APD/GBA (Belgium) - 57/2023

From GDPRhub
Revision as of 12:58, 29 May 2023 by Kv33 (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=57/2023 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-57-2023.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Orig...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 57/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 13(1)(c) GDPR
Article 13(2)(a) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 07.04.2022
Decided: 17.05.2023
Published:
Fine: 40,000 EUR
Parties: n/a
National Case Number/Name: 57/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: kv33

The Belgian DPA fined a professional content creator €40,000 for inadequately responding to an access request. The controller had refused to provide copies of recorded phone conversations between the controller and the data subject.

English Summary

Facts

On 18 August 2021 (26), the data subject signed two contract with the controller to develop a website and create promotional videos. To discuss the details, the data subject and the controller had a few conversations over the phone, which were recorded by the controller without the data subject’s knowledge (according to the data subject) The controller did this to record the data subject’s requirements and specific wishes for both the website and the promotional video’s.

Since 2021, the controller and the data subject started having disagreements regarding the signed contract. Following this, the data subject exercised his right to access (Article 15 GDPR) multiple times regarding the recorded telephone conversations. The last request was done on 21 March 2022. (46) The controller refused to provide a copy of the telephone conversations but invited the data subject to the controller’s office to listen to the phone conversations there.

On 7 April 2022, the data subject filed a complaint at the DPA. According to the data subject, the phone conversations were illegally recorded and his right of access was ignored. (1) On 29 June 2022, The investigation service of the DPA finished its investigation and determined several violations of the GDPR.

The controller clarified its position at different moments during the procedure. It stated that its legal basis for recording the telephone conversations was Article 6(1)(b) GDRP. The recordings were necessary for the contract itself and for the quality of the controller’s services. (21). The controller also stated that it did not obstruct the data subject’s right to access, since it had invited the data subject to listen to the recordings at the controller’s office. It also stated that it was not obligated to provide a copy of the recordings, since the right to a copy was not absolute pursuant to Article 15(4) GDPR. ( ) It also did not want to provide a copy to the data subject in order to its employees from unhappy customers. The controller stated that the right of its employees prevailed against the right of access of the data subject. (57) The controller also stated that the data subject merely wanted these phone recording to start a civil procedure against the controller. (58) The controller also did not want to provide the conversations because these could make it possible to get information about the controller’s methods, knowhow and trade secrets, since these phone conversations were very detailed and focussed on the specific demands of the customers. (60) The controller also stated that it had informed the data subject in a GDPR complaint manner about the fact that the phone conversations would be recorded. (74)

Holding

First, the DPA assessed the claimed legal basis of the controller, Article 6(1)(b) GDPR. According to the DPA, there needed to be a ‘direct and objective’ connection between the processing of personal data and the goal of the contract. (27) Without explicitly confirming this, the DPA implied that this was the case. The DPA also agreed with the controller that the phone recordings were necessary for the performance of the contract. Among other reasons, the DPA stated that it was efficient to record the preferences of its customer. It also stated that phone conversations were more efficient that e-mail. There was therefore no violation of Article 5(1)(a) and Article 6(1) GDPR. (28 – 29)

Second, The DPA determined if the controller obstructed the data subject’s right to access. The DPA stated that the right of access is a gateway to other rights. (42) The right to a copy should not be treated as an additional right, but as a way to get access to the all personal data, so not only a copy. The DPA stated that it was in most cases also not enough to comply with the purposes of the right to access when the data subject only had temporary access to the personal data. (47) The DPA also assessed the question in which form the access should be granted. In this case, the controller should have provided a copy of the transcripts tot the data subject, since the sound of his voice was also personal data and could not be provided in transcripts. (49) The DPA explicitly referred to Österreichische Datenschutzbehörde (50). The DPA agreed with the controller that the right to a acces and the right to a copy was not absolute, looking at recital 4 GDPR and Article 52 ECFR. The DPA referred to the EDPB Guidelines and stated that the right to access should be weighted against other fundamental rights in three steps: It should be determined if there are any negative effects when the right of access is granted. Then, the interests of all parties should be assessed, looking at the circumstances and the risks involved. The controller should try to reconcile the interests of all parties When this is deemed impossible, the controller should decide which interest should prevail. (54)

The DPA held that the controller failed to satisfy the second step, since the controller did not try to find a way to reconcile the interests of both parties. The DPA also concluded that the controller did not satisfy the third step. The rights of the controller’s employees did not prevail against the rights of data subjects, since any personal data of employees in the recorded phone conversations would be limited, such as voice and name. The phone conversation was also recorded when the employees were doing their jobs. The DPA therefore concluded that the access should not have been frustrated by the controller for this reason. (57)

Third, the controller assessed another reason of the controller for not providing access, which was the fact that the data subject wanted to start a civil procedure according to the controller. The DPA stated that the data subject’s reason for wanting access should not be considered a condition for exercising this right. The controller should only determine The DPA therefore also rejected this argument. (58 – 59)

Fourth, the DPA assessed the controller’s argument about not wanting to disclose any knowhow or trade secrets. The DPA referred to recital 63 GDPR and stated that the GDPR what a ‘trade secret’ actually was, and therefore looked at the definition in Belgian Law (Artikel I.17/1 WER). (61) The DPA concluded that the phone recordings did not qualify to be considered ‘ trade secrets’ according to the conditions of this Belgian Law. (62 – 63)

Considering the above four points, the DPA held that the controller violated Article 12(2) and 15 GDPR because the controller did respond adequately to the access request.

Fifth, the DPA held that the controller violated Articles 5(1)(a), 12(1), 12(2) 13(1)(c) and 13(2)(a) GDPR by not providing adequate information to the data subject about the phone recordings. ( ) The DPA stated that both the agreements signed by the data subject and the controller included a provision in which it was stated that phone conversations for the performance of the contract. The possibility of phone recordings was also mentioned in the privacy policy of the controller. (78) However, the DPA determined that the controller did not provide all the necessary information. Among other things, the controller did not provide adequate information, in both the contract and the privacy policy, about the legal bases, the purposes of the processing , as required by Article 13(1) and 13(2) GDPR. (79) , and the storage limitations, as required by Article 13(2)(a) GDPR.

Sixth, the DPA held that the controller violated Articles 5(2), 24(1) and 25 GDPR because the controller had not been able to provide evidence that it had deployed sufficient technical and organisational measure to comply with articles 12(2), 15 AVG, 12(1), 13(1)(c) and 13(2)(a) GDPR.

After considering multiple

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/33




                                                                           Litigation room


                                         Decision on the substance57/2023 of 17 May 2023



File number : DOS-2022-01721


Subject: Complaint regarding refusal of access to sound recordings



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs. Jelle Stassijns and Frank De Smet, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;

Having regard to the rules of internal order, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Having regard to the documents in the file;


Made the following decision regarding:



The complainant: Mr. X, represented by Mr. Arne Saerens and Mr. Peter Van

                   Aerschot, both with offices at 8200 Bruges, Lieven Bauwensstraat
                   20, hereinafter “the complainant”;



The Defendant: Y, represented by MrBenjaminDocquir and Mr. MargoCornette, both

                   having its office at Marsveldplein 5, 1050 Brussels, hereinafter referred to as “the defendant”. Decision on the substance 57/2023 – 2/33


I. Factual Procedure


 1. On 7 April 2022, the complainant submits a complaint to the Data Protection Authority against

       defendant.

       The complainant has concluded two agreements with the defendant whereby the defendant

       would be responsible for developing a website (“…”) and company videos (“…”) for the

       complainant, collectively referred to as "the Agreements". Under these agreements

       telephone conversations took place regarding the functional development and design of
       this website and videos. Such telephone conversations were recorded by the

       defendant with a view to the proper implementation of the complainant's wishes in the framework

       of the agreement. However, the complainant claims that he was not aware of this

       recordings. Since 2021, there has been a dispute between the complainant and the defendant regarding the

       performance of the agreement. In this context, the complainant has the right to inspect

       with regard to telephone recordings. The defendant refused to provide a copy
       of the telephone recordings, but states that the complainant can access the recordings

       listen in her offices. The complainant believes that the telephone calls were unlawful

       recorded and that his right of access was ignored. So he has a complaint

       submitted to the GBA.

 2. On April 28, 2022, the complaint will be declared admissible by the First Line Service on the grounds

       of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG

       submitted to the Disputes Chamber.

 3. On April 28, 2022, in accordance with Article 96, § 1 WOG, the request of the

       Disputes Chamber to carry out an investigation submitted to the Inspection Service,

       together with the complaint and the inventory of the documents.

 4. The investigation by the Inspectorate will be completed on 29 June 2022, the report reads

       appended to the file and the file is transferred by the Inspector General to

       the Chairman of the Litigation Chamber (Article 91, § 1 and § 2 WOG).

       The report contains findings regarding the subject of the complaint and decision

       that there would be a violation of:


          1. Article 5 (1) (a) and (2) and Article 6 (1) GDPR;

          2. Article 5, Article 24 (1) and 25 (1) and (2) GDPR;

          3. Article 12 paragraph 1, paragraph 2, paragraph 3 and paragraph 4 and Article 15 GDPR; and


          4. Article 12(1) and (2), Article 13(1) and (2), Article 5(2); Article 24(1) and Article

             25(1) and (2). Decision on the substance 57/2023 – 3/33


5. On 4 July 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG

      that the file is ready for consideration on the merits.

6. On 4 July 2022, the parties concerned will be notified by registered mail

      of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG.

      they are informed of the time limits for their

      to file defenses.

      As regards the findings relating to the subject matter of the complaint, the

      deadline for receipt of the statement of defense from the defendant

      recorded on 29 August 2022, those for the complainant's reply on 19

      September 2022 and finally those for the defendant's reply on 10

      October 2022.

7. On 8 July 2022, the complainant requests a copy of the file (Article 95, § 2, 3° WOG), which

      was transferred to him on July 14, 2022, and he indicates that he wishes to make use of

      the possibility to be heard, in accordance with Article 98 WOG.

8. On 11 July 2022, the complainant will electronically accept all communication regarding the case.


9. On August 29, 2022, the Disputes Chamber will receive the conclusion of the answer from the

      defendant with regard to the findings relating to the subject matter of the
      complaint. The defendant argues that the processing on its part is correct and permitted

      data processing, with the principle of lawfulness and transparency

      are respected. The defendant also argues that it may be incomplete

      answering a question from the Inspectorate does not constitute a violation of the

      accountability. The defendant then argues that it is entitled to

      inspectionhasnotcomplicated. Finally, the defendant points out that they are transparent
      has provided information to the complainant and has the necessary technical and

      organizational measures to ensure the exercise of data subjects' rights

      facilitate.

10. On 19 September 2022, the Litigation Chamber will receive the conclusion of the complainant's reply

      with regard to the findings regarding the object of the complaint. The complainant

      agrees with the findings of the Inspectorate regarding the unlawfulness of the

      processing, the accountability for compliance with the obligations in the GDPR

      and the transparency and information obligations on the part of the defendant. For what

      concerns the finding regarding the obstruction of the right of inspection, the defendant states
      that he wishes to exercise his right of access, as granted by the GDPR, and

      that the restrictions invoked by the defendant are disproportionate to

      his right of access. Decision on the substance 57/2023 – 4/33


 11. On 10 October 2022, the Disputes Chamber will receive the statement of rejoinder from the

       defendant with regard to the findings relating to the subject matter of the

       complaint in which the argumentation is resumed as set out in the conclusion of
       answer.


 12. On November 28, 2022, the parties will be notified that the hearing will

       take place on January 30, 2023.

 13. On January 30, 2023, the parties will be heard by the Disputes Chamber.


 14. On February 3, 2023, the minutes of the hearing will be sent to the parties appearing
       submitted.


 15. The Disputes Chamber does not receive any comments because of the parties that have appeared

       regarding the record.

 16. On 5 April 2023, the Disputes Chamber informed the defendant of its intention

       made to proceed to the imposition of an administrative fine, as well as the

       amount thereof in order to give the defendant the opportunity to defend himself,
       before the sanction is effectively imposed.


 17. On May 25, 2023, the Disputes Chamber will receive the response of the defendant to the

       intention to impose an administrative fine, as well as the amount
       of them.


II. Motivation


    II.1. Article 5 (1) (a) (2) and Article 6 (1) GDPR with regard to legality


        II.1.1. Findings in the Inspection Report

 18. During the investigation, the defendant explained that the processing of

      personal data through the recordings of the telephone conversations is based

      to Article 6(1)(b) GDPR, i.e. “the processing is necessary for the performance of a

      agreement to which the data subject is a party, or at the request of the data subject before the

      conclusion of an agreement to take measures'. Based on his research
      the Inspectorate concludes that the defendant has fulfilled the obligations imposed by Article

      5 (1) (a), (2) and Article 6 GDPR has not been complied with. From the Respondent's Replies

      After all, the Inspectorate cannot determine the research questions during the inspection

      to what extent telephone conversations are effectively recorded, what the exact

      purposes and the duration of storage of the recordings. In addition, the

      according to the Inspectorate, the defendant failed to demonstrate the necessity. Hereby refers
      the Inspectorate according to Article 10/1, §1 of the Law of 30 July 2018 on the

      protection of natural persons with regard to the processing of Substance Decision 57/2023 – 5/33


     personal data, which allows recording of telephone conversations provided that the bee

     the communication involved parties are informed of before registration

     the registration, its precise purposes and the duration of storage of the registration. The

     The Inspectorate thus concludes that the defendant has complied with the obligations
     by Article 5 (1) a) and (2) GDPR and Article 6 GDPR with regard to the

     principle of legality.


      II.1.2. Position of the complainant


19. In its conclusions, the complainant fully agrees with the findings of the Inspectorate.

      II.1.3. Defendant's position


20. The defendant disputes this finding and argues in its conclusion that the recordings are

     are really necessary for the correct execution of the agreement.

21. As to the necessity for proper performance, the defendant notes

     that the Inspectorate has not asked to demonstrate the necessary nature,

     since only the defendant was asked on what legal basis the processing operations,

     being the recordings of the telephone conversations have taken place. In her conclusions
     the defendant further explains the necessity. The necessity is twofold:

     on the one hand the implementation of the specific agreement between the defendant and the complainant and

     on the other hand, the guarantee of the quality of this agreement, which is a necessary

     corollarium is of the execution of the agreement. These phone calls are for

     to discuss the wishes and needs of the customer. The defendant illustrates this as follows:

     when the parties have signed a contract, for example for making a

     website, they discuss the concrete implementation modalities by telephone. The purpose of
     this conversation is essential because it is at this time that the client explains his activities

     are, what he expects from the website, etc. Based on this telephone conversation, a first

     website layout design. This method was chosen on the basis of

     the clientele of the defendant (mainly self-employed persons) who prefer a fast and

     telephone conversation instead of an exchange of e-mails. This method does not prevent

     that the customer receives written confirmation of the basic data that were
     provided for the development of the website. Through constant communication between

     her and her clients, the defendant can deliver tailor-made projects for the client

     the recordings give the project managers the opportunity to check whether the needs have been met

     of the customer, as expressed during the conversations. Thus, according to the defendant, no

     there is a violation of Article 5 (1) a) (lawfulness) j° Article 6 (1) GDPR. Decision on the substance 57/2023 – 6/33


        II.1.4. Review by the Litigation Chamber


 22. Starting point of article 5, paragraph 1, a) GDPR, is that personal data is only lawfully

      may be processed. This means, among other things, that there is a legal basis for the processing

      of personal data as referred to in Article 6(1) of the GDPR must be present. In

      further elaboration of this basic principle, article 6, paragraph 1 GDPR states that personal data only

      may be processed on the basis of one of the legal grounds listed in the article.

23. The Disputes Chamber notes that the recording of telephone conversations in the context of

      business transactions are governed by both the GDPR and Article 10/1, §1 of the Law

      of 30 July 2018 on the protection of natural persons with regard to the

      processing of personal data (hereinafter: WVP).


24. The assessment of this file will therefore initially take place on the basis of the

      provisions of the GDPR. The question arises to what extent the processing of

      personal data took place lawfully, in accordance with, inter alia, Articles 5 and 6
      of the GDPR. The Disputes Chamber emphasizes that the application of the GDPR as a regulation

      of the European Union takes precedence over the aforementioned national legislation because of the direct

      operation and primacy within the European legal order. 1


 25. As already mentioned, the defendant argues that the recording of the telephone conversations

      is based on the legal basis as understood in Article 6(1)(b) GDPR, i.e. “the

      processing is necessary for the performance of a contract involving the data subject
      party, or at the request of the data subject before entering into a contract

      to take measures”. It is therefore up to the defendant to prove that she

      legitimately invokes this ground for processing.


 26. When personal data are necessary to perform a contract with the data subject

      that agreement forms the basis for the processing of those

      personal data, as stated in Article 6(1)(b) GDPR. The Disputes Chamber finds that the
      parties have entered into two agreements, the (“…”) dd. August 18, 2021 for what

      concerns the development of the website and the (“…”) for the purpose of producing a

      corporate video, also concluded on August 18, 2021. Both agreements were signed

      the Disputes Chamber.


 27. Furthermore, a controller can only rely on this legal basis

      if the processing of personal data is strictly necessary for the conclusion or






1ie inter alia CJEU of 5 February 1963, NV Algemene Transport- en Expeditie Onderneming van Gend & Loos t. Dutch
Administration of Taxes, C-26-62, ECLI:EU:C:1963:1; CJEU of 15 July 1964, Flaminio Costa v. E.N.E.L., C-6-64,
ECLI:EU:C:1964:66; on the legal protection of citizens on the basis of Union law and the principles of 'direct
effect” and “primacy”, see C. BARNARD, The Substantive Law of the EU: The Four Freedoms, Oxford (5th ed.), 2016, 17. Decision on the substance 57/2023 – 7/33


     performance of the agreement. There must therefore be a direct and objective connection

     between the processing of personal data and the purpose of the contract.

28. The Disputes Chamber establishes that, according to the defendant, the necessity relates

     has on the one hand the performance of the specific agreement between the defendant and

     complainant and, on the other hand, the guarantee of the quality of this agreement. Based on

     two agreements between the defendant and the complainant

     Litigation Chamber finds that these agreements contain several more general provisions

     contain such as a description and cost of the services chosen by the complainant as
     subscriber, the type of video to be produced, etc. Provisions regarding the

     specific modalities were not stipulated in these agreements. The included

     telephone conversations took place in the context of discussions of the specific

     modalities.It goes without saying that not all customers have the same wishes and requirements

     for their website or video. Also using a phone call allows you to easily

     to discuss, clarify any ambiguities or ask questions, for both
     parties. Any requirements for the customer can also change, which means that the

     the defendant can respond more quickly by conducting these conversations by telephone

     instead of by email. The recordings of these conversations are for replay

     listened to if necessary (for example, when in doubt about certain aspects of the website, or to

     verifying that all customer requests have been met). Considering its efficiency for

     both the controller and the customer, the Litigation Chamber is of the opinion that
     the necessity requirement is met.


29. As a result of the above, the Litigation Chamber believes that there is no infringement of

     Article 5 (1) a) with regard to lawfulness and Article 6 (1) GDPR was committed

     by the defendant.

   II.2. Article 12, paragraph 2, paragraph 3 and paragraph 4 and Article 15 GDPR


      II.2.1. Findings in the Inspection Report


30. On the basis of its investigation, the Inspectorate determines the right of the defendant

     ofinspectionoftheplaintiffunjustlycomplicated.After all,thedefendantrefuses a copy
     of the telephone recordings, but only offers the possibility to transfer the recordings

     to come and listen at its head office. The defendant states, according to the

     Inspectorate no elements that justify that it would actually be impossible to

     to provide the complainant with a copy of the aforementioned recordings in which, where appropriate

     personal data of third parties have been made unrecognizable. Decision on the substance 57/2023 – 8/33


      II.2.2. Position of the complainant


31. The complainant recalls that – in accordance with Article 15 GDPR – the

     controller must provide access via a copy of the
     personal data. If a copy is the most appropriate way of providing access,

     can, may and must be provided with a copy. The initial refusal of the

     the defendant is a blatant violation of his rights, according to the complainant. The proposal to

     to come and listen to the recordings at the head office does not meet the requirements of the

     right of access as provided for in the AVG and makes it more difficult to exercise the right to

     access significantly.

32. The complainant does not dispute that the right of access is not absolute and can be limited if

     it would prejudice the rights and freedoms of others. However, this should not matter

     lead to deprivation of all information. However, the complainant argues that the
     restrictions do not apply to this case.


33. With regard to the exception in Article 15(4) GDPR regarding respect for the

     rights of freedoms of third parties, the complainant states that the processed personal data of
     the employees in the telephone conversation are very limited. It is, after all, a normal

     professional telephone conversation using standard salutations.

     Consequently, according to the complainant, the refusal to provide a copy is for these reasons

     disproportionate. The complainant adds in subordinate order that he can too

     agree to receive a version where the direct identification data of the
     employees are omitted, or possibly even a written version of the

     conversations where the direct identification data of the employees are omitted,

     provided that the text of the recordings has been checked by an objective party or by the

     playing the conversations after receiving the written text.

34. As to the defendant's argument regarding the use of the recordings as

     piece of evidence in the context of legal proceedings, reminds the complainant that there is

     no such legal proceedings have yet taken place. In addition, the

     Respondent for forwarding the correct call/text. If the defendant

     forwards the authentic conversations and declares this to be the case, there is none for the complainant
     problem about this.


35. Finally, the complainant refers to the defendant's argument that the provision of

     a copy of the recordings may constitute a breach of business secrecy. The complainer
     argues that this cannot be the case. After all, these are standard conversations between a

     customer and a company. Questions were asked during these conversations

     website builder proposes to build a website or to make a business on a website

     can imagine. According to the complainant, this cannot constitute a business secret. In addition, eight Decision on the substance 57/2023 – 9/33


     the complainant is bound by the provisions of the GDPR when obtaining or processing it

     of the copies and that this is of course only intended for personal consultation.

36. With regard to the alleged abuse of law, the applicant argues in its conclusions that it

     the defendant herself has always contacted the complainant by telephone.

     If all contacts were made by e-mail, the complainant would have all information

     possess. Since the defendant therefore chose to make contact by telephone

     it is normal that she should also be responsible for safeguarding the right

     upon inspection by the complainant as he cannot exercise this himself. The complainant argues that it is not
     the rights of defense of the defendant are being violated, but the

     rightsofdefenseofthedefendant.After all,the complainant exercises a personal rightthat

     is granted to him pursuant to a European regulation. This right to inspect the

     the complainant is misunderstood by the defendant merely to keep the evidence to herself

     and therefore complicates any future procedure.

      II.2.3. Defendant's position


37. In principle, the defendant argues in its conclusions that it does not have the right of access

     unnecessarily complicated. As already stated, she has refused to provide a copy of

     the recordings, but instead she invites the complainant to the recordings in her office

     come and listen. After all, it argues that granting inspection does not mean a copy
     must be provided. Referring to article 15, paragraph 4 GDPR, the defendant argues that it

     right to obtain a copy is not absolute and obtaining a copy is not

     may interfere with the rights and freedoms of others. The defendant argues that

     reluctance to send a copy of a recording is fourfold.

38. Firstly, these recordings also contain personal data about/of employees of the

     defendant. According to the defendant, it is not desirable that such recordings be included in the

     get hold of a (dissatisfied) customer, as dissatisfied customers become employees

     directly and in an unauthorized manner. Besides, it would

     providing these recordings constitute a breach of protection

     personal data of the employees who are part of the recordings. Hereby has
     the defendant made the trade-off between, in its view, improper use of the

     right of access on the one hand and the right to protection of personal data of the

     involved employees on the other hand.

39. Second, the defendant argues that the complainant wishes to use these recordings as

     evidence in a civil dispute or proceeding. If it comes to a court

     procedure, it is necessary to preserve the authenticity of the recordings.

     This is made more difficult when the personal data of the employees concerned is removed from the

     conversation will be deleted. Decision on the substance 57/2023 – 10/33


 40. Thirdly, the defendant argues that a large part of the production process is done by telephone

       expires. Based on the telephone recordings, the working methods and know-how, and

       according to the business secrets, can be derived from the defendant.


 41. Fourth, the defendant argues that the exercise of the right of access is unfounded

       since it constitutes a manifest form of abuse of law. The complainant and the defendant are

       after all, involved in a contractual dispute regarding the performance of the agreement.
       As part of this, the complainant wishes to use the recordings as evidence in the context of

       a possible legal action. The rules and restrictions on the submission

       however, evidence in civil litigation is expressly regulated to rights

       of defense and the right to contradict. Due to the obligation to

       to transfer recordings, the right to a fair trial as guaranteed in Article 6

       of the European Convention on Human Rights are ignored as the

       as a party to civil proceedings, the defendant can itself take the initiative and determine how

       the process proceeds. Deny the defendant the right to choose which evidence it wants

       presenting and when, is a flagrant violation of her right to due process.

        II.2.4. Review by the Litigation Chamber


       General principles


 42. To begin with, the Disputes Chamber points out that the right of access is one of the

       mainrequirementsoftherighttodataprotection.Itisthe"gateway"
       which enables the exercise of other rights conferred by the GDPR on the data subject

       grants, such as the right to rectification, the right to erasure and the right to

       restriction of processing. 2


 43. The complainant has repeatedly exercised his right of access pursuant to Article 15 GDPR with regard to

       of the defendant by requesting that he be provided with a copy of the recordings of

       the telephone conversations in which the complainant participated. Through his lawyer, Mr
       the complainant sent a final request by e-mail and registered letter on 21 March 2022

       to the complainant:


       My client urges you to provide an electronic copy of all

       telephone conversation recordings that you have that involve my client if

       participant in the call.

       My client also requests about the processing of the telephone conversation recordings

       provide him with the following additional information:




2See most recently CJEU, 12 January 2023, ÖsterreichischePostAG, C-154/21, ECLI:EU:C:2023:3, para 38, but also CJEU,
17 July 2014, YS et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16,
EU:C:2017:994, para 57, see also decision 15/2021 dd. February 9, 2021, para 141, and decision 41/2020 dd. July 29, 2020, para
47 Decision on the substance 57/2023 – 11/33


       - the processing purposes


       - the grounds for processing

       - what other categories of personal data you have with regard to the conducted

           keeps track of telephone conversations in addition to the actual recordings,


       - the recipients or categories of recipients to whom the data is or will be

           provided;

       - if possible, the period during which the personal data is expected to be collected

           are stored, or if that is not possible, the criteria for determining that period;

       - when the personal data is transferred to a third country or a

           international organization, information on the appropriate safeguards in this regard

           transfer.


 44. According to Article 15(1) of the GDPR, the data subject has the right to obtain from the

       to obtain a definite answer from the controller as to whether or not he is being processed
       regarding personal data. If the latter is the case, the person concerned has it

       right to obtain access to those personal data and to information referred to in Article 15,

       paragraph 1 a) - h) is stated, such as the purpose of the processing of the data and the

       any recipients of the data, as well as information about its existence

       rights, including the right to request rectification or erasure of its data, or to

       submit a complaint to the GBA. The purpose of the right of inspection is the state concerned

       to understand how his personal data is processed and what the consequences are

       can be checked as well as the correctness of the processed data without being
       to justify intention. 3


 45. Article 12 of the GDPR concerns the way in which data subjects can exercise their rights

       exercise and stipulates that the controller is exercising those rights

       must be facilitated by the data subject (Article 12 (2) of the GDPR), and without delay and in

       must provide information about the

       measures taken in response to his request (Article 12(3) of the GDPR).
       Where the controller does not intend to comply with the request,

       he must communicate his refusal within one month, and inform the person concerned about the

       possibility to submit a complaint against this refusal to the supervisory authority

       data protection authority or appeal to the courts (Article 12(4).

       of the GDPR).






3 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13. Decision on the substance 57/2023 – 12/33



 46. The Disputes Chamber notes that the last request for inspection was sent by e-mail and

       by registered mail on March 21, 2022. In this context, the Disputes Chamber points out that

       the European Data Protection Board (hereinafter: EDPB) at that time already published the 'Guidelines
                                                                                           4
       01/2022 regarding the rights of data subjects – right of access”.

       published which provides guidance for controllers to deal with the

       exercising the right to access.

       Modality – provision of a copy


 47. With regard to the modalities on which a controller should act

       the Disputes Chamber points out

       that Article 15 (3) GDPR stipulates that the controller must provide the data subject with a

       copy of the personal data being processed. The obligation to a

       to provide a copy should not be construed as an additional right of the data subject,

       but as a means of granting access to the data. Consequently, access serves

       to the data pursuant to Article 15 (1) GDPR, the complete information on all

       data and this access cannot therefore be construed as granting
       access to only a summary of the data. The obligation to make a copy

       provision serves the purposes of the right of access, namely to the data subject

       to become aware of the lawfulness of the processing and to verify it

       check (recital 63). To achieve these goals it is in most

       cases, it is not sufficient that the data subject may view the information only temporarily

       the data subject must be able to access the information by obtaining a copy of the

       receive personal data. 5


 48. The question therefore arises in what form the copy should be provided. Article 15, paragraph 3 infine

       AVG states that when the data subject submits his request electronically, and

       does not request any other arrangement, the information in a commonly used electronic format

       must be provided, whereby the prevalence must be determined from the
                                                                                   6
       point of view of the data subject and not of the controller. In some

       In some cases, the circumstances themselves determine the format in which the personal data must be used

       be provided, such as with audio recordings since the voice of the person concerned itself is a

       personal data. In some cases, a transcript of the conversations can also be provided








4 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf
5
  EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf para 21 et seq.
6 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available for consultation
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 146 et seq. Decision on the substance 57/2023 – 13/33



       suffice, for example when this was agreed between the complainant and the
                                     7
       controller.

 49. The Disputes Chamber believes that it had to transfer a copy of the sound recordings

       must be forwarded to the complainant. After all, these sound recordings contain the

       personal data that are spoken, but also the voice of the complainant, which

       also constitutes personal data and cannot be displayed in transcripts.


 50. For the sake of completeness, the Disputes Chamber refers to the judgment rendered in the case
                                              8
       “Österreichische Datenschutzbehörde” in which the Court of Justice stated that “it

       right to obtain from the controller a copy of the

       personal data that are processed means that the data subject has a fair and

       comprehensible reproduction of all such data must be given. This right includes it

       right to obtain a copy of extracts from documents or even complete ones

       documents or database extracts containing, among other things, those data, if the

       provision of such a copy is indispensable to enable the data subject

       effectively exercise the rights conferred on him by this Regulation, whereby must
       It should be emphasized that this should also take into account the rights and

       freedoms of others”.9


       Exceptions


 51. Despite this broad concept of a copy, and notwithstanding the fact that it is the

       the main modality with which access must be granted, may be subject to certain conditions

       circumstances other modalities are appropriate. Recital 63 of the GDPR states that it

       right of access must not prejudice the rights or freedoms of others, including

       including business secrets or intellectual property and in particular to it
       copyright that protects the software. However, those considerations should not lead to it

       that the data subject is withheld all information.


 52. As already explained, the defendant puts forward several arguments in its claims

       about this.


 53. First, the defendant argues that the telephone recordings also contain personal data of

       include its employees. The rights and freedoms of these employees continue to apply

       to be insured by the defendant. The Litigation Chamber notes that Article 15, paragraph 4 of

       the GDPR stipulates that the right to obtain a copy must not affect the

       rights and freedoms of others. The general concern that rights and freedoms
       of others can be affected by complying with the request for access, is not



7 EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf para 153 et seq.
8
 ECJ, , 4 May 2023, F.F. t. Österreichische Datenschutzbehörde, C-487/21, ECLI:EU:C:2023:369.
9 CJEU, , 4 May 2023, F.F. t. Österreichische Datenschutzbehörde, C-487/21, ECLI:EU:C:2023:369, para 45. Decision on the substance 57/2023 – 14/33


     sufficient to invoke Article 15 (4) GDPR. The Disputes Chamber points it out

     note, however, that the controller must be able to demonstrate that in the concrete

     situation, the rights or freedoms of others would actually be affected.

54. As can be deduced from recital 4 of the GDPR and from the rationale behind Article 52 paragraph

     1,of the European Charter of Fundamental Rights, in particular the right to protection

     of personal data is not an absolute right. Recital 4 states more in particular: “[…]

     The right to the protection of personal data is not absolute, but must be

     be considered in relation to its function in society and must conform to it
     principle of proportionality against other fundamental rights […]".

     the exercise of the right of access must also be weighed against others

     fundamental rights in accordance with the principle of proportionality. The EDPB has in the

     Guidelines provide three steps to perform this trade-off. When this

     consideration ex Article 15 (4) GDPR shows that granting the request is negative

     affects the rights and freedoms of other participants (step 1), the
     interests of all participants are weighed, taking into account the specifics

     circumstances of the case and with the likelihood and severity of the risks involved

     associated with the provision of the data. The controller

     must try to reconcile the conflicting rights (step 2), for example

     by taking appropriate measures to mitigate the risk to the rights and freedoms of

     limiting others, such as, for example, the information concerning others as much as possible
     illegible instead of refusing to provide a copy of the personal data

     provide. However, if it is impossible to find a reconciliation solution, the

     controller decide in a next step which of the conflicting

     rights and freedoms and freedoms prevail (step 3).

55. Applied to the present case, the defendant has in accordance with the above

     step one evaluated the complainant's application and determined that the withdrawals

     contain personal data of employees.


56. In the context of step 2, to verify whether transferring the copy has an impact on
     the rights and freedoms of others, the defendant must as

     controller to try to resolve the conflicting interests

     reconcile by taking appropriate measures to mitigate the risk to rights and freedoms

     of the data subject as much as possible. It is in this context that the defendant

     has offered to come and listen to the recordings at its head office. The complainer

     has refused this possibility, but could nevertheless agree to a transcript
     received with omission of the direct identification data of the employees of

     defendant, subject to the necessary guarantees regarding the correctness thereof

     found a way between the parties to reconcile the conflicting rights. Decision on the substance 57/2023 – 15/33



 57. In the third step, the defendant thus had to verify which of the conflicting
       rights prevail. This should take into account the probability and

       seriousness of possible risks with regard to the rights and freedoms of the

       employees in the telephone recordings. The defendant contends that the right belongs to her

       employees prevail and in this way wishes to shield them from (dissatisfied)

       customers. The Disputes Chamber does not follow this view. The Disputes Chamber notes that there

       personal data of the employees may be present in the telephone recordings,

       but that it is about a limited amount, such as the voice and the name. In addition

       the conversation is of a professional nature. The Litigation Chamber therefore also concludes that it is very minor

       have no adverse consequences for the rights and freedoms of employees. The

       The Litigation Chamber therefore rules that the defendant does not rely on these rights and

       liberties can appeal for the refusal to transfer a copy to the

       defendant.

 58. As a second argument in the context of the refusal to provide a copy to the

       The complainant points out to the defendant that the Inspectorate has misunderstood during the investigation

       that the complainant wishes to use these recordings as evidence in a civil lawsuit

       dispute or proceeding, the authenticity and integrity of which must be preserved. The

       The complainant argues in this regard that no legal proceedings have yet been initiated.

 59. The Disputes Chamber points out that, given the broad application and interpretation of the

       right of access, the purpose for which the right of access is exercised must not be

       considered a condition for the exercise of this right. So it won't come

       to data controllers to verify why the data subject has access to it

       personal data, but only on what the request for access entails and whether or not

       not processed personal data of the data subject. In the aforementioned Guidelines, the

       EDPB also gives as an example that a controller is not allowed to access

       refuse on the basis of suspicions that the personal data concerned would be used

       may be required by the person concerned to defend himself in court in the case
                                                                           10
       of a commercial dispute with the controller. The Dispute Room

       therefore concludes that the defendant cannot rely on this for the refusal

       of the right of access.

 60. Third, the defendant argues that a large part of the production process is by telephone

       and aims to discuss the needs, wishes, working method, etc. with the customer.

       After all, the products offered by the defendant are tailor-made products

       for the customer. Based on the conversation content, such as the questions that would be asked



10EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-aparas_13.dAG Emiliou
confirms this statement in its Opinions in Case C-307/22, 20 April 2023, FT v. DW, para 28, https://eur-
lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62022CC0307. Decision on the substance 57/2023 – 16/33


     to the customer, it would therefore be possible to share the working methods, know-how and so on

     derive business secrets from the defendant.

61. As already mentioned, recital 63 states that the right of access must not be prejudiced

     to the rights or freedoms of others, including trade secrets. The GDPR

     does not, however, clarify what should be covered by business secrecy within the meaning of Recital 63 GDPR

     to be understood. In Belgian national law, Article I.17/1 ELC defines it

     trade secret as follows:

        “Information that meets the following cumulative conditions:


        a) it is secret in the sense that it, in its entirety or in its correct composition and
        arrangement of its constituents is not generally known or easily accessible

        is for persons within the circles usually dealing with the

        relevant type of information;


        b) it has commercial value because it is secret;

        c) it has been subject to reasonable consideration by the person lawfully in control of it

        measures, given the circumstances, to keep it secret.”

62. The Disputes Chamber understands from the conclusions of the defendant that in the recordings

     discussing how the website would be built. Questions would have been asked

     from which the know-how and production processes of the defendant could

     be diverted.Transmitting a copy of these conversations would constitute a violation

     form part of the defendant's trade secret, the defendant claims. The
     However, the Litigation Chamber notes that this information does not comply with the above

     stated definition of a trade secret. According to the first condition of the aforementioned

     definition is a trade secret in the sense that it, in its entirety, or in its proper form

     composition and arrangement of its constituents, is not generally known, or easy

     is accessible to persons within the circles usually dealing with the

     relevant type of information. The Litigation Chamber notes that this information is not
     limited access. After all, this information is communicated in

     standard conversations with all customers, where it is also possible for competitors to

     pretending to be a customer in order to obtain the necessary information. Moreover, this one

     information is also not protected by means of a non-disclosure agreement. This would

     thus mean that the customers would have access to the alleged business secrets of the defendant

     can and may pass on to third parties. After all, the information is already given during
     the conversations themselves without any agreement to keep them secret at the time

     to hold. Moreover, the information still needs to be in the correct composition or arrangement

     components are placed so that they could be relevant to the know-how

     track down. Decision on the substance 57/2023 – 17/33


 63. In view of the above, the Litigation Chamber rules that the above-mentioned exceptions

       to the right to transmit a copy do not apply in this case.


       Abuse of law


 64. In subordinate order, the defendant argues that the exercise of the right of access

       is unfounded as it constitutes a manifest abuse of law. The Defendant

       argues in this connection that the complainant misused the relevant

       wishes to obtain recordings in the context of the commercial dispute. In its conclusions

       the complainant argues that it is the defendant herself who is in constant contact by telephone

       recorded with the complainant. According to the complainant, the defendant must therefore be responsible for the

       safeguard the complainant's right of inspection, as he cannot exercise this himself.


 65. The Litigation Chamber recalls that EU law is not intended to be abused or
                                         11
       fraud may be invoked. Advocate General Kokott argues in connection with the

       abuse of the right of access that determines whether there has been abuse as well

       requires an objective as well as a subjective element. What, first, the objective element

       must be apparent from a set of objective circumstances that, notwithstanding the

       formal compliance with the conditions imposed by a Union regulation, the

       scheme intended purpose was not achieved.Secondly, such determination is also required

       a subjective element, in the sense that it must appear from a set of objective factors that

       the essential purpose of the acts in question is an unjustified

       gain benefit. After all, the prohibition of abuse does not apply when the

       the acts in question may have an explanation other than the mere acquisition of

       an (unjustified) advantage. 12


 66. With regard to the objective element, the Disputes Chamber notes that the wishes and

       needs of the complainant, which he expresses as a customer of the defendant, as personal data

       be qualified as such information because of its content, purpose or effect

       is related to a specific person (namely the complainant himself). Express these conversations

       after all, the vision and train of thought of the complainant with regard to the desired products.

       The collection of this information by the defendant is for the purpose of developing a product

       tailor-made for the complainant. After all, it is the intention of the complainant to

       the bespoke website and video to differentiate itself (and its sole proprietorship).

       of its competitors.




11 CJEU, 9 March 1999, Centros, C‑212/97, EU:C:1999:126, para 24, CJEU, 2 June 2016, Bogendorff von Wolffersdorff,
C‑438/14, EU:C:2016:401, paragraph 57.

12AG Opinion at CJEU, 20 July 2017, Nowak, C-434/16, ECLI:EU:C:2017:582, para 42 et seq.
13The Court of Justice has held that "insofar as the official title of the legal person is one or more natural
                                                       13 13
identifies persons", the legal person under articles 7 and 8 of the Charter 13 and the fundamental rights of the
European Union is entitled to the protection of data related to it. Since the AVG
is an elaboration of the overarching safeguards laid down in these Charter provisions, such
protection for legal persons also derive from the GDPR, although this protection does not extend to the legal person as such Decision on the substance 57/2023 – 18/33


 67. This qualification as personal data results in the basic principles of the GDPR

       apply as well as that the data subject can exercise his rights under the GDPR

       exercise, such as the evaluation of its correctness or the right to oppose

       the processing of his personal data outside the context of the closed

       agreements to. It must thus be established that the granting of a right to

       access to those wants and needs in the recordings serves the purpose of the GDPR, that in it

       exists to guarantee the protection of the right to privacy of the

       complainant in connection with the processing of his personal data.

 68. With regard to the subjective element, the Litigation Chamber finds that the essential

       the purpose of the acts in question is not to take an unfair advantage

       to acquire. The Disputes Chamber states that the exercise of the right of access is the only

       way is for the complainant to check to gain access to which personal data the

       the defendant processes and how this processing takes place, if necessary. Since

       the contacts are made by telephone, the complainant himself has no written record of the

       processing of its data. A request cannot be refused if the

       the person concerned would have the intention to use the personal data to file a complaint
       serve against the defendant. Consequently, there can be no question of an abuse of law.


 69. The Inspection Report finds that there would also be an infringement of Article 12, paragraph 3 and paragraph

       4 GDPR. However, the Litigation Chamber finds that the defendant has an answer

       has formulated to the request of the complainant within the set period of one month,

       as a result of which there is no infringement of Article 12 (3) GDPR. The defendant has

       the request for inspection was also not simply refused, but stated -insufficient
       equivalent - alternatives to, so that there is no infringement of Article

       12 (4) GDPR.


 70. In view of the above, the Disputes Chamber rules that the defendant is not correct

       and has lawfully acted upon the exercise of the right of access to the

       complainant, which constitutes an infringement of Article 12(2) and Article 15 of the GDPR.

    II.3. Article 5(1)(a) (transparency), Article 12(1) and Article 13(1) and (2) GDPR


 71. Based on Article 12(1) and Article 13(1) and (2) of the GDPR, it is necessary that the

       defendant as controller to the data subjects concise, transparent

       and provides understandable information about the personal data being processed. The

       the aforementioned transparency obligations constitute a concretization of the general ones

       transparency obligation of Article 5, paragraph 1, a) of the GDPR. As already explained



concerns, but the natural person(s) who form these, and probably mainly occur in cases where the
legal entity is in fact a sole proprietorship or a small family business with a transparent "corporate veil".
14EDPB Guidelines 01/2020 on data subject rights – right of access, dated 18 January 2022, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf, para 13. Decision on the substance 57/2023 – 19/33


     the defendant take the appropriate technical and organizational measures to

     guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR. The

     the defendant must thereby effectively implement the data protection principles, the

     protect the rights of the data subjects and only process personal data that
     are necessary for each specific purpose of the processing.


      II.3.1. Findings in the Inspection Report


72. The Inspectorate first of all finds that the defendant does not demonstrate that she is the complainant

     has effectively informed transparently and in a timely manner about the information that needs to be disclosed
     delivered in accordance with Articles 12 and 13 of the GDPR.


      II.3.2. Position of the complainant


73. The complainant fully agrees with the findings of the Inspectorate. Adds to this

     he admitted that he had indeed not been adequately informed that the
     conversations were recorded. The complainant disputes that he contacted each by telephone

     was informed that the interviews were being recorded. It's first on it

     subsequent e-mail communication that he was informed of the recordings. Consequently has

     the defendant has not complied with its information obligation.

      II.3.3. Defendant's position


74. The defendant argues in its conclusions that it has failed to fulfill its obligations of transparency

     has not violated Articles 12 and 13 GDPR. The defendant argues that it

     complainant at different times and through different channels

     informed about the disputed processing, namely at the conclusion of the agreements,
     via the privacy statement on the website and via the automatic messages upon receipt of

     the calls. As for the lack of clarity regarding the recordings made by the

     Inspection Service was established, the defendant raises that the telephone calls

     were only recorded for incoming and outgoing calls from the general number.

     If an employee contacted the complainant directly or directly through the

     the complainant was contacted, the conversations were not recorded. In addition, the

     complainant was informed of his rights under the GDPR according to the defendant's implementation
     in order to facilitate its exercise. The defendant therefore concludes that it is

     has duly complied with its obligations under Articles 12 and 13 of the GDPR.


      II.3.4. Review by the Litigation Chamber

75. The Litigation Chamber must judge whether the complainant has been adequately informed about the

     disputed processing to meet the requirements of Article 12 (1) and Article 13 (1) and (2) GDPR

     to fulfil. Decision on the substance 57/2023 – 20/33



 76. Article 12(1) GDPR requires the controller to “use appropriate
       measures” to ensure that the data subject receives the information referred to in Articles 13 and 14

       [...] related to processing in a concise, transparent, understandable and easy way

       accessible forms in a clear, simple language, especially when the

       information is specifically intended for a child”.


 77. The Disputes Chamber notes that Article 14 of both concluded agreements stipulates

       that the telephone conversations can be recorded for the purpose of carrying out the

       agreement.This is also mentioned in the privacy statement

       Litigation Chamber to the Group's Transparency Guidelines
       Data Protection Article 29 which provides as follows: "Any company with

       a website would have a statement or notice on that site about the protection of the

       privacy should be published. A direct link to this statement or

       notice on the protection of privacy would be clearly visible

       must be on every page of the website, under a commonly used term (eg.

       "Confidentiality", "Confidentiality Policy" or "Protection Notice".

       privacy".15 The Article 29 Data Protection Working Party states that "all

       information sent to a data subject should also be accessible at

       a single place or in the same document (on paper or in electronic format) that is easy

       can be consulted by this person if he has any information given to him
                                         16
       wish to consult."

 78. The Litigation Chamber points out that the complainant was informed about the disputed

       processing via the agreements – signed by him – and via the privacy statement.

       However, the Disputes Chamber hereby notes that not all essential information has been communicated

       became.


 79. First of all, the Disputes Chamber notes in this context that the privacy statement is not op
       mentions in sufficient detail the precise legal basis(s), the

       purposes of the processing and the personal data used, as required

       by Article 13 (1) and (2) GDPR. The Disputes Chamber has established that the privacy statement is

       mentions these elements, but that the manner in which it is not comprehensible and transparent to

       the data subjects, since it is not clear to the data subject which data is for which

       purposeareprocessedandbased on whatlegal basisthis is done.Ideallyprovides

       the controller a list of the different purposes for which

       he processes personal data, each time indicating which (categories of)




15Working Group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
Version approved on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 11.

16Working Group "Article 29", "Guidelines on transparency under Regulation (EU) 2016/679", revised and
Version adopted on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227), point 17. Decision on the substance 57/2023 – 21/33



       personal data are processed for this purpose, from which source they were obtained

       how long they are kept with what (categories of) recipients they (may) become
       shared.17


 80. Second, the Disputes Chamber notes that the privacy statement does not state clearly

       makes of the retention periods of the personal data concerned or the criteria for

       provision thereof, as required by Article 13 (2) a) GDPR. The privacy statement states

       the following in this regard: “[Defendant] shall use all necessary means to ensure

       ensure that the data of a personal nature is kept for the above

       purposes described and that it does not exceed the legal deadlines.” As also from the

       Guidance from the Data Protection Group shows that such

       wording not. The Data Protection Working Party points out in this regard that the

       (mention of the) retention period is related to the principle of minimum

       data processing contained in article 5, paragraph 1, c) GDPR, as well as the requirement of storage limitation

       of Article 5 (1) e) GDPR. It specifies that “the storage period (or the criteria for
       determine) may be dictated by factors such as legal requirements or sectoral requirements

       guidelines, but should always be formulated in such a way that the data subject, on the basis

       of his or her own situation, can assess the retention period for specific

       data/purposes”. 18 In view of all the foregoing, the Disputes Chamber proposes a

       violation of Article 5(1)(a), Article 12(1) and (2), Article 13(1)(c) and (2)(a)

       of the GDPR.


    II.4. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR


        II.4.1. Findings in the Inspection Report


 81. The controller must comply with the principles of Article 5 GDPR and that

       can demonstrate. This follows from the accountability as understood in Article 5, paragraph 2 j°

       Article 24 (1) GDPR. Based on Articles 24 and 25 GDPR, every

       controller takes appropriate technical and organizational measures

       to ensure and be able to demonstrate that the processing takes place
       in accordance with the GDPR.


 82. In its Inspection Report, the Inspectorate finds that Articles 5, 24, paragraph 1 and 25, paragraph 1 and

       2 GDPR were violated.







17
  This allows the data subjects to ask specifically with which individual via a request for the right of access
recipients the personal data are communicated, see e.g. CJEU, 12 January 2023, Österreichische Post AG, C-154/21,
ECLI:EU:C:2023:3.
18Guidelines on transparency in accordance with Regulation (EU) 2016/679, WP260rev1 adopted on 29 November
2017, p 25. Substantive decision 57/2023 – 22/33


83. In the context of his research on accountability in the context of the

     compliance with the basic principles of Article 5, paragraph 2 GDPR, the Inspection Service has the following

     question sent to the defendant:

     “A documented answer to the question of which technical and

     organizational measures the [the defendant] has taken to ensure that

     its processing activities take place in accordance with the principles on

     processing of personal data in accordance with Articles 5, 24 and 25 of the GDPR.”

84. The defendant has formulated an answer to the above question that, according to the

     Inspectorate, focuses on – according to the defendant – the correct handling of the

     request for the complainant's right of access. The Inspectorate sets its

     Inspection report that this answer is next to the issue, since the question related to

     the compliance of the defendant with all the basic principles of the GDPR since the 25th of May 2018.
     As a result, the Inspection Service concludes that there is an infringement of article 5, article

     24 (1) and Article 25 (1) GDPR.


85. Secondly, the Inspectorate finds that the defendant does not provide evidence
     what technical and organizational measures were taken to exercise it

     of the rights of the data subjects and to be able to adequately monitor them

     in accordance with Article 12 GDPR. In this context, the Inspection Service refers to (i) being

     previous finding that the defendant wrongly denied the complainant's right of access

     made it more difficult and (ii) the fact that the defendant does not mention anything in its answer

     and copies of documents that in practice, on the one hand, the management and employees
     inform and raise awareness of the defendant about facilitating and adequate follow-up

     of the rights of the data subjects and, on the other hand, contribute to preventing infringements and

     (human) errors regarding the rights of the data subjects become effective and efficient

     followed up and, where necessary, sanctioned. As a result, the Inspectorate arrives at the

     finding that there is a violation of Article 24(1) and Article 25(1) GDPR.

      II.4.2. Position of the complainant


86. The complainant agrees with the findings in the Inspection Report.


      II.4.3. Defendant's position

87. In its claims, the defendant disputes this finding. The defendant regrets that the

     The Inspectorate has come to a violation of accountability, as understood

     in Article 5 (2), Article 24 (1) and Article 25 (1) GDPR due to a misunderstanding of a

     of the questions of the Inspectorate by the defendant. The defendant denies the

     finding that her answer to the above question was not concrete enough, while

     the question was anything but specifically formulated, according to the defendant. The Defendant
     also notes that it had stated in its reply that it was always available for any decision on the substance 57/2023 – 23/33



       further information, but that no further questions were asked. In addition, some
       days later the inspection investigation was completed.


 88. Since the defendant's findings regarding transparency and the right of access

       contested, it therefore also argues that it does have the appropriate technical and organizational

       has taken measures to ensure transparency obligations and

       facilitating the right of access.

        II.4.4. Review by the Litigation Chamber


 89. The Litigation Chamber recalls that each controller has the

       basic principles on the protection of personal data as understood in Article 5,

       must comply with paragraph 1 GDPR and must be able to demonstrate this. That follows from the

       accountability in Article 5(2) GDPR in conjunction with Article 24(1) GDPR as

       confirmed by the Litigation Chamber .19


 90. Based on Articles 24 and 25 of the GDPR, the defendant must take appropriate technical
       and organizational measures to ensure and be able to demonstrate that the

       processing takes place in accordance with the GDPR. The defendant must do so

       effectively implement data protection principles, the rights of data subjects

       as well as only process personal data that is necessary for each

       specific purpose of the processing.


 91. As part of its investigation, the Inspectorate assessed to what extent the

       the defendant has taken the necessary technical and organizational measures to

       comply with these principles from Article 5 (1) GDPR and in particular the principle of
       legality and transparency. In this case, the defendant has replied to

       the Inspection Service in which it explains the aspects regarding the GDPR from the

       complaint, such as the information obligations and the right of access. The Dispute Chamber reads

       however, in the Inspection Report that the answer formulated by the defendant

       was not sufficient for the Inspectorate. As explained above, the

       Inspectorate in this case believes that certain information, which is for the Inspectorate

       is essential to arrive at a good assessment, which means that the

       Inspectorate concluded that there had been a violation of Article 5, paragraph

       2, Article 24 (1) and Article 25 (1) GDPR.

 92. The Disputes Chamber hereby notes if the Inspectorate establishes that there are no

       concrete information was provided by a controller, this one

       leads to further research. The Disputes Chamber establishes that

       in this case no additional questions were asked about specific subjects or that no



19 Decision on the merits 34/2020 of 23 June 2020 available via the web page
https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten. Decision on the substance 57/2023 – 24/33


       no specific documents were requested in order to make a proper assessment of the

       case with regard to accountability under the

       basic principles of the GDPR included in Article 5(1)(b) to f) GDPR.

 93. The Disputes Chamber established in section II.2.4 that there had been an infringement of

       the obligation to facilitate the request for access by the data subject

       in accordance with article 12, paragraph 2 j ° article 15 GDPR. The Disputes Chamber has ruled in part II.3.4

       that there was also a breach of the transparency obligations such as
       included in Article 12 (1) and Article 13 (1) (c) and (2) a) GDPR with regard to the

       understandable language and the indication of the retention periods in the privacy statement.


 94. The Disputes Chamber therefore concludes that the defendant could not demonstrate that he had the
       has taken necessary technical and organizational measures to comply with these

       obligations. Consequently, the Litigation Chamber concludes that there was an infringement of

       Articles 5 (2), 24 (1) and 25 (1) GDPR with regard to the obligations

       arising from Article 12, paragraph 2 j° Article 15 GDPR on the one hand and Article 12, paragraph 1 and Article

       13 (1) c) and (2) a) GDPR on the other hand.

 95. With regard to accountability in the context of compliance with the

       basic principles of the GDPR as understood in Article 5(1)(b) to f) GDPR, the

       Litigation Chamber determined that there are insufficient elements to lead to a violation of this
       judgements.


III. Sanctions


    III.1. General


 96. On the basis of the documents in the file, the Disputes Chamber establishes that there is
       subsequent violations


       - Article 12, paragraph 2 and Article 15 GDPR with regard to the right of access;

       - Article 5 (1) (a) (transparency), Article 12 (1) and Article 13 (1) (c) and (2) a) GDPR, for
          with regard to the understandable language and the indication of the retention periods in the

          privacy declaration;


 97. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:

       1° to dismiss a complaint;

       2° to order the exclusion of prosecution;

       3° to order a suspension of the judgment;

       4° propose a settlement;

       5° formulate warnings and reprimands;
       6° to order that the data subject's requests to exercise his rights be complied with

       to practice; Decision on the substance 57/2023 – 25/33


      7° order that the data subject be informed of the security problem;

      8° order that the processing be temporarily or permanently frozen, restricted or prohibited;

      9° order that the processing be brought into compliance;
      10° rectification, restriction or deletion of data and notification

      to recommend it to the recipients of the data;

      11° to order the withdrawal of the accreditation of certification bodies;

      12° to impose penalty payments;

      13° to impose administrative fines;

      14° the suspension of cross-border data flows to another State or
      to recommend an international institution;

      15° transfer the file to the prosecutor's office of the public prosecutor in Brussels, who

      informs it of the follow-up given to the file;

      16° decide on a case-by-case basis to publish its decisions on the website of

      the Data Protection Authority.

   III.2. Article 5 (1) (a) (transparency), Article 12 (1) and Article 13 (1) (c) and (2) (a) GDPR in
        in combination with the accountability principle ex Article 5(2), Article 24(1) and
        Article 25 (1) GDPR


98. As regards the infringement of Article 5(1)(a) (transparency), Article 12(1) and Article

      13 (1) (c) and (2) a) GDPR, with regard to the understandable language and the indication of the

      retention periods in the privacy statement, the Disputes Chamber reminds that they have a lot

      attaches importance to transparency as one of the fundamental principles of the GDPR.

      Transparency is an overarching obligation under the GDPR, which applies
      is in three key areas: 1) the provision of information to data subjects related to

      proper processing; 2) the way in which controllers

      communicate with data subjects about their rights under the GDPR; and 3) the manner

      on which controllers help data subjects to exercise their rights.

      In addition, transparency enables those involved to
      hold controllers and processors accountable. It's coming

      therefore to the defendant as controller to take the necessary appropriate

      take technical and organizational measures to enforce the principle of transparency

      guarantees. In the present case, the breach of transparency is not of that nature

      prevent or seriously hinder the application of these core areas. In this case, the infringement
      limited to stating the necessary information in a cluttered manner,

      as well as not explicitly stating the retention period. Consequently, the Litigation Chamber

      is therefore of the opinion that a reprimand in accordance with Article 100, paragraph 1, 5° is appropriate

      for this infringement.

   III.3. Article 12 (2), Article 15 GDPR, in combination with the principle of accountability ex

        Article 5(2), Article 24(1) and Article 25(1) GDPR Decision on the substance 57/2023 – 26/33



 99. With regard to Article 12 (2), (3) and (4), Article 15 GDPR, in conjunction with the

       accountability principle pursuant to Article 5(2), Article 24(1) and Article 25(1) GDPR for

       with regard to the right of access, the Disputes Chamber considers it appropriate to have a

       impose an administrative fine in the amount of EUR 40,000 (Article 83, paragraph 2, Article

       100, §1, 13° WOG and article 101 WOG).

 100. It should be pointed out in this context that the administrative fine does not matter

       aims to end unified transgression, but requires a strong enforcement of

       the rules of the GDPR. After all, as can be seen from recital 148 GDPR, the GDPR states

       First of all, in the event of any serious infringement – including the first finding of an infringement –

       penalties, including administrative fines, in addition to or instead of appropriate ones

       measures are imposed. The Litigation Chamber will then demonstrate that the infringements

       the defendant has committed on the aforementioned provisions of the GDPR by no means minor

       infringements, nor that the fine would impose a disproportionate burden on a

       natural person as referred to in recital 148 GDPR, where in either case

       a fine may be waived. The fact that it is an initial determination of a

       the defendant committed an infringement of the GDPR, does not affect this in any way

       to the possibility for the Disputes Chamber to make an administrative decision

       impose a fine. The Disputes Chamber will impose the administrative fine

       application of Article 58(2)(i) GDPR. The instrument of administrative fine has

       in no way intended to terminate infringements. To this end, the GDPR and the WOG provide for a

       number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9°

       WOG.

                                                                 21
 101. Taking into account Article 83 GDPR and the case law of the Marktenhof,

       the Disputes Chamber to impose an administrative sanction in concrete terms:

       The seriousness of the breach (Article 83(2)(a) GDPR)


 102. In the context of the transparency principle, the controller must provide the

       facilitating the exercise of the data subject's rights. For data protection

       it is essential that data subjects can easily exercise their rights under the GDPR

       can exercise. This enables the data subject to simply



20Recital 148 states: “In order to strengthen enforcement of the rules of this Regulation, penalties,
including administrative fines, to be imposed for any infringement of the Regulation, in addition to or instead of
appropriate measures imposed by the supervisory authorities pursuant to this Regulation. If it
concerns a minor infringement or if the expected fine would place a disproportionate burden on a natural person
person,a reprimand may be chosen instead of a fine.However, account should be taken of
with the nature, seriousness and duration of the infringement, with the intentional nature of the infringement, with damage-limiting
measures, with the degree of responsibility, or with previous relevant infringements, with the manner in which the infringement occurred
has come to the attention of the supervisory authority, with compliance with the measures taken against
the controller or the processor, with the adherence to a code of conduct and with all other aggravating
or mitigating factors. The imposition of penalties, including administrative fines, should be subject
to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter,

including effective remedy and due process. [own underlining]
21Brussels Court of Appeal (Marktenhof section), X t. GBA, Judgment 2020/1471 of 19 February 2020. Decision on the substance 57/2023 – 27/33


       way to find out which personal data a controller

       processed and whether this processing is lawful. A good interpretation of the right of access is

       furthermore necessary to exercise other rights, such as the right to rectification

       and the right to data erasure. This principle was recently endorsed by the Court of Justice
                 22
       confirmed. In view of the present violation, however, in the opinion of the

       Litigation Chamber concerns a serious infringement, in which the defendant's rights

       stakeholders has not been sufficiently facilitated. The Disputes Chamber considers the imposition of
       a reprimand is therefore insufficiently effective, not proportionate and not dissuasive.


       The defendant has not facilitated the right of inspection with its propagated policy

       after all, refuses to allow access in a manner that allows the complainant to

       view personal data not only temporarily. Consequently, it became the exercise of it

       right of access of the complainant by the defendant. From a professional party
       as the defendant, who systematically processes personal data in the context of the

       performs recordings for the performance of agreements, it may be expected that it will be on the

       is aware of the applicable standards and the appropriate technical and organizational

       takes measures to handle this personal data correctly. The

       the defendant has thus failed to observe the guarantees that the GDPR provides for the right of access

       gives to respect.

       The number of data subjects (Article 83 paragraph 2, a) GDPR)


       The Disputes Chamber notes that recording telephone conversations is a

       is standard practice of the Defendant, and that the disclosure policy

       this personal data is not in accordance with applicable law, making it

       it cannot be ruled out that similar cases have occurred or will occur
       occur in the future. However, the Disputes Chamber takes into account the fact that only

       one complaint was lodged.


       The intentional or negligent nature of the breach (Article 83(2)(b) GDPR)

       As to whether or not the breaches were intentional (not negligent)

       have been committed, the Litigation Chamber reminds that "not

       intentionally” means that it was not the intention to commit the infringement, although the

       the controller had not complied with the duty of care pursuant to

       the law rested upon him. With regard to the negligent nature of the infringement

       (article 83.2.b GDPR), the Dispute Chamber understands that the infringement was not committed with

       malicious intent to harm the AVG. The Disputes Chamber finds that the defendant
       has always responded to the complainant's requests, and that it has alternatives in terms of



22 CJEU, 12 January 2023, Österreichische Post AG, C-154/21, ECLI:EU:C:2023:3, para 28 et seq. see also CJEU, 17 July 2014, YS
et al., C-141/12 and C-372/12, EU:C:2014:2081, para 44, and CJEU 20 December 2017, Nowak, C-434/16, EU:C:2017:994,
para 57 Decision on the substance 57/2023 – 28/33


proposed modalities with regard to the inspection, but that these were not sufficient

to the modalities provided for the GDPR and the guidelines mentioned above

the EDPB.

Measures taken to limit the damage suffered by those involved


In the framework of the principle of transparency, the controller must on the basis

of Article 12, paragraph 2, of the GDPR, the exercise of the rights of the data subject
under - inter alia - Article 15 of the GDPR. Both the complainant and the

the defendant suggested possible solutions, but failed to reach a compromise. Like this

the defendant failed to comply with prior to and during the proceedings

the various possible solutions proposed by the complainant, such as

for example, transferring the transcript after checking its accuracy. A

possible solution offered by the defendant was to listen to the
recordings at the head office in Drogenbos. It is for data protection

essential that those involved have to in an easy way, and not just temporarily

can see. The Disputes Chamber therefore argues that an alternative method of access is then

of the right to a copy was offered, but that this offered modality no

could provide an adequate solution.

Previous breaches by the controller (Article 83(2)(e) GDPR).


The Litigation Chamber also takes into account the fact that the defendant has never before
was the subject of an enforcement procedure of the GBA.


Categories of personal data (Article 83(2)(g) GDPR)

The Litigation Chamber takes into account the fact that there is no evidence that is sensitive

data were processed.


Aggravating circumstance (Article 83(2)(k) GDPR)

The Disputes Chamber points out that the present case concerns the rights of

data subjects and in particular the right of access. As already mentioned, the right of

inspect the gateway for other rights or claims - whether or not under the GDPR

to practice. It is therefore essential to guarantee this access in a way that the
data subject has access in a sustainable manner. The Disputes Chamber also takes this into account

with the fact that there was an imbalance between the parties in that sense of the complainant

had the requested personal data and could not simply do so without it

intervention of the defendant.

Extenuating circumstances (Article 83(2)(k) GDPR) Decision on the substance 57/2023 – 29/33


     The Litigation Chamber also takes into account the fact that the defendant is constructive

     has cooperated, both during the Inspection investigation and during the procedure for the

     Litigation room.

     Conclusion


103. The whole of the elements set out above justifies an effective,

     proportionate and dissuasive sanction as referred to in Article 83 GDPR, taking into account
     the assessment criteria specified therein. The Litigation Chamber points out that the other

     criteria of art. 83 (2) GDPR in this case are not such that they lead to another

     administrative fine than that imposed by the Litigation Chamber in the context of this

     decision has been made.

104. On 5 April 2023, a sanction form (“form for reaction against intended

     sanction”) addressed to the defendant containing the intention to impose a fine of 70,000

     to impose EUR. She submitted her response regarding the content on April 25, 2023. The

     In summary, the defendant states in its response to the sanction form that:

      1) the Litigation Chamber has not taken into account the concerns of the

          defendant, nor with the fact that the request for access to a broader civil law

          dispute, which is in no way taken into account by the

          dispute room;

      2) the fact that the complainant is invited to listen to the recording is not

          necessarily means that the right of inspection is only temporary. Complainant has it

          right to make notes while listening and always received one in the past

          summary via e-mail of the elements that were discussed during a telephone conversation

          discussed, including the personal data processed by the defendant.

          The goal was not to prevent him from accessing it, but to prevent it
          evidence would be unauthorizedly distributed, altered or manipulated.

          If it did, it could be used in a conflicting way

          with the rights of the defendant's employees;


      3) from the alleged fact that it would have hindered the right of access – quod certe

          non -, the Litigation Chamber cannot possibly establish and decide that the defendant
          would not have appropriate procedures (under Articles 24 and 25 GDPR);


      4) the complainant's lawyer never proposed to come and listen to the recording

          has answered;


      5) the Litigation Chamber assumes that it would systematically process large-scale processing
          perform. This is not the case; and Decision on the substance 57/2023 – 30/33


       6) the proposed fine is disproportionate to the infringements committed

           established.


 105. The defendant regrets that certain circumstances were not taken into account,

      in particular the duration of the infringement, the non-intentional nature of the infringement and the

      categories of personal data to which the breach relates.

       1) First, with regard to the duration of the infringement, the defendant wishes to repeat

           refer to the civil dispute that exists between the parties.


       2) Second, there was no willful misconduct or malice on the part of the defendant.

           The Respondent has robust and adequate internal procedures, policies and
           rules in place to protect personal data and always in good faith

           endeavored to comply with the GDPR in both spirit and letter.


       3) Finally, as indicated above, are the categories of data used by

           defendant are processed limited and usually relate to the company

           and not on the natural person himself (e.g. contact details, company name,

           company social network and domain name).

 106. The Disputes Chamber is of the opinion that the above has been accepted by the defendant in the

      elements put forward in the sanction form have already been dealt with in the decision and in

      were taken into account when determining the fine in accordance with Article

      83 (2) GDPR. The elements from the sanction form used by the Disputes Chamber

      additional considerations are discussed below.

 107. As to the defendant's argument regarding the alleged

      disproportionate nature of the administrative fine, the Disputes Chamber points out

      that according to Article 83.5 GDPR, the violations of the Articles are Article 12(2)(3)

      and paragraph 4, Article 15 GDPR subject to administrative fines of up to EUR 20,000,000

      or 4% of the total annual turnover of the previous financial year.

 108. As regards the defendant's argument that the administrative

      fine in this case would be higher than in previous decisions of the Litigation Chamber,

      should be pointed out that in accordance with Article 83.2 GDPR as well as the guidelines

      of the Group 29 23 fines are imposed “according to the circumstances

      of the specific case”. In addition, the Disputes Chamber points to the

      case law of the Court of Appeal in Brussels, section Marktenhof, according to which “het

      Belgian legal system does not [assign] nor to a binding precedent value

      administrative or judicial decisions. Any decision of a judge (and this



23Data Protection GroupArticle 29, Guidelinesontheapplicationandsettingofadministrativefinesforthe purposes
of Regulation 2016/679, 3 October 2017. Decision on the substance 57/2023 – 31/33


       applies equally to any decision of an administrative authority, provided that it

       principle of equality is not violated) is specific and does not extend to another

       than the case under consideration”. 24 With regard to the amount of the imposed

       administrative fine, the Marktenhof also pointed to the margin of appreciation of the

       Litigation Chamber: “In practice, this means that the GBA cannot decide on its own

       offender not to impose a fine, but also that, if they decide to impose a fine, these

       is situated between the minimum, ranging from EUR 1, and the intended maximum. Which

       fine is imposed, will be decided by the GBA taking into account the criteria set

       are listed by Article 83 (2) GDPR”. 25


 109. The defendant objects that when determining the amount of the fine in the

       sanction form the consolidated turnover of the French parent company has been used in

       instead of the turnover of the defendant itself. The defendant does not wish to go alone

       emphasize that it was a subsidiary of Regicom Webformance in 2021,

       but also that the Disputes Chamber should only take into account the annual figures of the

       defendant since parent company does not exercise decisive influence over the

       subsidiary. The defendant also submits its annual figures for 2021

       amounted to EUR 24,683,149.


 110. On the basis of all the elements set out above, the

       Litigation Chamber to adjust the proposed sanction from EUR 70,000 to EUR 40,000.

       The established infringements warrant an effective, proportionate and dissuasive

       sanction as referred to in Article 83 GDPR, taking into account the provisions therein

       assessment criteria. The Disputes Chamber is of the opinion that a lower fine in the

       the present case would not meet the requirement of Article 83(1) of the GDPR

       criteria, according to which the

       administrative fine is not only proportionate, but also effective and dissuasive

       must be.


    III.4. Other grievances


 111. The Litigation Chamber proceeds to a deposit of the other grievances and findings of the

       Inspectorate because, based on the facts and the documents in the file, they do not belong to the

       conclude that there has been a breach of the GDPR. These grievances and

       findings of the Inspectorate are therefore regarded as manifestly unfounded

       within the meaning of Art. 57(4) GDPR.





24
  Brussels Court of Appeal (Marktenhof section), NV N.D.P.K. t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 12.
25Brussels Court of Appeal (Marktenhof section), NV N.D.P.K. t. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 42.
26
   See point 3.A.2 of the Litigation Chamber's Dismissal Policy, dd. June 18, 2021, available at
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf Decision on the merits 57/2023 – 32/33



IV. Publication of the decision

 112. Given the importance of transparency with regard to decision-making by the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. However, it is not necessary for the

       identification data of the parties are disclosed directly.







      FOR THESE REASONS,

      the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


      - on the basis of article 100, §1, 5° WOG to formulate a reprimand with regard to the

          defendant for the infringement of Article 5(1) (transparency), Article 12(1) and Article

          13 (1) (c) (2) (a) GDPR with regard to the understandable language and the indication of the

          retention periods in the privacy statement;

      - based on Article 83 GDPR and Articles 100, 1, 13° and 101 WOG, an administrative

          to impose a fine of EUR 40,000 on the defendant for the infringement of article

          12 (2) Art. 15 GDPR with regard to facilitating the right of access to the

          complainer;

      - pursuant to art. 100, §1, 6° WOG to order the defendant to grant the right of access

          to be known to the complainant in accordance with Article 12, paragraph 2 in conjunction with 15 GDPR; and

      - to dismiss the other grievances pursuant to Article 100, §1, 1° WOG.









Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.


Such an appeal may be made by means of an inter partes petition
                                                                                           27
listed in Article 1034ter of the Judicial Code and must contain .


27 The petition states under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
    summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer. Decision on the substance 57/2023 – 33/33



a contradictory petition must be submitted to the Registry of the Market Court
                                                                      28
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).









(get). Hielke HIJMANS

Chairman of the Litigation Chamber































































28 The application with its annex is sent, in as many copies as there are parties involved, by registered letter
sent to the clerk of the court or deposited at the clerk's office.