APD/GBA (Belgium) - 162/2022
From GDPRhub
| APD/GBA - 162/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(11) GDPR Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1)(c) GDPR Article 6(3) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 25(2) GDPR Article 38(1) GDPR Article 39(1) GDPR Decreet houdende het toeristische logies Decreet tot oprichting van het intern verzelfstandigd agentschap met rechtspersoonlijkheid "Toerisme Vlaanderen" |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 14.01.2022 |
| Decided: | 16.11.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | Toerisme Vlaanderen |
| National Case Number/Name: | 162/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA reprimands a government agency for not proactively involving its DPO in a processing activity relying on Article 6(1)(c) GDPR. All processing activities must be in line with the GDPR, even those mandated by legislation predating the GDPR.
English Summary
Facts
The Belgian DPA's Inspection Service started an investigation of the regional government agency for tourism. The controller collects personal data of Airbnb hosts through Airbnb as intermediary. The controller is legally tasked to watch over the quality of the Airbnb hosts. This legal task forms the legal basis for the controller. The Inspection Service held that the controller couldn't rely on Article 6(1)(c) GDPR, the controller interprets its legal obligations too broadly.
On top of that, the Inspection Service held that the controller breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR because the information in their privacy policy was not concise, transparent, nor easily accessible, as well as containing wrong and missing information. The controller admits that this used to be the case, but that this issue has now been resolved.
Following, the Inspection Service held that the website placed non-strictly necessary cookies without providing a way to refuse the cookies, nor were the website visitors provided with clear information. The controller contests this and also states that a new website was launched in the meantime, which follows best practices.
Lastly, the Inspection Service held that the DPO was not proactively involved nor consulted, resulting in a breach of Article 38(1) GDPR and Article 39(1) GDPR. For the processing as described above, the controller stated that the DPO did not need to be consulted as the Logiesdecreet provided the legal basis to process data. However, the DPO did provide a positive advice afters the first contact of the Inspection Service.
Holding
First, the Belgian DPA checks whether the controller can rely on legal obligation under Article 6(1)(c) GDPR to process the personal data of Airbnb hosts. This processing can only happen if it is necessary to fulfill a legal obligation. The GDPR does not require each separate processing to have its exclusive norm. The norm must be sufficiently clear and precise, its application must be foreseeable by data subjects.
The DPA sets out that the controller is responsible, by law in article 11 Logiesdecreet, for recognition and evaluation of touristic accommodation. The DPA holds that article 11 Logiesdecreet is unclear how personal data can be gathered through intermediaries. The legislator intended to allow the controller to gather contact details of accommodation hosts (which are often not published on the intermediaries' website), as such, it is foreseeable that personal data will be processed for this purpose. The processing is also necessary to reach the purpose. Without the personal data, the controller has no way to contact the hosts. The DPA also holds that the personal data is proportionate to reach the purpose, only the necessary information is requested. The DPA finds no breach of Article 6(1)(c) GDPR.
Secondly, the DPA holds that the cookie policy was indeed not sufficiently transparent and lacked several requirements. The controller is a government agency, it solely referred to the regional governmental DPA (Vlaamse Toezichtscommissie) to contact for complaints. The DPA reaffirms that even though the regional governmental DPA is competent to rule, the DPA is also competent and should be included in the privacy policy. The DPA suggests using a layered approach to make the privacy policy more easily digestible. Finally, the DPA concludes that the previous privacy policy breaches Article 12(1) GDPR, Article 13 GDPR and Article 14 GDPR but that the shortcomings have been resolved in the meantime.
The DPA dismisses the non-strictly necessary cookies report of the Inspection Service since it did not provide adequate prove.
Lastly, the DPA assesses whether the DPO should be been proactively involved. The DPA holds that the DPO is a key-figure regarding data protection. As such, a DPO must be involved for all matters concerning personal data, in a proper and timely manner. The fact that the Logiesdecreet predates the GDPR does not absolve the organisation from applying the GDPR and thus involving the DPO to check whether all processing of personal data is compliant. The DPA holds that the controller breached Article 38(1) GDPR and Article 39(1) GDPR.
The DPA reprimands the controller for its (past) breaches and dismisses the parts which did not lead to GDPR infractions. The DPA also reaffirms that it cannot impose a fine on a governmental agency.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/23
Litigation room
Decision on the basis of 162/2022 of 16 November 2022
File number : DOS-2021-05803
Subject : Research on the sharing of accommodation data via the Airbnb platform
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Messrs Frank De Smet and Jelle Stassijns, members.
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The defendant: VISITFLANDERS, with registered office at 1000 Brussels, Grasmarkt
61, with company number 0225.944.375, hereinafter “the defendant”. Decision on the substance 162/2022 - 2/23
Fact procedure
1. On 14 January 2022, the Executive Committee of the Data Protection Authority will decide
(hereinafter: “GBA”) to catch the Inspection Service on the basis of Article 63, 1° WOG because of
a practice that may give rise to a violation of the fundamental principles of the
protection of personal data.
The object of the proceedings concerns the broad way in which personal data of
operators of accommodation via the Airbnb platform in the context of "random sampling".
requested by the defendant from various intermediaries. This practice lasted
following a judgment of the Court of First Instance which held that this
sampling can only take place in very limited cases. This procedure has
also relates to the fact that hereby no advice from the officer for this
data protection was requested.
2. On 27 January 2022 the investigation will be completed by the Inspection Service, the report will be
appended to the file and the file is transferred by the Inspector General to
the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject matter of the decision
Management Committee and decides that there is:
a. a breach of article 5, paragraph 1, a) and c) and paragraph 2 of the GDPR, article 6, paragraph 1 of the GDPR, article
24 (1) GDPR and Article 25 (1) and (2) GDPR;
b. a breach of Article 12(1) and (6) GDPR, Article 13(1) and (2) GDPR and
Article 14(1) and (2) GDPR, Article 5(2) GDPR, Article 24(1) GDPR
and Article 25(1) of the GDPR; and
c. a violation of Article 38(1) and (3) of the GDPR.
d. an infringement of Article 4, 11) of the GDPR, Article 5, paragraph 1, a) and paragraph 2 of the GDPR, Article 6, paragraph
1, a) of the GDPR and Article 7, paragraphs 1 and 3 of the GDPR for the use of non-strict
necessary cookies.
3. On 4 February 2022, the Litigation Chamber will decide on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for treatment on the merits.
4. On 4 February 2022, the defendant will be notified by e-mail of the provisions such as
mentioned in article 95, § 2, as well as in article 98 WOG. They are also based on
Article 99 WOG of the time limits for submitting their defences.
With regard to the findings within and outside the subject matter of the decision of the
Management Committee became the deadline for receipt of the statement of reply of
recorded by the defendant on 18 March 2022. Decision on the substance 162/2022 - 3/23
5. On February 8, 2022, the defendant electronically accepts all communications regarding the
matter.
6. On 25 February 2022, the defendant requests a copy of the file (Article 95, §2, 3 ° WOG),
which was transferred to him on February 25, 2022.
7. On March 17, 2022, the Disputes Chamber will receive the statement of defense from the
defendant with regard to the findings with regard to the object of the
decision of the Executive Committee. This conclusion also contains the reaction of the
defendant about the findings made by the Inspectorate outside the
scope of the complaint. The defendant argues, first, that the processing on its part is a
lawful data processing. Second, the defendant argues that the
data processing in question constitutes correct and permitted data processing,
whereby the basic principle of data minimization from Article 5, paragraph 1, c) GDPR is respected
and that he can also demonstrate this
transparent and understandable, that it contains complete information, and that it can do this
demonstrate. Fourth, the defendant argues that it was not obliged to
to seek advice from the Data Protection Officer in relation to it
Memorandum of Understanding. Finally, the defendant argues that on its website only
Strictly necessary or functional cookies are employed for which there is no permission
is required. According to him, no non-necessary cookies were active. Consequently it was
providing (transparent) information about such cookies according to the defendant
irrelevant. Nor is this a legal obligation, according to the defendant.
8. On September 14, 2022, the parties will be notified that the hearing will
take place on October 21, 2022.
9. On 21 October 2022, the party appearing will be heard by the Disputes Chamber. During the day
the hearing has explained to the defendant what steps it has already taken on the matter
of data protection since the submission of the complaint and the Inspectorate investigation. So
the Litigation Chamber could determine during the hearing that virtually all grievances
from the complaint and areas of concern from the Inspection Report were addressed by the defendant.
10. On October 25, 2022, the minutes of the hearing will be sent to the parties
transferred.
11. On October 29, 2022, the Disputes Chamber will receive some from the defendant
remarks with regard to the official report, which it decides to include in
her deliberation. Decision on the substance 162/2022 - 4/23
Motivation
12. The Disputes Chamber then assesses each of the findings included in the
Inspection report in the light of the pleas put forward by the defendant in this regard.
I.1. Article 5, paragraph 1, a) and c) and paragraph 2 GDPR, Article 6, paragraph 1 GDPR, Article 24, paragraph 1 and Article 25, paragraph
1 en 2 GDPR.
I.1.1. Article 5 paragraph 1 a) and c) and Article 6 paragraph 1 GDPR
13. The Litigation Chamber recalls that the starting point of Article 5(1)(a) GDPR is that
personal data may only be processed lawfully. This means that
a legal basis for the processing of personal data as referred to in Article 6(1) of
the GDPR must be present. Article 6(1) states in further elaboration of this basic principle
GDPR that personal data may only be processed on the basis of one of the
Article listed legal bases.
14. During the Inspection investigation, the defendant admits that he has complied with article 6, paragraph 1c) of the
AVG invokes, with regard to the request to Airbnb for operator and accommodation data
to be delivered to the defendant. The Inspectorate establishes that the defendant assumes
a too broad interpretation of his legal obligations that he does not show why it
processing of personal data in the context of a sample is necessary. On base
of these elements, the Inspectorate declares an infringement of article 5, paragraph 1, a) and c) and article
6 (1) GDPR.
15. The Litigation Chamber recalls that in order to be able to rely lawfully on the
legal basis from article 6, paragraph 1, c) AVG, personal data may only be processed
if this is necessary for the fulfillment of a legal obligation on the
controller rest. In these cases, the processing must always be a
have a basis in the law of the European Union or that of the Member State concerned,
which must also state the purpose of the processing. It should therefore be checked whether
in this case the conditions set out in that article have been met.
16. In accordance with Article 6.3 GDPR, read in conjunction with Article 22 of the Constitution and
Article 7 and 8 of the Charter, a legislative standard should contain the essential features of
to record data processing that is necessary for the fulfillment of a
legal obligation, regardless of whether it is in the law of the European Union or in the law
1
of the Member States. In the aforementioned provisions it is hereby emphasized that the
processing involved should be framed by a standard that is sufficiently clear and
is accurate, the application of which is foreseeable for the persons concerned. The GDPR
however, does not prescribe specific legislation for each individual processing
1See e.g. decision 149/2022 dd. October 18, 2022 and 48/2022 dated April 4, 2022. Substantive decision 162/2022 - 5/23
is. Legislation that serves as a basis for several will suffice
processing based on a legal obligation on the
controller rest.
17. The Litigation Chamber will determine the terms of legal basis and necessity below
judge.
A clear, precise and predictable legal basis
18. According to Recital 41 of the GDPR, this legal basis or legislative measure
be clear and precise and its application must be for the litigants
be foreseeable, in accordance with the jurisprudence of the Court of Justice of the
European Union and the European Court of Human Rights.
19. Recital 41 GDPR specifies in this regard: “When in this regulation to a
referenced to a legal basis or a legislative measure does not require this
necessarily require a legislative act enacted by a parliament,
without prejudice to the requirements in accordance with the constitutional order of the Member State
matter. However, this legal basis or legislative measure must be clear and precise
and its application must be predictable for those to whom it applies
applies, as required by the case law of the European Court of Justice
Union (“Court of Justice”) and the European Court of Human Rights”.
In accordance with Article 22 of the Belgian Constitution, essential elements of
the processing in addition by means of a formal legal standard (law, decree or
ordinance) to be adopted.2
20. In this context, the Disputes Chamber refers more specifically to the Privacy judgment
International of the Court of Justice dated October 6, 2020, in which the Court states that the
relevant legislation should contain clear and precise rules “about the scope and
the application of the measure concerned, so that those whose personal data
at issue, have sufficient guarantees that those data are effective
be protected against the risk of abuse”. The Court adds: “That arrangement
must be legally binding under domestic law and in particular indicate in which
circumstances and under what conditions a measure provides for the processing
of such data can be taken, thus ensuring that the interference to
what is strictly necessary is limited. (...) These considerations apply in particular
2“Everyone has the right to respect for his private and family life, except in the cases and under the
conditions set by law. The law, decree or rule referred to in Article 134 guarantees protection
of that right.”
3 ECJ, C-623/17, 6 October 2020, Privacy International t. Secretary of State for Foreign and Commonwealth Affairs and others Decision on the substance 162/2022 - 6/23
when it comes to the protection of a special category of personal data, te
know sensitive data”
21. The defendant's mission is, among other things, to increase the attractiveness of
Flanders as a destination. To fulfill this mission, article 5 of the decree lays down
establishing the internal independent agency with legal personality
“ToerismeVlaanderen” tasks on the defendant that he must fulfill, including tasks
on integral quality assurance. This includes: responsible for the development and
the promotion of integral quality assurance within the framework of the powers that are
granted by current and future legal and regulatory provisions
regarding the following matters: (a) tourism infrastructure, subsidies, participations and
other initiatives and (b) provision of information, services, training and labelling. In
implementation of the above is determined by the decree on tourist accommodation
6
of 5 February 2016 (hereinafter: Accommodation Decree) (and its implementing decrees)
different conditions that every tourist accommodation in the Flemish Region must meet
sufficient for it to be recognized as tourist accommodation and subsequently to be operated in this way
become. The defendant is charged with the implementation of this Accommodation Decree, including the
recognition as tourist accommodation and monitoring compliance with this
recognition conditions.
22. In order to be recognized as tourist accommodation, the accommodation must therefore comply with the
conditions as stipulated in Article 6 of the Accommodation Decree. The research into it
meeting the conditions for recognition is regulated in chapter 5 of the
Accommodation Decree. Article 10 of the Accommodation Decree prescribes that the Flemish Government
designate persons authorized to supervise and control the
compliance with the provisions of the Accommodation Decree (i.e. inspectors at VISITFLANDERS
which can be designated by the Flemish Government).
23. In the context of this supervisory and control power, Article 11 of the
Accommodation Decree as follows:
“Art. 11. The intermediaries, referred to in Article 2, 5°, must provide tourist accommodation
located in the Flemish Region for which they mediate or promote, op
written request, the details of the operator and the address details of the
communicate tourist accommodation to the agents of the federal and local police and to the
authorized persons, stated in Article 10. These details can be requested
in the context of a random check, if in doubt on the tourist accommodation comply with the
4Article 4 of the decree establishing the internal independent agency with legal personality “Tourism
Flanders”, BS 29 April 2004 (hereinafter: Establishment Decree).
5
BS April 29, 2004.
6BS 8 March 2016. Substantive decision 162/2022 - 7/23
conditions of this decree or its implementing decrees, or in the context of a complaint about
a tourist accommodation.”
7
24. Article 11 of the Accommodation Decree therefore prescribes that intermediaries, such as Airbnb in this case,
the details of the operator and the address details of the tourist accommodation must
inform the officials authorized by the Flemish Government when they do so
be requested. In view of the above, the defendant argues that, through the
the aforementioned authorized officials, can request specific data from a
intermediary such as Airbnb in at least three cases:
- in the context of a clearly defined random check;
- in case of doubt whether the tourist accommodation meets the conditions of the
Accommodation Decree and its implementing decrees;
- in the context of a complaint about tourist accommodation.
25. Contrary to the finding of the Inspectorate, the defendant believes that he
does not interpret Article 11 too broadly. The defendant refers in this regard to the
parliamentary preparation of the Accommodation Decree, which states in this regard:
“ [t]he written request referred to must be made with reasonableness and proportionality
are used. The data must be requested specifically, it is too
say in the context of a clearly defined sample (e.g. one or more
accommodation in the same city, municipality or region), in case of doubt whether these tourist accommodations are sufficient
to the conditions of this decree and its implementing decrees or within the framework of a
complaint about these tourist accommodations.”
26. This position, according to the defendant, is also consistent with the report
on behalf of the Committee on Foreign Policy, European Affairs, International
Cooperation, Tourism and Real Estate which reads as follows:
“[…] Every tourist accommodation can be checked at all times for basic standards.
Inspection is done at the request of a hotel manager (with the possibility of recognition) or on
government initiative (randomly, in case of doubt or complaint)[…]”. In an opinion
the Commission for the Protection of Privacy (CBPL) the same
position taken: “The data should be requested specifically, within the framework
of a clearly defined sample, in case of doubt or in case of a complaint”.
7Article 2,5°Accommodation Decree: “5°intermediary: any natural or legal person who in any way against payment
mediates in offering tourist accommodation on the tourist market, promotes tourist accommodation
or offers services through which operators and tourists can interact directly.' Decision on the substance 162/2022 - 8/23
27. However, the Inspectorate argues that this is an incorrect reading of Article 11 of the Accommodation Decree and
refers in this regard to a judgment of the Court of First Instance in Brussels . In this
verdict, the court concluded that there are only two cases in which the data can be
be requested from the intermediaries: (1) in case of doubt as to whether the accommodation is satisfactory
to the conditions of the decree, and (2) in the case of a complaint about a tourist
accommodation.According to the court, the sample is not a substantive situation that meets the conditions
which may or may not be satisfied, but merely a particular method or procedure which
prescribed by the legislature to be in either hypothesis
used when requesting information.
28. Following this judgment of the Brussels Court of First Instance, the defendant
withAirbnbeenagreement("MemorandumofUnderstanding",hereinafter:"MoU")
being voluntary and in good will to a workable application of this
provision is coming. The MoU regulates a number of modalities about the delivery of operators
accommodation data in the context of a request by the defendant pursuant to Article 11 of
the Accommodation Decree. This includes the data that the defendant will request
specifically named, as well as the number of applications and the geographical demarcation of one
request are specified.
29. The Disputes Chamber notes that the text of Article 11 of the Accommodation Decree has been
established that uncertainty may exist about the cases in which the personal data
may be requested by the defendant from intermediaries. This becomes
illustrated by the fact that the defendant gives a different interpretation to Article 11
of the Accommodation Decree than the Court of First Instance in Brussels in the above
stated verdict. To find out the intention of the legislator, the
Litigation Chamber to the preparatory works of the Accommodation Decree.
30. The preparatory works of the Accommodation Decree state that in practice
it is found that more and more intermediaries such as tourist rental offices and
Internet platforms, such as Airbnb, offer tourist accommodation on the market without
mention of the concrete (address) details of the tourist accommodation or
contact details of the operator. This makes (or even prevents) locating difficult
or checking these accommodations, even in case of complaints. Article 11 of the
Accommodation Decree tries to meet this problem and offers the competent authorities
persons responsible for the supervision and control of the accommodation decree (in addition to the
authorized officials mentioned above, including federal and local agents
police) the possibility to request the operator data and the
address details of tourist accommodation located in the Flemish Region at te
ask these intermediaries such as Airbnb. The written request that applies
8
Court of first instance in Brussels, case A.R. 2018/3527/A. Decision on the substance 162/2022 - 9/23
to be used with fairness and proportionality. The data should be purposeful
to be requested, that is to say, in the context of a demarcated sample
(for example, one or more accommodations in the same city, municipality or region), in case of doubt whether this
tourist accommodation meets the conditions of the accommodation decree and are
implementing decrees or in the context of a complaint about these tourist accommodations.
31. In view of the above, the Disputes Chamber concludes that the intention of the
legislature was to provide for at least three distinct cases in which the
personal data could be specifically requested from an intermediary:
- in the context of a clearly defined sample;
- in case of doubt whether these accommodations meet the conditions of the Accommodation Decree;
- in the context of a complaint about tourist accommodation.
32. This interpretation also satisfies the requirement of foreseeability as defined
in Article 6.3 GDPR. As already explained, Article 6 of the Accommodation Decree determines the
conditions for recognition of a tourist accommodation. These conditions have under
others relate to the safety of the users of the accommodation, such as fire safety.
As soon as these conditions are no longer met, in accordance with Article 12 of
the Accommodation Decree, an administrative fine may be imposed. In addition, can also be ordered
to stop the operation of tourist accommodation (article of the decree).
Based on the above, it is therefore predictable for those involved that the
compliance with the registration conditions must be verifiable by the
authorized officials, both during the recognition and afterwards.
33. The Litigation Chamber finds that this interpretation also allows the defendant to be proactive
to act in the context of its enforcement activity through clearly defined
samples. If the defendant could only act in the event of a complaint
or doubt, the defendant would not have the necessary tools to enforce his decree
audit duty properly. Sampling is therefore absolutely necessary
defendant to be able to implement a sound enforcement policy and thus to comply with
its legal obligation.
34. To the extent necessary, and also as cited by the defendant, the
10
Litigation Chamber that the Amendment Decree was adopted on 9 February 2021
Article 11 of the Accommodation Decree referred to above changes as follows:
9Proposed decree on tourist accommodation, Vl. Parl. 2015-16 499/1 p. 13.
10 In full: Decree amending the Decree of 5 February 2016 concerning tourist accommodation and the abolition of the
Decree of 18 July 2003 on accommodation and associations that practice a week in the context of tourism for
Allen, Parl.St. Vl. Parl., 2021-22, no. 1028/6, p.3. Decision on the substance 162/2022 - 10/23
“Art. 11. The intermediaries share for tourist accommodation in Flanders
Region for which they mediate or promote, upon written request, the
details of the operator and the address details of the tourist accommodation
to federal and local police officers and authorized persons,
mentioned in Article 10.
The data, stated in the first paragraph, can be requested in the following cases:
1° as part of a random check to verify whether tourist accommodation
for which the intermediary mediates or promotes, are registered with
Tourism Flanders. In a sample, at most, the data
requested from all operators and tourist accommodations in the same city or
Township. Multiple samples can be taken at the same intermediate
person;
2° in case of doubt whether a tourist accommodation for which the intermediary mediates or
promotes, meets the conditions stated in this decree, and the
its implementing decrees;
3° in the context of a complaint about tourist accommodation.”
The Litigation Chamber notes in this context that this new legislation has been published
after the data processing at issue and therefore does not apply to the processing in
present case. Consequently, the Litigation Chamber has not relied on this new one
legislation to reach this decision.
Necessity
35. Pursuant to Article 6(1)(c) GDPR, the processing is lawful if and to the extent
the processing is necessary for the fulfillment of the legal obligation on the
controller rest. When personal data is processed
they must be adequate and relevant for the purpose. There are no more allowed
personal data are processed than necessary for the purpose (article 5.1, c) GDPR).
36. According to the Inspection Report, the defendant does not demonstrate why the processing of
personal data in the context of a sample is necessary as imposed by
Article 5(1)(c) in the context of its supervision and audit mission.
37. The defendant argues that the necessity of requesting the data
regarding the tourist accommodation is evident from the fact that without requesting this
the defendant details the tourist accommodation, which is sold on the market through intermediaries
offered (1) cannot verify and (2) cannot contact their operators. The
The defendant only requests the minimum of information that it needs to make a claim
to be able to identify tourist accommodation and to contact its operator so that the
the defendant can check whether the conditions of the accommodation decree and the implementing decrees
are complied with. Without this control and contact option, the defendant cannot
check whether the above-mentioned conditions of the Accommodation Decree and the
implementing decrees are complied with. The defendant hereby points out that this is specifically in
thecaseofAirbnbthemoreisnecessary.Airbnbparttimesinrulenoaddressdata
of the accommodation and no name or contact details of the operator on its website.
38. Based on the conclusion of the defendant, the Litigation Chamber establishes that the following
data is requested:
- The name of the tourist accommodation (accommodation name on Airbnb)
- The address of the tourist accommodation (street, house number,…)
- Capacity of the tourist accommodation (in the context of fire safety);
- The name of the operator of the tourist accommodation (the first and last name of the
operator, where available to Airbnb) and the online host name;
- The contact details of the operator of the tourist accommodation (the e-mail address of
the operator).
39. The Disputes Chamber is of the opinion that this information is necessary with a view to the
correct identification of tourist accommodation and to contact the operator to go
or the conditions of the Accommodation Decree and its implementing decrees
complied.
I.1.2. Article 5 (2), Article 24 (1) and Article 25 (1) and (2) GDPR
40. The controller must comply with the basic principles of Article 5 GDPR and dat
can demonstrate. This follows from the accountability as understood in Article 5, paragraph 2 j°
Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every
controller takes appropriate technical and organizational measures
to ensure and be able to demonstrate that the processing takes place
in accordance with the GDPR. As already explained, this case concerns the transfer of
operator and accommodation data by Airbnb (as an intermediary) to the defendant. This one
transmission was made at the request of the defendant.
41. In the context of its investigation, the Inspectorate assessed to what extent the
the defendant has taken the necessary technical and organizational measures to
comply with the principle of lawfulness and data minimization within the scope of this
request for transfer. In this respect, the Inspectorate decides that the defendant does not
has sufficiently demonstrated that he has taken the necessary measures to ensure that the
disputed processing takes place in accordance with Article 5(1) a) and c) and
Article 6 (1) GDPR, since the Inspection Service has come to the conclusion that the
processing operations were not in accordance with these principles. Decision on the substance 162/2022 - 12/23
42. The Litigation Chamber has in section I.1.1. no infringements detected of Article 5(1)(a)
and c) and Article 6 (1) GDPR. Consequently, there is also no reason to infringe the
accountability. The Disputes Chamber therefore rules that the
Defendant has sufficiently demonstrated that it does indeed comply with its obligations
accountability there is therefore no breach of Article 5(2), Article 24(1) and Article 25,
paragraphs 1 and 2 GDPR was committed by the defendant, in connection with the legality of the
processing.
I.2. Article 12(1) and (2), Article 13(1) and (2), Article 14(1) and (2), Article 5(2),
Article 24 (1) and Article 25 (1) GDPR
I.2.1. Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and paragraph 2, Article 14, paragraph 1 and paragraph 2
43. In implementation of the transparency principle from Article 5, paragraph 1, a) GDPR, based on Article
12 (1), Article 13 (1) and Article 14 (1) and (2) GDPR, it is necessary that the
controller, in this case the defendant, to the data subjects concise,
provides transparent and understandable information about the personal data that is processed
become. In its capacity as controller, the defendant must
implement Articles 12, 13 and 14 of the GDPR.
44. In the present case, the Inspectorate concludes that the defendant has committed an infringement
committed on Article 12 Paragraph 1 and Paragraph 2 GDPR, Article 13 Paragraph 1 and Paragraph 2 GDPR, Article 12 Paragraph 1 and Paragraph 2,
Art. 5(2), Art. 24(1) GDPR and Art. 25(2) GDPR as the privacy statement
Operator's portal would contain incorrect information and would be incomplete.
45. Pursuant to Article 12(1) of the GDPR, the defendant is responsible for the
take appropriate measures to comply with Articles 13 and 14 of the GDPR
information in a concise, transparent, comprehensible and easily accessible manner
plain language and in writing or by other means, including electronic means
provide.
46. As regards the content of this information, data subjects were provided with the information referred to in paragraphs 1 and 2
listed points of both Articles 13 and 14 to be communicated because not all
information was obtained directly from them. 11
47. First of all, the Inspection Report concludes that the “Operator Portal Privacy Statement” of
the defendant is not transparent and understandable, as required by Article 12 (1) GDPR and
contains incorrect information from a data protection point of view, because of the
following observations:
11 Article 29 Working Party, Guidelines on Transparency under Regulation (EU) 2016/679, WP 260,
revised version of 11 April 2018 (adopted by the European Data Protection Board
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23). Decision on the substance 162/2022 - 13/23
a. ThePrivacy StatementOperator Portalcontainsirrelevantandconfusinginformation,
such as a reference to the “Privacy Act of 1992”, the mention of hyperlinks
without any explanation and clear connection to the text, and a reference to
‘part 9’ of the Operator Portal privacy statement that does not contain part 9.
b. The defendant's Operator Portal privacy statement incorrectly creates the
perception towards data subjects that the GDPR is being complied with. This would
be misleading as the Inspection Service has reported several breaches of the GDPR
has established.
c. The defendant's Operator Portal privacy statement erroneously does not make any
notification of the possibility for data subjects to submit a complaint to the
GBA. However, there is mention of the possibility to file a complaint
serve at the Flemish Supervisory Commission (VTC).
d. Finally, the Inspectorate concludes that the Privacy Statement
Operator portal is not clear and therefore not transparent with regard to:
i. the purposes and legal bases of the processing: there is no
clarifies which legal obligations the defendant must meet
requirements that require the processing of personal data;
ii. the exercise of the rights of data subjects: there is no
clarifies what a data subject may specifically do with the defendant
expect if he exercises his rights; and
iii. the adjustments that were made: it is not specified when
adjustments were made, water was precisely adjusted and via
which “common communication channels” are involved in this regard
to be informed.
48. Secondly, the Inspectorate also notes that the privacy statement for the Operators Portal of
the defendant is incomplete because not all are required according to Articles 13 and 14 GDPR
information is effectively stated, as no information is given
about:
a. the processing purposes and the legal basis for the processing;
b. the fact that data subjects have the right to a given consent at all
time to withdraw;
c. that the data subjects have the right to submit a complaint to the GBA; and
d. the source from which the personal data originates, and where applicable, or they
come from public sources. Decision on the substance 162/2022 - 14/23
49. Since the defendant carries out a large number of data processing operations, resulting in a
large amount of information must be provided to the data subjects, is the
Litigation Chamber considers that a
12
controller such as the defendant must adopt a multi-layered approach:
- On the one hand, the data subject must have clear and
accessible information about the fact that there are information about the processing of
personal data exists (privacy policy) and where he will be able to do it in full
find.
- On the other hand, without prejudice to the accessibility of the
privacy policy in its entirety, from the first communication of the
controller with him be informed of the
details of the purpose of the processing in question, the identity of the
controller and the rights available to him.
50. The importance of providing this multi-layered information arises in particular from
recital 39 of the GDPR. Any additional information necessary to identify the data subject
on the basis of the information provided at this first level to understand what
the consequences of the processing concerned will be for him should be added.
51. The defendant is of the opinion that the information he provided to the concerned
provided meets the requirements of Articles 12, 13 and 14 of the GDPR. In this connection
emphasizes the defendant that he has strict compliance with the legislation concerning
pursues data protection and works closely with its data protection officer for this purpose
data protection. The defendant argues that since the drafting of the
Inspection report has adjusted the privacy statement Uitbatersportaal in consultation with the
data protection officer. In his conclusions, the defendant explains which
how the new privacy statement for the Operators Portal has been amended.
52. With regard to the transparency and comprehensibility of the privacy statement, the
defendant tohehasadjustedtheprivacystatementOperator's portalsince it was drawn up
of the Inspection Report where the following adjustments were made: there is none
reference more to the abolished Privacy Act, only to the GDPR. The confusing
reference to a non-existent part 9 was also removed. The reference to the
contact options of the defendant were also adjusted. As for the
possible confusion around the hyperlinks without further explanation, argues the
defendant that in the passage above the hyperlinks it is indeed explained why the
defendant processes the personal data with explicit reference to it
12
In the same sense: decision no. 81/2020 of the Litigation Chamber (points 53 et seq.) and decision 76/2021 (points 58
et seq.), can be consulted via https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision on the substance 162/2022 - 15/23
Accommodation decrees and the basic register of Flemish accommodation
he has not yet received any question or comment in this regard, which means that he
raises the question of whether there is any confusion at all. Under the title “What are your
rights and how you can exercise them”, the new privacy statement now also provides the
mention (in addition to the VTC) of the GBA in the context of exercising the rights of
data subjects. 13
53. As far as necessary and in accordance with its previous decisions, the
Litigation chamber that the GBA as federal supervisory authority is competent in any case
14
is to monitor compliance with the GDPR. This is also the case if the
data processing relates to a matter covered by the
competence of the communities or the regions (state authorities) and/or
if the controller is a public authority that falls under the
communities or regions, even if the federal state itself has one
supervisory authority within the meaning of the GDPR.
54. Subsequently, the defendant sets out the following arguments in its claims
show that the determination of the Inspectorate regarding the alleged incompleteness of
the Privacy Statement is incorrect.
55. As regards the determination of the purposes and legal bases for the processing
the defendant refers that this has been dealt with earlier [see section II.1]. Then the
defendant that the possibility to submit a complaint and therefore also an objection is explicitly stated in the
privacy statement Operators portal was included. In the new privacy statement
The operator portal contains the following passage:
“Right to object: If you believe that your personal data is not
may be processed longer because of your specific situation, you can
object to such processing, in the context of our products
and services we offer in the public interest.”
56. The Disputes Chamber notes that under part 6 of the previous privacy statement
Operator portal the data subject has been informed about his rights that he can exercise
against the defendant. The Litigation Chamber refers to the relevant passage that
read as follows: “With regard to your personal data, you always have the right to […] a
submit a complaint regarding the processing of your personal data[…].All
requests for the exercise of the above rights can be delivered through the channels provided
are listed in section 9 of this privacy statement. If you don't join us in one
13See e.g. Marktenhof judgment, 2022/AR/457, dd. October 26, 2022, and also the following decisions of the Litigation Chamber:
decision 62/2022 of April 29, 2022, decision 31/2022 of March 4, 2022, decision 15/2020 of April 15, 2020.
14The judgment of the Marktenhof dd. October 26, 2022 (2022/AR/457) confirms the jurisdiction of the DPA regarding
of Flemish authorities. Decision on the substance 162/2022 - 16/23
If a solution is found, you also have the right to submit a complaint to the Flemish
Supervisory Committee […]”.
57. The Disputes Chamber finds that the defendant in the old privacy statement
Operator portal has not used the correct terminology, which can cause confusion
to care. As far as necessary, the Disputes Chamber reminds that a complaint and a
objection (both mentioned in the privacy statement Uitbatersportaal) do not have the same meaning
cover under the GDPR and every controller must use the correct terminology
handling. A data subject has the right to inform a controller
request that his/her personal data is no longer used. This is called the right of
objection. The right to object can be exercised in accordance with Art. 21 GDPR
when the processing is based on one of the following legal grounds: the justified
interest and the performance of a task of public interest or public authority. In others
cases, the data subject cannot object because of the other legal grounds
alternatives exist to achieve the same goal: with consent, the data subject can do this
moving in; the data subject cannot object to processing imposed by law.
If the data subject does not agree with how a controller with
handles his/her personal data and there is no agreement with the controller
solution can be found, the person concerned can submit a complaint to the GBA. In the
originalprivacy statementOperator portal should also have been clarified
that the data subject has the right to lodge an objection with the defendant, and
if necessary, then has the right to submit a complaint to the GBA. In the new
privacy statement Operators portal, this distinction is correctly used, despite the
fact that both terms are used incorrectly in the conclusion.
58. The Defendant also believes that the Privacy Statement of the Operator Portal expressly identifies the source of
mentions the personal data as well as that the public data becomes available
made via the basic register of Flemish accommodation offerings, stating a link to it
base register. The new privacy statement Operators Portal explicitly states under the
title “Why do we process your personal data” following text:
“Toerisme Vlaanderen can obtain the following personal data at three (3)
ways, namely: on paper, via the operator portal or via the web service
Crossroads Bank for Holiday Homes (CIB Vlaanderen is freely available and
accessible via the website of VISITFLANDERS (click here).”
59. In conclusion, the defendant concludes that the new privacy statement
The operator portal is transparent and understandable, and that this information is correct and complete
at least that the determination of the Inspection Service has become meaningless
in view of the changes made to the new privacy statement for the Operators Portal. Decision on the substance 162/2022 - 17/23
60. The Disputes Chamber is of the opinion that the new privacy statement for the Operator Portal contains the
Articles 13 and 14 of the GDPR requirement now contain elements
believes that the defendant, as required by Article 12(1) of the GDPR, in its privacy policy
has mainly used simple, clear and straightforward wording to convey the
to inform data subjects about the data processing operations it carries out.
61. However, the Disputes Chamber also finds that the defendant was negligent in the past
acted, as was also established in the Inspection Report. More specifically contained
the privacy statement Operator portal irrelevant and confusing information, such as a
reference to a non-existent Part 9 and a reference to the Privacy Act of 1992.
In addition, the operator portal privacy statement was incomplete and not transparent, among other things due to
the lack of reference to the possibility to file a complaint with the GBA, by
unclear reference to the purposes and legal bases of the processing and
exercising the rights of the data subject, and by using incorrect terminology.
62. The Disputes Chamber does point out that the defendant has made efforts
to update the information to be provided under Articles 12, 13 and 14 GDPR,
albeit after receipt of the Inspectorate's comments.
63. The Disputes Chamber therefore establishes that the Privacy Statement for the Operators Portal initially does not
met the requirements of Articles 12, 13 and 14 GDPR, resulting in a
violation of Articles 12, 13 and 14 GDPR. This does not alter the fact that this has been rectified in the meantime.
I.2.2. Article 5 (2), Article 24 (1) and Article 25 (1) GDPR
64. With regard to accountability (as defined above in section I.1.2) with
with regard to the transparency obligations, the Inspectorate notes that these are not
was complied with by the defendant with regard to the transparency obligations of the
defendant. This follows from the breach of Articles 12, 13 and 14 mentioned above
AVG.
65. The Litigation Chamber ruled in part I.2.1 that there was indeed a
breach of the principles of transparency as understood in these articles. The Dispute Chamber
notes, therefore, that the defendant failed to demonstrate that it had the necessary technical and
has taken organizational measures to comply with the obligations regarding
transparency as stipulated in Articles 12, 13 and 14 GDPR. Consequently, the decision
Litigation Chamber that there was a violation of Articles 12, 13 and 14 GDPR.
This does not alter the fact that this has been rectified in the meantime. Decision on the substance 162/2022 - 18/23
I.3. Article 38 (1) GDPR and Article 39 (1) GDPR
66. The Inspectorate's report finds that the defendant has complied with the requirements regarding the
position of the data protection officer under Article 38 (1) GDPR and the
tasks of the data protection officer under Article 39 (1) GDPR
complied.
67. The Inspectorate does the following with regard to the data protection officer
findings, as summarized below:
a. The defendant states in his answer to the Inspection Service during the
investigation he received no advice from his data protection officer
inquired about the data processing between Airbnb and the defendant.
According to the defendant, this was not necessary because the legal basis was already established in article
11 of the Accommodation Decree.
b. In the same answer, the defendant states that he is of his official for
data protection has not sought advice on the interpretation of the
term “random sample” from Article 11 of the Accommodation Decree.
68. The Inspectorate therefore decides that the data protection officer should not go to
was properly and timely involved in the context of this file. The advice of October 11, 2021
that was provided following the letter from the GBA on September 10, 2020 is not sufficient to
to be able to speak of proper and timely (documented) involvement.
Consequently, the Inspection Service claims an infringement of Article 38(1) GDPR and Article 39(1) GDPR
fixed.
69. The Litigation Chamber recalls that Article 38(1) GDPR prescribes that the
controller ensures that the officer for
data protection is timely and properly involved in all matters
related to the protection of personal data. Based on Article 39(1).
AVG must be the data protection officer (a) the controller
informing and advising on its obligations under the GDPR and others
Union or Member State data protection provisions and (b) monitor
compliance with the GDPR, other Union or Member State law
data protection provisions and of the policy of the controller
or the processor with regard to the protection of personal data, including
of the allocation of responsibilities, awareness raising and training of the
processing of personnel involved and the relevant audits.
70. The defendant emphasizes regarding the position of the official for
data protection under Article 38(1) GDPR that, in his view, there was no need Decision on the substance 162/2022 - 19/23
to involve the data protection officer in the conclusion of the MoU.
Like all other intermediaries, Airbnb is obliged to provide operator and accommodation data
to the defendant since the entry into force of the Accommodation Decree on 1 April
2017. The legal basis for communicating this information to the defendant is
therefore based on Article 11 of the Accommodation Decree, and not on the MoU
Inspectorate refers to. In any case, the defendant is ahead of the official
data protection involved immediately after the letter dd. September 10, 2020 from the GBA.
The data protection officer subsequently issued a favorable opinion.
In addition, the defendant argues that it has applied the term 'sample' in the way that
is in line with the intention of the legislator of Article 11 of the Accommodation Decree. Finally
the defendant argues that the accommodation decree predates the AVG, since it
accommodation decree entered into force on 1 April 2017, while the GDPR applies with effect from
May 25, 2018. Consequently, according to the defendant, there can be no question of a
infringement of Article 38 (1) GDPR and Article 39 (1) GDPR.
71. The Litigation Chamber recalls that the GDPR recognizes that the officer for
data protection is a key figure in terms of the protection of
personal data whose designation, position and tasks are subject to rules. This one
rules help the controller to comply with its obligations under
the GDPR, but also help the data protection officer to fulfill his duties
should exercise. The data protection officer should be involved
in all matters related to the protection of personal data.
The fact that the legal basis has been laid down in a legal standard does not constitute this
exception to.
72. Based on the defence, the Disputes Chamber establishes that this is precisely the intention of
the MoU to determine between the parties in which cases the transfer of
personal data can take place and under what modalities. Consequently, it concerns
conclusion of the MoU the defendant's policy regarding compliance with the GDPR in the
framework of its enforcement powers.Article 11Logies decree provides that the data
can be requested by the defendant from Airbnb at clearly defined
samples, but the MoU further elaborates what is clearly defined below
samples is understood by the parties. Consequently, the official submitted
data protection to be properly and timely involved in the preparation and
approving the MoU. With regard to the fact that the Accommodation Decree of
was applicable since 2017, the Litigation Chamber points out that it has been applicable since
of the GDPR, each controller is obliged to comply with it
compliance with imposed obligations. Thus, the defendant served this legal basis upon which
he wishes to test himself against the higher legal standard in order to verify whether the decision on the merits 162/2022 - 20/23
requesting the personal data is in accordance with the GDPR. This is also one
matter in which the data protection officer should be involved
become.
73. In view of the above, the Disputes Chamber has determined with regard to Article 38, paragraph 1 GDPR
that the data protection officer was not sufficiently involved with some
data protection matters. Defendant's documents show that the
data protection officer for the purposes of the present case
investigated data processing was only involved after the first writing of the
Inspection Service.
74. In view of the above, the Disputes Chamber rules that there has been a violation of article
38 (1) and Article 39 (1) GDPR.
I.4. Infringement of Articles 4, 11, Article 5(1)(a) and (2), Article 6(1)(a) and Article 7(1) and
paragraph 3 GDPR.
75. The Inspection Report notes that no legally valid permission within the meaning of Article 4.11
of the GDPR, website visitors are asked to use non-strict
necessary cookies. After all, the parties involved would not have a free choice on the part of the defendant
about the use of cookies that are not strictly necessary. The Inspection Report determines
in this regard the following: “The two options for the use of not strict
necessary cookies offered by the defendant to data subjects in the
cookie window (namely “no, give me more info” and “ok, I agree”) are not placed on a
displayed in a similar way. The option “ok, I agree” says nothing
more information for those involved. In addition, there is no choice
the cookie window that allows data subjects to opt out of the use of not strictly necessary
refuse cookies immediately.” In addition, the Inspectorate has established that no
transparent information is given on how a given consent to it
use of unnecessary cookies must be withdrawn.
76. In his conclusions, the defendant argues that the additional finding is not legal
basis on which it should be excluded from the proceedings. The Inspection Service
after all, refers to Article 72 WOG to make this determination. The decision of it
Management Committee to comprehend the Inspection Service in accordance with Article 63, 1° WOG
howevertheobjectoftheinvestigationthusthescopeoftheinvestigationmustaccordingto
defendant are limited to the scope resulting from the decision of the
Executive Committee.
77. In subordinate order, the defendant proceeds to refute the finding of
the Inspection Service. The defendant emphasizes that on its website only strictly necessary
cookies or functional cookies were active for which no permission was required. Decision on the substance 162/2022 - 21/23
This is also not refuted by the Inspectorate, which does not demonstrate that there are also non-
necessary cookies were active on the website at the time of the determination. At 25
February 2022, the defendant launched its new website with a new
cookie window that provides the user with the necessary information and choices on the moment
used cookies. According to the defendant, the new website uses a
new cookie statement transparently informed the data subjects about the use of
cookies. Since no non-strictly necessary cookies were active on the website
at the time of the investigation by the Inspectorate, the provision of information about
or asking permission for such cookies was not an issue at that time.
78. In response to the defendant's statements, the Litigation Chamber first of all refers to article
72 WOG which reads as follows:
“Without prejudice to the provisions of this chapter, the Inspector General and the
inspectors proceed to every investigation, every check and every interview, as well as all information
such as they deem necessary to satisfy themselves that the basic principles of the
protection of personal data, within the framework of this law and of the laws that
contain provisions on the protection of the processing of personal data,
that they supervise are actually complied with.”
79. This provision shows that the Inspectorate is not bound by the scope of the complaint
nor by the scope of the decisions of the Executive Committee. The Inspection Service determines
itself the scope and method of the investigation, taking into account the proportionality
and principle of necessity as described in the Charter of the Inspection Service. 15
80. On the basis of the Inspection Report, the Litigation Chamber concludes that the determination of the
Inspection service regarding the effective use of cookies that are not strictly necessary
is sufficiently substantiated by evidence 16 to allow further processing of this file in this
frame is impossible.
Consequently, the Litigation Chamber will make a filing with regard to the determination
of the Inspectorate regarding Articles 4, 11, Article 5, paragraph 1, a), and paragraph 2, Article 6, paragraph 1, a) and
Article 7, paragraph 1 and paragraph 3 GDPR.
II. Sanctions
81. On the basis of the documents in the file, the Disputes Chamber establishes that there is
two breaches of the GDPR: On the one hand, the breach of Article 12, paragraph 1 and paragraph 2, Article 13, paragraph 1 and
paragraph 2, article 14, paragraph 1 and paragraph 2, article 5, paragraph 2, article 24, paragraph 1 and article 25, paragraph 1 GDPR, and on the other hand
15 Charter of the Inspection Service, August 2022, available at
https://www.dataprotectionauthority.be/publications/charter-van-de-inspectiedienst.pdf.
16Cf. Section A.1 of the dismissal policy of the Litigation Chamber. Decision on the substance 162/2022 - 22/23
this on Article 38 (1) and Article 39 (1) GDPR. Although the defendant these infringements
has been remedied, it is clear that there have been breaches of the right to data protection
have taken place. As already explained, the principle of transparency is one of them
the fundamental principles of the GDPR. Also the data protection officer
plays a crucial role in data protection at a controller
82. The Disputes Chamber is of the opinion that there are sufficient elements to issue a reprimand
which constitutes a light sanction and is sufficient in the light of the circumstances in this file
identified violations of the GDPR. When determining the sanction, the
Litigation Chamber takes into account the fact that the defendant has already rectified these infringements
and provide supporting documents. Needless to say, the Disputes Chamber points this out
that it is not competent to impose an administrative fine on
government bodies, in accordance with Article 221, § 2 of the Data Protection Act. 17
83. The Disputes Chamber proceeds to dismiss the other grievances and
findings of the Inspectorate because they based on the facts and the documents from the
file cannot come to the conclusion that the GDPR has been breached.
These grievances and findings of the Inspectorate are therefore deemed to be obvious
18
considered unfounded within the meaning of Article 57(4) GDPR.
Publication of the decision
84. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority, stating the identification data of the
defendant. This mention is justified by the public interest of
present decision in the context of the exemplary function of the defendant as
public service, on the one hand, and by the unavoidable re-identification of the defendant
case of pseudonymization, on the other hand.
17Law of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, B.S., September 5, 2018.
18 See point 3.A.2 of the Dispute Policy of the Litigation Chamber, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 162/2022 - 23/23
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the
defendant with regard to the infringement of article 12, paragraph 1 and paragraph 2, article 13, paragraph 1 and paragraph 2, article
14 (1) and (2), Article 5 (2), Article 24 (1) and Article 25 (1) GDPR;
- on the basis of Article 100, §1, 5° WOG to formulate a reprimand with regard to the
defendant as regards the infringement of Article 38(1) and Article 39(1) GDPR;
- pursuant to article 100, §1, 1° WOG with regard to all other determinations in
dismiss.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of
Brussels appeal), with the Data Protection Authority as defendant.
Such an appeal may be made by means of an inter partes petition
listed in Article 1034ter of the Judicial Code. It 19
a contradictory petition must be submitted to the Registry of the Market Court
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit
IT system of Justice (Article 32ter of the Ger.W.).
(get). Hielke HIJMANS
Chairman of the Litigation Chamber
19 The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer.
20
The petition with its appendix shall be sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.
