 2022, the parties will be notified that the hearing will
       take place on September 22, 2022.


 16. On September 22, 2022, the parties will be heard by the Disputes Chamber.

 17. On September 23, 2022, the minutes of the hearing will be sent to the parties

       submitted.

 18. On September 29, 2022, the Disputes Chamber will receive some

       comments with regard to the official report, which it decides to include in

       her deliberation].

 19. The Disputes Chamber does not receive any comments with regard to the official report

       because of the complainant.




II. Justification

    II.1. Jurisdiction of the Dispute Chamber


 20. In his conclusions, the bearing states in his first three pleas that they do not own

      a property in Turkey, they dispute the evidential value of the investigation reports

      that have been drawn up by Z in the context of the foreign asset research, and finally

      the complainant discusses the doctrine of the illegally obtained evidence.

 21. However, the Disputes Chamber is only authorized to judge whether the foreign

      asset investigation has taken place in accordance with the GDPR. The

      the above resources do not belong to the jurisdiction of the Disputes Chamber and were

      already assessed by the justice of the peace van Lier (see below). So these arguments will
      not be the subject of the proceedings before the Disputes Chamber.


    II.2. Article 5 (1) a) GDPR, Article 6 (1) GDPR


 22. The Inspectorate determines that the defendant has fulfilled the obligations imposed by
      Article 5 (1) a) and (2) GDPR and Article 6 GDPR with regard to the principle Decision on the merits 149/2022 - 5/30


     regarding legality. Based on the answers obtained from the defendant during

     the investigation, the Inspectorate follows the defendant's assertion that it invokes

     the legal basis from article 6, paragraph 1, e) AVG (necessity for the fulfillment of a task

     of general interest).

23. The basic principle of article 5, paragraph 1, a) GDPR is that personal data only in a lawful manner

     may be processed. This means that a legal ground for processing

     personal data as referred to in Article 6(1) of the GDPR must be present. In further

     elaboration of this basic principle, Article 6(1) of the AVG states that personal data may only be
     are processed on the basis of one of the legal grounds listed in the article.


24. The complainant disputes the findings of the Inspectorate and argues that the defendant

     wrongly invokes article 6, paragraph 1, e) AVG. In addition, the lower claims that the defendant

     Nor can it rely on any other legal basis, such as consent (Article 6,
     paragraph 1, a) GDPR).


25. To legally rely on the legal basis of Article 6(1) e) GDPR

     personal data may only be processed if this is necessary for the fulfillment
     of a task in the public interest or if it is necessary for the performance of the

     public authority entrusted to the person responsible. The processing must take place in this

     cases always have a basis in the law of the European Union or that of the

     Member State concerned, which must also state the purpose of the processing. There must therefore

     it will be checked whether the conditions set out in that article have been met in this case.

26. Pursuant to Article 6(3) and Recital 45 of the GDPR, processing on the basis of

     Article 6 (1) e) GDPR meet the following conditions:


          a. The controller must be charged with the fulfillment of a
              mission in the public interest or an order that is part of the

              exercise of public authority on a legal basis, irrespective of

              whether it is in the law of the European Union or in the law of the Member States

              contained;

          b. The purposes of the processing are established on the legal basis or must be

              are necessary for the performance of the assignment in the public interest or the

              exercise of public authority.

27. The Disputes Chamber will determine the conditions of general interest, legal basis and

     necessity below.


     Public interest task

28. The public interest task in question relied on by the defendant is control

     on the registration and allocation conditions in the context of social housing in order to Decision on the merits 149/2022 - 6/30



       to rent out homes to tenants who are not self-sufficient in their housing needs

       can provide. As also confirmed by the justice of the peace of the canton of Lier who has already

       has ruled in this case with regard to the termination aspects

       of the lease, social housing companies are subject to the legal

       obligation to check whether their (prospect) tenants meet the applicable conditions

       both at the start and during the entire term of the rental agreement.

       After all, social housing is reserved for vulnerable people who cannot afford it themselves

       meet their housing needs without assistance. Given the limited availability

       government budgets, the social rental housing should belong to those persons who

       are most in need of housing. 1


 29. It is clear to the Disputes Chamber that the defendant by processing in the context

       fulfills the public interest of its legal task, being a meaningful use of

       limited government resources by allocating social housing to persons who

       are most in need of housing. The defendant therefore rightly argues that the processing may be
                                                              2
       be based on Article 6 (1) e) of the GDPR. The complainant's consent is

       therefore not required for the processing to be lawful, especially since this legal basis

       for legality is not relied upon by the defendant.

       A clear, precise and predictable legal basis


 30. According to Recital 41 of the GDPR, this legal basis or legislative measure

       be clear and precise and their application must be for litigants

       predictable, in accordance with the case law of the Court of Justice of the

       European Union and the ECHR. In the Rotaru judgment 3 the ECtHR used the concept

       predictability of the legal basis. As the case concerned

       on surveillance systems of a state's security apparatus, the context of

       the present case. In other cases, the ECtHR has indicated that it

       may be guided by these principles, but it believes that these criteria, which are set out in the

       specificcontextofthatconcretecasearedeterminedandfollowedsonotassuchon

       all cases apply.


 31. It is apparent from the form of order sought by the defendant that it relies on its mission as a social worker

       housing company to implement Article 23 of the Constitution in which








1T. VANDROMME, Definition of terms in B. HUBEAU and A. HANSELAER, Social Rent, Bruges, die Keuren, 2010, p. 24.

2See in this sense also T. VANDROMME, Professional judge also allows proof of immovable foreign property by a private firm,
De Juristenkrant, January 27, 2021 and a.o.
3EHRM, May 4, 2000, Rotaru t. Romania.

4EHRM, September 2, 2010,Uzun t. Germany, § 66. Judgment on the substance 149/2022 - 7/30


                                                             5
      the right to decent housing. The defendant hereby

      implementation of the internationally recognized right to decent housing.

 32. On the basis of article 33 of the Decree containing the Flemish Housing Code (hereinafter: “Flemish

      Housing Code”), the social housing companies serve, among other things, the

      improve the living conditions of families and single persons in need of housing,

      especially of the most needy families and singles, by taking care of a

      sufficient supply of social rental housing and social housing for sale. This matters

      resulted in the Flemish Government having laid down various conditions that

      (candidate) tenants must comply, so that the most needy to live

      assigned housing.

 33. In order to qualify for social rent, the potential tenant must therefore include:

      meet the registration conditions from Article 3 of the Decree of the Flemish

      Government to regulate the social housing system in implementation of Title VII of the

      Flemish Housing Code (hereinafter: Framework Decision) including:


         “Article 3 § 1. A natural person can be registered in the register stated in

         Article 7, if he meets the following conditions:

         […]


         3°he, together with his family members, has no house or plot intended for

         housing that is fully owned or fully usufruct in domestic or

         abroad, unless it concerns a camping stay located in the Flemish Region;

         […].”


 34. The investigation into compliance with the conditions and obligations for social housing

      is governed by Article 52 of the Framework Decision:

         “Article 52 § 1. The reference person gives the lessor, through his application for

         registration in the register, his registration as a prospective tenant or his tenantship, the

         permission to submit to the competent authorities and institutions and to the local authorities the

         necessary documents or information regarding the requirements set out in this Decree

         conditions and obligations, while maintaining the application of the

         provisions of the law of 8 December 1992 on the protection of personal data

         privacy with regard to the processing of personal data, its






5Article 23: “Everyone has the right to lead a life with dignity […] Those rights include in particular […] 3° the right
on decent housing […]”
6
 Decree containing the Flemish Housing Code of 15 July 1997, BS 19 August 1997.
7Decree of 12 October 2007 of the Flemish Government regulating the social rental system in implementation of
Title VII of the Flemish Housing Code, BS 7 December 2007. Decision on the merits 149/2022 - 8/30


        implementing decrees and any other provision for the protection of personal

        privacy, established by or pursuant to a law, decree or decree.


        § 2. For the implementation of the provisions of this Decree, the landlord invokes
        on information provided to him by the competent authorities or institutions or other lessors

        can be delivered electronically.


        If no or insufficient data is obtained in this way, the candidate-

        tenant or tenant is asked to provide the necessary information. If through the obtained

        information from the competent authorities or institutions or other lessors shows that the
        prospective tenant or tenant does not or no longer meets the conditions and

        obligations of this Decree, that determination shall be communicated to the candidate

        tenant or tenant who can respond within one week after the notification.


        Among the competent authorities and institutions referred to in § 1 and § 2, first paragraph,

        including: 1° the National Register of Natural Persons, mentioned in the law
        of 8 August 1983 regulating a national register of natural persons ;2° de

        social security institutions, mentioned in articles 1 and 2, first paragraph, 2°, of the law of

        15January1990establishingorganizationofacrossroadsbankoftheSociale

        Security and the persons to whom the social security network applies

        of Article 18 of the same Act was extended; 3° the Federal Public Service

        finances; 4° the Civic Integration Crossroads Bank; 5° the Houses of Dutch; 6° the
        reception desks; 7° the Flemish E-government coordination cell; 8° the organizations and the

        institutions, mentioned in article 4, first paragraph, including the policy domain Education

        and Formation of the Flemish Community.


35. From analysis of the above, it is therefore predictable that compliance with the

     enrollment conditions can be controlled by social
     housing companies such as the defendant both at the start and throughout the

     duration of the lease.


36. The way in which this check will take place is less predictable as the aforementioned

     Article 52 of the Framework Decision contains a non-exhaustive list (“among other things”)
     which allows the landlord to use various instruments that are not included in this

     article are included.


37. The Disputes Chamber has already pointed this out in decision 124/2021 dated. 10
     November 2021 that tasks of general interest or public authority with which

     controllers are charged, often not based on accuracy

     defined obligations or legislative standards that meet the requirements listed under

     marginal 29 et seq., more specifically the recording of the essential characteristics of the

     data processing. Rather, processing takes place on the basis of a more general Decision on the merits 149/2022 - 9/30


       authorization to act, such as for the performance of the task necessary, such as

       is also the case in this case. This results in the relevant legal basis in practice

       often does not contain any concretely defined provisions regarding the necessary

       data processing. Controllers who, on the basis of such

       wish to rely on Article 6 (1) e) of the GDPR for a legal basis

       balancing the necessity of the processing for the task of general

       interests and the interests of those involved.

 38. Unnecessarily, the Disputes Chamber points out that since 1 January 2022, the Flemish

       legislator has acted to provide a new legal basis for the

       processing of personal data in the context of a foreign asset investigation.

       To the Codified Decree on the Flemish housing policy (hereinafter: Flemish Codex
               8
       housing), Articles 6.3/1 and 63/2 were added, which now explicitly provide that social
       housing companies to private research agencies personal data

       pass on in the context of a foreign asset investigation. These articles read as

       follows:


       Article 6/3.1 of the Flemish Housing Code:

       § 1. For the purposes of this book, personal data is processed for the following

       purposes:

       1° check whether the conditions and obligations of this book have been met and that the

       Flemish Government determines in accordance with this book;

       […]

       § 2. The controllers, referred to in Article 4, 7) of the general

       Data Protection Regulation are:
       1° the lessor, with regard to the processing that he takes care of;

       […]

       § 3. Pursuant to paragraph 1, the following categories of

       personal data is processed:

       1° identification data;

       2° the national register number and the social security identification numbers;

       3° personal characteristics;

       4° family composition;
       5° financial details;

       6° data on immovable rights;

       7° data of students of Dutch as a second language (NT2);

       8° housing characteristics;

       9° profession and position;


8 Codified Decree on the Flemish housing policy, codified on 17 July 2020, BS 13 November 2020. Decision on the merits 149/2022 - 10/30


     10° data from social research;

     11° living habits;

     12° judicial information about the termination of the rental agreement due to the

     causing serious nuisance or serious neglect of social housing;
     13° data on physical or psychological health;

     14° education and training;

     15° details of the lease that has been terminated by the landlord.

     16° consumption data.

     […]


     § 6. The controller, referred to in paragraph 2, 1° and 2°, may

     transfer personal data under the following conditions:

     1° […];
     2° the personal data, mentioned in paragraph 3, first paragraph, 1°, 2°, 3°, 8° and 10°, to the

     private partners designated by the Flemish Government in accordance with Article 6.3/2, second paragraph, for

     the investigation of the immovable property abroad;

     […]”


     Article 6/3.2, paragraph 1 of the Flemish Housing Code:

     “The lessor who checks whether the conditions for immovable property have been met,

     mentioned in Article 6.8, first paragraph, 2°, Article 6.11 and 6.21, first paragraph, for the immovable

     possession abroad, rely on private or public partners. The Flemish

     Government may designate the entity that enters into a framework agreement in which the private

     partners are identified.”

     The Disputes Chamber notes in this regard that this new legislation has been published

     after the disputed data processing and therefore does not apply to the foreign

     property investigations in this case. Since this Flemish Codex Living is not yet in

     had entered into force at the time of the foreign asset investigations
     the Disputes Chamber did not invoke this legislation to make this decision

     come.

     Necessity


39. Pursuant to Article 6(1)(e) GDPR, the processing is lawful only if and for
     to the extent that the processing is necessary for the fulfillment of a task in the public interest or

     of a task in the exercise of public authority vested in the

     controller has been assigned. As explained above contains

     legislation often lacks concretely defined provisions regarding the necessary

     data processing. Controllers who, on the basis of such

     If you wish to invoke Article 6 (1) e) of the GDPR on a legal basis, you must then make a Decision on the merits yourself 149/2022 - 11/30



       balancing the necessity of the processing for the task of general
       interests and the interests of those involved.


 40. The defendant submits that, in the context of the assessment of necessity, it

       has performed a balancing of interests before transferring the personal data in question

       to Z for conducting a foreign asset investigation. The Defendant

       argues that this balancing of interests has manifested itself in offering the

       possibility to spontaneously report property abroad in advance

       and the transfer of personal data subsequently took place on the basis of

       reasonable suspicions of property fraud. The justice of the peace of the canton of Lier has in
       its judgment dated 8 March 2022 (with regard to complainant 1) and its judgment dated 12 April 2022 (for

       with regard to complainant 2) established that on 29 July 2020 the defendant informed all its tenants

       sent a letter announcing that they would be checked

       immovable is abroad. The letter was personally delivered by carrier to each

       tenant and in his absence the letter was left in the letterbox. Due to the lack

       In response to the complainants' response to this letter, the defendant argues that it has no other

       then had the opportunity to conduct such a foreign asset investigation.


 41. The Disputes Chamber establishes on the one hand that Article 52 of the Framework Decision does not explicitly
       includes reference to private research firms such as Z to provide the required data

       collect, but also that the aforementioned list is non-exhaustive

       formulated so that the appeal to private research agencies is not covered by the aforementioned

       Article 52 of the Framework Decision is excluded.

                                                        9
 42. In accordance with its previous decision, the Disputes Chamber recalls that

       domestic wealth investigations can be done through a simple consultation

       of the land registry. Investigations into real estate abroad and especially non-

       However, EU member states are less evident. The social housing companies then let
       the tenants also declare that they do not own any real estate abroad

       to verify these statements, these social housing companies, such as the

       defendant, relied on specialized firms, such as Z in this case, as processors to

       to conduct foreign asset investigations when they have serious indications or

       has suspicions of foreign property.


 43. The necessity of the foreign asset investigation is apparent from the fact that the

       the complainant has already been invited several times to sell any property abroad

       report, first when signing the above-mentioned declaration on honor and then
       when the defendant had informed the complainant via the warning letter

       of its intention to conduct a foreign asset investigation. The Defendant



9 Decision 124/2021 dated. November 10, 2021, to be consulted via
https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision on the merits 149/2022 - 12/30



       however, did not receive a satisfactory answer. In view of its legal duty to
       use public funds to accommodate the most vulnerable people, given

       in view of the severe shortage of social housing and in view of the difficulties of

       to look up data for real estate located abroad, the

       the defendant compelled to carry out the foreign asset investigation in order to

       serious suspicion of foreign real estate.


 44. These findings have already been made by the justice of the peace of the canton of Lier in

       her verdict dated March 8, 2022 (with regard to complainant 1) and in her judgment dated. Apr 12, 2022

       (with regard to the complainant 2). The justice of the peace concluded that the defendant
       could lawfully rely on Art. 6 (1) e) GDPR for the purpose of carrying out the foreign

       asset research. The Disputes Chamber sees no reason to

       to take a different position.


 45. Finally, the complainant argues that the defendant cannot rely on Article 6(1)(e) GDPR

       as stated in the privacy policy on its website because this privacy policy does not comply with the

       complainant was served. In this regard, the Disputes Chamber refers to the guidelines on

       transparency of the Data Protection Working Party Article 29 stipulating if

       follows: “Any company with a website should have a statement or notice on that site
       about the protection of privacy should publish. A direct

       link to this statement or notice on the protection of personal

       privacy should be clearly visible on every page of the website, under a

       commonly used term (e.g. "Confidentiality", "Confidentiality Policy" or

       "Notice on the protection of privacy". 10So there is no

       obligation to provide this information personally to the complainant. Even more, the Group

       Data Protection Article 29 states that "any information disclosed to a data subject"

       sent, should also be accessible in a single place or in the same

       document (on paper or in electronic format) that can be easily accessed by
                                                                                                11
       this person if he wishes to consult all the information sent to him."

       It can therefore be concluded from this that publishing a direct link

       to the statement on the protection of personal data on the website (which in

       present case) is sufficient.

 46. As a result of the above, the Disputes Chamber is of the opinion that there is no infringement of the

       Articles 5 (1) a) 6 (1) GDPR was committed by the defendant.






10Working group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
version approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 11.

1Working group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
version approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 17. Decision on the substance 149/2022 - 13/30


   II.3. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR


     Article 5(2), Article 24(1) and Article 25(1) and (2) GDPR

47. The controller must comply with the principles set out in Article 5 of the GDPR and that

     can demonstrate. This follows from the accountability obligation as understood in Article 5, paragraph 2 j°

     Article 24(1) GDPR. On the basis of Articles 24 and 25 GDPR, each

     controller takes the appropriate technical and organizational measures
     to ensure and to be able to demonstrate that the processing takes place

     in accordance with the GDPR.


48. In its inspection report, the Inspectorate establishes that articles 5, 24, paragraph 1, and 25, paragraph 1 and

     2 GDPR were violated. As part of his research on the
     accountability, the Inspectorate has forwarded the following question to the

     defendant:


     “Please demonstrate using documents in accordance with Articles 5, 6, 24 and 25”
     oftheGDPRthatyourorganizationhasappropriatetechnicalandorganizationalmeasures

     taken to ensure compliance with data protection principles, such as minimum

     data processing, to be ensured in the context of the asset investigation in the

     abroad mentioned in the complaint”.

49. The defendant has formulated a reply in which, according to the Inspectorate,

     explanation is given about the security measures taken in the context of which

     various attachments are also transferred. The Inspectorate establishes in its report

     that security measures are related to integrity and confidentiality, such as

     included in Article 5(1)(f) GDPR, but that the defendant does not clarify how the other
     principles of Article 5(1) of the GDPR are guaranteed. In addition, the . concludes

     Inspectorate that certain elements are not specifically explained by the

     defendant. It concerns, among other things, whether and, if necessary, how the highest management

     level of the defendant the agreements on security measures in reports and

     follows up on team meetings, whether and, if necessary, how the officer
     data protection of the defendant is involved in the preparation and

     following security measures, whether and, if so, how breaches of the

     code of ethics for members of the board of directors for the defendant effective

     is sanctioned, when the analysis of the technical infrastructure of the

     was carried out by the defendant and what concrete measures the defendant will take after the
     has taken cognizance of that analysis and, finally, how compliance with the aforementioned

     security measures is generally controlled by the defendant and how

     infringements are effectively sanctioned. Consequently, the Inspectorate comes to the

     determination of a breach of Article 5, Article 24(1) and Article 25(1) GDPR. Decision on the merits 149/2022 - 14/30


 50. In its submissions, the defendant disputes that finding. She argues that she

       supposed to demonstrate which technical and organizational measures

       it took with the help of the documents it had to prepare, such as

       for example the register of processing activities, the closed

       processing agreement with the processor of the personal data during the

       foreign asset investigation, and other documents proving that they have appropriate

       has taken technical and organizational measures in the context of the

       foreign asset research. The defendant regrets that the Inspectorate

       have violated all the principles of Article 5(1) of the GDPR because of a

       misconception of one of the Inspectorate's questions by the defendant. The
       the defendant argues that the findings of the Inspectorate are based on a

       incorrect interpretation of the research question by the defendant. In its conclusions

       the defendant therefore provides more information regarding compliance with the principles of Article 5,

       paragraph 1 GDPR.


 51. The Disputes Chamber states that the Inspectorate, as the investigative body of the GBA,

       is investigating complaints about and serious indications of violations of the
       European and Belgian legislation on personal data, including the GDPR. One of

       the ways in which the investigation is conducted is to obtain all useful information and

       to provide documents. This option allows the controllers

       and/or processors to explain and demonstrate which measures have been taken to

       comply with applicable law.2


 52. In the context of the examination of compliance with the Fundamental Principles and the
       accountability as understood in Article 5 of the GDPR, the Inspectorate has a

       general question to the controller that reads as follows:


        “Please demonstrate using documents accordingly articles 5, 6, 24 and 25”

        of the GDPR that your organization takes appropriate technical and organizational measures

        has taken to ensure compliance with data protection principles, such as

        minimum data processing, to be guaranteed in the context of the asset investigation

        abroad mentioned in the complaint”.

 53. In the present case, the defendant provided a detailed reply to the

       controller, in which it indeed implements the taken

       security measures. However, the Disputes Chamber reads in the Inspection report that it

       answer formulated by the defendant was not sufficient for the

       inspection service. In this case, as explained above, the Inspectorate is of the opinion that

       certain information,whichisessentialtotheInspectionservice,toagoodassessment


12 Charter of the Inspectorate, August 2022, can be consulted online via
https://www.dataprotectionauthority.be/publications/charter-van-de-informatiedienst.pdf Decision on the merits 149/2022 - 15/30


     to come is missing. Consequently, it was ruled by the Inspectorate that there

     was a violation of Article 5, Article 24(1) and Article 25(1) and (2) GDPR.

54. The Disputes Chamber states, however, that an investigation by the Inspectorate into a loyal

     manner should be done. If the response from the controller for the

     Inspection service is not sufficient, in the context of a loyal investigation it falls to the

     Inspection service to clarify on which points more information is requested. This

     can be done, for example, by asking more specific questions about a certain topic or by
     request specific documents or information. After all, it's for the

     controller is not always easy to understand in such general and broad terms

     to formulate a comprehensive answer. If the Inspectorate is more specific

     has asked questions or has requested concrete documents and the

     controller has not been able to provide the requested information, comes
     it is up to the Inspectorate to report breach of accountability as understood

     in Article 5(2) and Article 24(1) of the GDPR. The Disputes Chamber notes in this regard:

     that the Inspectorate has not asked any additional questions about specific

     subjects or that no specific documents were requested in order to

     good assessment of the case. The Disputes Chamber therefore also establishes that
     the inspection investigation was not conducted in a loyal manner with regard to this finding.

     Consequently, the Disputes Chamber comes to the conclusion that on the basis of the

     investigation reportcannotbedecidedtoviolatearticle5, paragraph2, article24,

     paragraph 1 and Article 25, paragraphs 1 and 2 GDPR.

     Article 5(1) GDPR


55. As stated above, the defendant explained how it

     compliance with the fundamentals of the AVG. The Disputes Chamber notes that,
     based on the answer provided by the defendant in the context of the investigation,

     the Inspectorate determines that there is a violation of all basic principles with

     with regard to the protection of personal data as defined in Article 5(1) of the GDPR.

     Although Article 5(1) and (2) GDPR are closely related, any

     breach of the accountability obligation of Article 5(2) of the GDPR does not automatically include a
     violation of Art. 5 (1) GDPR. After all, accountability is the formal

     externalization to document compliance with the material

     demonstrate the basic principles of the GDPR.

56. In its submissions, the defendant explained how the processing operations do meet the

     basic principles of Art. 5 (1) GDPR. These are briefly resumed below.


57. The defendant argues that it does comply with the principle of propriety and transparency.

     It processes the following personal data in the context of the asset investigation: name
     and first name of the tenant, date and place of birth, national register number (if Decision on the merits 149/2022 - 16/30


      applicable and available), date and place of marriage (if applicable and

      available, the file number and elements of the social investigation. The Defendant

      obtains this personal data either because it is legally obliged to request it

      (Article 68 of the Flemish Housing Code), either because it receives this data from Z

      (file number and elements of the social inquiry). This was also confirmed by the

      jurisdiction. 13For the legality of the legal basis, the Disputes Chamber refers

      to what was explained in section II.2. With regard to the principle of transparency,

      the defendant that it has before the commencement of the foreign asset investigation

      reported, in clear language adapted to the target group, in this case residents of social

      homes, that the data would be used for a foreign
      asset research. This information was included in the privacy statement on the

      website and then in the warning letter. With regard to the principle of

      transparency, the Disputes Chamber establishes that the relevant passage from the

      privacy statement reads as follows:



























      The warning letter sent by the defendant on July 29, 2020 is also in

      clear intelligible language:
















13See, among other things, Peace. Hamme June 6, 2019, Rent 2020/1, 57. Decision on the merits 149/2022 - 17/30






































58. As already stated, the privacy statement was accessible via a direct link on the

     website and drafted in clear language. The warning letter to the complainants was also

     sent on July 29, 2020 is written in sufficiently clear language. In view of the

     above, the Dispute Chamber concludes that there is no violation of
     Article 5(1)(a) GDPR.


59. The Disputes Chamber recalls that in accordance with Article 5(1)(b) GDPR

     personal data may only be collected and processed for specified,
     expressly defined and justified purposes. When the data is later for

     be used for another purpose, that new purpose must be compatible with the

     original collection purpose. With regard to Article 5(1)(b) GDPR, the

     the defendant that the purpose of the processing was established and determined ab initio,

     since the privacy statement explicitly states that personal data can be

     are passed on to private bodies for checking the above mentioned
     registration and admission requirements. The purpose is also expressly described in

     the privacy statement, according to the defendant. To determine the justified

     purpose, this purpose must be related to the activities of the

     controller, i.e. the defendant. In this regard, the defendant refers Decision on the merits 149/2022 - 18/30


     to Article 52 of the Framework Decree, being checking compliance with the

     registration and admission requirements in the context of social housing.

60. On the basis of the defendant's documents, the Disputes Chamber finds that the

     personal data were collected for the purpose of administrative registration on

     to enable the waiting list and possible allocation of social housing. The

     privacy statement (see marginal 56) clearly states that the defendant is charged with a

     task of general interest, namely the use of scarce government resources to
     allocating social housing to the most vulnerable. To that end . can

     charge the defendant private bodies with investigations into immovable assets in

     abroad, as is also included in the privacy statement. This control on the

     fulfillingtheenrolmentandadmissionconditionsisinherentlyconnectedwiththetask

     in the general interest of the defendant, as regards the implementation of the right to due process
     housing, especially for the most deprived. Given the above

     the Disputes Chamber concludes that there has been no violation of Article 5(1)

     b) GDPR.

61. The principle of data minimum processing as set out in Article 5(1)(c) GDPR states

     that the personal data processed must be adequate, relevant and limited

     to what is necessary for the purposes for which they are processed. It follows that

     the data may only be processed if the purpose of the processing is not

     can reasonably be accomplished in another way. As to the principle

     of "minimum data processing", the defendant argues that both the purpose, the
     data and the processing are proportional.


62. Recital 39 of the GDPR states that personal data may only be processed

     if the purpose of the processing cannot reasonably be achieved in any other way
     accomplished. On the basis of the documents in the file, the Disputes Chamber determines that the

     the defendant processed the following data in the context of the foreign

     asset investigation: surname and first name, date of birth, place of birth,

     National register number (Belgian or of the home country, if applicable), date and place of the

     marriage (if applicable and available) and any elements of the study
     of the Supervision Service that led to the transmission of the file (suspected of

     foreign real estate). From the documents, the Disputes Chamber understands that the defendant

     did not immediately proceed with a foreign asset investigation. The complainants have

     firstly, a declaration on honor signed at the start of the lease, further

     does the complainant have the legal obligation to refuse the possible acquisition of an immovable property?
     to report to the landlord during the current tenancy agreement, in this case the

     defendant, then the defendant received a warning letter on July 29, 2020

     transferred to the complainants, in which, on the one hand, the foreign asset investigation is made Decision on the merits 149/2022 - 19/30


     announced, and, on the other hand, the possibility is given to

     to report immovable property in order to reach an amicable settlement. Finally, the

     Defendant to conduct an exploratory investigation first. Only when there

     serious indications or suspicions of foreign immovable property, there will be
     proceeded with a foreign asset investigation as is the case in the present case

     used to be. Since the defendant does not have the necessary resources or expertise to

     conducting investigations, it is not excessive to have recourse to a

     specialized firm. In view of the above, the Disputes Chamber concludes that there

     there is no violation of Article 5(1)(c) GDPR.

63. Pursuant to Article 5(1)(d) GDPR, the controller must take all reasonable

     take measures to ensure that the data is correct and up to date. Data

     that are not (anymore) must be deleted or corrected. The defendant argues that it

     has drawn up an internal policy together with its data protection officer

     with guidelines for its employees who come into contact with personal data. Out
     the agenda of the defendant's team meeting dd. October 19, 2021 it turns out that this

     internal note together with other points regarding the AVG were discussed. The Dispute Room

     concludes that there has been no violation of Article 5(1)(d) GDPR.


64. The Disputes Chamber recalls that pursuant to the principle of storage limitation (Article
     5, paragraph 1, e) AVG data may not be stored for longer than is necessary for

     the purpose of the processing. When the data is no longer necessary, then

     they are destroyed or erased. The defendant points out that the register of

     processing activities provides a detailed overview of the retention periods of the

     categories of personal data it processes. In addition, Article 10 of the

     processing agreement with Z that it contains all personal data received and processed
     with regard to the foreign asset investigation when the

     processing agreement comes to an end, i.e. May 31, 2022 (subject to extension).

     Contrary to the complainant's contention, the defendant does not therefore admit that it

     violated the principle of storage limitation. In view of the above concludes

     the Disputes Chamber that there has been no violation of Article 5, paragraph 1, e) GDPR.

65. Article 5, 1, f) of the GDPR prescribes that “[personal data] by taking

     appropriate technical or organizational measures in such a way

     processed that an appropriate security is ensured, and that they include:

     be protected against unauthorized or unlawful processing and against accidental

     loss, destruction or damage”. In this context, the defendant explained its conclusions
     how it has taken various measures independent of the

     processing activities in the context of foreign asset research, such as

     informing its employees about the security measures to be observed (such as Decision on the merits 149/2022 - 20/30


     password use, two-factor identification, internal policies regarding the treatment of

     personal data). Furthermore, the defendant explains that the directors have an ethical

     must sign a code whereby they commit themselves to secrecy of

     personal data and confidential company data. The defendant then states
     a series of measures taken after an analysis of the technical infrastructure

     by an independent company. This includes: creating offline and

     online backups of the processed personal data, firewall installation, antivirus and anti-virus

     malware software, password policy with regular password changes and

     disable all default user accounts. This independent company carries

     periodic checks regarding the security of the IT infrastructure. Also the
     processing agreement determines which measures the processor must take with the

     with a view to security, such as regular renewal of passwords and access codes,

     pseudonymisation and encryption of personal data, internal audit procedures for

     assessment of the security measures taken, confidentiality clause for the

     concerning employees, etc. From the above, the Disputes Chamber concludes that there

     there is no infringement of Article 5 (1) f) GDPR.

66. The Disputes Chamber states again that in the present case it is disproportionate to find a violation of

     to adopt Articles 5, 24, paragraphs 1 and 25, paragraphs 1 and 2 GDPR on the basis of a general question

     in the context of accountability, to which was replied by the defendant,

     without further follow-up questions from the Inspectorate. It belongs to the Inspectorate
     to determine a possible shortcoming of Article 5 (1) GDPR on the basis of a loyal investigation

     by the defendant.


67. Since the Inspectorate does not demonstrate how the defendant de

     has violated fundamental principles of Article 5, including accountability, and the
     The defendant explains in detail in its claims to what extent it does comply with these principles

     complies, the Disputes Chamber concludes that there is no infringement of Articles 5, 24, paragraph 1 and

     25 para. 1 and 2 GDPR was committed by the defendant.


   II.4. Article 28, paragraphs 2 and 3 GDPR

68. Pursuant to Article 28(2) of the GDPR, the processor does not employ another processor without

     prior specific or general written consent of the

     controller. In the event of general written consent, the

     processor informs the controller about intended changes to the

     addition or replacement of other processors, where the controller

     the opportunity to object to these changes.

69. Article 28(3) of the GDPR provides that processing by a processor is governed by a

     agreement or other legal act under Union or Member State law Decision on the substance 149/2022 - 21/30


     which binds the processor towards the controller, and in which

     the subject matter and duration of the processing, the nature and purpose of the processing, the

     type of personal data and the categories of data subjects, and the rights and

     obligations of the controller are described. That
     agreement or other legal act provides in particular that the processor:


         • process the personal data only under the written instructions of the

             controller, including with regard to the transfer of

             personal data to a third country or an international organization (unless it
             is legally obliged to do so);


         • ensures that access to that data is restricted to authorized persons.

             These persons must be bound by secrecy on the basis of a

             agreement or a legal obligation;

         • maintains at least the same level of data security as the

             controller does;

         • the controller provides all possible support in

             fulfilling its obligations with a view to answering requests

             regarding the rights of data subjects;


         • assists the controller in fulfilling its obligations
             in the field of security of personal data and the obligation to report data leaks;


         • after termination of the agreement between the controller and

             processor, the data processed on behalf of the controller

             delete or return personal data to him, and delete existing copies;

         • the controller makes all necessary information available

             to demonstrate that the obligations under the Regulation

             around the deployment of a processor are complied with and is necessary to carry out audits

             to make possible;

         • makes agreements with regard to sub-processors.

70. In its investigation, the Inspectorate establishes that there has been an infringement of Article 28,

     paragraphs 2 and 3 of the GDPR as in the processing agreement between the defendant and

     processor the following elements are missing:


   - The signature of the director representing the defendant, only the
      signature of the director of the processor is in the processing agreement;


   - The date on which the processing agreement starts. On page 10 of the

      processing agreement states “October 14, 2020” but it is not clear whether that is also the

      start date is; Decision on the merits 149/2022 - 22/30


   - A description of the duration of the processing;


   - A description of the type of personal data and the categories of data subjects and
      the nature of the processing; and


   - A prior specific or general written consent of the defendant

      to the processor to hire other processors. Despite the lack of any

      provision in this regard, the processor has engaged a processor in Turkey.

71. The defendant does not dispute those findings. It states that after receiving the

     inspection report has immediately instructed to terminate the processing agreement

     which it uses for carrying out wealth investigations by private companies
     and to elaborate and insert the cited elements. The Defendant

     argues that at this time, the processor does not conduct asset investigations for the benefit of

     the defendant performs more, nor does the defendant transfer any personal data

     the processor. The defendant attaches to its claims a modified template of

     processing agreement that will be used in any future

     foreign asset investigations.

72. The Disputes Chamber rules that the processing agreement that was transferred by

     the defendant is incomplete, as established in the Inspection Report. In her conclusions

     the defendant states that it no longer conducts foreign asset investigations,

     but that they use the revised template of the processing agreement, in accordance with the
     Submit an inspection report. The Disputes Chamber finds that the defendant

     has made efforts to implement the processing agreement in accordance with the

     requirements of Article 28(2) and (3) GDPR.


73. Despite the corrective measures, the Disputes Chamber finds that the
     processing agreement on the basis of which the foreign asset investigation has

     performed did not meet the requirements of Article 28, paragraphs 2 and 3 GDPR, as a result of which

     was of an infringement of Article 28, paragraphs 2 and 3 GDPR, but that this has been remedied in the meantime.

   II.5. Articles 44, 46, 24, paragraphs 1 and 5, and paragraph 2 GDPR


74. When personal data is transferred to countries outside the European Union

     transferred, there is a transfer of personal data. For passing on

     of data to countries outside the European Union, the AVG states that this is only allowed

     if the level of protection provided by the GDPR is not undermined. This is the case

     if the country outside the European Union has an adequate level of data protection

     oradditionalguaranteesprovideonthetransmissionofdata.IftheEuropeanCommission
     has not made an adequacy decision, appropriate

     safeguards to provide a sufficiently high level of protection. Decision on the merits 149/2022 - 23/30


75. With regard to the transfer of data to Turkey, the Inspectorate notes that

     the defendant has infringed Articles 44, 46, 24, paragraphs 1 and 5 and 2 of the GDPR

     as the defendant has failed to demonstrate what measures it and Z have taken
     taken to comply with Articles 44 and 46 GDPR when transferring personal data to Turkey

     and to comply with the Schrems II judgment. The Inspectorate comes to the conclusion that the

     Turkish law on the protection of personal data provides an exemption for the

     processing of personal data within the framework of preventive, protective and

     intelligence activities conducted by public institutions and organizations

     belong to are authorized and designated by law to the national defense, national
     security, public safety, public order or economic security. The

     processing agreement between Z and its Turkish partner would not provide sufficient additional

     provide guarantees to ensure an adequate level of protection of the transferred

     guarantee personal data.

76. First, the defendant argues that it is not the exporter of these personal data

     to Turkey as part of the asset investigation. It is Z who receives the data

     of the defendant, but who in turn passes it on to her partner in Turkey, who then

     uses this data to make the necessary searches in the public registers.

77. The Disputes Chamber does not follow this reasoning. Article 4(7) GDPR defines

     “controller” as the “natural or legal person,

     government agency, agency or other body which, alone or jointly with others, serves the purpose

     of and the means of processing personal data”. It's also the
     the defendant as a social housing company which determines the aim and the means,

     as it has transferred the personal data to Z as a processor for the purpose of

     conducting a foreign asset survey in Turkey. In other words, the

     The Disputes Chamber comes to the conclusion that the defendant as

     controller must be qualified, including with regard to the
     transfer to Turkey. As a controller, it is her duty to

     verify that this transfer will take place in a manner that is in accordance with the

     obligations in the GDPR in this regard. This obligation also applies if they do not themselves

     transfers, but through an appointed processor, as is the case in the present case

     is. If the controller determines that this transfer by the
     processor cannot take place in accordance with the AVG, he may not use this personal data

     transfer to the processor.


78. In the event that the defendant were nevertheless classified as a controller
     it submits in a subordinate order that it is committed to the transfer of

     personal data relies on Article 49 (1) d) GDPR. Decision on the merits 149/2022 - 24/30



       In the context of the assessment of the transfer of personal data to Turkey

       refers the Disputes Chamber to Recommendation 1/2020 of the European Committee for
       data protection (hereinafter: “EDPB”). To help exporters with the complex task of

       assessing the data protection of third countries and where necessary

       adopting appropriate additional measures, the EDPB has a roadmap

       provided.14


       Step 1: familiarity with the transfers

 79. First of all, it is important for the exporter to be aware of the

       personal data that are passed on, for example by relying on his

       processing register. The defendant acknowledges in its claims that the processing register

       was not yet ready at this point. However, the EDPB does not determine how the exporter meets these

       step must comply, but only formulates suggestions. The defendant argues in its

       conclusions that the categories of personal data that were transferred were

       included in the processing agreement, so that there was a good overview of the

       relevant personal data that were the subject of the transfer.


       Step 2: determination of the relevant instrument of transfer

 80. Secondly,theexportermustdeterminewhichtransmissioninstrumentfromchapterVofthe

       AVG he uses.


 81. The Dispute Chamber reminds that the transfer of data to one third

       country, in the absence of an adequacy decision by the European Commission under

       Article 45 GDPR, is only possible if the controller or processor

       has provided appropriate safeguards, and provided that for the data subjects

       enforceable rights and effective remedies are available (Article 46 GDPR). Bee

       lack of a decision declaring the level of protection adequacy
       pursuant to Article 45(3) of the GDPR, or of appropriate safeguards pursuant to Article

       46 GDPR, finds a transfer or a category of transfers of personal data to a

       third country in specific circumstances only under one of the conditions of

       Article 49 GDPR ("Data Protection Derogations").


 82. As stated above, the defendant relies on the derogation provided for in Article 49(1)(d)

       GDPR. Under this Article, transfers to third countries may take place when the

       transfer is "necessary for important reasons of public interest". This one is very similar to
                                                                                        15
       the provision contained in Article 26(1)(d) of Directive 95/46/EC , in which



14EDPB Recommendations 01/2020 on measures to complement transfer instruments to ensure compliance with the

ensure the level of protection of personal data in the Union dd. June 18, 2021, to be consulted via
https://edpb.europa.eu/system/files/2022-
04/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
15Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection Decision on the substance 149/2022 - 25/30


       states that a transfer may only take place when it is necessary or legal

       is mandatory because of an important public interest.


 83. In accordance with Article 49(4) GDPR, only public

       interests recognized in the law of the Union or in the law of the Member State including the

       responsible for the processing. The provision constituting such a public interest

       defines should not be abstract. Transfer is permitted, for example, in the event of a

       substantial general interest that is recognized in international agreements in which
                             16
       the Member States are parties .


 84. In the present case, the transfer takes place in the context of the public interest and more

       determines the right to housing. The right to housing is recognized in a number of

       international human rights instruments. Article 25 of the Universal Declaration of the

       Human Rights recognizes the right to housing as part of the right to a
                                     17
       decent standard of living. Also Article 11(1) of the International Covenant on

       economic, social and cultural rights (ICESCR), which applies to both Belgium and Turkey

       have ratified, guarantees the right to housing as part of the right to
                                          18
       a decent standard of living. For the determination of the right to housing as

       public interest in Belgian national law, reference is made to section II.2 of this

       decision.


 85. On the basis of Article 49(1)(d) GDPR, the necessity test must be applied to

       assess its applicability. This necessity test requires an evaluation

       by the data exporter of whether the transfer of personal data as

       may be considered necessary for the specific purpose of Article 49(1)(d)

       GDPR. With regard to the necessity of the transfer, the Disputes Chamber refers

       to section II.2 of this decision.

 86. In view of the above, the Disputes Chamber concludes that the transfer of the

       personal data to Turkey, in the context of the foreign asset investigation

       legally valid based on article 49, paragraph 1, d) of the AVG, which means that there is no infringement

       is on Article 44, Article 46, Article 24 (1) and Article 5 (2) GDPR.





of natural persons in connection with the processing of personal data and on free movement

of that data.
16EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679 dated. May 25, 2018, te
consult at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf

17Article 25: Everyone has the right to a standard of living adequate for his own health and well-being
and his family, including food, clothing, housing, medical care and necessary social services, and law
security in case of unemployment, illness, disability, widowhood, old age or other lack of livelihood
circumstances beyond his control.
18
  Article 11, paragraph “The States Parties to this Covenant recognize the right of everyone to an adequate
standard of living for himself and his family, including adequate food, clothing and housing, and at all times
better living conditions. The States Parties to this Convention are taking appropriate measures to achieve it
of this right, recognizing the essential importance of voluntary international cooperation” Decision on the substance 149/2022 - 26/30


   II.6. Article 30(1) GDPR


87. Under Article 30 GDPR, each controller must keep a register

     of the processing activities carried out under its responsibility.

     Article 30(1) a) to g) GDPR provides that, with regard to the capacity
     processing carried out by the controller, the following information

     must be available:


     a) the name and contact details of the controller and any

        joint controllers and, where applicable, of the
        representative of the controller and of the officer for

        data protection;


     b) the processing purposes;

     c) a description of the categories of data subjects and of the categories of

        personal data;

     d) the categories of recipients to whom the personal data have been or will be

        provided, including to recipients in third countries or international organisations;


     e) where applicable, transfers of personal data to a third country or

        international organisation, including an indication of that third country or
        international organization and, in the case of the second subparagraph of Article 49(1) of the GDPR,

        the transfers referred to, the documents regarding the appropriate guarantees;


     f) if possible, the envisaged deadlines within which the different categories of
        data must be erased;


     g) if possible, a general description of the technical and organizational

        security measures as referred to in Article 32(1) of the GDPR.

88. The Inspectorate does with regard to the register of processing activities of the

     the defendant makes the following findings, as summarized below:


        • There is no description of the categories of data subjects in the tab
            “Lists” (cf. Article 30(1)(c) of the GDPR). It is therefore unclear what words

            as “staff members”, “directors”, “volunteers”, “(candidate) tenants and

            (candidate) buyers in practice.


        • The description of the categories of personal data is incomplete, since in
            the tab "Lists" are several times non-exhaustive lists (cf. article 30,

            paragraph 1, c) of the GDPR). It is therefore unclear what words like “Electronic

            identification data”, “electronic localization data”, “financial Decision on the merits 149/2022 - 27/30


            identifiers”, “images” and “sound recordings” in practice

            mean.

89. The Disputes Chamber establishes the defendant in its register of processing activities

     provides a summary for:

   - the categories of data subjects (Article 30(1)(c) GDPR), i.e. “staff members”,

      “drivers”, “volunteers”, “(prospective) tenants and (prospective) buyers; and


   - the categories of personal data (article 30, paragraph 1, c) AVG), namely “electronic”

      identification data”, “electronic location data”, “financial
      identifiers”, “images” and “sound recordings”.


90. The Disputes Chamber must rule on whether Article 30(1)(c) GDPR requires

     that a description is given of the categories of personal data and the
     categories of data subjects in the register of processing activities, or whether a

     summary may suffice.


91. The Disputes Chamber notes that Article 30(1)(c) GDPR requires that a description of the
     categories of data subjects and of the categories of personal data is

     included in the register of processing activities. Those involved are the

     identified or identifiable natural persons whose data is

     processed (article 4(1) of the GDPR). Regarding the categories data, it should of course

     concern personal data as defined in Article 4 (1) of the GDPR.

92. The Disputes Chamber recalls what the purpose of the register of

     processing activities. To effectively fulfill the obligations contained in the GDPR

     apply, it is essential that the controller (and the

     processors) have an overview of the processing of personal data that they
     to carry out. This register is therefore primarily an instrument to

     assist the data controller in complying with the GDPR for the different

     data processing and it performs because it registers the most important features of

     makes visible. The Disputes Chamber is of the opinion that this processing register is a

     essential tool in the context of the already mentioned accountability (Article
     5 (2) and Article 24 GDPR) and that this register is the basis for all obligations that the

     GDPR on the controller.


93. The Disputes Chamber notes that neither the text of the GDPR nor the objectives of the
     GDPR prevent an enumeration of the categories of personal data and the

     categories of data subjects is included in the register of processing activities

     or that a more detailed description would be needed. Decision on the merits 149/2022 - 28/30



 94. With regard to the categories of recipients, the Disputes Chamber refers to a
       recommendation of the CPP and doctrine stating that it is not true

       it is necessary to state the individual recipients of the data, but that these

       can be grouped by category of recipients. Mutatis mutandis can this

       statement can also be applied to the categories of personal data and data subjects.


 95. The Disputes Chamber points out, however, that the completion of the register of

       processing activities should always be evaluated on a case-by-case basis to determine whether the

       description or summary contained herein is sufficiently clear and specific.

 96. In the present case, the Disputes Chamber finds that the enumerations included in the

       register of processing activities were sufficiently concrete. According to the

       Litigation room little doubt about the meaning of the above listed

       elements in the context of social rent. Consequently, the Disputes Chamber concludes that there

       there is no violation of Article 30(1)(c) GDPR. The Disputes Chamber reminds

       also because the register of processing activities is now up-to-date with regard to

       the international transfers, as recognized by the defendant, as a result of which there is no question

       of a violation of Article 30(1) GDPR.

III. Sanctions


 97. On the basis of the documents in the file, the Disputes Chamber determines that there is

       an infringement of 28, paragraphs 2 and 3 of the GDPR. Although the defendant remedied these infringements

       it is established that there are violations of the right to data protection

       have taken place. As already explained, the processing agreement is a

       important instrument in GDPR compliance. With the processing agreement, the

       controller can rely on processors who provide sufficient guarantees

       offer, in particular in terms of expertise, reliability and resources, to

       ensure that the technical and organizational measures comply with the

       regulations of the GDPR, including with regard to the security of the processing.

 98. When determining the sanction, the Disputes Chamber takes into account the fact that the

       Defendant has already rectified these infringements and has provided evidence thereof.

       The Disputes Chamber therefore decides that in the concrete factual circumstances of this

       case, a reprimand for the aforementioned infringements will suffice. The seriousness of the infringement is not

       such that an administrative fine should be imposed.

 99. The Disputes Chamber proceeds to a deposit of the other grievances and findings of the

       Inspectorate because, on the basis of the facts and the documents in the file, they do not belong to the




19Available at: https://www.dataprotectionauthority.be/publications/aanbeveling-nr.-06-2017.pdf
20W.Kotschy,"Article30:recordsofprocessingactivities",inCh.KunerTheEUGeneralDataProtectionRegulation(GDPR),
a commentary, 2020, p. 621. Decision on the substance 149/2022 - 29/30



       conclude that there is a breach of the GDPR. These grievances and

       findings of the Inspectorate are therefore regarded as manifestly unfounded
                                              21
       within the meaning of Article 57(4) of the GDPR.



IV. Publication of the decision


 100. In view of the importance of transparency with regard to the decision-making of the

       Litigation Chamber, this decision is published on the website of the

       Data Protection Authority. However, it is not necessary for the

       identifiers of the parties are disclosed directly.





    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


    - To formulate a reprimand with regard to the . pursuant to Article 100, §1, 5° WOG

        defendant with regard to the infringement of Article 28(2) and (3) GDPR.


    - To dismiss all other grievances from the complaint pursuant to Article 100, §1, 1° WOG.








Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice against this decision, an appeal may be lodged with the Marktenhof (court of

profession Brussels), with the Data Protection Authority as defendant.


Such an appeal may be lodged by means of an adversarial petition that the
                                                                                           22
Mentions listed in Article 1034ter of the Judicial Code must contain .It

adversarial petition must be submitted to the registry of the Marktenhof









21 See point 3.A.2 of the Disputes Chamber's Dismissal Policy, dated. June 18, 2021, to be consulted via
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
22
  The petition states, on pain of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
    summoned;
 4° the subject matter and the brief summary of the grounds of the claim;
 5° the court before whom the claim is brought;
 6° the signature of the applicant or of his lawyer. Decision on the merits 149/2022 - 30/30


                                                                      23
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).







(get). Hielke H IJMANS

Chairman of the Disputes Chamber





































































23The application with its annex, in as many copies as there are interested parties, shall be sent by registered letter
sent to the clerk of the court or deposited at the clerk's office.