APD/GBA (Belgium) - 165/2023

From GDPRhub
Revision as of 08:44, 10 January 2024

APD/GBA - 165/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 35(1) GDPR
Article 35(2) GDPR
Article 35(3) GDPR
Article 35(7) GDPR
Article 38(1) GDPR
Article 39(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 13.12.2023
Fine: n/a
Parties: City of Antwerp
MeldJeAan
National Case Number/Name: 165/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA reprimanded the city of Antwerp for several breaches of the GDPR due to its usage of a tool called 'MeldJeAan'. The tool, used by parents to claim a spot for their children in schools, had suffered a data breach as its database had been directly accessible without log-in.

English Summary

Facts

The Belgian DPA started an investigation into the usage of a tool called 'MeldJeAan' by the city of Antwerp.

The tool in question could be used by parents to claim a spot for their children in a school. To use it, specific personal data had to be provided, such as contact details, personal details of the child, and information on the parents. After logging in, a school could download a list containing all the information on the pupils registered with it. However, due to a flaw in the system, these lists could also be retrieved directly, without logging in. A data breach had occurred, since at least one list was confirmed to have been downloaded this way by an unauthorised party.
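The flaw described above, as the decision later details it (a download URL carrying a 30-character school ID, reachable without logging in to the back office, and no logs of who downloaded which list), is a missing access-control check on a direct object reference: possession of the ID was treated as authorisation. The following Python sketch is an added example, not code from MeldJeAan, the city of Antwerp, the processor or the DPA. It places the vulnerable handler beside a hardened one that authenticates the caller, checks that the caller's own school matches the requested list, and records every attempt in an audit trail. The school IDs, the session store and the sample registrations are constructed for illustration.

```python
"""Vulnerable vs. hardened download of a per-school registration list.

Added illustration; every identifier and record below is constructed,
not taken from MeldJeAan or from the decision.
"""
import secrets
from dataclasses import dataclass

# Constructed sample data: one opaque 30-character ID per school (the length the
# decision describes) and the registration list behind it. Hard-coded so the
# example is deterministic.
SCHOOL_ID_A = "a3f9c1e7b2d4f6a8c0e2b4d6f8a1c3"
SCHOOL_ID_B = "7d2e9b4c1f6a8e3b5d0c2f4a6e8b1d"
SCHOOL_LISTS = {
    SCHOOL_ID_A: ["parent A1 / child A1", "parent A2 / child A2"],
    SCHOOL_ID_B: ["parent B1 / child B1"],
}

# Audit trail as (decision, actor, requested school ID). A real deployment would
# append these to a tamper-evident log; the decision notes no such logs existed.
AUDIT_LOG = []


@dataclass(frozen=True)
class Session:
    user: str
    school_id: str  # the only school this back-office user may read


# Server-side session store keyed by an opaque token issued at login.
SESSIONS = {}


def login(user, school_id):
    """Issue an unguessable session token for a back-office user of one school."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, school_id)
    return token


def download_list_vulnerable(school_id):
    """The flaw as described: the ID in the URL is the only gate.

    Anyone who obtains a valid ID gets the list; no session is checked and
    nothing is logged. Returns (http_status, list_or_None).
    """
    if school_id not in SCHOOL_LISTS:
        return 404, None
    return 200, SCHOOL_LISTS[school_id]


def download_list_hardened(school_id, session_token):
    """Authenticate, authorise, then serve, logging every outcome.

    - 401 if there is no valid session (the ID alone is never enough)
    - 403 if the session belongs to a different school (no cross-school reads,
      even with a valid ID)
    - 404 only for an authorised caller whose own list does not exist
    """
    session = SESSIONS.get(session_token) if session_token else None
    if session is None:
        AUDIT_LOG.append(("deny-unauthenticated", None, school_id))
        return 401, None
    if session.school_id != school_id:
        AUDIT_LOG.append(("deny-forbidden", session.user, school_id))
        return 403, None
    if school_id not in SCHOOL_LISTS:
        AUDIT_LOG.append(("not-found", session.user, school_id))
        return 404, None
    AUDIT_LOG.append(("allow", session.user, school_id))
    return 200, SCHOOL_LISTS[school_id]


def demo():
    """Replay the incident: an outsider holding a leaked ID, then a proper user."""
    outsider_status, _ = download_list_vulnerable(SCHOOL_ID_A)       # 200: the breach
    hardened_outsider, _ = download_list_hardened(SCHOOL_ID_A, None)  # 401
    token = login("secretariat@school-a.example", SCHOOL_ID_A)
    own_status, _ = download_list_hardened(SCHOOL_ID_A, token)         # 200
    other_status, _ = download_list_hardened(SCHOOL_ID_B, token)       # 403
    return outsider_status, hardened_outsider, own_status, other_status


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks in the hardened handler matters: the session is verified before the requested ID is even looked at, so a leaked or enumerated ID yields 401 and a logged attempt rather than a list. The audit trail is what allows a controller to answer, after the fact, the question the city could not answer here, namely who downloaded which list and when.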

Following the investigation, a report was produced, which flagged several breaches by the city of Antwerp. On 23 June 2023, the DPA held a hearing on the matter.

Holding

The DPA started by assessing the role of the city of Antwerp in the situation at hand. Since the purposes of the tool were decided by several parties, including the city of Antwerp, and Antwerp partly financed the usage of the tool, the DPA concluded that there was joint-controllership according to Article 26 GDPR.

The DPA noted that a controller has an obligation to take measures to ensure an appropriate level of security and compliance with the GDPR, and to be able to demonstrate the measures taken, according to Article 5(2) GDPR, Article 24(1) GDPR and Article 25(1) GDPR. In light of this, the DPA stated that the city of Antwerp did not provide any documentation demonstrating compliance or showing which measures and decisions were taken for the security of the processing of personal data, thereby breaching the above-mentioned articles. Furthermore, after reviewing the documentation produced regarding the data breach, the DPA found it abstract and lacking in follow-up planning, and therefore non-compliant with Articles 32(1) and 32(2) GDPR.

The DPA also concluded a breach of Article 35(1), Article 35(2), Article 35(3) and Article 35(7) GDPR since, even though the tool predated the GDPR, the city of Antwerp should have proactively assessed whether its processing aligned with the GDPR and adapted the processing if necessary, including by conducting a correct DPIA. Moreover, the DPA noted that in the DPIA provided to it by the city of Antwerp, the latter was wrongly designated as a processor.

Lastly, the DPA found that although the DPO was involved after the data breach, the DPO was not involved in a timely manner to ensure adequate security of processing according to Article 32(1) GDPR. The DPA stated that the DPO should have been involved as soon as the city of Antwerp declared itself a joint controller, not only after the data breach was discovered. As such, the DPA concluded a breach of Article 38(1) GDPR and Article 39(1) GDPR.

Based on the above, the DPA reprimanded the city of Antwerp.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision on the merits 165/2023 of December 11, 2023

File number: DOS-2022-02499

Subject: Potential data breach regarding a registration system


The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Jelle Stassijns and Mr Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

Has made the following decision regarding:

The defendant: City of Antwerp, with registered office at Grote Markt 1, 2000 Antwerp, with company number 0207.500.123, hereinafter "the defendant".

Decision on the merits 165/2023 – 2/24


I. Facts and procedure

1. The central registration system MeldJeAan (hereinafter: MeldJeAan) has been in use for several years in various cities in the context of allocating school places, in order to achieve a more social mix within the schools.

2. To this end, the parents and, if applicable, the guardian had to provide the following personal data: identification data (name, address, date of birth, telephone number of both parents/guardian and children), electronic identification data (e-mail addresses of both parents/guardian and children), personal characteristics (age, gender of children), education and training (mother), national number (the child's national register number), whether brothers and/or sisters of the child are already present in a particular school in that city, whether the parents are staff members of a school at which one registers, whether the family received a school allowance in the current or the previous school year, the spoken language of the child and any special education report. In addition, other personal data were also processed within the application, namely indicators regarding pupils: home language, mother's education level, neighbourhood indicator and school allowance, and preferences for a particular school. Based on these preferences and other personal data, the children were assigned a school. Subsequently, lists were drawn up per school of the children who had registered for that school. An employee can log in to the back office of "MeldJeAan" and download a list with all personal data of the parents and their children who had registered at his school. Due to a possible defect in the online application MeldJeAan as used for Ghent secondary education, it turned out that the URL linking to the download list could also be accessed directly, without logging in to the back office. Each secondary school in the system receives a unique ID of 30 characters which is included in the URL, so that anyone who had that unique ID could, without first logging in, download the list with personal data of the parents and their children who were registered at the school linked to that unique ID. At least one list was downloaded in this manner. The method of downloading was reported to the press, which also downloaded a list itself and published it, albeit pseudonymised.

3. This online application MeldJeAan was also used in Antwerp, among other places, as regards primary education. The GBA has not received any notification of this data breach related to the application from the controllers in Antwerp, although the security risk also existed for them.

[1] No logs are kept of when or by whom lists are downloaded, as this was not included in the program specification. See appendix 1, reporting form, point 4: prevention and management of the data breach.

4. In view of the above, the Management Committee of the Data Protection Authority (hereinafter: "GBA") decided on June 20, 2022, on the basis of Article 63, 1° WOG, that action be taken because of a practice that may give rise to a violation of the basic principles of personal data protection.

5. The investigation by the Inspection Service was completed on October 10, 2022; the report was added to the file and the file was transferred by the Inspector General to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG). The report contains findings relating to the subject of the decision of the Management Committee and concludes that there has been a violation of:

1. Article 5.1.f) and 5.2 GDPR, Article 24.1 GDPR, Article 25.1 GDPR and Articles 32.1 and 32.2 GDPR;
2. Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and
3. Article 38.1 and Article 39 GDPR.

The report also contains additional findings in view of Article 72 WOG. The Inspection Service determines, in broad terms, that there has been a violation of:

4. Article 30.1 GDPR.

6. On October 28, 2022, the Disputes Chamber decided on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for substantive treatment.

7. On October 28, 2022, the defendant was notified by registered mail of the provisions stated in Article 95, § 2, as well as those in Article 98 WOG. She was also informed of the deadline, in accordance with Article 99 WOG, for submitting defences. The deadline for receipt of the defendant's response was set at December 9, 2022.

8. On October 28, 2022, the defendant agreed to receive all communications regarding the case electronically.

9. On November 2, 2022, the defendant requested a copy of the file (art. 95, § 2, 3° WOG), which was transferred to her on November 9, 2022.

10. On December 9, 2022, the Disputes Chamber received the defendant's statement of defence.

11. On May 8, 2023, the defendant was notified that the hearing would take place on June 23, 2023.

12. On June 23, 2023, the defendant was heard by the Disputes Chamber.

13. On June 28, 2023, the official report of the hearing was submitted to the defendant.

14. On July 4, 2023, the Disputes Chamber received some comments from the defendant with regard to the official report, which it decided to include in its deliberations.


II. Justification

II.1. Identity of the controller

II.1.1. Findings of the Inspection Service

15. The Inspection Service identifies the defendant as the controller for the processing of personal data in the context of the online registration system MeldJeAan. The inspection report refers on the one hand to the processing agreement with Z regarding the development of the online application MeldJeAan, in which the defendant is referred to as the controller, and on the other hand to the document called "measures taken in response to the data breach MeldJeAan" that the defendant submitted to the Inspection Service.

II.1.2. Position of the defendant

16. The defendant argued in her submissions that she should not be regarded as controller for the processing of personal data via MeldJeAan. In this context, the defendant referred to the decree of 25 February 1997 concerning primary education.[2] Pursuant to this decree, the Local Consultation Platform Antwerp (Lokaal Overlegplatform, hereinafter: LOP Antwerp) has been obliged since 2021 to organise the registration system in primary education in Antwerp. Consequently, the LOP Antwerp should also be considered a controller in the context of MeldJeAan, the defendant stated.

17. In confirmation of this statement, the defendant also referred to the letter of the Flemish Supervisory Commission (VTC) dated October 25, 2022, in which the LOP Antwerp appears to be regarded as the controller with regard to the processing of personal data in the context of MeldJeAan.

18. However, at the hearing the defendant took a different position. First of all, she explained the evolution of the roles of controller and processor. Until the end of 2022, the defendant was of the opinion that the LOP Antwerp was the controller in the context of MeldJeAan, in view of the above-mentioned decretal obligation of the LOP Antwerp to organise the registration system. The documentation provided to the Inspection Service in August 2022 during the investigation in the context of this file was drawn up on the basis of the advice the defendant had received from the VTC, namely that the LOP should be considered a controller. In January 2023 the Agency for Educational Services of the Flemish Government (hereinafter: AGODI) announced its position regarding who would take on the role of controller in this regard. This position states that from the 2023-2024 school year, the schools should be considered joint controllers, since the LOP Antwerp is not itself a legal entity but consists of the school boards involved. Since the registration system is intended as a fairer and more transparent way of handling registrations, and in view of, among other things, the limited operating budgets of the LOP Antwerp, the defendant decided to allocate financial resources and thus to assume joint controllership together with the school boards. This position was taken subject to the outcome of the Flemish policy discussion. As a result of this position, the defendant adjusted its approach to ensure compliance with the GDPR.

[2] B.S. April 14, 1997.

II.1.3. Assessment of the Disputes Chamber

19. The Disputes Chamber notes that in recent years several authorities have taken different positions and advice has been provided regarding the controllership for MeldJeAan, but that the most recent position of the defendant is that it considers itself a joint controller.

20. In this context, the Disputes Chamber refers to Article 26 GDPR. This article determines that where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers. Two important elements of the cited Article 26 GDPR are, on the one hand, 'the purposes and means of the processing' and, on the other hand, 'jointly'.

21. As regards the determination of the purposes and means of the processing, reference is made to Article 4.7 GDPR, which defines the controller as the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". As with the concept of controller, the analysis of joint controllership requires a factual assessment.[3]

22. As for the 'joint' character, the overarching criterion for the existence of joint controllership is the joint participation of two or more entities in determining the purposes and means of a processing activity. Joint participation can take the form of a joint decision of two or more entities or result from convergent decisions of two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a way that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without the participation of both parties, in the sense that the processing by each party is inseparable from, i.e. inextricably linked to, that of the other.[4]

23. The Disputes Chamber determines that the purpose of the processing of personal data via MeldJeAan is fourfold. Firstly, guaranteeing the free choice of school for all parents and pupils, by avoiding queues camping out in front of the school gate, objectifying enrolments in schools with capacity pressure, drawing up a central timeline and uniformity for the benefit of the parents; secondly, achieving optimal learning and development opportunities for all pupils and this, for primary education, as far as possible in a school in their neighbourhood; thirdly, promoting social cohesion; and fourthly, avoiding exclusion, segregation and discrimination. These objectives were determined by AGODI and the LOP Antwerp, which are obliged by decree[5] to implement this within its scope. AGODI states on its own website that the school boards and AGODI act as joint controllers: "[for] the registration system of the Flemish government, the school boards and AGODI are joint controllers. This means that the school boards and AGODI jointly determine the purposes and means for the processing of personal data. Both are responsible for the orderly maintenance and processing of personal data in the context of the General Data Protection Regulation".[6]

[3] EDPB Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR, July 7, 2021, https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 52.
[4] EDPB Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR, July 7, 2021, https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 58 et seq.
[5] Primary education decree of February 25, 1997, Belgian Official Gazette 17 April 1997, https://codex.vlaanderen.be/Portals/Codex/documents/1005384.html. Article 37vicies semel (01/09/2022- ...): Notwithstanding the first paragraph, the school boards that govern a school, with the exception of schools for special education, must have set up a registration procedure within the operating area of LOP Antwerp, Brussels-Capital or Ghent which applies to all schools, with the exception of schools for special education, located within that respective area.

24. The defendant explains that the LOP Antwerp does not have the necessary resources to finance this registration system. Accordingly, the defendant took the decision to determine and allocate the necessary financial resources to the LOP Antwerp to enable it to implement this decretal obligation.

25. The Disputes Chamber establishes that the defendant took the decision, on the one hand, to determine the necessary financial resources and, on the other hand, to allocate these financial resources in the context of MeldJeAan. In addition, the defendant concluded a processing agreement with Z in which the scope of the processing is determined by the defendant as controller with regard to the processor. In view of the above, the Disputes Chamber finds that the defendant is a joint controller together with AGODI and the school boards, since the decisions of AGODI and the LOP Antwerp regarding the organisation of the central registration system and the decisions of the defendant to provide the necessary financial resources and to conclude the processing agreement are convergent decisions that have a tangible impact on the determination of the purposes and means of the processing, that complement each other and that are necessary for the processing to take place in this way.

26. In view of the above, the defendant should be considered a joint controller within the meaning of Article 26 GDPR and must fulfil the obligations imposed on joint controllers by the GDPR.

    II.2. Article 5.1.f), 5.2, Article 24. 1, Article 25. 1 and Article 32. 1 and 32.2 GDPR


        II.2.1. Findings in the Inspection Report


 27. During the inspection investigation, the Inspection Service asked about the security of

       the processing of personal data in the context of the online registration system

       "Sign In". In answering these questions, the defendant referred to the
       following documents: the processing agreement with Z on the one hand and the overview of

       the measures taken in response to the MeldJeAan data breach on the other hand.


 28. Firstly, the Inspection Service notes that the aforementioned processing agreement with Z

       does not contain signatures of the defendant and the processor.




6 https://onderwijs.vlaanderen.be/nl/directies-administraties-en-beleidingen/studentadministration-basic-en-secondary-
education/students-register-in-primary-and-secondary-education/students-register-in-normal-
education/registration-and-registration/registration system-normal Decision on the merits 165/2023 – 8/24


29. Secondly, the Inspection Service refers to the document entitled “Measures

     taken around the data breach MeldJeAan” of the defendant in which a list is included

     of three categories of measures: software, access and environment. However, it is in the
     the aforementioned document does not indicate when exactly those measures were discussed,

     approved and implemented and which managers and employees of the defendant

     and processor Z were involved.


30. Finally, the Inspection Service notes that it is unclear how and when the officer
     for data protection of the defendant was involved in the context of the

     security of the processing of personal data in the context of MeldJeAan.


31. Based on the above findings, the Inspectorate concludes that this is the case
     of an infringement of articles 5.1.f), 5.2, 24.1, 25.1, 32.1 and 32.2 GDPR.


      II.2.2. Position of the defendant


32. The defendant disputes the findings of the Inspection Service. As for the
     findings regarding the lack of signatures in the processing agreement

     the defendant argues that in accordance with Article 28.3 GDPR it is sufficient that the

     processing by a processor is regulated in an agreement or otherwise

     legal act under Union or Member State law which the processors

     vis-à-vis the controller. The defendant states that there is no
     discussion exists between the parties to the processing agreement about the binding

     nature of this processing agreement. Moreover, the defendant points out that

     contractual framework between the parties is currently being revised so that the

     Inspection service transferred processing agreement will soon be outdated. The

     If desired, a new signed agreement can be submitted to the Disputes Chamber

     be transferred.

33. The defendant then refers to the determination of the Inspection Service as to how

     and when compliance with the processing agreement between the defendant and the

     processor is checked by it. In this context, the defendant states that the GDPR
     nowhere, not even as part of accountability, does it provide for an obligation

     to systematically check compliance with each processor agreement, at least

     not when there is no indication or report of any risk.

34. Finally, the defendant formulates an answer regarding the determination of the

     Inspection service on how and when the data protection officer is involved

     was made in the context of the security of the processing of personal data

     from MeldJeAan. The defendant clarifies that the official for

     data protection was not initially involved with MeldJeAan since the

     creation of this platform was established before the entry into force of the GDPR. Decision on the merits 165/2023 – 9/24


     In the meantime, the data protection officer was called in and

     involved in (among other things) the data protection impact assessment that was carried out.

      II.2.3. Assessment by the Disputes Chamber


35. Article 5.1.f) of the GDPR requires that “[personal data] by taking

     appropriate technical or organizational measures in such a way

     processes that appropriate security is guaranteed, and that they, among other things,

     are protected against unauthorized or unlawful processing and against accidental processing

     loss, destruction or damage”.

36. In further elaboration of Article 5.1.f) GDPR, Article 32.1 GDPR states that the defendant as

     controller takes appropriate technical and organizational measures

     must take steps to ensure a level of security appropriate to the risk

     the state of the art, the implementation costs, as well as
     the nature, scope, context, processing purposes and likelihood and severity

     of the varying risks to the rights and freedoms of individuals.


37. Article 32.2 of the GDPR provides that when assessing the appropriate level of security
     processing risks must be taken into account, especially as a result of

     destruction, loss, alteration or unauthorized disclosure of

     access to data transmitted, stored or otherwise processed, either by

     accident or unlawful.

38. The Disputes Chamber points out that the accountability obligation under Article 5.2 GDPR, Article 24.1

     and Article 25.1 GDPR means that the controller has an obligation to:

     on the one hand, taking proactive measures to ensure compliance with the regulations

     of the GDPR and, on the other hand, to be able to demonstrate that he has such

     has taken measures.

39. In short: the defendant is obliged to take appropriate technical and

     organizational measures to ensure an appropriate level of security and this too

     to be able to demonstrate.

40. With regard to the above-mentioned accountability obligation, the Disputes Chamber states

     established that the Inspection Service asked the defendant the following:


     “A copy of [defendant's] documents regarding the measures and decisions taken
     were taken for the security of the processing of data in the context

     of the online registration system 'Register' and its accountability

     in accordance with Article 1 (1) (f) and (2) of the GDPR, Article 24 (1) of the GDPR, Article 25,

     paragraph 1 of the GDPR and article 32 of the GDPR. Please also provide a copy of the

     information and advice provided by the data protection officer of [defendant] in Decision on the merits 165/2023 – 10/24


     has provided that connection and to provide a document-substantiated explanation of his/her position

     involvement in that context in accordance with Article 38(1) read in conjunction with

     Article 39(1) GDPR”.

41. The Disputes Chamber notes that the defendant does not submit any documents, nor shows in any other way, how and when compliance with the processing agreement was checked, neither at the start nor during the execution of the processing agreement. Article 28(1) GDPR prescribes that where processing is carried out on behalf of a controller, the controller may only rely on processors that provide sufficient guarantees regarding the application of appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR. The controller can check this by, for example, requesting a description of the processor's security measures and of the method used by the processor, with the involvement of the data protection officer. In the context of the accountability obligation already mentioned, it is important to document these assessments properly.

42. The Disputes Chamber then notes that the document “Measures taken regarding the data breach report” lists a series of measures, together with a clarification of the purpose of each measure and the status of its implementation. An additional document indicates when the meetings regarding these measures took place and who participated. The Disputes Chamber notes that this document is not very concrete about the approval of these measures, about the further timing of the implementation of certain measures and about the follow-up of the security measures already introduced or still to be introduced. With these documents, the defendant therefore does not show that the state of the art, the implementation costs and the nature, scope and context of the processing were taken into account, nor that these measures are sufficiently tailored to the security risk and take account of the processing risks, as prescribed by Article 32.1 and 32.2 GDPR.


43. With regard to the Inspection Service's finding regarding the involvement of the data protection officer, the Disputes Chamber notes that the defendant does not submit any documentation, such as advice, showing that the data protection officer was consulted in the context of the security of MeldJeAan. The defendant points out that MeldJeAan was created before the GDPR became applicable. However, it is up to each controller, once the GDPR has come into effect, to proactively check whether the processing of personal data meets the requirements of the GDPR and, if necessary, to make the necessary adjustments and document them accordingly.


44. In view of the above, the Disputes Chamber rules that there is an infringement of Article 5.1.f), Article 32.1 and 32.2 j° Article 5.2, Article 24.1 and Article 25.1 GDPR, namely of the accountability obligation regarding the security of the processing of personal data in the context of MeldJeAan.

45. The Inspection Service also established a violation of the above-mentioned articles in view of the fact that the processing agreement between the defendant and Z was not signed. The Disputes Chamber points out that the processing agreement was executed by the parties, as agreed, regardless of the signature. The Disputes Chamber rules that the lack of a signature does not constitute a violation of Article 5.1.f), Article 32.1 and 32.2 j° Article 5.2, Article 24.1 and Article 25.1 GDPR.


46. To the extent necessary, the Disputes Chamber recalls that, although Articles 5.1 and 5.2 GDPR are closely related, a violation of the accountability obligation of Article 5.2 GDPR does not automatically mean a violation of Article 5.1 GDPR. Accountability concerns the formal externalization, through documents, that will demonstrate compliance with the material basic principles of the GDPR. The Disputes Chamber notes that the Inspection Report does not contain any elements indicating a violation in connection with specific processing of personal data on behalf of the defendant.

   II.3. Articles 35.1, 35.2, 35.3 and 35.7 GDPR


      II.3.1. Findings of the Inspection Service


47. During the inspection investigation, the Inspection Service asked the defendant whether or not a data protection impact assessment (hereinafter: GEB) had been carried out for the processing that takes place with regard to MeldJeAan.

48. As indicated above in paragraph 27 et seq., on the basis of the answers provided by the defendant, the Inspection Service concluded that the defendant cannot merely be considered a processor but must be regarded as a controller, given the processing agreement with Z in which the defendant is designated as controller, and the measures taken following the data breach. The defendant is therefore subject to the obligation to carry out a GEB.


49. The Inspection Service points out that this case involves an evaluation or scoring within the meaning of Article 35.3.a) GDPR, namely of characteristics concerning professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements of the data subject. In addition, data relating to vulnerable data subjects, namely children, are processed.


50. The Inspection Service then refers to the Guidelines[7] on data protection impact assessments of the WP29[8], which state that the requirement to carry out a GEB applies to existing processing operations that are likely to pose a high risk to the rights and freedoms of natural persons and for which the risks have changed, taking into account the nature, scope, context and purposes of the processing.

51. In view of the above, the Inspection Service concludes that the defendant, as controller for the processing of personal data in the context of MeldJeAan, should have carried out a GEB. According to the Inspection Report, the fact that this did not happen constitutes an infringement of Articles 35.1, 35.2, 35.3 and 35.7 GDPR.


       II.3.2. Position of the defendant


52. In its conclusions, the defendant argued that it should not be considered the controller. As already explained, however, during the hearing the defendant took the position that it acts, together with AGODI and the local school boards, as joint controller for the processing of personal data in the context of MeldJeAan.


53. In response to this position, the defendant has taken various measures and actions in order to act in accordance with the GDPR. For example, it has drawn up a GEB, which received a favorable opinion from the data protection officer. The GEB was then submitted to the school boards as joint controllers. No comments were made on the GEB by the school boards, which means it is considered final. The defendant subsequently transferred this GEB to the Disputes Chamber.


       II.3.3. Assessment by the Disputes Chamber


54. The Disputes Chamber refers to part II.1.3, in which the defendant was qualified as joint controller. Article 26.1 GDPR stipulates that joint controllers must determine, in a transparent manner and by means of an arrangement between them, their respective responsibilities for compliance with the obligations under the Regulation. Joint controllers must therefore determine “who does what” by mutually deciding who takes on which tasks, so as to ensure that the processing complies with the applicable obligations under the GDPR with regard to the joint processing in question.[9] One of these obligations, which must if necessary be included in this division of tasks, is drawing up a GEB (Article 35 GDPR).

7 WP29, Guidelines on data protection impact assessments and determining whether a processing operation is “likely to be a high risk” within the meaning of Regulation 2016/679.
8 Working Party 29, predecessor of the EDPB.


55. In line with the risk-based approach set out in the GDPR, a GEB is not mandatory for every processing operation. A GEB is only mandatory if the processing “is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) GDPR). When joint controllers are involved in the processing, they must determine precisely their respective obligations. The GEB must describe which party is responsible for the different measures designed to address the risks affecting the rights and freedoms of the data subjects. Each controller must explain what its needs are and must share useful information without giving away secrets (e.g. protection of trade secrets, intellectual property, confidential company information) or vulnerable points.[10]

56. Although a data protection impact assessment may also be required in other circumstances, Article 35.3 GDPR gives some examples of when a processing operation is “likely to involve a high risk”:

        “(a) a systematic and comprehensive assessment of personal aspects of natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

        (b) large-scale processing of special categories of personal data as referred to in Article 9(1) or of data relating to criminal convictions and criminal offences as referred to in Article 10; or

        (c) systematic and large-scale monitoring of publicly accessible areas”.


57. When assessing whether a GEB is required for a processing operation on the basis of its inherently high risk, nine criteria must be taken into account, namely: (1) evaluation or scoring, (2) automated decision-making with legal or similarly significant effect, (3) systematic monitoring, (4) sensitive data or data of a highly personal nature, (5) data processed on a large scale, (6) matching or combining of datasets, (7) data concerning vulnerable data subjects, (8) innovative use or application of new technological or organizational solutions and (9) when, as a result of the processing itself, “data subjects [...] cannot exercise a right or rely on a service or a contract” (Article 22 and recital 91).

9 EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021, https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 58 et seq.
10 WP29, Guidelines on data protection impact assessments and determining whether a processing operation is “likely to involve a high risk” within the meaning of Regulation 2016/679, p. 9.


58. The WP29 states in its guidelines on the GEB that in most cases a controller can assume that a GEB must be carried out for a processing operation that meets two of the above criteria.[11] The Disputes Chamber finds that this is clearly the case for MeldJeAan. The Disputes Chamber recalls that the following personal data were processed: identification data (name, address, date of birth, telephone number of both parents and children), electronic identification data (email addresses of both parents and children), personal characteristics (age, gender of children), education and training (mother), national number (the national register number of the child), whether brothers and/or sisters of the child are already present in a certain Antwerp school, whether the parents are a staff member of a school to which one applies, whether the family received a school allowance in the current school year or the previous school year, and the spoken language of the child. In addition, the following personal data were also processed within the application: various indicators regarding students such as home language, mother's education level, neighborhood indicator and school allowance, and preferences for a particular school. There is therefore an evaluation or scoring, including profiling and prediction, in particular of “characteristics concerning professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements of the data subject” (recitals 71 and 91 GDPR).


59. These data are also processed on a large scale, as the personal data of thousands of children in Antwerp and their parents are processed in the context of the assignment of a school. These children are vulnerable data subjects (recital 75 GDPR).[12] In addition, sensitive data are also processed, such as the national register number of the registered children and whether or not a student is to be regarded as an indicator student.[13]







11 WP29, Guidelines on data protection impact assessments and determining whether a processing operation is “likely to involve a high risk” within the meaning of Regulation 2016/679, p. 12.
12 WP29, Guidelines on data protection impact assessments and determining whether a processing operation is “likely to involve a high risk” within the meaning of Regulation 2016/679, p. 12.
13 https://meldjeaansecondary.gent.be/faq: An indicator student is a student of whom:
• the mother does not have a secondary education diploma or a study certificate of the second year of the third grade of secondary education (or equivalent); and/or
• the family receives a school allowance in the current school year or the previous school year.
The other children are non-indicator students. We use a short questionnaire to determine whether a child is an indicator student or a non-indicator student.


60. In view of the above, the Disputes Chamber is of the opinion that a GEB should have been drawn up for the processing of personal data in the context of MeldJeAan.

61. Article 35.7 GDPR determines what a GEB must at least contain:

     a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;

     b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

     c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

     d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.


62. On December 9, 2022, the defendant submitted the GEB that it drew up with regard to the processing of personal data in the context of MeldJeAan. The Disputes Chamber notes that the GEB designates the defendant as the processor, which is not consistent with the position set out by the defendant during the hearing.

63. When carrying out the GEB, the controller must also seek the advice of the data protection officer, where one has been designated (Article 35.2 GDPR). The defendant also presents the positive advice of the data protection officer regarding the GEB.

64. The Disputes Chamber notes that the registration system was already in place before the GDPR came into force and that various (sometimes contradictory) opinions regarding the controllership were provided by, among others, VTC and AGODI. However, this does not mean that the obligations arising from the GDPR need not be complied with. As soon as the defendant had made the decision to grant the financing to the LOP Antwerp to implement its decree obligations, the defendant should have evaluated whether, on the facts, it was to be regarded as (joint) controller and whether it complied with all obligations arising from this qualification, such as drawing up a GEB.


65. The Disputes Chamber notes that the defendant does not comply with the above provisions, since the GEB still designates the defendant as processor. The Disputes Chamber points out that the GEB must be brought into line with the above provisions of Article 35 GDPR, also taking into account the defendant's capacity as joint controller. Accordingly, the Disputes Chamber also finds that there is a violation of Articles 35.1, 35.2, 35.3 and 35.7 GDPR.


   II.4. Article 38.1 and Article 39 GDPR

      II.4.1. Findings of the Inspection Service


66. During the investigation, the Inspection Service asked the defendant to provide copies of the information and advice that the data protection officer has provided in the context of (i) the security of the processing of personal data, (ii) the register of processing activities and (iii) the data protection impact assessment.

67. The defendant answered during the investigation that the MeldJeAan application has been in use since 2014. Since this was before the entry into force of the GDPR, no advice was sought from the data protection officer at that time. The processing was included in the register of processing activities, and the data protection officer was informed about the data breach in Ghent and the steps taken as a result. At the time of writing this response, a GEB had been drawn up on which the data protection officer would provide advice.

68. Based on the above answer from the defendant, the Inspection Service determines that the defendant does not demonstrate that the data protection officer was effectively and timely involved in:

      - the security of the processing of personal data in the context of MeldJeAan;
      - the register of processing activities; and
      - the assessment of the need for and, where appropriate, the implementation of a data protection impact assessment.



      II.4.2. Position of the defendant


69. In its conclusions, the defendant argues that the data protection officer was initially not involved in MeldJeAan, given that this platform was created well before the GDPR came into effect and there was therefore no question of a data protection officer or of an obligation to involve him. In addition, the defendant reiterates in its conclusions that the processing was recorded in the register of processing activities, that the officer was informed about the data breach in Ghent, and that a new GEB is in the making that will be submitted to the data protection officer for advice.


      II.4.3. Assessment by the Disputes Chamber


70. It is important to note that the MeldJeAan platform predates the entry into force of the GDPR. The GDPR has been applicable since May 25, 2018. A controller must therefore proactively check whether the requirements of the GDPR have been met, and not adopt a wait-and-see attitude. As soon as the defendant had made the decision to award the financing to the LOP Antwerp to implement its decree obligations, the defendant should have evaluated whether, in fact, it should be regarded as a controller and whether it met all obligations arising from this qualification.


71. These obligations include, among other things, the provisions regarding the position and tasks of the data protection officer as defined in Article 38 and Article 39.1 GDPR. After all, the GDPR recognizes that the data protection officer is a key figure with regard to the protection of personal data, whose appointment, position and tasks are subject to rules. These rules help the controller to comply with its obligations under the GDPR, but also help the data protection officer to perform his duties properly.


72. The Disputes Chamber recalls that Article 38.1 GDPR prescribes that the controller ensures that the data protection officer is involved, properly and in a timely manner, in all issues that relate to the protection of personal data.


73. Pursuant to Article 39.1 GDPR, the data protection officer must (a) inform and advise the controller about its obligations pursuant to the GDPR and other Union or Member State data protection provisions, and (b) monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of the staff involved in the processing, and the related audits.


74. The defendant's documents do not show that the data protection officer was involved in the obligations under Articles 32.1 and 32.2 (see part II.2). The data protection officer was only involved after a potential incident with MeldJeAan regarding Ghent secondary education had been reported.

75. The defendant also submits to the Disputes Chamber the positive advice regarding the aforementioned GEB, which shows that, since its qualification as joint controller, it has involved the data protection officer in the processing of personal data relating to MeldJeAan. The Disputes Chamber rules that there is a historical violation of Article 38.1 and Article 39.1 GDPR, but that the defendant has already taken sufficient steps as regards the tasks, role and position of the data protection officer.


   II.5. Article 30.1 GDPR


      II.5.1. Findings in the Inspection Report


76. Regarding the defendant's register of processing activities, the Inspection Service concludes that it does not meet the minimum requirements imposed by Article 30.1 GDPR. In concrete terms, the Inspection Service established the following infringements in this regard:

      - the description of the categories of data subjects and of the categories of personal data is incomplete (Article 30.1.c) GDPR), as in the “Export processing register” of the defendant's register of processing activities the categories of data subjects and personal data are only briefly listed rather than described. That is the case for the columns “categories of data subjects (whose personal data does the application process?)”, “data categories: basic data” and “data categories: sensitive data”. It is therefore not clear what exactly is meant there;

      - the defendant does not demonstrate that its register of processing activities is up to date. In that context, the Inspection Service refers to the fact that the defendant stated “see export processing register (date: 30/08/2022)”, while the register was delivered to the Inspection Service by email on 19/09/2022. Consequently, on 19/09/2022 the Inspection Service received a register of processing activities of the defendant that was last supplemented on 30/08/2022.


      II.5.2. Position of the defendant


77. The defendant submits that the GDPR states that the controller and the processor are obliged (i) to keep a register in order to be able to demonstrate compliance with the Regulation and (ii) to cooperate with the supervisory authority and to provide this register upon request. Beyond that, the GDPR does not provide any further explanation about the realization, design and/or content of a register of processing activities.

78. Consequently, the defendant argues, the GDPR nowhere describes the level of detail at which the entries in the register of processing activities must be described. The GDPR leaves the controller, in this case the defendant, largely free in this regard, provided that the register (i) is sufficiently transparent, by specifying a number of mandatory elements, about which processing activities are carried out and (ii) is set up in such a way that the GBA can use it to check compliance (or non-compliance) with the GDPR. The defendant therefore believes that the register is indeed so detailed that little more can be described or clarified regarding the categories of data subjects and personal data. All terms used, certainly when read in connection with all the other categories mentioned, are sufficiently clear as to who processes which personal data.


79. As regards the currency of the register, the defendant confirms that the export provided to the Inspection Service was indeed dated August 30, 2022, despite the fact that it was only transferred on September 19, 2022. After all, no export of a maximum age had been requested and, moreover, this was indeed the current version of the register, as there was no need to adjust it in the period from August 30, 2022 to September 19, 2022.

      II.5.3. Assessment by the Disputes Chamber


80. Article 30 GDPR requires each controller to keep a record of the processing activities carried out under its responsibility. Article 30.1.a) to g) GDPR stipulates that, with regard to the processing operations carried out by the controller, the following information must be available:

        a) the name and contact details of the controller and, where applicable, of the joint controllers, of the controller's representative and of the data protection officer;

        b) the purposes of the processing;

        c) a description of the categories of data subjects and of the categories of personal data;

        d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;

        e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of the transfers referred to in Article 49.1, second subparagraph, GDPR, the documentation of the suitable safeguards;

        f) where possible, the envisaged time limits within which the different categories of data must be deleted;

        g) where possible, a general description of the technical and organizational security measures referred to in Article 32.1 GDPR.

81. The Disputes Chamber notes that the defendant provides a summary in its register of processing activities for:

        - the categories of data subjects (Article 30.1.c) GDPR), namely residents, non-residents, internal employees, external employees, children;

        - the categories of personal data (Article 30.1.c) GDPR), namely, on the one hand, basic data such as name and first name, address details (street, house number, box, municipality, country), telephone number, identification codes (national register number), birth details (date of birth and place of birth), vehicle details, login details and, on the other hand, sensitive data such as health data and data concerning legal facts.


82. The Disputes Chamber, with reference to previous decisions,[14] must rule on whether Article 30.1.c) GDPR requires a description of the categories of personal data and the categories of data subjects in the register of processing activities, or whether a summary is sufficient.

83. The Disputes Chamber notes that Article 30.1.c) GDPR requires that a description of the categories of data subjects and of the categories of personal data be included in the register of processing activities.

84. The Disputes Chamber recalls the purpose of the register of processing activities. In order to effectively fulfil the obligations contained in the GDPR, it is essential that the controller (and the processors) have an overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to assist the controller in complying with the GDPR for the various data processing operations that it carries out, because the register makes their most important characteristics visible. The Disputes Chamber is of the opinion that this processing register is an essential instrument in the context of the accountability obligation already mentioned (Article 5(2) and Article 24 GDPR) and that this register underlies all obligations that the GDPR imposes on the controller.

14 See, among others, decision 149/2022 of October 18, 2022, available at https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-149-2022.pdf


85. The Disputes Chamber notes that neither the text of the GDPR nor the objectives of the GDPR require more than that a list of the categories of personal data and of the categories of data subjects be included in the register of processing activities, and that a more detailed description is therefore not required.


86. With regard to the categories of recipients, the Disputes Chamber refers to a recommendation of the Commission for the Protection of Privacy[15] and to the doctrine[16] stating that it is not necessary to list the individual recipients of the data, as these can be grouped per category of recipients. Mutatis mutandis, this statement can also be applied to the categories of personal data and of data subjects.


87. However, the Disputes Chamber points out that the completion of the register of processing activities must always be evaluated on a case-by-case basis, to determine whether the description or summary contained therein is sufficiently clear and concrete.

88. In the present case, the Disputes Chamber notes that the lists included in the register of processing activities were sufficiently specific. According to the Disputes Chamber, there is little doubt about the meaning of the above elements in the context of the processing activities listed in the register of processing activities.

89. With regard to the second finding of the Inspection Service, regarding the currency of the register of processing activities, the Disputes Chamber points out that the register of processing activities must also be updated in line with the developments and evolution of the activities of the company or organization concerned. If the controller starts a new processing activity or an existing processing activity changes, the register of processing activities must be adjusted accordingly.

 90. Since the period between the export of the register of processing activities and its transfer is limited to just under 3 weeks, and since there are no elements showing that the register of processing activities was not up to date, the Disputes Chamber is of the opinion that no infringement has been proven.


15 Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanadvies-nr.-06-2017.pdf
16 W. Kotschy, “Article 30: records of processing activities,” in Ch. Kuner (ed.), The EU General Data Protection Regulation (GDPR): A Commentary, 2020, p. 621.



 91. Consequently, the Disputes Chamber concludes that there is no infringement of Article 30.1 GDPR.

III. Sanctions


 92. Based on the documents in the file, the Disputes Chamber determines that there are multiple violations of the GDPR: firstly, the infringement of Article 5.1.f), Article 32.1 and 32.2 in conjunction with Article 5.2, Article 24.1 and Article 25.1 GDPR; secondly, the infringement of Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and finally the infringement of Article 38.1 and Article 39.1 GDPR.


 93. Having the necessary processes in place to achieve and demonstrate compliance with the GDPR is one of the fundamental principles of the GDPR. The data protection impact assessment is an important accountability tool because it not only helps controllers to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR. The data protection officer also plays a crucial role in data protection at a controller.

 94. The Disputes Chamber is of the opinion that there are sufficient elements to justify a reprimand, which is a light sanction and is sufficient in the light of the violations of the GDPR established on the facts in this file. When determining the sanction, the Disputes Chamber takes into account the fact that the defendant obtained (incorrect) advice regarding its qualification as controller, but after internal analysis has taken the necessary steps to meet its obligations as prescribed by the GDPR. The defendant has already corrected the infringements and provides evidence of this. For the sake of completeness, the Disputes Chamber points out that it is not authorized to impose an administrative fine on government bodies, in accordance with Article 221, § 2 of the Data Protection Act.¹⁷


 95. The Disputes Chamber proceeds to a dismissal with regard to the other grievances and findings of the Inspection Service because, on the basis of the facts and documents in the file, it cannot conclude that there have been violations of the GDPR. These grievances and findings of the Inspection Service are therefore considered manifestly unfounded within the meaning of Article 57(4) GDPR.¹⁸


17 Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, B.S., September 5, 2018.
18 See point 3.A.2 of the Disputes Chamber's dismissal policy of June 18, 2021, available via https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf.



IV. Publication of the decision


 96. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority, stating the identification details of the defendant, given the inevitable re-identification of the defendant in the event of pseudonymization.


    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

    - formulate a reprimand on the basis of Article 100, §1, 5° WOG with regard to the defendant as regards:
            o the infringement of Article 5.1.f), Article 32.1 and 32.2 in conjunction with Article 5.2, Article 24.1 and Article 25.1 GDPR;
            o the infringement of Articles 35.1, 35.2, 35.3 and 35.7 GDPR;
            o the infringement of Articles 38.1 and 39.1 GDPR;

    - dismiss, on the basis of Article 100, §1, 1° WOG, all other findings.



Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be lodged with the Market Court (Court of Appeal of Brussels), with the Data Protection Authority as defendant, within a period of thirty days from the notification.




Such an appeal can be lodged by means of an inter partes petition, which must contain the information listed in Article 1034ter of the Judicial Code.¹⁹ The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code,²⁰ or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).


19 The petition states, under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;
 4° the subject matter and a brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.
20 The petition with its appendix is sent by registered letter, in as many copies as there are parties involved, to the registrar of the court or deposited at the registry.


(signed) Hielke Hijmans

Chairman of the Disputes Chamber