APD/GBA (Belgium) - 165/2023
From GDPRhub
| APD/GBA - 165/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 32(1) GDPR Article 32(2) GDPR Article 35(1) GDPR Article 35(2) GDPR Article 35(3) GDPR Article 35(7) GDPR Article 38(1) GDPR Article 39(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 13.12.2023 |
| Fine: | n/a |
| Parties: | City of Antwerp MeldJeAan |
| National Case Number/Name: | 165/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The city of Antwerp was reprimanded for not notifying the Belgian DPA of a data breach where the URL of a database was directly accessible without log-in.
English Summary
Facts
To increase the social mix in schools, a tool called 'MeldJeAan' (rough translations: RegisterYourself) was created. This tool can be used by parents to claim a spot for this children in a school. Specific personal data (both regular and special categories) must be provided such as contact details, personal details of the child, information on the parents, etc. Schools can download the list of this tool for their students by logging in. However, the URL to the lists could be accessed directly, without requiring to log in. There was at least one confirmed download by an unauthorized party through this way. More could be possible, but access to the tool was not logged.
The city of Antwerp also used this tool. Since no data breach was reported, the Inspection Service started an investigation into the usage of this tool by the city.
The report of the Inspection Service mentioned several breaches: - The city of Antwerp should be the controller. Antwerp stated that it followed the advice of the regional Flemish Supervisory Authority, meaning the city would be a joint-controller with other involved parties.
- The city of Antwerp provided documents, including a data processing agreement with the developer of the tool (the processor) and a list of security measures taken after a data breach. However, the Inspection Service found that the data processing agreement lacked signatures, and the document on security measures did not specify when they were discussed or who was involved. Additionally, it was unclear how and when the DPO was involved. The city of Antwerp stated that the tool was created long before the GDPR came into force.
Since the Inspection Service found the city of Antwerp to be the controller, they should have conducted a DPIA since the tool profiles its data subjects. The city of Antwerp stated that a DPIA had been conducted in the meantime.
The Inspection Service noted that the DPO is not proactively informed or consulted for new project. The city of Antwerp stated that the tool was created well before the GDPR existed, that the register of processing activities was updated accordingly and that the DPO is aware about the initial data breach and involved in the new DPIA. Additionally, the Inspection Service found that the register of processing activities described the categories of personal data too vague. The city of Antwerp stated that the GDPR does not state how concrete the description has to be and that the description was clear.
Holding
The DPA started by assessing the capacity of the city of Antwerp. Since the purposes of the tool were decided by several instances, as well as Antwerp, and Antwerp partly financed the usage of the tool, the DPA concluded that there is joint-controllership according to Article 26 GDPR.
The DPA further concluded that the city of Antwerp could not provide documentation on how the security practices of the tool were audited. The DPA also reviewed the documentation regarding the data breach, but found the documentation abstract and lacking in follow-up planning.
Regarding the involvement of the DPO, the DPA rebutted the fact that the tool predates the GDPR. It comes to any controller to proactively assess if their processing aligns with the GDPR and to adapt their processing if necessary. This should also be reflected in the DPIA. The fact that the processing activity existed before the entry into force of the GDPR, is irrelevant.
The DPA concluded a breach of Article 5(1)(f), Article 32(1) and Article 32(2) juncto Article 5(2), Article 24(1) and Article 25(1) as well as Article 35(1), Article 35(2), Article 35(3) and Article 35(7). The DPA did state that unsigned data processing agreements do not breach the above articles.
The DPA also found that the DPO was not involved in a timely manner to ensure adequate security of processing according to Article 32(1), but the DPO was involved for the data breach. The DPA found that as soon as the city of Antwerp declared itself joint-controller, the DPO became involved in a timely manner. As such, the DPA concluded a historical breach of Article 38(1) and Article 39(1).
Regarding the register of processing activities: the DPA stated that Article 30(1)(c) requires a description of the categories of personal data and categories of data subjects involved. The register is an essential part of a controller's compliance and its accountability under Article 5(2). The DPA stated that nor the GDPR, nor its goal, require more than a listing of those categories. The DPA elaborated that a register must be assessed on a case by case basis to verify if the description is sufficiently clear and concrete. In this case, the DPA concluded no breach.
Based on the above, the DPA reprimands the city of Antwerp for breaches of Article 5(1)(f), Article 32(1) and Article 32(2) juncto Article 5(2), Article 24(1) and Article 25(1) as well as Article 35(1), Article 35(2), Article 35(3) and Article 35(7) and lastly Article 38(1) and Article 39(1).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/24
Dispute Chamber
Decision on the merits 165/2023 of December 11, 2023
File number: DOS-2022-02499
Subject: Potential data breach regarding a
registration system
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Mr Jelle Stassijns and Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter WOG;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The defendant: City of Antwerp, with registered office in 2000 Antwerp, Grote Markt
1, with company number 0207.500.123, hereinafter “the defendant”. Decision on the merits 165/2023 – 2/24
I. Facts and procedure
1. The central registration system MeldJeAan (hereinafter: MeldJeAan) has been in use for several years
In various cities, more social schools are used in the context of allocating schools
to achieve mix within the schools.
2. To this end, the parents and, if applicable, the guardian submitted the following personal data
to provide: identification data (name, address, date of birth, telephone number of both
parents/guardian and children), electronic identification data (e-mail addresses of both
parents/guardian as children), personal characteristics (age, gender of children),
education and training (mother), national number (the child's national register number),
the fact whether there are already brothers and/or sisters of the child in a particular school in that city
being present, the fact that the parents are staff members of a school to which one registers,
whether the family received a school allowance in the current school year or the previous one
school year, the spoken language of the child and any special education report.
In addition, other personal data were also processed within the application, namely:
indicators regarding students: home language, mother's education level, neighborhood indicator and
school allowance and preferences for a particular school. Based on this personal
preferences and other data, the children were assigned a school. Subsequently
Lists were drawn up per school of the children who were in favor of the school
reported. An employee can log in to the back office of “MeldJeAan”.
his school downloads a list with all personal data of the parents and their children
who had registered at that school. Due to a possible defect in the online application
Register as used for Ghent secondary education, it turned out that the URL with the link
to the download list could also be accessed directly, without logging in to the
back office. Each secondary school in the system receives a unique ID of 30 characters
which is included in the URL, which, if one had that unique ID and
could download the list with personal data of the parents without first logging in
and their child who were registered at the school linked to the unique ID. There was
at least one list downloaded in such a manner. The method of
downloading was reported to the press, which also downloaded a list itself and,
although pseudonymised, has published.
3. This online application MeldJeAan was also used in Antwerp, among others, for some
concerns primary education. The GBA has not received any notification of this
data breach related to the application due to the
1 No logs are kept of when or who downloads lists as this is not included in the
program specification was included. See appendix 1, reporting form, point 4: prevention and management of it
data breach. Decision on the merits 165/2023 – 3/24
controllers in Antwerp, although the security risk also applies
of them existed.
4. In view of the above, the Management Committee of the
The Data Protection Authority (hereinafter: “GBA”) will decide on June 20, 2022.
to be taken on the basis of Article 63, 1°WOG because of a practice that may give rise to this
to a violation of the basic principles of personal data protection.
5. The investigation by the Inspection Service will be completed on October 10, 2022
report is added to the file and the file is submitted to the Inspector General
transferred to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings relating to the subject of the decision
management committee and decides that there has been a violation of:
1. Article 5.1.f) and 5.2 of the GDPR, Article 24.1 of the GDPR, Article 25.1 of the GDPR and
Articles 32.1 and 32.2 GDPR;
2. Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and
3. Article 38.1 and Article 39 GDPR.
The report also contains additional findings in view of Article 72 of the WOG. The
The Inspection Service determines, in broad terms, that there has been a violation of:
4. Article 30.1 GDPR.
6. On October 28, 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for substantive treatment.
7. On October 28, 2022, the defendant will be notified by registered mail of
the provisions stated in Article 95, § 2, as well as those in Article 98 WOG. Also
she will be informed of the deadline in accordance with Article 99 of the WOG
to submit defenses.
The deadline for receipt of the defendant's response is:
recorded on December 9, 2022.
8. On October 28, 2022, the defendant electronically accepts all communications regarding the
case.
9. On November 2, 2022, the defendant requests a copy of the file (art. 95, § 2,3° WOG),
which was transferred to her on November 9, 2022.
10. On December 9, 2022, the Disputes Chamber will receive the response statement
defendant. Decision on the merits 165/2023 – 4/24
11. On May 8, 2023, the defendant will be notified that the hearing will
take place on June 23, 2023.
12. On June 23, 2023, the defendant will be heard by the Disputes Chamber.
13. On June 28, 2023, the official report of the hearing will be sent to the defendant
submitted.
14. On July 4, 2023, the Disputes Chamber will receive some comments from the defendant
with regard to the official report, which it decides to include in its deliberations.
II. Justification
II.1. Identity of the controller
II.1.1. Establishment of the Inspection Service
15. The Inspection Service identifies the defendant as the controller for what
concerns the processing of personal data in the context of online
registration system MeldJeAan. The inspection report refers on the one hand to the
processing agreement with Z regarding the development of the online application
Notify in which the defendant is referred to as the controller, and
on the other hand, to the document called “measures taken in response to the
data breach ReportJeAan” that the defendant has submitted to the Inspection Service.
II.1.2. Position of the defendant
16. The defendant argued in her conclusions that she should not be regarded as
controller for the processing of personal data via
Sign In. In this context, the defendant referred to the decree of 25 February 1997
concerning primary education. Pursuant to this decree, the Local Education Platform
Antwerp (hereinafter: LOP Antwerp) has been obliged since 2021 to use the registration system in the
to organize primary education in Antwerp. Consequently, the LOPA Antwerp also serves as
to be considered a controller in the context of MeldJeAan, it stated
the defendant.
17. In confirmation of this statement, the defendant also referred to the letter of
the Flemish Supervisory Commission (VTC) dated. October 25, 2022 in which this is the LOP
Antwerp appears to be regarded as the controller with regard to the
processing of personal data in the context of MeldJeAan.
18. However, at the hearing the defendant took a different position. First of all, she lights
the evolution of the role of controller and processor. Until the end
2
B.S. April 14, 1997. Decision on the merits 165/2023 – 5/24
2022, the defendant was of the opinion that the LOP Antwerp
controller in the context of Report Your Aanwas, in view of the above
decretal obligation of the LOP Antwerp to organize the registration system. The
documentation that was provided to the Inspection Service in August 2022 during the
research in the context of this dossier, was drawn up on the basis of the advice provided by the
defendant had received from the VTC, namely that the LOP as
should be considered a controller. In January 2023 it made
Agency for Educational Services of the Flemish Government (hereinafter: AGODI).
position has been announced regarding who will take on the role of controller in this regard.
This position states that from the 2023-2024 school year, the schools will be considered jointly
should be considered a controller since the LOP Antwerp
itself is not a legal entity, but consists of the school boards involved. Since it
registration system a fairer and more transparent way to register registrations
intended and in view of, among other things, the limited operating budgets of the LOP Antwerp
the defendant has decided to allocate financial resources and thus the
to assume joint processing responsibility, together with the
school boards. This position was taken subject to the outcome of the
Flemish policy discussion. As a result of this position, the defendant has changed its approach
adjusted to ensure compliance with the GDPR.
II.1.3. Assessment of the Disputes Chamber
19. The Disputes Chamber notes that in recent years several
authorities have taken different positions and advice has been provided regarding the
processing responsibility for Log in, but that is the most recent position
of the defendant is that it considers itself as joint
controller.
20. In this context, the Disputes Chamber refers to Article 26 GDPR. This article determines that when
two or more controllers jointly determine the purposes and means of
determine the processing, they are joint controllers. Two
important elements of the cited Article 26 GDPR are, on the one hand, 'the purpose and the means
of the processing' and, on the other hand, 'jointly'.
21. As regards the determination of the purposes and means of the processing
referred to Article 4.7 GDPR which contains the definition of controller
as follows: the “natural or legal person, public authority, service or other
body which, alone or together with others, determines the purpose and means of the
processing of personal data”. As with the concept of decision on the merits 165/2023 – 6/24
controller requires the analysis of a joint
controller makes a factual assessment. 3
22. As for the 'joint' character, is the overarching criterion for existence
of joint responsibility for processing the joint participation
of two or more entities to determine the purposes and means of one
processing activity. Joint participation can take the form of a joint
decision of two or more entities or are the result of convergent decisions of
two or more entities, when the decisions are complementary and necessary to achieve the
to have processing take place in such a way that they have a tangible effect on the
determination of the purposes and means of the processing. The processing is important
would not be possible without the participation of both parties, in the sense that the processing
by each party is inseparable, i.e. inextricably linked to that of the other. 4
23. The Disputes Chamber determines that the purpose of the processing of personal data via
MeldJeAan is fourfold. Firstly, guaranteeing the free choice of school for all parents
and students, by avoiding camping lines in front of the school gate, objectification of
enrollments in schools with capacity pressure, drawing up a central timeline and
uniformity in function of the parents; secondly, achieving optimal learning outcomes
development opportunities for all students and this for primary education, as far as possible,
in a school in their neighborhood; thirdly, promoting social cohesion, and fourthly
avoiding exclusion, segregation and discrimination. These objectives became
determined by AGODI and the LOP Antwerp, decree 5 is mandatory within its
scope to implement this. AGODI states this on its own website
that the school boards and AGODI act as joint controller
are: “[for] the registration system of the Flemish government, the
school boards and AGODI are joint controllers. Which means
that the school boards and AGODI jointly determine the purpose and means for the processing of
3EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021,
https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 52.
4
EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021,
https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 58
e.v.
5 Primary education decree of February 25, 1997, Belgian Official Gazette 17 April 1997. -
https://codex.vlaanderen.be/Portals/Codex/documents/1005384.html
Article 37vices semel. (01/09/2022- ...)
Notwithstanding the first paragraph, the school boards that govern a school, with the exception of schools for special education, must
have set up a registration procedure within the operating area of LOPA Antwerp, Brussels-Capital or Ghent
which applies to all schools, with the exception of schools for special education, located within that respective school
scope. Decision on the merits 165/2023 – 7/24
determine personal data. Both are responsible for orderly maintenance and
processing personal data in the context of the General Data Regulation”. 6
24. The defendant explains that the LOP Antwerp does not have the necessary resources
has to finance this registration system. Accordingly, the defendant has the
decision to determine and allocate the necessary financial resources to it
LOP Antwerp to be able to implement this decree obligation.
25. The Disputes Chamber establishes that the defendant has taken the decision to terminate the
on the one hand to determine the necessary financial resources and on the other hand to allocate these financial resources
in the context of MeldJeAan. In addition, the defendant has
processing agreement has been concluded with Z in which the scope of the processing is specified
determined by the defendant as controller with regard to the
processor. In view of the above, the Disputes Chamber finds that the defendant,
is the joint controller together with AGODI and the school boards
since the decisions of AGODI and the LOP Antwerp regarding the organization of the
central registration system and the decisions of the defendant to take the necessary
to provide financial resources and conclude the processing agreement
convergent decisions have a tangible effect on the definition of the purpose and the
means of the processing and that complement each other and are necessary for the processing
to take place in such a way.
26. In view of the above, the defendant serves as joint
to be considered a controller within the meaning of Article 26 GDPR
it must fulfill the obligations under the joint
controllers as determined in the GDPR.
II.2. Article 5.1.f), 5.2, Article 24. 1, Article 25. 1 and Article 32. 1 and 32.2 GDPR
II.2.1. Findings in the Inspection Report
27. During the inspection investigation, the Inspection Service asked about the security of
the processing of personal data in the context of the online registration system
"Sign In". In answering these questions, the defendant referred to the
following documents: the processing agreement with Z on the one hand and the overview of
the measures taken in response to the MeldJeAan data breach on the other hand.
28. Firstly, the Inspection Service notes that the aforementioned processing agreement with Z
does not contain signatures of the defendant and the processor.
6 https://onderwijs.vlaanderen.be/nl/directies-administraties-en-beleidingen/studentadministration-basic-en-secondary-
education/students-register-in-primary-and-secondary-education/students-register-in-normal-
education/registration-and-registration/registration system-normal Decision on the merits 165/2023 – 8/24
29. Secondly, the Inspection Service refers to the document entitled “Measures
taken around the data breach MeldJeAan” of the defendant in which a list is included
of three categories of measures: software, access and environment. However, it is in the
the aforementioned document does not indicate when exactly those measures were discussed,
approved and implemented and which managers and employees of the defendant
and processor Z were involved.
30. Finally, the Inspection Service notes that it is unclear how and when the officer
for data protection of the defendant was involved in the context of the
security of the processing of personal data in the context of MeldJeAan.
31. Based on the above findings, the Inspectorate concludes that this is the case
of an infringement of articles 5.1.f), 5.2, 24.1, 25.1, 32.1 and 32.2 GDPR.
II.2.2. Position of the defendant
32. The defendant disputes the findings of the Inspection Service. As for the
findings regarding the lack of signatures in the processing agreement
the defendant argues that in accordance with Article 28.3 GDPR it is sufficient that the
processing by a processor is regulated in an agreement or otherwise
legal act under Union or Member State law which the processors
vis-à-vis the controller. The defendant states that there is no
discussion exists between the parties to the processing agreement about the binding
nature of this processing agreement. Moreover, the defendant points out that
contractual framework between the parties is currently being revised so that the
Inspection service transferred processing agreement will soon be outdated. The
If desired, a new signed agreement can be submitted to the Disputes Chamber
be transferred.
33. The defendant then refers to the determination of the Inspection Service as to how
and when compliance with the processing agreement between the defendant and the
processor is checked by it. In this context, the defendant states that the GDPR
nowhere, not even as part of accountability, does it provide for an obligation
to systematically check compliance with each processor agreement, at least
not when there is no indication or report of any risk.
34. Finally, the defendant formulates an answer regarding the determination of the
Inspection service on how and when the data protection officer is involved
was made in the context of the security of the processing of personal data
from MeldJeAan. The defendant clarifies that the official for
data protection was not initially involved with MeldJeAan since the
creation of this platform was established before the entry into force of the GDPR. Decision on the merits 165/2023 – 9/24
In the meantime, the data protection officer was called in and
involved in (among other things) the data protection impact assessment that was carried out.
II.2.3. Assessment by the Disputes Chamber
35. Article 5.1.f) of the GDPR requires that “[personal data] by taking
appropriate technical or organizational measures in such a way
processes that appropriate security is guaranteed, and that they, among other things,
are protected against unauthorized or unlawful processing and against accidental processing
loss, destruction or damage”.
36. In further elaboration of Article 5.1.f) GDPR, Article 32.1 GDPR states that the defendant as
controller takes appropriate technical and organizational measures
must take steps to ensure a level of security appropriate to the risk
the state of the art, the implementation costs, as well as
the nature, scope, context, processing purposes and likelihood and severity
of the varying risks to the rights and freedoms of individuals.
37. Article 32.2 of the GDPR provides that when assessing the appropriate level of security
processing risks must be taken into account, especially as a result of
destruction, loss, alteration or unauthorized disclosure of
access to data transmitted, stored or otherwise processed, either by
accident or unlawful.
38. The Disputes Chamber points out that the accountability obligation under Article 5.2 GDPR, Article 24.1
and Article 25.1 GDPR means that the controller has an obligation to:
on the one hand, taking proactive measures to ensure compliance with the regulations
of the GDPR and, on the other hand, to be able to demonstrate that he has such
has taken measures.
39. In short: the defendant is obliged to take appropriate technical and
organizational measures to ensure an appropriate level of security and this too
to be able to demonstrate.
40. With regard to the above-mentioned accountability obligation, the Disputes Chamber states
established that the Inspection Service asked the defendant the following:
“A copy of [defendant's] documents regarding the measures and decisions taken
were taken for the security of the processing of data in the context
of the online registration system 'Register' and its accountability
in accordance with Article 1 (1) (f) and (2) of the GDPR, Article 24 (1) of the GDPR, Article 25,
paragraph 1 of the GDPR and article 32 of the GDPR. Please also provide a copy of the
information and advice provided by the data protection officer of [defendant] in Decision on the merits 165/2023 – 10/24
has provided that connection and to provide a document-substantiated explanation of his/her position
involvement in that context in accordance with Article 38(1) read in conjunction with
Article 39(1) GDPR”.
41. The Disputes Chamber notes that the defendant does not submit any documents, or in any way
shows in another way how and when compliance with the processor agreement was achieved
checked, neither at the start nor during the execution of the
processing agreement. However, Article 28(1) prescribes that when and processing
is carried out on behalf of a controller, this
controller may only rely on processors who:
provide adequate guarantees with regard to the application of appropriate technical and
organizational measures to ensure that the processing meets the requirements of the GDPR.
The controller can check this by, for example, requesting a
description of the processor's security measures and the method used by the processor
processor, with the involvement of the official for
data protection. In the context of the already mentioned accountability obligation, it is of
importance of properly documenting these assessments.
42. The Disputes Chamber then determines that the document “Measures taken regarding
the data breachReport” provides a series of measures, together with a clarification as to what
the purpose of each measure and the status of the implementation. An additional one
document indicates when the meetings regarding these measures take place
took place and who participated. The Disputes Chamber notes that this
document is little concrete about the approval of these measures and about the
further timing of the implementation of certain measures and follow-up of those already in place
security measures introduced/still to be introduced. The defendant shows with this
documents therefore do not indicate that the status of the
technology, the implementation costs, nature, scope and context of the processing, nor does it show
indicate that these measures are sufficiently tailored to the security risk and account
take into account the processing risks, as prescribed by Article 32.1 and 32.2 GDPR.
43. With regard to the Inspection Service's determination regarding the involvement of the
data protection officer, the Dispute Chamber determines that the defendant
does not submit any documentation, such as advice, showing that the official for
data protection was consulted in the context of the security of MeldJeAan.
The defendant points out that MeldJeAan was created before the GDPR was introduced
was applicable. However, it is up to each controller to, after the
when the GDPR comes into effect, to proactively check whether the processing of
personal data meet the requirements of the GDPR and, if necessary, to take the necessary
make adjustments and document this accordingly. Decision on the merits 165/2023 – 11/24
44. In view of the above, the Disputes Chamber rules that there is an infringement
Article 5.1.f), Article 32.1 and 32.2 j ° Article 5.2, Article 24.1 and Article 25.1 GDPR, namely
accountability regarding the security of the processing of
personal data in the context of MeldJeAan.
45. The Inspection Service also established a violation of the above-mentioned articles in view of
the fact that the processing agreement between the defendant and Z has not been signed
The Disputes Chamber pointed out that the processing agreement was executed by
the parties, as agreed, regardless of the signature. The Dispute Chamber
rules that the lack of signature does not constitute a violation of Article 5.1.f), Article 32.1
and 32.2 j° Article 5.2, Article 24.1 and Article 25.1 GDPR.
46. To the extent necessary, the Disputes Chamber reminds that, although Articles 5.1 and 5.2 of the GDPR
are closely related to each other, a violation of the accountability obligation of Article 5.2
GDPR does not automatically mean a violation of Article 5.1 GDPR. The
accountability concerns the formal delivery externalization through documents
Will demonstrate compliance with the material basic principles of the GDPR. The Disputes Chamber
notes that the Inspection Report does not contain any elements that indicate a violation in
in connection with specific processing of personal data on behalf of the defendant.
II.3. Articles 35.1, 35.2, 35.3 and 35.7 GDPR
II.3.1. Findings of the Inspection Service
47. During the Inspection Investigation, the Inspection Service asked the defendant for this
whether or not a data protection impact assessment (hereinafter: GEB) has been carried out
for the processing that takes place with regard to MeldJeAan.
48. As indicated above in paragraph 27 et seq., on the basis of the answers provided
of the defendant, the Inspection Service concluded that the defendant was not merely
can be considered a processor, but as a controller, given the
processing agreement with Z in which the defendant acts as controller
is indicated and the measures taken following the data breach. So it rests on her
obligation to carry out a GEB.
49. The Inspection Service points out that this case involves an evaluation or
scoring within the meaning of Article 35.3.a) GDPR, namely characteristics of
professional performance, economic situation, health, personal preferences or
interests, reliability or behavior, location or movements of the data subject.
In addition, data relating to vulnerable data subjects, namely:
children, processed. Decision on the merits 165/2023 – 12/24
50. The Inspection Service then refers to the Guidelines for
WP29 data protection impact assessments stating that the
requirement to execute a GEB applies to existing processes and which is probably a
pose a high risk to the rights and freedoms of natural persons and for which the
risks have changed, taking into account the nature, size, context and
purposes of the processing.
51. In view of the above, the Inspection Service concludes that the defendant as
controller for the processing of personal data in the context
of MeldJeAan should have carried out a GEB. The fact that this didn't happen matters
according to the Inspection Report, an infringement of articles 35.1, 35.2, 35.3 and 35.7 GDPR.
II.3.2. Position of the defendant
52. In its conclusions, the defendant argued that it was not the controller
had to be considered. As already explained, the defendant during the
hearing, however, took the position that they, together with AGODI and the local
school boards acts as joint controller for what the
processing of personal data in the context of MeldJeAan.
53. The defendant has taken various measures and actions in response to this position
taken to act in accordance with the GDPR. For example, she has drawn up a GEB, which
has received a favorable opinion from the data protection officer. DeGEB
was then submitted to the school boards as a joint effort
controllers. No comments were made on the GEB
by the school boards, which means it is considered final. The defendant
subsequently transferred this GEB to the Disputes Chamber.
II.3.3. Assessment by the Disputes Chamber
54. The Disputes Chamber refers to part II.1.3 in which the defendant as a joint
controller has been qualified. Article 26.1 of the GDPR states
stipulates that joint controllers must transparently disclose their
respective responsibilities for the fulfillment of the obligations under
determine and agree on the regulation. Joint controllers
must therefore determine “who does what” by mutually deciding who will have which tasks
to ensure that the processing complies with applicable regulations
7WP29, Guidelines on data protection impact assessments and determining whether a processing operation is “likely to be a
high risk" within the meaning of Regulation 2016/679.
8Working Party 29, predecessor of the EDPB. Decision on the merits 165/2023 – 13/24
9
obligations under the GDPR with regard to the joint processing in question. A
of these obligations, which, if necessary, must be included in this division of tasks
drawing up a GEB (Article 35 GDPR).
55. In line with the risk-based approach set out in the GDPR, a
GEB is not obliged for any processing. A GEB is only mandatory if the processing
"is likely to pose a high risk to natural rights and freedoms
persons" (Article 35(1) GDPR). When joint controllers at
involved in the processing, they must determine precisely their respective obligations. In
the GEB must describe which party is responsible for the different
measures designed to address risks affecting the rights and freedoms of the
protect those involved. Each controller must explain what
his needs are and he must share useful information without giving away secrets
(e.g. protection of trade secrets, intellectual property, confidential
10
company information) or vulnerable points.
56. Although in other circumstances a data protection impact assessment is required
may be, Article 35.3 GDPR gives some examples of when a
processing "likely to involve a high risk":
“(a)asystematicandcomprehensiveassessmentofpersonalaspectsofnatural
persons, which is based on automated processing, including profiling, and
on which decisions are based that have legal consequences for the natural person
are connected or which significantly affect the natural person in a similar manner;
b) large-scale processing of special categories of personal data as referred to
in Article 9(1) or of data relating to criminal convictions and
criminal offenses as referred to in Article 10; or
(c) systematic and large-scale monitoring of publicly accessible areas".
57. When assessing whether a GEB is required for processing and on the basis of their inherently high
risk, nine criteria must be taken into account, namely: (1) the evaluation of
scoring, (2) automated decision-making with legal effect or similar
substantial consequence, (3) systematic monitoring, (4) sensitive data or data of the very kind
personal nature, (5) data processed on a large scale, (6) matching or merging
of datasets, (7) data relating to vulnerable data subjects, (8) innovative
use or innovative application of new technological or organizational
9
EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, July 7, 2021,
https://edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_nl.pdf, marginal 58
e.v.
10WP29, Guidelines on data protection impact assessments and determining whether a processing operation is "likely to have a
involves a high risk" within the meaning of Regulation 2016/679, p.9. Decision on the merits 165/2023 – 14/24
solutions and (9) when as a result of the processing itself "data subjects [...] have a right
cannot exercise or rely on a service or an agreement"
(Article 22 and recital 91).
58. The WP29 states in its guidelines on the GEB that in most cases a
controller can assume that for a processing operation that involves two of
11
the above criteria is met, a GEB must be carried out. The Disputes Chamber states
It is clear that this is the case for MeldJeAan. The Disputes Chamber recalls that the
following personal data were processed: identification data (name, address,
date of birth, telephone number of both parents and children), electronic
identification data (email addresses of both parents and children), personal
characteristics (age, gender of children), education and training (mother), national
number (the national register number of the child), the fact whether there are already brothers and/or sisters
the child is present in a certain Antwerp school, the fact of whether the parents are a staff member
being from a school where one applies, the fact whether the family received a school allowance
in the current school year or the previous school year and the spoken language of the child.
In addition, the following personal data were also processed within the application:
various indicators regarding students such as home language, mother's education level,
neighborhood indicator and school allowance and preferences for a particular school. There is therefore
there is an evaluation or scoring, including profile determination and
prediction, in particular of “characteristics concerning occupational performance, economic
situation, health, personal preferences or interests, reliability or behavior,
location or movements of the data subject" (recitals 71 and 91 GDPR).
59. This data is also processed on a large scale, as the personal data
of thousands of children in Antwerp and their parents are processed in the context of the
assignmentofaschool. These children are vulnerable data subjects (recital 75GDPR).
In addition, sensitive data is also processed, such as the national register number of the
registered children and whether or not a student is regarded as an indicator student
must be.
1WP29, Guidelines on data protection impact assessments and determining whether a processing operation is "likely to involve a
high risk" within the meaning of Regulation 2016/679, p.12.
12WP29, Guidelines on data protection impact assessments and determining whether a processing operation is “likely to have a
high risk" within the meaning of Regulation 2016/679, p.12.
13
https://meldjeaansecondary.gent.be/faq: An indicator student is a student of whom:
• The mother does not have a secondary education diploma or a study certificate for the second year
has completed the third grade of secondary education (or equivalent); and/or
• The family receives a school allowance in the current school year or the previous school year.
The other children are non-indicator students.
We use a short questionnaire to determine whether a child is an indicator student or a non-indicator student. Decision on the merits 165/2023 – 15/24
60. In view of the above, the Disputes Chamber is of the opinion that a GEB was appropriate
to be drawn up for the processing of personal data in the context of
Sign In.
61. Article 35.7 GDPR determines what a GEB must at least contain:
a) a systematic description of the intended processing operations and the
processing purposes, including, where appropriate, the legitimate ones
interests pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations
regarding the purposes;
(c) an assessment of the risks to the rights and freedoms referred to in paragraph 1
those involved; and
(d) the measures envisaged to address the risks, including safeguards,
security measures and mechanisms to protect data
guarantee and to demonstrate compliance with this Regulation
of the rights and legitimate interests of data subjects and other persons
in question
62. On December 9, 2022, the defendant submitted the GEB that it drew up with
regarding the processing of personal data in the context of MeldJeAan. The
Dispute Chamber determines that the GEB designates the defendant as the processor, which is not the case
is consistent with the position set out by the defendant during the
hearing.
63. The controller must also obtain the advice of the officer at the GEB
obtain data protection, if this has been designated (Article 35.2 GDPR). The
the defendant also presents the official's positive advice
data protection regarding the GEB.
64. The Disputes Chamber notes that the registration system was already in place before the GDPR
came into force and that various (sometimes contradictory) advice regarding the
processing responsibility were provided by, among others, VTC and AGODI. This means
However, this does not mean that the obligations arising from the GDPR should not be complied with
become. As soon as the defendant has made the decision to grant the financing
to the LOP Antwerp to implement its decree obligations,
the defendant should have evaluated whether, in the facts, they were considered (joint)
controller and whether it complied with all
obligations arising from this qualification, such as drawing up a GEB. Decision on the merits 165/2023 – 16/24
65. The Disputes Chamber notes that the defendant does not comply with the above
regulations since the GEB still designates the defendant as processor. The
Disputes Chamber points out that the GEB is in accordance with the above
regulations from Article 35GDPR must be applied, also taking into account the capacity
of joint controller of the defendant. Accordingly, the
Disputes Chamber also states that there is a violation of Articles 35.1, 35.2, 35.3 and 35.7
GDPR
II.4. Article 38.1 and Article 39 GDPR
II.4.1. Findings of the Inspection Service
66. During the investigation, the Inspection Service asked the defendant to provide copies
providing the information and advice to the data protection officer
has provided in the context of (i) the security of the processing of personal data,
(ii) the register of processing activities and (iii) the
data protection impact assessment.
67. The defendant answered during the investigation that the MeldJeAan application in
has been in use since 2014. Since this is before the entry into force of the GDPR,
no advice was sought from the data protection officer at that time. The
processing was included in the register for processing activities and the
data protection officer was informed about the data breach in Ghent and the
steps taken as a result. At the time of writing this
response, a GEB was created to which the data protection officer
would provide advice.
68. Based on the above answer from the defendant, the Inspection Service determines that
defendant does not demonstrate that the data protection officer was effective and timely
was involved in:
- the security of the processing of personal data in the context of MeldJeAan;
- the register of processing activities; and
- the assessment of the need for and, where appropriate, the implementation of a
data protection impact assessment.
II.4.2. Position of the defendant
69. In her conclusions, the defendant argues that the data protection officer
was initially not involved in MeldJeAan given the creation of this platform
came into effect well before the GDPR came into effect and there was therefore no question of one
data protection officer and the obligation to involve him. Decision on the merits 165/2023 – 17/24
In addition, the defendant reiterates in its conclusions that the processing was recorded
in the register of processing activities, that the officer was informed about it
data breach in Ghent and that a new GEB is in the making that will be submitted for advice
to the data protection officer;
II.4.3. Assessment by the Disputes Chamber
70. It is important to note that the MeldJeAan platform predates the
entry into force of the GDPR. The GDPR has been applicable since May 25, 2018
controller must therefore proactively check whether the requirements of have been met
the GDPR, and not to adopt a wait-and-see attitude. As soon as the defendant submits the
had made the decision to award the financing to the LOP Antwerp
to implement its decree obligations, the defendant should have
evaluate whether, in fact, it should be regarded as a controller
whether it met all obligations arising from this qualification.
71. These obligations include, among other things, the provisions regarding the position and tasks of the
data protection officer as defined in Article 38 and Article 39.1 of
the GDPR. After all, the GDPR recognizes that the data protection officer is a
is a key figure with regard to the protection of personal data whose appointment,
position and tasks are subject to rules. These rules help the
controller to comply with its obligations under the GDPR, but
also help the Data Protection Officer to properly perform his duties
to practice.
72. The Disputes Chamber recalls that Article 38.1 GDPR prescribes that the
controller ensures that the official for
data protection is involved in a timely and appropriate manner in all matters
related to the protection of personal data.
73. Pursuant to Article 39.1 GDPR, the Data Protection Officer must (a) the
inform and advise the controller about his obligations
pursuant to the GDPR and other Union or Member State law
data protection provisions and (b) monitor compliance with the GDPR, other
Union or Member State data protection provisions and policies
of the controller or processor with regard to protection
of personal data, including the allocation of responsibilities,
awareness and training of the staff involved in the processing and the
regarding audits.
74. The defendant's documents do not show that the data protection officer
was involved in the obligations under Articles 32.1 and 32.2 (see part II.2). The official Decision on the merits 165/2023 – 18/24
for data protection was involved after a potential was mentioned
incident with MeldJeAan regarding Ghent secondary education.
75. The defendant also submits the positive advice regarding the aforementioned GEB to the
Dispute Chamber which shows that they have, since their qualification as joint
controller, involves the data protection officer
processing of personal data relating to MeldJeAan. The Dispute Chamber
rules that there is a historical violation of Article 38.1 and Article 39.1
GDPR, but that the defendant has already taken sufficient steps for something
concerns the tasks, role and position of the data protection officer.
II.5. Article 30.1 GDPR
II.5.1. Findings in the Inspection Report
76. The Inspection Service does this regarding the register of processing activities of the
defendant concludes that this does not meet the minimum requirements as imposed
by Article 30.1 GDPR. In concrete terms, the Inspection Service states the following in this regard
infringements established:
- the description of the categories of data subjects and of the categories of
personal data is incomplete (Article 30.1.c) GDPR) as in the “Export
processing register” of the register of the processing activities of the
defendant only briefly describes the categories of data subjects and personal data
are listed rather than described. That is the case for the
columns “categories of data subjects (whose processing the application
personal data?)”, “data categories: basic data” and “data categories:
sensitive data”. It is therefore not clear what exactly is meant there;
- the defendant does not demonstrate that its register of processing activities is up to date
is. In that context, the Inspection Service refers to the fact that the defendant
is stated “see export processing register (date: 30/08/2022)” while the
register was delivered to the Inspection Service via email on 19/09/2022. Consequently
the Inspection Service received the register of processing activities on 19/09/2022
of the defendant that was last supplemented on 30/08/2022.
II.5.2. Position of the defendant
77. The defendant submits that the GDPR states that the controller and
processor is obliged to (i) keep a register to ensure compliance with the regulation
to be able to demonstrate and (ii) to cooperate with the supervisory authority and
to provide this register upon request. Furthermore, the GDPR does not provide any further explanation Decision on the merits 165/2023 – 19/24
about the realization, design and/or content of a register of
processing activities.
78. Consequently, the defendant argues, the GDPR nowhere describes the level at which the
entries in the register of processing activities must be described. The
GDPR leaves the controller, in this case the defendant, largely free in this regard, provided that:
the register (i) is sufficiently transparent by specifying a number of mandatory elements
determines which processing activities are carried out and (ii) is set up accordingly
that the GBA can use it to carry out checks on compliance (or non-compliance).
GDPR. The defendant therefore believes that the register is indeed so detailed
that little more can be described/clarified regarding the categories of
data subjects and personal data. All terms used, be sure to read in
connection with all other categories mentioned, are sufficiently clear whether who is which
processes personal data.
79. As regards the topicality of the register, the defendant confirms that the information provided to the
Inspection service concerned export indeed dated August 30, 2022,
despite the fact that this was only transferred on September 19, 2022. After all, it was
not asked about an export that could not exceed a certain age and
moreover, this was indeed the current version of the register, due to lack of need
adjustment thereof in the period from August 30, 2022 to September 19, 2022.
II.5.3. Assessment by the Disputes Chamber
80. Article 30 GDPR requires each controller to keep a record
of the processing activities carried out under his responsibility.
Article 30.1.a) to g) GDPR stipulates that, with regard to the
controller carried out processing operations, the following information is available
must be:
a) the name and contact details of the controller and, if applicable
joint controllers and, where appropriate, of the
representative of the controller and of the official for
data protection;
b) the purposes of processing;
c) a description of the categories of data subjects and of the categories of
personal data;
d) the categories of recipients to whom the personal data have been or will be received
provided, including to recipients in third countries or international organizations; Decision on the merits 165/2023 – 20/24
e) where applicable, transfers of personal data to a third country or a
international organisation, including the indication of the third country or countries
international organization and, in the case of the GDPR referred to in Article 49.1, second paragraph,
said transfers, the documents regarding the appropriate safeguards;
f) if possible, the intended deadlines within which the different categories of
data must be deleted;
g) if possible, a general description of the technical and organizational aspects
security measures as referred to in Article 32.1 GDPR.
81. The Disputes Chamber establishes the defendant in its register of processing activities
provides a summary for:
- The categories of data subjects (Article 30.1.c) GDPR), namely residents, are not
residents, internal employees, external employees, children.
- The categories of personal data (Article 30.1.c) GDPR) namely, on the one hand
basic data such as name and first name, address details (street, house number, bus,
municipality, country), telephone number, identification codes (national register number),
birth details (date of birth and place of birth), vehicle details,
login details and sensitive data such as health data, legal data
facts
82. The Disputes Chamber - with reference to previous decisions - must pronounce itself
on whether Article 30.1.c) GDPR requires a description of the
categories of personal data and the categories of data subjects in the register of
processing activities, or whether a summary is sufficient.
83. The Disputes Chamber notes that Article 30.1.c) GDPR requires a description of the
categories of data subjects and categories of personal data
are included in the register of processing activities.
84. The Disputes Chamber recalls the purpose of the register of
processing activities. To effectively fulfill the obligations contained in the GDPR
apply, it is essential that the controller (and the
processors) have an overview of the processing of personal data that they
to carry out. This register is therefore primarily an instrument to
to assist the controller in complying with the GDPR for the various
data processing that it carries out, because the register has the most important characteristics
makes it visible. The Disputes Chamber is of the opinion that this processing register is a
14 See, among others; decision 149/2022 dated. October 18, 2022, can be consulted via
https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-149-2022.pdf Decision on the merits 165/2023 – 21/24
is an essential instrument in the context of the already mentioned accountability obligation (Article
5(2) and Article 24 GDPR) and that this register underlies all obligations under which the
GDPR imposes on the controller.
85. The Disputes Chamber notes that neither the text of the GDPR nor the objectives of the
GDPR require more than a list of the categories of personal data and
the categories of data subjects are included in the register
processing activities and that a more detailed description would therefore be necessary.
86. With regard to the categories of recipients, the Disputes Chamber refers to a
15
recommendation of the Commission for the protection of privacy and
16
the doctrine stating that although it is not necessary the individual
recipients of the data, but that these can be grouped
per category of recipients. Mutatis mutandis, this statement can also be applied to
the categories of personal data and data subjects.
87. However, the Disputes Chamber points out that the completion of the register of
processing activities must always be evaluated on a case-by-case basis to determine whether the
description or summary contained herein is sufficiently clear and concrete.
88. In the present case, the Disputes Chamber notes that the lists included in the
register of processing activities were sufficiently specific. According to the
Dispute Chamber there is little doubt about the meaning of the above
elements in the context of the processing activities listed in the register
processing activities.
89. With regard to the second finding of the Inspection Service regarding the topicality of
the register of processing activities, the Disputes Chamber points out that the register of
processing activities should also be updated in accordance with developments
and evolution of the activities of the company or organization concerned. If the
controller starts a new processing activity or a
existing processing activity changes, the register of processing activities must be kept
to be adjusted accordingly.
90. Since the period between the export of the register of processing activities and the
transfer is limited to just under 3 weeks, and since there are no elements
which shows that the register of processing activities would not have been up to date, is the
Disputes Chamber is of the opinion that no infringement has been proven.
15Available at: https://www.gegevensbeschermingsautoriteit.be/publications/aanadvies-nr.-06-2017.pdf
16W. Kotschy, “Article 30: recordsof processing activities,” in Ch. KunerThe EU General Data Protection Regulation (GDPR),
a commentary, 2020, pg. 621. Decision on the merits 165/2023 – 22/24
91. Consequently, the Disputes Chamber concludes that there is no infringement of article
30.1 GDPR.
III. Sanctions
92. Based on the documents from the file, the Disputes Chamber determines that this is the case
multiple violations of the GDPR. Firstly, the infringement of Article 5.1.f), Article
32.1 and 32.2 in conjunction with Article 5.2, Article 24.1 and Article 25.1 GDPR, secondly these on the articles
35.1, 35.2, 35.3 and 35.7 GDPR, and finally Article 38.1 and Article 39.1 GDPR.
93. Having the necessary processes in place to achieve and demonstrate the
Compliance with the GDPR is one of the fundamental principles of the GDPR. The
data protection impact assessment is an important accountability tool
because it not only helps controllers to meet the requirements of the GDPR
to comply, but also to demonstrate that appropriate measures have been taken
ensure compliance with the GDPR. Also the official for
data protection plays a crucial role in data protection at a
controller.
94. The Disputes Chamber is of the opinion that there are sufficient elements to justify a reprimand
which is a light sanction and is sufficient in the light of the facts in this file
established violations of the GDPR. When determining the sanction, the
Disputes Chamber takes into account the fact that the defendant has (incorrect) advice
obtained regarding his qualification as controller but after internal
analysis has taken the necessary steps to meet its obligations such as
prescribed by the GDPR. The defendant has already corrected the infringements and
provides evidence of this. For the sake of completeness, the Dispute Chamber points out that this is not the case
is authorized to impose an administrative fine on government bodies,
in accordance with Article 221, § 2 of the Data Protection Act. 17
95. The Disputes Chamber proceeds with a dismissal with regard to the other grievances and
findings of the Inspection Service because they are based on the facts and documents from the
file cannot conclude that there have been violations of the GDPR.
These grievances and findings of the Inspection Service are therefore considered apparent
considered unfounded within the meaning of Article 57(4) GDPR. 18
17
Act of 30 July 2018 on the protection of natural persons with regard to the processing of
personal data, B.S., September 5, 2018.
18 See point 3.A.2 of the Dismissal Chamber's dismissal policy. June 18, 2021, available via
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf. Decision on the merits 165/2023 – 23/24
IV. Publication of the decision
96. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
Data Protection Authority, stating the identification details of
the defendant, given the inevitable re-identification of the defendant in the event of
pseudonymization.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- to formulate a reprimand on the basis of Article 100, §1, 5° WOG with regard to the
defendant as regards;
o the infringement of Article 5.1.f), Article 32.1 and 32.2 in conjunction with Article 5.2, Article 24.1 and Article
25.1 GDPR;
o the infringement of articles 35.1, 35.2, 35.3 and 35.7 GDPR;
o the infringement of articles 38.1 and 39.1 GDPR;
- on the basis of Article 100, §1, 1° WOG with regard to all other determinations
dismiss.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notice, an appeal against this decision will be filed with the Market Court (court of
appeal Brussels), with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition
19
must contain information listed in Article 1034ter of the Judicial Code. It
an objection petition must be submitted to the registry of the Market Court
19The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer. Decision on the merits 165/2023 – 24/24
20
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
(get). Hielke H IJMANS
Chairman of the Disputes Chamber
20The petition with its appendix will be sent by registered letter in as many copies as there are parties involved
sent to the registrar of the court or deposited at the registry.
