APD/GBA (Belgium) - 149/2023: Difference between revisions

From GDPRhub
 
(6 intermediate revisions by 2 users not shown)
Line 79: Line 79:
}}
}}


The Belgian DPA held that the controller's legitimate interest is not a valid legal basis to publish personal data of health professionals on an online booking platform; that the controller has the obligation to inform the data subject of the status of their request; and that the data subject's consent is not a valid legal basis to process the National Register Number which can only be processed by limited entities and subject to prior authorization by the Interior Minister (unless a legal exemption applies).
The Belgian DPA reprimanded a controller, an online booking platform, for failing to comply with [[Article 12 GDPR#3|Article 12(3) GDPR]] and because [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was not a valid legal basis to publish personal data of health professionals on the platform.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller publishes health professionals data on their platform without a valid legal basis. The controller never answered the data subject's request to have her account and associated data deleted and her question about the need to provide her National Register Number (NRN) to create an account. The controller's answer to another data subject also questioning the need to collect his NRN for the creation of an account was deemed unsatisfactory by that data subject.
To book an appointment with a dentist through 'Platform Z' (the platform), which aims to facilitate contact with healthcare professionals and doctors, complainant n.1 had to make an account. After the account creation, complainant n.1 requested the platform to delete her account and her personal data, to which she did not receive any reply.
 
Thus, on 4 December 2020, complainant n.1 lodged a complaint with the Belgian DPA against the company that created the platform and a shareholder company, which she claimed to be joint-controllers, for not taking any action to comply with her request.
 
On 31 July 2021, complainant n.2 also informed the Belgian DPA that to create an account on the platform, he had to provide his National Register Number (NRN). Complainant n.2 explained to have emailed the company stating that their request was illegal, to which the platform explained that the NRN was needed as a security measure. Consequently, complainant n.2 did not create an account.
 
On 2 August 2023, complainants n.1 and no.2 were informed that the hearing would take place on 15 September 2023. In response to the invitation to the hearing, complainant n.2 indicated that he had no intention of filing a complaint other than to point out a potential violation to the DPA. The DPA still found itself able to continue the proceedings since it considered the alleged breach to be sufficiently serious and to be revealing the existence of a practice likely to infringe the data protection principles. In light of this, the DPA also conducted an ''ex officio'' investigation into the legal basis of the data processing of the non-registered health professionals carried out by the controller for its platform.


=== Holding ===
=== Holding ===
The Belgian DPA held that the controller's legitimate interest is not a valid legal basis to publish personal data of health professionals on an online booking platform; that the controller has the obligation to inform the data subject of the status of their request; and that the data subject's consent is not a valid legal basis to process the National Register Number which can only be processed by limited entities and subject to prior authorization by the Interior Minister (unless a legal exemption applies).
The Belgian DPA decided to join the two complaints as it considered them closely related and to ensure consistency in its decisions.
 
Firstly, concerning the complaint of complainant n.1, the DPA addressed whether the company that created the platform and the shareholder company could be considered joint controllers. The DPA noted that joint controllership presupposes participation in the determination of the purposes and means of the data processing, which does not necessarily happen in situations of financial support for a project. Thus, the DPA stated that in this instance, the shareholder company was not to be considered a joint controller under [[Article 4 GDPR#7|Article 4(7) GDPR]] since there was no evidence that it contributed to determining the data processing for the platform, and the company that created the platform was to be considered the sole controller.
 
Secondly, the DPA addressed the controller's failure to comply with complainant n.1's right to erasure. The DPA stressed that pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]], there is the obligation to inform the data subject of the measures taken following the deletion request, as soon as possible and, in any event, within one month of receipt of the request. Since, in the present instance, the controller did provide evidence of the data erasure and that it only failed to inform complainant n.1 of the erasure, the DPA concluded a breach of [[Article 12 GDPR#3|Article 12(3) GDPR]].
 
Regarding the request for the NRN data, the DPA agreed with the controller that to access the information of the platform, there should be a strong identification system in place. Nonetheless, it stressed that such a system should not include the NRN. Moreover, the DPA stated that under [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Article 8 of the National Law organising the NRN (LRN)], the NRN could be utilised only when granted by the Minister of the Interior to authorities, institutions, and persons explicitly referred to in [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Article 5(1) LRN], under which the controller did not fall in. Therefore, the controller breached [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]], in conjunction with [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi Article 8 LRN].
 
Lastly, in its ''ex officio'' capacity, the Belgian DPA then decided to assess the legal basis of the data processing of the non-registered health professionals carried out by the controller, which the controller claimed to be legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. While the DPA acknowledged the controller's legitimate societal interest and economic interest, the DPA noted that non-registered health professionals could not reasonably expect their data to be used by the controller without their prior consent. Indeed, while the information on the platform was the same information as published on the non-registered health professionals' own website or that of their practice, to which they agreed, they could not have expected their data to be republished on a platform such as the one in question. Therefore, there had been a breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]].
 
Taking into consideration the aforementioned breaches, the DPA reprimanded the controller and ordered the controller to bring its processing operations into compliance with the GDPR.  


== Comment ==
== Comment ==
The Belgian DPA had recently issued a fine against a similar platform, following a complaint by health professionals that their data had been processed without their informed consent. In this case, the complain comes from patients who complained to have been misled into believing that they had to create an account and provide unnecessary sensitive personal data to make a booking with a health professional, only to realize that the health professional of their choice did not offer online booking on that platform. This shows that the publication of health professional data on platform without consent poses issues both to health professionals and to patients. It is time online booking platform comply with the GDPR and the decisions of the Belgian DPA.
''Comment by the original contributor:'' The Belgian DPA had recently issued a fine against a similar platform, following a complaint by health professionals that their data had been processed without their informed consent. In this case, the complain comes from patients who complained to have been misled into believing that they had to create an account and provide unnecessary sensitive personal data to make a booking with a health professional, only to realize that the health professional of their choice did not offer online booking on that platform. This shows that the publication of health professional data on platform without consent poses issues both to health professionals and to patients. It is time online booking platform comply with the GDPR and the decisions of the Belgian DPA.


== Further Resources ==
== Further Resources ==

Latest revision as of 08:50, 19 March 2024

APD/GBA - DOS-2020-05649 and DOS-2021-05271
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 7(3) GDPR
Article 12 GDPR
Article 12(1) GDPR
Article 13(1)(a) GDPR
Article 13(1)(c) GDPR
Article 13(2) GDPR
Articles 5, 8.1 and 8.3 of the Belgian Law dd 8 August 1983 organizing a National Register of Natural Persons
Type: Complaint
Outcome: Upheld
Started: 04.12.2020
Decided: 10.11.2023
Published:
Fine: n/a
Parties: Madame X1 and Monsieur X2
Société Y1 and Société Y2 (or 'Platform Z')
National Case Number/Name: DOS-2020-05649 and DOS-2021-05271
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian DPA (in FR)
Initial Contributor: n/a

The Belgian DPA reprimanded a controller, an online booking platform, for failing to comply with Article 12(3) GDPR and because Article 6(1)(f) GDPR was not a valid legal basis to publish personal data of health professionals on the platform.

English Summary

Facts

To book an appointment with a dentist through 'Platform Z' (the platform), which aims to facilitate contact with healthcare professionals and doctors, complainant n.1 had to make an account. After the account creation, complainant n.1 requested the platform to delete her account and her personal data, to which she did not receive any reply.

Thus, on 4 December 2020, complainant n.1 lodged a complaint with the Belgian DPA against the company that created the platform and a shareholder company, which she claimed to be joint-controllers, for not taking any action to comply with her request.

On 31 July 2021, complainant n.2 also informed the Belgian DPA that to create an account on the platform, he had to provide his National Register Number (NRN). Complainant n.2 explained to have emailed the company stating that their request was illegal, to which the platform explained that the NRN was needed as a security measure. Consequently, complainant n.2 did not create an account.

On 2 August 2023, complainants n.1 and no.2 were informed that the hearing would take place on 15 September 2023. In response to the invitation to the hearing, complainant n.2 indicated that he had no intention of filing a complaint other than to point out a potential violation to the DPA. The DPA still found itself able to continue the proceedings since it considered the alleged breach to be sufficiently serious and to be revealing the existence of a practice likely to infringe the data protection principles. In light of this, the DPA also conducted an ex officio investigation into the legal basis of the data processing of the non-registered health professionals carried out by the controller for its platform.

Holding

The Belgian DPA decided to join the two complaints as it considered them closely related and to ensure consistency in its decisions.

Firstly, concerning the complaint of complainant n.1, the DPA addressed whether the company that created the platform and the shareholder company could be considered joint controllers. The DPA noted that joint controllership presupposes participation in the determination of the purposes and means of the data processing, which does not necessarily happen in situations of financial support for a project. Thus, the DPA stated that in this instance, the shareholder company was not to be considered a joint controller under Article 4(7) GDPR since there was no evidence that it contributed to determining the data processing for the platform, and the company that created the platform was to be considered the sole controller.

Secondly, the DPA addressed the controller's failure to comply with complainant n.1's right to erasure. The DPA stressed that pursuant to Article 12(3) GDPR, there is the obligation to inform the data subject of the measures taken following the deletion request, as soon as possible and, in any event, within one month of receipt of the request. Since, in the present instance, the controller did provide evidence of the data erasure and that it only failed to inform complainant n.1 of the erasure, the DPA concluded a breach of Article 12(3) GDPR.

Regarding the request for the NRN data, the DPA agreed with the controller that to access the information of the platform, there should be a strong identification system in place. Nonetheless, it stressed that such a system should not include the NRN. Moreover, the DPA stated that under Article 8 of the National Law organising the NRN (LRN), the NRN could be utilised only when granted by the Minister of the Interior to authorities, institutions, and persons explicitly referred to in Article 5(1) LRN, under which the controller did not fall in. Therefore, the controller breached Article 5(1)(a) GDPR and Article 6(1) GDPR, in conjunction with Article 8 LRN.

Lastly, in its ex officio capacity, the Belgian DPA then decided to assess the legal basis of the data processing of the non-registered health professionals carried out by the controller, which the controller claimed to be legitimate interest under Article 6(1)(f) GDPR. While the DPA acknowledged the controller's legitimate societal interest and economic interest, the DPA noted that non-registered health professionals could not reasonably expect their data to be used by the controller without their prior consent. Indeed, while the information on the platform was the same information as published on the non-registered health professionals' own website or that of their practice, to which they agreed, they could not have expected their data to be republished on a platform such as the one in question. Therefore, there had been a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR.

Taking into consideration the aforementioned breaches, the DPA reprimanded the controller and ordered the controller to bring its processing operations into compliance with the GDPR.

Comment

Comment by the original contributor: The Belgian DPA had recently issued a fine against a similar platform, following a complaint by health professionals that their data had been processed without their informed consent. In this case, the complain comes from patients who complained to have been misled into believing that they had to create an account and provide unnecessary sensitive personal data to make a booking with a health professional, only to realize that the health professional of their choice did not offer online booking on that platform. This shows that the publication of health professional data on platform without consent poses issues both to health professionals and to patients. It is time online booking platform comply with the GDPR and the decisions of the Belgian DPA.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/36



                                                                      Litigation Chamber

                                  Decision on merits 149/2023 of November 10, 2023






File numbers: DOS-2020-05649 and DOS-2021-05271


Subject: Complaints relating to the processing of personal data carried out by

an online medical and paramedical appointment booking platform

The Litigation Chamber of the Data Protection Authority, made up of Mr.

Hielke HIJMANS, president, and gentlemen DirkVanDerKelenet YvesPoullet, members, resuming

the case in this composition;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of natural persons with regard to the processing of personal data and
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the

data protection), hereinafter “GDPR”;


Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter

“LCA”);

Having regard to the Law of August 8, 1983 organizing a National Register of individuals (hereinafter

“LRN”);


Considering the internal regulations as approved by the House of Representatives on
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the files;



Has taken the following decision regarding:


Complainant No. 1: Mrs. X1, (DOS-2020-05649);



Complainant No. 2: Mr. X2, (DOS-2021-05271);


The defendants: The company Y1, represented by Maîtres Florence Garcet and Claire

                       Vandesande, lawyers, whose firm is established in 4000 Liège, rue des

                       Augustins, 32, hereinafter “the first defendant” (DOS-2020-05649 and
                       DOS-2021-05271);


                       Company Y2, hereinafter “the second defendant” (DOS-2020-05649); Decision on merits 149/2023 — 2/36


                    Hereinafter referred to together as “the Defendants”.



I. Facts and procedure


    I.1. As for the complaint of complainant no. 1 (DOS-2020-05649)


 1. On December 4, 2020, complainant no. 1 filed a complaint with the Authority of

       data protection (DPA) against the defendants.

 2. According to the terms of his complaint and the details provided in terms of conclusions and during

       the hearing (see below), complainant no. 1 reports the following facts.

 3. At the beginning of October 2020, wishing to make an appointment with his dentist without calling him by

       telephone, complainant no. 1 notes that the site […] (hereinafter “Z” or “the platform” or “the

       platform Z") allows you to make an appointment directly online with

       health professionals. The contact details of his dentist can be found on the
       platform, complainant no. 1 creates an account to be able to make an appointment with her.


 4. Complainant No. 1 reports that it was only after the creation of her account that she received

       the information that it was not possible for him to make an appointment with his
       dentist, only the contact details of the latter being referenced on the site without

       possibility of making an appointment with her via the platform itself.


 5. For the proper understanding of this decision, the Litigation Chamber specifies here
       from the outset that the “Z” platform aims to facilitate rapid contact between

       patients and healthcare professionals – including doctors but not

       only - in particular through online appointment booking. When a patient

       accesses the platform, two options are available to him:

       - Either only the contact details of the practitioner sought appear on the platform without

           possibility of making an appointment with him via this. We then talk about

           “non-registered practitioner/professional”. In this case, the patient can make an appointment

           with this practitioner via the contact channels specific to this one starting from the contact details

           referenced on the platform. No account is required for this.

       - Either it is possible to make an appointment directly via the platform with the

           practitioner sought. We then speak of “registered practitioner/professional” on the

           platform. To make such an appointment, the patient must create a patient account
           for which he is asked to provide the following personal data: his name,

           his first name, his email address, his telephone number and his Register Number

           National (NRN).

    6. On October 21, 2020, not having been able to make an appointment with his dentist (not registered) via

        the platform, complainant no. 1 requests the deletion of her account and data at Decision on the merits 149/2023 — 3/36


       personal character that she transmitted during the creation of it. In terms

       of the email sent for this purpose to the email address info@[…], complainant no. 1 also makes

       part of his question regarding the obligation to provide his NRN when creating his

       account.

7. Complainant No. 1 indicates that it has not received a response to this erasure request.


8. Via a company specializing in data protection, complainant no. 1 requests

      on October 22, 2020 what are the legal bases on which the different

      data processing carried out from the platform, the reasons for processing the NRN

      as well as the exact identity of the data controller. Complainant No. 1 reports that
      this request also remained unanswered.


9. According to the terms of his complaint submitted to the APD on December 4, 2020, i.e. 1 and a half months later

      sending the above-mentioned requests, complainant no. 1 denounces both the lack of action given to

      his request for erasure and his questions about the legal bases of the different
      data processing carried out by the platform, including its NRN.


10. On January 5, 2021, complaint no. 1 was declared admissible by the Front Line Service

      (SPL) of the APD on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the
                                                          er
      Litigation Chamber under article 62, § 1 of the LCA.

11. On February 2, 2021, in accordance with article 96, § 1 of LCA, the request of the Chamber

      Contentious to carry out an investigation is transmitted to the Inspection Service (SI).

12. On May 9, 2022 the IS investigation is closed, the report is attached to the file and it is

      transmitted by the SI to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA).


13. The content of the IS report can be summarized as follows:

      - The first defendant is the sole data controller within the meaning of article 4.7.

          of the GDPR to the exclusion of the second defendant. As part of his analysis,

          the Inspector General mentions a lack of clarity regarding the identification of the

          data controller in the platform’s Privacy Policy (article

          13.1.a) of the GDPR);

      - As preliminary observations, the IS notes on the one hand that the platform has been the subject

          of an evaluation in April 2020 by the General Secretariat. The SI notes that “some

          shortcomings identified by the General Secretariat do not appear to have been the subject of

          the recommended compliance” (page 10 of the investigation report). The SI points to this

          regard to gaps in information relating to the basis for the lawfulness of the processing (article
          13.1.c) of the GDPR) and the data retention period (13.2.a) of the GDPR). LeSIrelève

          on the other hand that according to him the platform processes a significant volume of health data

          within the meaning of Article 9 of the GDPR. Decision on merits 149/2023 — 4/36


       - Starting from the facts denounced in the complaint, the SI then declares to note, in the

           scope of this, a certain number of breaches of the GDPR:


               o a violation by the first respondent of Article 12 of the GDPR in that it

                   did not provide any information to complainant no. 1 following her request

                   erasure of October 21, 2020;

               o a violation by the first respondent of articles 7.3. in fine and 12.1. of

                   GDPR in that, in its capacity as data controller, it does not render the

                   deleting a “patient account” as simple as creating this account

                   and therefore does not facilitate the exercise of the rights of the persons concerned, in

                   the species, the complainant’s right to erasure;

               o a violation by the first defendant of articles 15.1 and 19 of the GDPR,

                   that in its capacity as data controller, it has not given confirmation to

                   complainant no. 1 that personal data concerning her were not

                   no longer processed nor did it notify complainant no. 1 of the deletion of her data;


               o a violation by the first respondent of articles 5.1 a), 5.2. and 6 of the GDPR
                   in that, in its capacity as data controller, the first defendant

                   cannot validly invoke its legitimate interest (article 6.1. f) of the GDPR) to

                   the referencing of “unregistered” health professionals on the platform;


               o a potential violation by the first respondent in its capacity as

                   data controller, of Article 32 of the GDPR in that the use by the

                   leading defender of systems such as Cloudflare, AmazonWeb Services
                   and Runcloud to manage its infrastructure does not constitute a measure

                   appropriate technique to guarantee a level of security adapted to the

                   risk presented by its activity.

                                                                                   er
 14. On June 15, 2022, the Litigation Chamber decides, under article 95, §1, 1° and article

       98 of the ACL, that the case can be processed on its merits.

 15. On this same date, the parties are informed by registered mail of the provisions such

       as set out in article 95, §2 as well as article 98 of the LCA. They are also informed,

       under section 99 of the LCA, deadlines for transmitting their conclusions. The date

       limit for receipt of submissions in response from defendants was set on August 10

       2022, that for the conclusions in reply of complainant no. 1 on September 1, 2022 and

       that for the defendants' reply conclusions as of September 23, 2022.





1The SI, however, qualifies this observation in the introduction to its report, indicating that it noted certain aspects without, however,
carry out a complete review of all aspects relating to the processing security obligation. Decision on merits 149/2023 — 5/36


                                                                                                        2
 16. The parties are invited to defend themselves with regard to the following findings and grievances retained

       by the Litigation Chamber:

       - The qualification of the first defendant as sole controller of the processing

           within the meaning of article 4.7 of the GDPR;


       - A breach of articles 13.1. a), 13.1 c) and 13.2 of the GDPR in respect of the first

           defendant in that the platform's Privacy Policy does not mention

           not adequately identify and contact details of the data controller (article

           13.1.a) of the GDPR), does not mention the legal basis of the data processing carried out

           – including data relating to health within the meaning of article 4.19 of the GDPR – (article

           13.1. c) of the GDPR) and does not mention the data retention periods

           personal data processed (article 13.2. a) of the GDPR more precisely);


       - A breach of Article 12 of the GDPR in that the first defendant did not provide

           no information to complainant no. 1 following her request to exercise the right to

           erasure;

       - A breach of articles 7.3 in fine and 12.1 of the GDPR, in that the first

           defendant did not make the deletion of a “patient account” as simple as

           creation of this account (it is therefore not as simple to withdraw consent as

           to give it) and therefore does not facilitate the exercise of the rights of the persons concerned;


       - A breach of articles 5.1.a), 5.2.and 6 of the GDPR in which the legitimate interest invoked

           by the first defendant the basic title of lawfulness of treatment of professionals

           referenced but “not registered” on the platform, is not validly invoked.


17 The Litigation Chamber also invites the parties to present their arguments

       in relation to the basis of lawfulness which underlies the processing by the first respondent of the

       NRN questioned by complainant no. 1 under the terms of her complaint. The Litigation Chamber

       also informs the parties that a complaint relating to this same question is





2
 As part of its own assessment, the Litigation Chamber is free to retain one or other findings of the inspection
to include them in the list of grievances on which it asks the parties to defend in the letter based on article 98
of the aforementioned LCA. No other conclusion can be drawn from the abandonment of one or other grievance other than the fact that the Chamber
Litigation does not consider it appropriate to bring the parties to a conclusion regarding them. It cannot be deduced from this that the Chamber
Litigation confirms compliance with the GDPR on these aspects. In view of this own assessment, the Chamber
Litigation specifies that the LCA does not require it to use the Inspection Service. In fact, the Litigation Chamber decides
sovereignly whether, following the filing of a complaint, an investigation is necessary or not (article 63, 2° of the LCA and art. 94, 1° of
the LCA). In this sense, article 94, 3° LCA explicitly provides that once seized, the Litigation Chamber can process the complaint
without having recourse to the Inspection Service. It thus has a power of appreciation of the complaint which is independent of the inspection
(Market Court (19th ch. A), December 7, 2022, 2022/AR/560 and 2022/AR/564; Market Court (19th ch. A), December 7
2022, 2022/AR/556). Decision on merits 149/2023 — 6/36


      also pending before the Litigation Chamber (DOS-2021-05271 – complaint no. 2 below)

      After).

18. On 2 August 2022, the first respondent agreed to receive all communications

      relating to the case electronically. By the same letter, she requests a copy of the

      file (art. 95, §2, 3° LCA), which is sent to him on August 4, 2022


19. On August 10, 2022, complainant no. 1 requested a copy of the file (art. 95, §2, 3° LCA),
      which is transmitted to him on August 11, 2022.


20. On August 10, 2022, the Litigation Chamber received the conclusions in response to the first

      defendant. The first respondent having filed submissions in reply and
      synthesis, its argument is summarized in point 22 below.


21. On September 1, 2022, the Litigation Chamber receives the conclusions in response to the

      complainant no. 1. In summary, she defends the following:

      - The first and second defendants are data controllers

               spouses (article 4.7. of the GDPR) taking into account a range of elements from which it

               results that the second defendant is not only an investor in the

               project of the first defendant;

      - Identification of the data controller under the terms of the Privacy Policy

               confidentiality of the platform is not sufficiently clear and does not meet the

               requirements of section 13.1. a) of the GDPR since the first defendant is not

               not mentioned as such. Only two natural persons,
               directors of the first defendant are indicated in the data

               of contact ;


      - Article 13.1.c) of the GDPR is not respected because the Confidentiality Policy

               of the platform does not mention the legal bases for each processing
               individualized, limited to mentioning article 6.1. of the GDPR in its entirety and

               making no reference to Article 9.2. a) of the GDPR for the different treatments

               health data operated via the platform;


      - The platform's Privacy Policy does not contain information on
               data retention periods (article 13.2. a) of the GDPR);


      - Not having been informed of the measures taken following his request

               erasure, there has been a breach of article 12.3. GDPR;

      - Articles 7.3.infine and 12.2. of the GDPR are violated when the deletion of a

               account turns out to be more complex than creating it. Furthermore, two

               separate procedures co-exist to exercise the right to erasure on the one hand and

               to exercise other rights on the other hand; Decision on merits 149/2023 — 7/36


      - Complainant no. 1 indicates that she fully agrees with the SI's reasoning regarding

               the invalidity of the legitimate interest (article 6.1.f) of the GDPR) for the processing of

               personal data of non-registered practitioners such as a dentist and share as soon as possible

               upon finding a violation of articles 5.1.a), 5.2. and 6 of the GDPR by the
               defendants;


      - Your complaint is admissible including with regard to the processing of your NRN from then on

               that the legal principle “ne bis in idem” invoked by the first defendant is

               inapplicable in this case.

      - As for the basis of lawfulness of the processing of the NRN, complainant no. 1 emphasizes that the

               processing of NRN is in principle prohibited except in the cases provided for by the Law of 8

               August 1983 organizing a National Register of Natural Persons (LRN – article

               5) and in principle subject to authorization from the Minister of the Interior (article 8.1.). There
               exemption from authorization provided for in article 8.3 of the LRN, the first of which is invoked

               defendant is not applicable since the introduction of the NRN on the

               platform does not allow the person to be identified or authenticated as required by

               said article 8.3.

22. On September 23, 2022, the Litigation Chamber receives the conclusions in reply and

      summary of the first defendant. In summary, she defends the following.


      - The mere fact of the second defendant acting as an investor/shareholder
               does not imply ipso facto that it is responsible for processing within the meaning of the article

               4.7 of the GDPR. In fact, the second respondent did not take any decision

               relating neither to the purposes nor to the means of processing personal data

               operated within the framework of the platform;

      - Emphasizing that the IS does not formally consider breaches of the articles

               13.1a), 13.1c) and 13.2. of the GDPR with regard to the Privacy Policy of the

               platform, the first defendant nonetheless exposes (without recognizing a

               any breach) that it intends to draft a new Policy of

               confidentiality which will clarify the elements of information concerned by the articles

               above;

      - She actually granted the request for erasure of complainant no. 1, alone

               the email confirming the deletion took place was not sent to this

               last ;

      - It is no less easy to delete an account than to create one, both

               procedures carried out, without being formally identical, in several stages

               and requiring active steps in both cases (article 7.3. in fine); Decision on merits 149/2023 — 8/36



       - The action of the APD with regard to the basis of lawfulness of data processing of

                non-registered professionals is inadmissible. The complaint of plaintiff no. 1 does not

                concerning according to the first defendant in no way this question, this one

                should have been the subject of a separate procedure. The first defendant considers

                not having to justify this in the context of this procedure and vis-

                towards complainant no. 1. Alternatively, she sets out the reasons why she

                believes it can rely on its legitimate interest within the meaning of article 6.1.f) of the GDPR

                to base these processing operations (see also point 88 below).


       - Concerning the question of the basis of lawfulness of the processing of the NRN, she is surprised

                that this question can be the subject of two separate procedures (both in the

                framework of complaint no. 1 and complaint no. 2 – see. infra and point 32), emphasizing
                                                                                                      3
                that it has already concluded on this issue in the context of complaint no. 2.

                Continuing a game for identical facts without having provided a solution

                definitive in the first dispute is, according to her, not compatible with the right to trial

                fair enshrined in Article 6 of the European Convention on Human Rights

                man (ECHR). Therefore, the first respondent judges the request of the

                complainant no. 1 (and the APD) inadmissible on this point. Alternatively, the first

                defend her submission to the conclusions she filed in the context of the complaint

                No. 2 on this aspect (point 46).

 23. On August 2, 2023, the Litigation Chamber notifies the parties that the hearing will take place on August 15

       September 2023.


 24. In this same letter, the parties are informed that on June 14, 2023, the Chamber

       Litigation adopted decision 75/2023. Taking into account this decision unknown to the 5

       parties at the time when they were invited to conclude, the Litigation Chamber gives the

       parties the possibility of concluding additionally on its position in this

       decision 75/2023, in particular on the aspects which would be relevant with regard to the

       complaint no. 1 until August 31, 2023.


 25. On 31 August 2023, in response to the opportunity given to it, the first respondent

       submits final conclusions.





3The Litigation Chamber explains in this regard that this decision addresses in chronological order of introduction of
each of the complaints, firstly the progress of the procedure relating to complaint no. 1 lodged in 2020 and then, the progress of the
procedure relating to complaint no. 2 filed in 2021. However, complaint no. 2 not having been sent to the inspection service
whose report was communicated to the Litigation Chamber on February 9, 2022, the parties to this second complaint were
invited to conclude before the parties to complaint no. 1 even though complaint no. 2 was therefore lodged after the

complaint #1.
4https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-75-2023.pdf
5
 It was also made clear to the parties that an action for annulment had been filed against this decision before the Courts
markets. See. also the mention made in the decision published when the appeal is filed:
https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr..75-2023.pdf Decision on the merits 149/2023 — 9/36


26. She specifies that these replace the motivation that she developed in her

     previous conclusions with regard to the invoked basis of lawfulness of legitimate interest

     (article 6.1.f) of the GDPR) for the processing of data from “non-

     registered”. The first defendant maintains that she was justified in relying on the article
     6.1. f) of the GDPR to process the data of unregistered healthcare professionals.


27. Nevertheless, the first defendant indicates that, following legal monitoring, it has

     scrupulous, taken into account since the summer of the decision 75/2023 of the Litigation Chamber

     and having made the decision to now rely on the consent of the said
     professionals and have initiated a process of obtaining their consent

     from the summer. The first defendant also produces the latest version of the Policy

     confidentiality of the platform put online in August 2023, which is now

     reference to the aforementioned request for consent from unregistered professionals.

28. On 15 September 2023, plaintiff no. 1 and the representatives of the first defendant

     are heard by the Litigation Chamber, the second defendant not appearing

     not. They each present the argument developed in terms of conclusions. At the invitation

     of the Litigation Chamber, the first defendant shows the methods of creation

     and account deletion when leaving the platform. She also presents the version

     test of the platform which will now work without requesting the NRN, the first
     defendant renouncing, in view of the two complaints in particular, to work with this

     identifier. She confirms what she had indicated in conclusion, namely the progressive collection of

     consent of non-registered health professionals and the abandonment of the basis of legality of

     legitimate interest.

29. On September 28, 2023, the minutes of the hearing are submitted to the parties present at

     this one. The second defendant receives a copy for information.


30. As of October 6, 2023, the Litigation Chamber does not receive from the first
     defendant and plaintiff no. 1 present at the hearing no remarks relating to the

     minutes.



   I.2. As for Complainant No. 2's Complaint (DOS-2021-05271)


31. On July 31, 2021, complainant no. 2 filed a complaint (hereinafter complaint no. 2) with

     the ODA against the first respondent.

32. Under the terms of the complaint, complainant no. 2 reports that he noticed that in order to be able to take

     an appointment on the “Z” platform, you need to create your account without

     which no appointment can be made - you must communicate your NRN and that

     this practice seems to him to be contrary to the law. Decision on merits 149/2023 — 10/36


 33. Complainant No. 2 produces the email he sent to the first respondent on July 17

       2021 in which he emphasizes that it is according to him (sic) “strictly prohibited by law, to a

       private company like yours, to request the National Number. You are asked to

       remove this mandatory field to make an appointment.


 34. The same day, the first respondent replied that (sic) “your national number is

       requested for security reasons and it is fully encrypted in our database

       therefore unusable by a third party. A national number is much more difficult to guess by

       anyone than an email address and therefore more secure. Especially in the context of a

       healthcare-related application.”


 35. As mentioned in point 32, complainant no. 2, dissatisfied with the response received,

       filed a complaint with the APD on July 31, 2021.

 36. On August 16, 2021, his complaint was declared admissible by the SPL of the APD on the basis of the articles

       58 and 60 of the LCA and transmitted to the Litigation Chamber under Article 62, § 1 of er

       the LCA.


 37. It does not appear from the complaint filed that complainant no. 2 communicated his NRN to

       the first defendant. On the contrary, it seems that complainant no. 2 has given up on creating a

       account on the grounds that his NRN was requested from him. In its conclusions (point 46 below), the

       first defendant indicates in this sense that it is not able to determine whether the

       Complainant No. 2 actually made an appointment via the platform. She adds that to all

       less, when a search is launched from its name in the database of the

       platform, it is noted that he does not have any account on it. In other words,

       it therefore appears that the first defendant did not process data of a personal nature

       personnel relating to complainant no. 2 (including his NRN). The latter is therefore not a person

       concerned within the meaning of articles 4.1. and 77 of the GDPR.


 38. This lack of standing does not, however, deprive complainant no. 2 of his right to file

       complaint to the DPA in support of article 77 of the GDPR supplemented by articles 58 et seq.

       LCA. In this regard, the Litigation Chamber recalls that in a judgment of October 7, 2021, 7

       the Court of Cassation thus stated:




6Article 56 of the LCA provides as follows: Any person may file a complaint or a written request, dated and signed

with the Data Protection Authority. It must be read in combination with the admissibility criteria of the complaint
detailed in Article 60 of the LCA which do not include the condition of being a data subject. There is no less
limits to the admissibility of a complaint linked to the complainant's interest in taking action as described by the Litigation Chamber in
terms of its Note relating to the position of the complainant in the procedure before the Litigation Chamber and in a certain
many of its decisions. See. for example: Decision on the merits 30/2020 of June 8, 2020 (points 4-7); Decision as to
fund 80/2020 of December 17, 2020 (points 44-52); Decision on the merits 63/2021 of June 1, 2021 (points 10-18); Decision
as to the merits 117/2021 of October 22, 2021 (points 29-35); Decision 49/2022 of April 5, 2022 (points 7-12); Decision as to
fund 106/2022 of June 27, 2022. https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-
complainant-in-the-procedure-within-the-litigation-chamber.pdf
7
 https://juportal.be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05K
LU7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IMcfUMAak0gqkkYGYtAFHdLHE
= Decision on merits 149/2023 — 11/36



                “3. It incontestably emerges from all the legal provisions

                mentioned above that a data subject has the right to lodge a complaint
                to the Data Protection Authority against a processing practice

                which she considers to be violating her rights under the GDPR (...). This is also the case

                when the personal data of the data subject themselves

                have not been processed but the latter has not obtained the advantage or

                service because, precisely because of the existence of the practice constituting

                allegedly a violation, she refused to consent to the treatment” 8


39. In this case, complainant no. 2 is effectively denouncing a practice since the NRN is

       requested for any account creation with the platform. This complaint no. 2 is by

       elsewhere the second that the APD receives on this subject, the first being that of complainant no. 1

       questioned above (DOS-2020-05649).

 40. On January 21, 2022, the first defendant and plaintiff No. 2 (i.e. the parties concerned

       by this complaint no. 2) are informed by registered mail of the provisions such as

       repeated in article 95, § 2 as well as article 98 of the LCA. They are also informed, in

       under article 99 of the LCA, deadlines for transmitting their conclusions. The deadline

       for the receipt of the submissions in response from the first respondent was set for 4

       March 2022, that for the conclusions in reply of complainant no. 2 as of March 28, 2022 and that

       for the first respondent's reply submissions as of April 19, 2022.

 41. In terms of this letter, the first respondent and complainant no. 2 are requested to make

       present their arguments with regard to the potential breaches of the GDPR revealed by the

       practice of processing NRN denounced, i.e. a potential breach of articles 5.1.a)

       (principle of lawfulness), 5.1.c) (data minimization), 5.1.e) (limited retention period),

       6.1. (lawfulness), 12 (transparency), 13 (obligation of information), 5.2. and 24

       (responsibility/accountability) and 32 (security obligation) of the GDPR as well as the

       corollary provisions of the LRN in particular its article 5 (processing authorization).


 42. On February 22, 2022, the first respondent requested a copy of the file (art. 95, §2, 3°

       LCA), which is sent to him on February 25, 2022.

 43. On this same date, the first respondent agreed to receive all the

       communications relating to the case by electronic means.









8
     See. in this regard, decision 126/2021 of the Litigation Chamber:
https://www.autoriteprotectiondonnees.be/publications/classement-sans-suite-n-126-C’estpdfla Chambre
Contentious which underlines. Decision on merits 149/2023 — 12/36


44. On March 3, 2022, the Litigation Chamber received the conclusions in response to the first

      defendant. The first respondent having filed submissions in reply and

      synthesis, the summary of its argument is set out in point 46 below.

45. On April 13, 2022, the first respondent announced her request to be heard, and this

      in accordance with section 98 of the LCA.


46. On April 15, 2022, the Litigation Chamber receives the conclusions in reply and summary
      of the first defendant. In summary, she defends the following:


      - The processing of the NRN is based on the free consent of the person concerned

          (article 5.1. a) and 6 of the GDPR): the patient is in fact free to create an account or not. He
          can also benefit from the platform’s information service and contact the

          healthcare professional of their choice via their own communication channels

          on the basis of the contact information thus made available to him;


      - When a search is launched from the name of complainant no. 2 in the database
          data from the platform, it is noted that he does not have any account on it


      - The choice to use the NRN is motivated by the absolute necessity of identifying the patient

          certain and unique way. There is therefore no infringement of the principle of minimization (article

          5.1. c) of the GDPR) with regard to the processing of this NRN;

      - The data is only kept for the time necessary for identification and

          the patient's authentication and deleted as soon as the latter unsubscribes from the

          platform (article 5.1.e) of the GDPR);

      - Regarding transparency and information obligations, a specific tab is

          dedicated to information regarding the processing of the NRN on the platform (FAQ –

          confidentiality). The reasons why this NRN is requested are described there;

      - By opting for the processing of the NRN for identification and authentication purposes

          sole of the person concerned, the first respondent correctly put in place

          implements article 32 of the GDPR, taking into account the risks linked to the nature of the data

          processed. All processed data (including the NRN) is included in a database

          encrypted and protected data (article 32 of the GDPR);

      - It results from the measures put in place (information and security in particular)

          that the first defendant has respected the obligations incumbent upon it in execution

          of articles 5.2. and 24 of the GDPR;

      - Concerning respect for the NRN, the first defendant only treats the NRN for purposes

          identification and authentication of the platform user. She is therefore

          exempt from prior authorization from the Minister of the Interior in application of article

          8.3. of the NRL. The first respondent adds that she does not in any way consult the Decision on the merits 149/2023 — 13/36



           National Register of Natural Persons and the data contained therein (pages 15

           of its conclusions – last paragraph) and that it is therefore not subject to the article

           5 of the LRN.

47. On 2 August 2023, the first respondent and complainant no. 2 were informed that

       the hearing will take place on September 15, 2023. It should be noted that in response to the invitation to

       the hearing, complainant no. 2 – who did not conclude – indicates that he had no other intention in

       filing a complaint than reporting a potential breach of the DPA. As far as

       necessary, the Litigation Chamber specifies that this assertion in no way calls into question

       the admissibility of his complaint (paragraphs 36-39) and should also not be interpreted as

       removal of it. Even assuming that it was conceived as a crime by complainant no. 2,

       the Litigation Chamber remains free to continue examining the complaint notwithstanding a

       such withdrawal as soon as it considers the breach reported sufficiently serious or

       revealing the existence of a practice likely to undermine the principles

       fundamentals of the protection of personal data as is the case in

       the species.

 48. On September 15, 2023, the first respondent was heard by the Chamber

       Contentious. Complainant No. 2 does not appear.


 49. On September 28, 2023, the minutes of the hearing are communicated to the first

       defendant. Complainant No. 2 receives a copy for information.


 50. As of October 6, 2023, the Litigation Chamber does not receive from the first

       defendant no remarks relating to the minutes.



    I.3. As for the joining of complaints no. 1 and no. 2


 51. By this decision, the Litigation Chamber decides to join complaints no. 1 and no. 2

       that it considers linked by such a close relationship that there is an interest in taking a single decision
       with regard to them in order to guarantee the consistency of its decisions. Both complaints, if they are

       certainly introduced by distinct complainants (no. 1 and no. 2), nonetheless aim at the same

       platform and also denounce a common grievance linked to the treatment of the NRN as it was

       mentioned in points 9 (complaint no. 1) and 32 (complaint no. 2) above. In other words,

       the objective of consistency pursued by the Litigation Chamber in the treatment of

       complaints submitted to it opposes their separate examination.






9 See. the Disclosure Policy of the Litigation Chamber

https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
contentieuse.pdf Decision on the merits 149/2023 — 14/36


II. Motivation



    II.1. As for the qualification of the second defendant (DOS-2020-05649)


        II.1.1. The point of view of the SI and the parties


 52. As mentioned in point 1, complainant no. 1 lodges her complaint both against the first
       and the second defendants whom it describes as joint data controllers in the

       meaning of article 4.7. of the GDPR.


 53. Complainant No. 1 is in fact of the opinion that a body of serious and consistent evidence supports

       in favor of this thesis: (1) in 2018, the second defendant - whose creation and management

       of internet sites is part of the fields of activity - massively invested in the project
       creation of the platform from both a financial and operational point of view, (2) “the platform

       Z” identified himself at the time of the facts reported in his Privacy Policy as

       being the co-ownership of the first and second defendants, dedicating to the latter

       a page on its site in its capacity as a sole investor and thus offering it a real

       showcase, (3)the two companies are closely linked, two entities of the second defendant

       being directors of the first defendant.

 54. As reported above, the IS retains the status of data controller

       solely on the part of the first defendant (paragraph 13). The first defendant

       shares this analysis and qualifies as the sole “data controller” with regard to the

       data processing carried out by the platform (point 22).



        II.1.2. The appreciation of the Litigation Chamber


 55. The Litigation Chamber is not bound by the quality recognized by the first

       defendant, nor by that which the SI would attribute to it. She must appreciate the reality of this
       qualification and if necessary to reject it if it should result from its analysis that it does not

       can be retained.


 56. The Litigation Chamber recalls that a data controller is defined as “the

       natural or legal person or any other entity which alone or jointly with

       others, determines the purposes and means of processing personal data
       personal” (article 4.7 of the GDPR). This is an autonomous concept, specific to the regulations

       in terms of data protection, the assessment of which must be based on the criteria

       that it sets out: the determination of the purposes of the data processing concerned as well as

       that of the means thereof.





10See. in this sense Brussels (Cour des Marchés), June 8, 2022, 2022/AR/42, p. 6. Decision on the merits 149/2023 — 15/36


 57. The Litigation Chamber also recalls that the essential criterion for there to be –

       as plaintiff #1 pleads – joint responsibility for treatment is participation

       joint action of two or more entities in determining the purposes and means of a

       treatment. More precisely, joint participation must encompass, on the one hand, the

       determination of the ends and on the other, the determination of the means. A contribution

       joint to this determination implies that more than one entity exercises influence

       decisive on the question of knowing if, for what purpose and how the processing takes place. In
       In practice, joint participation can take the form of a joint decision taken

       by two or more entities or result from convergent decisions adopted by them at

       subject of the purposes and essential means of processing.


 58. In this case, the Litigation Chamber notes that the elements provided by complainant no. 1

       certainly show, as the SI underlines and as the first does not dispute
       defendant, that the second defendant invested in the project to create the

       platform by the first defendant (then a young start-up). The quality of responsibility

       spouse presupposes, however, as has just been recalled, participation in the

       determination of the purposes and means of processing. The mere fact of supporting

       financially a project does not necessarily mean that there is determination of these

       purposes and means through common or convergent decisions of the defendants

       on data processing. When, in its Guidelines relating to the concepts

       controller and processor, the EDPS emphasizes that all types of

       partnership, cooperation or collaboration do not imply that the entities are
       joint controllers of the processing, it presupposes that these entities each play a role

       with regard to data processing; role which, depending on the case, will carry the qualification of

       joint data controller or not. In this case, the Litigation Chamber considers

       that there is no element which even attests to any role of the second

       defendant with regard to the data processing as such. The participation of

       the second defendant is financial and neither the documents produced by plaintiff no. 1 nor the

       findings of the SI only allow the Litigation Chamber to conclude that the second

       defendant actually participated in determining the purpose and means
       data processing carried out by the platform.


 59. In conclusion of the above, the Litigation Chamber concludes that the second

       The defendant is not a data controller (spouse) within the meaning of Article 4.7. of

       GDPR with regard to the platform's data processing.

 60. The Litigation Chamber notes that during the proceedings, the first respondent

       clarified the identification and contact details of the data controller (article 13.1. a) of the

       GDPR) in its Privacy Policy by now providing a clause which does not


1https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_fr.pdf Decision on the merits 149/2023 — 16/36


      no longer mentions the names of the natural persons who were its directors at

      the time. It also removed the mention “co-owners of the platform” from the

      of these. This information is foreign to the qualification of roles in terms of protection

      data does not necessarily have its place in a confidentiality policy and
      risk at the very least creating confusion.



   II.2. As for the breach of article 12.3 of the GDPR by the first defendant: the absence
        information relating to the follow-up of the request to exercise the right to erasure of the

        complainant no. 1 (DOS-2020-05649)


       II.2.1. The point of view of the SI and the parties

61. As explained in points 7, 9 and 21 above, complainant no. 1 denounces the absence

      response from the first defendant to its request to delete the patient account

      that she had created and all the personal data concerning her that she had

      communicated on the occasion of its creation.

62. According to its investigation report (point 13), the SI indicates that it became aware

      a screenshot which would attest that complainant no. 1 is no longer listed in the database

      data of the first defendant. The SI is no less relevant than the first

      defendant recognizes – as the latter writes in its conclusions (point 22) – not

      not having confirmed to complainant no. 1 that her personal data had actually been

      been erased.


       II.2.2. The appreciation of the Litigation Chamber


63. It is therefore not disputed that the first respondent refrained from providing the

      complainant no. 1 information on the measures taken following her request

      erasure as soon as possible and in any event within a period of one month from

      from receipt, on October 21, 2020, of its request as required by article 12.3.
      of the GDPR.


64. The Litigation Chamber insists in this regard on the fact that following up on the exercise of the right

      to the erasure of the data subject not only carries the obligation to erase the

      data concerning them when the conditions for this erasure are met (article 17.1 b)
      of the GDPR in this case – withdrawal of consent) but also that of informing the

      data subject on the measures taken following the erasure request, within the

      as soon as possible and in any event within one month from receipt of

      the request (article 12.3. of the GDPR).

65. In support of the above, the Litigation Chamber concludes that there has been a breach of article

      12.3. of the GDPR in the case of the first defendant. Decision on merits 149/2023 — 17/36



 66. The Litigation Chamber notes that the request for erasure of complainant no. 1 is

       following the fact that she could not have noticed that the dentist she was seeking to

       contact was not registered on the platform until after having created his account (in

       October 2020). In this regard, complainant no. 1, on January 9, 2021, informed the APD that following

       of a change on the site, a pop-up now warns the patient that the practitioner is not

       not registered on the platform. Received the complaint on February 2, 2021, the IS indicates that it has not been

       able to observe the situation to which complainant number 1 describes having been confronted.

       The first defendant, for her part, defends that this pop-up has always existed.

 67. The Litigation Chamber is not in a position to note a possible breach of the

       GDPR which would arise from the situation described by complainant no. 1. She doesn't insist

       less, without this constituting any corrective measure or sanction in the sense

       of article 100 of the LCA, that it must be perfectly clear to the patient that the creation of a

       account is only required if he can contact a practitioner via the platform

       written on it. Thus, the information according to which a practitioner is or is not registered (and therefore

       information whether or not it is possible to make an appointment with the latter via the platform) must

       be accessible before any account is created. Failing this, the respect owed by the first

       defendant to its obligation of transparency and its duty of loyalty could be

       questioned (articles 12.1 and 5.1. a) of the GDPR). The Litigation Chamber notes in this regard

       that the first defendant specified that in addition to the pop-up in place, it is, following a

       modification made during the procedure, now explicitly provided for in its

       Privacy policy that it is not necessary to create an account to view the

       contact data of healthcare professionals, whether registered or non-registered.


 68. Concerning more generally the erasure policy and retention periods

       data, the Litigation Chamber recalls that data protection authorities
                                                                    er
       are of the opinion that both the elements of information provided for in §1 of articles 13 and 14 of the GDPR

       that those provided for in §2 of these same articles must be communicated to the person
                   13
       concerned. Thus, the data retention periods provided for in article 13.2. a)and14.2. has)

       of the GDPR must always be brought to the attention of the persons concerned. There

       Litigation Chamber notes in this regard that the first respondent has modified its policy

       of confidentiality during the procedure and that this now provides for deadlines for

       conservation according to treatment categories.





12See. in this regard point 10 of the EDPS Guidelines on transparency (Article 29 Group, WP 260 taken from
account by the EDPS during its inaugural session on 25 May 2018: https://edpb.europa.eu/our-work-tools/our-
documents/article-29-working-party-guidelines-transparency-under-regulation_en) which emphasizes that: “an essential aspect
of the principle of transparency highlighted in these provisions is that the data subject should be able to
determine in advance what the scope and consequences of the processing encompass so as not to be caught off guard at a
later stage as to how his personal data was used.

13 See. the EDPS Guidelines on transparency (https://edpb.europa.eu/our-work-tools/our-
documents/article-29-working-party-guidelines-transparency-under-regulation_en) already cited (point 23). Decision on merits 149/2023 — 18/36


   II.3. As for the breach of article 7.3. in fine of the GDPR and in article 12.1. of the GDPR by
        first respondent (DOS-2020-05649): withdrawal of consent and

        facilitation of the exercise of rights


       II.3.1. The point of view of the SI and the parties

a) As for the withdrawal of consent (article 7.3. in fine)


69. According to its investigation report (point 13), the SI concluded that there was a violation by the first

      defendant, of articles 7.3 in fine of the GDPR in that the first defendant does not

      would not make deleting a “patient account” as simple as creating that account.

70. The IS details in this regard that the creation of an account simply requires entry of

      personal data on the platform and securing the account via the receipt of a

      SMS. Conversely, the deletion of an account cannot be done directly on the site and

      requires sending an email to the address suppression@[…] or contacting the
      first defendant from the platform via the chatbot. This difference

      constitutes according to the SI a violation of article 7.3. of the GDPR under which it must be

      “as easy to withdraw as to give consent”.

71. Complainant no. 1 agrees with the analysis of the SI (point 21).


72. In her conclusions, the first defendant states that at the time of the events, the patient

      who chose to create an account was invited to provide identification data

      already cited (point 5). The patient then received an SMS with a code that he had to enter on
      the platform in order to confirm the creation of your account. Concretely, the patient had to

      click on a first link, which took him to a second, to a third and finally to

      a 4th (4-step procedure). Once clicked on the last “Registration” link, the candidate

      When creating an account, you were asked to provide the above-mentioned data. What followed was a double

      verification by entering the SMS code received.

73. As for the deletion of the account, the first respondent explains that the withdrawal of its

      consent by the patient required at the time of the facts that the latter send an e-mail to

      the address dedicated to this purpose deletion@[…] mentioned in the FAQ “How to delete

      my data ? The patient had to click on 4 links (4-step procedure), the last one

      Link to the deletion email.” He could also use the chatbot.

b) Regarding the facilitation of the exercise of rights

74. The SI further considers that it follows from its finding regarding the withdrawal of consent (point

      13), that the first defendant does not facilitate the exercise of the right to erasure provided for in

      Article 17 of the GDPR, including that of complainant no. 1 (pages 18 and 19 of the IS report). SO

      that the IS introduces its reasoning starting from article 12.2 of the GDPR (page 17 of the report

      investigation), he concludes that there has been a violation of this obligation by erroneously referring to Decision on the merits 149/2023 — 19/36


       Litigation Chamber in article 12.1 of the GDPR and not in article 12.2. GDPR which establishes

       this obligation.


 75. Complainant No. 1 adds that the fact that the first respondent provides two addresses

       of contact, a general one for the exercise of info@[…] rights and a specific one for the exercise of
       right of erasure deletion@[…] has also not facilitated the exercise of his right to

       erasure. She points out that in addition, the Confidentiality Policy of the first

       defendant does not correctly reflect these procedures.


 76. Concluding with regard to article 12.1 of the GDPR as raised by the SI, the first

       defendant explains that clear information is given as to the terms of withdrawal
       of consent.



        II.3.2. The appreciation of the Litigation Chamber


 a) As for the withdrawal of consent (article 7.3. in fine)


 77. The Litigation Chamber recalls that article 7.3 in fine of the GDPR provides that the
       controller must ensure that it is also simple for the person concerned

       to withdraw than to give consent, and that this can be done at any time.


 78. As stated by the European Data Protection Committee (EDPS) in its Guidelines
                                                        14
       guidelines 05/2020 devoted to consent, the GDPR gives an important place

       upon withdrawal of consent.

 79. The EDPS nevertheless emphasizes that the GDPR does not specify that the person

       concerned must always be able to withdraw their consent by means of the same

       action (point 113). However, the EDPS is of the opinion that “when consent is obtained

       electronically only by clicking, tapping or swiping, the

       data subjects must, in practice, be able to withdraw this consent by the same

       bias. When consent is obtained through a specific user interface
       to the service (for example through a website, an application, an account with

       identifier, the interface of an IoT device or by email), it is obvious that a

       data subject must be able to withdraw consent through the same interface

       electronic, since changing interface for the sole purpose of withdrawing consent

       would require unnecessary effort” (point 114).

 80. Finally, the EDPS adds that “the GDPR considers the existence of easy withdrawal as a

       necessary aspect for valid consent. If the right of withdrawal does not meet the

       GDPR requirements, the data controller’s consent mechanism is not

       GDPR compliant. As mentioned in section 3.1 on the condition of consent


14European Data Protection Board (EDPS), Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_fr.pdf Decision on merits 149/2023 — 20/36


     informed, the data controller must inform the data subject of the right of withdrawal

     of consent before giving consent, in accordance with Article 7,

     paragraph 3 of the GDPR. As part of the obligation of transparency, the person responsible for

     processing must also inform the data subjects of how they can
     exercise their rights” (point 116).


81. It does not appear to the Litigation Chamber that the procedure to follow for the deletion

     of their account and the erasure of their data by a patient is less easy than the steps

     to follow to register on the platform. As explained above by the first
     defendant (paragraphs 72-73), in each case, several steps are necessary. If the

     creation of the account can be done from the platform, it is not done “in a simple

     clic” or in a few clicks on it but also requires the receipt of a code by

     SMS to reintroduce afterwards. Sending an e-mail from the platform as well as

     the possible use of the chatbot to request the deletion of said account are, according to

     the Litigation Chamber, do not constitute a less easy procedure in that these
     procedures can also be done from the site and also require several

     steps. As recalled above (point 79), the procedures by which consent

     is given and withdrawn must not be strictly identical. Upon examination of each of them,

     the Litigation Chamber is not of the opinion that the procedure for deleting the account is

     characterized by a greater degree of difficulty than that of creating the account. There

     Litigation Chamber concludes that the first defendant did not surrender
     guilty of a breach of article 7.3 in fine of the GDPR.


82. Without this element entering into the foregoing conclusion, the Chamber

     Litigation notes that the first defendant has, during the proceedings, either after

     the facts denounced, added a button on which you just have to click to request the
     account deletion and clarified the procedure for requesting account deletion in

     its Privacy Policy.


b) As for the facilitation of the exercise of rights (article 12.2. of the GDPR)

83. As for article 12.2. of the GDPR (see the remark in point 74 above), the Chamber

     Contentious simply points out the following without this constituting a

     any corrective measure and/or sanction within the meaning of article 100 of the LCA.

84. The establishment of internal and standardized procedures dedicated to the exercise of rights

     of data subjects in terms of data protection is essential and

     nature to contribute to the effective application of these rights. It certainly facilitates their

     exercise as required by Article 12.2. of the GDPR. However, when in the context

     of such a procedure a contact address dedicated to the exercise of these rights exists, it does not
     the persons concerned may be accused of using another communication channel

     to address their requests. No harmful consequences for the person Decision on merits 149/2023 — 21/36



       concerned cannot be derived from the fact – even in the event that it is correctly

       been informed – that she would not have used the appropriate form or would have contacted the
       data controller by another means, via an incorrect e-mail address for example. 15

       In this case, the first respondent noted in this regard that complainant no. 1 had

       send your deletion request to the general address of the platform and not to the address

       dedicated to the exercise of the right to erasure but that this had no impact on the

       processing of his deletion request, his data having been erased. Bedroom

       Litigation notes that, barring exceptions, this is indeed the attitude that is expected

       data controllers.



    II.4. As for the breach of articles 5.1. a), 5.2. and 6 of the GDPR by first
         defendant: the basis of the lawfulness of the processing of health professionals’ data

         non-registered (DOS-2020-05649)


        II.4.1. The point of view of the SI and the parties


 85. According to its investigation report, the SI concludes that the first respondent cannot

       rely on article 6.1.f) of the GDPR as the basis of lawfulness for data processing

       data from non-registered health professionals, particularly because they are not satisfied

       to the weighting test (see below) in that “the publication of the contact data of these

       doctors on the Internet (whether through an official service such as the Banque Carrefour des

       Companies or no) does not allow them to reasonably expect that this data
       be processed and in this case reproduced without their consent, on the website of a

       private company offering IT solutions to doctors in return for

       different subscription rates (…) (page 26 of the report).”


 86. Complainant No. 1 declares for her part that she fully agrees with the analysis of the IS.


 87. As for the first defendant, she mainly argues that this complaint should have been

       the subject of a separate procedure since it does not emerge from the complaint filed by the
       complainant no. 1. It is therefore inadmissible in his eyes.


 88. In the alternative, the first defendant pleads (1) that she pursues a legitimate interest (which

       consists of making it easier for patients to maintain contact with

       health professionals of their choice), (2) that the data it processes relating to

       non-registered health professionals are necessary for the realization of the interest it




15See. the EDPS Guidelines on transparency (WP 260 of the Article 29 Group taken up by
EDPB during its inaugural session on May 25, 2018): https://edpb.europa.eu/our-work-tools/our-documents/article-29-
working-party-guidelines-transparency-under-regulation_en and those relating to the right of access (Guidelines 01/2022)
https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf
16
  See the EDPS Guidelines 01/2022 on the right of access: https://edpb.europa.eu/system/files/2023-
04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf (points 53 et seq.). Decision on merits 149/2023 — 22/36


      continues (i.e. the provision of contact details for information and possible

      making contact) and (3) that the weighing exercise it carried out allows it to conclude

      that it can rely on this legitimate interest. The first defendant indicates that she thus

      taking into account the public and professional nature of the data (taken from the Bank
      Carrefour des Entreprises (BCE) and Google), the absence of obvious harm to life

      deprived of the practitioners concerned or any other of their fundamental rights, the absence

      of harm in their physical, economic or social situation (on the contrary, a benefit in

      term of visibility would be provided to them), their reasonable expectations and the existence of a

      right of opposition in their head. The result of this weighting authorized him to conclude

      that it satisfied the 3 tests of purpose (1), necessity (2) and weighting (3) required
      by article 6.1.f) of the GDPR. The first defendant therefore defends that she could found

      the processing of data of non-registered health professionals on this basis

      lawfulness.



       II.4.2. The appreciation of the Litigation Chamber


89. With the SI, the Litigation Chamber is of the opinion that the question of the basis of legality of the
      processing of data of non-registered practitioners must, in this case, be considered

      as part of the scope of complaint no. 1 since (1) this question is

      raised – admittedly in general terms – by complainant no. 1 in her complaint, (2) that

      the latter, even before filing it, questioned the first defendant on this

      subject without receiving a response and (3) that the request for erasure of complainant no. 1 is

      following the fact that the dentist with whom she was seeking to make an appointment
      was precisely an unregistered health professional and that due to this absence

      registration, complainant no. 1 was unable to make the planned appointment. Bedroom

      Litigation recalls that in any event, once seized, the IS can in the exercise of its

      own competence, broaden the scope of its investigations.

90. As for the merits, the Litigation Chamber recalls that in order to be able to rely on the basis of

      legality of “legitimate interest” in application of article 6.1.f) of the GDPR, the person responsible for the

      treatment, i.e. the first respondent in this case, must demonstrate that a) the interest it

      continues via the data processing concerned can be recognized as legitimate (the "test

      purpose"); b) that the processing envisaged is necessary to achieve this interest (the "test

      of necessity") and that c) the weighting of this interest in relation to the interests, freedoms and
      fundamental rights of the persons concerned weigh in their favor or in favor of the third party (the

      "weighting test").


91. The Litigation Chamber will verify whether in this case, these 3 tests are satisfied with regard to

      concerns the processing in dispute, i.e. the provision on the data platform
      personal data of non-registered health professionals in the sense already specified, i.e. Decision on the merits 149/2023 — 23/36


      health professionals whose first and last names were included by the first defendant,

      specialty, address and professional telephone number on the platform without possibility

      to make an appointment with them via this one.


As for the purpose test (a): is there a question of a legitimate interest?

92. The Litigation Chamber recalls that in order to be qualified as “legitimate”, the interest

      sued by the data controller (or the third party but this is not the case

      of species) must be lawful under the law, determined in a sufficiently clear manner and

      precise, to be real and present (born and actual) and not fictitious or hypothetical.


93. By making the contact details of doctors available to users of the platform

      and other health professionals even if their agenda is not linked to the platform, the

      first defendant pursues the objective of enabling patients to find and

      easily contact a healthcare professional by sharing data
      necessary for possible contact with the latter (see also below). This

      Therefore, the Litigation Chamber is of the opinion that the first defendant contributes to the right

      of each patient to access health care as well as their right to consult the practitioner

      (registered) of his choice as guaranteed by article 6 of the Law of August 22, 2002 relating to

      patient rights. The data processing carried out by the first defendant

      are thus part of the pursuit of a legitimate societal interest to which is coupled a

      economic interest specific to the first defendant, also legitimate, based on the

      freedom of enterprise, in particular enshrined in article 16 of the Charter of Rights

      fundamentals of the Union.

94. In support of the above, the Litigation Chamber is of the opinion that the interest pursued by

      the first defendant is legitimate. Therefore, the “finality test” of

      Article 6.1.f) of the GDPR.


As for the necessity test (b): is the treatment necessary?

95. Regarding the test of necessity, the Litigation Chamber recalls that the Court of Justice

      of the European Union (CJEU) ruled among others in the “TK” judgment on this

      condition of necessity of treatment, insisting on the strict interpretation of this condition

      17which is also not specific to article 6.1. f) of the GDPR but common to all







17"As regards the second condition laid down in Article 7(f) of Directive 95/46, relating to the necessity of the appeal

to the processing of personal data for the realization of the legitimate interest pursued, the Court recalled that
derogations and restrictions from the principle of protection of personal data must take place within

the limits of what is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C‑‑13/16, EU:C:2017:336, paragraph 30 and case law
cited). Decision on merits 149/2023 — 24/36


      bases of legality listed in article 6.1 of the GDPR with the exception of the consent provided for in article

      6.1. has).


96. The CJEU also observes that the condition relating to the necessity of the processing must

      be examined in conjunction with the so-called “data minimization” principle enshrined

      in Article 6(1)(c) of Directive 95/46, according to which the data to be

      personal character must be "adequate, relevant and not excessive with regard to the

      purposes for which they are collected and for which they are processed

      later”.

97. The CJEU also clarified that while there are realistic and less intrusive alternatives to

      treatment carried out, this treatment is not “necessary”. In other words, the person responsible

      treatment must ensure that there is no less intrusive means of achieving its

      objective than to implement the treatment envisaged (for example a device treating

      no personal data, or different treatment more protective of the right to privacy

      and the protection of the personal data of the data subject).

98. This case law formulated in relation to Articles 7 and 6 of Directive 95/46/EC remains

      relevant to this day. Article 6.1 of the GDPR in fact repeats the terms of article 7 of the

      directive 95/46/EC - the legitimate interest of the data controller being retained (article 7

      f) and article 6.1. f), certainly in slightly different terms. Article 5.1. c) of the relative GDPR

      to the principle of minimization reinforces the terms of article 6.1.c) of the directive

      95/46/EC to which the CJEU also refers. As the first defendant points out,

      the “video surveillance” context of the TK judgment is certainly distinct from that in which the

      disputed treatment is relevant to this case. However, this does not justify that the principles

      stated by the CJEU with regard to the conditions of legitimate interest as the basis of lawfulness

      are excluded. These requirements are expressed in general terms applicable to all

      mixed contexts.

99. In this case, the Litigation Chamber is of the opinion that the processing of data

      personal data of non-registered doctors is necessary for the realization of the pursued interest

      by the first defendant through its platform and consisting of linking

      (future) patients and healthcare professionals. As for the data processed, the Chamber

      Contentieuse considers that the principle of minimization is respected: it is in fact a matter of



18This condition requires the referring court to verify that the legitimate interest in the processing of the data pursued

by the video surveillance at issue in the main proceedings, which consists, in substance, of ensuring the security of goods and

persons and to prevent the occurrence of offenses, cannot reasonably be achieved as effectively by
other means less detrimental to the freedoms and fundamental rights of the persons concerned, in particular

the rights to respect for private life and the protection of personal data guaranteed by Articles 7 and 8
of the Charter." It is the Litigation Chamber which underlines. Decision on the merits 149/2023 — 25/36


      provide platform users (patients) with limited and necessary information

      relating to the identity of the practitioner, his specialty (is it appropriate to make an appointment

      or not with him? ), to its geographical proximity or at least its location via its

      address (is it appropriate to contact him rather than someone else?) as well as his number
      professional telephone (to allow appointments to be made if necessary via the

      platform but also live via this number).


As for the weighting test (c):

100. The Litigation Chamber recalls that in addition to the two conditions mentioned above, article 6.1. f) of

      GDPR can only be mobilized if the interests or fundamental freedoms and rights of the

      person concerned does not prevail over the interest pursued by speaking to the person responsible for processing

      or the third party. In other words, the data controller must carry out an implementation

      balance, a weighting between the rights and interests involved, and verify within this framework that
      the interests (commercial, security of goods, fight against fraud, etc.) that it pursues

      do not create an imbalance to the detriment of the rights and interests of people whose

      data is processed. If the interests and rights of the latter prevail, article 6.1. f) of

      GDPR cannot be used.

101. Concretely, the data controller must first identify the consequences

      any impact its treatment can have on the people concerned: on their lives

      private but also, more broadly, on all the rights and interests covered by the

      Protection of personal data. This involves evaluating the degree of intrusion of the

      treatment considered in the individual sphere, measuring its impact on private life
      people (processing of sensitive data, processing relating to people

      vulnerable, profiling, etc.) and on their other fundamental rights (freedom of expression,

      freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of

      treatment of their situation (monitoring or surveillance of their activities or movements,

      exclusion of access to services, etc.). These impacts must be measured in order to

      determine, on a case-by-case basis, the extent of the intrusion caused by the treatment into the lives of the

      people. The principle of data minimization will also be taken into account.

102. The data controller must then take into account, in the weighting between its

      legitimate interest and the rights and interests of the data subjects, “expectations

      reasonable” of the latter. This consideration is essential when it comes to
      treatments which can be implemented without the prior consent of the

      persons: in the absence of a positive and explicit act on their part, legitimate interest requires

      not to surprise people in the implementation methods as well as in the

      consequences of the treatment.

103. In this case, the Litigation Chamber finds that the data processed are indeed

      publicly accessible and professional data. This nature of the data Decision on the merits 149/2023 — 26/36


      processed is a factor that can contribute to tipping the scales in favor of the person responsible

      processing on the condition that the data subjects can reasonably

      expect the use of their data for the purpose pursued by the said data controller

      processing without their prior consent.

104. The Litigation Chamber is of the opinion that in this case, the disputed treatment is not part

      reasonable expectations of the non-registered healthcare professionals concerned. THE

      contact details of the latter are published on their own website or on that of their

      office, or even that of a hospital in which they provide services. They have
      a direct link with this practice or hospital. The Litigation Chamber starts from the idea that they

      have indicated their agreement for these publications which are part of relationships

      professional relationships that they have established themselves. However, they cannot

      reasonably expect that their data will be republished on a platform

      such as that of the first defendant which beyond the “directory” function that it

      offers for these non-registered health professionals, more generally pursues a
      commercial interest by offering different priced services including that of making appointments

      you directly via the platform and electronic diary management. That the first

      defendant could have thought that increased visibility of health professionals could

      being beneficial can certainly be conceived. However, the Litigation Chamber concludes that in

      the case, the fact that the processing cannot be considered as falling within the

      reasonable expectations of these practitioners is decisive and tips the balance in favor
      rights and freedoms of the latter. Therefore, the “weighting test” is not satisfied.


Conclusion

105. At the end of the above analysis, the Litigation Chamber concludes that there was a violation of

      Article 5.1. a) (lawfulness requirement) and Article 6.1. of the GDPR by the first

      defendant in that it could not validly rely on the basis of lawfulness of

      Article 6.1.f) of the GDPR to legitimize the processing of healthcare professionals’ data

      not registered on its platform and therefore did not have a valid legal basis for founding

      said treatments.


   II.5. As for the processing of the National Register Number (DOS-2020-05649 and DOS-2021-
        05271)


       II.5.1. The parties' point of view


106. Both complainant No. 1 and complainant No. 2 denounce the terms of their respective complaints

      the processing of the NRN by the first respondent and question the lawfulness of the processing

      of it with regard to the LRN. Decision on merits 149/2023 — 27/36


107. Complainant No. 1 highlights that in principle, the use of NRN is prohibited. Only

      the persons exhaustively listed in article 5.1. of the LRN may, subject to

      authorization from the Minister of the Interior, use it. By way of derogation, Article 8.3. delaLRN predicts

      that “authorization to use the National Register number is not required if the

      National Register number is used exclusively for identification purposes and

      authentication of a natural person within the framework of a computer application
      offered by a private or public institution under Belgian law or by the authorities, institutions

      and persons referred to in Article 5, § 1”. Complainant no. 1 considers that it is wrong that the

      first defendant relies on this exemption since the introduction by the patient

      of its NRN on the platform does not allow it to be identified or authenticated (the NRN seems

      rather be used as a user number of the data subject), the first

      defendant not having access to the National Register nor to the electronic identity card of the

      patient.Therefore, it is necessary to consider, according to complainant number 1, that the first defendant
      processes the NRN of users of the platform illegally.


108. As for the first defendant, she sets out in terms of conclusions that she opted for

      the NRN to identify and authenticate users of the platform in a secure manner,

      in the case of a unique identifier of which only the person concerned has, a priori, knowledge
      (item 22). She considered it essential given the (health) data which

      could be exchanged through the platform between a patient and a professional

      health, that the user is identified and authenticated in a unique and certain manner. There

      The first respondent indicates that she believed she could rely on Article 8.3. of the

      LRN cited above while stating that it does not access the National Register.

109. During the hearing, the first respondent indicated, as has already been mentioned

      at point 28, that it had made the decision not to request the NRN from users of

      the platform, thus breaking with a choice that had been made at the time of the creation of the

      platform by the previous management.



       II.5.2. The appreciation of the Litigation Chamber

110. Article 87 of the GDPR provides that “Member States may specify the conditions

      specific to the processing of a national identification number or any other identifier

      of general application. In this case, the national identification number or any other

      identifier of general application is only used subject to appropriate safeguards

      for the rights and freedoms of the data subject adopted pursuant to this

      regulations”. Decision on merits 149/2023 — 28/36


 111. Under Belgian law, the processing of the NRN which constitutes such a national identification number

       is strictly regulated in the LRN already cited. This determines restrictively in

       its article 5, the authorities, bodies, organizations or people who can access it.


 112. Article 8 of the LRN sets out the need to be, except in exceptional circumstances, authorized by the

       Minister of the Interior to, as in this case, use this number. An exemption from authorization

       is provided if, as mentioned above, the NRN is used exclusively “for purposes

       identification and authentication of a natural person in the context of a

       computer application offered by a private or public institution under Belgian law or by
                                                                       er
       the authorities, institutions and persons referred to in Article 5, § 1”.

                                                                                       20
 113. As pointed out by the Commission for the Protection of Privacy (CPVP) in its opinion
                                    21
       19/2018 of February 28, 2018 relating to a preliminary draft law introducing in particular

       modifications to the LRN including the aforementioned article 8.3, “the authentication of a person consists

       to verify that she really has the identity she claims to have. This is the authentication certificate

       (including the National Register number) present on the electronic identity card which

       allows it through the technique of cryptography” (point 31 of the opinion).

 114. In the present case, it appears from the explanations provided by the first defendant herself

       that it did not carry out the identification or authentication of the user of the


       platform from the NRN that the latter was invited to communicate. Indeed, the first

       Defendant admits not having access to the National Register. It therefore does not proceed, via a

       access to RN data and reading of the electronic identity card, verification of

       the identity of the person nor verifies that the person is who they claim to be.

       first defendant only asks the patient to enter an access “code”

       (his NRN in this case) without checking that it reveals his certain identity. It is not

       in no way excludes this person mentioning an NRN which is not theirs, coupled with their

       real identity what, without reading the electronic identity card, the first

       defendant will not be able to detect. If the Litigation Chamber shares the analysis of the

       first defendant that strong identification and authentication are necessary

       taking into account the processing of data (sensitive if applicable) which takes place via the

       platform, it nonetheless concludes that the first defendant was wrong

       argues that it was within the conditions of exemption of article 8.3. of the NRL.






19In application of article 4.1 of the LCA, the APD (and the Litigation Chamber) has jurisdiction to monitor compliance with the Law
RN: “The Data Protection Authority is responsible for monitoring compliance with the fundamental principles of the

protection of personal data, within the framework of this law and laws containing provisions relating to
to the protection of the processing of personal data”.
20The APD succeeded the Commission for the Protection of Private Life (CPVP) in execution of the Law of December 3, 2017 relating to
creation of the Data Protection Authority (LCA): article 3.
21
  Commission for the Protection of Privacy, Opinion 19/2018 of February 28, 2018 relating to the preliminary draft law establishing
various “Interior” provisions. Decision on merits 149/2023 — 29/36


 115. Thus, even in the event that, as in the present case, users of the platform consent

       to communicate their NRN, this consent, also in accordance with the requirements of articles 6 and

       7 of the GDPR, if applicable, is not sufficient to authorize processing since the

       processing of the NRN must be lawful and comply with the requirements of the LRN, including its articles 5 and
       8. The Litigation Chamber concludes that failing the first defendant to

       found under the conditions of these provisions, she was not authorized to use this NRN and

       therefore to solicit them, in violation of articles 5.1. a) and 6.1.GDPR in combination

       with article 8 of the LRN.

 116. The Litigation Chamber took note of the decision of the first respondent to

       refrain from requesting the NRN from users of the platform. She recalls that this

       change does not erase the past breach and must be reflected in the Policy

       confidentiality of the first defendant.



III. As for corrective measures and sanctions


 117. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:

       1° close the complaint without further action;

       2° order the dismissal of the case;


       3° pronounce a suspension of the sentence;

       4° propose a transaction;


       5° issue warnings or reprimands;

       6° order to comply with the requests of the person concerned to exercise their rights;


       7° order that the person concerned be informed of the security problem;

       8° order the freezing, limitation or temporary or definitive ban on processing;


       9° order compliance of the processing;

       10° order the rectification, restriction or erasure of the data and the notification of

       these to the recipients of the data;

       11° order the withdrawal of the accreditation of certification bodies;


       12° give fines;

       13° issue administrative fines;


       14° order the suspension of cross-border data flows to another State or a
       international body; Decision on merits 149/2023 — 30/36


     15° transmit the file to the public prosecutor of the King of Brussels, who informs him of the

     follow-up given to the file;

     16° decide on a case-by-case basis to publish its decisions on the website of the Authority of

     Data protection.



   III.1. With regard to the first defendant (DOS-2020-05649 and DOS-2020-05271)


      III.1.1. The shortcomings


118. It follows from the above that the first defendant was guilty of

     breach of article 12.3 of the GDPR (point 65), articles 5.1.a (lawfulness) and 6.1 of the GDPR
     with regard to the processing of data of unregistered health professionals (point 105)

     as well as article 5.1. a) (lawfulness) and 6.1. of the GDPR read in conjunction with Article 8 of the

     LRN with regard to the processing of the NRN of users of the platform (point 115).


119. It is the responsibility of the Litigation Chamber to determine the corrective measure and/or the sanction
     most appropriate to these shortcomings.


120. The Litigation Chamber first specifies the following with regard to the principle “ne bis in

     idem” invoked by the first respondent with regard to the complaint based on the legality of the
     NRN treatment. The first defendant is indeed surprised to have been invited to

     conclude on this question in the context of the two complaints (point 22) and declared during

     the hearing to question the respect of this principle by the Litigation Chamber if it

     was to sanction the same breach twice over an identical period.

121. The Litigation Chamber recalls that the general principle of law “non bis in idem”

     carries that “no one can be prosecuted or punished a second time due to an offense

     (even otherwise qualified) for which he has already been acquitted or convicted by a judgment

     definitive in accordance with the law and criminal procedure of each country. In other words,

     second prosecutions are prohibited on grounds of identical or substantially identical facts

     identical which, having been the subject of previous proceedings, gave rise to a decision
     final decision of acquittal or conviction. By “identical facts or substantially

     identical'', it is necessary to understand a set of concrete factual circumstances relating to a

     same suspect, which are inseparably linked in time and place (Cass., April 24, 2015,

     No. F.14.0045.N).

122. The respect due to this general principle of law in no way prevents the Chamber from

     Litigation invites the parties concerned to defend themselves with regard to the same grievance

     raised in various pending proceedings and in which it has not yet taken

     decision.The Litigation Chamber is free to invite a conclusion in a case pending

     following a complaint even subsequent to another which would raise the same grievance

     during the same time period. It remains free to adopt its decisions according to the Decision on the merits 149/2023 — 31/36


     calendar of priorities that it establishes. The Litigation Chamber adds that if having regard to the

     case in point, the nature of the sanctions it imposes can, depending on the case, be described as

     criminal, this is not necessarily always the case.

123. In this case, the Litigation Chamber having not yet taken any decision with regard to

     one or the other of complaints n°1 and n°2, it remained in any case free to invite the

     parties to conclude with regard to this complaint of the lawfulness of the processing of the NRN within the framework of

     two complaints. With regard to this decision, the Litigation Chamber has, as it was

     presented in point 51, decided to join these complaints n°1 and n°2, in particular with regard to the grievance
     common point that they raised as well as to adopt, as will be specified below, a

     single sanction with regard to the breach identified in point 115 above.



      III.1.2. The assessment of the sanction/adequate corrective measure by the Chamber
          Litigation


124. In assessing the most appropriate sanction with regard to the breaches noted,

     The Litigation Chamber takes into account the following elements specific to the specific case.

     Thus, it takes into account the decisions and changes initiated by the first
     defendant who both in its final conclusions (point 27) and during the hearing (point

     28) specified that following decision 75/2023 of the Litigation Chamber, it had

     initiated a process of obtaining consent from non-health professionals

     registered. In the same sense, the first defendant decided to give up requesting the

     NRN of platform users at the time of account creation and presented a

     test version without this NRN during the hearing (point 28). The Litigation Chamber is
     also sensitive to the successive adaptations made by the first defendant

     to its Confidentiality Policy in a concern for constant improvement regarding the implementation

     implementation of its obligations arising from the GDPR (points 60 and 68). Finally, the Chamber

     Litigation generally highlights the good cooperation of the first

     defendant both with itself and with the IS, notwithstanding article 31 of the GDPR which

     requires such collaboration. However, all these elements are not likely to
     remove the shortcomings it noted (point 118).


125. On this basis, the Litigation Chamber is of the opinion that addressing a reprimand to the

     first respondent for the breaches noted is appropriate and holds both

     take into account the reality of these failings and the fact that they are attributable to a young
     start-up with a limited number of employees (2), who throughout the procedure showed themselves

     wishing to comply, has taken a number of decisions in this direction and has

     initiated the operational changes resulting from these decisions. Decision on merits 149/2023 — 32/36


 126. The Litigation Chamber adds that for the remainder, it is not required to present the

       reasons why it does not retain this or that sanction, for example suggested by

       the complainant.

 127. In this case, the Litigation Chamber nevertheless intends to react to the fact that in its

       reply and summary conclusions, the first respondent argues that the Chamber

       Litigation would not be justified in imposing an administrative fine on him for

       reasons based on the fact that the fine is only the 13th sanction in the list of the article

       100 of the LCA as well as due to the considerations issued by the Court of Markets (CdM)

       as for this in its judgment of January 27, 2021 (RG 2020/AR/1333, p.19.) as well as that of

       terms of which, in a judgment of May 26, 2021, the said Court would rule out the possibility for the
       Chamber Contentious to impose a fine from the first offense committed by

       inadvertence (GR 2021/AR/163).


 128. The Litigation Chamber recalls that article 58.2 of the GDPR states that each authority

       supervisory authority has the authority to adopt all corrective measures listed. The fine
       administrative appears in the penultimate position (9th – litera i)), just before the 10th

       allows you to order the suspension of flows. Consider that there is a form of hierarchy

       between the measures finds no support in the text of the GDPR, on the contrary since the

       litera j) specifies that each supervisory authority may impose an administrative fine

       pursuant to Article 83, in addition to or instead of the measures referred to herein

       paragraph, depending on the specific characteristics of each case. In addition, the measurement

       referred to in letter j) (suspension of flows) cannot of course be conditioned by
       the prior existence of a fine that would have been imposed. That wouldn't make any sense.


129. Regarding article 100.1. LCA taken in execution of the GDPR, the same reasoning

       applies. It should be noted in this regard that the LCA does not take over the full terms of the article

       58.2. of the GDPR, namely that the administrative fine can be ordered in addition or

       instead of the measures referred to in this paragraph, depending on the characteristics
       specific to each case. Certainly the fine is mentioned in 13th position in litera 13 but

       this must be read with the precision which was omitted by the Belgian legislator. The measures which

       are referred to in litera 14, 15 and 16 (publicity of the decision) of article 100.1. LCA are not

       elsewhere not conceived as being able to intervene only “after a fine”.

 130. In summary, the place of the fine in the list of corrective measures/sanctions provided for

       in the GDPR and the LCA does not mean, a fortiori in support of the text of article 58.2.i) of the

       GDPR itself, that it is a measure of last resort conditional on adoption Decision on merits 149/2023 — 33/36



       other corrective measures/sanctions - considered less onerous, even in the event of

       first breach by negligence. 22


 131. The Litigation Chamber adds that since these judgments cited by the first defendant,

       the CdM returned to this position. The CdM subsequently brought more

       clarifications to the judgments cited by the first defendant, in particular by recalling the

       possibility of imposing a fine (and even a fine higher than the minimum amount

       of the range) to the data controller committing an offense for the first
           23
       times .

 132. As already mentioned, the Litigation Chamber must, however, adopt the measure

       corrective action and/or the appropriate sanction in the specific case.


 133. If the Litigation Chamber judges that the reprimand is an appropriate sanction in this case

       (point 125), the changes decided upon mentioned above must nonetheless be

       materialize to put an end to the breaches denounced in articles 5.1. a) and6 of

       GDPR as quickly as possible. The CC therefore combines its reprimand with orders to implement

       compliance in accordance with the system below and a ban on processing

       data concerned beyond a deadline set at January 15, 2024. It goes without saying that the

       first defendant will have to draw all the consequences, for example, in terms

       erasure of said data in the absence of a legal basis which would authorize the processing

       beyond this date and adaptation of its Privacy Policy.


 134. The Litigation Chamber specifies that as for obtaining the consent of practitioners

       non-registered, the first respondent may request the consent of each

       healthcare professional concerned by sending a personalized letter.



    III.2. With regard to the second defendant (DOS-2020-05649)


 135. The Litigation Chamber decides to adopt a classification decision without further action with regard to

       of the second defendant.






22In its guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679

(WP 253 of the GDPR, the EDPB clarified in this regard that: “The assessment of the effective, proportionate and dissuasive nature in each
case must also take into consideration the objective pursued by the corrective measure adopted, namely to restore respect

rules or punish unlawful behavior (or both). The EDPB also states that fines are a

important instrument that supervisory authorities should use in appropriate circumstances. Supervisory authorities
are encouraged to take a considered and balanced approach when implementing corrective measures to

to respond to the violation in a manner that is both effective, dissuasive and proportionate. This is not about considering fines
as a last resort or fear of imposing them, but, on the other hand, they must not be used in such a way either.

way that their effectiveness would be reduced. See. also recital 148 of the GDPR.

23See. Court of Markets, July 7, 2021, 2021/AR/320, published on the APD website. Decision on merits 149/2023 — 34/36


 136. In matters of dismissal, the Litigation Chamber must justify its decision by

       step and:

       - pronounce a classification without technical follow-up if the file does not contain or not

                sufficient elements likely to lead to a sanction or if it includes a

                technical obstacle preventing it from rendering a decision;


       - or pronounce a classification without further opportunity, if despite the presence
                of elements likely to lead to a sanction, the continuation of the examination of the

                file does not seem appropriate given the priorities of ODA such as

                specified and illustrated in the Chamber's No Action Policy

                Contentious.

 137. In the event of classification without follow-up on the basis of several reasons (respectively, classification

       without technical and/or appropriate action), the reasons for classification without action must be

       treated in order of importance.

 138. In the present case, the Litigation Chamber decides to proceed with a classification without

       continued for technical reason based on the absence of any breach of the GDPR or the laws including

       it is responsible for ensuring the respect that can be observed in the head of the second

       defendant. Indeed, the latter is not responsible for processing (spouse), nor sub-contractor.

       treating party, no breach is alleged against him in this case with regard to the complaints raised in

       against him by complainant no. 1.

 139. Therefore, the Litigation Chamber closes complaint no. 1 without further action for technical reasons on

       the basis of article 100.1.1° of the LCA.





 11.



IV. Publication of the decision


 140. Given the importance of transparency regarding the decision-making process of the Chamber

       Contentious, this decision is published on the website of the Protection Authority

       data (APD). However, it is not necessary for this purpose that the data

       identification of the parties are directly mentioned. Decision on merits 149/2023 — 35/36




     FOR THESE REASONS    ,

     the Litigation Chamber of the Data Protection Authority (APD) decides, after

     deliberation:

        - Under article 100, § 1, 5° of the LCA, to issue a reprimand with regard to

            of the first respondent for the violation of articles (i) 12.3. of the GDPR, (ii)

            5.1. a) (lawfulness) and 6.1. of the GDPR with regard to the processing of personal data

            healthcare professionals not registered on the platform and (iii), 5.1. a) and 6.1. of

            GDPR read in combination with article 8 of the LRN with regard to the processing of

            national register number of platform users.

        - Under article 100.8. and 9. of the LCA. to accompany this reprimand with an order to

            the first respondent to put a definitive end to the violations referred to above

            above (ii) and (iii) by providing by January 15, 2024 a basis of legality
            valid for the processing of data of unregistered health professionals and

            the abandonment of the collection of the national register number (NRN) of users of the

            platform. The Litigation Chamber must be informed, documents

            supporting evidence.

        - Under article 100.1.1° of the LCA, to classify complaint no. 1 without further action

            with regard to the second defendant.




In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days from its notification, to the Court of Markets (Cour
of Appeal of Brussels), with the Data Protection Authority (DPA) as a party

defendant. Decision on merits 149/2023 — 36/36



Such an appeal may be introduced by means of an interlocutory request which must contain the

                                                                               24
information listed in article 1034ter of the Judicial Code. The interlocutory request must be
                                                                                                                        25
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).










(sé). Hielke H IJMANS

President of the Litigation Chamber






















































24The request contains barely any nullity:

  1° indication of the day, month and year;
  2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or
      Business Number;

  3° the surname, first name, address and, where applicable, the status of the person to be summoned;
  4° the object and summary of the grounds of the request;
  5° indication of the judge who is seized of the request;

the signature of the applicant or his lawyer.
25
  The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.