APD/GBA (Belgium) - 51/2023

From GDPRhub
APD/GBA - DOS-2022-01864
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 13(1)(a) GDPR
Article 13(1)(b) GDPR
Article 37(7) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 26.04.2022
Decided: 04.05.2022
Published: 04.05.2022
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2022-01864
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Autorité de protection des données (in FR)
Initial Contributor: Philipp Karner

The Belgian Data Protection Authority ordered a company to comply with Article 13(1)(b) GDPR and to publish the contact details of their DPO on their website.

English Summary


The data subject wanted to apply online for a job at the controller. The data subject found many of the required information (such as nationality or postal address) unnecessary for the purpose of identifying the best candidate for the job.

The data subject wanted to get in touch with the controller, but could not find any contact information of the DPO. There was only an online form available.

They wrote an email to the controller and asked to reveal the contact details of their DPO on 24 March 2022 which remained unanswered.

On 25 April 2022 the data subject lodged a complaint with the Data Protection Authority which was declared admissible on 26 April 2022.


First, the DPA held that collecting unnecessary data which is not required to fulfil the purpose violated Article 5(1)(b) GDPR (purpose limitation) as well as Article 5(1)(c) GDPR (data minimisation). Since the controller edited the application form in the meantime and deleted the unnecessary requests, the form was in compliance with GDPR at the time of the decision and the DPA did not impose any further orders.

Second, the DPA held that according to Article 13(1)(b) GDPR the controller must state the contact details of the DPO on their website. There is a similar obligation under Article 37(7) GDPR. The DPA ordered the controller to comply with his obligations under Article 13(1)(b) GDPR and Article 37(7) GDPR and to publish the contact details of their DPO.

Third, the DPA held that the controller violated the data subjects right to information as enshrined in Article 13(1)(a) GDPR when they did not answer the data subjects request for the contact details of the DPO. The DPA ordered the controller to reply to the data subjects request.


It might depend which information is required for the application for a job. For highly sensitve jobs in the official administration or the armed forces it might be permissable to ask for the nationality of the applicant.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.


                                                                   Litigation Chamber

                                                        Decision 51/2023 of May 4, 2023

File number: DOS- 2022-01864

Subject: Complaint relating to the personal data required via an online form aimed at
applying for a job with the defendant, and the obligation to inform of an email address

of the DPO

The Litigation Chamber of the Data Protection Authority, constituted by Mr. Hielke

Hijmans, President, sitting alone;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and the

free movement of such data, and repealing Directive 95/46/EC (general regulation on the protection

data), hereinafter GDPR;

Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of

personal data (hereinafter LTD);

Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Internal regulations as approved by the Chamber of Representatives on December 20, 2018

and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

made the following decision regarding:

The complainant: X, hereinafter “the complainant”. ;

The defendant: Y, hereinafter "the defendant" Decision 51/2023 - 2/6

 I. Facts and procedural history

  1. The subject of the complaint concerns the collection of unnecessary personal data (nationality,

      national register number, postal address) as part of the form to be completed to apply for

      a job on the defendant's website (a health insurance fund). The complainant also raises the absence

      indication of the email address of the Data Protection Officer (DPO) on the defendant's site, and

      underlines that questions relating to the protection of personal data can only

      be asked via an online form.

  2. On April 25, 2022, the complainant filed his complaint with the Data Protection Authority (hereafter

      after DPA) against the defendant.

  3. On April 26, 2022, the complaint was declared admissible by the First Line Service of the Authority of

      data protection (hereinafter SPL) on the basis of Articles 58 and 60 of the LCA and the complaint is

      forwarded to the Litigation Division under Article 62§ 1 of the LCA. 2

  4. Pursuant to Article 95 § 2, 3° of the LCA as well as Article 47 of the Internal Rules of

      DPA, a copy of the file may be requested by the parties. If one of the parties wishes to

      use of the possibility of consulting the file, the latter is required to contact the secretariat of the

      Litigation Chamber, preferably via litigationchamber@apd-gba.be.

II. Motivation

  II.1 - Principle of minimization

  5. In accordance with Article 5.1.c) of the GDPR, the personal data must be adequate,

      relevant and limited to what is necessary in relation to the purposes for which they are

      processed (data minimization).

  6. The Litigation Chamber recalls that the principle of minimization within the framework of a

      recruitment implies that the information requested from candidates must have the sole purpose

      to assess the candidate's ability to occupy the position to be filled or his professional skills.

  7. In addition, Article 5.1.b) of the GDPR provides that personal data must be

      “collected for specified, explicit and legitimate purposes and not to be processed

      subsequently in a manner incompatible with those purposes; […] (limitation of purposes)”.

  1 Pursuant to Article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been
  declared admissible

  2 Pursuant to article 95, §2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this
  complaint, the file was forwarded to him. Decision 51/2023 - 3/6

8. In the present case, the complainant denounces that the form to be completed online on the website of the

    defendant to apply for a job requires unnecessary personal data (the

    nationality, national register number, postal address). The Litigation Chamber finds
    that on the day of this decision, the form to be completed to apply for jobs on the site

    the defendant's internet no longer requires the personal data denounced by the plaintiff (the

    nationality, national register number, postal address). It therefore appears, a priori, that the

    defendant has adapted the personal data required via this form on its site.

9. In view of the foregoing, the Litigation Chamber classifies without follow-up the grievances relating to the articles

    5.1.b) and 5.1.c) of the GDPR in accordance with its discontinued policy of June 18, 2021 (B.6).

II.2- The information obligation

10. According to Article 13 of the GDPR, “where the personal data relating to a

    data subject are collected from this person, the controller

    provides, at the time the data in question is obtained, all of the following information:

    -a) The identity and contact details of the controller and, where applicable, the representative of the


    -b) Where applicable, the contact details of the data protection officer; […]”.

11. In addition, Article 37.7 of the GDPR requires the controller or processor to publish

    the contact details of the DPO and communicates them to the supervisory authority.

12. The Litigation Chamber recalls that the aforementioned requirements are intended to ensure that persons

    concerned and the supervisory authorities can easily and directly contact the

    DPO without having to contact another department of the organization.

13. Working Party 29 further states that “The contact details of the DPO should contain
    information allowing the persons concerned and the supervisory authorities to reach it

    easily (a postal address, a specific telephone number and/or an e-mail address

    specific electronics). Where appropriate, for the purposes of communication with the public, other

    means of communication could also be provided, for example, assistance by

    specific telephone, or a specific contact form addressed to the DPO on the website of

    the organism. (the Litigation Chamber emphasises)

14. In the complaint form, the complainant indicates that it is not possible to reach directly by

    e-mail the Data Protection Officer (DPO), that no e-mail address is indicated on the

3Article 29 Data Protection Working Party, Guidelines for Data Protection Officers (DPOs),
WP 236, page 15, 5 April 2017, https://ec.europa.eu/newsroom/article29/items/612048/en Decision 51/2023 - 4/6

    defendant's website, and that the only way to ask questions related to the protection of

    data consists of filling out a form on the defendant's website. The complainant has

    elsewhere sent (March 24, 2022) an email to the Defendant's Legal Department requesting

    the e-mail address of the DPO, but indicates that no follow-up has been given to his request by the


15. The Litigation Chamber finds that the defendant did not provide the information requested by the

    complainant, as provided for in Article 13.1.b of the GDPR. She did not give him the contact details.

    of the DPO.

16. The Litigation Chamber therefore notes, and on the basis of the above considerations, that it is necessary to

    conclude that the Respondent may have committed a breach of the provisions of Article 13.1(b) of the

    GDPR, which justifies that in this case, the Litigation Chamber proceeds to take a decision

    on the basis of article 95, § 1, 5° of the LCA, namely to order compliance with the request of the

    complainant to exercise his right to information (Article 13 of the GDPR).

17. This decision is a prima facie decision taken by the Litigation Division in accordance with

    to Article 95 of the LCA on the basis of the complaint lodged by the plaintiff, within the framework of the
    “procedure prior to the substantive decision”, to be distinguished from a decision on the merits of the Chamber

    Litigation within the meaning of Article 100 of the LCA.

18. If, however, the controller does not agree with the content of this decision

    prima facie and believes that it can make factual and/or legal arguments that could

    lead to another decision, the latter may submit to the Litigation Chamber a request for

    processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, and this in the

    30 days after notification of this decision. If necessary, the execution of the

    this Decision is suspended for the above-mentioned period.

19. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto

    Article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and to

    attach to the file all the documents they deem useful. If applicable, this decision is

    permanently suspended.

20. With a view to transparency, the Litigation Chamber finally emphasizes that a processing of

    the case on the merits may lead to the imposition of the measures mentioned in Article 100 of the LCA. 5

 Section 3, Subsection 2 of the ACL (articles 94 to 97 inclusive).
5 4 Art. 100. § 1. The litigation chamber has the power to
1° dismiss the complaint without follow-up;

2° order the dismissal;
3° pronouncing the suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings and reprimands;
6° order to comply with requests from the data subject to exercise his or her rights;
(7) order that the person concerned be informed of the security problem; Decision 51/2023 - 5/6

III. Publication and communication of the decision

   21. Given the importance of transparency with regard to the decision-making process and the

       decisions of the Litigation Chamber, this decision will be published on the DPA website

       by deleting the direct identification data of the parties and the persons cited,

       whether physical or moral.


the Litigation Chamber of the Data Protection Authority decides, subject to

the introduction of a request by the defendant for treatment on the merits in accordance with the

articles 98 e.s. of the ACL:

    - to close without further action the grievances relating to Articles 5.1.b) and 5.1.c) of the GDPR pursuant to

       Article 95, §1, 3° of the LCA;

   - pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the

       defendant to comply with the request of the person concerned with regard to

       his right to information, within 30 days of notification of the
       this Decision;

    - pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 4° of the LCA, to formulate a

       warning to the defendant so that it complies in the future with the obligation provided for

       by article 13.1.b) of the GDPR, to publish a contact email of the DPO;

    - to order the defendant to inform the Data Protection Authority by e-mail

       (Litigation Division) of the follow-up given to this decision, within the same period,

       via the e-mail address litigationchamber@apd-gba.be;

   and - if the defendant does not comply in due time with what is requested of it above,

       to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL.

   8° order the freezing, limitation or temporary or permanent prohibition of processing;
   9° order compliance of the processing;
   10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the
   data ;
   11° order the withdrawal of accreditation from certification bodies;
   12° to issue periodic penalty payments;
   13° to issue administrative fines;
   14° order the suspension of cross-border data flows to another State or an international body;
   15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
   16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 51/2023 - 6/6

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within a

thirty days from its notification, to the Court of Markets (Court of Appeal of

Brussels), with the Data Protection Authority as defendant.

Such an appeal may be brought by means of an interlocutory request which must contain the information
listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the court office
of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or through the system

e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud

(se). Hielke Hijmans

President of the Litigation Chamber

6 The request contains on pain of nullity:
(1) indication of the day, month and year;

2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary statement of the means of the request;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.

7 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.