APD/GBA (Belgium) - 57/2021

From GDPRhub
Revision as of 10:14, 26 May 2021 by RRA (talk | contribs)
APD/GBA (Belgium) - 57/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(d) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 06.05.2021
Published: 06.05.2021
Fine: 30.000 EUR
Parties: n/a
National Case Number/Name: 57/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Dutch
Original Source: Beslissing ten gronde 57/2021 van 06 mei 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA states that a separate and clearly defined purpose is necessary for the transfer of personal data to a third party. Multiple, different processing can take place for the same purpose, but each requires a legal basis.

English Summary

Facts

This decision is a reconsideration of the decision 24/2020 and executes the appeal of the Market Court of 18 November 2020 (2020/AR/813), it gives the defendant the possibility to defend itself against all infractions on the GDPR for which the initial sanction was based on.

To summarise, the complainant claimed that its health data was used by an insurance company for a purpose for which he did not explicitly agree. The defendant now claims to use legitimate interest as legal basis.

Holding

The defendant states that non-sensitive personal data can be processed based on legitimate interest for different purposes and for each of these purposes, a balancing test was done.

The DPA recites the requirements for relying on Article 6(1)(f), namely: purpose test, necessity of the processing and a balancing test.

As regards the first condition (the so-called "purpose test"), the DPA considers that the processing purpose as described by the defendant must be considered as carried out in view of a legitimate interest. The interest pursued by the Defendant as the data controller must in itself be regarded as legitimate, in accordance with recital 47 of the GDPR.

In order to satisfy the second condition, it must be demonstrated that the processing is necessary for the achievement of the purposes pursued. More specifically, this means asking the question whether the same result can be achieved by other means without processing personal data or without an unnecessarily intrusive processing for the data subjects.

In order to verify whether the third condition of Article 6(1)(f) - the so-called "balancing test" between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the data subject, on the other hand - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 GDPR. It should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose."

Most purposes pass this assessment, notable passages:

- personal data from a data subject cannot be used for training of personnel as this breaches the data minimisation and reasonable expectations of the data subjects.

- even though there is no explicit legal obligation, it can be within the reasonable expectation of a data subject that a(n) (insurance) company must fulfill legal obligations and is thus bound to process certain data.

- legitimate interest cannot be relied upon to store recordings of video surveillance when signing an insurance contract as this is regulated by the Camera law of 21 March 2007, including the obligation to put up pictograms to inform the data subjects. This does not fall under the reasonable expectations of data subjects and CCTV is based on consent.

- a model for balancing tests has no legal value, it is purely instrumental.



The defendant claims that transfers to third parties is not a processing purpose, but a form of processing within the meaning of Article 4(2).

The DPA states according to Article 5(1)(a), personal data must be processed processed for a specific purpose and the processing must be legitimate within the meaning of Article 6(1). It is possible to do multiple processing for the same purpose, but this must be done in compliance with the above.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(c), there is a breach of the GDPR.

Notwithstanding Article 13(1)(d) regarding transparency of its legitimate interests, the defendant claims that they fulfilled the requirements by merely stating in the privacy notice that the personal data will be processed based on its legitimate interest without indicating what those interests are.

Those legitimate interest are not public as they contain company sensitive information and the documents are very 'heavy', not suited for a privacy notice.

As the defendant is not able to state a specific and separate purpose for the transfer to a third party, and in light of the transparency principle within the meaning of Article 13(1)(d), there is a breach of the GDPR. And even if the defendant does not want to share sensitive information, they must at least provide more information to its data subjects in a clear and transparent way. Sharing company sensitive or 'heavy' documents on their own is not required for this.

Decision

Based on the above, the first decision, and the appeal, the fine for the insurance company is reduced to €30.000 (from €50.000)


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Litigation Chamber 

Decision on the merits 57/2021 of 06 May 2021 

File reference : DOS-2019-02902 

Subject: Lack of transparency in the privacy statement of an insurance company (reconsideration decision 24-2020) 

The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, members; 

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the AVG; 

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; 

Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;  

Having regard to the documents on file; 

...

...

has taken the following decision concerning: 

- Mr X, hereinafter "the complainant"; 

- Y, represented by Mr Benoit Van Asbroeck and Mr Simon Mortier, hereinafter "the defendant". 

1. Facts and procedure 

1. This decision is a reconsideration of decision 24/2020 of the Dispute Chamber of 14 May 2020, and implements the judgment of the Markets Court of 18 November 2020, with roll number 2020/AR/813.  

2. This decision should be read in conjunction with decision 24/2020 and contains a reconsideration aimed at giving the Respondent the opportunity to defend itself with regard to all breaches of the AVG for which a penalty was imposed in the initial decision, to the extent that these breaches are contested by Y. In this reconsideration, the Dispute Resolution Chamber will thus stay within the framework of the initial decision, including with respect to the administrative fine, which cannot exceed the amount of the fine initially determined. As regards the allegations in respect of which the Dispute Resolution Chamber ruled in the initial decision that there was no infringement of the AVG, this opinion remains valid. The infringements established in the initial decision and not contested by Y are also maintained. 

3. On 14 June 2019, the complainant filed a complaint with the Data Protection Authority against the respondent. 

The subject of the complaint concerns the use of health data obtained by the insurance company from the data subject in the context of a hospitalisation insurance policy for other purposes without the express consent of the insured data subject. The complainant states that he has no problem with his health data being processed for the fulfilment of obligations under the hospitalisation insurance policy taken out with the defendant, but has a problem when the same health data are processed for the purposes listed in point 4.3. of the privacy notice and for the transfer to third parties as mentioned in point 9 of the same privacy notice (it concerns point 6, but the reference to point 9 is a material error) as mentioned in the defendant's privacy notice. He requests that specifically for those purposes, as well as for the transfer, the Respondent gives the data subject the choice to consent or not to the processing of his health data. 

Finally, the complainant expresses the wish to receive a data protection impact assessment from the defendant as it involves the processing of data at high risk for the data subjects. 

4. On 26 June 2019, the complaint shall be declared admissible pursuant to Sections 58 and 60 of the WOG, the complainant shall be notified thereof pursuant to Section 61 of the WOG, and the complaint shall be transferred to the Dispute Resolution Chamber pursuant to Section 62(1) of the WOG. 

5. On 23 July 2019, the Dispute Resolution Chamber shall decide, pursuant to art. 95, §1, 1° and art. 98 WOG that the file is ready for consideration on the merits. 

6. On 24 July 2019, the parties concerned were notified by registered mail of the provisions as mentioned in art. 95, §2 and in art. 98 WOG. Also, pursuant to art. 99 WOG, the parties concerned were informed of the time limits to submit their defences. The deadline for receipt of the statement of reply from the plaintiff was thereby set at 7 October 2019 and for the defendant 7 November 2019. 

7. On 29 July 2019, the Respondent shall notify the Dispute Resolution Chamber that it has taken cognisance of the complaint, shall request a copy of the file (art. 95, §2, 3° WOG) and shall electronically accept all communications concerning the case (art. 98, 1° WOG). 

8. On 30 July 2019, a copy of the case file shall be transmitted to the defendant. 

9. On 2 August 2019, the Dispute Resolution Chamber receives a letter in which the Respondent indicates that he wishes to be heard by the Dispute Resolution Chamber (art. 98, 2° WOG). 

10. On 6 September 2019, the Dispute Resolution Chamber received the response by the Respondent. Firstly, the Respondent argues that the processing of special categories of personal data, in this case health data, by healthcare insurer Y is carried out lawfully. The processing of these special categories of personal data (Article 9 AVG) is in principle prohibited. For the processing, the defendant relies on the exceptional ground of Article 9 (2) (a) AVG, the explicit consent of the data subject. Second, the defendant argues that separate consent is not necessary for each transfer of personal data. Third, according to the defendant, there is no question of asking consent for the processing of data other than health data. Finally, according to the defendant, a data protection impact assessment was not necessary in this case as it concerned already existing processing operations and not new processing operations starting after 25 May 2018. 

11. The complainant has not exercised the right to submit a reply. 

12. The Respondent is not submitting a new Opinion and on 7 November 2019 is merely providing productions in support of the Opinion submitted on 6 September 2019. 

13. On 9 January 2020, the parties are informed that the hearing will take place on 28 January 2020. 

14. On 28 January 2020, the Respondent was heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. Among other things, the Respondent answered questions put by the Dispute Resolution Chamber as to the legal basis for the processing of personal data other than health data. The debates then closed. 

15. On 29 January 2019, the record of the hearing shall be submitted to the parties. 

16. On 31 January 2020, the Respondent shall provide, as requested at the hearing, the annual turnover for the last three financial years. These amount to a turnover of between EUR 500 million and EUR 600 million for the years 2016-2018. 

17. On 6 February 2020, the Dispute Resolution Chamber receives some comments from the Respondent on the minutes, which it decides to include in its deliberations. 

18. On 25 March 2020 the Litigation Chamber informs the defendant of its intention to impose an administrative fine and the amount thereof in order to give the defendant the opportunity to defend itself before the sanction is actually imposed. 

19. On 8 May 2020, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine, as well as the amount thereof. 

The Respondent argues that the alleged infringements as set out in the Dispute Resolution Chamber's intention are entirely new and that it has not been able to defend itself in this respect. However, it is for the Dispute Resolution Chamber to find that the documents on the file irrefutably demonstrate that the Respondent was able to fully exercise his rights of defence.  

The defendant also claims to disagree with the imposition of a fine, or the intended amount of the fine. However, he does not present any (new) arguments in support of this claim. Therefore, the response of the defendant does not give the Disputes Committee 

The response of the Respondent does not give rise to an adjustment of the intention to impose an administrative fine nor to an adjustment of the amount of the fine as intended. 

20. On 14 May 2020, the Arbitration Chamber in its decision on the merits 24/2020 ruled as follows: 

- pursuant to Article 100, §1, 9° WOG, to order the Respondent to bring the processing into compliance with Articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG  

- On the basis of Article 100, §1, 13° WOG and Article 101 WOG, impose an administrative fine of EUR 50,000 for the infringements of Article 5.1 a), Article 5.2, Article 6.1, Article 12.1, Article 13.1 c) and d) and Article 13.2 b) AVG. 

21. On 17 June 2020, the Dispute Chamber received notification from the Brussels Court of Appeal of an application against the GBA lodged with the Court Registry. 

22. On 24 June 2020, the introductory hearing before the Market Court takes place, at which the time limits for the parties to conclude their cases are determined, and the case is set for oral argument at the hearing on 21 October 2020. 

On 18 November 2020, the Market Court delivers its judgment.   

The judgment1 contains the following main points concerning the assessment of the object of the application: 

1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-marktenhof.pdf  

- Annulment of the decision on the merits no. 24/2020 of 14 May 2020 of the Dispute Resolution Chamber. 

- The Market Court stated that the Respondent should have been given the opportunity - after the grievance was clearly formulated in writing - to make a written statement on the matter. The fact that the Respondent was asked at the hearing (which was mentioned in the transcript of the hearing) to make submissions on the general question of the legitimate interest invoked by the Respondent to process data other than health data and that the Respondent only made a summary reply to this without any objections does not adequately justify Decision No 24/2020 of 14 May 2020. 

23. Following the judgment, the Dispute Resolution Chamber decided on 27 November 2020 to take up the file again in order to make a new decision. The underlying consideration is that, notwithstanding the annulment of the aforementioned decision by the 

Annulment of the aforementioned decision by the Market Court judgment, the Dispute Resolution Chamber is still caught by the initial complaint lodged on 14 June 2019 as declared admissible by the First Line Service on 26 June 2019. Accordingly, the debates are reopened and new conclusion deadlines are set so that the parties can take a position on the legitimate interest invoked by the Respondent to process data other than health data.  

The parties are informed of the following time limits for the submission of oral argument:  

- the latest date for the plaintiff's reply will be set at 8 January 2021; 

- the date of the reply by the defendant shall be set at 19 February 2021; 

The date of the hearing will also be fixed, which will take place on 22 March 2021. 

24. On 27 November 2020, the Dispute Resolution Chamber received a communication from the Complainant stating that, in view of the clear arguments, it did not consider it necessary to provide additional argumentation. On the same day, the Dispute Resolution Chamber informs the Respondent that the Complainant has indicated that it will not be submitting a claim. At the request of the Respondent, the Dispute Resolution Chamber also confirms that the date initially set for the Reply by the Respondent as well as the date of the hearing will be maintained. 

25. On 19 February 2021, the claim and accompanying documents were received by the Dispute Resolution Chamber from the Respondent. In it the Respondent puts forward the following pleas in law: 

- The Respondent may rely on its legitimate interests to process personal data for purposes pursuant to Article 4.3 of its former Privacy Notice (no violation of Articles 5.1(a), 5.2, 6.1(f) and 13.1(c) and (d) T&C. 

- The Respondent may rely on an applicable legal ground for transfers to third parties pursuant to Article 6 of the former privacy notice (no violation of Articles 5.1(a), 5.2, 6.1 and 13.1(c) and (d) AVG. 

- If the defendant cannot rely on all legal grounds under Article 6.1 of the AVG for the processing purposes under Article 4.3 of the old privacy notice and onward transfers to third parties under Article 6 of the old privacy notice, this constitutes an infringement of the defendant's freedom to conduct a business. 

- The Respondent submits that a reprimand is sufficient and the administrative fine of €50,000 is disproportionate. 

26. On 22 March 2020, the parties were heard by the Dispute Resolution Chamber. The Complainant, although duly summoned, did not appear. During the hearing, the Respondent explained its defence. No other elements are introduced than those already on the file. After this, the debates are closed. 

27. On 25 March 2021, the record of the hearing shall be submitted to the parties in accordance with Article 54 of the Rules of Procedure. On 5 April 2021, the respondent shall submit to the Dispute Resolution Chamber some comments on the transcript, which the Dispute Resolution Chamber decides to include in its deliberations. 

28. On 6 April 2021, the Dispute Resolution Chamber notified the Respondent of its intention to proceed with the imposition of an administrative fine, as well as the amount thereof, in order to give the Respondent the opportunity to defend itself before the sanction is actually imposed. 

29. On 27 April 2021, the Dispute Resolution Chamber received the Respondent's response to the intention to impose an administrative fine, as well as the amount thereof. 

In summary, the Respondent states the following in its response to the intention to impose an administrative fine: 

- As regards the lack of a demonstrated legitimate interest as a legal basis for the purposes of 'staff training' and 'storage of video surveillance recordings during the statutory period', the Respondent argues that no questions were raised during the hearing as to the lawfulness, necessity or proportionality of these processing purposes.  

In this regard, the Dispute Resolution Chamber notes that the Respondent has already extensively addressed in the Conclusions the lawfulness, necessity and proportionality of all processing purposes, including those for "training of staff" and "storage of video surveillance recordings during the statutory period", so that no additional clarification on this was requested at the hearing. During a hearing, only specific questions are asked about remaining ambiguities in order to clarify them and to allow the Dispute Resolution Chamber to form an opinion. 

At the moment, the Litigation Chamber can only conclude that the Respondent's reaction to the intention to impose an administrative fine following the infringement of article 6.1 of the AVG for the purposes of "staff training" and "storage of video surveillance recordings during the statutory period" lacks a proven legitimate interest as a legal basis. 

justified interest as a legal basis, does not contain any new elements which are of a nature to change the opinion of the Dispute Resolution Chamber. 

- As regards the amount of the fine, the Respondent considers that no fine can be imposed for the allegation of processing personal data without a legitimate interest. At the very least, the defendant considers that an amount of EUR 30 000 is disproportionately high. The defendant submits that it appeared from the written conclusions and during the hearing that general training material was in principle always anonymised and that personal data of customers were processed by means of camera surveillance. The documents in the file would also not show that any personal data of the complainant would have been processed for these purposes. Therefore, the complainant (and, by extension, the respondent's other customers) would, in principle, not have suffered any personal detriment as a result of any lack of legitimate interests for the processing activities "training of staff" and "storage of video surveillance recordings during the statutory period". 

The Dispute Resolution Chamber emphasises that whether or not the person concerned suffers any personal disadvantage is not a criterion for the imposition of an administrative fine, as this is not included in Article 83.2 AVG. Therefore, in its decision below, it justifies this sanction without taking into account whether or not the complainant has suffered any personal disadvantage. The criteria for the imposition of an administrative fine are clearly laid down in article 83.2 AVG, on which the Dispute Resolution Chamber bases its decision regarding the administrative fine. 

In so far as necessary, the Dispute Resolution Chamber adds that the Complainant provided its personal data to the Respondent for processing in connection with a hospitalisation insurance scheme and the Respondent subsequently indicated, on the basis of the then current privacy notice, that it also processed the Complainant's personal data for all the purposes stated in the privacy notice. On the basis of the privacy notice given at the time, the Respondent processed the Complainant's data for each of the purposes set out in the privacy notice. This is also apparent from the conclusion underlying the present decision, in which the Respondent itself delineates the allegations arising from the complaint (see margin number 33) and the allegations under points (f), (g) and (h) are the subject of its defence. The allegations arising from the complaint and as described by the defendant itself in its conclusion, concern defects in the privacy notice that concern the complainant, as well as ipso facto any other customer of the defendant who takes out hospital insurance. Indeed, the privacy notice was not drawn up exclusively for the complainant, but for every customer of the defendant who takes out hospitalisation insurance. 

This also explains why, in its conclusion, the Respondent seeks to demonstrate the lawfulness, necessity and proportionality of all processing purposes, without any distinction as to whether or not it is a processing purpose for which personal data of the Complainant are processed. The Respondent verifies that it has a legitimate interest for all processing purposes, because for each of those processing purposes, the personal data of the Complainant were processed in accordance with the Privacy Notice in force at the time. 

- In addition, the Respondent considers that an amount of EUR 30,000 is disproportionate to the infringement.  

More specifically, with regard to the seriousness of the infringement, the Respondent disagrees with the Dispute Resolution Chamber's assertion that, merely because a breach of Articles 5 and 6 of the AVG has been established, the infringements are therefore automatically "serious" and "grave". The defendant submits that, on the one hand, those articles form the basis of virtually the whole of the AVG and, consequently, virtually any infringement of the other articles of the AVG can be reduced to an infringement of Articles 5 and 6 AVG.  

On the other hand, classifying these infringements as 'serious' and 'serious' prevents a differentiation being made with infringements that are truly serious and serious, such as, for example, the complete absence of a privacy notice. However, this is not at all the case here.  

The defendant argues that it did mention these processing purposes in its privacy notice and that it carried out, with the necessary rigour, extensive weighing of interests to ascertain whether it could invoke its legitimate interests.  

With regard to the Respondent's assertion that a breach of the fundamental principles of the AVG contained in Articles 5 and 6 AVG cannot automatically be regarded as serious and serious, the Litigation Chamber notes that Article 83.5 AVG itself provides for a more serious penalty for this breach, for which the highest maximum fine is set, precisely because it concerns fundamental principles that go to the heart of data processing. The Respondent's assertion that every breach of the AVG can be traced back to a breach of the core principles does not stand up, since the Dispute Resolution Chamber is bound by the complaint and performs its assessment against the AVG within those boundaries and therefore, contrary to what the Respondent suggests, every breach cannot be 'traced back' to breaches of the core principles. Since the object of the complaint is precisely the basic principles, the Dispute Resolution Chamber will rule in this case on the application of those principles. Where the Respondent quotes as an example that the total absence of a privacy statement would be a serious and serious breach, the Litigation Chamber states that the total absence of a privacy statement would not only be a serious and serious breach, but also a serious and serious breach. 

serious and onerous breach, but a total disregard for the AVG. However, this does not alter the fact that a defective privacy statement, such as the one at issue here, which does not respect the basic principles of the AVG, must be regarded as serious and serious.

As regards the duration of the infringement, the Respondent points out that it already amended its Privacy Statement during the initial proceedings in the beginning of 2020 and it amended its Privacy Statement again following the initial decision of the Dispute Resolution Chamber in the beginning of 2021 and this should be taken into account as an attenuating circumstance. As regards the deterrent effect, the Respondent again points to its willingness to always amend its Privacy Statement, which it has done twice in a very far-reaching manner, thus achieving the purpose of these proceedings according to the Respondent. 

The Dispute Resolution Chamber already indicated in the intention to impose an administrative fine, as well as the amount thereof, that it takes into account the efforts already made by the Respondent to bring its new privacy notice into line with the AVG, which demonstrates its willingness. On the other hand, it must be noted that, although the amendments made to the new privacy notice are a favourable element in the assessment of the administrative fine, they are not intended to undo the infringements found (see paragraph 120 above). 

The Dispute Resolution Chamber gives more detailed reasons for imposing the administrative fine in section 3 of this decision.    

It follows from the foregoing that the Respondent's response does not lead the Dispute Resolution Chamber to modify the intention to impose an administrative fine or the amount of the fine as intended. 

2. Reasons 

1. Legitimate interest 

(a) Preliminary remark 

30. It follows from the judgment of the Market Court that the Dispute Resolution Chamber in its decision 24/2020 of 14 May 2020 would have ruled without the Respondent being able to defend himself fully because the decision of the Dispute Resolution Chamber would not have been limited to the allegations that are the subject of the complaint. 

31. However, the complainant expressly states in the complaint that the customer must be given the choice of whether to consent to the processing operations listed in points 4.3 and 6, and he is not given it. Indeed, once he has given his consent to the processing of his personal data in the framework of a hospitalisation insurance policy, the data processing should, according to the complainant, be limited to the fulfilment of the obligations arising from that insurance policy. The complainant maintains that the defendant cannot process his data for any other purpose, more specifically the purposes mentioned in point 4.3 and 6 of the former privacy notice, without his consent. The complaint thus challenges the legal basis of the processing for the purposes listed in point 4.3. The Complainant considers that the purposes set out in point 4.3 require his consent and that the Respondent cannot therefore simply use the data obtained on the basis of consent in the context of hospitalisation insurance for other purposes, for which the Respondent relies on its legitimate interest. 

32. The complaint thus essentially concerns the legal basis on which the Respondent may process personal data obtained from the Complainant for the purposes listed in paragraphs 4.3 and 6 of the Respondent's former privacy notice. 

33. In the Respondent's submission before us, the allegations are listed in paragraphs (a) to (h): 

"(a) Y would obtain the consent for the processing of medical data in the context of the conclusion and performance of insurance contracts under coercion, which would render such consent invalid (violation of Articles 5(1)(a) (principle of lawfulness); 6(1)(a) and 9(2)(a) AVG) 

(b) Y should give the Complainant access to the data protection impact assessment ('DIA') which it allegedly carried out for the processing of medical data in connection with the execution of insurance contracts with its customers (breach of Articles 35 and 36 AVG) 

(c) Y should, in Articles 4.3 and 6 of the old Privacy Notice, make a better distinction between the processing of medical data on the one hand and the processing of other 'ordinary' personal data on the other (breach of Article 13(1)(c) AVG);  

d) Y should take additional measures to inform the data subjects of their right to object under Article 21(2) of the AVG (breach of Articles 12(1) and 13(2)(b) of the AVG) 

e) Y should further clarify the legal grounds for the transfer of personal data to third parties, as mentioned in Article 6 of the Privacy Statement of Y (violation of Article 13 (1) (c) AVG) 

f) Y would process personal data without a demonstrated legal basis (including its legitimate interest within the meaning of Article 6(1) AVG) for a number of purposes referred to in Article 4.3 of the ex-Y Privacy Statement and transfers to third parties referred to in Article 6 of the ex-Y Privacy Statement (breach of Articles 5(1)(a) (legality principle) and 6(1) AVG) 

g) Y is alleged not to have provided sufficient information about its legitimate interests in its previous Privacy Statement where Y invokes this legal ground (violation of Articles 5(1)(a) (transparency principle) and 13(1)(c) and (d) of the AVG) 

(h) Y is alleged, where Y invokes this legal ground, not to have sufficiently demonstrated what its legitimate interests would be and not to have demonstrated to what extent its interests would outweigh the interests and fundamental rights of the Complainant (violation of Article 5(2) AVG). 

34. The Respondent also confirms that the allegations described in paragraphs (a) to (h) arise from the Complaint by stating in the Conclusion the following: 

"Should the Dispute Resolution Chamber find that the above allegations and alleged violations of the AVG by Y (points a to h) do not arise from the complaint [...], the Dispute Resolution Chamber is invited to inform Y thereof [...]." 

35. In this respect, the Dispute Resolution Chamber notes that the allegations as currently described by the Respondent in points (a) to (h) were already raised in the complaint, and in respect of which the Respondent now indicates that they do indeed result from the complaint, but in respect of which he nevertheless did not put forward a defence in the proceedings prior to decision 24/2020 of 14 May 2020 as regards (f), (g) and (h).  

With regard to the allegations in points (a) to (e) of his conclusion, the Respondent indicates that he either had the opportunity to defend himself and was found in favour by the Dispute Resolution Chamber (this concerns allegations (a) and (b)), or did not contest the allegations and rectified them in the new privacy notice (this concerns allegations (c), (d) and (e)). As regards the established breach of Article 13.1(c) of the AVG regarding allegation (c), the breach of Article 12.1 and Article 13.2(b) of the AVG regarding allegation (d) and the 

Article 13.1(c) AVG regarding allegation under (e), the Dispute Resolution Chamber refers to the reasons for this in decision 24/2020 of 14 May 2020. 

The defence in the present conclusion only focuses on the allegations under points (f), (g) and (h). 

36. To the extent that there may have been some lack of clarity regarding the subject matter of the complaint on the part of the Respondent prior to decision 24/2020, the Dispute Resolution Chamber nevertheless gave the Respondent the opportunity to defend itself, and will consider below whether and, if so, to what extent the Respondent breached the AVG with regard to the allegations set out in points (f), (g) and (h) of its conclusion, and whether the administrative fine should be upheld. 

b) Legal basis for purposes mentioned under 4.3 of the Privacy Statement  

37. The Respondent claims to be able to rely on its legitimate interests for the processing of non-sensitive personal data for the following purposes listed under Section 4.3 of the former Privacy Notice: 

- Performing computer tests; 

- Monitoring the quality of service provision; 

- training of personnel; 

- monitoring and reporting; 

- the storage of video surveillance recordings for the statutory period; and 

- compiling statistics from encrypted data, including big data. 

38. For each of these purposes, the Respondent has carried out a balancing of interests. The Dispute Resolution Chamber below assesses the balancing of interests undertaken for each of these purposes in accordance with the established decision-making2 approach it uses in assessing the legitimate interest. 

2 See, inter alia: Decision on the merits 03/2021 of 13 January 2021; Decision on the merits 71/2020 of 30 October 2020; Decision on the merits 36/2020 of 9 July 2020; Decision on the merits 35/2020 of 30 June 2020. 

39. Pursuant to Article 6.1(f) of the AVG and the case law of the Court of Justice of the European Union, three cumulative conditions must be met in order for a 

controller may lawfully rely on that ground of law, 'namely, first, the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, second, the necessity of processing the personal data for the purposes of the legitimate interest pursued and, third, the condition that the fundamental rights and freedoms of the data subject are not prejudiced' (Rigas judgment)3.  

3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rigas regiona parvaldes Kartibas policijas parvalde v Rigas pašvaldibas SIA "Rigas satiksme", paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK t/ Asociatia de Proprietari bloc M5A-ScaraA, paragraph 40. 

40. In order to rely on the lawfulness ground of "legitimate interest" under Article 6.1(f) of the AVG, the controller must demonstrate, in other words, that:  

1) the interests it pursues with the processing can be recognised as legitimate (the "purpose test");  

2) the intended processing is necessary for the purposes of achieving those interests (the "necessity test"); and 

(3) the balance of these interests in relation to the interests, fundamental freedoms and rights of data subjects weighs in favour of the controller (the "balancing test"). 

41. With regard to the purpose of "conducting computer tests", the Respondent states the following: 

"Context of the processing purpose 

This processing purpose includes the tests performed by IT testers and developers: 

- in connection with "modifications", which are minor adjustments or in connection with purely functional aspects; and 

- in the context of any automation projects. 

These tests are carried out in the context of: 

- IT and network security; 

- the maintenance, improvement and development of (the quality of) Y products and services; or 

- the improvement of the customer experience (e.g. to make internal processes and systems more efficient for back-office activities, to improve the user experience in Y's digital channels, etc.). 

This process does not include the acceptance and emulation phase, which can only be performed by the "specialised activities" team before the changes can actually be implemented and put into production."  

42. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled. 

43. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

44. Considering the purpose of computer testing, the Dispute Resolution Chamber should note that the Respondent ensures that, where possible, dummy data or anonymised data are used (e.g. in the case of changes involving different systems or applications and requiring a unique reference, such as the policy number). Only when there is no other option, will personal data be used to realise the intended change or development. Possible possibilities for (further) restriction of data processing are constantly investigated and progressively introduced as part of the project 'data anonymisation in non-production environments'. Furthermore, strict access controls are introduced on the IT environments where the IT tests are performed. Procedures are also established for how these IT tests are to be conducted, which all stakeholders must take into account. 

45. The Dispute Resolution Chamber notes that the Respondent cites using personal data only when there is no other option. During the hearing, Y states that the tests are always performed using dummy data, but that the testing phase determines the extent to which such data can be tested. In some cases, the limits of the possibilities to do data masking have been reached. This has to do with the life cycle of the tests, namely gradually dummy data can be used in IT tests, but sometimes the processing of personal data is required in order to ensure the interaction between applications.  The Dispute Resolution Chamber considers that the Respondent has thus made it reasonably plausible that the computer systems are not always based on 

anonymised or pseudonymised data. The second condition is thus fulfilled, as it has been demonstrated that the principle of minimum data processing (Article 5.1(c) of the AVG) has been complied with. Nevertheless, the Dispute Resolution Chamber notes that for the sake of clarity vis-à-vis the customers concerned, the Respondent might consider providing in the privacy notice some succinct explanation of the case where the Respondent has no choice but to conduct computer tests with personal data. 

46. In order to assess whether the third condition of Article 6.1(f) AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the reasonable expectations of the data subject should be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "4. 

4 Recital 47 AVG. 

47. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that moment that his data will be used for computer testing. After all, the customers expect a correct execution of their insurance contracts, which goes hand in hand with secure and correct management of the IT systems. The interest of the customers thus requires that the functionalities of the IT environment be tested for this purpose. 

48. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) of the AVG for processing for the purpose of "computer testing". 

49. With regard to the purpose of "monitoring the quality of service" and "compiling statistics from coded data, including big data", the Respondent states that this comprises three elements and provides as follows: 

- For the part "Statistics and quality testing" 

"Context of the processing purpose 

Y, as an insurer, is subject to prudential supervision. This includes the duty to exercise overall control over its business and its performance, including, but not limited to, the monitoring of sales performance, the performance and remuneration of certain hospital networks and cover/refunds. This relates to the overall control of the quality of the services and the performance of the insurance undertaking to ensure its continuity. This processing purpose includes both one-off and recurring reports, which may or may not involve the use of big data methodologies. These reports are mainly aggregated or anonymised, unless specific statistics are required (by category, such as by age group)." 

50. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) of the AVG is fulfilled. 

51. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

52. The Dispute Resolution Chamber notes that the Respondent only justifies that it is necessary for it to compile statistics and conduct quality tests, as financial viability, quality of service, premium setting and performance cannot be determined without actively measuring them. The Dispute Resolution Chamber does not in any way disregard the need for the Respondent to have statistics and quality tests, but the Respondent limits itself to stating that mainly aggregated or anonymised reports are prepared unless specific statistics are required (by category such as e.g. by age group). Moreover, the Respondent states that big data methodologies may or may not be used to produce such reports.  

53. To what extent the statistics still contain personal data or allow for the re-identification of a data subject, is further explained during the hearing. The respondent states that there are still very few statistics that contain personal data. The 

In any event, the statistics do not contain names and certainly not health data. The statistics do contain codes, but these are aggregated, segmented data in the mass. 

Also, the Directive (EU) 2016/97 on insurance distribution5 and the Belgian implementing legislation of this directive require the processing of certain personal data for specific reporting. Sometimes policy data is processed in the reporting, but this does not result in further processing in the statistics. Each report has a purpose and the processing may not exceed this purpose. A register is kept of those reports and their purpose, which are strictly regulated via the data warehouse and require approvals to deviate from it.  

5 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), OJ L 26/19. 

54. The Dispute Resolution Chamber concludes that the Respondent has made the necessary efforts to limit the data processing for this purpose to what is strictly necessary. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG). 

55. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it should be evaluated whether 'the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose'. 

56. The Dispute Resolution Chamber follows the Respondent's view that if an individual enters into an insurance contract with Y, that individual can reasonably expect Y to implement internal controls and compile statistics to ensure that Y can meet its contractual obligations. 

57. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "Statistics and Quality Requirements". 

- For the section on "Satisfaction Surveys" 

"Context of the processing purpose 

This processing purpose includes determining the NPS ("Net Promoter Score"), the customer satisfaction factor, by means of an external survey carried out by a third party in order to safeguard the anonymity of the survey. This factor is calculated with regard to the follow-up by the Y Contact Centre and the claims department (claims handling). 

58. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered to be carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled. 

59. In order to fulfil the second condition, it should be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

60. Starting from the purpose of conducting satisfaction surveys, the Dispute Resolution Chamber should establish that the Respondent allows customers to express an opinion anonymously through this survey and thus to assert their interests. The results are aggregated and processed by an external company so that the anonymity of those involved can be preserved. During the hearing, it was added that customers always have the choice of whether or not to participate in the survey, since they always have the right to object. The Panel finds that customers thus have the necessary freedom of choice, and that the results of those who participate in the survey are made available to the respondent in anonymous form. 

The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5(1)(c) of the AVG). 

61. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. In particular, it must be evaluated whether the "data subject 

at the time and in the context of the collection of the personal data, the data subject may reasonably expect that processing can take place for that purpose "6. 

6 Recital 47 AVG. 

62. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used by the defendant to gauge his satisfaction with the defendant's service. 

63. Consequently, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "conducting satisfaction surveys". 

- For the section on 'Quality assurance tests on operations 

"Context of the processing purpose 

This processing purpose relates to the general monitoring of the quality of the operational services and the performance of Y . This concerns quality checks whereby each employee concerned must carry out 2 random checks per week on the correct underwriting or execution of the insurance contract and applicable instructions and procedures for this purpose." 

64. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber is of the opinion that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled. 

65. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question must be asked whether the same result can be achieved by other means without processing personal data or without processing that is unnecessarily intrusive for the data subjects.

66. In view of the purpose, being the general monitoring of the quality of Y's operational services and performance, the Litigation Chamber should note that the Respondent asserts that Y is subject to the Insurance Distribution Directive (EU) 2016/97 and the Belgian implementing legislation which require insurance companies to tailor their services to the desires and needs of their customers. As indicated during the hearing, the Respondent does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and scope of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). The processing of personal data is necessary in order to actively measure the quality of the service. 

67. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "7. 

7 Recital 47 AVG. 

68. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for carrying out internal quality controls in order to ensure that Y can comply with its legal and contractual obligations. 

69. Accordingly, the Dispute Resolution Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of 'quality checks operations'. 

70. With regard to the purpose of "training of personnel", the Respondent states the following: 

"Context of the processing purpose 

This includes the organisation and follow-up of training, awareness sessions and courses for Y employees who come into contact with (personal data of) customers. Trainings include 

- technical aspects (e.g. with regard to Y products); 

- technical aspects (e.g. the use of Office 365 applications, information security training, etc.) 

- On the job training (training for new employees as well as training with the aim to continuously improve the quality of service); and 

- More general aspects such as compliance topics (e.g. AVG, IDD, etc.). 

71. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6.1(f) AVG is fulfilled. 

72. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

73. Starting from the purpose of training staff, the Dispute Resolution Chamber should note that the Respondent submits that in exceptional cases the cases used for training contain personal data of customers, or personal data of customers are used for the preparation of the training material. However, the Respondent states that the underlying material (case studies) is generally fully anonymised. 

74. The Dispute Resolution Chamber notes that the Respondent cites that, in the context of training, cases contain personal data of customers only in exceptional cases or personal data of customers are used for the preparation of the training material. However, the Respondent fails to clarify in which cases it would be required to provide training to staff using customers' personal data. The defendant does not make it reasonably plausible that staff training could not always be provided on the basis of anonymised data. The second 

condition is thus not met, as it has not been demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) is complied with. 

75. In order to verify whether the third condition of Article 6.1(f) of the AVG - the so-called 'balancing test' between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 of the AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "8. 

8 Recital 47 AVG. 

76. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for staff training. A policy holder can only expect normal management of his customer file, which only requires access to the information contained therein by the personnel who have to carry out tasks for the benefit of the customer concerned. When, in the context of training, information from actual files is shared, the processing of that information is not limited to those who have to perform tasks in the file concerned. 

77. Consequently, the Litigation Chamber concludes that the Respondent cannot rely on the legal ground of 'legitimate interest' for processing for the purpose of 'staff training' and therefore there is an infringement of Article 6.1(f) of the AVG. The Dispute Resolution Chamber additionally notes that if the Respondent nevertheless wishes to use customers' personal data for the purpose of training staff, it may rely on another legal ground, namely consent (Article 6.1(a) AVG). 

78. With regard to the purpose of "monitoring and reporting", the Respondent states the following: 

"Context of the processing purpose 

This processing purpose includes, inter alia, the production of reports for auditing purposes in the context of: 

- IFRS 17 accounting standards for insurance contracts and Belgian generally accepted accounting principles ("Belgian GAAP") 

- calculating reserves (within the framework of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act), etc.); or 

- profitability monitoring or reports in the context of large claims. 

These reports are made both for internal control purposes and for reporting to the Y1 Re group (of which Y is part). This includes both recurring reports and one-off ad hoc reports. Only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are made in the context of large claims or ad hoc reports relating to specific cases or outliers. 

79. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the context of the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest pursued by the Respondent as a data controller can in itself be regarded as legitimate, in accordance with recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled. 

80. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

81. Based on the purpose of monitoring and reporting, the Litigation Chamber finds that the Respondent asserts that the various general financial and insurance law regulations (in the context of, for example, the Act of 13 March 2016 on the status and supervision of insurance or reinsurance undertakings (Solvency II Act)) cannot be complied with without drawing up the necessary reports or carrying out monitoring. As indicated during the hearing, the Respondent also does not rely on its legal obligation (Article 6.1(c) of the AVG) as a legal basis for the processing, as the nature and extent of the reporting is not explicitly required as such by law. Hence, for those processing operations, the defendant claims its 'legitimate interest under that law' as the legal basis. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1. c) of the AVG). Indeed, the processing of personal data is necessary since compliance with the legislation cannot be achieved without the necessary reports or monitoring. 

82. The Respondent adds that only fully aggregated, anonymised, or if not otherwise possible pseudonymised reports are prepared in the context of large claims or ad hoc reports relating to specific cases or outliers. The second condition is thus fulfilled by demonstrating compliance with the principle of minimum data processing (Article 5.1(c) of the AVG). 

83. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other - can be met, the reasonable expectations of the data subject must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "9. 

9 Recital 47 AVG. 

84. The Dispute Resolution Chamber considers that in the case of collection of personal data in the context of taking out insurance, it can be assumed that the policyholder can reasonably expect at that time that his data will be used for the fulfilment of the legal and contractual obligations of the defendant. 

85. Consequently, the Litigation Chamber concludes that the Respondent may rely on the legal basis contained in Article 6.1(f) AVG for processing for the purpose of "monitoring and reporting". 

86. With regard to the purpose "storage of video surveillance recordings for the statutory period", the Respondent states the following: 

"Context of the processing purpose 

It concerns the processing of personal data by means of the cameras located within the premises of Y for the purpose of safeguarding customer security, data security and the protection of the company's assets." 

87. As regards the first condition (the so-called "purpose test"), the Dispute Resolution Chamber considers that the processing purpose as described by the Respondent must be considered as carried out in view of a legitimate interest. The interest that the 

Respondent pursued as a data controller can in itself be considered justified pursuant to recital 47 of the AVG. Consequently, the first condition contained in Article 6(1)(f) AVG is fulfilled. 

88. In order to comply with the second condition, it must be demonstrated that the processing is necessary for the realisation of the purposes pursued. This means, in particular, that the question should be asked whether the same result could be achieved by other means without processing personal data or without processing that would be unnecessarily intrusive for the data subjects. 

89. Starting from the purpose of providing video surveillance, the Dispute Resolution Chamber should note that the Respondent asserts that the images are stored in a secure environment. Both the room and the IT servers involved are subject to strict access security measures. Access to the images is subject to strict procedures. Storage of the images is also limited to the legal retention period (in principle 30 days). 

90. The second condition is thus fulfilled as it was demonstrated that the principle of minimum data processing (Article 5(1)(c) of the AVG) was complied with. 

91. In order to verify whether the third condition of Article 6.1(f) AVG - the so-called "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and rights of the data subject on the other hand - can be met, the data subject's reasonable expectations must be taken into account in accordance with recital 47 AVG. More specifically, it should be evaluated whether "the data subject may reasonably expect, at the time and in the context of the collection of personal data, that processing may take place for that purpose "10. 

10 Recital 47 AVG. 

92. The Dispute Resolution Chamber is of the opinion that when personal data are collected in the context of taking out an insurance policy, it cannot be assumed that the policyholder can reasonably expect at that time that his data will be used for video surveillance. The purpose of video surveillance is not related to the conclusion of an insurance contract, so that the policyholder cannot expect that his personal data provided in connection with an insurance contract will be used for video surveillance purposes. Video surveillance only takes place when the defendant's premises are physically entered, and then it is sufficient 

compliance with the camera law, including the obligation to display a pictogram with information to inform the person concerned. 

93. Consequently, the Dispute Resolution Chamber concludes that the Respondent cannot rely on the legal basis 'legitimate interest' for processing for the purpose of 'storage of video surveillance recordings during the statutory period' and thus there is an infringement of Article 6.1(f) of the AVG.  

94. For the sake of completeness, the Litigation Chamber adds that if a controller wishes to use surveillance cameras, it must then comply with its legal obligations under the Act of 21 March 2007 regulating the installation and use of surveillance cameras. As soon as a controller makes use of surveillance cameras, data processing obligations flow from that law, so that the controller can rely on Article 6(1)(c) AVG. In this regard, the Respondent stated during the hearing that the necessary pictograms have been affixed in accordance with this law. 

c) Model balancing of interests 

95. For each of the aforementioned purposes, the Respondent argues that the processing purpose is permissible because the quantitative score calculated by the balancing of interests model used by Y is below 30. The Respondent submits that on the basis of that model, the processing purposes may be supported by the legitimate interests of the controller to the extent that this score does not exceed 30. 

96. In this respect the Litigation Chamber notes that the model used by Y is a purely internal instrument which, at most, can serve as a guideline within the company, but from which no legal arguments can be drawn in order to pass the test against the legal basis of Article 6.1(f) of the AVG. Thus, no legal value can be attached to the scores calculated on the basis of that model. 

d) All legal grounds contained in Article 6.1 AVG 

97. The Respondent believes that the Dispute Resolution Chamber would have stated in its Decision 24/2020 that it can only rely on consent as a legal ground (Article 6.1(a) AVG) for the 

processing purposes listed in section 4.3. of the old Privacy Notice and not on the other legal grounds of Article 6.1 AVG. 

98. The Litigation Chamber explains that in this regard the following was stated in the decision 24/2020: 

"The Litigation Chamber therefore considers that the breach of Art. 6.1. AVG has been proven, as the data processing for the purposes set out in sections 1, 2, 3 4, 6 and 7 of point 4.3. of the Privacy Statement, without any demonstrated legitimate interest, must be based on the consent of the complainant in the absence of any other possibly applicable legal ground in Art. 6.1. AVG." 

99. From this the defendant infers, albeit incorrectly, that the Dispute Resolution Chamber has given consent as the sole legal basis for the purposes set out therein. However, the Respondent ignores the fact that the Dispute Resolution Chamber reaches that decision precisely because the Respondent fails to demonstrate any legitimate interest and thus fails to demonstrate that the applicable conditions are met to rely on this legal basis in Article 6.1(f) AVG. Indeed, the Litigation Chamber expressly stated in its decision that the Respondent did not demonstrate in any way what its legitimate interest would be and also failed to demonstrate to what extent its interest would outweigh the interests and fundamental rights of the Complainant, although the Respondent is obliged to do so on the basis of its accountability obligation (Article 5.2 AVG). Thus, the Dispute Resolution Chamber could not retain Article 6.1(f) AVG as a valid legal basis. Based on the factual elements that led to decision 24/2020, the only remaining legal ground was consent.  

The Litigation Chamber emphasises that any controller, including thus also the Respondent, may rely on any possible legal ground under Article 6.1 AVG, but that the applicable conditions for the legal ground relied upon must be met.  

2. Legal ground for transfers to third parties 

101. First, the defendant claims that a transfer to third parties is not a processing purpose in itself, but is a mere form of processing personal data within the meaning of Article 4.2 AVG. The Respondent argues that it only makes considerations of interests per processing purpose, but not per processing. 

102. The Dispute Resolution Chamber states that it follows from Article 5.1(a) AVG that personal data must be processed for a specified purpose and that such processing must be lawful within the meaning of Article 6.1 AVG. It is therefore clear that any processing must take place within the framework of a well-defined, explicit and legitimate purpose and that this processing must be based on a legal basis in order to be considered lawful. It is, of course, possible to carry out several processing operations for the same purpose within the meaning of Article 4.2 of the AVG, but this does not alter the fact that data processing for a certain purpose can only be regarded as lawful if there is a legal basis for doing so. 

103. The Litigation Chamber notes that, for each transfer to a third party, the purpose for which the transfer is made must be determined. In order to verify whether the transfer to a third party can be considered lawful, the purpose of the transfer to a third party must be determined. 

104. As the Respondent rightly points out, the legal basis for the transfer to processors (which are, however, not third parties within the meaning of Article 4(10) of the AVG) is the same as for the data processing by the Respondent itself. Indeed, the purpose of processing remains unchanged, as the processor processes the personal data only for the benefit of the defendant as controller. 

105. If the personal data are transferred to a third party within the meaning of Article 4. 10) AVG for the purpose of enabling that third party to process the personal data in question for its own purposes, then that transfer should be considered in isolation for that specific purpose and requires a separate legal basis. For the sake of transparency, the processing basis for all transfers should be stated in the privacy notice in order for the defendant to comply with its obligation under Article 13(1)(c) of the AVG. However, this is not the case, which is why the Dispute Resolution Chamber is of the opinion that there has been a violation of Article 13.1(c) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG. 

3. Principle of Transparency 

106. Notwithstanding the fact that Article 13.1(d) AVG requires the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f), the Respondent maintains that this is sufficient for the purposes of the Privacy Notice referred to in 4.3 above, as well as for the transfers referred to in 6 of the 

privacy statement which are based on Article 6(1)(f) of the AVG, it is sufficient to state that personal data are processed based on the legitimate interest of the defendant, without explaining what exactly this legitimate interest would consist of. 

107. The Respondent submits that the balancing of interests concerns internal documents which have not been made public by Y or included in its Privacy Statement, given the business-sensitive information they contain. Moreover, these are voluminous, rather privacy-related documents that are typically not included in a Privacy Statement. 

108. For transfers to "the companies of the group Y1 Re to which Y belongs, for monitoring and reporting purposes", the Respondent confirms that it is a transfer to another controller, mentions its legitimate interest in its conclusion under the processing purpose "monitoring and reporting", but fails to clarify its legitimate interest in the Privacy Statement. 

109. Furthermore, the Respondent also refers to recital 48 of the AVG which provides that controllers which are part of a group of companies or a group of institutions affiliated to a central body may have a legitimate interest in the transmission of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees. 

110. The Dispute Resolution Chamber acknowledges that recital 48 applies to the Respondent, but this does not prevent the Respondent from being transparent on this issue in its privacy notice and also in such a case from indicating the legal basis and making clear what its legitimate interest consists in, which is not the case in the old privacy notice. 

111. As regards the transfer to "subcontractors in the European Union or outside, responsible for processing activities defined by Y", the Respondent argues that they are processors of Y . 

112. The Litigation Chamber therefore repeats the reasoning in this regard from its decision 24/2020 to conclude a breach of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG. The privacy declaration merely states that personal data are processed for the purposes set out in 4.3 on the basis of the legitimate interest of the defendant, without indicating what exactly this legitimate interest would be, whereas Art. 13.1(d) AVG does require that the processing of personal data be based on the legitimate interest of the defendant. AVG does require the controller to provide the data subject with information regarding his legitimate interests if the processing is based on Article 6(1)(f). 

113.  The Dispute Resolution Chamber also refers to the European Data Protection Board (EDPB) Guidelines on transparency under Regulation (EU) 2016/67911, which emphasise that the specific interest in question must be identified for the benefit of the data subject. 

11 EDPB, Guidelines of the Article 29 Data Protection Working Party on Transparency under Regulation (EU) 2016/679, adopted on 29 November 2017, last revised and adopted on 11 April 2018, p. 42. 
116. As the Respondent points out, it is not prepared to apply the aforementioned best practice because, in its view, the documents in question are internal privacy documents containing business-sensitive information.  

117. The Dispute Resolution Chamber states that even if the Respondent refuses to follow this best practice, it is at least obliged under Article 12.1 AVG to provide the data subject with information on its legitimate interest for each of the purposes for which it invokes that legal basis in a concise, transparent, intelligible and easily accessible form and in clear and simple language. In order to comply with this, it is by no means required that privacy technical documents would be disclosed, but it is required that information regarding the legitimate interest is provided in clear language that can be easily understood by a (potential) customer of the defendant 

118. The Litigation Chamber finds that the information required by Article 13.1(d) AVG has not been made available by the Respondent in any way, so that the breach of Article 13.1(d) AVG in conjunction with Article 5.1(a) AVG and Article 5.2 AVG has been established.  

4. Administrative fine 

119. The fact that the Respondent did commit the infringements of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG leads the Dispute Resolution Chamber to uphold the administrative fine. This sanction is not intended to put an end to a violation that has been committed, but to ensure vigorous enforcement of the rules of the AVG. After all, as is clear from recital 148 of the AVG, the AVG stipulates that in the event of any serious breach - i.e. even if the breach is detected for the first time - sanctions, including administrative fines, shall be imposed in addition to or as an alternative to appropriate measures.13 In the following, the Dispute Resolution Chamber demonstrates that the infringements committed by the Respondent of Articles 5.1(a), 5.2, 6.1, 12.1, 13.1(c) and (d) and 13.2(b) AVG are by no means minor infringements, nor that the fine would cause a disproportionate burden to a natural person as referred to in recital 148 AVG, whereby a fine may be waived in either case. The fact that it is a first finding of an infringement committed by the defendant is not sufficient to justify the imposition of a fine. 

13 Recital 148 states: "In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or as an alternative to any appropriate measures imposed by the supervisory authorities under this Regulation. Where the infringement is minor or where the likely fine would impose a disproportionate burden on a natural person, a reprimand may be substituted for a fine. However, account should be taken of the nature, seriousness and duration of the breach, of the intentionality of the breach, of measures to mitigate damages, of the degree of responsibility or of previous relevant breaches, of how the breach came to the attention of the supervisory authority, of compliance with measures taken against the controller or processor, of adherence to a code of conduct and of any other aggravating or mitigating factors. The imposition of sanctions, including administrative pecuniary sanctions, should be subject to appropriate procedural safeguards in line with general principles of Union law and the Charter, including effective remedy and fair trial. own emphasis] 

As regards the AVG, this does not in any way affect the ability of the Dispute Resolution Chamber to impose an administrative fine. The Dispute Resolution Chamber shall impose the administrative fine in application of Article 58.2(i) AVG.  

120. The Litigation Chamber again emphasises that the instrument of an administrative fine is in no way intended to terminate infringements. To this end, the AVG and the WOG provide for a number of corrective measures, including the orders mentioned in Article 100, §1, 8° and 9° WOG. It further emphasises that the administrative fine is one of the sanctions provided for in Article 58.2 AVG and Article 100 WOG. Neither EU law nor national Belgian law establish a hierarchy with regard to the sanctions to be imposed. As an organ of an independent data protection authority as provided for in Section 51 of the AVG, the Litigation Chamber is free to choose the most appropriate sanction. The Litigation Chamber considers that, in view of the controller's duty of accountability, the imposition of an administrative fine for a breach of the AVG could be expected.14  
12 See paragraph 35 of the Guidelines referred to in footnote 6. 

114. Also with regard to point 6. of the Privacy Notice, the Respondent does not indicate what would be its legitimate interest, invoked by it, to process personal data of the Complainant for the purpose of transfer to "The companies of the Y1 RE group to which Y belongs, for monitoring and reporting purposes" and "Subcontractors in the European Union or beyond, responsible for processing activities defined by Y". However, Art. 13.1. d) AVG does require the controller to provide the data subject with information regarding his or her legitimate interests if the processing is based on Article 6(1)(f). In this regard, the Litigation Chamber refers again to the Guidelines on Transparency pursuant to Regulation (EU) 2016/679 and the above.  

115. The Dispute Resolution Chamber stated in its decision 24/2020 that as a best practice, the controller may also, before collecting personal data from the data subject, provide the data subject with information on the consideration to be given to Article 6(1)(f) as the legal basis for the processing. To avoid information fatigue, this information could be included in a layered privacy notice.12 The information provided to data subjects should make clear that these data subjects may receive information on the balancing exercise upon request. This is essential for effective transparency when data subjects have doubts about the fairness of the assessment made or wish to lodge a complaint with a supervisory authority. 

14 On the competence of the Dispute Chamber to impose an administrative fine, see also decision no. 55/2021 of 26 April 2021, available in French on the website of the GBA.   

15 Brussels Court of Appeal (Market Court section), Judgment 2020/1471 of 19 February 2020. 

121. Taking into account Article 83 AVG and the jurisprudence15 of the Markets Court, the Dispute Resolution Chamber motivates the imposition of an administrative sanction in concrete terms: - The seriousness of the breach: the reasoning below shows the seriousness of the breach.  

- The duration of the breach: the breaches are assessed with regard to this aspect in the light of the date on which the AVG became applicable, namely 25 May 2018. The Respondent's privacy notice appears to have remained unchanged since the AVG became applicable until a new privacy notice was drafted in response to the complaint. However, the new privacy statement is not the subject of the Dispute Resolution Chamber's assessment, so it does not express an opinion on the extent to which the new privacy statement complies with the AVG. 

- The necessary deterrent effect to prevent further breaches 

122. As regards the nature and seriousness of the breach (Article 83.2(a) AVG), the Litigation Chamber emphasises that compliance with the principles laid down in Article 5 AVG - in this case, in particular, the principle of transparency including accountability, as well as the principle of legality - is essential, as these are fundamental principles of data protection. The Litigation Chamber considers that the defendant's infringement of the principle of legality 

The Dispute Settlement Chamber therefore considers that the Respondent's breach of the principle of lawfulness set out in Article 6 of the AVG and of the principle of transparency set out in specific terms in Articles 12 and 13 of the AVG constitutes a serious breach.  

123. An important element in determining the amount of the fine is the fact that the Defendant does not contest the following infringements as substantiated in Decision 24/2020 and, as a result, has already made efforts to bring the new privacy notice into line with the AVG in these respects  

- Infringement of Article 12.1 and 13.2 b) of the Privacy Act by not mentioning in the privacy declaration the possibility for the person concerned to exercise his/her right of retention. 

- Infringement of Article 13(1)(c) AVG for failure to state the legal basis for the transfer to each of the different categories of third parties in point 6. of the privacy statement. 

124. Although the amendments made to the new Privacy Notice are a favourable element in the assessment of the administrative fine, the Litigation Chamber emphasises that they are not intended to undo the breaches found. The infringements were found and cannot be retroactively reversed by the controller bringing its data processing into compliance with the requirements of the AVG, albeit too late. 

125. In addition, infringements are also identified in the present decision:  - Infringement of Article 6.1 AVG as regards the purposes of 'training of staff' and 'storage of video surveillance recordings during the statutory period'.  

- Infringement of Article 13(1)(c) of the AVG in conjunction with Article 5(1)(a) of the AVG and Article 5(2) of the AVG. 

- Infringement of Article 13.1 d) AVG in conjunction with Article 5.1 a) AVG and Article 5.2 AVG. 

Furthermore, the Dispute Resolution Chamber also takes into account the finding that the violation of Article 6.1 AVG is limited to two processing purposes "the training of staff" and "the storage of video surveillance recordings during the statutory period" and is therefore of a nature to justify a reduction in the amount of the fine. In addition, the breaches of the principle of transparency and accountability that have been established are of such gravity 

that a substantial fine is appropriate. This is all the more true in view of the large scale of the defendant's processing of data other than health data with a decisive impact on all insured persons who have taken out hospital insurance with Y, which is a considerable number of persons concerned. A decisive element in this respect is also the fact that Y is a major player in the insurance market which may be expected to align its privacy policy with the AVG with due diligence. 

126. As regards the lack of transparency, the Litigation Chamber also points out that the AVG precisely provided for a transitional period of 2 years16 in order to give every controller the necessary time to prepare for and adapt to the requirements set by the AVG. Therefore, the Respondent's argument during the hearing that the changes made by the AVG to the previous Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data are at the root of the lack of transparency cannot be accepted. The defendant argues that Articles 13 and 14 AVG, in conjunction with Article 12 AVG, and the precise manner in which they are interpreted caused the difficulty. The transparency guidelines of the Group 29 (now EDPB) were an aid. Again, the Dispute Resolution Chamber should note that those Guidelines already date from 29 November 2017, were revised and adopted on 11 April 2018 and have remained unchanged since then. The Respondent thus had sufficient time, as required by its accountability obligation (Article 5.2 AVG), to align its privacy statement with the AVG. 

16 Article 99 AVG 

127. This leads the Dispute Resolution Chamber to reconsider the fine and reduce it to €30,000. 

128. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in Section 83 AVG, taking into account the assessment criteria set out therein. The Litigation Chamber points out that the other criteria of art. 83.2. AVG in this case are not such as to result in an administrative fine other than that determined by the Dispute Resolution Chamber for the purposes of this decision. 

5. Publication of the decision 

129. In view of the importance of transparency regarding the Dispute Resolution Chamber's decision, this decision is published on the GBA's website. However, it is not necessary for the identification details of the parties to be published directly for this purpose. 

FOR THESE REASONS, 

the Data Protection Authority's Dispute Resolution Chamber, after deliberation, decides to reverse its decision 24/2020 of 14 May 2020 and to impose an administrative fine of €30,000 on the Respondent, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, for violations of articles 5.1 a), 5.2, 6.1, 12.1, 13.1 c) and d) and 13.2 b) AVG. 

This decision may be appealed pursuant to Article 108 § 1 WOG within a period of thirty days from the notification to the Market Court, with the Data Protection Authority as defendant. 

(Get).Hielke Hijmans 

President of the Litigation Chamber