APD/GBA (Belgium) - 162/2022
|APD/GBA - 162/2022|
|Relevant Law:||Article 4(11) GDPR|
Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(3) GDPR
Article 7(1) GDPR
Article 7(3) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 38(1) GDPR
Article 39(1) GDPR
Decreet houdende het toeristische logies
Decreet tot oprichting van het intern verzelfstandigd agentschap met rechtspersoonlijkheid "Toerisme Vlaanderen"
|National Case Number/Name:||162/2022|
|European Case Law Identifier:||n/a|
|Original Source:||Gegevensbeschermingsautoriteit (in NL)|
|Initial Contributor:||Enzo Marquet|
The Belgian DPA reprimands a government agency for not proactively involving its DPO in a processing activity relying on Article 6(1)(c) GDPR. All processing activities must be in line with the GDPR, even those mandated by legislation predating the GDPR.
English Summary
Facts
The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as an intermediary. The controller is legally tasked with monitoring the quality of the Airbnb hosts. This legal task forms the controller's legal basis for the processing. The Inspection Service held that the controller could not rely on Article 6(1)(c) GDPR because the controller interpreted its legal obligations too broadly.
Next, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse them and without giving website visitors clear information. The controller contested this and also stated that a new website, which follows best practices, had been launched in the meantime.
Lastly, the Inspection Service held that the DPO was neither proactively involved nor consulted, resulting in a breach of Article 38(1) GDPR and Article 39(1) GDPR. For the processing described above, the controller stated that the DPO did not need to be consulted because the Logiesdecreet provided the legal basis to process the data. However, the DPO did give positive advice after the first contact from the Inspection Service.
Holding
First, the Belgian DPA checks whether the controller can rely on a legal obligation under Article 6(1)(c) GDPR to process the personal data of Airbnb hosts. This processing can only happen if it is necessary to fulfill a legal obligation. The GDPR does not require each separate processing operation to have its own exclusive norm. The norm must be sufficiently clear and precise, and its application must be foreseeable by data subjects.
The DPA sets out that the controller is responsible by law, under article 11 Logiesdecreet, for the recognition and evaluation of tourist accommodation. The DPA holds that article 11 Logiesdecreet is unclear on how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' websites); as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to achieve the purpose: without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to the purpose, since only the necessary information is requested. The DPA finds no breach of Article 6(1)(c) GDPR.
The DPA dismisses the Inspection Service's report on non-strictly necessary cookies because the Inspection Service did not provide adequate proof.
Lastly, the DPA assesses whether the DPO should have been proactively involved. The DPA holds that the DPO is a key figure in data protection. As such, a DPO must be involved in all matters concerning personal data, in a proper and timely manner. The fact that the Logiesdecreet predates the GDPR does not absolve the organisation from applying the GDPR and thus from involving the DPO to check whether all processing of personal data is compliant. The DPA holds that the controller breached Article 38(1) GDPR and Article 39(1) GDPR.
The DPA reprimands the controller for its (past) breaches and dismisses the parts which did not lead to GDPR infractions. The DPA also reaffirms that it cannot impose a fine on a governmental agency.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.