APD/GBA (Belgium) - 66/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA (Belgium) |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=66/2021 |E...")
 
Line 59: Line 59:


=== Holding ===
=== Holding ===
The defendant states that the complainant has right of access, but that she does not have right of rectification as this would prevent them from exercising their function. It comes to the fiscal administration to exercise their legal competences, as such, the government claims that the DPA is not competent in this matter.
The defendant states that the complainant has right of access, but that she does not have right of rectification as this would prevent them from exercising their function. It comes to the fiscal administration to exercise their legal competences, as such, the government claims that the DPA is not competent in this matter because the terms used by the fiscal administrators do not include personal data.


The DPA states that the term "personal data" must be broadly interpreted and based on four elements: "any information, "relating to", "an identifiable", "natural person".  
The DPA states that the term "personal data" must be broadly interpreted and based on four elements: "any information, "relating to", "an identified or identifiable", "natural person".
 
"Any information" includes objective and subjective states such as opinions, untrue or unconfirmed information, referencing CJEU 16 Februari 2000, nr. 27798, regardless of the position or capacity of the person (consumer, patient, employee, etc.), referencing WP29 Guidance 4/2007 p. 7.
"Relating to" means that the data because of its content, purpose or consequence is linked to a specific person.
"An identified or identifiable" means that a person can be distinguished from a specific group based on one or more parameters.
"Natural person" relates to the person behind the legal entity.
 
 
All elements are present in case, the terms used are personal data and thus the DPA holds that it has competence. The fiscal administration determines the means of processing by law and is also a data controller, de facto, as they collected personal data of the complainant and added it to the investigation regarding fraud.
 
The DPA holds that the right of access in light of the legislation regarding transparency of governance does not interfere with the right of access according to the GDPR. The complainant did not receive an answer to her right of access in due time. This is a breach of [[Article 12 GDPR#3|Article 12(3) GDPR]] and [[Article 12 GDPR#4|Article 12(4) GDPR]].


== Comment ==
== Comment ==

Revision as of 19:46, 9 June 2021

APD/GBA (Belgium) - 66/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(3) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 04.06.2021
Published: 04.06.2021
Fine: None
Parties: Federal Governmental Agency: Financial
National Case Number/Name: 66/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 66/2021 van 04 juni 2021 (in NL)
Initial Contributor: Enzo Marquet

placeholder

English Summary

Facts

The complainant asked the government to rectify information about her in a financial investigation regarding tax evasion as she is labeled as stooge for another company. The government refused to do this.

Dispute

Holding

The defendant states that the complainant has right of access, but that she does not have right of rectification as this would prevent them from exercising their function. It comes to the fiscal administration to exercise their legal competences, as such, the government claims that the DPA is not competent in this matter because the terms used by the fiscal administrators do not include personal data.

The DPA states that the term "personal data" must be broadly interpreted and based on four elements: "any information, "relating to", "an identified or identifiable", "natural person".

"Any information" includes objective and subjective states such as opinions, untrue or unconfirmed information, referencing CJEU 16 Februari 2000, nr. 27798, regardless of the position or capacity of the person (consumer, patient, employee, etc.), referencing WP29 Guidance 4/2007 p. 7. "Relating to" means that the data because of its content, purpose or consequence is linked to a specific person. "An identified or identifiable" means that a person can be distinguished from a specific group based on one or more parameters. "Natural person" relates to the person behind the legal entity.


All elements are present in case, the terms used are personal data and thus the DPA holds that it has competence. The fiscal administration determines the means of processing by law and is also a data controller, de facto, as they collected personal data of the complainant and added it to the investigation regarding fraud.

The DPA holds that the right of access in light of the legislation regarding transparency of governance does not interfere with the right of access according to the GDPR. The complainant did not receive an answer to her right of access in due time. This is a breach of Article 12(3) GDPR and Article 12(4) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                              1/33











                                                                              Dispute room

                                            Decision on the merits 66/2021 of 04 June 2021





File number : DOS-2020-00818



Subject : Processing of personal data by the Federal Public Service


Finance - request for information, access, rectification and limitation of the

processing





The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman, and Messrs Yves Poullet and Jelle Stassijns, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;



In view of the law of 3 August 2012 containing provisions regarding the processing of

personal data by the Federal Public Service Finance in the context of its assignments,

hereinafter “the law of 3 August 2012” ;1



In view of the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter WOG;



Having regard to the internal rules of procedure, as approved by the Chamber of

Members of Parliament on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;






1As amended following the entry into force of the GDPR by the Law of 5 September 2018 establishing the
Information Security Committee and amending various laws concerning the implementation of Regulation (EU) 2016/679 of

27 April 2016 of the European Parliament and of the Council on the protection of individuals with regard to the
processing of personal data and on the free movement of such data and repealing Directive 95/46/EC,
BS 10 September 2018. Decision on the merits 66/2021 - 2/33



Having regard to the documents in the file;



has made the following decision regarding:



                                                                                                         .
      - Mrs X, , hereinafter referred to as “the complainant”; and
                                                                                                         .
      - the Federal Public Service Finance (Directorate General Administration of the
                                                                                                         .
          Special Tax Inspectorate), Koning AlbertII-laan 33bus 49 - 1030 Schaerbeek, met

          company number 0308.357.159, hereinafter referred to as “the defendant”.




          1. Facts and procedure




      1. On 6 February 2020, the complainant submits a complaint to the

          Data protection authority against the defendant.



      2. The subject of the complaint concerns a request for information, inspection, rectification and

          restriction of the processing of personal data addressed by the complainant to the

          defendant on July 18, 2019 and August 9, 2019. The complainant specifies that she is active

          as a bookkeeper in the Grand Duchy of Luxembourg. This sets the aforementioned

          to have made requests to the defendant in response to the mention of

          his name in various files concerning tax investigations regarding

          taxpayers, executed by the defendant. More specifically, the complainant states

          that it is incorrectly mentioned as “straw man” in the relevant files where, in

          on the part of the taxpayers concerned, there would be tax evasion.

          The complainant specifies that the request to exercise her rights by the

          defendant was rejected by letter dated 28 October 2019, as a result of which

          submitted this complaint to the Data Protection Authority.


      3. On February 20, 2020, the complaint will be declared admissible on the basis of Article 58


          in conjunction with article 60 of the WOG, the complainant is informed in accordance with

          Article 61 WOG and the complaint pursuant to Article 62, §1 WOG is forwarded to

          the Disputes Chamber.


      4. On March 23, 2020, the Disputes Chamber will decide on the basis of Articles 95, §1, 1°, and 98

          WOG that the complaint is ready for treatment on the merits.



      5. By letter dated 23 March 2020, the parties are informed that the

          complaint is ready for treatment on the merits and these are also

          Article 99 WOG of the deadline to submit their defences. Decision on the merits 66/2021 - 3/33





6. On April 24, 2020, the defendant submits its statement of defense.


7. In its conclusion of the answer, the defendant states that it provided information on January 4, 2018

    obtained from abroad under the Common Reporting Standards. He

    specifies that an investigation was launched on the basis of the aforementioned information, in which

    the official concerned carried out searches in internal and external databases,

    including Orbis, Mémorial Luxembourgeois, POW and Sitran.




8. The defendant specifies that the results of this preliminary investigation and the position of

    the case officer were subsequently included in a document that

    was classified in file X, in which the following data and positions relate to:

    regarding the complainant were included:



          "Mrs. X is the founder and director of […] SA.
          (…)

          […] SA has its registered office in […] It is therefore located in this […].
          It was founded on […] by […] SaRL (represented by […]) and
          Mrs X […]).

          The capital at incorporation amounted to […] ([…]), of which […]and X each 50% ([…])
          to own.
          Upon incorporation (Constitution), the following persons are appointed as directors

  appointed:


          • […] SARL
          • Mrs. X

          • […] SARL

          […] SA SPF was transformed into […] with effect from […] (…)

          Mrs. X is the founder and director of […]SA.
          She has Belgian nationality and was domiciled in Belgium until […].
          Since 2003 she has had her domicile in […] at the address: […]. She has mandates in

          […], but also in Belgium. (…)
          - Director of […] since […];

          - Director of […] ([…]) since […];
          - (Managing) Director of […] (…) since […];
          - Director of […] (…) since […].

          When looking for X in Mémorial Lux we find […], mainly mandates like
          driver.
          (…)

          When reviewing its mandates, we find that most companies
          are located in […] at these 3 addresses:
          oh […]

          oh […]
          oh […]
          Mrs. X is […]of several “SA SPF” companies in […]. Presumably occurs

          them as “...”
          (…)
          She owns .. […] real estate in Belgium (POW):

          - […] Decision on the substance 66/2021 - 4/33



         - 1/2 full ownership (together with spouse) in 3 apartments in […]

         - […]
         (…)


         However, no file has yet been opened on behalf of Ms. X”.

9. The defendant specifies that, on the basis of the preliminary investigation, a tax investigation


    was started to person Y but not to the complainant herself.



10. With regard to the request for information, access, rectification and restriction of the

    processing submitted by the complainant on July 18, 2019, the defendant states that access

    was granted on August 21, 2019 both under the law on

    public administration and on the basis of privacy legislation. He points out that

    it was hereby clarified to the complainant that no specific investigation regarding

    of the latter was opened, which can also be read in the report of the

    preliminary investigation.



11. The defendant argues that on 8 August 2019, the complainant filed a similar request for

    exercise of its rights addressed to the Data Protection Officer

    of the Information Security and Protection of Personal Information

    Defendant's privacy. The latter specifies that this request was made on 28 October

    2019 was rejected as access has already been granted and since the

    personal data were collected only for a specific legitimate purpose and the

    processing was necessary for the performance of the legal tasks of the

    defendant.



12. In its conclusion of response, the defendant asks the Dispute Chamber for a complaint

    filed by the complainant to be unfounded and hereby submits the following:

    resources on:



     • Means 1: the words “straw man” or “presumed straw man” do not constitute a

         personal data



13. The defendant argues that the law of 3 August 2012 containing provisions regarding

    the processing of personal data by the Federal Public Service Finance in

    does not define the term “personal data” in the context of its assignments. The

    defendant refers to the definition of the aforementioned term in the GDPR.



14. The defendant argues that what the complainant in


    identifies file X and in the letter to person Y, her name and national number is Decision on the merits 66/2021 - 5/33



    but that the statements “straw man” or “presumably she acts as a straw man” are not

    constitute personal data within the meaning of the law or the GDPR. He adds that this

    concerns a position or opinion of the defendant with regard to the intervention

    of the complainant in company Z.




15. The defendant argues that, in accordance with its legal mandate, it is entitled to

    to take a position on tax-relevant data in order to determine the correct levy

    of the tax and points out that this follows from article 322, §1 WIB92 that

    states: “The administration may, with regard to a particular taxable person,

    collect written attestations, hear third parties, conduct an investigation, and within the

    period specified by it, which may be extended for lawful reasons, from

    natural or legal persons, as well as associations without legal personality

    to request all information it deems necessary to determine the correct levying of the tax

    to ensure."



16. The defendant submits that, therefore, in a prior notice of

    indications of tax evasion with regard to person Y may state that

    The complainant is suspected of acting as a front man and argues that a different reading of

    the aforementioned provision would not only be contrary to Article 322 WIB92 itself, but

    also with the civil servant's right to freedom of expression within the meaning of Article

    10 ECHR.



17. The defendant argues that it is the jurisdiction of the tax courts to decide

    to do with regard to disputes concerning the tax law and, consequently, whether

    the former qualified the complainant rightly or wrongly as a 'straw man'.



18. The defendant adds that the complainant, on the pretext of the


    processing of personal data cannot prevent the officials of

    take the former position on tax-relevant data. The

    the defendant reiterates in this regard that an opinion formulated by him does not

    personal data, so that the complainant does not have the rectification, limitation or

    may ask for a change.



19. Finally, the defendant argues that it should be noted that the report of the

    preliminary investigation in which the position of the civil servant with regard to a particular tax

    problem is displayed, there is no processing of personal data that is in

    a file has been included or is intended to be included therein (article Decision on the merits 66/2021 - 6/33



    4, § 6 GDPR) and that the report itself is not a structured set of

    constitutes personal data that is accessible through criteria.








      • Agent2: the [defendant] has provided [defendant] with sufficient information



20. The defendant argues that the complainant's right to information was respected

    and that sufficient information has been provided to the latter in accordance with Article 14 GDPR

    provided.



21. The defendant points out in this regard that “The Law of 3 August 2012 in Article 11

    a derogation [specifies] that the right to information may be limited

    to achieve the general interest objectives of monetary, fiscal and fiscal

    to ensure matters.



    In particular, reference is made to the processing of personal data that

    The purpose of this is the preparation, organisation, management and follow-up of the

    the investigations conducted, among others, by AABBI that can lead to an administrative

    fine or administrative sanction.



    In the event of a restriction of the right to information, these personal data may be

    be kept for a maximum of 1 year after the final termination of the judicial,

    administrative and extrajudicial proceedings.



    This limitation of the right to information applies (1) during the period in which the


    the person concerned is the subject of (2.1.) an inspection or (2.2.) an investigation or the

    related preparatory work carried out by in this case

    the AABBI and (2) the period during which the documents will be processed to initiate prosecutions

    set.



    This limitation applies where the exercise of the right would be prejudicial

    for the control, investigation or preparatory work or secrecy

    of criminal investigation or threatens to violate the safety of persons”.




      • Ground 3: the right of access was respected. Decision on the merits 66/2021 - 7/33



22. With regard to the complainant's request to exercise the right of access,

    the defendant that it provided the necessary explanation on 21 August 2019 regarding

    the processing of the complainant's personal data and has granted access.



23. He maintains that this was supplemented by a statement from the official for


    data protection that states that no tax investigation is conducted into the

    complainant but an investigation is being conducted into person Y, in the context of which

    complainant by name.


24. The defendant states that the complainant was specifically mentioned in the report

    of the preliminary investigation, which the latter was submitted to, as well as in the letter addressed to

    the taxpayer concerned. As for this letter - which the complainant herself has

    obtained (document 7) – the defendant states that he can invoke the

    ground for exception of article 11/1 of the law of 3 August 2012.



25. The defendant hereby specifies that it has the right to claim in whole or in

    partially restrict it if it is feared that the right of access may adversely affect

    would have consequences for the investigation. He believes that this is directly

    more can be limited in case of danger of collusion and argues that here

    it is not required that a specific investigation be conducted into the complainant, but only

    that it is involved in the subject of the investigation.


      • Remedy 4: the right to rectification and the right to limitation of

         personal data does not apply



26. With regard to the request for rectification of the personal data by the complainant,

    the defendant first of all reiterates that the opinion of the official in question that the

    complainant would probably act if straw man does not constitute personal data in the in

    sense of the GDPR, so that the data subject cannot request rectification.



27. The defendant adds that the complainant does not correctly spell her

    name and thus does not contest the correctness of the personal data, as a result of which there is no

    reason to proceed with any restriction on the processing of the

    personal data of the complainant.



28. In subordinate order, the defendant invokes the grounds for exception of the

    Articles 11/2 and 11/3 of the law of 3 August 2012.



      • Means 5: there is no reason to delete the personal data of the
         complainant Decision on the merits 66/2021 - 8/33





29. The defendant argues that it is entitled to request the erasure of data

    refuse, as these fall within the scope of the exceptions to Article 17

    GDPR falls.



30. The defendant specifies that, in accordance with the tax provisions - including

    Articles 317 and 322 WIB92 – may use the personal data of third parties in the

    as part of its tax investigation in order to ensure the correct levying of taxes

    to ensure. He argues that the processing of the complainant's personal data

    meets the objectives of the GDPR and is sufficiently proportional.



31. He argues that whether or not the defendant correctly describes the complainant as

    (presumed) straw man, falls under the jurisdiction of the tax courts.


32. The defendant concludes that he therefore sees no reason to keep the personal data

    from the complainant.



33. Finally, in this plea, the defendant submits that it also considers that the

    erasure of the personal data would in this case create an obstacle to “official”

    or judicial investigations and would adversely affect the

    prevention, detection, investigation or prosecution of criminal offences”. He

    specifies that, in this case, the data subjects by deleting their data

    (possible) involvement in tax malpractice already in the course of the investigation

    erase, which may not be the intention.



      • Ground 6: The claim for a penalty is without object


34. Finally, the defendant argues that the complainant's claim for periodic penalty payments

    unfounded, as the former has correctly provided information to the

    complainant with regard to the processing of her personal data and access

    has granted. It reiterates that the claims for rectification, limitation of the

    data processing and data erasure are unfounded.


35. On 8 May 2020, the complainant submitted her statement of reply.



36. In its conclusion, the complainant argues that, without any apparent reason, in internal


    documents of the defendant concerning tax investigations on behalf of other

    taxpayers are listed as “straw”, whereby -by means of this statement of

    the complainant - on behalf of the aforementioned taxpayers, it is decided to Decision on the merits 66/2021 - 9/33



          existence of indications of tax evasion. The complainant makes this

          evidence about.



      37. The complainant further states that on 18 July 2019, it filed a request for access to the

          administrative file of the defendant addressed to the latter, as well as a request een


          to information, access, rectification and restriction of the personal data of the

          complainant.



      38. The complainant argues that the above requests were not complied with

          within the one month period, as required by Article 12 GDPR.


      39. The complainant further argues that the defendant failed to act on its

          requests for information, rectification and restriction of processing.



      40. The complainant requests the Disputes Chamber to declare her claim admissible and well-founded

          declare and hold that the defendant has complied with Articles 5, 12 to 18, 21 and 23

          GDPR as well as Article 11 of the Law of 3 August 2012 as well as

          order that requests to exercise its rights are complied with, on

          penalty of a penalty of EUR 1000 per day of delay.



      41. On 25 May 2020, the defendant lodged its statement of defense.



      42. By e-mail of 3 May 2020, the complainant requests, pursuant to Article 98, 2° WOG

          to be heard. The defendant also requests to be heard in his opinion.




      43. On January 18, 2021, the parties shall, in accordance with article 53 of the Rules of

          internal order heard by the Disputes Chamber.


      44. On 29 January 2021, in accordance with Article 54 of the Rules of Internal

          the minutes of the hearing are forwarded to the parties.



      45. By e-mail dated 4 February 2021, the complainant makes her comments regarding

          this report.




        2. Justification




2.1. The concept of “personal data” and the competence of the Disputes Chamber Decision on the merits 66/2021 - 10/33




   2.1.1. The concept of “personal data” (Article 4.1 of the GDPR)


       46. In its statement of defense and reply, the defendant first of all points out that the

           terms “straw man” and “presumed straw man” do not constitute personal data in the

           sense of the GDPR, but that this is only a position taken by the

           defendant with regard to the complainant's intervention in certain

           companies. The defendant argues that, as a result, the complainant has exercised its right to


           rectification and restriction of processing in this regard.



       47. The defendant argues that it is up to the tax administration to take a position

           on tax matters in accordance with its legal powers and that it is up to the

           jurisdiction of the tax courts should rule on any

           disputes regarding these positions. The defendant decides that the

           In this case, the data protection authority is not competent to make a decision.



       48. Article 4.1 GDPR defines the term “personal data” as being “all information

           about an identified or identifiable natural person ("the data subject"); if

           identifiable is a natural person who can directly or indirectly

           be identified, in particular by means of an identifier such as a name,

           an identification number, location data, an online identifier or of one or more


           elements characteristic of the physical, physiological, genetic, psychological,

           economic, cultural or social identity of that natural person”. This definition

           thus includes four constitutive and cumulative elements:

           i. "all information"

           ii. "about"

           iii. “an identified or identifiable”

           iv. "natural person"




    i. "All information"




       49. The Disputes Chamber points out that the term “personal data”, as explained in

           Article 4.1 GDPR, Recital 26 GDPR as well as Group Opinion 4/2007

           Data protection and the case law of the Court of Justice should be broad

           interpreted and that this includes both objective and subjective information, regardless of

           whether or not this information is correct or proven. The concept of “all information”



2FOCQUET, A. and DECLERCK, E., Data protection in practice, Intersentia, Antwerp, 2019, p. 6; C. DOCKSEY and H.
HIJMANS, “The Court of Justice as a Key Player in Privacy and Data Protection: An Overview of Recent Trends” in Case Law at

the Start of a New Era of Data Protection Law, EDPL Review 2019, p. 302-304. Decision on the merits 66/2021 - 11/33




           used in Article 4.1 GDPR must therefore be interpreted literally and this en

           regardless of the nature, content or form of the information.




       50. Recital 26 GDPR emphasizes this extensive interpretation of the term

           “personal data” and states that “the principles of data protection for everyone”

           data concerning an identified or identifiable person [must]

           apply". 3




       51. This has also already been confirmed by the Data Protection Working Party in its Opinion

           4/2007 on the concept of personal data, in which it states the following in this regard:

           “In terms of the nature of the information, “personal data” includes all types

           statements about a person. Also “subjective” information, opinions and judgments


           fall below. (…) To be classified as “personal data”, it is not necessary
                                                    4 5
           that the information is true or proven.”



       52. The foregoing was also emphasized several times by the Court of Justice of the

           European Union. In its judgment of 20 December 2017 Nowak, the Court stated in this regard

           more specifically:



           “The use of the words “any information” in the definition of the term

           Indeed, “personal data” (…) indicates that it is the intention of the EU legislature

           was to give a broad meaning to this concept, which is not limited to sensitive

           or personal information but potentially extends to any kind of information, whether


           objective information as subjective information in the form of opinions or

           assessments, provided that this information ‘relates to’ the data subject”.



       53. Furthermore, the Working Party on Data Protection and the Court of Justice specified that these


           information can relate both to the personal life of the data subject
                                      6
           if its professional or public activities: “Include “Personal Data”

           information relating to a person's private or family life in

           strict sense, but also information about all kinds of activities that a person undertakes,

           for example about a person's professional relationships or economic or social behaviour. It's alright










3The Disputes Chamber underlines.
4
 Working Party on Data Protection Article 29, Advice 4/2007, 20 June 2007, p. 6.
5The Disputes Chamber underlines.

6Cf. ECtHR 16 February 2000, no. 27798. Decision on the merits 66/2021 - 12/33




           so here to provide information about persons, regardless of their position or capacity

           persons (consumer, patient, employee, customer, etc.).” 7




      54. More specifically, the Court of Justice ruled in its Nowak judgment that the evaluation and evaluatie

           comments from an examiner with regard to a test taken by the person concerned

           exam if personal data within the meaning of current Article 4.1 of the GDPR must be

           considered.



      55. The Court points out that the non-classification of these data as being

           personal data would completely remove this information from the protection of

           the principles and safeguards relating to personal data and in particular to the

           rights of access, rectification and opposition as well as the supervision of the

           supervisory authorities. 8



      56. The Disputes Chamber establishes on the basis of the above that, contrary to what

           is stated by the defendant in his statement of defense and reply, also in this case

           the information processed by the defendant falls within the scope of


           Article 4.1 GDPR and should be regarded as personal data within the meaning of

           aforementioned article. In particular, the documents at issue, on the one hand, mention the name and

           first name of the complainant as well as her national registration number, and, on the other hand, the

           statement as if the person concerned would act as a “straw man”.




    ii. "About"




      57. A second constitutive element of the definition of the term “personal data”

           of Article 4.1 GDPR means that the information must be “about” a natural person

           person, the person concerned. In its Opinion 4/2007, the Data Protection Working Party

           points out that this may be the case either directly or indirectly, to the extent that the information


           “refers to the identity, characteristics or behavior of a person or if

           such information is used to inform the way that person is treated
                                                          9
           or judged to determine or influence”.










7
 Working Party on Data Protection Article 29, Advice 4/2007, 20 June 2007, p. 7. See also in the same sentence the conclusion of
Advocate General E. Sharpston delivered on 12 December 2013 in Joined Cases C-141/12 and C-372/12 (Y.S.), para. 45.
8
 Nowak, par. 49.
9Data Protection Group Article 29, Advice 4/2007, 20 June 2007, p. 10. Decision on the substance 66/2021 - 13/33




      58. The Data Protection Group specifies in this regard that information that is not directly

           relates to a natural person as yet as “information about” the person concerned

           natural person can be considered in the following two cases:



           1) When the data will be used or can be expected to be

               used for the purpose of assessing the data subject,

               treat or influence his status or behavior; or



           2) When the use of the data is expected to have an impact on


               certain persons, where it is irrelevant whether this impact is large or small. The

               The Data Protection Group would like to point out that, as long as the possibility exists

               that, for example, the data subject will be treated differently as a result of the

               processing of the data concerned, there is an impact on the

               person. 10



      59. This was also confirmed by the Court of Justice, which stated in this regard that these


           second condition “is fulfilled when the information because of its content, purpose or
                                                           11
           consequence is associated with a particular person”.



      60. In the present case, it must be noted that the processing of the data concerned - i.e.

           the complainant's identification details in combination with the qualification

           '(probable) straw man' - and the use of this data (e.g. its mention

           in the notifications) can be unequivocally linked to the complainant and a


           may have an impact on the latter.




    iii. “Identified or Identifiable”



      61. A person is considered “identified” when that person

           distinguishable from other persons within a certain group, by means of one

                                        12
           or multiple identifiers.



      62. In view of the fact that the complainant, in addition to being qualified by the defendant

           if “straw man” is also mentioned by name and first name in the relevant documents

           as well as the national registration number of the complainant, the





10Group Data Protection Article 29, Advice 4/2007, 20 June 2007, p. 11-12.
11
  CJEU, C434/16, Nowak, para. 35.
12Data Protection Group Article 29, Advice 4/2007, 20 June 2007, p. 13. Decision on the merits 66/2021 - 14/33/



       The Court of Appeal finds that the person concerned was indeed identified and the

       the information processed by the defendant in this case relates to a

       “identified or identifiable person” within the meaning of Article 4.1 GDPR.




 iv. "A natural person"




   63. The Disputes Chamber notes that, although the information processed by the defendant verweer

       also relates to the complainant's companies, it also appears that

       it also relates to the person of the complainant herself, as the latter

       expressly stated in the relevant documents, as stated above, by

       by stating her name, first name and national register number.



   64. It must therefore be stated that the fourth constitutive element in

       case is present.












2.1.2. The jurisdiction of the Disputes Chamber


   65. On the basis of the above, it must be concluded that the processing at issue is

       well within the scope of the AVG, therefore, the jurisdiction of the

       Data Protection Authority - and in particular the Disputes Chamber - falls.



   66. The Disputes Chamber points out in this regard that, in accordance with Article 4, §1 WOG, the

       Data Protection Authority is competent for “supervising compliance with the

       basic principles of the protection of personal data, in the context of this

       law and of the laws containing provisions for the protection of the

       processing of personal data” and that the supervision of the law of 3 August 2012

       therefore also falls under its jurisdiction, as it relates in its entirety to

       to the processing of personal data by the Federal Public Service Finance.



   67. The Disputes Chamber also points out that, in the context of this task, it

       monitor compliance with the provisions of the GDPR and the laws

       containing provisions on the protection of the processing of

       personal data assigned to it by the European (Article 58 GDPR) and the

       Belgian legislator (article 4WOG), the facts presented by the plaintiff and both Decision on the merits 66/2021 - 15/33




          has investigated in the light of the provisions of the GDPR mentioned by the latter

          and other data protection legislation mentioned in the complaint form

          as well as in light of the legal provisions of which the violation was alleged in

          the statement of the latter's reply.


      68. The Disputes Chamber emphasizes - as it already did in its decisions

          19/2020 and 38/2021 - after all, the complainant cannot be expected to


          his complaint indicates in a precise and exhaustive manner the legal provisions

          defendant (possibly) have been infringed. This task of qualifying the facts rests

          at the Inspectorate and the Disputes Chamber of the GBA.


      69. If the Disputes Chamber should refuse to take into account the complainant in the

          charges brought forward during the proceedings, it would prejudice

          the effectiveness of the right of complaint contained in Article 77 GDPR.



      70. In the present case, the Disputes Chamber finds, however, that the . submitted by the complainant

          complaint form including its appendices already contains a very detailed and

          detailed statement of the facts as well as the alleged violations

          of the GDPR and of the law of 3 August 2012 and that the reply statement is not

          contains new indictments. Consequently, the Disputes Chamber points out

          that the defendant has had the opportunity ab initio, both in writing and

          to defend orally with regard to the integrality of the indictments.




2.2. Identification of the controller (Article 4.7 GDPR)




      71. In accordance with Article 4.7 of the GDPR, the controller should be


          considered: the “natural or legal person, government agency, service or

          other body which, alone or jointly with others, has the purpose and means of

          the processing of personal data”.



      72. In its case-law, the Court of Justice has used the concept of

          “controller” has been interpreted broadly on several occasions in order to

          ensure effective and full protection of data subjects. 13










13
  See, inter alia, ECJ, 5 June 2018, C-210/16 - Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388, recitals 27-29. Decision on the merits 66/2021 - 16/33




      73. In accordance with Opinion 1/2010 of the Data Protection Working Party, the

          capacity of the data controller(s) concerned in concrete terms

          be assessed. 14



      74. In the present case, the Disputes Chamber first finds that the defendant has

          of personal data within the meaning of Article 4.2 GDPR, in particular “a


          operation or set of operations relating to personal data or

          a set of personal data, whether or not carried out by automated means

          processes, such as collecting, recording, organizing, structuring, storing, updating

          or modify, request, consult, use, provide by means of

          transmit, distribute or otherwise make available, align or

          combining, blocking, deleting or destroying data”. 15 The Defendant

          collected the complainant's personal data (surname, first name,

          national register number) and included it in the report of his preliminary investigation as well as

          in the notification sent to the taxpayer(s) concerned.



      75. Still in accordance with Opinion 1/2010 of the Data Protection Working Party

          the concepts of “the goal” and “the means” are treated inseparably together and

          it must be determined who is the 'why' (the goal) and the 'how' (the

          resources) of the processing concerned. 16



      76. The Disputes Chamber further finds that the defendant de facto set the purpose and

          means certain of the processing of personal data concerned,

          as, first of all, it initiated the processing by the personal data

          from the complainant through the sources listed above as well as the


          to qualify the complainant as being a “straw man” and, secondly, by deciding the

          to include collected data in the preliminary investigation report as well as the

          notification sent to the concerned taxpayer(s).


      77. The defendant is also de jure referred to as being the


          controller of the personal data concerned and this more

          determined by articles 2 and 3 of the law of 3 August 2012 on the

          processing of personal data by the Federal Public Service Finance in the



14
  See Group 29, Opinion 1/2010 on the concepts of “controller” and “processor”, 16 February 2010 (WP 169),
as clarified by the DPA in a note “Overview of the concepts of controller/processor in the light
of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons in connection with the processing of personal data (GDPR) and some specific applications for
liberal professions such as lawyers”.
15
  The Disputes Chamber underlines.
16Group 29, Opinion 1/2010 on the concepts of “controller” and “processor”, 16 February 2010 (WP 169), p.
15. This opinion has been replaced by Guidelines 7/2020 of the EDPB. Decision on the merits 66/2021 - 17/33




          within its missions, which stipulate: “The Federal Public Service Finance is the

          person responsible for the processing referred to in this chapter of

          personal data” and “The Federal Public ServiceFinance collect processed

          personal data to carry out its legal tasks. the collected

          data may not be used by the Federal Public Service Finance for other

          purposes other than for the performance of its legally defined assignments

          used".



      78. Moreover, the defendant disputes its status as controller

          not for the personal data concerned.


      79. On the basis of the above, the Disputes Chamber decides that the defendant must

          are considered a controller within the meaning of Article 4.7 GDPR

          for the processing of personal data that is the subject of the

          complaint. He is therefore there in this capacity in accordance with the provisions of Articles 5.2


          and 24 GDPR accountability to ensure compliance with the

          principles of the GDPR .













2.3. With regard to requests to exercise its rights formulated by the

        complainant




   2.3.1. Processing time for requests (Article 12.3 GDPR and Article 11 Law 3

           August 2012)




      80. In accordance with Article 12.3 GDPR, the controller must

          data subject “without undue delay and in any event within one month of receipt of the

          request under Articles 15 to 22” to provide information about the

          action given to the request. 17Depending on the complexity of the

          requests and of the number of requests, that period may be extended by an additional two if necessary

          months to be extended. The controller should inform the data subject






17
  The Disputes Chamber underlines. Decision on the merits 66/2021 - 18/33




          if necessary, within one month of receipt of the request

          of such extension.



      81. Article 12.4 GDPR states that “when the controller fails to act

          gives the request of the person concerned, he the latter without delay and at the latest within

          one month after receipt of the request [shall state] why the request

          has been unsuccessful, and informs him of the possibility of lodging a complaint

          should lodge an appeal with a supervisory authority and a judicial remedy”.



      82. The Law of 3 August 2012 also specifies in its Article 11 §3 (right to

          information) , 11/1 3 (right of access) , 11/2 §3 (right to rectification) and 11/3 §3 (right

          restriction of processing) that “the data protection officer of

          the controller [informs] the data subject in writing, without undue delay,

          and in any event within one month of receipt of the request, on any

          refusal or limitation of his right (…) to the personal data concerning him

          as well as the reasons for such refusal or restriction. (…) Depending on the

          complexity of the requests the number of requests and the deadline if necessary

          be extended for a further two months. The controller states

          inform the data subject of this within one month of receipt of the request

          extension and of the reasons for the postponement.”




      83. It is apparent from the documents in the file that the first request for access by the


          The complainant was filed on the date of July 18, 2019. On August 7, the . shared

          defendant informed the complainant that his request should be addressed to

          the Information Security and Personal Protection Service

          lifestyle. It appears from the documents in the file that the complainant denied her request

          next day, on August 8, 2019, to the aforementioned service. at 26

          September 2019, the complainant addressed a reminder to the defendant

          concern the aforementioned request. 18




      84. By decision of 28 October 2019, the defendant replied to the request for

          information, access, rectification and restriction of processing, submitted on behalf of

          the complainant by her counsel, as follows:









18
  cf. documents 1-5 of the complainant's bundle of documents. Decision on the merits 66/2021 - 19/33



          “It appears from the elements of the file that your client herself is not the subject


          is part of an investigation by the [defendant]. There were no

          investigative acts performed on behalf of your client. The [defendant] has to

          as a result of some tax investigations with regard to third parties, information

          from public sources about your client. The information that your client

          has mandates in various companies comes from public sources.



          On August 7, 2019, the [defendant] already provided an explanation and inspection of the

          administrative file of your client allowed under the law of 11 April

          1994 on open government. During this inspection, which

          took place on 21 August 2019, barring misunderstanding, you have already

          requested relevant data.



          Your client's personal data were only legalized for a specific purpose

          purpose collected.



          Finally, the right to erasure on the basis of Article 17, paragraph 3 b) GDPR is not

          applies as the processing is necessary for the fulfillment of a

          legal processing obligation of the [defendant].”19




      85. It follows from the foregoing that the defendant withdrew the request to exercise the

          rights of the complainant not within the scope of Article 12.3 and 12.4 GDPR and by the

          law of 3 August 2012 prescribed period of one month treated e,norn

          has informed the latter within the aforementioned period in connection with a

          possible extension due to the complexity of the request.




      86. The Disputes Chamber points out that the access to the

          framework of the legislation on public access to government the latter is not released from being

          obligation in accordance with Articles 12.3 and 12.4 GDPR as well as the law of 3 August

          2012 to inform the complainant within the time limit provided for the

          action given to the request to exercise its rights

          pursuant to the GDPR, which furthermore concerned not only a request for access but

          also a request for information, rectification and limitation of the

          data processing.







19
  cf. piece 6 piece bundle complainant. Decision on the merits 66/2021 - 20/33



   87. The Disputes Chamber therefore finds that the defendant has thus committed an infringement

       committed to Article 12.3 and 12.4 GDPR as well as to Articles 11 §3, 11/1 § 3, 11/2§3

       and 11/3 §3 of the law of 3 August 2012 .




2.3.2. With regard to the defendant's response to the requests of the

        complainant pursuant to Articles 14, 15, 16 and 18 GDPR



 i. The request for information (Article 14 GDPR)




   88. The complainant, by means of her letter dated 18 July 2019, first addressed a

       request for information to the defendant in accordance with Article 14 GDPR, which

       contains the information to be provided to the data subjects in the event

       in which the personal data concerned were not collected by the latter itself

       obtained.




   89. With regard to this request made by the complainant under Article 14 GDPR

       for information, the defendant first argues that it has sufficient information informatie

       provided to the person concerned. The defendant hereby refers to its privacy policy

       published on the website https://financien.belgium.be/nl/over_de_fod/privacy

       and states that it provides extensive information about the processing of

       personal data by the defendant.



   90. Second, the defendant argues that in the present case it can rely on the

       derogation contained in article 11 of the law of 3 August 2012 .


   91. The aforementioned article provides in its §1 as follows:


           “By way of derogation from Articles 13 and 14 of Regulation (EU) 2016/679 of 27 April

           2016 of the European Parliament and of the Council on the protection of

           natural persons in connection with the processing of personal data and

           on the free movement of such data and repealing Directive

           95/46/EC (General Data Protection Regulation), the right to

           information will be deferred, restricted or excluded as to

           processing of personal data for which the Federal Public Service


           Finance controller is to achieve the objectives of general

           safeguard the importance of monetary, budgetary and fiscal matters, and

           to the extent that Article 14(5)(d) cannot be invoked in the specific case.” Decision on the merits 66/2021 - 21/33



    ii. The request for access (Article 15 GDPR)




      92. By letter dated 18 July 2019, the complainant also addressed


          a request for access to the defendant:




      The client also has the right to (sic) inspect the personal data

      that are processed and of the following information (i.e. the right of access in accordance with

      article 15 GDPR):

      - the processing purposes;

      - the categories of personal data concerned;

      - the recipients or categories of recipients to whom the personal data is or

          will be provided, in particular to recipients in third countries or international

          organizations;

      - if possible, the period during which the personal data is expected

          will be stored, or if that is not possible, the criteria to meet that deadline

          determine;

      - that the data subject has the right to request from the controller that

          personal data are rectified or erased, or that the processing of him

          concerning personal data is restricted, as well as the right against that

          to object to processing;


      - that the data subject has the right to lodge a complaint with a supervisory authority

          authority;

      - where the personal data is not collected from the data subject, all

          available information about the source of that data;

      - the existence of automated decision-making, including those referred to in Article 22,

          profiling referred to in paragraphs 1 and 4 and, at least in those cases, useful information about

          the underlying logic, as well as the importance and expected consequences of that

          processing for the data subject.


      On the basis of the aforementioned established processing of personal data,

      client to obtain information about the processed personal data and to

      obtain in the documents in which it is mentioned. She also wishes to

      in particular to obtain explanations from your Administration about the

      processing purposes, the recipients of this information and any available

      information about the source of the personal data. (…) ”20





20
  Piece 1 bundle of documents complainant. Decision on the merits 66/2021 - 22/33




      93. In its statement of defense, the defendant submits, with regard to that request

          for inspection that the latter gave the complainant access on 21 August 2019

          and has provided the necessary explanations regarding the processing of

          personal data.



      94. Furthermore, also with regard to this right, the defendant invokes the derogations provided for

          article 11/1 of the law of 3 August 2012 (cf. supra edge no. 80), and this in the

          particularly with regard to the document that the complainant herself has from third parties

          obtained 21 – and in which no access was granted by the defendant. The

          Defendant argues that it may fully or partially deny the right of access

          restrict it if it fears that this will be detrimental to the research and states that

          casu was feared for collusion. The defendant further argues that it is not required

          that an investigation be conducted into the person concerned himself so that he


          could legally invoke the aforementioned deviations.




    iii. The request for rectification (Article 16 GDPR)



      95. The complainant also addressed a correction request to the defendant.

          In accordance with Article 16 of the GDPR, the data subject has the right to obtain “from the

          controller without delay rectification of inaccuracies concerning him

          obtain personal data”.



      96. The complainant invokes the aforementioned right as it is of the opinion that the

          personal data processed by the defendant – and in particular the qualification as

          Plaintiff's 'straw man' – incorrect and in no way substantiated by the defendant.

          The complainant hereby points out that on the defendant as controller

          pursuant to Article 5.1 d) GDPR, there is an obligation to ensure that the

          processed personal data “are correct and updated if necessary;” and all


          [must take] reasonable steps to protect the personal data that, in view of the

          purposes for which they are processed are incorrect, delete them without delay or

          rectify (“correctness”)”.



      97. In its statement of defense and reply, the defendant argues that the right to

          rectification in this case does not apply as 1° the term 'straw man' is not used as a

          personal data can be considered within the meaning of Article 4.1 GDPR and 2° in





21
  Piece 7 bundle of documents complainant. Decision on the merits 66/2021 - 23/33



      subordinate order, the defendant can invoke the ground for exception

      contained in article 11/2 of the law of 3 August 2012 (cf. supra paragraph 80).




iv. The request for restriction of processing (Article 18 GDPR)




  98. Finally, the complainant also made a request for limitation of the

      processing to the defendant, pursuant to Article 18 .1 a) GDPR, which provides:




      “The data subject has the right of the controller to restrict

      obtain the processing if one of the following applies:



      a) the correctness of the data is disputed by the data subject, during

      a period that allows the controller to verify the accuracy of the

      check personal data; (…)”




  99. In its statement of defense and reply, the defendant argues that the right to

      limitation of the processing in this case also does not apply as 1° the term

      'straw man' cannot be regarded as personal data within the meaning of Article 4.1

      GDPR and 2° in subordinate order, the defendant can invoke the

      grounds for exception contained in Article 11/3 of the Law of 3 August 2012 (cf. supra

      marginal number 80).




v. Judgment by the Disputes Chamber regarding points i to iv




  100. The defendant thus invokes the . provided for under Article 23 GDPR

      restrictions on the rights of data subjects provided for in the law of 3 August

      2012 which further regulates the processing of personal data by the former.

      These derogations are contained in particular in Articles 11 §1 (right to information),

      11/1 §1 (right of access), 11/2 § 1 (right of rectification) and 11/3 §1 (right of limitation

      of the processing).




  101. As regards (inter alia) the rights exercised by the complainant, Article

      23 GDPR in particular that:


     “the scope of the obligations and rights referred to in Articles 12 to

    22 and Article 34, as well as in Article 5, insofar as the provisions of those Articles Decision on the substance 66/2021 - 24/33




        correspond to the rights and obligations referred to in Articles 12 to

        with 20, [may] be limited by means of Union or Member State law

        provisions applicable to the controller or processor,

        provided that such limitation affects the substance of the fundamental rights and

        fundamental freedoms and in a democratic society a samenleving

        necessary and proportionate measure to ensure: (…)




        d) the prevention, investigation, detection and prosecution of criminal offenses or

        the enforcement of sentences, including protection against and

        prevention of dangers to public safety;

        (e) other important objectives of general interest of the Union or of a Member State,

        in particular an important economic or financial interest of the Union or of a Member State,

        including monetary, budgetary and fiscal matters, public health

        and social security; (…)”.2



                                           23
      102. Under this provision, the Belgian legislature provided for the derogations

          included in the articles mentioned above.



      103. In accordance with the aforementioned Article 23 GDPR, as explained in recital 73

          GDPR, however, the rights of data subjects can only be limited under

          the conditions and within the limits set out in this provision, which are based

          is on Article 52 of the Charter of Fundamental Rights of the European Union and

          should be read in the light of the case law of the Court of Justice and

          Article 8 of the European Convention on Human Rights (ECHR).



      104. These restrictions should in particular be necessary in order to

          economic or financial interest and must be justified and

          to be proportionate. Article 2 3 GDPR hereby specifies in accordance with 52 of the

          Charter that the restrictions concerned are the substance of the rights


          should be left untouched.


      105. The Disputes Chamber notes, however, that the restrictions included in the law

          of 3 August 2012 are very broadly formulated and go further than what is beingword

          provided by Article 23 GDPR . First of all, this law does not only allow the


          rights of the data subjects are limited but also makes it possible



22
  The Disputes Chamber underlines.
23M.n. the former Article 13 of Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the
protection of natural persons with regard to the processing of personal data and on free movement
of that data. Decision on the merits 66/2021 - 25/33




          exclude them completely and deny any right to the data subject (“can it

          right(…) to be deferred, limited or excluded") . In addition, there is no clear

          time limitation attached to this complete exclusion of the rights of

                         25
          involved.


      106. The former Commission for the Protection of Privacy

          (hereinafter: CPP) stated in this regard in its Recommendation 02/2012 of 8 February 2012


          and in its Opinion 11/2012 of 11 April 2012 that “with regard to the suspension of the

          rights of the data subject, in particular the right to information, access and opposition,

          due caution [should be] shown ” and states that they are “the

          [makes] the greatest reservations regarding the lack of criteria allowing

          determine from which moment a tax investigation starts and ends

          (period during which the right to information, access and opposition is exercised)


          denied to the data subject)”. Furthermore, the CPP emphasized that “these rights

          after all [constitute] an extremely important protection mechanism” and that it

          denying the rights of data subjects raises questions as a

          tax research can extend over a long period of time.



      107. The Council of State also pointed to the (too) far-reaching limitation of the rights of
                                       26
          stakeholders in his advice on the preliminary draft law of 21 May 2012 and suggested

          in particular that Article 11 “thus has the effect that any taxable person

          the right to information is denied as well as the right of access and the right to

          opposition / improvement” while “Article 13 of Directive 95/46 of the European


          Parliament and the Council of 24 October 1995 “on the protection of

          natural persons in connection with the processing of personal data and
                                                              27
          on the free movement of such data', transposed into Belgian law at the

          the aforementioned law of December 8, 1992, the only exceptions and limitations

          enumerated that the Directive allows with regard to the right to

          information, the right of access and the right to rectification”.



      108. Although the above cannot be blamed on the defendant, the

          The Disputes Chamber that the law of 3 August 2012 provided for

          derogations, which imply a restriction on the fundamental right to





24Cf. § 1, first paragraph, of Articles 11, 11/1, 11/2 and 11/3 of the Law of 3 August 2012.
25
  The relevant provisions of the law of 3 August 2012 only specify that the preparatory
activities may not last longer than one year from the receipt of a request to exercise the rights by
a person concerned. However, no maximum period has been set within which the check or investigation must be completed
closed (and after which the rights can be exercised again).
26
  RvS, advice no. 51.291/2 of 21 May 2012, https://www.dekamer.be/FLWB/pdf/53/2343/53K2343001.pdf, 20.
27Current Article 23 GDPR. Decision on the merits 66/2021 - 26/33




           data protection , should be made restrictive by the latter

           interpreted and applied in accordance with the higher legal standard and,


           in particular Article 23 GDPR, quod non in casu (see below).




       109. Thus, Article 11, § 2 of the Law of 3 August 2012 specifies - with regard to

           right to information (cf. art. 11/1 §2, 11/2 §2 and 11/3 §2 for respectively the right of access,

           rectification and restriction of processing) - that the

           derogations only “apply during the period in which the person concerned has the object”


           forms part of an audit or investigation or the related

           preparatory work carried out by the aforementioned services in the context of

           of the execution of their legal tasks as well as during the period in which

           the documents originating from these services are processed to enable prosecutions

           in this regard”. 28 It follows from that provision that the

           derogations can only be invoked in cases where the data subject himself/herself


           is the subject of an audit, investigation or preparatory work

           of the defendant.




       110. This is also apparent from the preparatory work of the Law of 3

           August 2012, expressly specified in the Explanatory Memorandum


           that the provisions in question “establish an exception to the right to information,

           on access and on correction when the natural person is the subject of a
                                    29
           control or investigation” and that “the Administration, however, respects the principle of these rights

           not [shall] erode by invoking a control option. The access can

           only be refused if an audit or investigation is already underway, or if the

           preparations have already been made”. 30



       111. As regards the rationale of the restrictions in question, the Explanatory Memorandum states

           further that the performance of the defendant's duties could be adversely affected


           influenced “by the exercise of the right of access of those who want the tax”

           and who, thanks to the access, could have knowledge of the data contained in
                                                31
           be the property of the administration”.



       112. That the restrictions on the rights of data subjects pursuant to Article 11 et seq. of

           the law of 3 August 2012 should be interpreted restrictively,



28The Disputes Chamber underlines.

29DOC 53 2343/001, p. 3 and p. 9-10 (The Disputes Chamber underlines).
30
  DOC 53 2343/001, p. 12.
31DOC 53 2343/001, p. 11. Decision on the substance 66/2021 - 27/33




          also confirmed by the judgment 51/2014 of the Constitutional Court of 27

          March 2014, whereby this partially annulled the former Article 11 as it ruled

          that it was contrary to the principle of equality and non-discrimination in so far as

          it “allows the data controller to

          to refuse the exercise of [the rights] in respect of personal data that

          independent of the purpose of the ongoing investigation or audit and in

          to the extent that it does not provide for a time limitation on the possibility to

          to make an exception to the application of those rights which is justified by the

          performing work in preparation for an audit or investigation .2



      113. In the present case, however, it is apparent from the file in the file that it is not the complainant but

          third parties - in particular other taxpayers - were the subject of the

          investigations in the context of which, however, the complainant's personal data

          were processed. In particular, this is expressly stated by the defendant in

          the disputed document was also communicated to the complainant's counsel via

          its letter of 28 October 2019, in which it states:


          “It appears from the elements of the file that your client herself is not the subject

          is part of an investigation by the [defendant]. There were no

          investigative acts performed on behalf of your client. The [defendant] has to

          as a result of a number of tax investigations with regard to third parties, information

          from public sources about your client.”




      114. Articles 11 et seq. of the law of 3 August 2012 also provide in their § 1 that the

          derogations from the exercise of the rights described above may

          be applied if the data subject would be the subject of

          “preparatory work” in connection with an investigation or

          control of which the data subject is or will be the subject. From the

          documents of the file, it does not appear – for obvious reasons – whether this is too much or not in the present case

          was not the case.



      115. However, in its § 2, Article 11 of the Law of 3 August 2012 (as well as the

          Articles 11/1, 11/2 and 11/3 with regard to the right of access, rectification and

          restriction of processing) from now on that the duration of the aforementioned

          preparatory work, during which a deviation from the aforesaid

          rightscontained in articles 14 to 18 GDPR can be applied, “no longer [may]





32GwH 51/2014, March 27, 2014, p. 15.
33
  cf. supra marginal 8. Decision on the merits 66/2021 - 28/33




          exceed one year from receipt of the request [to exercise the

          rights]”.



      116. Regardless of whether or at the time of the invocation of the law of August 3

          2012 contained deviations by the defendant whether or not preparatory

          activities were ongoing with a view to initiating an investigation into

          with regard to the complainant, should therefore, on the basis of the above, be

          concluded that the defendant is no longer relying on the aforementioned deviations

          can appeal, since the period of one year from receipt of the request for

          exercise of the rights by the complainant has expired.



      117. In addition, it was found during the hearing that the defendant did not

          informed of the lifting of the invoked derogations, as required

          by Articles 11, 11/1, 11/2 and 11/3, §2 in conjunction with § 3 of the Law of 3 August 2012.

          After all, the aforementioned provisions state that “the duration of the preparatory

          activities, referred to in paragraph 2, second paragraph, during which the articles

          13 and 14 of the General Data Protection Regulation do not apply,

          may not exceed one year” and “when the Federal Public Service

          Finance has made use of the exception provided for in paragraph 1, first paragraph,

          and with the exception of the situations referred to in paragraphs 6 and 7 of paragraph

          3 , the exception rule [is] lifted immediately after the closure of the


          control or of the investigation. The data protection officer of the

          controller shall inform the data subject of this without undue delay”.

          In the present case, however, the one-year period was already amply exceeded without

          that the complainant was informed of the withdrawal of the invoked

          deviations.



          The above should not only be regarded as a violation of the

          relevant provisions but also as a violation of Article 12. 2 GDPR, that

          imposes an obligation on the controller to exercise the

          facilitate the rights of data subjects.



      118. The Disputes Chamber also determines on the basis of the statements of the defendant

          during the hearing that the latter does not seem to have an internal procedure


          to have a complete overview of all personal data

          of a data subject, in this case the complainant , who processes it . During the hearing



34I.e. “when a file is transferred to another service of the Federal Public Service Finance or to the

competent institution to decide on the findings of the investigation”. Decision on the merits 66/2021 - 29/33



         after all, the defendant stated that “there are many different departments within the

         [defendant] ” and that “not all documents prepared by all concerned

         officials can be screened or indexed to verify that the name de

         of the complainant or other personal data were used”. The

         The Disputes Chamber points out, however, that the defendant as


         controller of the personal data concerned

         in accordance with the accountability obligations set out in Articles 5.2 and 24 GDPR

         and the principle of data protection by design contained in Article 25 GDPR

         the obligation rests on the “appropriate technical and organizational measures [to

         take] (…) with the aim of complying with data protection principles, such as minimum

         data processing, in an effective manner and the necessary

         incorporate safeguards into processing to comply with the requirements of this

         Regulation and to protect the rights of data subjects” and such

         also be able to demonstrate. The controller should therefore:

         to ensure that it is technically possible to request personal data in all

         systems within his organization, especially when these are on a large scale

         processing personal data. The Disputes Chamber emphasizes that this

         accountability is one of the cornerstones of the GDPR, in that the defendant

         as a public service, it has an exemplary function in terms of compliance with the

         data protection principles.



      119. The Disputes Chamber rules on the basis of the above that the defendant

         has committed an infringement of Articles 11 §1, 11/1 §1, 11/2 §1 and 11/3 §1 of the

         Law of 3 August 2012 and thus Articles 12.2 in conjunction with Articles 14, 15, 16 and

         18 GDPR has violated .




Conclusion on the defendant's infringements



      120. Based on the above, the Disputes Chamber rules that:




      - the defendant does not timely notify the complainant - i.e. within the period of one month -

         inquired about the follow-up to the submitted by it on 18 July 2019

         requests for information, access, rectification and restriction of processing ex

         Articles 14, 15, 16 and 18 GDPR and thus infringed the

         Articles 12.3 and 12.4 GDPR as well as Articles 11 §3, 11/1 § 3, 11/2 §3 and 11/3 §3 of the

         law of 3 August 2012; and Decision on the substance 66/2021 - 30/33




      - the defendant, with regard to the above-mentioned addressed to him by the complainant,

          requests can no longer rely on the provisions of Articles 11, 11/1, 11/2 and 11/3 of the Act

          derogations foreseen from 3 August 2012 and is therefore obliged to

          requests to exercise rights by the complainant in accordance with the

          to deal with the aforementioned articles. The defendant informed the complainant in this regard

          does not agree with regard to the elimination of the invoked deviations, as required by the

          Articles 11, 11/1, 11/2 and 11/3, §2 in conjunction with § 3 of the law of 3 August 2012, and

          thus committed an infringement of the aforementioned provisions as well as of Article 12.2 GDPR

          in conjunction with Articles 14, 15, 16 and 18 GDPR.


      121. The Disputes Chamber therefore considers it appropriate to order the defendant that


          the complainant's requests to exercise her rights are met,

          in particular the right to information and access (Articles 14 and 15 GDPR and

          articles 11 and 11/1 of the law of 3 August 2012) . The Disputes Chamber orders

          the defendant, in particular the complainant in accordance with Articles 14.1 and 15.1

          GDPR at least :

          i) provide information about the processed personal data and more

                  determines the processing purposes, the recipients of the data subject

                  personal data and all available information about the source of the

                  data;

          ii) allow access to all letters and/or communications in which the complainant

                  is stated and for which it is no longer possible to invoke the

                  derogations provided for in the law of 3 August 2012.



      122. As regards the request to exercise the right to rectification (Article 16

          GDPR and Article 11/2 of the law of 3 August 2012) by the complainant , emphasize t

          the Disputes Chamber that the classification as a “straw man” of the complainant by the

          defendant - contrary to what is stated by the latter - as a

          personal data must be considered (cf. supra margin nos. 46-65). This

          data cannot therefore be exempted from data protection and is

          also subject to the provisions concerning the rights of the

          involved. 35The Disputes Chamber, however, points out because this - contrary to

          for example, the name of the e-mail concerned - “subjective” information, there

          it concerns a conclusion or qualification by the controller. In

          his judgment Nowak the Court of Justice there, with regard to this type

          personal data, that the scope of the rights should be

          assessed in function of the purposes for which the personal data was collected



35
  Judgment Nowak, margin no. 49. Decision on the substance 66/2021 - 31/33




          processed and that the purpose of data protection law is not to

          ensure the correctness of a decision-making process.



      123. The Data Protection Working Party, in turn, pointed out in its Opinion 04/2017

          that data protection rules do take into account the possibility

          that such subjective information is incorrect and gives the data subject the right to access

          to improve that information. He hereby points out that rectification in this case

          is possible by having different comments added, or by

          the use of appropriate legal remedies, such as appeal procedures . 36



      124. In view of the fact that the personal data in question in the present case is subjective

          information relating to the complainant, the latter of which states that

          it is incorrect and where the Disputes Chamber is not in a position to verify the correctness


          of this fact and cannot take the place of the

          defendant , it orders its rectification by admitting to the

          complainant to allow a statement to the contrary in the files concerned

          add, the latter indicating that it does not agree with the correctness of the

          data involved. In accordance with Article 19 of the GDPR in conjunction with Article 16 of the GDPR, the

          Dispute Chamber It is also appropriate to recommend the defendant to any recipient

          notify who the personal data concerned was provided to

          rectification. The application of Article 19 GDPR hereby results from the application

          of Article 16 GDPR.



      125. The Disputes Chamber emphasizes that the obligation rests on the defendant

          pursuant to Article 5.1 d) GDPR to ensure that the processed data

          personal data “are correct and updated if necessary;” and “all reasonable”

          [must take] measures to protect the personal data that, in view of the purposes


          for which they are processed are incorrect, erase or rectify without undue delay

          (“correctness”)”.



      126. The Disputes Chamber also considers it appropriate, in addition to this corrective

          measure and, in accordance with Article 58.2 b) GDPR and Article 100, §1, 5° WOG a

          to impose a reprimand. The Disputes Chamber takes into account the fact that

          the defendant is a government agency that sets an example in terms of

          compliance with data protection legislation and which, if

          tax authorities, also processes a large amount of personal data.




36
  Working Party on Data Protection Article 29, Advice 4/2007, 20 June 2007, p. 7. Decision on the merits 66/2021 - 32/33



          Accordingly, in accordance with the “lead by example” principle, it should at all times be

          to act in accordance with this legislation and in particular the above

          the aforementioned essential provisions of the GDPR regarding the exercise of the

          rights by data subjects.




Publication of the decision



      127. In view of the importance of transparency with regard to the decision-making of the


          Disputes Chamber, this decision is made in accordance with Article 95, §1, 8° WOG

          published on the website of the Data Protection Authority and this with

          indication of the identification data of the defendant in view of the general

          importance of the present decision, on the one hand, and the inevitable re-identification of

          the defendant in case of pseudonomisation, on the other hand.


FOR THESE REASONS,



the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:



      - a reprimand pursuant to Article 58.2 b) GDPR and Article 100, §1, 5° WOG

          formulate in respect of the defendant for the infringements of Articles 11, 11/1,

          11/2 and 11/3 § 2 in conjunction with § 3 of the law of 3 August 2012 and articles 14, 15, 16

          and 18 GDPR (failure to inform the complainant about the withdrawal of the

          invoked derogations and failing to comply with the requests to exercise

          of the rights of the person concerned);



      - pursuant to Article 58.2 c) GDPR and Article 100, § 1, 6° WOG, the defendant to

          order that the complainant's requests to exercise her rights are complied with

          to exercise, in particular the request for information and access (Art. 14 and 15 GDPR)

          and this within the period of one month from the notification of this

          decision and to notify the Disputes Chamber within the same period of

          the follow-up given to the present decision;



      - pursuant to Article 58.2 c) GDPR and Article 100, §1, 6° WOG, the defendant to

          order that the complainant's request to exercise her rights is complied with

          exercise, in particular the request for rectification (Art. 16 GDPR), and this within the

          period of one month from the notification of this decision,

          as well as to notify the Disputes Chamber within the same period of the

          consequence of this decision. The Disputes Chamber orders Decision on the merits 66/2021 - 33/33



          in this regard, in particular, allow the defendant to allow the complainant to


          have a statement to the contrary added to the files concerned with

          with regard to the qualification of “straw man” ; and


      - pursuant to Article 58.2 c) GDPR and Article 100, §1, 10° WOG, the defendant to

          recommend any recipient to whom the personal data concerned has been

          provided to notify the aforementioned rectification (Art. 19 GDPR in conjunction with Art. 16

          GDPR) and this within one month from the notification of

          to notify this decision, as well as the Disputes Chamber within the same period

          the follow-up given to this decision.






Under Article 108, §1 WOG, an appeal can be lodged against this decision within


a period of thirty days, from the notification, to the Marktenhof, with the

Data Protection Authority as Defendant.







(Get). Hielke Hijmans

Chairman of the Disputes Chamber