APD/GBA (Belgium) - 57/2021: Difference between revisions

From GDPRhub
No edit summary
Line 151: Line 151:
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


<pre>
<pre>Litigation Chamber
                                                                                        1/36


Decision on the merits 57/2021 of 06 May 2021


File reference : DOS-2019-02902


Subject: Lack of transparency in the privacy statement of an insurance company (reconsideration decision 24-2020)


The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG;


Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG;


Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; 


Having regard to the documents on file;


                                                                      Dispute Chamber
...


...


has taken the following decision concerning:


                                      Decision on the merits 57/2021 of 06 May 2021
- Mr X, hereinafter "the complainant";


- Y, represented by Mr Benoit Van Asbroeck and Mr Simon Mortier, hereinafter "the defendant".


1. Facts and procedure


1. This decision is a reconsideration of decision 24/2020 of the Dispute Chamber of 14 May 2020, and implements the judgment of the Markets Court of 18 November 2020, with roll number 2020/AR/813. 


2. This decision should be read in conjunction with decision 24/2020 and contains a reconsideration aimed at giving the Respondent the opportunity to defend itself with regard to all breaches of the AVG for which a penalty was imposed in the initial decision, to the extent that these breaches are contested by Y. In this reconsideration, the Dispute Resolution Chamber will thus stay within the framework of the initial decision, including with respect to the administrative fine, which cannot exceed the amount of the fine initially determined. As regards the allegations in respect of which the Dispute Resolution Chamber ruled in the initial decision that there was no infringement of the AVG, this opinion remains valid. The infringements established in the initial decision and not contested by Y are also maintained.


File number: DOS-2019-02902
3. On 14 June 2019, the complainant filed a complaint with the Data Protection Authority against the respondent.


The subject of the complaint concerns the use of health data obtained by the insurance company from the data subject in the context of a hospitalisation insurance policy for other purposes without the express consent of the insured data subject. The complainant states that he has no problem with his health data being processed for the fulfilment of obligations under the hospitalisation insurance policy taken out with the defendant, but has a problem when the same health data are processed for the purposes listed in point 4.3. of the privacy notice and for the transfer to third parties as mentioned in point 9 of the same privacy notice (it concerns point 6, but the reference to point 9 is a material error) as mentioned in the defendant's privacy notice. He requests that specifically for those purposes, as well as for the transfer, the Respondent gives the data subject the choice to consent or not to the processing of his health data.


Finally, the complainant expresses the wish to receive a data protection impact assessment from the defendant as it involves the processing of data at high risk for the data subjects.


Subject: Lack of transparency in a privacy statement
4. On 26 June 2019, the complaint shall be declared admissible pursuant to Sections 58 and 60 of the WOG, the complainant shall be notified thereof pursuant to Section 61 of the WOG, and the complaint shall be transferred to the Dispute Resolution Chamber pursuant to Section 62(1) of the WOG.


insurance company (reconsideration of decision 24-2020)
5. On 23 July 2019, the Dispute Resolution Chamber shall decide, pursuant to art. 95, §1, 1° and art. 98 WOG that the file is ready for consideration on the merits.


6. On 24 July 2019, the parties concerned were notified by registered mail of the provisions as mentioned in art. 95, §2 and in art. 98 WOG. Also, pursuant to art. 99 WOG, the parties concerned were informed of the time limits to submit their defences. The deadline for receipt of the statement of reply from the plaintiff was thereby set at 7 October 2019 and for the defendant 7 November 2019.


7. On 29 July 2019, the Respondent shall notify the Dispute Resolution Chamber that it has taken cognisance of the complaint, shall request a copy of the file (art. 95, §2, 3° WOG) and shall electronically accept all communications concerning the case (art. 98, 1° WOG).


8. On 30 July 2019, a copy of the case file shall be transmitted to the defendant.


9. On 2 August 2019, the Dispute Resolution Chamber receives a letter in which the Respondent indicates that he wishes to be heard by the Dispute Resolution Chamber (art. 98, 2° WOG).


10. On 6 September 2019, the Dispute Resolution Chamber received the response by the Respondent. Firstly, the Respondent argues that the processing of special categories of personal data, in this case health data, by healthcare insurer Y is carried out lawfully. The processing of these special categories of personal data (Article 9 AVG) is in principle prohibited. For the processing, the defendant relies on the exceptional ground of Article 9 (2) (a) AVG, the explicit consent of the data subject. Second, the defendant argues that separate consent is not necessary for each transfer of personal data. Third, according to the defendant, there is no question of asking consent for the processing of data other than health data. Finally, according to the defendant, a data protection impact assessment was not necessary in this case as it concerned already existing processing operations and not new processing operations starting after 25 May 2018.


11. The complainant has not exercised the right to submit a reply.


The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
12. The Respondent is not submitting a new Opinion and on 7 November 2019 is merely providing productions in support of the Opinion submitted on 6 September 2019.


Hijmans, chairman and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;
13. On 9 January 2020, the parties are informed that the hearing will take place on 28 January 2020.  


14. On 28 January 2020, the Respondent was heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. Among other things, the Respondent answered questions put by the Dispute Resolution Chamber as to the legal basis for the processing of personal data other than health data. The debates then closed.


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
15. On 29 January 2019, the record of the hearing shall be submitted to the parties.


on the protection of natural persons with regard to the processing of
16. On 31 January 2020, the Respondent shall provide, as requested at the hearing, the annual turnover for the last three financial years. These amount to a turnover of between EUR 500 million and EUR 600 million for the years 2016-2018.


personal data and on the free movement of such data and repealing Directive
17. On 6 February 2020, the Dispute Resolution Chamber receives some comments from the Respondent on the minutes, which it decides to include in its deliberations.


95/46 / EC (General Data Protection Regulation), hereinafter GDPR;
18. On 25 March 2020 the Litigation Chamber informs the defendant of its intention to impose an administrative fine and the amount thereof in order to give the defendant the opportunity to defend itself before the sanction is actually imposed.


19. On 8 May 2020, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine, as well as the amount thereof.


The Respondent argues that the alleged infringements as set out in the Dispute Resolution Chamber's intention are entirely new and that it has not been able to defend itself in this respect. However, it is for the Dispute Resolution Chamber to find that the documents on the file irrefutably demonstrate that the Respondent was able to fully exercise his rights of defence. 


In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter
The defendant also claims to disagree with the imposition of a fine, or the intended amount of the fine. However, he does not present any (new) arguments in support of this claim. Therefore, the response of the defendant does not give the Disputes Committee


WOG;
The response of the Respondent does not give rise to an adjustment of the intention to impose an administrative fine nor to an adjustment of the amount of the fine as intended.


20. On 14 May 2020, the Arbitration Chamber in its decision on the merits 24/2020 ruled as follows:


- pursuant to Article 100, §1, 9° WOG, to order the Respondent to bring the processing into compliance with Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG 


Having regard to the rules of internal procedure, as approved by the Chamber of
- On the basis of Article 100, §1, 13° WOG and Article 101 WOG, impose an administrative fine of EUR 50,000 for the infringements of Article 5.1 a), Article 5.2, Article 6.1, Article 12.1, Article 13.1 c) and d) and Article 13.2 b) AVG.
Representatives of the people on December 20, 2018 and published in the Belgian Official Gazette on


January 15, 2019;
21. On 17 June 2020, the Dispute Chamber received notification from the Brussels Court of Appeal of an application against the GBA lodged with the Court Registry.


22. On 24 June 2020, the introductory hearing before the Market Court takes place, at which the time limits for the parties to conclude their cases are determined, and the case is set for oral argument at the hearing on 21 October 2020.


On 18 November 2020, the Market Court delivers its judgment. 


Considering the documents in the file;
The judgment1 contains the following main points concerning the assessment of the object of the application:


1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-marktenhof.pdf 


- Annulment of the decision on the merits no. 24/2020 of 14 May 2020 of the Dispute Resolution Chamber.


- The Market Court stated that the Respondent should have been given the opportunity - after the grievance was clearly formulated in writing - to make a written statement on the matter. The fact that the Respondent was asked at the hearing (which was mentioned in the transcript of the hearing) to make submissions on the general question of the legitimate interest invoked by the Respondent to process data other than health data and that the Respondent only made a summary reply to this without any objections does not adequately justify Decision No 24/2020 of 14 May 2020.


23. Following the judgment, the Dispute Resolution Chamber decided on 27 November 2020 to take up the file again in order to make a new decision. The underlying consideration is that, notwithstanding the annulment of the aforementioned decision by the


Annulment of the aforementioned decision by the Market Court judgment, the Dispute Resolution Chamber is still caught by the initial complaint lodged on 14 June 2019 as declared admissible by the First Line Service on 26 June 2019. Accordingly, the debates are reopened and new conclusion deadlines are set so that the parties can take a position on the legitimate interest invoked by the Respondent to process data other than health data. 


The parties are informed of the following time limits for the submission of oral argument: 


                                                                                                .
- the latest date for the plaintiff's reply will be set at 8 January 2021;
                                                                                                .


                                                                                                . Decision on the merits 57/2021 - 2/36
- the date of the reply by the defendant shall be set at 19 February 2021;


The date of the hearing will also be fixed, which will take place on 22 March 2021.


24. On 27 November 2020, the Dispute Resolution Chamber received a communication from the Complainant stating that, in view of the clear arguments, it did not consider it necessary to provide additional argumentation. On the same day, the Dispute Resolution Chamber informs the Respondent that the Complainant has indicated that it will not be submitting a claim. At the request of the Respondent, the Dispute Resolution Chamber also confirms that the date initially set for the Reply by the Respondent as well as the date of the hearing will be maintained.


has taken the following decision regarding:
25. On 19 February 2021, the claim and accompanying documents were received by the Dispute Resolution Chamber from the Respondent. In it the Respondent puts forward the following pleas in law:  


    - Mr X, hereinafter “the complainant”;
- The Respondent may rely on its legitimate interests to process personal data for purposes pursuant to Article 4.3 of its former Privacy Notice (no violation of Articles 5.1(a), 5.2, 6.1(f) and 13.1(c) and (d) T&C.


    - Y, represented by Masters Benoit Van Asbroeck and Simon Mortier, hereinafter “de
- The Respondent may rely on an applicable legal ground for transfers to third parties pursuant to Article 6 of the former privacy notice (no violation of Articles 5.1(a), 5.2, 6.1 and 13.1(c) and (d) AVG.


        defendant".
- If the defendant cannot rely on all legal grounds under Article 6.1 of the AVG for the processing purposes under Article 4.3 of the old privacy notice and onward transfers to third parties under Article 6 of the old privacy notice, this constitutes an infringement of the defendant's freedom to conduct a business.  


- The Respondent submits that a reprimand is sufficient and the administrative fine of €50,000 is disproportionate.


26. On 22 March 2020, the parties were heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. During the hearing, the Respondent explained its defence. No other elements are introduced than those already on the file. After this, the debates are closed.


27. On 25 March 2021, the record of the hearing shall be submitted to the parties in accordance with Article 54 of the Rules of Procedure. On 5 April 2021, the respondent shall submit to the Dispute Resolution Chamber some comments on the transcript, which the Dispute Resolution Chamber decides to include in its deliberations.


    1. Facts and procedure
28. On 6 April 2021, the Dispute Resolution Chamber notified the Respondent of its intention to proceed with the imposition of an administrative fine, as well as the amount thereof, in order to give the Respondent the opportunity to defend itself before the sanction is actually imposed.  


29. On 27 April 2021, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine, as well as the amount thereof.


In summary, the Respondent states the following in its response to the intention to impose an administrative fine:


- As regards the lack of a demonstrated legitimate interest as a legal basis for the purposes of 'staff training' and 'storage of video surveillance recordings during the statutory period', the Respondent argues that no questions were raised during the hearing as to the lawfulness, necessity or proportionality of these processing purposes. 


  1. This decision is a reconsideration of decision 24/2020 of the Disputes Chamber of 14
In this regard, the Dispute Resolution Chamber notes that the Respondent has already extensively addressed in the Conclusions the lawfulness, necessity and proportionality of all processing purposes, including those for "training of staff" and "storage of video surveillance recordings during the statutory period", so that no additional clarification on this was requested at the hearing. During a hearing, only specific questions are asked about remaining ambiguities in order to clarify them and to allow the Dispute Resolution Chamber to form an opinion.


      May 2020, and implements the judgment of the Marktenhof of 18 November 2020, with
At the moment, the Litigation Chamber can only conclude that the Respondent's reaction to the intention to impose an administrative fine following the infringement of article 6.1 of the AVG for the purposes of "staff training" and "storage of video surveillance recordings during the statutory period" lacks a proven legitimate interest as a legal basis.


      roll number 2020 / AR / 813.
justified interest as a legal basis, does not contain any new elements which are of a nature to change the opinion of the Dispute Resolution Chamber.  


- As regards the amount of the fine, the Respondent considers that no fine can be imposed for the allegation of processing personal data without a legitimate interest. At the very least, the defendant considers that an amount of EUR 30 000 is disproportionately high. The defendant submits that it appeared from the written conclusions and during the hearing that general training material was in principle always anonymised and that personal data of customers were processed by means of camera surveillance. The documents in the file would also not show that any personal data of the complainant would have been processed for these purposes. Therefore, the complainant (and, by extension, the respondent's other customers) would, in principle, not have suffered any personal detriment as a result of any lack of legitimate interests for the processing activities "training of staff" and "storage of video surveillance recordings during the statutory period".


The Dispute Resolution Chamber emphasises that whether or not the person concerned suffers any personal disadvantage is not a criterion for the imposition of an administrative fine, as this is not included in Article 83.2 AVG. Therefore, in its decision below, it justifies this sanction without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for the imposition of an administrative fine are clearly laid down in article 83.2 AVG, on which the Dispute Resolution Chamber bases its decision regarding the administrative fine.


  2. This decision must be read in conjunction with decision 24/2020 and contains a
In so far as necessary, the Dispute Resolution Chamber adds that the Complainant provided its personal data to the Respondent for processing in connection with a hospitalisation insurance scheme and the Respondent subsequently indicated, on the basis of the then current privacy notice, that it also processed the Complainant's personal data for all the purposes stated in the privacy notice. On the basis of the privacy notice given at the time, the Respondent processed the Complainant's data for each of the purposes set out in the privacy notice. This is also apparent from the conclusion underlying the present decision, in which the Respondent itself delineates the allegations arising from the complaint (see margin number 33) and the allegations under points (f), (g) and (h) are the subject of its defence. The allegations arising from the complaint and as described by the defendant itself in its conclusion, concern defects in the privacy notice that concern the complainant, as well as ipso facto any other customer of the defendant who takes out hospital insurance. Indeed, the privacy notice was not drawn up exclusively for the complainant, but for every customer of the defendant who takes out hospitalisation insurance.


      review to give the defendant the opportunity to defend himself
This also explains why, in its conclusion, the Respondent seeks to demonstrate the lawfulness, necessity and proportionality of all processing purposes, without any distinction as to whether or not it is a processing purpose for which personal data of the Complainant are processed. The Respondent verifies that it has a legitimate interest for all processing purposes, because for each of those processing purposes, the personal data of the Complainant were processed in accordance with the Privacy Notice in force at the time.


      regarding all breaches of the GDPR for which a sanction was imposed in the initial decision,
- In addition, the Respondent considers that an amount of EUR 30,000 is disproportionate to the infringement. 


More specifically, with regard to the seriousness of the infringement, the Respondent disagrees with the Dispute Resolution Chamber's assertion that, merely because a breach of Articles 5 and 6 of the AVG has been established, the infringements are therefore automatically "serious" and "grave". The defendant submits that, on the one hand, those articles form the basis of virtually the whole of the AVG and, consequently, virtually any infringement of the other articles of the AVG can be reduced to an infringement of Articles 5 and 6 AVG. 


      insofar as these infringements are contested by Y. With this review, the
On the other hand, classifying these infringements as 'serious' and 'serious' prevents a differentiation being made with infringements that are truly serious and serious, such as, for example, the complete absence of a privacy notice. However, this is not at all the case here. 


      The disputes chamber thus falls within the framework of the initial decision, also with regard to the
The defendant argues that it did mention these processing purposes in its privacy notice and that it carried out, with the necessary rigour, extensive weighing of interests to ascertain whether it could invoke its legitimate interests. 


      administrative fine that cannot exceed the amount of the initially determined fine.
With regard to the Respondent's assertion that a breach of the fundamental principles of the AVG contained in Articles 5 and 6 AVG cannot automatically be regarded as serious and serious, the Litigation Chamber notes that Article 83.5 AVG itself provides for a more serious penalty for this breach, for which the highest maximum fine is set, precisely because it concerns fundamental principles that go to the heart of data processing. The Respondent's assertion that every breach of the AVG can be traced back to a breach of the core principles does not stand up, since the Dispute Resolution Chamber is bound by the complaint and performs its assessment against the AVG within those boundaries and therefore, contrary to what the Respondent suggests, every breach cannot be 'traced back' to breaches of the core principles. Since the object of the complaint is precisely the basic principles, the Dispute Resolution Chamber will rule in this case on the application of those principles. Where the Respondent quotes as an example that the total absence of a privacy statement would be a serious and serious breach, the Litigation Chamber states that the total absence of a privacy statement would not only be a serious and serious breach, but also a serious and serious breach.  


      With regard to the allegations concerning the Disputes Chamber in the initial decision
serious and onerous breach, but a total disregard for the AVG. However, this does not alter the fact that a defective privacy statement, such as the one at issue here, which does not respect the basic principles of the AVG, must be regarded as serious and serious.


      ruled that there was no breach of the GDPR, that judgment is preserved. The
As regards the duration of the infringement, the Respondent points out that it already amended its Privacy Statement during the initial proceedings in the beginning of 2020 and it amended its Privacy Statement again following the initial decision of the Dispute Resolution Chamber in the beginning of 2021 and this should be taken into account as an attenuating circumstance. As regards the deterrent effect, the Respondent again points to its willingness to always amend its Privacy Statement, which it has done twice in a very far-reaching manner, thus achieving the purpose of these proceedings according to the Respondent.  


      infringements identified in the initial decision and not contested by Y remain
The Dispute Resolution Chamber already indicated in the intention to impose an administrative fine, as well as the amount thereof, that it takes into account the efforts already made by the Respondent to bring its new privacy notice into line with the AVG, which demonstrates its willingness. On the other hand, it must be noted that, although the amendments made to the new privacy notice are a favourable element in the assessment of the administrative fine, they are not intended to undo the infringements found (see paragraph 120 above).


      equally preserved.
The Dispute Resolution Chamber gives more detailed reasons for imposing the administrative fine in section 3 of this decision.  


It follows from the foregoing that the Respondent's response does not lead the Dispute Resolution Chamber to modify the intention to impose an administrative fine or the amount of the fine as intended.


2. Reasons


1. Legitimate interest


  3. On June 14, 2019, the complainant lodged a complaint with the Data Protection Authority against
(a) Preliminary remark


      defendant.
30. It follows from the judgment of the Market Court that the Dispute Resolution Chamber in its decision 24/2020 of 14 May 2020 would have ruled without the Respondent being able to defend himself fully because the decision of the Dispute Resolution Chamber would not have been limited to the allegations that are the subject of the complaint.  


31. However, the complainant expressly states in the complaint that the customer must be given the choice of whether to consent to the processing operations listed in points 4.3 and 6, and he is not given it. Indeed, once he has given his consent to the processing of his personal data in the framework of a hospitalisation insurance policy, the data processing should, according to the complainant, be limited to the fulfilment of the obligations arising from that insurance policy. The complainant maintains that the defendant cannot process his data for any other purpose, more specifically the purposes mentioned in point 4.3 and 6 of the former privacy notice, without his consent. The complaint thus challenges the legal basis of the processing for the purposes listed in point 4.3. The Complainant considers that the purposes set out in point 4.3 require his consent and that the Respondent cannot therefore simply use the data obtained on the basis of consent in the context of hospitalisation insurance for other purposes, for which the Respondent relies on its legitimate interest.


32. The complaint thus essentially concerns the legal basis on which the Respondent may process personal data obtained from the Complainant for the purposes listed in paragraphs 4.3 and 6 of the Respondent's former privacy notice.


      The object of the complaint concerns the use of health data that the
33. In the Respondent's submission before us, the allegations are listed in paragraphs (a) to (h):


      insurance company of the person concerned has obtained under a
"(a) Y would obtain the consent for the processing of medical data in the context of the conclusion and performance of insurance contracts under coercion, which would render such consent invalid (violation of Articles 5(1)(a) (principle of lawfulness); 6(1)(a) and 9(2)(a) AVG)


      hospitalization insurance for other purposes without the express consent of the
(b) Y should give the Complainant access to the data protection impact assessment ('DIA') which it allegedly carried out for the processing of medical data in connection with the execution of insurance contracts with its customers (breach of Articles 35 and 36 AVG)


      insured person concerned. The complainant states that he has no problem with his
(c) Y should, in Articles 4.3 and 6 of the old Privacy Notice, make a better distinction between the processing of medical data on the one hand and the processing of other 'ordinary' personal data on the other (breach of Article 13(1)(c) AVG); 


      health data is processed for the performance of obligations under
d) Y should take additional measures to inform the data subjects of their right to object under Article 21(2) of the AVG (breach of Articles 12(1) and 13(2)(b) of the AVG)


      the hospitalization insurance taken out with the defendant, but a problem
e) Y should further clarify the legal grounds for the transfer of personal data to third parties, as mentioned in Article 6 of the Privacy Statement of Y (violation of Article 13 (1) (c) AVG)


      when those same health data are processed for the purposes listed
f) Y would process personal data without a demonstrated legal basis (including its legitimate interest within the meaning of Article 6(1) AVG) for a number of purposes referred to in Article 4.3 of the ex-Y Privacy Statement and transfers to third parties referred to in Article 6 of the ex-Y Privacy Statement (breach of Articles 5(1)(a) (legality principle) and 6(1) AVG)


      in point 4.3. of the privacy statement and for the transfer to third parties as mentioned in point 9
g) Y is alleged not to have provided sufficient information about its legitimate interests in its previous Privacy Statement where Y invokes this legal ground (violation of Articles 5(1)(a) (transparency principle) and 13(1)(c) and (d) of the AVG)


      of the same privacy statement (it concerns point 6, but the reference to point 9 is a
(h) Y is alleged, where Y invokes this legal ground, not to have sufficiently demonstrated what its legitimate interests would be and not to have demonstrated to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5(2) AVG).


      material mistake) as stated in the defendant's privacy statement. He asks that
34. The Respondent also confirms that the allegations described in paragraphs (a) to (h) arise from the Complaint by stating in the Conclusion the following:


      specifically for those purposes, as well as for the transfer the defendant gives the choice to the
"Should the Dispute Resolution Chamber find that the above allegations and alleged violations of the AVG by Y (points a to h) do not arise from the complaint [...], the Dispute Resolution Chamber is invited to inform Y thereof [...]."


      data subject to consent or not to the processing of his health data. Decision on the merits 57/2021 - 3/36
35. In this respect, the Dispute Resolution Chamber notes that the allegations as currently described by the Respondent in points (a) to (h) were already raised in the complaint, and in respect of which the Respondent now indicates that they do indeed result from the complaint, but in respect of which he nevertheless did not put forward a defence in the proceedings prior to decision 24/2020 of 14 May 2020 as regards (f), (g) and (h).


With regard to the allegations in points (a) to (e) of his conclusion, the Respondent indicates that he either had the opportunity to defend himself and was found in favour by the Dispute Resolution Chamber (this concerns allegations (a) and (b)), or did not contest the allegations and rectified them in the new privacy notice (this concerns allegations (c), (d) and (e)). As regards the established breach of Article 13.1(c) of the AVG regarding allegation (c), the breach of Article 12.1 and Article 13.2(b) of the AVG regarding allegation (d) and the


Article 13.1(c) AVG regarding allegation under (e), the Dispute Resolution Chamber refers to the reasons for this in decision 24/2020 of 14 May 2020.


    Finally, the complainant indicates that he wishes to receive a data protection impact assessment
The defence in the present conclusion only focuses on the allegations under points (f), (g) and (h).


    of the defendant as there is a high-risk data processing involved
36. To the extent that there may have been some lack of clarity regarding the subject matter of the complaint on the part of the Respondent prior to decision 24/2020, the Dispute Resolution Chamber nevertheless gave the Respondent the opportunity to defend itself, and will consider below whether and, if so, to what extent the Respondent breached the AVG with regard to the allegations set out in points (f), (g) and (h) of its conclusion, and whether the administrative fine should be upheld.


    The involved.
b) Legal basis for purposes mentioned under 4.3 of the Privacy Statement 


37. The Respondent claims to be able to rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes listed under Section 4.3 of the former Privacy Notice:


- Performing computer tests;


- Monitoring the quality of service provision;


4. On 26 June 2019, the complaint will be declared admissible on the basis of Articles 58 and 60 of
- training of personnel;


    the WOG, the complainant will be informed of this on the basis of art. 61 WOG and the complaint becomes
- monitoring and reporting;


    on the basis of art. 62, §1 WOG submitted to the Disputes Chamber.
- the storage of video surveillance recordings for the statutory period; and


- compiling statistics from encrypted data, including big data.


38. For each of these purposes, the Respondent has carried out a balancing of interests. The Dispute Resolution Chamber below assesses the balancing of interests undertaken for each of these purposes in accordance with the established decision-making2 approach it uses in assessing the legitimate interest.


5. On 23 July 2019, the Disputes Chamber will decide on the basis of art. 95, §1, 1 ° and art. 98 WOG that it
2 See, inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020.  


    file is ready for treatment on the merits.
39. Pursuant to Article 6.1(f) of the AVG and the case law of the Court of Justice of the European Union, three cumulative conditions must be met in order for a


controller may lawfully rely on that ground of law, 'namely, first, the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, second, the necessity of processing the personal data for the purposes of the legitimate interest pursued and, third, the condition that the fundamental rights and freedoms of the data subject are not prejudiced' (Rigas judgment)3. 


3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rigas regiona parvaldes Kartibas policijas parvalde v Rigas pašvaldibas SIA "Rigas satiksme", paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK t/ Asociatia de Proprietari bloc M5A-ScaraA, paragraph 40.


6. On July 24, 2019, the parties concerned will be notified of
40. In order to rely on the lawfulness ground of "legitimate interest" under Article 6.1(f) of the AVG, the controller must demonstrate, in other words, that: 


    the provisions as stated in article 95, §2 and in art. 98 WOG. The were also involved
1) the interests it pursues with the processing can be recognised as legitimate (the "purpose test"); 


    parties on the basis of art. 99 WOG of the time limits for their defenses
2) the intended processing is necessary for the purposes of achieving those interests (the "necessity test"); and


    to submit. The deadline for receiving the complainant's reply was
(3) the balance of these interests in relation to the interests, fundamental freedoms and rights of data subjects weighs in favour of the controller (the "balancing test").  


    recorded on 7 October 2019 and 7 November 2019 for the defendant.
41. With regard to the purpose of "conducting computer tests", the Respondent states the following:


"Context of the processing purpose


This processing purpose includes the tests performed by IT testers and developers:


7. On July 29, 2019, the defendant reports to the Disputes Chamber that it has taken note of
- in connection with "modifications", which are minor adjustments or in connection with purely functional aspects; and


    the complaint, it requests a copy of the file (art.95, §2, 3 ° WOG) and accepts it electronically
- in the context of any automation projects.  


    all communication regarding the case (art. 98, 1 ° WOG).
These tests are carried out in the context of:


- IT and network security;


- the maintenance, improvement and development of (the quality of) Y products and services; or


8. A copy of the file will be sent to the defendant on 30 July 2019.
- the improvement of the customer experience (e.g. to make internal processes and systems more efficient for back-office activities, to improve the user experience in Y's digital channels, etc.).  


This process does not include the acceptance and emulation phase, which can only be performed by the "specialised activities" team before the changes can actually be implemented and put into production." 


42. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled.


9. On August 2, 2019, the Disputes Chamber will receive a letter in which the defendant indicates
43. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.


    that he wishes to be heard by the Disputes Chamber (art. 98, 2 ° WOG).
44. Considering the purpose of computer testing, the Dispute Resolution Chamber should note that the Respondent ensures that, where possible, dummy data or anonymised data are used (e.g. in the case of changes involving different systems or applications and requiring a unique reference, such as the policy number). Only when there is no other option, will personal data be used to realise the intended change or development. Possible possibilities for (further) restriction of data processing are constantly investigated and progressively introduced as part of the project 'data anonymisation in non-production environments'. Furthermore, strict access controls are introduced on the IT environments where the IT tests are performed. Procedures are also established for how these IT tests are to be conducted, which all stakeholders must take into account.  


45. The Dispute Resolution Chamber notes that the Respondent cites using personal data only when there is no other option. During the hearing, Y states that the tests are always performed using dummy data, but that the testing phase determines the extent to which such data can be tested. In some cases, the limits of the possibilities to do data masking have been reached. This has to do with the life cycle of the tests, namely gradually dummy data can be used in IT tests, but sometimes the processing of personal data is required in order to ensure the interaction between applications.  The Dispute Resolution Chamber considers that the Respondent has thus made it reasonably plausible that the computer systems are not always based on


anonymised or pseudonymised data. The second condition is thus fulfilled, as it has been demonstrated that the principle of minimum data processing (Article 5.1(c) of the AVG) has been complied with. Nevertheless, the Dispute Resolution Chamber notes that for the sake of clarity vis-à-vis the customers concerned, the Respondent might consider providing in the privacy notice some succinct explanation of the case where the Respondent has no choice but to conduct computer tests with personal data.


10. On September 6, 2019, the Disputes Chamber will receive the statement of defense from the
46. In order to assess whether the third condition of Article 6.1(f) AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the reasonable expectations of the data subject should be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "4.


    defendant. Respondent argues, first, that processing special categories of
4 Recital 47 AVG.  


    personal data, in this case health data by health insurer Y in a lawful manner
47. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that moment that his data will be used for computer testing. After all, the customers expect a correct execution of their insurance contracts, which goes hand in hand with secure and correct management of the IT systems. The interest of the customers thus requires that the functionalities of the IT environment be tested for this purpose.


    happens. The processing of these special categories of personal data (Art.9 GDPR)
48. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) of the AVG for processing for the purpose of "computer testing".  


    is prohibited in principle. The respondent invokes the exception for the processing
49. With regard to the purpose of "monitoring the quality of service" and "compiling statistics from coded data, including big data", the Respondent states that this comprises three elements and provides as follows:


    of Article 9 (2) a GDPR, the express consent of the data subject. Second, argues
- For the part "Statistics and quality testing"


    respondent that no separate consent is required for each transfer of
"Context of the processing purpose


    personal data. Thirdly, according to the respondent, there is no question of asking
Y, as an insurer, is subject to prudential supervision. This includes the duty to exercise overall control over its business and its performance, including, but not limited to, the monitoring of sales performance, the performance and remuneration of certain hospital networks and cover/refunds. This relates to the overall control of the quality of the services and the performance of the insurance undertaking to ensure its continuity. This processing purpose includes both one-off and recurring reports, which may or may not involve the use of big data methodologies. These reports are mainly aggregated or anonymised, unless specific statistics are required (by category, such as by age group)."


    consent to the processing of data other than health data. Finally it was
50. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled.  


    according to the respondent, a data protection impact assessment is not necessary in this case
51. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.


    since it concerns existing processing operations and not new processing operations
52. The Dispute Resolution Chamber notes that the Respondent only justifies that it is necessary for it to compile statistics and conduct quality tests, as financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Dispute Resolution Chamber does not in any way disregard the need for the Respondent to have statistics and quality tests, but the Respondent limits itself to stating that mainly aggregated or anonymised reports are prepared unless specific statistics are required (by category such as e.g. by age group). Moreover, the Respondent states that big data methodologies may or may not be used to produce such reports. 


    commences after May 25, 2018. Decision on the merits 57/2021 - 4/36
53. To what extent the statistics still contain personal data or allow for the re-identification of a data subject, is further explained during the hearing. The respondent states that there are still very few statistics that contain personal data. The


In any event, the statistics do not contain names and certainly not health data. The statistics do contain codes, but these are aggregated, segmented data in the mass.


Also, the Directive (EU) 2016/97 on insurance distribution5 and the Belgian implementing legislation of this directive require the processing of certain personal data for specific reporting. Sometimes policy data is processed in the reporting, but this does not result in further processing in the statistics. Each report has a purpose and the processing may not exceed this purpose. A register is kept of those reports and their purpose, which are strictly regulated via the data warehouse and require approvals to deviate from it. 


5 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19.


54. The Dispute Resolution Chamber concludes that the Respondent has made the necessary efforts to limit the data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG).


11. The complainant has not exercised the right to submit a reply.
55. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it should be evaluated whether 'the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose'.  


56. The Dispute Resolution Chamber follows the Respondent's view that if an individual enters into an insurance contract with Y, that individual can reasonably expect Y to implement internal controls and compile statistics to ensure that Y can meet its contractual obligations.


57. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "Statistics and Quality Requirements".


12. The defendant does not submit a new claim and only submits exhibits on 7 November 2019
- For the section on "Satisfaction Surveys"


"Context of the processing purpose


    in support of the statement of defense submitted on 6 September 2019.
This processing purpose includes determining the NPS ("Net Promoter Score"), the customer satisfaction factor, by means of an external survey carried out by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Centre and the claims department (claims handling).  


58. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered to be carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled.


59. In order to fulfil the second condition, it should be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.


13. On January 9, 2020, the Parties will be notified that the hearing will take place
60. Starting from the purpose of conducting satisfaction surveys, the Dispute Resolution Chamber should establish that the Respondent allows customers to express an opinion anonymously through this survey and thus to assert their interests. The results are aggregated and processed by an external company so that the anonymity of those involved can be preserved. During the hearing, it was added that customers always have the choice of whether or not to participate in the survey, since they always have the right to object. The Panel finds that customers thus have the necessary freedom of choice, and that the results of those who participate in the survey are made available to the respondent in anonymous form.


    on January 28, 2020.
The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG).  


61. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it must be evaluated whether the "data subject


at the time and in the context of the collection of the personal data, the data subject may reasonably expect that processing can take place for that purpose "6.


14. On January 28, 2020, the defendant will be heard by the Disputes Chamber. The complainant, though
6 Recital 47 AVG.  


    duly summoned, did not appear. Among other things, the defendant answers questions from
62. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used by the defendant to gauge his satisfaction with the defendant's service.


    the Disputes Chamber on the legal basis for the processing of personal data, no
63. Consequently, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "conducting satisfaction surveys".


    being health data. After this, the debates are closed.
- For the section on 'Quality assurance tests on operations


"Context of the processing purpose


This processing purpose relates to the general monitoring of the quality of the operational services and the performance of Y . This concerns quality checks whereby each employee concerned must carry out 2 random checks per week on the correct underwriting or execution of the insurance contract and applicable instructions and procedures for this purpose."


15. On January 29, 2019, the official report of the hearing will be presented to the parties.
64. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled.  


65. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question must be asked whether the same result can be achieved by other means without processing personal data or without processing that is unnecessarily intrusive for the data subjects.


66. In view of the purpose, being the general monitoring of the quality of Y's operational services and performance, the Litigation Chamber should note that the Respondent asserts that Y is subject to the Insurance Distribution Directive (EU) 2016/97 and the Belgian implementing legislation which require insurance companies to tailor their services to the desires and needs of their customers. As indicated during the hearing, the Respondent does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and scope of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). The processing of personal data is necessary in order to actively measure the quality of the service.


16. On January 31, 2020, the defendant will provide the annual turnover as requested during the hearing
67. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "7.


    of the last three financial years. For the years 2016-2018, these always amount to a turnover between
7 Recital 47 AVG.  


    the 500 and 600 million Euros.
68. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for carrying out internal quality controls in order to ensure that Y can comply with its legal and contractual obligations.  


69. Accordingly, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of 'quality checks operations'.


70. With regard to the purpose of "training of personnel", the Respondent states the following:


17. On 6 February 2020, the Disputes Chamber will receive a number of comments from the defendant
"Context of the processing purpose


    with regard to the official report, which it decides to include in its deliberations.
This includes the organisation and follow-up of training, awareness sessions and courses for Y employees who come into contact with (personal data of) customers. Trainings include  


- technical aspects (e.g. with regard to Y products);


- technical aspects (e.g. the use of Office 365 applications, information security training, etc.)


18. On March 25, 2020, the Disputes Chamber will notify the defendant of its intention to do so
- On the job training (training for new employees as well as training with the aim to continuously improve the quality of service); and


    to impose an administrative fine, as well as the amount thereof
- More general aspects such as compliance topics (e.g. AVG, IDD, etc.).


    in order to give the defendant the opportunity to defend himself before the sanction becomes effective
71. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled.


    is imposed.
72. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.  


73. Starting from the purpose of training staff, the Dispute Resolution Chamber should note that the Respondent submits that in exceptional cases the cases used for training contain personal data of customers, or personal data of customers are used for the preparation of the training material. However, the Respondent states that the underlying material (case studies) is generally fully anonymised.


74. The Dispute Resolution Chamber notes that the Respondent cites that, in the context of training, cases contain personal data of customers only in exceptional cases or personal data of customers are used for the preparation of the training material. However, the Respondent fails to clarify in which cases it would be required to provide training to staff using customers' personal data. The defendant does not make it reasonably plausible that staff training could not always be provided on the basis of anonymised data. The second


19. On May 8, 2020, the Disputes Chamber will receive the respondent's response to the intention
condition is thus not met, as it has not been demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) is complied with.


    to impose an administrative fine, as well as the amount thereof.
75. In order to verify whether the third condition of Article 6.1(f) of the AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 of the AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "8.  


    The defendant alleges that the alleged infringements as contained in the intent of
8 Recital 47 AVG.


    the Disputes Chamber would be completely new and he was unable to do so
76. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for staff training. A policy holder can only expect normal management of his customer file, which only requires access to the information contained therein by the personnel who have to carry out tasks for the benefit of the customer concerned. When, in the context of training, information from actual files is shared, the processing of that information is not limited to those who have to perform tasks in the file concerned.


    to defend. However, the Disputes Chamber must establish this from the documents in the file
77. Consequently, the Litigation Chamber concludes that the Respondent cannot rely on the legal ground of 'legitimate interest' for processing for the purpose of 'staff training' and therefore there is an infringement of Article 6.1(f) of the AVG. The Dispute Resolution Chamber additionally notes that if the Respondent nevertheless wishes to use customers' personal data for the purpose of training staff, it may rely on another legal ground, namely consent (Article 6.1(a) AVG).


    it is indisputable that the defendant does have full rights of defense
78. With regard to the purpose of "monitoring and reporting", the Respondent states the following:


    can exercise.
"Context of the processing purpose


    The defendant also claims to disagree with the imposition of a fine, or the
This processing purpose includes, inter alia, the production of reports for auditing purposes in the context of:


    intended amount of the fine. However, he does not put forward any (new) arguments
- IFRS 17 accounting standards for insurance contracts and Belgian generally accepted accounting principles ("Belgian GAAP")  


    substantiation of this thesis. The response of the defendant gives before the Dispute Chamber Decision on the merits 57/2021 - 5/36
- calculating reserves (within the framework of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act), etc.); or


- profitability monitoring or reports in the context of large claims.


These reports are made both for internal control purposes and for reporting to the Y1 Re group (of which Y is part). This includes both recurring reports and one-off ad hoc reports. Only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are made in the context of large claims or ad hoc reports relating to specific cases or outliers.


79. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled.


      therefore no reason to adjust the intention to impose a
80. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.


      administrative fine nor to change the amount of the fine such as
81. Based on the purpose of monitoring and reporting, the Litigation Chamber finds that the Respondent asserts that the various general financial and insurance law regulations (in the context of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act)) cannot be complied with without drawing up the necessary reports or carrying out monitoring. As indicated during the hearing, the Respondent also does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and extent of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). Indeed, the processing of personal data is necessary since compliance with the legislation cannot be achieved without the necessary reports or monitoring.


      intended.
82. The Respondent adds that only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are prepared in the context of large claims or ad hoc reports relating to specific cases or outliers. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1(c) of the AVG).  


83. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "9.


9 Recital 47 AVG.


  20. On May 14, 2020, the Disputes Chamber ruled as follows in its Decision on the merits 24/2020:
84. The Dispute Resolution Chamber considers that in the case of collection of personal data in the context of taking out insurance, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for the fulfilment of the legal and contractual obligations of the defendant.


      - on the basis of art. 100, §1, 9 ° WOG, to order the defendant that the processing in
85. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "monitoring and reporting".


86. With regard to the purpose "storage of video surveillance recordings for the statutory period", the Respondent states the following:


      is brought into line with article 5.1 a), article 5.2, article 6.1, article 12.1, article
"Context of the processing purpose


      13.1 c) and d) and 13.2 b) GDPR.
It concerns the processing of personal data by means of the cameras located within the premises of Y for the purpose of safeguarding customer security, data security and the protection of the company's assets."


      - on the basis of art. 100, §1, 13 ° WOG and art. 101 WOG to impose an administrative fine
87. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest that the


      of EUR 50,000 as a result of the violations of article 5.1 a), article 5.2, article 6.1, article
Respondent pursued as a data controller can in itself be considered justified pursuant to recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled.  


      12.1, article 13.1 c) and d) and article 13.2 b) GDPR.
88. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects.  


89. Starting from the purpose of providing video surveillance, the Dispute Resolution Chamber should note that the Respondent asserts that the images are stored in a secure environment. Both the room and the IT servers involved are subject to strict access security measures. Access to the images is subject to strict procedures. Storage of the images is also limited to the legal retention period (in principle 30 days).


90. The second condition is thus fulfilled as it was demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) was complied with.


  21. On 17 June 2020, the Disputes Chamber will receive the
91. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the data subject's reasonable expectations must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "10.


      notification of an application against the GBA, lodged at the Registry of the Court.
10 Recital 47 AVG.  


92. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for video surveillance. The purpose of video surveillance is not related to the conclusion of an insurance contract, so that the policyholder cannot expect that his personal data provided in connection with an insurance contract will be used for video surveillance purposes. Video surveillance only takes place when the defendant's premises are physically entered, and then it is sufficient


compliance with the camera law, including the obligation to display a pictogram with information to inform the person concerned.


  22. The introductory session for the Marktenhof will take place on 24 June 2020, at which the
93. Consequently, the Dispute Resolution Chamber concludes that the Respondent cannot rely on the legal basis 'legitimate interest' for processing for the purpose of 'storage of video surveillance recordings during the statutory period' and thus there is an infringement of Article 6.1(f) of the AVG. 


94. For the sake of completeness, the Litigation Chamber adds that if a controller wishes to use surveillance cameras, it must then comply with its legal obligations under the Act of 21 March 2007 regulating the installation and use of surveillance cameras. As soon as a controller makes use of surveillance cameras, data processing obligations flow from that law, so that the controller can rely on Article 6(1)(c) AVG. In this regard, the Respondent stated during the hearing that the necessary pictograms have been affixed in accordance with this law.


      conclusion deadlines for the parties are set, as well as the case is set for
c) Model balancing of interests


      pleadings at the session on October 21, 2020.
95. For each of the aforementioned purposes, the Respondent argues that the processing purpose is permissible because the quantitative score calculated by the balancing of interests model used by Y is below 30. The Respondent submits that on the basis of that model, the processing purposes may be supported by the legitimate interests of the controller to the extent that this score does not exceed 30.  


      The Marktenhof will pass judgment on 18 November 2020.
96. In this respect the Litigation Chamber notes that the model used by Y is a purely internal instrument which, at most, can serve as a guideline within the company, but from which no legal arguments can be drawn in order to pass the test against the legal basis of Article 6.1(f) of the AVG. Thus, no legal value can be attached to the scores calculated on the basis of that model.  


      The judgment contains the following points for attention with regard to the assessment of
d) All legal grounds contained in Article 6.1 AVG


      the subject of the petition:
97. The Respondent believes that the Dispute Resolution Chamber would have stated in its Decision 24/2020 that it can only rely on consent as a legal ground (Article 6.1(a) AVG) for the  


processing purposes listed in section 4.3. of the old Privacy Notice and not on the other legal grounds of Article 6.1 AVG.


98. The Litigation Chamber explains that in this regard the following was stated in the decision 24/2020:


      • Annulment of decision on the merits no. 24/2020 of 14 May 2020 of the Disputes Chamber.
"The Litigation Chamber therefore considers that the breach of Art. 6.1. AVG has been proven, as the data processing for the purposes set out in sections 1, 2, 3 4, 6 and 7 of point 4.3. of the Privacy Statement, without any demonstrated legitimate interest, must be based on the consent of the complainant in the absence of any other possibly applicable legal ground in Art. 6.1. AVG."


      • The Marktenhof argues that the defendant should be given the opportunity - after the complaint is ready
99. From this the defendant infers, albeit incorrectly, that the Dispute Resolution Chamber has given consent as the sole legal basis for the purposes set out therein. However, the Respondent ignores the fact that the Dispute Resolution Chamber reaches that decision precisely because the Respondent fails to demonstrate any legitimate interest and thus fails to demonstrate that the applicable conditions are met to rely on this legal basis in Article 6.1(f) AVG. Indeed, the Litigation Chamber expressly stated in its decision that the Respondent did not demonstrate in any way what its legitimate interest would be and also failed to demonstrate to what extent its interest would outweigh the interests and fundamental rights of the Complainant, although the Respondent is obliged to do so on the basis of its accountability obligation (Article 5.2 AVG). Thus, the Dispute Resolution Chamber could not retain Article 6.1(f) AVG as a valid legal basis. Based on the factual elements that led to decision 24/2020, the only remaining legal ground was consent. 


          and clearly formulated in writing - in order to reach a written conclusion on this
The Litigation Chamber emphasises that any controller, including thus also the Respondent, may rely on any possible legal ground under Article 6.1 AVG, but that the applicable conditions for the legal ground relied upon must be met. 


2. Legal ground for transfers to third parties


          take. The fact that the defendant was asked on the occasion of the hearing
101. First, the defendant claims that a transfer to third parties is not a processing purpose in itself, but is a mere form of processing personal data within the meaning of Article 4.2 AVG. The Respondent argues that it only makes considerations of interests per processing purpose, but not per processing.


          (which was stated in the minutes of the hearing) to take a position
102. The Dispute Resolution Chamber states that it follows from Article 5.1(a) AVG that personal data must be processed for a specified purpose and that such processing must be lawful within the meaning of Article 6.1 AVG. It is therefore clear that any processing must take place within the framework of a well-defined, explicit and legitimate purpose and that this processing must be based on a legal basis in order to be considered lawful. It is, of course, possible to carry out several processing operations for the same purpose within the meaning of Article 4.2 of the AVG, but this does not alter the fact that data processing for a certain purpose can only be regarded as lawful if there is a legal basis for doing so.


          on the general question of the legitimate interest on which the defendant
103. The Litigation Chamber notes that, for each transfer to a third party, the purpose for which the transfer is made must be determined. In order to verify whether the transfer to a third party can be considered lawful, the purpose of the transfer to a third party must be determined.


          is relying on processing other than health data and that the defendant
104. As the Respondent rightly points out, the legal basis for the transfer to processors (which are, however, not third parties within the meaning of Article 4(10) of the AVG) is the same as for the data processing by the Respondent itself. Indeed, the purpose of processing remains unchanged, as the processor processes the personal data only for the benefit of the defendant as controller.


          only formulated a brief answer to this without any reservations or objections
105. If the personal data are transferred to a third party within the meaning of Article 4. 10) AVG for the purpose of enabling that third party to process the personal data in question for its own purposes, then that transfer should be considered in isolation for that specific purpose and requires a separate legal basis. For the sake of transparency, the processing basis for all transfers should be stated in the privacy notice in order for the defendant to comply with its obligation under Article 13(1)(c) of the AVG. However, this is not the case, which is why the Dispute Resolution Chamber is of the opinion that there has been a violation of Article 13.1(c) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG.


          does not adequately justify decision no. 24/2020 of 14 May 2020.
3. Principle of Transparency


106. Notwithstanding the fact that Article 13.1(d) AVG requires the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f), the Respondent maintains that this is sufficient for the purposes of the Privacy Notice referred to in 4.3 above, as well as for the transfers referred to in 6 of the


  23. Following up on the judgment, the Disputes Chamber will decide on November 27, 2020 to proceed
privacy statement which are based on Article 6(1)(f) of the AVG, it is sufficient to state that personal data are processed based on the legitimate interest of the defendant, without explaining what exactly this legitimate interest would consist of.


      to retake the file with a view to taking a new decision. The
107. The Respondent submits that the balancing of interests concerns internal documents which have not been made public by Y or included in its Privacy Statement, given the business-sensitive information they contain. Moreover, these are voluminous, rather privacy-related documents that are typically not included in a Privacy Statement.  


      The underlying consideration is that the Disputes Chamber notwithstanding the
108. For transfers to "the companies of the group Y1 Re to which Y belongs, for monitoring and reporting purposes", the Respondent confirms that it is a transfer to another controller, mentions its legitimate interest in its conclusion under the processing purpose "monitoring and reporting", but fails to clarify its legitimate interest in the Privacy Statement.


109. Furthermore, the Respondent also refers to recital 48 of the AVG which provides that controllers which are part of a group of companies or a group of institutions affiliated to a central body may have a legitimate interest in the transmission of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees.


110. The Dispute Resolution Chamber acknowledges that recital 48 applies to the Respondent, but this does not prevent the Respondent from being transparent on this issue in its privacy notice and also in such a case from indicating the legal basis and making clear what its legitimate interest consists in, which is not the case in the old privacy notice.


111. As regards the transfer to "subcontractors in the European Union or outside, responsible for processing activities defined by Y", the Respondent argues that they are processors of Y .


112. The Litigation Chamber therefore repeats the reasoning in this regard from its decision 24/2020 to conclude a breach of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG. The privacy declaration merely states that personal data are processed for the purposes set out in 4.3 on the basis of the legitimate interest of the defendant, without indicating what exactly this legitimate interest would be, whereas Art. 13.1(d) AVG does require that the processing of personal data be based on the legitimate interest of the defendant. AVG does require the controller to provide the data subject with information regarding his legitimate interests if the processing is based on Article 6(1)(f).


1
113.  The Dispute Resolution Chamber also refers to the European Data Protection Board (EDPB) Guidelines on transparency under Regulation (EU) 2016/67911, which emphasise that the specific interest in question must be identified for the benefit of the data subject.  
  The judgment is available on the website of the Data Protection Authority via the following link:
https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf Decision on the merits 57/2021 - 6/36


11 EDPB, Guidelines of the Article 29 Data Protection Working Party on Transparency under Regulation (EU) 2016/679, adopted on 29 November 2017, last revised and adopted on 11 April 2018, p. 42.
116. As the Respondent points out, it is not prepared to apply the aforementioned best practice because, in its view, the documents in question are internal privacy documents containing business-sensitive information. 


117. The Dispute Resolution Chamber states that even if the Respondent refuses to follow this best practice, it is at least obliged under Article 12.1 AVG to provide the data subject with information on its legitimate interest for each of the purposes for which it invokes that legal basis in a concise, transparent, intelligible and easily accessible form and in clear and simple language. In order to comply with this, it is by no means required that privacy technical documents would be disclosed, but it is required that information regarding the legitimate interest is provided in clear language that can be easily understood by a (potential) customer of the defendant


118. The Litigation Chamber finds that the information required by Article 13.1(d) AVG has not been made available by the Respondent in any way, so that the breach of Article 13.1(d) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG has been established. 


    annulment of the aforementioned decision by the judgment of the Marktenhof, is still contained
4. Administrative fine


    by the initial complaint filed on June 14, 2019 as declared admissible by the
119. The fact that the Respondent did commit the infringements of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG leads the Dispute Resolution Chamber to uphold the administrative fine. This sanction is not intended to put an end to a violation that has been committed, but to ensure vigorous enforcement of the rules of the AVG. After all, as is clear from recital 148 of the AVG, the AVG stipulates that in the event of any serious breach - i.e. even if the breach is detected for the first time - sanctions, including administrative fines, shall be imposed in addition to or as an alternative to appropriate measures.13 In the following, the Dispute Resolution Chamber demonstrates that the infringements committed by the Respondent of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG are by no means minor infringements, nor that the fine would cause a disproportionate burden to a natural person as referred to in recital 148 AVG, whereby a fine may be waived in either case. The fact that it is a first finding of an infringement committed by the defendant is not sufficient to justify the imposition of a fine.


    First-line service on June 26, 2019. Therefore, the debates will be reopened
13 Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or as an alternative to any appropriate measures imposed by the supervisory authorities under this Regulation. Where the infringement is minor or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be substituted for a fine. However, account should be taken of the nature, seriousness and duration of the breach, of the intentionality of the breach, of measures to mitigate damages, of the degree of responsibility or of previous relevant breaches, of how the breach came to the attention of the supervisory authority, of compliance with measures taken against the controller or processor, of adherence to a code of conduct and of any other aggravating or mitigating factors. The imposition of sanctions, including administrative pecuniary sanctions, should be subject to appropriate procedural safeguards in line with general principles of Union law and the Charter, including effective remedy and fair trial. own emphasis]


    and new closing deadlines are set, so that parties can take a stand
As regards the AVG, this does not in any way affect the ability of the Dispute Resolution Chamber to impose an administrative fine. The Dispute Resolution Chamber shall impose the administrative fine in application of Article 58.2(i) AVG. 


    regarding the legitimate interest on which the defendant relies on other than
120. The Litigation Chamber again emphasises that the instrument of an administrative fine is in no way intended to terminate infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG. It further emphasises that the administrative fine is one of the sanctions provided for in Article 58.2 AVG and Article 100 WOG. Neither EU law nor national Belgian law establish a hierarchy with regard to the sanctions to be imposed. As an organ of an independent data protection authority as provided for in Section 51 of the AVG, the Litigation Chamber is free to choose the most appropriate sanction. The Litigation Chamber considers that, in view of the controller's duty of accountability, the imposition of an administrative fine for a breach of the AVG could be expected.14 
12 See paragraph 35 of the Guidelines referred to in footnote 6.


    process health data.
114. Also with regard to point 6. of the Privacy Notice, the Respondent does not indicate what would be its legitimate interest, invoked by it, to process personal data of the Complainant for the purpose of transfer to "The companies of the Y1 RE group to which Y belongs, for monitoring and reporting purposes" and "Subcontractors in the European Union or beyond, responsible for processing activities defined by Y". However, Art. 13.1. d) AVG does require the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f). In this regard, the Litigation Chamber refers again to the Guidelines on Transparency pursuant to Regulation (EU) 2016/679 and the above.


115. The Dispute Resolution Chamber stated in its decision 24/2020 that as a best practice, the controller may also, before collecting personal data from the data subject, provide the data subject with information on the consideration to be given to Article 6(1)(f) as the legal basis for the processing. To avoid information fatigue, this information could be included in a layered privacy notice.12 The information provided to data subjects should make clear that these data subjects may receive information on the balancing exercise upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the assessment made or wish to lodge a complaint with a supervisory authority.


14 On the competence of the Dispute Chamber to impose an administrative fine, see also decision no. 55/2021 of 26 April 2021, available in French on the website of the GBA. 


  The parties are notified of the following settlement deadlines:
15 Brussels Court of Appeal (Market Court section), Judgment 2020/1471 of 19 February 2020.


  • the deadline for the complainant's reply is set at 8
121. Taking into account Article 83 AVG and the jurisprudence15 of the Markets Court, the Dispute Resolution Chamber motivates the imposition of an administrative sanction in concrete terms: - The seriousness of the breach: the reasoning below shows the seriousness of the breach. 


      January 2021;
- The duration of the breach: the breaches are assessed with regard to this aspect in the light of the date on which the AVG became applicable, namely 25 May 2018. The Respondent's privacy notice appears to have remained unchanged since the AVG became applicable until a new privacy notice was drafted in response to the complaint. However, the new privacy statement is not the subject of the Dispute Resolution Chamber's assessment, so it does not express an opinion on the extent to which the new privacy statement complies with the AVG.


  • the deadline for the defendant's reply is set at 19
- The necessary deterrent effect to prevent further breaches


      February 2021;
122. As regards the nature and seriousness of the breach (Article 83.2(a) AVG), the Litigation Chamber emphasises that compliance with the principles laid down in Article 5 AVG - in this case, in particular, the principle of transparency including accountability, as well as the principle of legality - is essential, as these are fundamental principles of data protection. The Litigation Chamber considers that the defendant's infringement of the principle of legality


The Dispute Settlement Chamber therefore considers that the Respondent's breach of the principle of lawfulness set out in Article 6 of the AVG and of the principle of transparency set out in specific terms in Articles 12 and 13 of the AVG constitutes a serious breach. 


  The date of the hearing will also be determined, which will take place on March 22, 2021.
123. An important element in determining the amount of the fine is the fact that the Defendant does not contest the following infringements as substantiated in Decision 24/2020 and, as a result, has already made efforts to bring the new privacy notice into line with the AVG in these respects 


- Infringement of Article 12.1 and 13.2 b) of the Privacy Act by not mentioning in the privacy declaration the possibility for the person concerned to exercise his/her right of retention.


- Infringement of Article 13(1)(c) AVG for failure to state the legal basis for the transfer to each of the different categories of third parties in point 6. of the privacy statement.


24. On 27 November 2020, the Disputes Chamber will receive the notification from the complainant that the
124. Although the amendments made to the new Privacy Notice are a favourable element in the assessment of the administrative fine, the Litigation Chamber emphasises that they are not intended to undo the breaches found. The infringements were found and cannot be retroactively reversed by the controller bringing its data processing into compliance with the requirements of the AVG, albeit too late.


    because of the clear arguments it seems unnecessary to add additional arguments to him.
125. In addition, infringements are also identified in the present decision:  - Infringement of Article 6.1 AVG as regards the purposes of 'training of staff' and 'storage of video surveillance recordings during the statutory period'.


    On the same day, the Disputes Chamber will inform the defendant that it informs the complainant
- Infringement of Article 13(1)(c) of the AVG in conjunction with Article 5(1)(a) of the AVG and Article 5(2) of the AVG.


    has stated that it will not submit a conclusion. At the request of the defendant, the
- Infringement of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG.  


    The Disputes Chamber also states that the initially determined date for the statement of reply of the
Furthermore, the Dispute Resolution Chamber also takes into account the finding that the violation of Article 6.1 AVG is limited to two processing purposes "the training of staff" and "the storage of video surveillance recordings during the statutory period" and is therefore of a nature to justify a reduction in the amount of the fine. In addition, the breaches of the principle of transparency and accountability that have been established are of such gravity


    defendant, as well as the date of the hearing.
that a substantial fine is appropriate. This is all the more true in view of the large scale of the defendant's processing of data other than health data with a decisive impact on all insured persons who have taken out hospital insurance with Y, which is a considerable number of persons concerned. A decisive element in this respect is also the fact that Y is a major player in the insurance market which may be expected to align its privacy policy with the AVG with due diligence.  


126. As regards the lack of transparency, the Litigation Chamber also points out that the AVG precisely provided for a transitional period of 2 years16 in order to give every controller the necessary time to prepare for and adapt to the requirements set by the AVG. Therefore, the Respondent's argument during the hearing that the changes made by the AVG to the previous Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data are at the root of the lack of transparency cannot be accepted. The defendant argues that Articles 13 and 14 AVG, in conjunction with Article 12 AVG, and the precise manner in which they are interpreted caused the difficulty. The transparency guidelines of the Group 29 (now EDPB) were an aid. Again, the Dispute Resolution Chamber should note that those Guidelines already date from 29 November 2017, were revised and adopted on 11 April 2018 and have remained unchanged since then. The Respondent thus had sufficient time, as required by its accountability obligation (Article 5.2 AVG), to align its privacy statement with the AVG.


16 Article 99 AVG


25. On February 19, 2021, the Disputes Chamber will receive the conclusion with accompanying documents from
127. This leads the Dispute Resolution Chamber to reconsider the fine and reduce it to €30,000.


    the defendant. In it, the defendant puts forward the following pleas:
128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in Section 83 AVG, taking into account the assessment criteria set out therein. The Litigation Chamber points out that the other criteria of art. 83.2. AVG in this case are not such as to result in an administrative fine other than that determined by the Dispute Resolution Chamber for the purposes of this decision.


          • The respondent can rely on its legitimate interests for the processing
5. Publication of the decision


              of personal data for purposes in accordance with Article 4.3 of its old
129. In view of the importance of transparency regarding the Dispute Resolution Chamber's decision, this decision is published on the GBA's website. However, it is not necessary for the identification details of the parties to be published directly for this purpose.  


              privacy statement (no violation of article 5.1 a); 5.2, 6.1 f) and 13.1 c) and d)
FOR THESE REASONS,  


              GDPR.
the Data Protection Authority's Dispute Resolution Chamber, after deliberation, decides to reverse its decision 24/2020 of 14 May 2020 and to impose an administrative fine of €30,000 on the Respondent, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, for violations of articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG.  


          • Respondent can rely on an applicable legal basis for transfers to
This decision may be appealed pursuant to Article 108 § 1 WOG within a period of thirty days from the notification to the Market Court, with the Data Protection Authority as defendant.


              third parties in accordance with Article 6 of the old privacy statement (no
(Get).Hielke Hijmans


              violation of articles 5.1 a), 5.2, 6.1 and 13.1 c) and d) GDPR.
President of the Litigation Chamber </pre>
 
          • If defendant cannot invoke all legal grounds under Article
 
              6.1 GDPR for the processing purposes in accordance with Article 4.3 of the old
 
              privacy statement and transfers to third parties in accordance with Article 6 of the old
 
              privacy statement, this constitutes an infringement of the freedom to conduct a business of the
 
              defendant.
 
          • Respondent argues that a reprimand is sufficient and that the administrative fine of
 
              € 50,000.00 is disproportionate. Decision on the merits 57/2021 - 7/36
 
 
 
26. On March 22, 2020, the parties will be heard by the Disputes Chamber. The complainant, though
 
    duly summoned, did not appear. The defendant will explain his defense during the hearing
 
    to. No elements other than those that already form part of this are applied
 
    File. After this, the debates are closed.
 
 
 
 
27. The minutes of the hearing will be presented to the parties on 25 March 2021
 
    in accordance with Article 54 of the Rules of Procedure. The defendant delivers on April 5
 
    2021 the Disputes Chamber some comments with regard to the official report, which
 
    she decides to include it in her deliberation.
 
 
 
28. On April 6, 2021, the Disputes Chamber announced its intention to the defendant
 
    to proceed to impose an administrative fine, as well as the amount
 
    in order to give the defendant the opportunity to defend himself before the sanction
 
    is effectively enforced.
 
 
 
29. On April 27, 2021, the Disputes Chamber will receive the respondent's response to the intention
 
    to impose an administrative fine, as well as the amount thereof.
 
    In summary, the defendant states in his response to the intention to impose a
 
    administrative fine the following:
 
 
 
  - With regard to the lack of a demonstrated legitimate interest as a legal basis for the
 
      purposes “training personnel” and “storage of video surveillance recordings
 
      during the legal period, ”the defendant argues that there was no
 
      questions were asked regarding legality, necessity or the
 
      proportionality of these processing purposes.
 
 
 
      In this regard, the Disputes Chamber notes that the defendant in the claims already
 
      The legality, necessity and proportionality of all have been discussed extensively
 
 
      processing purposes, including those for “staff training” and “storage
 
      of video surveillance recordings during the legal period ”, so that no
 
      additional clarification was requested during the hearing. Be at a hearing
 
      only punctual questions were asked about any remaining uncertainties in order to clarify them
 
      and to allow the Disputes Chamber to form an opinion.
 
      At present, the Disputes Chamber can only establish that the respondent's response to the
 
      intention to impose an administrative fine as a result of the infringement of
 
      Article 6.1 GDPR with regard to the purposes “training personnel” and “storage
 
      of video surveillance recordings during the legal period ”in the absence of a Decision on the merits 57/2021 - 8/36
 
 
 
    demonstrated legitimate interest as legal basis, does not contain any new elements that of
 
    nature to change the judgment of the Disputes Chamber.
 
 
 
- With regard to the amount of the fine, the defendant is of the opinion that no fine is possible
 
 
    be charged for charging that personal data would have been processed without it
 
    to have a legitimate interest. At the very least, the defendant believes that a
 
    amount of EUR 30,000 is disproportionately high. The defendant argues that from the
 
    written conclusions and the hearing revealed that general training material
 
    in principle, it is always anonymized and there is virtually no personal data of customers
 
    are processed via CCTV. The documents in the file do not show that either
 
    any personal data of the complainant would have been processed for this
 
    processing purposes. For that reason, the complainant (and by extension the other customers of
 
    defendant), have in principle not been personally harmed by any lack of
 
    legitimate interests for the processing activities “staff training” and
 
    “The storage of video surveillance recordings during the legal period”.
 
 
 
    The Disputes Chamber emphasizes whether or not experiencing any personal harm
 
    does not constitute a criterion for imposing an administrative fine, as this is not
 
    included in Article 83.2 GDPR. It will therefore motivate this sanction in its decision below
 
    without taking into account whether or not the complainant has any personal disadvantage
 
    ago. The criteria for imposing an administrative fine are clearly defined
 
    in article 83.2 GDPR, on which the Disputes Chamber will make its decision regarding the administrative
 
    fine.
 
 
 
    To the extent necessary, the Disputes Chamber adds that the complainant is
 
    has provided personal data to the defendant for processing under a
 
    hospitalization insurance and the defendant then on the basis of the then
 
    privacy statement indicated that the personal data of the complainant was also processed for all
 
    purposes stated in the privacy statement. Based on the then privacy statement
 
    the defendant processed the complainant's data for each of the purposes included
 
    in the privacy statement. This is also evident from the conclusion that underlies the current one
 
    decision, in which the defendant himself defines the allegations arising from the complaint
 
    (see marginal 33) and the allegations under points f), g) and h) are the subject of
 
    his defense. The allegations arising from the complaint and as made by the defendant himself
 
    described in his conclusion, concern defects in the privacy statement issued by the complainant
 
    concern, as well as ipso facto any other customer of the defendant who has a
 
    take out hospitalization insurance. After all, the privacy statement is not exclusively for the complainant
 
    drawn up, but for each client of the defendant who takes out hospitalization insurance. Decision on the merits 57/2021 - 9/36
 
 
 
    This also explains why the defendant in his claim the legality, necessity
 
    and proportionality of all processing purposes, without distinction of whether or not
 
    concerns a processing purpose for which personal data of the complainant will be made
 
    processed, tries to demonstrate. The defendant verifies whether it is for all processing purposes
 
 
    has a legitimate interest, because for each of those processing purposes the
 
    personal data of the complainant were processed in accordance with the then
 
    privacy declaration.
 
 
 
- In addition, the defendant is of the opinion that an amount of EUR 30,000 is disproportionate to
 
    the infringement.
 
    More specifically, as regards the seriousness of the infringement, the defendant does not agree with the
 
    statement of the Disputes Chamber that, solely because of the fact that an infringement of Articles 5
 
    and 6 of the GDPR, the infringements are therefore automatically “serious” and
 
    Would be “serious”. The defendant argues that on the one hand these articles are the basis
 
    lie with almost the entire GDPR and therefore virtually any violation of the other GDPR
 
    articles can be reduced to an infringement of articles 5 and 6 GDPR.
 
    On the other hand, these infringements are classified as being “serious” and “serious”.
 
    prevent a differentiation from being made with infringements that are actual
 
    weighty and serious, such as, for example, the complete absence of one
 
    privacy declaration. However, this is not at all relevant here.
 
    The defendant argues that it has indeed stated these processing purposes in its
 
    privacy statement and has extensive weighing of interests with due diligence
 
    to determine whether it can rely on its legitimate interests.
 
 
 
    Regarding the defendant's contention that a breach of the basic principles of the GDPR
 
    included in Articles 5 and 6 GDPR would not automatically be considered serious and serious
 
    can be considered, the Disputes Chamber notes that Article 83.5 GDPR itself provides for
 
    a more severe punishment for this infringement for which there is the highest maximum fine
 
    determined precisely because of the fact that these are basic principles that lie at the heart of a
 
    concern data processing. The defendant's claim that any breach of the GDPR
 
    can be traced back to a breach of basic principles, does not stand as the
 
    The Disputes Chamber is caught by the complaint and carries out the assessment against the GDPR within those limits
 
    and therefore by no means, contrary to what the defendant maintains, any infringement could be possible
 
    are "reduced" to violations of the basic principles. Since the complaint is exactly the
 
    basic principles, the Disputes Chamber will rule on the
 
    application of those principles. Where the defendant cites as an example that the
 
    a complete absence of a privacy statement would be serious and important, states the
 
    Disputes Chamber that the total lack of a privacy statement is not only a serious and Decision on the merits 57/2021 - 10/36
 
 
 
      would be a serious infringement, but a total disregard of the GDPR. However, this increases
 
      does not mean that a defective privacy statement, such as in the present case, which contains the
 
      does not respect basic principles of the GDPR, if it must be serious and weighty
 
      classified.
 
 
 
 
      Regarding the duration of the breach, the defendant points out that it already has its privacy statement
 
      during the initial procedure at the beginning of 2020 and has amended its privacy statement to
 
      following the initial decision of the Disputes Chamber at the beginning of 2021
 
      adjusted and this should be taken into account as an attenuating circumstance.
 
      As to the deterrent effect, the defendant points to her again
 
      willingness to constantly adjust its privacy statement, which they do
 
      twice has done so in a very drastic manner, thus the purpose of these proceedings
 
      this has been achieved according to the defendant.
 
 
 
      The Disputes Chamber has already announced its intention to impose an administrative one
 
      fine, as well as the amount thereof, that it is already done by the defendant
 
      efforts to bring the new privacy statement into line with the GDPR,
 
      evidence of his willingness. Hand must be
 
      noted that although the changes made to the new privacy statement are beneficial
 
      are an element in the assessment of the administrative fine, they do not serve it
 
      that the infringements established would be rectified (see marginal 120).
 
      The Disputes Chamber gives more detailed reasons for the imposition of the administrative fine
 
      in section 3 of this decision.
 
 
 
    It follows from the foregoing that the respondent's response to the Disputes Chamber is none
 
    gives rise to an adjustment of the intention to impose an administrative one
 
    fine, nor to change the amount of the fine as intended.
 
 
 
 
 
  2. Justification
 
 
 
    1. Legitimate interest
 
 
      a) Preliminary remark
 
 
 
30. It follows from the judgment of the Marktenhof that the Disputes Chamber in its decision 24/2020 of
 
    May 14, 2020 would have ruled without the defendant being able to fully comply
 
    because the decision of the Disputes Chamber would not have been limited to the
 
    allegations that are the subject of the complaint. Decision on the merits 57/2021 - 11/36
 
 
 
 
 
31. However, the complainant explicitly states in the complaint that the customer should be given the choice whether to use
 
    agrees to the processing operations listed in points 4.3 and 6 and does not receive them. After all, once
 
    he has given his consent to the processing of his personal data in the context of
 
 
    hospitalization insurance, according to the complainant, data processing should be limited to
 
    to perform the obligations arising from that insurance. The complainant argues
 
    that the defendant does not use his data for any other purpose, more specifically the
 
    the purposes stated in points 4.3 and 6 of the old privacy statement, can be processed without
 
    permission. The complaint thus becomes the legal basis of the processing for the purposes
 
    listed in section 4.3. The complainant believes that those purposes are mentioned in point 4.3
 
    consent is required and the defendant therefore does not automatically obtain the data obtained on the basis
 
    of permission in the context of a hospitalization insurance can also be used for others
 
    purposes, for which the defendant relies on his legitimate interest.
 
 
 
32. The complaint thus essentially relates to the legal basis on which the defendant can rely
 
    appeal to process the personal data obtained from the complainant for the purposes
 
    listed in points 4.3 and 6 of the defendant's old privacy statement.
 
 
 
33. In the present claim of the defendant, the allegations are listed in the paragraphs
 
    a) to h):
 
 
 
 
  “A) Y would consent to the processing of medical data for the purpose of closing
 
  and executing insurance contracts under duress, eliminating these
 
  consent would be invalid (violation of Article 5 (1) (a))
 
  (legality principle); 6 (1) (a) and 9 (2) (a) GDPR)
 
 
 
  b) Y must grant the Complainant access to the DPIA
 
  (“GBEB”) that it allegedly carried out for the processing of medical data related
 
  with the performance of insurance contracts with its customers (violation of articles
 
  35 and 36 GDPR)
 
 
 
  c) Y should, in Articles 4.3 and 6 of the old Privacy Statement, make a better distinction
 
  between the processing of medical data on the one hand and the processing of other "ordinary"
 
  personal data on the other hand (violation of Article 13 (1) (c) GDPR);
 
 
 
  d) Y should take additional steps to inform data subjects of their
 
  right to object pursuant to Article 21 (2) GDPR (violation of Article 12 (1)
 
  and 13 (2) (b) GDPR) Decision on the substance 57/2021 - 12/36
 
 
 
 
 
  e) Y serves the legal grounds referred to in Article 6 of the Y old Privacy Statement for the
 
  transfer of personal data to third parties, to be further clarified (violation of Article 13,
 
  para.1 lit.c) GDPR)
 
 
 
 
  f) Y would process personal data without proven legal basis (including her
 
  legitimate interest within the meaning of Article 6 (1) of the GDPR) for a number of in Article 4.3 of the
 
  the purposes stated in the old Y Privacy Statement and in Article 6 of the old Y Privacy Statement
 
  said transfers to third parties (violation of Article 5 (1) (a))
 
  (principle of legality) and 6 (1) GDPR)
 
 
 
  g) Y would have provided insufficient information about her in her old Privacy Statement
 
  legitimate interests, where Y invokes this legal basis (violation of
 
  Articles 5 (1) (a) (principle of transparency) and 13 (1) (c) and (d) GDPR)
 
 
 
  h) Y, where Y relies on this legal basis, would not have sufficiently demonstrated why
 
  its legitimate interests would exist and would have failed to demonstrate in
 
  to what extent her interests would outweigh the interests and fundamental rights of the Complainant
 
  (Violation of Article 5 (2) GDPR). "
 
 
 
34. The defendant also confirms that the allegations set out in points a) to h)
 
    arise from the complaint by stating the following in the conclusion:
 
    “Should the Dispute Chamber consider the above allegations and alleged violations
 
    on the GDPR by Y (points a to h) do not arise from the complaint […], becomes the Disputes Chamber
 
    invited to inform Y of this […]. ”
 
 
 
35. The Disputes Chamber notes in this regard that already in the complaint the allegations as now
 
    described by the respondent in points a) to h) and
 
    about which the defendant now indicates that these do indeed arise from the complaint,
 
    but about which he nevertheless put forward no defense in respect of f), g) and h) in the
 
    procedure prior to decision 24/2020 of 14 May 2020.
 
    As to the allegations under a) to e) of his Opinion, the defendant states
 
    indicates that he has either been able to defend himself and has been upheld by the
 
    Disputes Chamber (this concerns allegations a) and b)), or has not disputed the allegations
 
    and has been corrected in the new privacy statement (this concerns the allegations under c), d) and
 
    e)). Regarding the established infringement of Article 13.1 c) GDPR regarding the allegation under
 
    c), the breach of Article 12.1 and Article 13.2 b) GDPR on allegation under point (d) and the Decision on the merits 57/2021 - 13/36
 
 
 
 
      infringement of article 13.1 c) GDPR regarding the allegation under e) refers the Dispute Chamber
 
      to the motivation for this in decision 24/2020 of 14 May 2020.
 
      The defense in the present Opinion focuses only on the allegations under points f), g)
 
      and H).
 
 
 
  36. To the extent that there would be some uncertainty about the subject of the complaint
 
      on behalf of the defendant prior to the decision 24/2020, the
 
      The litigation chamber nevertheless offered the defendant the opportunity to submit itself
 
      and the Disputes Chamber will then check whether, and if necessary, to what extent the
 
      defendant has infringed the GDPR with regard to allegations such as
 
      described in points f), g) and h) of his opinion and whether the administrative fine should be applied
 
      are maintained.
 
 
 
 
 
 
        b) Legal basis for the purposes stated under 4.3 of the privacy statement
 
 
 
  37. The defendant argues that it can rely on its legitimate interests for the
 
      processing of non-sensitive personal data for the following purposes
 
      under point 4.3 of the old privacy statement:
 
          • performing computer tests;
 
          • monitoring the quality of the service;
 
          • training of personnel;
 
          • monitoring and reporting;
 
          • the storage of video surveillance recordings during the legal period; and
 
          • compiling statistics on coded data, including big data.
 
 
 
 
 
 
 
  38. For each of these purposes, the defendant has carried out a balancing of interests. The
 
 
      The Disputes Chamber below assesses the weighing of interests for each of these purposes
                                                        2
      in accordance with the firm decision-making it uses to assess the
 
      legitimate interest.
 
 
 
  39. In accordance with article 6.1 f) GDPR and the case law of the Court of Justice of the European
 
      Union must meet three cumulative conditions for a
 
 
 
 
 
2 See inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of October 30, 2020;
 
Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020. Decision on the merits 57/2021 - 14/36
 
 
 
 
      controller can validly invoke this ground of lawfulness, “te
 
      know, in the first place, the promotion of a legitimate interest of the
 
      controller or of the third party (ies) to whom the data are provided, in the
 
      second, the necessity of processing the personal data for the purpose
 
      of the legitimate interest, and, thirdly, the condition that the fundamental
 
      rights and freedoms of the person involved in data protection do not prevail ”
 
      (“Rigas” judgment).
 
 
 
  40. In order to be able to rely on the lawfulness ground of
 
      in other words, the “legitimate interest” is the responsibility of the controller
 
      to show that:
 
    1) the interests pursued by this processing can be recognized as justified
 
        (the “target key”);
 
    2) the intended processing is necessary for the realization of these interests (the
 
 
        “Necessity test”); and
 
    3) the balancing of these interests against the interests, fundamental freedoms and
 
        fundamental rights of data subjects weighs in favor of the
 
        controller (the “balancing test”).
 
 
 
  41. With regard to the purpose of “performing computer tests”, the defendant argues
 
      next one:
 
 
 
    “Context of the processing purpose
 
    This processing purpose includes the tests performed by IT testers and developers:
 
    • related to "changes", which are minor changes or related to purely functional ones
 
    aspects; and
 
    • in the context of any automation projects.
 
    These tests are carried out as part of:
 
    • IT and network security;
 
 
    • the maintenance, improvement and development of (the quality of) Y products and services;
 
    or
 
    • improving the customer experience (eg to make internal processes and systems more efficient
 
    for back-office activities, to enhance the user experience in Y's digital channels
 
    improve, etc.).
 
 
 
 
 
 
3HvJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA
'Rīgas satiksme', recital 28. See also CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA,
 
recital 40. Decision on the substance 57/2021 - 15/36
 
 
 
  This process does not include the acceptance and emulation phase, which is only specialized by the team
 
  activities "can be performed before the changes can actually be made
 
  implemented and can be put into production. ”
 
 
 
 
42. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
    judgment that the processing purpose should be as described by the defendant
 
    considered performed for a legitimate interest. The importance that the
 
    defendant as controller may in accordance with recital 47
 
    GDPR can be considered justified in itself. The first is therefore satisfied
 
    condition contained in Article 6.1, f) GDPR.
 
 
 
43. In order to fulfill the second condition, it must be demonstrated that the processing
 
    necessary for the achievement of the objectives pursued. This means more
 
    stipulates that the question should be asked whether the same result can be achieved by other means
 
    are achieved without processing of personal data or without an unnecessarily invasive one
 
    processing for data subjects.
 
 
 
44. Based on the purpose, being the performance of computer tests, the Dispute Chamber serves
 
    establish that the defendant asserts that, where possible, dummy data or
 
    anonymous data is used (e.g. in case of changes where different
 
    systems or applications are involved and that require a unique reference, such as the
 
    policy number). Only when there is no other option will personal data be used to collect the
 
    to be able to realize the intended change or development. Possible possibilities for (a
 
    further) limitations of data processing are constantly being researched and progressive
 
    introduced as part of the project 'data anonymization in non-production environments'. Furthermore
 
    Strict access controls are introduced on the IT environments where the IT tests are carried out
 
    executed. Procedures are also established for how these IT tests should be carried out
 
    are carried out, which must be taken into account by all concerned.
 
 
 
 
45. The Disputes Chamber notes that the defendant states that he only uses personal data
 
    when there is no other option. During the hearing, Y stated that the tests are always taking place
 
    based on dummy data, but that the test phase determines the extent to which with
 
    such data can be tested. After all, in some cases the boundaries of the
 
    opportunities to do data masking. This has to do with the life cycle of
 
    the tests, namely gradually dummy data can be used in IT testing, but
 
    sometimes the processing of personal data is required in order to ensure the interaction between
 
    to be able to insure applications. The Disputes Chamber is of the opinion that the defendant does so
 
    reasonably plausible that the computer systems are not always based on Decision on the merits 57/2021 - 16/36
 
 
 
 
      anonymized or pseudonymized data can be tested. To the second
 
      condition is thus fulfilled, by showing that the principle of minimal
 
      data processing (Article 5.1. c) GDPR) has been complied with. Nevertheless, the Disputes Chamber notes
 
      note that for purposes of clarification as to the customers concerned, the defendant might
 
      consider providing some brief explanation of the case in the privacy statement
 
      in which the defendant has no choice but to perform computer tests with personal data.
 
 
 
  46. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
      “Balancing test” between the interests of the controller, on the one hand, and the
 
 
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
      reasonable, in accordance with Recital 47 GDPR
 
      expectations of the data subject. More specifically, it should be evaluated whether “data subject
 
      at the time and in the context of the collection of the personal data is reasonably permitted
                                                                  4
      expect that processing can take place for that purpose ”.
 
 
 
  47. The Disputes Chamber is of the opinion that when collecting personal data in the framework
 
      it can be assumed that the policyholder is taking out an insurance policy
 
      at that time can reasonably expect that his data will be
 
      used to perform computer tests. After all, customers expect a correct one
 
      execution of their insurance contracts, which is accompanied by a safe and correct
 
      management of IT systems. The interest of the customers thus requires that the functionalities of
 
 
      the IT environment are tested for this purpose.
 
 
 
 
  48. Accordingly, the Disputes Chamber decides that the defendant applies for processing for the
 
      Purpose “conducting computer tests” may rely on the legal basis contained in
 
      Article 6.1 f) GDPR.
 
 
 
 
  49. Regarding the purpose “monitoring the quality of the service” and “the
 
      compiling statistics on coded data, including big data ”, states the
 
 
      defendant that this comprises three parts and determines that:
 
 
 
    - For the section “Statistics and quality tests”
 
 
 
        “Context of the processing purpose
 
 
 
 
 
 
4 Recital 47 GDPR. Decision on the merits 57/2021 - 17/36
 
 
 
      Y, as an insurer, is subject to prudential supervision. This means, among other things, that they
 
      is bound to overall control of its company and its performance, including,
 
      but not limited to, the audit of the sales performance, performance and fees
 
      certain hospital networks and the coverages / reimbursements. This relates to the
 
 
      general control of the quality of the services and the performance of the
 
      insurance company to ensure its continuity. This processing purpose
 
      includes both one-off and recurring reports with or without use
 
      made of big data methodologies. These are mainly aggregated or
 
      anonymised reports, unless specific statistics are required (by category
 
      eg per age group). ”
 
 
 
 
50. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
    judgment that the context of the processing purpose should be as described by the defendant
 
    are considered performed for a legitimate interest. The importance that the
 
    defendant as controller may in accordance with recital 47
 
    GDPR can be considered justified in itself. The first is therefore satisfied
 
    condition contained in Article 6.1, f) GDPR.
 
 
 
51. In order to fulfill the second condition, it must be demonstrated that the processing
 
    necessary for the achievement of the objectives pursued. This means more
 
    stipulates that the question should be asked whether the same result can be achieved by other means
 
    are achieved without processing of personal data or without an unnecessarily invasive one
 
    processing for data subjects.
 
 
 
52. The Disputes Chamber notes that the defendant only justifies that it is for him
 
    is necessary to compile statistics and perform quality testing, as the
 
    financial viability, quality of service, premium setting and the
 
    performance cannot be determined without actively measuring it. The Disputes Chamber misunderstands
 
    by no means the need for the defendant to have statistics and
 
    quality tests, but the defendant mainly limits himself to asserting that
 
    aggregated or anonymized reports are prepared, unless specific statistics
 
    required (per category such as eg per age group). Moreover, the defendant proposes that
 
    the format of those reports may or may not be using big data methodologies.
 
 
 
53. To what extent the statistics still contain personal data or allow to proceed with
 
    re-identification of a data subject will be further explained during the hearing. The
 
    defendant states that there are still very few statistics containing personal data. The Decision on the merits 57/2021 - 18/36
 
 
 
 
      statistics do not contain names and certainly no health data. The statistics
 
      do contain codes, but they are mass aggregated, segmented data.
                                                                                  5
      Also requires the directive (EU) 2016/97 on insurance distribution and the Belgian
 
      implementing legislation of this Directive that provided for specific reporting
 
      personal data are processed. Sometimes policy data is processed in the reporting,
 
      but with that no further processing in the statistics takes place. Each report has one
 
      purpose and the processing may not go beyond that. A register is kept of
 
      those reports and their purpose, which are strictly regulated through the data warehouse and
 
      which requires "approvals" to deviate from it.
 
 
 
  54. The Disputes Chamber decides that the defendant has made the necessary efforts to resolve the
 
      limit data processing for this purpose to what is strictly necessary. To the second
 
      condition is thus fulfilled by showing that the principle of minimal
 
      data processing (Article 5.1. c) GDPR) has been complied with.
 
 
 
 
  55. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
      “Balancing test” between the interests of the controller, on the one hand, and the
 
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
      reasonable, in accordance with Recital 47 GDPR
 
      expectations of the data subject. More specifically, it should be evaluated whether “data subject
 
      at the time and in the context of the collection of the personal data is reasonably permitted
 
      expect that processing can take place for that purpose ”.
 
 
 
 
  56. The Disputes Chamber follows the defendant's position that if a person has a
 
      enters into an insurance agreement with Y, he can reasonably expect that Y will be intern
 
      performs checks and compiles statistics to ensure that Y is contractual
 
      fulfill obligations.
 
 
 
 
  57. Accordingly, the Disputes Chamber decides that the defendant applies for processing for the
 
      Purpose “Statistics and Quality Requirements” can invoke the legal basis included in
 
      Article 6.1 f) GDPR.
 
 
 
    - For the section “Satisfaction surveys”
 
 
 
 
 
 
 
 
5 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution
 
(recast), OJ L 26/19. Decision on the merits 57/2021 - 19/36
 
 
 
      “Context of the processing purpose
 
      This processing purpose includes determining the NPS ("Net Promoter Score"), the
 
      satisfaction factor of the customers based on an external survey by a third party to determine the
 
      to safeguard anonymity of the query. This factor is calculated with regard to the follow-up
 
 
      by the Y Contact Center and the claims department (claims handling)
 
 
 
58. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
    judgment that the processing purpose should be as described by the defendant
 
    considered performed for a legitimate interest. The importance that the
 
 
    defendant as controller may in accordance with recital 47
 
    GDPR can be considered justified in itself. The first is therefore satisfied
 
    condition contained in Article 6.1, f) GDPR.
 
 
 
59. In order to meet the second condition, it must be demonstrated that the processing
 
    necessary for the achievement of the objectives pursued. This means more
 
    stipulates that the question should be asked whether the same result can be achieved by other means
 
    are achieved without processing of personal data or without an unnecessarily invasive one
 
    processing for data subjects.
 
 
 
60. Based on the purpose of conducting satisfaction surveys, the
 
    Disputes Chamber to determine that the defendant asserts that the customer through this questioning
 
    can give an opinion anonymously and thus assert his interests. The results
 
    are aggregated and processed by an outside company so that the anonymity of the
 
    those involved can be indemnified. During the hearing it is added that the
 
    customers always have the choice whether or not to participate in the survey, as they always have
 
    have the right to object. The Disputes Chamber finds that the customers thus over
 
    have the necessary freedom of choice and that the results of those who participate in the
 
    survey in anonymous form will be made available to the defendant.
 
    The second condition is thus fulfilled by showing that the principle of
 
    minimum data processing (Article 5.1. c) GDPR) has been complied with.
 
 
 
61. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
    “Balancing test” between the interests of the controller, on the one hand, and the
 
    fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
    reasonable, in accordance with Recital 47 GDPR
 
    expectations of the data subject. More specifically, it should be evaluated whether “data subject Decision on the substance 57/2021 - 20/36
 
 
 
 
      at the time and in the context of the collection of the personal data is reasonably permitted
                                                                  6
      expect that processing can take place for that purpose ”.
 
 
 
  62. The Disputes Chamber is of the opinion that when collecting personal data in the framework
 
      it can be assumed that the policyholder is taking out an insurance policy
 
      at that time can reasonably expect that his data will be provided by the defendant
 
      will be used to gauge his satisfaction with the service provided by the
 
      defendant.
 
 
 
 
 
  63. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
      purpose “conducting satisfaction surveys” can rely on the legal basis
 
      included in Article 6.1 f) GDPR.
 
 
 
    - For the part “Quality tests operations”
 
 
        “Context of the processing purpose
 
        This processing purpose relates to the general control of the quality of
 
        the operational services and performance of Y. This is about quality checks where
 
        every employee involved must perform 2 random checks per week for up to
 
        the correct underwriting or performance of the insurance contract and applicable
 
        instructions and procedures for this purpose. "
 
 
 
 
  64. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
      judgment that the processing purpose should be as described by the defendant
 
      considered performed for a legitimate interest. The importance that the
 
      defendant as controller may in accordance with recital 47
 
      GDPR can be considered justified in itself. The first is therefore satisfied
 
      condition contained in Article 6.1, f) GDPR.
 
 
 
  65. In order to fulfill the second condition, it must be demonstrated that the processing
 
      necessary for the achievement of the objectives pursued. This means more
 
      stipulates that the question should be asked whether the same result can be achieved by other means
 
 
      are achieved without processing of personal data or without an unnecessarily invasive one
 
      processing for data subjects.
 
 
 
 
 
 
 
 
6 Recital 47 GDPR. Decision on the merits 57/2021 - 21/36
 
 
 
 
  66. Based on the purpose, being the general control of the quality of the operational
 
      services and performance of Y, the Disputes Chamber must determine that the defendant is late
 
      apply that Y is subject to the insurance distribution directive (EU) 2016/97
 
      and the Belgian implementing legislation that the insurance companies oblige them
 
      tailor services to the desires and needs of their customers. As indicated
 
      during the hearing, the defendant does not invoke his legal obligation (Article 6.1
 
      c) GDPR) as the legal basis for the processing, given the nature and scope of the reporting
 
      is not explicitly imposed as such by law. Hence, the defendant for that
 
      processing its 'legitimate interest under that legislation' as the legal basis.
 
 
      The second condition is thus fulfilled by showing that the principle of
 
      minimum data processing (Article 5.1. c) GDPR) has been complied with. The processing of
 
      personal data is necessary in order to actively measure the quality of the service.
 
 
 
  67. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
      “Balancing test” between the interests of the controller, on the one hand, and the
 
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
      reasonable, in accordance with Recital 47 GDPR
 
      expectations of the data subject. More specifically, it should be evaluated whether “data subject
 
      at the time and in the context of the collection of the personal data is reasonably permitted
 
      expect that processing can take place for that purpose ”. 7
 
 
 
 
  68. The Disputes Chamber is of the opinion that when collecting personal data in the framework
 
      it can be assumed that the policyholder is taking out an insurance policy
 
      at that time can reasonably expect that his data will be
 
      used to carry out internal quality control to ensure that Y hair
 
      comply with legal and contractual obligations.
 
 
 
  69. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
      purpose “quality testing operations” can rely on the legal basis included in Article
 
      6.1 f) GDPR.
 
 
 
  70. With regard to the purpose of “training personnel”, the defendant states the following:
 
 
 
 
    “Context of the processing purpose
 
 
 
 
 
 
 
 
7 Recital 47 GDPR. Decision on the merits 57/2021 - 22/36
 
 
 
  This includes the organization and follow-up of training courses, awareness-raising sessions ("awareness") and
 
  training for Y employees who come into contact with (personal data of) customers.
 
  Training courses include:
 
  • insurance technical aspects (eg with regard to Y products);
 
 
  • technical aspects (eg the use of Office 365 applications, training on
 
  information security, etc.);
 
  • "on the job" training courses (training for new employees as well as training with the aim of increasing the
 
  to continuously improve service quality); and
 
  • more general aspects such as compliance topics (eg the GDPR, IDD, etc.). ”
 
 
 
71. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
    judgment that the processing purpose should be as described by the defendant
 
    considered performed for a legitimate interest. The importance that the
 
    defendant as controller may in accordance with recital 47
 
    GDPR can be considered justified in itself. The first is therefore satisfied
 
    condition contained in Article 6.1, f) GDPR.
 
 
 
72. In order to fulfill the second condition, it must be demonstrated that the processing
 
    necessary for the achievement of the objectives pursued. This means more
 
    stipulates that the question should be asked whether the same result can be achieved by other means
 
    are achieved without processing of personal data or without an unnecessarily invasive one
 
    processing for data subjects.
 
 
 
73. Based on the purpose, being the training of personnel, the Disputes Chamber should be established
 
    to argue that the defendant argues that in exceptional cases the cases are used
 
    contain, or become, personal data of customers for the training
 
    personal data of customers used for the preparation of the training material. The
 
    defendant argues that the underlying material (cases), however, is generally complete
 
    is anonymized.
 
 
 
74. The Disputes Chamber notes that the defendant states that in the context of training courses the
 
    cases only contain personal data of customers in exceptional cases or
 
    personal data of customers are used for the preparation of the training material.
 
    However, the defendant fails to clarify in which cases he would be required
 
    offer training to staff based on customers' personal data.
 
    The defendant does not reasonably demonstrate that staff training is not always on
 
    could be provided on the basis of anonymised data. To the second Decision on the merits 57/2021 - 23/36
 
 
 
 
      condition is thus not fulfilled because it has not been demonstrated that the principle of minimal
 
      data processing (Article 5.1. c) GDPR) has been complied with.
 
 
 
  75. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
      “Balancing test” between the interests of the controller, on the one hand, and the
 
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
      reasonable, in accordance with Recital 47 GDPR
 
      expectations of the data subject. More specifically, it should be evaluated whether “data subject
 
      at the time and in the context of the collection of the personal data is reasonably permitted
 
                                                                  8
      expect that processing can take place for that purpose ”.
 
 
 
  76. The Disputes Chamber is of the opinion that when collecting personal data in the framework
 
      it cannot be assumed that the policyholder takes out insurance
 
      at that time can reasonably expect that his data will be
 
      used for staff training. A policyholder can only expect to
 
      normal management of his customer file, which only requires access to the information contained therein
 
      information by the personnel who have to perform tasks therein for the benefit of the person concerned
 
      customer. When information from concrete files is shared in the context of a course,
 
      the processing of that information is not limited to those who have to perform tasks in
 
      the relevant file.
 
 
 
 
  77. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
      purpose "training of personnel" cannot rely on the legal basis "justified."
 
      interest "and there is therefore a violation of article 6.1 f) GDPR. The Disputes Chamber observes
 
      in addition to that if the defendant nevertheless wishes to receive personal data of customers
 
      use for staff training, he can rely on another legal basis
 
      being the consent (Article 6.1 a) GDPR).
 
 
 
  78. With regard to the purpose of “monitoring and reporting”, the respondent states the following:
 
 
 
      “Context of the processing purpose
 
      This processing purpose includes the preparation of reports for the purpose of checks
 
 
      can perform in the context of:
 
      • IFRS 17 accounting standards for insurance contracts and the Belgian, general
 
      accepted accounting rules ("Belgian GAAP");
 
 
 
 
 
 
8 Recital 47 GDPR. Decision on the merits 57/2021 - 24/36
 
 
 
    • calculating the reserves (in the context of, for example, the law of 13 March 2016 on
 
    the status and supervision of insurance or reinsurance companies (Solvency
 
    II law), etc.); or
 
    • profitability monitoring or reporting in the context of major damage claims.
 
 
    These reports are created for both internal audit and reporting purposes
 
    to the Y1 Re group (of which Y is a part). This keeps recurring reports as well
 
    one-off ad hoc reports. Only fully aggregated,
 
    anonymised, or if not otherwise possible pseudonymized reports prepared in
 
    in the context of major claims or ad hoc reports regarding specific cases or outliers. ”
 
 
 
79. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
    judgment that the context of the processing purpose should be as described by the defendant
 
    are considered performed for a legitimate interest. The importance that the
 
    defendant as controller may in accordance with recital 47
 
    GDPR can be considered justified in itself. The first is therefore satisfied
 
    condition contained in Article 6.1, f) GDPR.
 
 
 
80. In order to meet the second condition, it must be demonstrated that the processing
 
    necessary for the achievement of the objectives pursued. This means more
 
    stipulates that the question should be asked whether the same result can be achieved by other means
 
    are achieved without processing of personal data or without an unnecessarily invasive one
 
    processing for data subjects.
 
 
 
81. Based on the purpose, being monitoring and reporting, the Disputes Chamber must determine
 
    argue that the defendant asserts that the various general financial and
 
    insurance law regulations (in the context of, for example, the law of 13 March 2016
 
    on the status and supervision of insurance or reinsurance undertakings
 
    (Solvency II law)) cannot be complied with without compiling the necessary reports
 
    or to monitor. As indicated at the hearing, the
 
    here too, the defendant does not rely on his legal obligation (Article 6.1 c) GDPR) as legal basis
 
    for the processing, since the nature and scope of the reporting is not explicitly stated as
 
    imposed by law as such. Hence, the defendant for those processing operations
 
    Uses "legitimate interest under that legislation" as the legal basis. To the second
 
    condition is thus fulfilled by showing that the principle of minimal
 
    data processing (Article 5.1. c) GDPR) has been complied with. The processing of personal data
 
    is necessary as legislation cannot be complied with without the
 
    necessary reports are drawn up or monitoring is carried out. Decision on the merits 57/2021 - 25/36
 
 
 
 
  82. The defendant adds that only fully aggregated, anonymized, or if
 
      not otherwise possible pseudonymized reports are prepared in the context of large
 
      claims for damages or ad hoc reports related to specific cases or outliers. To the
 
      second condition is thus fulfilled by showing that the principle of minimal
 
      data processing (Article 5.1. c) GDPR) has been complied with.
 
 
 
  83. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
      “Balancing test” between the interests of the controller, on the one hand, and the
 
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
 
      reasonable, in accordance with Recital 47 GDPR
 
      expectations of the data subject. More specifically, it should be evaluated whether “data subject
 
      at the time and in the context of the collection of the personal data is reasonably permitted
                                                                9
      expect that processing can take place for that purpose ”.
 
 
 
  84. The Disputes Chamber is of the opinion that when collecting personal data in the framework
 
      it can be assumed that the policyholder is taking out an insurance policy
 
      at that time can reasonably expect that his data will be
 
      used for the fulfillment of the legal and contractual obligations of the defendant.
 
 
 
  85. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
      purpose “monitoring and reporting” can rely on the legal basis included in article 6.1
 
 
      f) GDPR.
 
 
 
 
 
  86. Regarding the purpose “the storage of video surveillance recordings during the
 
      legal period ”, the defendant states that:
 
 
 
      “Context of the processing purpose
 
      It concerns the processing of personal data by means of the cameras that are located
 
      within Y's premises with the aim of customer security, data security and the
 
      protection of the company's assets. "
 
 
 
 
  87. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
 
      judgment that the processing purpose should be as described by the defendant
 
      considered performed for a legitimate interest. The importance that the
 
 
 
 
 
 
9 Recital 47 GDPR. Decision on the merits 57/2021 - 26/36
 
 
 
 
      defendant as controller may in accordance with recital 47
 
      GDPR can be considered justified in itself. The first is therefore satisfied
 
      condition contained in Article 6.1, f) GDPR.
 
 
 
  88. In order to fulfill the second condition, it must be demonstrated that the processing
 
      necessary for the achievement of the objectives pursued. This means more
 
      stipulates that the question should be asked whether the same result can be achieved by other means
 
      are achieved without processing of personal data or without an unnecessarily invasive one
 
      processing for data subjects.
 
 
 
  89. Based on the purpose, being the provision of video surveillance, the Disputes Chamber serves
 
      establish that the defendant asserts that the images are stored in a secure
 
      surroundings. Both the space and the affected IT servers are subject to strict
 
      access protection. The images are accessed according to strict procedures. The
 
 
      storage of the images is also limited to the legal retention period (in principle 30 days).
 
 
 
  90. The second condition is thus fulfilled in that it was established that the principle of
 
      minimum data processing (Article 5.1. c) GDPR) has been complied with.
 
 
 
  91. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
 
      “Balancing test” between the interests of the controller, on the one hand, and the
 
      fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
 
      reasonable, in accordance with Recital 47 GDPR
 
      expectations of the data subject. More specifically, it should be evaluated whether “data subject
 
      at the time and in the context of the collection of the personal data is reasonably permitted
 
      expect that processing can take place for that purpose ”. 10
 
 
 
  92. The Disputes Chamber is of the opinion that with the collection of personal data in the framework
 
      it cannot be assumed that the policyholder takes out insurance
 
 
      at that time can reasonably expect that his data will be
 
      used for video surveillance. The purpose of video surveillance is unrelated to the
 
      conclusion of an insurance contract, so that the policyholder does not adhere to it
 
      can expect that his personal data is provided in response to a
 
      insurance contract will be used in the context of video surveillance. Only at
 
      there is video surveillance when physically entering the defendant's premises and then it suffices
 
 
 
 
 
 
10
  Recital 47 GDPR. Decision on the merits 57/2021 - 27/36
 
 
 
    that the camera law is complied with, including the obligation to affix a
 
    icon with information to notify the data subject.
 
 
 
93. Accordingly, the Disputes Chamber decides that the defendant applies for processing operations for the
 
 
    purpose “the storage of video surveillance recordings during the legal period” does not
 
    can rely on the legal basis "legitimate interest" and thus there is an infringement
 
    to Article 6.1 f) GDPR.
 
 
 
94. For the sake of completeness, the Disputes Chamber adds that if a controller
 
    wishes to use surveillance cameras, these are legal obligations
 
    ensuing from the law of 21 March 2007 regulating the placement and use of
 
    security cameras must comply. As soon as a controller uses
 
    of surveillance cameras, arise from the aforementioned law obligations regarding
 
    data processing, so that the controller can rely on article 6.1 c)
 
    GDPR. In that regard, the defendant stated at the hearing that in
 
    the necessary pictograms have been affixed in accordance with this law.
 
 
 
 
 
      c) Model of balancing of interests
 
 
 
95. For each of the foregoing purposes, the defendant argues that the
 
    processing purpose is permissible because of the quantitative score calculated by the model
 
    balance of interests that Y uses is lower than 30. The defendant argues that on the basis of that
 
    model the processing purposes can be based on the legitimate interests
 
    of the controller as long as this score does not exceed 30.
 
 
 
96. In this regard, the Disputes Chamber should note that the model used by Y is a
 
    is a purely internal instrument that can at most act as a guideline within the company,
 
    but from which no legal arguments can be drawn to support the assessment against the
 
    legal basis of Article 6.1 f) GDPR. To the scores calculated on the basis of that model
 
    therefore no legal value can be attached.
 
 
 
 
 
      d) All legal grounds included in Article 6.1 GDPR
 
 
 
97. The defendant is of the opinion that the Disputes Chamber in its decision 24/2020 would have stated that
 
    he can only rely on consent as a legal basis (Article 6.1 a) GDPR) for the Decision on the merits 57/2021 - 28/36
 
 
 
          processing purposes included in point 4.3. of the old privacy statement and not on
 
          the other legal grounds of Article 6.1 GDPR.
 
 
 
      98. The Disputes Chamber explains that the following was made in this regard in the decision 24/2020
 
 
          mention:
 
          The Disputes Chamber is therefore of the opinion that the violation of art. 6.1. AVG is proven,
 
          since the data processing is for the purposes stated in sections 1, 2, 3, 4, 6 and
 
          7 of point 4.3. of the privacy statement, without any demonstrated legitimate interest,
 
          should be based on the consent of the complainant in the absence of any other possible
 
          applicable legal basis in art. 6.1. AVG. ”
 
 
 
      99. From this the defendant deduces, albeit incorrectly, that the Dispute Chamber is the only one
 
          legal basis for the purposes specified therein precedes the consent. The defendant
 
          however, ignores the fact that the Disputes Chamber reaches that decision, precisely because the
 
          defendant fails to demonstrate any legitimate interest and thus in
 
          fails to demonstrate that the applicable conditions have been fulfilled to comply with this
 
          legal basis in Article 6.1 f) GDPR. The Disputes Chamber stated in its decision
 
          after all expressly that the defendant has in no way demonstrated from what
 
          legitimate interest or would exist and also failed to demonstrate to what extent his interest
 
          would outweigh the interests and fundamental rights of the complainant, although the defendant
 
          is obliged to do so on the basis of its accountability obligation (Article 5.2 GDPR). The
 
          Accordingly, the Disputes Chamber could not withhold article 6.1 f) GDPR as a valid legal basis. On base
 
          of the factual elements leading to the decision 24/2020 was the only remaining
 
          legal basis the consent.
 
 
 
      100. The Disputes Chamber emphasizes that every controller, including the
 
          defendant, can invoke any possible legal basis of Article 6.1 GDPR, but that the
 
          applicable conditions for the legal basis invoked must be fulfilled.
 
 
 
 
 
2. Legal basis for transfers to third parties
 
 
 
 
      101. First, the defendant claims that a transfer to third parties does not have a processing purpose
 
          is itself, but is merely a form of processing of personal data within the meaning of Article
 
          4.2 GDPR. The defendant states that he only draws up balances of interests per
 
          processing purpose, but not per processing. Decision on the merits 57/2021 - 29/36
 
 
 
      102. The Disputes Chamber states that it follows from article 5.1 a) GDPR that personal data must be
 
          processed for a specific purpose and that such processing must be lawful in the sense
 
          of Article 6.1 GDPR. So it is clear that any processing must be done within the framework
 
          of a specific, explicit and justified purpose and that
 
 
          processing must be based on a legal ground for it to be lawful
 
          considered. It is of course possible to perform multiple processing operations within the meaning of Article 4.2 GDPR
 
          for the same purpose, but this does not alter the fact that the
 
          data processing for a specific purpose can only be considered lawful
 
          labeled if there is a legal basis for doing so.
 
 
 
      103. The Disputes Chamber notes that any transfer to third parties must be determined with the
 
          in view of the purpose for which the transfer takes place. To be able to verify whether the transfer is to
 
          third parties can be regarded as lawful, it must thus be determined for what purpose
 
          which is passed on to third parties.
 
 
 
 
      104. As the defendant rightly points out, the legal basis for the transfer to processors (which
 
          however, no third parties within the meaning of Article 4, 10) GDPR) are the same as for the
 
          data processing by the defendant himself. After all, the processing purpose remains
 
          unchanged, as the processor only processes the personal data for the benefit of the
 
          defendant as controller.
 
 
 
 
      105. If the personal data are transferred to a third party within the meaning of Article 4. 10)
 
          GDPR with a view to the purpose of enabling that third party to provide the relevant personal data
 
          to process it for your own purposes, then that transfer must cease for that specific purpose
 
          considered themselves and requires a separate legal basis. With a view to
 
          transparency should become the processing basis for all transfers in the privacy statement
 
          stated that the defendant fulfills his obligation under art. 13.1 c) would comply with GDPR. This is
 
          However, this is not the case, so that the Disputes Chamber is of the opinion that there is a
 
          infringement of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.
 
 
 
 
 
3. Transparency principle
 
 
 
 
      106. Notwithstanding the fact that Article 13.1 d) GDPR requires the controller to send the
 
          provides the data subject with information about his legitimate interests, if the processing
 
          is based on Article 6 (1) (f), the defendant maintains that it suffices
 
          for the purposes of the privacy statement referred to in point 4.3, as well as for the purposes of 6 of the Decision on the merits 57/2021 - 30/36
 
 
 
    data transfers based on Article 6 (1) (f) GDPR only
 
    state that personal data is processed on the basis of the legitimate interest of
 
    the defendant without indicating exactly what that legitimate interest would consist of.
 
 
 
 
107. The defendant argues that the balancing of interests concerns internal documents that have not been handled by Y
 
    made public or included in its Privacy Statement, in view of the
 
    business sensitive information they contain. Moreover, this involves bulky, rather privacy-
 
    technical documents that are typically not included in a privacy statement.
 
 
 
108. For transmission to “the companies of the group Y1 Re to which Y belongs, for monitoring
 
    and reporting ”, the defendant confirms that this is a transfer to another
 
    controller, indicates the defendant demonstrating his legitimate interest
 
    consists in its conclusion under the processing purpose “monitoring and reporting”, but late
 
    after clarifying his legitimate interest in the privacy statement.
 
 
 
109. Furthermore, the defendant also refers to recital 48 of the GDPR which states that
 
    controllers that are part of a concern or group of institutions
 
    associated with a central body may have a legitimate interest in the
 
    forwarding of personal data within the group for internal administrative purposes,
 
    including the processing of personal data of customers or employees.
 
 
 
110. The Disputes Chamber acknowledges that consideration 48 applies to the defendant, but this
 
    does not prevent the defendant from being transparent about this in his privacy statement and
 
    also in such a case must indicate the legal basis and must make it clear where it is
 
    legitimate interest exists, which is not the case in the old privacy statement.
 
 
 
 
111. Responsible for transfers to “subcontractors in the European Union or abroad
 
    for processing activities defined by Y ”, the defendant argues that it concerns
 
    processors of Y.
 
 
 
112. The Disputes Chamber therefore restates the reasoning in this regard from its decision
 
    24/2020 to decide on an infringement of Article 13.1 d) GDPR in conjunction with Article 5.1 a) GDPR
 
    and Article 5.2 GDPR. The privacy statement only mentions that for those referred to in 4.3. listed
 
    purposes personal data are processed on the basis of the legitimate interest of the
 
    defendant without indicating exactly what that legitimate interest would consist of,
 
    while art. 13.1. d) GDPR does require the controller to comply
 
    obliged to provide the data subject with information about his legitimate interests,
 
    if the processing is based on Article 6 (1) (f). Decision on the merits 57/2021 - 31/36
 
 
 
 
 
 
 
  113. The Disputes Chamber also refers to the Guidelines of the European Committee for the
 
      data protection (EDPB) on transparency according to Regulation (EU)
 
      2016/679, who stress the need to identify the specific interest in question
 
      for the benefit of the data subject.
 
 
 
 
 
  114. Also with regard to point 6. of the privacy statement, the defendant does not indicate why
 
      legitimate interest, on which he relies, would exist to obtain personal data from the
 
      to process the complainant for the purpose of transferring it to “The companies of the Y1 RE group
 
      to which Y belongs, for monitoring and reporting ”and“ Subcontractors in the European Union
 
      or beyond, responsible for processing activities defined by Y ”. However
 
      requires art. 13.1. d) GDPR in fact that the controller is the data subject
 
      must provide information about his legitimate interests, if the processing
 
      is based on Article 6 (1) (f). The Disputes Chamber refers again to the
 
      Guidelines on transparency in accordance with Regulation (EU) 2016/679 and the
 
      stated above in this regard.
 
 
 
 
 
  115. The Disputes Chamber stated in its decision 24/2020 that as best practice the
 
      controller also, before becoming personal data of the data subject
 
      collected, can provide the data subject with information about the assessment to be made
 
      created in order to be able to use Article 6 (1) (f) as a legal basis for the processing.
 
      To avoid information fatigue, this information can be included in a layered
 
      privacy statement / notice. 12 The information provided to data subjects should make clear
 
      that these data subjects can receive information about the assessment upon request. This is
 
      essential for effective transparency when data subjects have doubts about the
 
      fairness of the consideration made as to whether to submit a complaint to a supervisory authority
 
      authority.
 
 
 
 
  116. As the defendant points out, he is unwilling to apply the aforementioned best practice,
 
      because, according to him, it concerns internal privacy-technical documents with company-sensitive
 
      information.
 
 
 
 
 
 
 
 
11
  EDPB, Guidelines of the Article 29 Working Party on Data Protection on Transparency under Regulation (EU)
2016/679, approved November 29, 2017, last revised and approved April 11, 2018, p. 42.
12See paragraph 35 of the guidelines referred to in footnote 6. Decision on the substance 57/2021 - 32/36
 
 
 
 
      117. The Disputes Chamber argues that even if the defendant refuses to follow this best practice,
 
          he is at least obliged to notify the data subject on a
 
          concise, transparent, intelligible and easily accessible form and in clear and
 
          provide simple language information about his legitimate interest for each of the
 
 
          purposes for which he relies on that legal basis. It is by no means to comply with this
 
          requires privacy-technical documents to be made public, but it is
 
          requires that information about the legitimate interest is provided in clear
 
          wording that can be easily understood by a customer or potential customer of the defendant
 
 
 
      118. The Disputes Chamber finds that the information required by Article 13.1 d) GDPR is in no way whatsoever
 
          is made available by the defendant, so that the infringement of Article 13.1 d)
 
          GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR.
 
 
 
 
 
 
 
 
4. Administrative fine
 
 
 
 
      119. The fact that the defendant does indeed commit the infringements of Articles 5.1 a), 5.2, 6.1, 12.1, 13.1
 
          c) and d) and 13.2 b) GDPR, brings the Dispute Chamber to the administrative
 
          fine. This sanction does not extend to an offense committed
 
          but with a view to vigorous enforcement of the rules of the GDPR. As
 
 
          is clear from recital 148 of the GDPR, the GDPR states that in the event of any serious infringement
 
          - including when an infringement is first established - penalties, including administrative ones
                                                                                              13
          fines are imposed in addition to or instead of appropriate measures. After this, the
 
          Disputes Chamber states that the breaches committed by the defendant against Articles 5.1 a),
 
          5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR in no way concern minor infringements, nor that the
 
          a fine would cause a disproportionate burden on a natural person as referred to in
 
          Recital 148 GDPR, whereby a fine can be waived in either case.
 
          The fact that it is a first finding of an infringement committed by the defendant in the
 
 
 
 
 
 
    13
      Recital 148 states: “With a view to more vigorous enforcement of the rules of this Regulation, penalties,
    including administrative fines, to be imposed for any breach of the Regulation, in addition to or instead of
    appropriate measures imposed by the supervisory authorities under this Regulation. If it comes
    for a minor infringement or if the foreseeable fine would cause a disproportionate burden on a natural person,
    instead of a fine, a reprimand can be chosen. However, the
    nature, gravity and duration of the infringement, including the intentional nature of the infringement, with measures to mitigate damage,
 
    with the degree of responsibility, or with previous relevant breaches, with the manner in which the breach became known to the
    supervisory authority has come up with compliance with the measures taken against the
    controller or processor, with affiliation to a code of conduct and any other aggravating or
    mitigating factors. Imposing penalties, including administrative fines, should be subject to
    appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including a
    effective remedy and due process. [own underlining] Decision on the merits 57/2021 - 33/36
 
 
 
 
      GDPR, does not in any way affect the possibility for the Disputes Chamber
 
      to impose an administrative fine. The Disputes Chamber explains the administrative
 
      fine in accordance with article 58.2 i) GDPR.
 
 
 
  120. The Disputes Chamber emphasizes once again that the instrument of administrative fine
 
      is in no way intended to end infringements. To this end, the AVG and the WOG provide for a
 
      number of corrective measures, including the orders referred to in Article 100, §1, 8 ° and 9 °
 
      WOG. She also emphasizes that the administrative fine is one of the sanctions foreseen
 
      in article 58.2 GDPR and article 100 WOG. Neither EU law nor national Belgian law
 
      has a hierarchy with regard to the sanctions to be imposed. It stands as the Dispute Chamber
 
      body of an independent data protection authority as referred to in Article 51
 
      AVG is free to choose the most appropriate sanction. The Disputes Chamber is of the opinion that, in view of the
 
      accountability of the controller, the imposition of a
 
      administrative fine for violation of the GDPR could be expected. 14
 
 
 
                                                                  15
  121. Taking into account article 83 GDPR and the case law of the Marktenhof, the
 
      Disputes Chamber imposing an administrative sanction in concrete terms:
 
        - The seriousness of the infringement: the reasoning below shows the seriousness of the infringement.
 
        - The duration of the infringement: the infringements are assessed for this aspect in
 
            in light of the date on which the GDPR became applicable, namely May 25
 
            2018. The defendant's privacy statement appears to have remained unchanged since
 
            the GDPR becoming applicable until such time as, following the
 
            complaint, a new privacy statement has been drawn up. The new privacy statement constitutes
 
            however, not the object of assessment by the Dispute Chamber, so that they themselves
 
            also does not comment on the extent to which the new privacy statement is consistent
 
            is with the GDPR.
 
        - The necessary deterrent effect to prevent further infringements.
 
 
 
 
 
  122. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasizes
 
      that compliance with the principles set out in art. 5 GDPR - in the present case in particular the
 
      transparency principle including accountability, as well as the
 
      principle of legality - essential, because it is fundamental principles of
 
      data protection. The Disputes Chamber considers the defendant's infringement
 
 
 
 
 
 
 
14 With regard to the jurisdiction of the Disputes Chamber regarding the imposition of an administrative fine, see also decision no
55/2021 of April 26, 2021, available in French on the GBA website.
15
  Court of Appeal Brussels (section Marktenhof), Judgment 2020/1471 of 19 February 2020. Decision on the merits 57/2021 - 34/36
 
 
 
    the principle of legality specified in art. 6 GDPR and the transparency principle
 
    which is specifically laid down in Articles 12 and 13 GDPR, therefore as a serious violation.
 
 
 
123. An important element in determining the amount of the fine is the fact that the defendant
 
 
    subsequent infringements as motivated in decision 24/2020 not disputed and as a result thereof
 
    has already made efforts to address the new privacy statement on those points
 
    to comply with the GDPR:
 
      - Infringement of Article 13.1 c) GDPR due to lack of clear distinction between the
 
          processing health data on the one hand, and processing the other 'normal'
 
          personal data on the other hand and this for each of the purposes of 4.3. of the
 
          privacy statement, as for each of the 6. transmissions of the privacy statement.
 
      - Violation of Articles 12.1 and 13.2 b) GDPR in the absence of mention in the privacy statement
 
          of the possibility for the data subject to exercise his right of retention.
 
      - Infringement of Article 13.1 c) GDPR due to lack of indication of the legal basis for the
 
          transfer to each of the distinct categories of third parties in point 6. of the
 
          privacy declaration.
 
 
 
 
124. Although the changes made to the new privacy statement are a positive element
 
    when assessing the administrative fine, the Disputes Chamber emphasizes that it is there
 
    do not seek to rectify the infringements established. The
 
    infringements have been identified and cannot be reversed retroactively by the
 
    controller who still processes his data - albeit too late
 
    complies with the requirements of the GDPR.
 
 
 
 
 
 
 
125. In addition, the current decision also identifies infringements:
 
      - Violation of article 6.1 GDPR with regard to the purposes of “training personnel” and
 
          “The storage of video surveillance recordings during the legal period”.
 
      - Violation of art. 13.1. c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR.
 
      - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and article 5.2 GDPR.
 
 
 
 
    Furthermore, the Disputes Chamber also takes into account the finding that the violation of Article 6.1
 
    AVG is limited to two processing purposes “staff training” and “the storage of
 
    recordings of video surveillance during the legal period ”and is therefore of a nature to be a
 
    justify a reduction in the amount of the fine. In addition, the established
 
    breaches of the principle of transparency and accountability are so serious Decision on the substance 57/2021 - 35/36
 
 
 
 
          that a substantial fine is required. This applies all the more in view of the large scale
 
          of the processing of non-health data by the defendant with
 
          decisive impact on all insured persons who have taken out hospitalization insurance
 
          affiliated with Y, which concerns a significant number of stakeholders. A decisive element
 
          this is also due to the fact that Y is a major player in the insurance market that may become
 
          expects the latter to duly and with the necessary conscientiousness align its privacy policy with the
 
          GDPR.
 
 
 
      126. With regard to the lack of transparency, the Disputes Chamber also points out that the GDPR is exactly
 
          has provided for a transition period of 2 years 16 to the end of each controller
 
          give the necessary time to prepare and adapt to the requirements set by the
 
          GDPR. The defendant's argument made at the hearing that the changes
 
          which the GDPR has implemented compared to the previous directive 95/46 / EC of the European
 
          Parliament and the Council on the protection of individuals with regard to the
 
 
          processing of personal data and on the free movement of such data to the
 
          based on the lack of transparency cannot therefore be accepted. The
 
          defendant argues that Articles 13 and 14 GDPR, in conjunction with Article 12 GDPR, and the precise manner of
 
          interpretation of it caused the difficulty. The transparency guidelines of
 
          Group 29 (now EDPB) were an auxiliary tool. Here too, the Disputes Chamber serves
 
          state that those guidelines date back to 29 November 2017, have been revised and adopted
 
          on April 11, 2018 and have remained unchanged since then. The defendant thus disposed of
 
          sufficient time, as required by its accountability (Article 5.2 GDPR)
 
          privacy statement to align with the GDPR.
 
 
 
      127. This leads the Disputes Chamber to reconsider the fine and reduce it to € 30,000.
 
 
 
      128. The totality of the elements set out above justifies an effective,
 
          proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the therein
 
          certain assessment criteria. The Disputes Chamber points out that the other criteria of art. 83.2.
 
 
          GDPR in this case are not such as to lead to a different administrative fine than
 
          those adopted by the Disputes Chamber in the context of this decision.
 
 
 
 
 
5. Publication of the decision
 
 
 
 
 
 
 
 
    16
      Article 99 GDPR Decision on the substance 57/2021 - 36/36
 
 
 
  129. Given the importance of transparency with regard to the decision-making process of the
 
    Disputes Chamber, this decision will be published on the GBA website. However, it is
 
    does not require that the identification data of the parties be directly
 
    announced.
 
 
 
 
FOR THESE REASONS,
 
 
 
the Dispute Chamber of the Data Protection Authority, after deliberation, will decide for her
 
to review decision 24/2020 of 14 May 2020 and to review the defendant pursuant to art. 100, §1, 13 ° WOG
 
and art. 101 WOG to impose an administrative fine of € 30,000.00 as a result of the infringements
 
to Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) GDPR.
 
 
 
On the basis of Article 108, §1 WOG, an appeal can be lodged against this decision within
 
a period of thirty days from the notification at the Marktenhof, with the
 
Data protection authority as defendant.
 
 
 
 
 
(Get) Hielke Hijmans
 
Chairman of the Disputes Chamber
</pre>

Revision as of 10:16, 18 May 2021

APD/GBA (Belgium) - 57/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(d) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 06.05.2021
Published: 06.05.2021
Fine: 30.000 EUR
Parties: n/a
National Case Number/Name: 57/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 57/2021 van 06 mei 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA states that a separate and clearly defined purpose is necessary for transfer to a third party. Multiple, different processing can take place for the same purpose, but each requires a legal basis.

English Summary

Facts

This decision is a reconsideration of the decision 24/2020 and executes the appeal of the Market Court of 18 November 2020 (2020/AR/813), it gives the defendant the possibility to defend itself against all infractions on the GDPR for which the initial sanction was based on.

To summarise, the complainant claimed that its health data was used by an insurance company for a purpose for which he did not explicitly agree. The defendant now claims to use legitimate interest as legal basis.

Dispute

Holding

Legal basis of legitimate interest

The defendant states that non-sensitive personal data can be processed based on legitimate interest for different purposes: - conducting computer tests; - monitoring the quality of service; - training of personnel; - monitoring and reporting; - storing recordings of video surveillance for the statutory period; and - compiling statistics from coded data, including big data. For each of these purposes, a balancing test was done.

The DPA recites the requirements for relying on Article 6(1)(f), namely purpose test, necessity of the processing and a balancing test.

As regards the first condition (the so-called "purpose test"), the DPA considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as the data controller can in itself be regarded as legitimate, in accordance with recital 47 of the GDPR.

In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking the question whether the same result can be achieved by other means without processing personal data or without an unnecessarily intrusive processing for the data subjects.

In order to verify whether the third condition of Article 6(1)(f) - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose."

Conducting computer tests

The DPA holds that this satisfies the first, second and third criteriua. It does state that the data subject could be more informed about the tests.

Monitoring the quality of service and compiling statistics from coded data, including big data

This topic has three parts: "statistics and quality tests", "satisfaction questionnaires" and "quality tests operations", each legitimate interest basis was assessed by the DPA:

Statistics and quality tests

All criteria have been fulfilled.

Satisfaction questionnaires

All criteria have been fulfilled.

Quality tests operations

All criteria have been fulfilled.

Training of personnel

The first criteria has been fulfilled. The necessity test has not been fulfilled, as it is not necessary to use client data in order to provide training cases for personnel, this is a breach of data minimisation of Article 5(1)(c). The balancing test is also not fulfilled as it is not within the reasonable expectations of a person taking an insurance for their information to be used as an example.

Monitoring and reporting

The first criteria has been fulfilled. The second criteria has been fulfilled as a minimum of data is necessary to fulfill legal obligations. Said legal obligations however, did not foresee in an explicit legal basis for the processing. The third criteria has also been fulfilled as it is a reasonable expectation of a data subject that the insurance company must fulfill its legal obligations.

Storing recordings of video surveillance for the statutory period

The first and second criteria have been fulfilled. The third criteria has not been fulfilled as a data subject signing an insurance contract cannot reasonably expect that their data will be used for video surveillance. This falls under the Camera law of 21 March 2007, including the obligation to put up pictograms to inform the data subjects.

Model of balancing test

The defendant states that all these balancing tests scored less than 30 on the model that they used, which means legitimate interest can be used as a legal basis.

The DPA holds that this is purely instrumental and no legal value can be given to a model.

Legal basis for transfer to third parties

The defendant claims that transfers to third parties is not a processing purpose, but a form of processing within the meaning of Article 4(2).

The DPA states according to Article 5(1)(a), personal data must be processed processed for a specific purpose and the processing must be legitimate within the meaning of Article 6(1). It is possible to do multiple processing for the same purpose, but this must be done in compliance with the above.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(c), there is a breach of the GDPR.

Transparency principle

Notwithstanding Article 13(1)(d) regarding transparency of its legitimate interests, the defendant claims that they fulfilled the requirements by merely stating in the privacy notice that the personal data will be processed based on its legitimate interest without indicating what those interests are.

Those legitimate interest are not public as they contain company sensitive information and the documents are very 'heavy', not suited for a privacy notice.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(d), there is a breach of the GDPR. And even if the defendant does not want to share sensitive information, they must at least provide more information to its data subjects in a clear and transparent way. Sharing company sensitive or 'heavy' documents on their own is not required for this.

Decision

Based on the above, the first decision, and the appeal, the fine for the insurance company is reduced to €30.000 (from €50.000)


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Litigation Chamber 

Decision on the merits 57/2021 of 06 May 2021 

File reference : DOS-2019-02902 

Subject: Lack of transparency in the privacy statement of an insurance company (reconsideration decision 24-2020) 

The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, members; 

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG; 

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; 

Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;  

Having regard to the documents on file; 

...

...

has taken the following decision concerning: 

- Mr X, hereinafter "the complainant"; 

- Y, represented by Mr Benoit Van Asbroeck and Mr Simon Mortier, hereinafter "the defendant". 

1. Facts and procedure 

1. This decision is a reconsideration of decision 24/2020 of the Dispute Chamber of 14 May 2020, and implements the judgment of the Markets Court of 18 November 2020, with roll number 2020/AR/813.  

2. This decision should be read in conjunction with decision 24/2020 and contains a reconsideration aimed at giving the Respondent the opportunity to defend itself with regard to all breaches of the AVG for which a penalty was imposed in the initial decision, to the extent that these breaches are contested by Y. In this reconsideration, the Dispute Resolution Chamber will thus stay within the framework of the initial decision, including with respect to the administrative fine, which cannot exceed the amount of the fine initially determined. As regards the allegations in respect of which the Dispute Resolution Chamber ruled in the initial decision that there was no infringement of the AVG, this opinion remains valid. The infringements established in the initial decision and not contested by Y are also maintained. 

3. On 14 June 2019, the complainant filed a complaint with the Data Protection Authority against the respondent. 

The subject of the complaint concerns the use of health data obtained by the insurance company from the data subject in the context of a hospitalisation insurance policy for other purposes without the express consent of the insured data subject. The complainant states that he has no problem with his health data being processed for the fulfilment of obligations under the hospitalisation insurance policy taken out with the defendant, but has a problem when the same health data are processed for the purposes listed in point 4.3. of the privacy notice and for the transfer to third parties as mentioned in point 9 of the same privacy notice (it concerns point 6, but the reference to point 9 is a material error) as mentioned in the defendant's privacy notice. He requests that specifically for those purposes, as well as for the transfer, the Respondent gives the data subject the choice to consent or not to the processing of his health data. 

Finally, the complainant expresses the wish to receive a data protection impact assessment from the defendant as it involves the processing of data at high risk for the data subjects. 

4. On 26 June 2019, the complaint shall be declared admissible pursuant to Sections 58 and 60 of the WOG, the complainant shall be notified thereof pursuant to Section 61 of the WOG, and the complaint shall be transferred to the Dispute Resolution Chamber pursuant to Section 62(1) of the WOG. 

5. On 23 July 2019, the Dispute Resolution Chamber shall decide, pursuant to art. 95, §1, 1° and art. 98 WOG that the file is ready for consideration on the merits. 

6. On 24 July 2019, the parties concerned were notified by registered mail of the provisions as mentioned in art. 95, §2 and in art. 98 WOG. Also, pursuant to art. 99 WOG, the parties concerned were informed of the time limits to submit their defences. The deadline for receipt of the statement of reply from the plaintiff was thereby set at 7 October 2019 and for the defendant 7 November 2019. 

7. On 29 July 2019, the Respondent shall notify the Dispute Resolution Chamber that it has taken cognisance of the complaint, shall request a copy of the file (art. 95, §2, 3° WOG) and shall electronically accept all communications concerning the case (art. 98, 1° WOG). 

8. On 30 July 2019, a copy of the case file shall be transmitted to the defendant. 

9. On 2 August 2019, the Dispute Resolution Chamber receives a letter in which the Respondent indicates that he wishes to be heard by the Dispute Resolution Chamber (art. 98, 2° WOG). 

10. On 6 September 2019, the Dispute Resolution Chamber received the response by the Respondent. Firstly, the Respondent argues that the processing of special categories of personal data, in this case health data, by healthcare insurer Y is carried out lawfully. The processing of these special categories of personal data (Article 9 AVG) is in principle prohibited. For the processing, the defendant relies on the exceptional ground of Article 9 (2) (a) AVG, the explicit consent of the data subject. Second, the defendant argues that separate consent is not necessary for each transfer of personal data. Third, according to the defendant, there is no question of asking consent for the processing of data other than health data. Finally, according to the defendant, a data protection impact assessment was not necessary in this case as it concerned already existing processing operations and not new processing operations starting after 25 May 2018. 

11. The complainant has not exercised the right to submit a reply. 

12. The Respondent is not submitting a new Opinion and on 7 November 2019 is merely providing productions in support of the Opinion submitted on 6 September 2019. 

13. On 9 January 2020, the parties are informed that the hearing will take place on 28 January 2020. 

14. On 28 January 2020, the Respondent was heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. Among other things, the Respondent answered questions put by the Dispute Resolution Chamber as to the legal basis for the processing of personal data other than health data. The debates then closed. 

15. On 29 January 2019, the record of the hearing shall be submitted to the parties. 

16. On 31 January 2020, the Respondent shall provide, as requested at the hearing, the annual turnover for the last three financial years. These amount to a turnover of between EUR 500 million and EUR 600 million for the years 2016-2018. 

17. On 6 February 2020, the Dispute Resolution Chamber receives some comments from the Respondent on the minutes, which it decides to include in its deliberations. 

18. On 25 March 2020 the Litigation Chamber informs the defendant of its intention to impose an administrative fine and the amount thereof in order to give the defendant the opportunity to defend itself before the sanction is actually imposed. 

19. On 8 May 2020, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine, as well as the amount thereof. 

The Respondent argues that the alleged infringements as set out in the Dispute Resolution Chamber's intention are entirely new and that it has not been able to defend itself in this respect. However, it is for the Dispute Resolution Chamber to find that the documents on the file irrefutably demonstrate that the Respondent was able to fully exercise his rights of defence.  

The defendant also claims to disagree with the imposition of a fine, or the intended amount of the fine. However, he does not present any (new) arguments in support of this claim. Therefore, the response of the defendant does not give the Disputes Committee 

The response of the Respondent does not give rise to an adjustment of the intention to impose an administrative fine nor to an adjustment of the amount of the fine as intended. 

20. On 14 May 2020, the Arbitration Chamber in its decision on the merits 24/2020 ruled as follows: 

- pursuant to Article 100, §1, 9° WOG, to order the Respondent to bring the processing into compliance with Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG  

- On the basis of Article 100, §1, 13° WOG and Article 101 WOG, impose an administrative fine of EUR 50,000 for the infringements of Article 5.1 a), Article 5.2, Article 6.1, Article 12.1, Article 13.1 c) and d) and Article 13.2 b) AVG. 

21. On 17 June 2020, the Dispute Chamber received notification from the Brussels Court of Appeal of an application against the GBA lodged with the Court Registry. 

22. On 24 June 2020, the introductory hearing before the Market Court takes place, at which the time limits for the parties to conclude their cases are determined, and the case is set for oral argument at the hearing on 21 October 2020. 

On 18 November 2020, the Market Court delivers its judgment.   

The judgment1 contains the following main points concerning the assessment of the object of the application: 

1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-marktenhof.pdf  

- Annulment of the decision on the merits no. 24/2020 of 14 May 2020 of the Dispute Resolution Chamber. 

- The Market Court stated that the Respondent should have been given the opportunity - after the grievance was clearly formulated in writing - to make a written statement on the matter. The fact that the Respondent was asked at the hearing (which was mentioned in the transcript of the hearing) to make submissions on the general question of the legitimate interest invoked by the Respondent to process data other than health data and that the Respondent only made a summary reply to this without any objections does not adequately justify Decision No 24/2020 of 14 May 2020. 

23. Following the judgment, the Dispute Resolution Chamber decided on 27 November 2020 to take up the file again in order to make a new decision. The underlying consideration is that, notwithstanding the annulment of the aforementioned decision by the 

Annulment of the aforementioned decision by the Market Court judgment, the Dispute Resolution Chamber is still caught by the initial complaint lodged on 14 June 2019 as declared admissible by the First Line Service on 26 June 2019. Accordingly, the debates are reopened and new conclusion deadlines are set so that the parties can take a position on the legitimate interest invoked by the Respondent to process data other than health data.  

The parties are informed of the following time limits for the submission of oral argument:  

- the latest date for the plaintiff's reply will be set at 8 January 2021; 

- the date of the reply by the defendant shall be set at 19 February 2021; 

The date of the hearing will also be fixed, which will take place on 22 March 2021. 

24. On 27 November 2020, the Dispute Resolution Chamber received a communication from the Complainant stating that, in view of the clear arguments, it did not consider it necessary to provide additional argumentation. On the same day, the Dispute Resolution Chamber informs the Respondent that the Complainant has indicated that it will not be submitting a claim. At the request of the Respondent, the Dispute Resolution Chamber also confirms that the date initially set for the Reply by the Respondent as well as the date of the hearing will be maintained. 

25. On 19 February 2021, the claim and accompanying documents were received by the Dispute Resolution Chamber from the Respondent. In it the Respondent puts forward the following pleas in law: 

- The Respondent may rely on its legitimate interests to process personal data for purposes pursuant to Article 4.3 of its former Privacy Notice (no violation of Articles 5.1(a), 5.2, 6.1(f) and 13.1(c) and (d) T&C. 

- The Respondent may rely on an applicable legal ground for transfers to third parties pursuant to Article 6 of the former privacy notice (no violation of Articles 5.1(a), 5.2, 6.1 and 13.1(c) and (d) AVG. 

- If the defendant cannot rely on all legal grounds under Article 6.1 of the AVG for the processing purposes under Article 4.3 of the old privacy notice and onward transfers to third parties under Article 6 of the old privacy notice, this constitutes an infringement of the defendant's freedom to conduct a business. 

- The Respondent submits that a reprimand is sufficient and the administrative fine of €50,000 is disproportionate. 

26. On 22 March 2020, the parties were heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. During the hearing, the Respondent explained its defence. No other elements are introduced than those already on the file. After this, the debates are closed. 

27. On 25 March 2021, the record of the hearing shall be submitted to the parties in accordance with Article 54 of the Rules of Procedure. On 5 April 2021, the respondent shall submit to the Dispute Resolution Chamber some comments on the transcript, which the Dispute Resolution Chamber decides to include in its deliberations. 

28. On 6 April 2021, the Dispute Resolution Chamber notified the Respondent of its intention to proceed with the imposition of an administrative fine, as well as the amount thereof, in order to give the Respondent the opportunity to defend itself before the sanction is actually imposed. 

29. On 27 April 2021, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine, as well as the amount thereof. 

In summary, the Respondent states the following in its response to the intention to impose an administrative fine: 

- As regards the lack of a demonstrated legitimate interest as a legal basis for the purposes of 'staff training' and 'storage of video surveillance recordings during the statutory period', the Respondent argues that no questions were raised during the hearing as to the lawfulness, necessity or proportionality of these processing purposes.  

In this regard, the Dispute Resolution Chamber notes that the Respondent has already extensively addressed in the Conclusions the lawfulness, necessity and proportionality of all processing purposes, including those for "training of staff" and "storage of video surveillance recordings during the statutory period", so that no additional clarification on this was requested at the hearing. During a hearing, only specific questions are asked about remaining ambiguities in order to clarify them and to allow the Dispute Resolution Chamber to form an opinion. 

At the moment, the Litigation Chamber can only conclude that the Respondent's reaction to the intention to impose an administrative fine following the infringement of article 6.1 of the AVG for the purposes of "staff training" and "storage of video surveillance recordings during the statutory period" lacks a proven legitimate interest as a legal basis. 

justified interest as a legal basis, does not contain any new elements which are of a nature to change the opinion of the Dispute Resolution Chamber. 

- As regards the amount of the fine, the Respondent considers that no fine can be imposed for the allegation of processing personal data without a legitimate interest. At the very least, the defendant considers that an amount of EUR 30 000 is disproportionately high. The defendant submits that it appeared from the written conclusions and during the hearing that general training material was in principle always anonymised and that personal data of customers were processed by means of camera surveillance. The documents in the file would also not show that any personal data of the complainant would have been processed for these purposes. Therefore, the complainant (and, by extension, the respondent's other customers) would, in principle, not have suffered any personal detriment as a result of any lack of legitimate interests for the processing activities "training of staff" and "storage of video surveillance recordings during the statutory period". 

The Dispute Resolution Chamber emphasises that whether or not the person concerned suffers any personal disadvantage is not a criterion for the imposition of an administrative fine, as this is not included in Article 83.2 AVG. Therefore, in its decision below, it justifies this sanction without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for the imposition of an administrative fine are clearly laid down in article 83.2 AVG, on which the Dispute Resolution Chamber bases its decision regarding the administrative fine. 

In so far as necessary, the Dispute Resolution Chamber adds that the Complainant provided its personal data to the Respondent for processing in connection with a hospitalisation insurance scheme and the Respondent subsequently indicated, on the basis of the then current privacy notice, that it also processed the Complainant's personal data for all the purposes stated in the privacy notice. On the basis of the privacy notice given at the time, the Respondent processed the Complainant's data for each of the purposes set out in the privacy notice. This is also apparent from the conclusion underlying the present decision, in which the Respondent itself delineates the allegations arising from the complaint (see margin number 33) and the allegations under points (f), (g) and (h) are the subject of its defence. The allegations arising from the complaint and as described by the defendant itself in its conclusion, concern defects in the privacy notice that concern the complainant, as well as ipso facto any other customer of the defendant who takes out hospital insurance. Indeed, the privacy notice was not drawn up exclusively for the complainant, but for every customer of the defendant who takes out hospitalisation insurance. 

This also explains why, in its conclusion, the Respondent seeks to demonstrate the lawfulness, necessity and proportionality of all processing purposes, without any distinction as to whether or not it is a processing purpose for which personal data of the Complainant are processed. The Respondent verifies that it has a legitimate interest for all processing purposes, because for each of those processing purposes, the personal data of the Complainant were processed in accordance with the Privacy Notice in force at the time. 

- In addition, the Respondent considers that an amount of EUR 30,000 is disproportionate to the infringement.  

More specifically, with regard to the seriousness of the infringement, the Respondent disagrees with the Dispute Resolution Chamber's assertion that, merely because a breach of Articles 5 and 6 of the AVG has been established, the infringements are therefore automatically "serious" and "grave". The defendant submits that, on the one hand, those articles form the basis of virtually the whole of the AVG and, consequently, virtually any infringement of the other articles of the AVG can be reduced to an infringement of Articles 5 and 6 AVG.  

On the other hand, classifying these infringements as 'serious' and 'serious' prevents a differentiation being made with infringements that are truly serious and serious, such as, for example, the complete absence of a privacy notice. However, this is not at all the case here.  

The defendant argues that it did mention these processing purposes in its privacy notice and that it carried out, with the necessary rigour, extensive weighing of interests to ascertain whether it could invoke its legitimate interests.  

With regard to the Respondent's assertion that a breach of the fundamental principles of the AVG contained in Articles 5 and 6 AVG cannot automatically be regarded as serious and serious, the Litigation Chamber notes that Article 83.5 AVG itself provides for a more serious penalty for this breach, for which the highest maximum fine is set, precisely because it concerns fundamental principles that go to the heart of data processing. The Respondent's assertion that every breach of the AVG can be traced back to a breach of the core principles does not stand up, since the Dispute Resolution Chamber is bound by the complaint and performs its assessment against the AVG within those boundaries and therefore, contrary to what the Respondent suggests, every breach cannot be 'traced back' to breaches of the core principles. Since the object of the complaint is precisely the basic principles, the Dispute Resolution Chamber will rule in this case on the application of those principles. Where the Respondent quotes as an example that the total absence of a privacy statement would be a serious and serious breach, the Litigation Chamber states that the total absence of a privacy statement would not only be a serious and serious breach, but also a serious and serious breach. 

serious and onerous breach, but a total disregard for the AVG. However, this does not alter the fact that a defective privacy statement, such as the one at issue here, which does not respect the basic principles of the AVG, must be regarded as serious and serious.

As regards the duration of the infringement, the Respondent points out that it already amended its Privacy Statement during the initial proceedings in the beginning of 2020 and it amended its Privacy Statement again following the initial decision of the Dispute Resolution Chamber in the beginning of 2021 and this should be taken into account as an attenuating circumstance. As regards the deterrent effect, the Respondent again points to its willingness to always amend its Privacy Statement, which it has done twice in a very far-reaching manner, thus achieving the purpose of these proceedings according to the Respondent. 

The Dispute Resolution Chamber already indicated in the intention to impose an administrative fine, as well as the amount thereof, that it takes into account the efforts already made by the Respondent to bring its new privacy notice into line with the AVG, which demonstrates its willingness. On the other hand, it must be noted that, although the amendments made to the new privacy notice are a favourable element in the assessment of the administrative fine, they are not intended to undo the infringements found (see paragraph 120 above). 

The Dispute Resolution Chamber gives more detailed reasons for imposing the administrative fine in section 3 of this decision.    

It follows from the foregoing that the Respondent's response does not lead the Dispute Resolution Chamber to modify the intention to impose an administrative fine or the amount of the fine as intended. 

2. Reasons 

1. Legitimate interest 

(a) Preliminary remark 

30. It follows from the judgment of the Market Court that the Dispute Resolution Chamber in its decision 24/2020 of 14 May 2020 would have ruled without the Respondent being able to defend himself fully because the decision of the Dispute Resolution Chamber would not have been limited to the allegations that are the subject of the complaint. 

31. However, the complainant expressly states in the complaint that the customer must be given the choice of whether to consent to the processing operations listed in points 4.3 and 6, and he is not given it. Indeed, once he has given his consent to the processing of his personal data in the framework of a hospitalisation insurance policy, the data processing should, according to the complainant, be limited to the fulfilment of the obligations arising from that insurance policy. The complainant maintains that the defendant cannot process his data for any other purpose, more specifically the purposes mentioned in point 4.3 and 6 of the former privacy notice, without his consent. The complaint thus challenges the legal basis of the processing for the purposes listed in point 4.3. The Complainant considers that the purposes set out in point 4.3 require his consent and that the Respondent cannot therefore simply use the data obtained on the basis of consent in the context of hospitalisation insurance for other purposes, for which the Respondent relies on its legitimate interest. 

32. The complaint thus essentially concerns the legal basis on which the Respondent may process personal data obtained from the Complainant for the purposes listed in paragraphs 4.3 and 6 of the Respondent's former privacy notice. 

33. In the Respondent's submission before us, the allegations are listed in paragraphs (a) to (h): 

"(a) Y would obtain the consent for the processing of medical data in the context of the conclusion and performance of insurance contracts under coercion, which would render such consent invalid (violation of Articles 5(1)(a) (principle of lawfulness); 6(1)(a) and 9(2)(a) AVG) 

(b) Y should give the Complainant access to the data protection impact assessment ('DIA') which it allegedly carried out for the processing of medical data in connection with the execution of insurance contracts with its customers (breach of Articles 35 and 36 AVG) 

(c) Y should, in Articles 4.3 and 6 of the old Privacy Notice, make a better distinction between the processing of medical data on the one hand and the processing of other 'ordinary' personal data on the other (breach of Article 13(1)(c) AVG);  

d) Y should take additional measures to inform the data subjects of their right to object under Article 21(2) of the AVG (breach of Articles 12(1) and 13(2)(b) of the AVG) 

e) Y should further clarify the legal grounds for the transfer of personal data to third parties, as mentioned in Article 6 of the Privacy Statement of Y (violation of Article 13 (1) (c) AVG) 

f) Y would process personal data without a demonstrated legal basis (including its legitimate interest within the meaning of Article 6(1) AVG) for a number of purposes referred to in Article 4.3 of the ex-Y Privacy Statement and transfers to third parties referred to in Article 6 of the ex-Y Privacy Statement (breach of Articles 5(1)(a) (legality principle) and 6(1) AVG) 

g) Y is alleged not to have provided sufficient information about its legitimate interests in its previous Privacy Statement where Y invokes this legal ground (violation of Articles 5(1)(a) (transparency principle) and 13(1)(c) and (d) of the AVG) 

(h) Y is alleged, where Y invokes this legal ground, not to have sufficiently demonstrated what its legitimate interests would be and not to have demonstrated to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5(2) AVG). 

34. The Respondent also confirms that the allegations described in paragraphs (a) to (h) arise from the Complaint by stating in the Conclusion the following: 

"Should the Dispute Resolution Chamber find that the above allegations and alleged violations of the AVG by Y (points a to h) do not arise from the complaint [...], the Dispute Resolution Chamber is invited to inform Y thereof [...]." 

35. In this respect, the Dispute Resolution Chamber notes that the allegations as currently described by the Respondent in points (a) to (h) were already raised in the complaint, and in respect of which the Respondent now indicates that they do indeed result from the complaint, but in respect of which he nevertheless did not put forward a defence in the proceedings prior to decision 24/2020 of 14 May 2020 as regards (f), (g) and (h).  

With regard to the allegations in points (a) to (e) of his conclusion, the Respondent indicates that he either had the opportunity to defend himself and was found in favour by the Dispute Resolution Chamber (this concerns allegations (a) and (b)), or did not contest the allegations and rectified them in the new privacy notice (this concerns allegations (c), (d) and (e)). As regards the established breach of Article 13.1(c) of the AVG regarding allegation (c), the breach of Article 12.1 and Article 13.2(b) of the AVG regarding allegation (d) and the 

Article 13.1(c) AVG regarding allegation under (e), the Dispute Resolution Chamber refers to the reasons for this in decision 24/2020 of 14 May 2020. 

The defence in the present conclusion only focuses on the allegations under points (f), (g) and (h). 

36. To the extent that there may have been some lack of clarity regarding the subject matter of the complaint on the part of the Respondent prior to decision 24/2020, the Dispute Resolution Chamber nevertheless gave the Respondent the opportunity to defend itself, and will consider below whether and, if so, to what extent the Respondent breached the AVG with regard to the allegations set out in points (f), (g) and (h) of its conclusion, and whether the administrative fine should be upheld. 

b) Legal basis for purposes mentioned under 4.3 of the Privacy Statement  

37. The Respondent claims to be able to rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes listed under Section 4.3 of the former Privacy Notice: 

- Performing computer tests; 

- Monitoring the quality of service provision; 

- training of personnel; 

- monitoring and reporting; 

- the storage of video surveillance recordings for the statutory period; and 

- compiling statistics from encrypted data, including big data. 

38. For each of these purposes, the Respondent has carried out a balancing of interests. The Dispute Resolution Chamber below assesses the balancing of interests undertaken for each of these purposes in accordance with the established decision-making2 approach it uses in assessing the legitimate interest. 

2 See, inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020. 

39. Pursuant to Article 6.1(f) of the AVG and the case law of the Court of Justice of the European Union, three cumulative conditions must be met in order for a 

controller may lawfully rely on that ground of law, 'namely, first, the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, second, the necessity of processing the personal data for the purposes of the legitimate interest pursued and, third, the condition that the fundamental rights and freedoms of the data subject are not prejudiced' (Rigas judgment)3.  

3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rigas regiona parvaldes Kartibas policijas parvalde v Rigas pašvaldibas SIA "Rigas satiksme", paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK t/ Asociatia de Proprietari bloc M5A-ScaraA, paragraph 40. 

40. In order to rely on the lawfulness ground of "legitimate interest" under Article 6.1(f) of the AVG, the controller must demonstrate, in other words, that:  

1) the interests it pursues with the processing can be recognised as legitimate (the "purpose test");  

2) the intended processing is necessary for the purposes of achieving those interests (the "necessity test"); and 

(3) the balance of these interests in relation to the interests, fundamental freedoms and rights of data subjects weighs in favour of the controller (the "balancing test"). 

41. With regard to the purpose of "conducting computer tests", the Respondent states the following: 

"Context of the processing purpose 

This processing purpose includes the tests performed by IT testers and developers: 

- in connection with "modifications", which are minor adjustments or in connection with purely functional aspects; and 

- in the context of any automation projects. 

These tests are carried out in the context of: 

- IT and network security; 

- the maintenance, improvement and development of (the quality of) Y products and services; or 

- the improvement of the customer experience (e.g. to make internal processes and systems more efficient for back-office activities, to improve the user experience in Y's digital channels, etc.). 

This process does not include the acceptance and emulation phase, which can only be performed by the "specialised activities" team before the changes can actually be implemented and put into production."  

42. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled. 

43. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

44. Considering the purpose of computer testing, the Dispute Resolution Chamber should note that the Respondent ensures that, where possible, dummy data or anonymised data are used (e.g. in the case of changes involving different systems or applications and requiring a unique reference, such as the policy number). Only when there is no other option, will personal data be used to realise the intended change or development. Possible possibilities for (further) restriction of data processing are constantly investigated and progressively introduced as part of the project 'data anonymisation in non-production environments'. Furthermore, strict access controls are introduced on the IT environments where the IT tests are performed. Procedures are also established for how these IT tests are to be conducted, which all stakeholders must take into account. 

45. The Dispute Resolution Chamber notes that the Respondent cites using personal data only when there is no other option. During the hearing, Y states that the tests are always performed using dummy data, but that the testing phase determines the extent to which such data can be tested. In some cases, the limits of the possibilities to do data masking have been reached. This has to do with the life cycle of the tests, namely gradually dummy data can be used in IT tests, but sometimes the processing of personal data is required in order to ensure the interaction between applications.  The Dispute Resolution Chamber considers that the Respondent has thus made it reasonably plausible that the computer systems are not always based on 

anonymised or pseudonymised data. The second condition is thus fulfilled, as it has been demonstrated that the principle of minimum data processing (Article 5.1(c) of the AVG) has been complied with. Nevertheless, the Dispute Resolution Chamber notes that for the sake of clarity vis-à-vis the customers concerned, the Respondent might consider providing in the privacy notice some succinct explanation of the case where the Respondent has no choice but to conduct computer tests with personal data. 

46. In order to assess whether the third condition of Article 6.1(f) AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the reasonable expectations of the data subject should be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "4. 

4 Recital 47 AVG. 

47. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that moment that his data will be used for computer testing. After all, the customers expect a correct execution of their insurance contracts, which goes hand in hand with secure and correct management of the IT systems. The interest of the customers thus requires that the functionalities of the IT environment be tested for this purpose. 

48. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) of the AVG for processing for the purpose of "computer testing". 

49. With regard to the purpose of "monitoring the quality of service" and "compiling statistics from coded data, including big data", the Respondent states that this comprises three elements and provides as follows: 

- For the part "Statistics and quality testing" 

"Context of the processing purpose 

Y, as an insurer, is subject to prudential supervision. This includes the duty to exercise overall control over its business and its performance, including, but not limited to, the monitoring of sales performance, the performance and remuneration of certain hospital networks and cover/refunds. This relates to the overall control of the quality of the services and the performance of the insurance undertaking to ensure its continuity. This processing purpose includes both one-off and recurring reports, which may or may not involve the use of big data methodologies. These reports are mainly aggregated or anonymised, unless specific statistics are required (by category, such as by age group)." 

50. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled. 

51. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

52. The Dispute Resolution Chamber notes that the Respondent only justifies that it is necessary for it to compile statistics and conduct quality tests, as financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Dispute Resolution Chamber does not in any way disregard the need for the Respondent to have statistics and quality tests, but the Respondent limits itself to stating that mainly aggregated or anonymised reports are prepared unless specific statistics are required (by category such as e.g. by age group). Moreover, the Respondent states that big data methodologies may or may not be used to produce such reports.  

53. To what extent the statistics still contain personal data or allow for the re-identification of a data subject, is further explained during the hearing. The respondent states that there are still very few statistics that contain personal data. The 

In any event, the statistics do not contain names and certainly not health data. The statistics do contain codes, but these are aggregated, segmented data in the mass. 

Also, the Directive (EU) 2016/97 on insurance distribution5 and the Belgian implementing legislation of this directive require the processing of certain personal data for specific reporting. Sometimes policy data is processed in the reporting, but this does not result in further processing in the statistics. Each report has a purpose and the processing may not exceed this purpose. A register is kept of those reports and their purpose, which are strictly regulated via the data warehouse and require approvals to deviate from it.  

5 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19. 

54. The Dispute Resolution Chamber concludes that the Respondent has made the necessary efforts to limit the data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG). 

55. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it should be evaluated whether 'the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose'. 

56. The Dispute Resolution Chamber follows the Respondent's view that if an individual enters into an insurance contract with Y, that individual can reasonably expect Y to implement internal controls and compile statistics to ensure that Y can meet its contractual obligations. 

57. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "Statistics and Quality Requirements". 

- For the section on "Satisfaction Surveys" 

"Context of the processing purpose 

This processing purpose includes determining the NPS ("Net Promoter Score"), the customer satisfaction factor, by means of an external survey carried out by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Centre and the claims department (claims handling). 

58. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered to be carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled. 

59. In order to fulfil the second condition, it should be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

60. Starting from the purpose of conducting satisfaction surveys, the Dispute Resolution Chamber should establish that the Respondent allows customers to express an opinion anonymously through this survey and thus to assert their interests. The results are aggregated and processed by an external company so that the anonymity of those involved can be preserved. During the hearing, it was added that customers always have the choice of whether or not to participate in the survey, since they always have the right to object. The Panel finds that customers thus have the necessary freedom of choice, and that the results of those who participate in the survey are made available to the respondent in anonymous form. 

The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG). 

61. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it must be evaluated whether the "data subject 

at the time and in the context of the collection of the personal data, the data subject may reasonably expect that processing can take place for that purpose "6. 

6 Recital 47 AVG. 

62. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used by the defendant to gauge his satisfaction with the defendant's service. 

63. Consequently, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "conducting satisfaction surveys". 

- For the section on 'Quality assurance tests on operations 

"Context of the processing purpose 

This processing purpose relates to the general monitoring of the quality of the operational services and the performance of Y . This concerns quality checks whereby each employee concerned must carry out 2 random checks per week on the correct underwriting or execution of the insurance contract and applicable instructions and procedures for this purpose." 

64. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled. 

65. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question must be asked whether the same result can be achieved by other means without processing personal data or without processing that is unnecessarily intrusive for the data subjects.

66. In view of the purpose, being the general monitoring of the quality of Y's operational services and performance, the Litigation Chamber should note that the Respondent asserts that Y is subject to the Insurance Distribution Directive (EU) 2016/97 and the Belgian implementing legislation which require insurance companies to tailor their services to the desires and needs of their customers. As indicated during the hearing, the Respondent does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and scope of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). The processing of personal data is necessary in order to actively measure the quality of the service. 

67. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "7. 

7 Recital 47 AVG. 

68. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for carrying out internal quality controls in order to ensure that Y can comply with its legal and contractual obligations. 

69. Accordingly, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of 'quality checks operations'. 

70. With regard to the purpose of "training of personnel", the Respondent states the following: 

"Context of the processing purpose 

This includes the organisation and follow-up of training, awareness sessions and courses for Y employees who come into contact with (personal data of) customers. Trainings include 

- technical aspects (e.g. with regard to Y products); 

- technical aspects (e.g. the use of Office 365 applications, information security training, etc.) 

- On the job training (training for new employees as well as training with the aim to continuously improve the quality of service); and 

- More general aspects such as compliance topics (e.g. AVG, IDD, etc.). 

71. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled. 

72. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

73. Starting from the purpose of training staff, the Dispute Resolution Chamber should note that the Respondent submits that in exceptional cases the cases used for training contain personal data of customers, or personal data of customers are used for the preparation of the training material. However, the Respondent states that the underlying material (case studies) is generally fully anonymised. 

74. The Dispute Resolution Chamber notes that the Respondent cites that, in the context of training, cases contain personal data of customers only in exceptional cases or personal data of customers are used for the preparation of the training material. However, the Respondent fails to clarify in which cases it would be required to provide training to staff using customers' personal data. The defendant does not make it reasonably plausible that staff training could not always be provided on the basis of anonymised data. The second 

condition is thus not met, as it has not been demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) is complied with. 

75. In order to verify whether the third condition of Article 6.1(f) of the AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 of the AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "8. 

8 Recital 47 AVG. 

76. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for staff training. A policy holder can only expect normal management of his customer file, which only requires access to the information contained therein by the personnel who have to carry out tasks for the benefit of the customer concerned. When, in the context of training, information from actual files is shared, the processing of that information is not limited to those who have to perform tasks in the file concerned. 

77. Consequently, the Litigation Chamber concludes that the Respondent cannot rely on the legal ground of 'legitimate interest' for processing for the purpose of 'staff training' and therefore there is an infringement of Article 6.1(f) of the AVG. The Dispute Resolution Chamber additionally notes that if the Respondent nevertheless wishes to use customers' personal data for the purpose of training staff, it may rely on another legal ground, namely consent (Article 6.1(a) AVG). 

78. With regard to the purpose of "monitoring and reporting", the Respondent states the following: 

"Context of the processing purpose 

This processing purpose includes, inter alia, the production of reports for auditing purposes in the context of: 

- IFRS 17 accounting standards for insurance contracts and Belgian generally accepted accounting principles ("Belgian GAAP") 

- calculating reserves (within the framework of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act), etc.); or 

- profitability monitoring or reports in the context of large claims. 

These reports are made both for internal control purposes and for reporting to the Y1 Re group (of which Y is part). This includes both recurring reports and one-off ad hoc reports. Only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are made in the context of large claims or ad hoc reports relating to specific cases or outliers. 

79. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled. 

80. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

81. Based on the purpose of monitoring and reporting, the Litigation Chamber finds that the Respondent asserts that the various general financial and insurance law regulations (in the context of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act)) cannot be complied with without drawing up the necessary reports or carrying out monitoring. As indicated during the hearing, the Respondent also does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and extent of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). Indeed, the processing of personal data is necessary since compliance with the legislation cannot be achieved without the necessary reports or monitoring. 

82. The Respondent adds that only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are prepared in the context of large claims or ad hoc reports relating to specific cases or outliers. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1(c) of the AVG). 

83. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "9. 

9 Recital 47 AVG. 

84. The Dispute Resolution Chamber considers that in the case of collection of personal data in the context of taking out insurance, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for the fulfilment of the legal and contractual obligations of the defendant. 

85. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "monitoring and reporting". 

86. With regard to the purpose "storage of video surveillance recordings for the statutory period", the Respondent states the following: 

"Context of the processing purpose 

It concerns the processing of personal data by means of the cameras located within the premises of Y for the purpose of safeguarding customer security, data security and the protection of the company's assets." 

87. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest that the 

Respondent pursued as a data controller can in itself be considered justified pursuant to recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled. 

88. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

89. Starting from the purpose of providing video surveillance, the Dispute Resolution Chamber should note that the Respondent asserts that the images are stored in a secure environment. Both the room and the IT servers involved are subject to strict access security measures. Access to the images is subject to strict procedures. Storage of the images is also limited to the legal retention period (in principle 30 days). 

90. The second condition is thus fulfilled as it was demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) was complied with. 

91. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the data subject's reasonable expectations must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "10. 

10 Recital 47 AVG. 

92. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for video surveillance. The purpose of video surveillance is not related to the conclusion of an insurance contract, so that the policyholder cannot expect that his personal data provided in connection with an insurance contract will be used for video surveillance purposes. Video surveillance only takes place when the defendant's premises are physically entered, and then it is sufficient 

compliance with the camera law, including the obligation to display a pictogram with information to inform the person concerned. 

93. Consequently, the Dispute Resolution Chamber concludes that the Respondent cannot rely on the legal basis 'legitimate interest' for processing for the purpose of 'storage of video surveillance recordings during the statutory period' and thus there is an infringement of Article 6.1(f) of the AVG.  

94. For the sake of completeness, the Litigation Chamber adds that if a controller wishes to use surveillance cameras, it must then comply with its legal obligations under the Act of 21 March 2007 regulating the installation and use of surveillance cameras. As soon as a controller makes use of surveillance cameras, data processing obligations flow from that law, so that the controller can rely on Article 6(1)(c) AVG. In this regard, the Respondent stated during the hearing that the necessary pictograms have been affixed in accordance with this law. 

c) Model balancing of interests 

95. For each of the aforementioned purposes, the Respondent argues that the processing purpose is permissible because the quantitative score calculated by the balancing of interests model used by Y is below 30. The Respondent submits that on the basis of that model, the processing purposes may be supported by the legitimate interests of the controller to the extent that this score does not exceed 30. 

96. In this respect the Litigation Chamber notes that the model used by Y is a purely internal instrument which, at most, can serve as a guideline within the company, but from which no legal arguments can be drawn in order to pass the test against the legal basis of Article 6.1(f) of the AVG. Thus, no legal value can be attached to the scores calculated on the basis of that model. 

d) All legal grounds contained in Article 6.1 AVG 

97. The Respondent believes that the Dispute Resolution Chamber would have stated in its Decision 24/2020 that it can only rely on consent as a legal ground (Article 6.1(a) AVG) for the 

processing purposes listed in section 4.3. of the old Privacy Notice and not on the other legal grounds of Article 6.1 AVG. 

98. The Litigation Chamber explains that in this regard the following was stated in the decision 24/2020: 

"The Litigation Chamber therefore considers that the breach of Art. 6.1. AVG has been proven, as the data processing for the purposes set out in sections 1, 2, 3 4, 6 and 7 of point 4.3. of the Privacy Statement, without any demonstrated legitimate interest, must be based on the consent of the complainant in the absence of any other possibly applicable legal ground in Art. 6.1. AVG." 

99. From this the defendant infers, albeit incorrectly, that the Dispute Resolution Chamber has given consent as the sole legal basis for the purposes set out therein. However, the Respondent ignores the fact that the Dispute Resolution Chamber reaches that decision precisely because the Respondent fails to demonstrate any legitimate interest and thus fails to demonstrate that the applicable conditions are met to rely on this legal basis in Article 6.1(f) AVG. Indeed, the Litigation Chamber expressly stated in its decision that the Respondent did not demonstrate in any way what its legitimate interest would be and also failed to demonstrate to what extent its interest would outweigh the interests and fundamental rights of the Complainant, although the Respondent is obliged to do so on the basis of its accountability obligation (Article 5.2 AVG). Thus, the Dispute Resolution Chamber could not retain Article 6.1(f) AVG as a valid legal basis. Based on the factual elements that led to decision 24/2020, the only remaining legal ground was consent.  

The Litigation Chamber emphasises that any controller, including thus also the Respondent, may rely on any possible legal ground under Article 6.1 AVG, but that the applicable conditions for the legal ground relied upon must be met.  

2. Legal ground for transfers to third parties 

101. First, the defendant claims that a transfer to third parties is not a processing purpose in itself, but is a mere form of processing personal data within the meaning of Article 4.2 AVG. The Respondent argues that it only makes considerations of interests per processing purpose, but not per processing. 

102. The Dispute Resolution Chamber states that it follows from Article 5.1(a) AVG that personal data must be processed for a specified purpose and that such processing must be lawful within the meaning of Article 6.1 AVG. It is therefore clear that any processing must take place within the framework of a well-defined, explicit and legitimate purpose and that this processing must be based on a legal basis in order to be considered lawful. It is, of course, possible to carry out several processing operations for the same purpose within the meaning of Article 4.2 of the AVG, but this does not alter the fact that data processing for a certain purpose can only be regarded as lawful if there is a legal basis for doing so. 

103. The Litigation Chamber notes that, for each transfer to a third party, the purpose for which the transfer is made must be determined. In order to verify whether the transfer to a third party can be considered lawful, the purpose of the transfer to a third party must be determined. 

104. As the Respondent rightly points out, the legal basis for the transfer to processors (which are, however, not third parties within the meaning of Article 4(10) of the AVG) is the same as for the data processing by the Respondent itself. Indeed, the purpose of processing remains unchanged, as the processor processes the personal data only for the benefit of the defendant as controller. 

105. If the personal data are transferred to a third party within the meaning of Article 4. 10) AVG for the purpose of enabling that third party to process the personal data in question for its own purposes, then that transfer should be considered in isolation for that specific purpose and requires a separate legal basis. For the sake of transparency, the processing basis for all transfers should be stated in the privacy notice in order for the defendant to comply with its obligation under Article 13(1)(c) of the AVG. However, this is not the case, which is why the Dispute Resolution Chamber is of the opinion that there has been a violation of Article 13.1(c) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG. 

3. Principle of Transparency 

106. Notwithstanding the fact that Article 13.1(d) AVG requires the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f), the Respondent maintains that this is sufficient for the purposes of the Privacy Notice referred to in 4.3 above, as well as for the transfers referred to in 6 of the 

privacy statement which are based on Article 6(1)(f) of the AVG, it is sufficient to state that personal data are processed based on the legitimate interest of the defendant, without explaining what exactly this legitimate interest would consist of. 

107. The Respondent submits that the balancing of interests concerns internal documents which have not been made public by Y or included in its Privacy Statement, given the business-sensitive information they contain. Moreover, these are voluminous, rather privacy-related documents that are typically not included in a Privacy Statement. 

108. For transfers to "the companies of the group Y1 Re to which Y belongs, for monitoring and reporting purposes", the Respondent confirms that it is a transfer to another controller, mentions its legitimate interest in its conclusion under the processing purpose "monitoring and reporting", but fails to clarify its legitimate interest in the Privacy Statement. 

109. Furthermore, the Respondent also refers to recital 48 of the AVG which provides that controllers which are part of a group of companies or a group of institutions affiliated to a central body may have a legitimate interest in the transmission of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees. 

110. The Dispute Resolution Chamber acknowledges that recital 48 applies to the Respondent, but this does not prevent the Respondent from being transparent on this issue in its privacy notice and also in such a case from indicating the legal basis and making clear what its legitimate interest consists in, which is not the case in the old privacy notice. 

111. As regards the transfer to "subcontractors in the European Union or outside, responsible for processing activities defined by Y", the Respondent argues that they are processors of Y . 

112. The Litigation Chamber therefore repeats the reasoning in this regard from its decision 24/2020 to conclude a breach of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG. The privacy declaration merely states that personal data are processed for the purposes set out in 4.3 on the basis of the legitimate interest of the defendant, without indicating what exactly this legitimate interest would be, whereas Art. 13.1(d) AVG does require that the processing of personal data be based on the legitimate interest of the defendant. AVG does require the controller to provide the data subject with information regarding his legitimate interests if the processing is based on Article 6(1)(f). 

113.  The Dispute Resolution Chamber also refers to the European Data Protection Board (EDPB) Guidelines on transparency under Regulation (EU) 2016/67911, which emphasise that the specific interest in question must be identified for the benefit of the data subject. 

11 EDPB, Guidelines of the Article 29 Data Protection Working Party on Transparency under Regulation (EU) 2016/679, adopted on 29 November 2017, last revised and adopted on 11 April 2018, p. 42. 
116. As the Respondent points out, it is not prepared to apply the aforementioned best practice because, in its view, the documents in question are internal privacy documents containing business-sensitive information.  

117. The Dispute Resolution Chamber states that even if the Respondent refuses to follow this best practice, it is at least obliged under Article 12.1 AVG to provide the data subject with information on its legitimate interest for each of the purposes for which it invokes that legal basis in a concise, transparent, intelligible and easily accessible form and in clear and simple language. In order to comply with this, it is by no means required that privacy technical documents would be disclosed, but it is required that information regarding the legitimate interest is provided in clear language that can be easily understood by a (potential) customer of the defendant 

118. The Litigation Chamber finds that the information required by Article 13.1(d) AVG has not been made available by the Respondent in any way, so that the breach of Article 13.1(d) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG has been established.  

4. Administrative fine 

119. The fact that the Respondent did commit the infringements of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG leads the Dispute Resolution Chamber to uphold the administrative fine. This sanction is not intended to put an end to a violation that has been committed, but to ensure vigorous enforcement of the rules of the AVG. After all, as is clear from recital 148 of the AVG, the AVG stipulates that in the event of any serious breach - i.e. even if the breach is detected for the first time - sanctions, including administrative fines, shall be imposed in addition to or as an alternative to appropriate measures.13 In the following, the Dispute Resolution Chamber demonstrates that the infringements committed by the Respondent of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG are by no means minor infringements, nor that the fine would cause a disproportionate burden to a natural person as referred to in recital 148 AVG, whereby a fine may be waived in either case. The fact that it is a first finding of an infringement committed by the defendant is not sufficient to justify the imposition of a fine. 

13 Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or as an alternative to any appropriate measures imposed by the supervisory authorities under this Regulation. Where the infringement is minor or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be substituted for a fine. However, account should be taken of the nature, seriousness and duration of the breach, of the intentionality of the breach, of measures to mitigate damages, of the degree of responsibility or of previous relevant breaches, of how the breach came to the attention of the supervisory authority, of compliance with measures taken against the controller or processor, of adherence to a code of conduct and of any other aggravating or mitigating factors. The imposition of sanctions, including administrative pecuniary sanctions, should be subject to appropriate procedural safeguards in line with general principles of Union law and the Charter, including effective remedy and fair trial. own emphasis] 

As regards the AVG, this does not in any way affect the ability of the Dispute Resolution Chamber to impose an administrative fine. The Dispute Resolution Chamber shall impose the administrative fine in application of Article 58.2(i) AVG.  

120. The Litigation Chamber again emphasises that the instrument of an administrative fine is in no way intended to terminate infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG. It further emphasises that the administrative fine is one of the sanctions provided for in Article 58.2 AVG and Article 100 WOG. Neither EU law nor national Belgian law establish a hierarchy with regard to the sanctions to be imposed. As an organ of an independent data protection authority as provided for in Section 51 of the AVG, the Litigation Chamber is free to choose the most appropriate sanction. The Litigation Chamber considers that, in view of the controller's duty of accountability, the imposition of an administrative fine for a breach of the AVG could be expected.14  
12 See paragraph 35 of the Guidelines referred to in footnote 6. 

114. Also with regard to point 6. of the Privacy Notice, the Respondent does not indicate what would be its legitimate interest, invoked by it, to process personal data of the Complainant for the purpose of transfer to "The companies of the Y1 RE group to which Y belongs, for monitoring and reporting purposes" and "Subcontractors in the European Union or beyond, responsible for processing activities defined by Y". However, Art. 13.1. d) AVG does require the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f). In this regard, the Litigation Chamber refers again to the Guidelines on Transparency pursuant to Regulation (EU) 2016/679 and the above.  

115. The Dispute Resolution Chamber stated in its decision 24/2020 that as a best practice, the controller may also, before collecting personal data from the data subject, provide the data subject with information on the consideration to be given to Article 6(1)(f) as the legal basis for the processing. To avoid information fatigue, this information could be included in a layered privacy notice.12 The information provided to data subjects should make clear that these data subjects may receive information on the balancing exercise upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the assessment made or wish to lodge a complaint with a supervisory authority. 

14 On the competence of the Dispute Chamber to impose an administrative fine, see also decision no. 55/2021 of 26 April 2021, available in French on the website of the GBA.   

15 Brussels Court of Appeal (Market Court section), Judgment 2020/1471 of 19 February 2020. 

121. Taking into account Article 83 AVG and the jurisprudence15 of the Markets Court, the Dispute Resolution Chamber motivates the imposition of an administrative sanction in concrete terms: - The seriousness of the breach: the reasoning below shows the seriousness of the breach.  

- The duration of the breach: the breaches are assessed with regard to this aspect in the light of the date on which the AVG became applicable, namely 25 May 2018. The Respondent's privacy notice appears to have remained unchanged since the AVG became applicable until a new privacy notice was drafted in response to the complaint. However, the new privacy statement is not the subject of the Dispute Resolution Chamber's assessment, so it does not express an opinion on the extent to which the new privacy statement complies with the AVG. 

- The necessary deterrent effect to prevent further breaches 

122. As regards the nature and seriousness of the breach (Article 83.2(a) AVG), the Litigation Chamber emphasises that compliance with the principles laid down in Article 5 AVG - in this case, in particular, the principle of transparency including accountability, as well as the principle of legality - is essential, as these are fundamental principles of data protection. The Litigation Chamber considers that the defendant's infringement of the principle of legality 

The Dispute Settlement Chamber therefore considers that the Respondent's breach of the principle of lawfulness set out in Article 6 of the AVG and of the principle of transparency set out in specific terms in Articles 12 and 13 of the AVG constitutes a serious breach.  

123. An important element in determining the amount of the fine is the fact that the Defendant does not contest the following infringements as substantiated in Decision 24/2020 and, as a result, has already made efforts to bring the new privacy notice into line with the AVG in these respects  

- Infringement of Article 12.1 and 13.2 b) of the Privacy Act by not mentioning in the privacy declaration the possibility for the person concerned to exercise his/her right of retention. 

- Infringement of Article 13(1)(c) AVG for failure to state the legal basis for the transfer to each of the different categories of third parties in point 6. of the privacy statement. 

124. Although the amendments made to the new Privacy Notice are a favourable element in the assessment of the administrative fine, the Litigation Chamber emphasises that they are not intended to undo the breaches found. The infringements were found and cannot be retroactively reversed by the controller bringing its data processing into compliance with the requirements of the AVG, albeit too late. 

125. In addition, infringements are also identified in the present decision:  - Infringement of Article 6.1 AVG as regards the purposes of 'training of staff' and 'storage of video surveillance recordings during the statutory period'.  

- Infringement of Article 13(1)(c) of the AVG in conjunction with Article 5(1)(a) of the AVG and Article 5(2) of the AVG. 

- Infringement of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG. 

Furthermore, the Dispute Resolution Chamber also takes into account the finding that the violation of Article 6.1 AVG is limited to two processing purposes "the training of staff" and "the storage of video surveillance recordings during the statutory period" and is therefore of a nature to justify a reduction in the amount of the fine. In addition, the breaches of the principle of transparency and accountability that have been established are of such gravity 

that a substantial fine is appropriate. This is all the more true in view of the large scale of the defendant's processing of data other than health data with a decisive impact on all insured persons who have taken out hospital insurance with Y, which is a considerable number of persons concerned. A decisive element in this respect is also the fact that Y is a major player in the insurance market which may be expected to align its privacy policy with the AVG with due diligence. 

126. As regards the lack of transparency, the Litigation Chamber also points out that the AVG precisely provided for a transitional period of 2 years16 in order to give every controller the necessary time to prepare for and adapt to the requirements set by the AVG. Therefore, the Respondent's argument during the hearing that the changes made by the AVG to the previous Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data are at the root of the lack of transparency cannot be accepted. The defendant argues that Articles 13 and 14 AVG, in conjunction with Article 12 AVG, and the precise manner in which they are interpreted caused the difficulty. The transparency guidelines of the Group 29 (now EDPB) were an aid. Again, the Dispute Resolution Chamber should note that those Guidelines already date from 29 November 2017, were revised and adopted on 11 April 2018 and have remained unchanged since then. The Respondent thus had sufficient time, as required by its accountability obligation (Article 5.2 AVG), to align its privacy statement with the AVG. 

16 Article 99 AVG 

127. This leads the Dispute Resolution Chamber to reconsider the fine and reduce it to €30,000. 

128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in Section 83 AVG, taking into account the assessment criteria set out therein. The Litigation Chamber points out that the other criteria of art. 83.2. AVG in this case are not such as to result in an administrative fine other than that determined by the Dispute Resolution Chamber for the purposes of this decision. 

5. Publication of the decision 

129. In view of the importance of transparency regarding the Dispute Resolution Chamber's decision, this decision is published on the GBA's website. However, it is not necessary for the identification details of the parties to be published directly for this purpose. 

FOR THESE REASONS, 

the Data Protection Authority's Dispute Resolution Chamber, after deliberation, decides to reverse its decision 24/2020 of 14 May 2020 and to impose an administrative fine of €30,000 on the Respondent, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, for violations of articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG. 

This decision may be appealed pursuant to Article 108 § 1 WOG within a period of thirty days from the notification to the Market Court, with the Data Protection Authority as defendant. 

(Get).Hielke Hijmans 

President of the Litigation Chamber