APD/GBA (Belgium) - 73/2020

From GDPRhub

Latest revision as of 17:00, 12 December 2023

APD/GBA - 73/2020
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Article 30 GDPR
Article 37(5) GDPR
Article 37(7) GDPR
Article 38(1) GDPR
Article 83(7) GDPR
Art. 6 § 2 Camera law
Art. 6 § 3 Camera law
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 13.11.2020
Published:
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: 73/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 73/2020 van 13 November 2020 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA (APD/GBA) imposed an administrative fine of €1500 on a social housing company for breaching several fundamental principles and obligations of the GDPR.

English Summary

Facts

The data subject lives in the social housing of the controller.

Several cases are bundled in this one decision; the data subject raised several issues at different times:

1) They exercised their right of access and said the controller wasn't sufficiently clear or thorough in the information they provided.

2) The website of the controller wasn't sufficiently secure and the privacy policy was short and vague.

3) There is no cookie policy nor is it clear if cookies are used. Consent for cookies was never asked. The retention period of personal data is never discussed.

4) It is unclear why certain personal data of medical nature are required.

5) The use of digital gas meters wasn't communicated, nor was it stated with whom the data was shared.

6) There is no mention of cameras in the privacy policy and no information was given upon installation of 4 cameras.

Holding

The DPA split the cases into several subtopics:

- Privacy Policy & Right of Access

- DPO

- Cookie Policy

- Processing of health data

- Law on cameras

- Processing through digital meters

The DPA points out that, pursuant to Article 5(2) and Article 24 GDPR, the person responsible for processing personal data must take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the processing as well as the risks for the data subjects are taken into account. These elements will play an important role in assessing whether and to what extent sanctions should be imposed.

1) Privacy Policy & Right of Access

The DPA upheld that a privacy policy should serve to fully inform the data subject about what is actually done with his or her personal data and in what context those data are processed. Any processing of personal data should be lawful, proper and transparent. Data subjects should be clearly informed of what data is being processed, how the processing is being carried out and why the personal data is being processed. It is not possible to deduce from the Privacy Sheet presented what exactly the personal data is used for. Clear and concrete language must be used when communicating to data subjects.

Because the data subjects are socially disadvantaged people, the language must be adapted to them to be clear and plain.

The word "concise" in Article 12(1) GDPR, however, does not mean incomplete; all mandatory information from Article 13 GDPR must still be included. The contact details of the DPO must be filled in correctly as well.

The controller does not fulfil their requirement of transparency by inadequately informing the data subjects.

2) DPO

Pursuant to Article 37(5) GDPR, the DPO should be designated, inter alia, on the basis of their expert knowledge of data protection law and practice. Article 37(7) GDPR provides that the contact details of the DPO shall be disclosed and communicated to the supervisory authority. These two requirements were not fulfilled. The choice of the DPO was not sufficiently motivated (in light of a tender) and the DPO wasn't communicated to the data subject as a single point of contact.

Furthermore, the contact to the DPO must be direct, and not through several parts of an organisation as this can dissuade people from contacting the DPO.

Lastly, the DPO was not properly involved in all data protection matters, which means the controller breached Article 38(1) GDPR.

3) Cookie policy

For a Google-DoubleClick.net cookie, no consent was asked. In the Planet49 judgment, the Court of Justice ruled that information must be provided by the person responsible for processing in order to place cookies. The information provided must show for how long the cookies will remain active and whether third parties can also have access to those cookies. This is necessary in order to guarantee proper and transparent information.

The consent requirement does not apply to the technical storage of information. Even if the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user, the consent requirement does not apply.

The processing of personal data through cookies without consent is a breach of Article 6(1) GDPR as there is no legal basis for the processing.

4) Processing of health data

The e-mail exchanges between the parties show that the data subject voluntarily informed the controller of his health situation and indicated that he could provide the controller with another medical certificate if necessary. The processing of sensitive information was necessary for purposes of Article 9(2)(h) GDPR.

5) CCTV surveillance

The data subject argues that there is camera surveillance in several residential units of the apartment. According to the data subject, the privacy policy does not mention anything about camera surveillance. The data subject also wants to know the legal basis and purpose of this processing.

In the rental agreement, cameras are mentioned but nothing more. The cameras were installed for safety, at the request of some residents, and are legally registered. The DPA determined that it wasn't clear why exactly the cameras were installed, nor do the elements brought up suffice to determine whether the cameras comply with the law on cameras.

No register of camera processing was kept (article 6 § 2 Camera law) nor was the retention period of 30 days respected (article 6 § 3 Camera law).

The DPA found a violation of the requirement to keep a register of processing activities under Article 30 GDPR and of the storage limitation principle of Article 5(1)(e) GDPR.

6) Digital meters

The data subject complains that the controller uses digital consumption meters and thus records the consumption of the tenants and unlawfully processes data about that consumption without a valid legal basis. The data subject indicates that they had not given their consent to the processing of data relating to their consumption of gas and electricity.

During the hearing, the controller indicated that the digital meters are linked to the address. In this way, it is read how much has been consumed at a certain address. This data is also passed on to a third party (local company) with whom there is a processing agreement. That company reads out the consumption. The controller receives a list of this and links it to the tenant files, according to the controller.

On the basis of Article 6 GDPR, the person responsible for processing personal data must have a legal basis in order for the processing to be lawful. On the basis of Article 24 and Article 25 GDPR, the controller must therefore take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR.

In doing so, the data controller must effectively implement the principles of data protection, protect the rights of the data subjects and only process personal data that is necessary for each specific purpose of the processing. Based on these facts and documents, the DPA finds that the controller has not been able to demonstrate that any privacy policy has been developed with respect to the digital remote reading of meter readings. Moreover, it is unclear on what legal basis the data are processed in accordance with Article 6 GDPR. This constitutes a breach of Article 6 GDPR.

The data subject indicates that they had not given permission for the processing. The controller does not invoke any other legal grounds for the processing. In addition, the DPA finds in this case a violation of Article 5(1)(a) GDPR, since it appears from the above that the personal data are not processed in a lawful, proper and transparent manner. The controller indicates that a third party reads out the consumption data and forwards them to the controller. The DPA points out that according to Article 28(3) GDPR the processing by a processor should be regulated in a contract between the controller and the processor.

Sanction

The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in Article 83(7) for "government bodies and agencies". Moreover, the article does not allow Member States to define the concept of "public authorities and public bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It is therefore only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept.

In the opinion of the DPA, a private law organization such as the controller's housing company does not fall under this category, even though this organization carries out tasks in the public interest in the field of social housing.

On these grounds, the DPA orders the controller to become compliant within 3 months, to inform the DPA about this as well and to pay an administrative fine of €1500.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


                                    Dispute room
                                    Decision on the substance 73/2020 of 13 November
                                    2020



File reference: DOS-2018-04368, DOS-2018-06611, DOS-2019-02464, DOS-2019-04329,
DOS-2020-00543 and DOS 2020-00574.

Subject: Complaints against the social housing company for failure to comply with
several principles of data processing, including those of lawfulness, and
transparency.



The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, Chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, Members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data and repealing directive
95/46/EC (general data protection regulation), hereinafter AVG;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter
WOG;

Having regard to the Internal Rules of Procedure approved by the Court of Auditors of
Members of Parliament on 20 December 2018 and published in the Moniteur belge on
15 January 2019;

Having regard to the documents in the file;




has taken the following decision on:
    - The complainant: Mr X
    - The defendant: Y Housing company.


    1. Facts and procedure

    1.  At various points in time, the complainant submitted a total of six complaints against
        the defendant. Since the defendant, who is also the person responsible for processing, is
        the Y Housing Company in all files, the complaints will be dealt with jointly. The
        Inspectorate has issued an inspection report on the first three complaints.

Complaint 1: DOS-2018-04368, Right of inspection
    2.  This complaint was lodged on 19 November 2018 and declared admissible by the
        First-line service on 14 January 2019. The complaint concerns the exercise of the right of
        access towards the defendant in accordance with Article 15 of the AVG.

    3.  On 4 October 2018, the complainant requested access to all the information that the defendant had
        processed about him since his registration as candidate tenant. In doing so, the complainant put a
        number of questions to the defendant. Those questions concern the purposes of the processing, the
        categories of personal data, the recipients or categories of recipients to whom
        the data are provided and in particular the recipients abroad, the
        retention periods, the question whether a right to rectify or erase personal data
        exists, the source of data in the case of indirect data collection, and finally
        the question of automated decision-making.

    4.  In response to this request, the complainant received a document called Extract
        Personal details Candidate - tenant Y Housing CVBA. The personal data provided on
        the extract includes the following: name, address and place of residence as well as
        the national register number, bank account, e-mail address, income details and
        telephone number. The same extract states that personal data will only be
        shared with "authorised parties". In his complaint, the complainant asks who
        the authorised parties are, what the function of the personal data on the extract is
        and what purpose the extract serves. The defendant claims to use these data;
        however, the complainant wonders how and for what purposes the various data
        are processed.


    5.  Furthermore, the complainant considers that the defendant does not make it clear and unambiguous
        how, inter alia, the right of rectification and erasure of data can be exercised by
        data subjects. In addition, the complainant notes that the legal texts and relevant
        documents are difficult to find and consult.


Complaint 2: DOS-2018-06611, Website [...]
    6.  The second complaint was lodged on 20 November 2018 and declared admissible on 14 January
        2019. This complaint concerns the website [...]. The complainant complains that the website
        does not comply at all with privacy legislation. According to the complainant, the website is
        inadequately secured, as an http connection is used instead of an
        https connection while, according to the complainant, confidential information is being processed.
        With an https connection, according to the complainant, the data is encrypted at the time it is
        sent. In addition, a non-secure website (which uses an http
        connection) is exposed to possible external attacks, according to the complainant. The complainant
        wonders what mechanisms the defendant has in place to avert possible
        attacks. According to the complainant, no explanation or information is given anywhere about how the
        data will be secured. The part of the website where one can log in to see
        at which point on the waiting list the prospective tenant is also goes via an
        unsecured http connection, according to the complainant. Requesting a new password in order to
        log in also goes via the same http connection and, according to the complainant, is totally against the
        principles of data protection.

    7.  According to the complainant, the forms used on the website are likewise
        unsecured. Secure forms should be used in order to make everything
        more orderly and streamlined.

    8.  According to the complainant, nowhere is it made clear whether and to what extent use is
        made of Google Analytics.

    9.  The complainant claims that the defendant also uses cookies on the website [...] (see also the
        separate complaint on this subject: complaint 3). According to the complainant, there is no
        indication of which cookies are used, with what content and who their recipients are.
        In addition, there is no possibility of rejecting cookies. In
        addition, according to the complainant, use is made of 'keywords' and 'description' of the
        website which, according to the complainant, indicates that the defendant wishes to be found through
        search engines. This will lead to more visitors on an unsecured website.


    10. According to the complainant, the privacy statement is of a very general nature and refers to
        legislative texts, deliberations, etc., without indicating where they can be found and
        consulted. According to the complainant, the defendant is attempting to disclaim
        liability by means of a disclaimer stating that the website should not be
        visited in the event of disagreement with the defendant's general terms and conditions.

    11. With regard to the protection of personal data, the privacy statement
        indicates that the data collected will be processed for the purposes of efficient and
        correct composition of the file and that it is stored in the files of
        Y Housing and those of the Vlaamse Maatschappij voor Sociaal Wonen. According to
        the complainant, there is no uniformity and consistency here.

    12. The complainant further complains about the fact that the information on the website of
        the defendant is completely incomprehensible and unclear. He points out that most
        (candidate) tenants of a social housing company such as the defendant
        belong to vulnerable groups of persons for whom this information is difficult
        to fathom.

    13. Finally, the complainant asks what other personal data are collected when
        visiting the website, by whom this is done and how it is done. The complainant also points
        to 'GO4it media group', which is the operator of the defendant's website. The complainant
        notes that that website does use https security.


Complaint 3: DOS-2019-02464, Website www.[...].be
    14. The complainant filed a complaint on 1 July 2019. The complaint was declared admissible
        by the First Line Service on 3 July 2019.

    15. The complainant complains about the website [...] used by the defendant. According to the complainant,
        the website does not comply with current privacy legislation. The complainant states that the only thing
        there is in terms of data protection is a document called "privacy policy" that
        contains a very brief text. The complainant indicates that this is a new additional website of
        the defendant. The complainant is disturbed that there is no correct and complete
        privacy statement and no cookie policy either.

    16. The complainant states that personal data are collected by means of a web form. A number
        of preferred themes must also be passed on, and the defendant's privacy statement must be
        agreed to, according to the complainant. In addition, according to the complainant,
        use is made of cookies from Google Analytics and others. In addition, the complainant complains that
        no indication is given as to which third parties are involved in the processing of the
        content of the web forms.

17. Personal data are stored and, according to the complainant, no indication is given as to how long
    the data are kept and for what they will be used. According to
    the complainant, nor is it indicated how and by whom the data will be processed.

    Complaint 4: DOS-2019-04329, Processing medical data

18. This complaint was lodged on 16 August 2019 and declared admissible on 30 September
    2019. The complainant complains that the defendant processes personal data, and in particular
    medical data, and that this processing is carried out in violation of the AVG. In order
    to be eligible for a ground floor/adapted dwelling, the complainant provided medical
    information to the defendant. From the annexes, it appears that the complainant mailed a medical
    certificate to the defendant so that his housing preferences could be adjusted. The defendant
    replied to that e-mail that, following the submission of the
    medical certificate, the housing preferences would be adapted to ground floor residences only.
    The list of documents to be produced at the time of registration mentions medical
    certificates. According to the complainant, it is completely unclear what the processing purposes are.
    The complainant argues that the processing of health data in the present case is contrary to Articles
    5, 6, 12 and 13 AVG. Also in this complaint, the complainant discusses the general privacy policy of
    the defendant, reiterating that the policy pursued by the defendant violates
    privacy legislation.


    Complaint 5: DOS-2020-00543, Use digital meters

19. The complaint was lodged on 23 January 2020 and declared admissible on 4 February 2020.
    On 10 January 2020, the complainant received a letter from the defendant called
    "interim review - consumption of gas". On the document one can read what the consumption of
    heating and hot water was over the last two months. The complainant claims not
    to have given consent to the defendant to process his consumption data.
    Consumption of gas and electricity is recorded by the defendant without the complainant
    knowing about it, let alone having given his consent. According to the complainant, this is
    unnecessary processing as customers can pass on the meter readings themselves.
    In an email dated 20 January 2020 from the email address [...], the defendant writes that
    the data is read automatically and sent to the defendant via an Internet
    connection.


     Complaint 6: DOS-2020-00574, Use of surveillance cameras

    20. The complainant submitted a complaint on 30 January 2020, which was declared admissible
        by the First Line Service on 4 February 2020. The complainant alleges that the defendant
        processes personal data by means of various fixed cameras in various residential entities.
        According to the complainant, there are 4 security cameras placed on the roof, 2 in the common
        entrance halls and 1 in the communal basement entrance. According to the complainant, the
        privacy policy does not mention anything about the use of the cameras. According to the
        complainant, the rental agreement only mentions the use of surveillance cameras. The complainant
        also wishes to know the legal basis and the purpose of this processing.

Continuation of the procedure

    21. The Inspectorate was set up on 7 June 2019 with regard to complaints 1 to 3.[1]


    22. On 9 August 2019, the Inspectorate wrote a letter with questions to the
        defendant.


    23. The letter contained questions to the defendant, with which the Inspectorate wished to
        examine possible infringements of Articles 5, 6, 12, 13, 15, 24, 37, 38 and 39 of the AVG
        and to gain better insight into the complaints.

    24. The Inspectorate requested the following information from the defendant:

        (a) The communication from the defendant to the complainant concerning the complainant's
            request for access, and the opinions thereon delivered by the Data Protection Officer
            of the defendant.

        (b) As regards the privacy policy of the website [...], a copy of the decisions that
            were taken on the privacy policy which can be consulted on the website, as well as
            a copy of the opinions of the Data Protection Officer on the
            privacy policy on the website.

        (c) Copy of the decisions concerning legal information and the disclaimer on the website
            of the defendant and a copy of the Data Protection Officer's opinions
            on this information and the disclaimer.

[1] Concerning DOS-2018-06611, DOS-2018-04368 and DOS-2019-02464.


    (d) Copy of the register of processing operations.


    (e) A reasoned and documented reply to the question whether or not the defendant
        has a data protection officer. If so, the
        Inspectorate wished to receive an organisation chart showing the place of the
        data protection officer, his title and the tasks he carries out, including
        tasks not related to data protection.


25. On 2 July 2019, the Inspectorate received a reply to its letter of 7 June 2019. Annexed to
    the reply was a letter from the defendant dated 25 October 2018
    in response to the complainant's request of 4 October 2018 to obtain access to his file
    from the defendant. The response contains an extract of personal data of
    the prospective tenant, in this case the complainant. The extract contains the name, address and
    residence details as well as the national register number, bank account, e-mail address, income
    and telephone number.

26. In addition, a privacy datasheet has been added as an appendix which states that
    information and personal data of (candidate) tenants are kept to see
    whether a person is entitled to social housing. The information which, according to the defendant,
    is kept is: identification data, national register number, address and
    contact details, family composition, language knowledge, financial data, ownership details,
    and, in some cases, accompanying services. It is mentioned that the
    data are kept for 10 years, in accordance with the Archives Act.

27. The defendant also indicated that it queried a number of bodies in order to obtain
    data. These bodies are:

        (a) Federal Public Service Finance: data on taxable income and
            ownership data;
        (b) National Register: national register number, surname and forenames, date of birth, gender,
            main residence and history, the place and date of death, civil
            status, composition of the family, nationality and history, legal
            cohabitation, the register of registration and legal capacity;
        (c) Federal Public Service Social Security: data on living wage;
        (d) Flemish Agency for Integration and Integration: data on integration and
            linguistic readiness;
        (e) VREG (independent authority of the Flemish energy market): housing data on
            the energy value of social housing.

28. On 9 July 2019, following the replies it received on 2 July
    2019 from the defendant in response to its questions, the Inspectorate put provisional
    findings and supplementary questions to the defendant. The provisional findings of the
    Inspectorate were as follows:

    a. The defendant does not have at its disposal any advice provided by the
        Data Protection Officer in relation to the complainant's request for access;
    b. The defendant does not have opinions of the Data Protection Officer
        concerning the privacy policy on the website [...];
    c. The defendant does not have at its disposal decisions taken on the privacy policy
        on the website;
    d. The copy of the processing register does not contain the name and contact details of the
        controller and the Data Protection Officer, nor
        the processing purposes;
    e. The defendant does not explain the duties and powers of the
        Data Protection Officer.

29. The Inspectorate also put further questions to the defendant about the
    Data Protection Officer. For example, it requested a copy of the
    documents justifying the choice of that person as
    Data Protection Officer, the date of notification of that Data Protection Officer to the
    Data Protection Authority and, finally,
    a copy of the documents showing the effective exercise of
    his mission, more specifically advice, correspondence and the like.

30. By email of 8 August 2019, the defendant responded to
    the Inspectorate's provisional findings. The response contains a number of annexes including
    email correspondence between the defendant and the Data Protection Officer, who
    works at Infosentry. This e-mail is referred to as advice from the
    Data Protection Officer on the complaint.

31. As the communication on privacy policy requested by the Inspectorate,
    the defendant enclosed an e-mail from the Vlaamse Maatschappij voor Sociaal Wonen (VMSW)
    (Flemish Social Housing Company). The mail contains the message that the VMSW has new
    privacy statements for customers of social housing companies. This is an e-mail addressed to all
    social landlords. In addition, general information sheets were added in each case.

    32. It should also be noted that the processing register has been amended as a result
        of the Inspectorate's provisional findings.

    33. The Inspectorate's questions to the defendant concerning the designation of the
        Data Protection Officer under Article 37 AVG (outside the scope)
        were also answered. It was indicated that the appointment of the
        Data Protection Officer was carried out on the initiative of the VMSW, which, by means of a
        call for tenders, had concluded a framework agreement with the company Infosentry NV.


    34. The defendant points out in this connection that: "The companies could, on their own initiative,
        subscribe to the services of Infosentry NV, which, on top of a
        minimum of experience, also requires all its employees to obtain a minimum number of
        certificates in the domain of knowledge of data protection".


    35. The date of notification of the Data Protection Officer is 25
        May 2018. The defendant points out that it has submitted a new notification to the GBA
        in which another person was registered as officer. According to
        the defendant, the latter is therefore the actual Data Protection Officer.

    36. On 16 September 2019, the Inspectorate made its report to the Disputes Chamber
        on the basis of Article 92, 3° of the WOG.

    37. The inspection report identifies potential breaches of Articles 5, 6, 12, 13, 15, 30, 31,
        32 and 37 to 39 of the AVG.

    38. The Inspectorate finds that the defendant has failed to comply with the obligations imposed by Articles 5
        and 6 of the AVG. The Inspectorate reached this conclusion because
        the answers given by the defendant do not show any justification as to which decisions
        have been taken concerning the legal info / legal disclaimer and general terms and conditions
        on the webpage [...]. 2

2 See page 3 of inspection report DOS-2018-006611 document 21.


39. In addition, the defendant acknowledges that no advice was given by the officer for
    data protection since, in the defendant's view, that advice is not normally covered by
    the duties of the official.

40. Nor do the replies of the defendant indicate what decisions were taken
    on those parts of the website [...] which facilitate the processing of personal data,
    such as the contact page.

41. According to the Inspectorate, the privacy policy of Y Housing is not transparent and not
    understandable to those concerned. It is not made clear what happens to the
    personal data obtained. According to the Inspectorate, the privacy policy is confusing and
    contains all kinds of concepts that are incomprehensible to those concerned. In addition, the
    policy indicates that if a data subject contacts the defendant and does so
    via an electronic medium other than the website, the privacy statement of that other
    medium has priority. According to the Inspectorate, this also indicates that there is no
    transparency towards those involved.

42. The Inspectorate points out that, despite its express request, it has not
    received from the defendant any opinions of the Data Protection Officer.

43. According to the Inspectorate, technical investigations have shown that
    cookies are used on the website [...]. One of these is a necessary technical
    cookie called "hs_js" and another is a marketing cookie called "IDE" originating
    from Google-Doubleclick. Visitors to the website are not asked for permission
    for the latter cookie. The processing of personal data that takes place in that context
    is therefore, according to the Inspectorate, unlawful.

44. With regard to Articles 12, 13 and 14 of the AVG, the Inspectorate has also
    detected infringements. The service comes to these findings because Annex 11 to the internal
    rental regulations, which relates to the privacy policy of the defendant, is not
    transparent and comprehensible to those concerned, so that the Inspectorate establishes
    an infringement of Article 12.1 AVG. It is not made clear what the
    various terms used in that Annex 11 are to be understood to mean.
    The contact details of the data protection officer of the defendant
    are missing. The processing purposes and the legal basis for the processing are lacking.
    Finally, the data subjects are not made aware of the right of access, according to the
    Inspectorate.


    45. As of 1 July 2019, an amended privacy policy has been published by the defendant on its
        website. 3 The document containing the defendant's privacy policy is, according to the
        Inspectorate, not transparent and comprehensible to those concerned and therefore does not
        meet the requirements of Article 12.1 AVG. In addition, not all the information prescribed by
        Articles 13 and 14 of the AVG is actually described in the privacy policy.
        Different terms are used interchangeably and the contact details
        of the Data Protection Officer are missing, according to the inspection report.

    46. In response to the complainant's request for access on the basis of Article 15 AVG, the defendant
        reacted by sending, inter alia, a document called "GDPR". This
        document too is, according to the Inspectorate, neither transparent nor comprehensible to those
        involved, as a result of which the defendant does not meet the requirements set out in Article 12.1 AVG.
        According to the Inspectorate, the answer does not meet the requirements of Article 15.1 AVG either.
        The obligatory information to be stated, such as the recipients of the
        personal data, is missing.

    47. An infringement of Articles 28 and 30 was also found by the Inspectorate,
        for the following reasons. The defendant has indicated that a company called
        C-Works designed the website [...]. Via that website, personal data of
        tenants are collected and processed. The defendant does not regard the company as a processor.
        It is not clear to the Inspectorate, in view of the information provided, whether there is
        a processor and whether a processor's contract in accordance with Article 28 of the CMR
        should thus have been concluded.


Additional findings (outside the scope of the complaints)

    48. The obligations imposed by Articles 37.5 and 37.7 of the AVG are, according to the
        Inspectorate, not complied with by the defendant. The justification for the choice of the
        data protection officer is not given by the defendant. The defendant
        indicates only that this was done on the initiative of VMSW which, by means of a call for tenders,
        had concluded a framework agreement with Infosentry. The contact details of the
        data protection officer are also not disclosed and this implies a breach of
        Article 37.7 AVG according to the Inspectorate.

    49. Finally, the Inspectorate has established that the obligations set out in Articles 38.1 and 38.3
        AVG are also not being complied with by the defendant. From the various documents the
        Inspectorate received from the defendant it may be concluded that
        no opinion was sought from the Data Protection Officer for, inter alia, the
        processing of personal data via the website [...].

3


Treatment on the merits by the Dispute Chamber

    50. On 21 March 2020, the Dispute Settlement Chamber informed the parties that the six individually
        submitted complaints would be joined and that the Chamber of Disputes decided,
        on the basis of art. 95, §1, 1° and art. 98 of the WOG, that the dossier is ready to be dealt with on the
        merits. The parties were also notified of the
        time limits for submitting their defences. The final date for receipt of the
        defendant's conclusion of response was thereby set at 26 March 2020, that
        for the complainant's conclusion of reply at 27 April 2020 and that for the
        defendant's conclusion of reply at 27 May 2020.

    51. On 26 March 2020, the Data Protection Officer, employed by
        the company Infosentry, submitted the defendant's conclusions by e-mail on behalf of the defendant,
        in which he also expresses his desire to be heard.

    52. On 19 August 2020, the parties were informed that the oral hearing would
        take place on 23 September 2020.

    53. On 23 September 2020, the parties were heard by the Chamber of Disputes.

    54. The minutes of the hearing were presented to the parties on 29 September 2020.

    55. On 2 October 2020, the Data Protection Officer, on behalf of the defendant,
        sent a response to the minutes to the Chamber of Disputes,
        asking for a number of corrections to be made to the minutes. 4

    56. On 8 October 2020, the complainant replied to the official report by e-mail. The complainant's
        reaction to the official report is a detailed reiteration of his earlier arguments.
        The Dispute Settlement Chamber points out, as already mentioned at the hearing, that
        no new facts can be added as the debates have already been
        closed. The official report is only sent to check whether everything has been correctly
        recorded. Therefore, the arguments put forward after the closure of the debates will not
        be taken into account in the decision. 5

4 See e-mail of 2 October 2020 with feedback on DPO Cranium's official report on behalf of the defendant to the Chamber of Disputes.


    57. In its conclusions of 26 March 2020, the defendant acknowledges that, with regard to the legal information /
        legal disclaimer, no opinions have been issued by the
        data protection officer. It should be noted that the document will be
        removed as it does not contain any conditions that apply to the exchange of
        personal data.

    58. As regards the Inspectorate's findings concerning the website [...], the
        defendant responds as follows: "With regard to the technical examination carried out on the website,
        Y Housing accepts that the findings made by the Inspectorate
        are correct and that a marketing cookie was indeed active on the web page. Considering
        the one-off event that was organised and the brief use of the website, Y
        Housing relied in good faith on the explanation of the website builder (Go4IT), an
        e-mail substantiating this having been attached as a document to the previous file, that no cookies
        were active on the website. Y Housing acknowledges that not subjecting the website
        to a test on this can constitute a reprehensible omission and learns the necessary lessons from it
        for the future."


    59. The defendant further states that it has taken note of the findings of the
        Inspectorate on transparent information, communication and
        detailed arrangements for exercising the rights of the person concerned (Articles 12 and 13
        AVG). The defendant indicates that it will amend the privacy statements.


    60. With regard to the findings concerning the right of inspection in Article 15 of the AVG, the
        defendant replies as follows. The defendant states that it always seeks to
        provide transparent and clear information in response to questions received from its (candidate)
        tenants. The defendant then states that it "to the best of its ability, has transmitted the necessary
        documentation following the exercise of the right of access of the person concerned. The
        company acknowledges that some elements of this document may not be fully clear after
        a first reading. As a modest SME, it is the first time that Y Housing
        was faced with such a request. The organisation recognises that areas for improvement and
        efficiency gains would be possible if such a request were to recur".


5 E-mail from the complainant to the Chamber of Disputes of 8 October 2020 following the minutes of the hearing.


61. The defendant points out that it is open at all times to questions from and communication with
    (candidate) tenants. The defendant was unaware that
    the document contained ambiguities and would rather have expected the complainant to first
    have communicated this to the defendant before lodging a complaint.

62. The defendant indicates that it has taken note of the Inspectorate's findings
    concerning the register of processing operations. The register has now been updated,
    according to the defendant.


63. The defendant concludes as follows:

     "In conclusion, Y Housing stresses that the necessary efforts have been made
     to be in conformity with the AVG. Furthermore, Y Housing acknowledges
     the importance of the protection of personal data and the role that the
     Data Protection Authority has to play here. Nevertheless, in recent weeks and months
     Y Housing has above all had to undergo this procedure. Although Y
     Housing always tries to accommodate its (prospective) tenants in the most suitable way and
     to comply with the necessary legislation, while also being in contact as far as possible
     with stakeholder organisations, it has been shown that, for a modest social
     rental company, an excessive workload and financial effort were required to
     deal with this administrative procedure to the necessary level of detail. With this
     consideration, Y Housing would like to stress once again the importance of being heard
     in this case."

64. By email of 23 October 2020, the Chamber of Disputes notifies the defendant of the
    intention to impose an administrative fine as well as the amount of the
    fine and the possibility for the defendant to communicate his defences in this respect.

65. On 30 October 2020, the defendant replied by email to the intention to impose a
    fine. The Dispute Chamber points out in this regard that no new facts can
    be added as the debates were already closed. In summary, the reaction of
    the defendant is as follows: The amount of the fine is, according to the defendant, too
    high. The defendant indicates that these are difficult times for them financially. That is why
    the defendant would have been compelled, inter alia, to sell dwellings in order
    to be able to continue. This has a direct impact on their target group, namely the
    weaker members of society, according to the defendant. The defendant does not share the view of the
    Litigation chamber on the (in)accessibility of the Data Protection Officer.
    According to the defendant, the official can be reached in the manner prescribed by
    the AVG. The defendant states that the positive result of EUR 528,355 as
    included in the penalty form is incorrect and adds other figures. As regards the
    infringements detected in relation to the surveillance cameras, the defendant
    largely concurs with the opinion of the Dispute Settlement Chamber, but with the
    addition that the images were not consulted by the defendant but were merely
    saved.



2. Reasons Dispute Chamber

66. In view of the number and size of the cases submitted, the Litigation Chamber assesses,
    for reasons of procedural economy, the degree to which the complaints are well-founded
    according to the subject of the complaint. Consequently, complaints 1 to 6 will not be dealt with in that
    order but will be grouped under the themes to which they
    belong. The themes which are the subject of the various complaints and
    on which the Chamber of Disputes will give its verdict are the following:


    - privacy policy & right of access in accordance with article 15 AVG (section 2.1)
    - data protection officer (section 2.2)
    - cookie policy (section 2.3)
    - health data processing (section 2.4)
    - camera law (section 2.5)
    - processing by means of digital meters (section 2.6)


67. The Dispute Chamber points out that, pursuant to Articles
    5.2 and 24 AVG, the controller must take appropriate technical and organisational measures to
    ensure and be able to demonstrate that the processing of personal data is
    carried out in accordance with the AVG. In doing so, the AVG requires, among other things, that
    account be taken of the nature and volume of the processing operations and of the
    risks to those involved. In assessing whether and to what extent
    sanctions will have to be imposed, these elements will play an important role.


    2.1 Privacy Policy & Right of Access in accordance with Article 15 AVG


    68. As regards the right of access under Article 15 AVG and the infringements alleged by the
        complainant (especially in complaint 1), the Litigation Chamber argues as follows.

    69. The document called "Extract Personal Data Candidate - Tenant Y Housing
        CVBA" contains various data, including the national register number, name, address and
        residence data as well as nationality, email address, sex, date of birth and
        family income of (prospective) tenants. In addition to the extract, a document was transferred to
        the complainant called: "Privacy: what information does Y Housing have?". This info sheet contains
        the following opening paragraph: "Via Y Housing you can rent a social housing. We
        therefore keep information about you in lists and files to see if you have a right to
        something. Or to help you better." 6

        Articles 13.1 and 13.2 AVG stipulate as follows:
        1.   When personal data relating to a data subject are collected from that person,
        the controller shall provide the data subject with all of the following information at the time
        of obtaining the personal data:
        (a) the identity and contact details of the controller and,
        where appropriate, of the representative of the controller;
        (b) where appropriate, the contact details of the data protection
        officer;
        (c) the processing purposes for which the personal data are intended, as well as the
        legal basis for processing;
        (d) the legitimate interests of the controller or of a third party,
        if the processing is based on Article 6(1)(f);
        (e) where appropriate, the recipients or categories of recipients of the
        personal data;
        (f) where appropriate, that the controller intends
        to transfer the personal data to a third country or an international organisation;
        whether or not an adequacy decision by the Commission exists; or, in the case of the
        transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1),
        what the appropriate or suitable safeguards are, how a copy of them can be obtained or where
        they can be consulted.
        2.   In addition to the information referred to in paragraph 1, the controller shall provide the
        data subject, at the time of obtaining the personal data, with the following additional information
        to ensure proper and transparent processing:
        (a) the period for which the personal data will be stored, or if
        that is not possible, the criteria for setting that period;
        (b) the legitimate interests of the controller or of a third party,
        if the processing is based on Article 6(1)(f);
        (c) that the data subject has the right to request from the controller
        access to and rectification or erasure of the personal data or restriction of the processing
        concerning him or her, as well as the right to object to the processing and the
        right to data portability;
        (d) where the processing is based on Article 6(1)(a) or Article 9(2)(a),
        that the data subject has the right to withdraw consent at any time,
        without prejudice to the lawfulness of processing based on the
        consent before its withdrawal;
        (e) that the data subject has the right to lodge a complaint with a supervisory
        authority;
        (f) whether the provision of personal data is a legal or contractual obligation
        or a necessary condition for the conclusion of an agreement, and whether
        the data subject is obliged to provide the personal data and what the possible consequences
        are when these data are not provided;
        (g) the existence of automated decision making, including the profiling
        referred to in Article 22(1) and (4) and, at least in those cases, useful information on
        the underlying logic as well as the importance and the expected consequences of that processing
        for the data subject.

6 See attachment to e-mail of 4 October 2018 from complainant to GBA

70. During the hearing, the defendant stated that the privacy statement on the website was
    published after having been reviewed and endorsed by the Board of Directors. It is a
    privacy statement derived from the example of the VMSW, according to the defendant.

71. The Dispute Settlement Chamber finds that the aforementioned privacy statement - also in the form of an
    information sheet, and also after the statement was adapted and
    entered into force on 1 July 2019 - does not meet the requirements
    of Articles 12 and 13 AVG. Such a privacy information sheet
    must fully inform the person concerned of what is actually done with the
    personal data and in what context they are processed.
    Any processing of personal data must be lawful, adequate and transparent.
    Those concerned should be clearly informed which
    data are processed, how the processing is carried out and why the personal data
    are processed. It cannot be deduced from the privacy sheet what exactly the
    personal data are used for.

     72. The Privacy Sheet contains the following paragraph concerning the processing of personal data:
         "Via Y Housing you can rent a social housing. We therefore keep information about you in lists and
         files. We use this information to see if you
         have a right to something. Or to be able to help you better."


     73. The Disputes Chamber is of the opinion that the above is a very vague, general and
         unclear text from which it is in no way possible to deduce what the collected
         personal data are actually used for. This text does not comply with the AVG.
         For example, it is absolutely unclear what is meant by "we use this information
         to see if you have a right to something. Or to be able to help you better." Clear
         and plain language should be used in communicating with those concerned.


     74. Transparency requirements are laid down in the AVG and further explained in the
         Guidelines on transparency in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council,
         issued by the Article 29 Data Protection Working Party, which state that "One of the key elements of
         the principle of transparency as referred to in these provisions is that interested parties must
         be able to determine in advance the scope and effects of the processing and must not subsequently
         be surprised by other ways in which their personal data have been used". 7 The
         specific interest in question must be identified for the benefit of the person concerned.

     75. In addition, information and communication concerning privacy should comply with the
         principle of transparency, i.e. the information must be simple, accessible and
         comprehensible in accordance with Article 12.1 AVG. "Comprehensible" is understood to mean that
         the message must, inter alia, have a certain level of language use, namely
         "clear and simple language". In addition, the use of language should be adapted to
         the target group. This means communicating in clear and simple language
         to those concerned. The defendant should, (all the more so) now that it concerns
         (candidate) tenants of a social housing company, draw up a more understandable and clearer
         policy. After all, these are tenants with low incomes and in general
         (barring exceptions) a low level of education, which makes a more comprehensible policy
         all the more necessary.

7 Transparency guidelines p.8.
8 Data Protection Working Party, Guidelines on consent under Regulation 2016/679, WP259,
p. 4.; Guidelines on transparency in accordance with Regulation (EU) 2016/679, WP260, p. 7: "The requirement that information
must be "comprehensible" means that the information must be comprehensible to an average member of the intended
public. Understandability is closely linked to the requirement to use clear and simple language. A
controller respecting the principle of accountability will have knowledge of the
persons from whom information is collected and can use this knowledge to determine what the target group is likely to
understand. For example, a data controller who collects personal data of working professionals may assume
that his or her target group has a higher level of understanding than the target group of a data controller who
collects children's personal data. […]”.
9 Recital 39 at AVG.

    76. In addition to the infringements mentioned above, the defendant's privacy policy is even more difficult to
         understand because, in different places and at different times, various concepts such as
         "personal data", "information" and "data" are used interchangeably in the
         privacy sheet. In addition, references are made without an explanatory
         glossary or clear explanations. The information provided is often not up to date. As an
         example, the reference to the website of the supervisory authority can be given:
         as both the complainant and the Inspectorate rightly
         remarked, reference is made to www.privacycommission.be while the current website since May
         2018 is www.gegevensbeschermingsautoriteit.be.

    77. The Disputes Chamber also finds that the defendant's privacy policy is incomplete,
         as it does not contain the mandatory information as laid down in Article 13 of the AVG.
         According to Article 12 of the AVG, the privacy information must be "concise"; this does not in any way mean
         that the obligation to provide information in accordance with
         Article 13 AVG may be waived.

    78. The privacy policy of the defendant does not contain the mandatory information under Article 13.1
         (b) AVG, such as the contact details of the Data Protection Officer, in
         a manner that complies with the legislation and the guidelines of the Working Party 29 on the
         Data Protection Officer. 10 In order to comply with the requirement of the
         provision of prior information, these contact details should indeed
         be included in the privacy policy.

    79. As rightly pointed out by the Inspectorate, the e-mail address [...] indicated on the
         privacy sheet is, according to the "Explanation of organisation chart" provided by the defendant, linked to
         the mailbox of the defendant's IT administrator, while the function of
         data protection officer has, according to the defendant, been subcontracted to a third party under
         the framework contract of VMSW. 11 The Data Protection Officer
         appears to be employed by that third party, in this case the company Infosentry. The e-mail address
         of the official is [...], according to various documents and mail correspondence between
         the defendant and the official. Accordingly, the contact details of the Data Protection Officer
         given to the persons concerned are inaccurate and, in the event of need, they
         cannot turn to the right person. As a result of this
         list of findings, an infringement of Article 13(1)(b)
         AVG is found. The fact that, as of 1 September 2020, a new data protection
         officer has been appointed does not alter the fact that the infringement continued up to that date,
         and a new appointment does not retroactively rectify the infringement
         committed.

10 Group on Data Protection, WP243 rev.01, Guidelines on Data Protection Officers p.12.
11 Document 10 of dos-2018-06611.

   80. The Litigation Chamber deduces from the findings of infringements listed above that
        the defendant has failed to comply with its obligations of transparency under Article 12 of the AVG and
        its obligation to provide information under Article 13 of the AVG. The defendant acknowledges this in its
        conclusion. As a result, the defendant has acted imputably negligently in breach of its duty of
        accountability, as determined in Articles 5.2 and 24 of the AVG. This information must be in accordance
        with Articles 12 and 13 of the AVG.

   81. Article 15 AVG, in which the right of inspection of the person concerned is laid down, reads as follows:

1. The data subject shall have the right to obtain from the controller confirmation as to
whether or not personal data concerning him are being processed and, where that is the case, to obtain
access to those personal data and the following information:

 (a) the processing purposes;

 (b) the categories of personal data concerned;

 (c) the recipients or categories of recipients to whom the personal data have been or will be
 disclosed, in particular recipients in third countries or international organisations;

 (d) if possible, the period during which the personal data are expected to be
 stored or, if that is not possible, the criteria for setting that time limit;

 (e) that the data subject has the right to ask the controller that personal data
 be rectified or erased, or that the processing of personal data concerning him/her be
 restricted, as well as the right to object to such processing;

 (f) that the data subject has the right to lodge a complaint with a supervisory authority;

 (g) where personal data are not collected from the data subject, all available information
 on the source of that data;

 (h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4),
 and, at least in those cases, useful information on the underlying logic,
 as well as the importance and the expected consequences of such processing for the data subject.

  2. Where personal data are transferred to a third country or an international
  organisation, the person concerned shall have the right to be informed of the appropriate safeguards
  relating to the transfer in accordance with Article 46.
  3. The controller shall provide the data subject with a copy of the personal data which
  are processed. If the data subject requests additional copies, the
  controller may charge a reasonable fee on the basis of administrative
  costs. Where the person concerned submits his application electronically, and does not request any other
  arrangement, the information shall be provided in a common electronic format.
  4. The right to obtain a copy referred to in paragraph 3 shall be without prejudice to the rights and freedoms
  of others.



 82. The defendant's privacy policy does not contain several mandatory elements from Article 15.1 AVG.
     The privacy document does not disclose the exact purposes of the processing of the data which
     the defendant requests from (candidate) tenants. It should be precisely defined what
     each piece of data collected is used for. If data on health are concerned,
     then it will have to be stated that these data are being processed, for example
     with the aim of being able to ascertain whether, on the basis of a given health situation,
     adapted accommodation can be granted. There is also no indication as to who the recipients and
     categories of recipients are. In addition, there is no mention of the right
     of the data subject to request that his/her data be rectified and/or deleted in accordance with
     Article 15.1 under e. It is also not stated that the processing of personal data will
     be restricted. The Disputes Chamber therefore also deems a violation of Article 15.1 to have been proven.

 83. In addition, the complainant claims that he has not been granted access to all of his personal data that are
 processed by the defendant. According to the complainant, this is a sheet containing only general information from the
 National Registry. There is no indication as to whether the information provided is complete, according to the complainant.

 84. The Chamber of Disputes recalls that Article 15 AVG "gives the person concerned the right
 to have access to personal data collected about him, and to exercise that right simply and at reasonable
 intervals, so that he can be aware of the processing operation and check that it is lawful." 12


 It is clear from all of the above that the information provided by the defendant on the
 processed data of the complainant does not comply with the requirements of Article 15. The complainant has rightly noted
 that he has not been able to exercise his right of inspection properly. The personal data of the
 complainant processed by the defendant to which the complainant had had access did not include,
 for example, the medical certificates that the complainant had submitted to the defendant, as will be shown below in section 2.4.

12 Introductory recital 63 to AVG.


2.2 Data Protection Officer

    85. Additional findings were also made in the inspection report with regard to the
        Data Protection Officer, which are outside the scope of the complaint. The
        Inspectorate has established that the defendant has acted in violation of Article 37.5 and
        Article 37.7 AVG. On the basis of article 37.5, the officer must be appointed, among
        other things, on the basis of his expertise in the field of data protection legislation and
        practice. Article 37.7 states that the contact details of the officer must be made
        known and communicated to the supervisory authority.

    86. From the defendant's replies to the Inspectorate concerning the appointment of the Data
        Protection Officer, it appears that that appointment was made on the initiative of the VMSW through
        a company with which it had a framework agreement. The Chamber of Disputes finds that
        the defendant fails to comply with the duty to account for the choice of the Data Protection
        Officer. The defendant refers only to very general information and communication from
        the VMSW to the defendant. Moreover, the defendant cites several times that a
        framework agreement was concluded between the VMSW and Infosentry NV as DPO. The Chamber of Disputes
        points out that the defendant is ultimately responsible and has a duty to comply with Article 37.5
        AVG, which provides that the Data Protection Officer shall be designated on the basis
        of his professional qualities and, in particular, his expertise in the field of
        data protection legislation and practice. This shows a lack of
        justification for the defendant's choice of official. In addition, the data
        of the officer are not disclosed as prescribed in Article 37.7 AVG. The
        Disputes Chamber thereby established infringements of articles 37.5 and 37.7 AVG.

    87. The Dispute Settlement Chamber refers to the guidelines of the Working Group 29 for officials for
        data protection, which provide for the following with regard to external officers: "In order
        to ensure legal transparency and good organisation and to avoid conflicts of interest for members of the
        team, it is recommended in the Guidelines that the tasks within the external
        Data Protection Officer team be clearly set out in a service contract,
        and that a single person be appointed for the customer as the main contact person and "responsible person"." 13

    88. At the hearing, the current Data Protection Officer, who has been in office since 1
         September 2020, stated that he, as the new official for
         data protection, is in line with the WP29 guidelines on the role of the
         Data Protection Officer. Essentially, the officer for
         data protection must be available to the controller. That some
         correspondence first arrived at the defendant's IT administrator and was forwarded to
         the Data Protection Officer was, according to the Data Protection Officer,
         correct. 14 The Dispute Chamber points out that according to the Guidelines of the Working Party 29, the
         requirements to disclose the contact details of the official are intended to ensure
         that both data subjects (both inside and outside the organisation) and supervisory authorities
         are able to contact the Data Protection Officer easily and directly.
         Access should be direct, without having to contact another part of the organisation.
         In the present case, the contact was made via the defendant's IT manager, which
         goes against the intention of the regulator. Confidentiality is equally important.
         Employees are reluctant to complain to the Data Protection Officer
         if the confidentiality of their communications is not guaranteed.


    89. Article 38.1 and Article 38.3 AVG stipulate that the data-processing controller must ensure
         that the Data Protection Officer is involved in all matters that
         relate to the protection of personal data. The Data Protection Officer
         must not be instructed in the performance of those tasks. The
         Inspectorate noted, in the light of the replies and the documents obtained,
         that no opinion was sought from the Data Protection Officer concerning
         privacy issues. The Dispute Settlement Chamber finds that indeed no justification has been
         presented by the person responsible for processing for the decisions taken for the
         website [...], on legal information and general terms and conditions. There are no opinions from the
         Data Protection Officer as regards the processing of data via this website.
         Moreover, in its conclusion, the defendant indeed acknowledges that it did not request an opinion from the
         Data Protection Officer. The Litigation Chamber therefore finds that the defendant
         infringed Article 38.1 of the AVG.


2.3 Cookie policy

13Directions for Data Protection Officers of the Working Party 29 p.28.
14Page 5 of the verbal proceedings of the hearing of 23 September 2020.



     90. As already mentioned above, the plaintiff claims that the defendant uses cookies on the
         websites [...] and [...]. According to the complainant, no consent is sought for the use of the
         cookies. The Inspectorate has established by means of a technical report that on the website
         [...] use was made of cookies. As previously indicated, these are a necessary
         technical cookie called "hs_js" from the defendant itself and a cookie called "IDE" originating
         from Google-Doubleclick.net. For this last "IDE" cookie no consent was
         asked of visitors to the website, according to the Inspectorate's report. 15

     91. At the hearing, the defendant acknowledged that the website dates from the year 2010 and therefore
         does not comply with the current regulations. There is no question of unwillingness; however, the technical
         restrictions do not allow, for example, the display of a pop-up for the use of cookies. Also,
         setting up a secure connection via an https domain name is not possible on the current website, according to
         the defendant. A new website is currently under construction. According to the defendant, it
         will most probably be finished by the end of this year.


     92. The Court of Justice ruled in the Planet49 judgment that, for the placing of cookies,
         information must be provided by the controller. 16 The information provided
         must show for how long cookies will remain active and whether third parties may also have access
         to those cookies. This is necessary in order to guarantee proper and transparent information.


     93. Article 129 of the Electronic Communications Act stipulates that the user
         must have given his consent for placing and consulting cookies on his
         terminal equipment. The consent requirement shall not apply to the technical storage of information. Also
         when the placement of cookies is necessary for the delivery of a service expressly requested by the
         subscriber or end-user, the consent requirement does not apply. 17


     94. The Chamber of Disputes also draws attention to the following considerations from the abovementioned judgment
         Planet49: "Regulation 2016/679 now explicitly prescribes active consent.
         In this context, it should be noted that, according to recital 32 of this
         Regulation, the consent may be expressed in particular by clicking on a box when
         visiting a website. On the other hand, this recital expressly excludes that "silence, the
         use of already ticked boxes or inactivity" may constitute consent. It follows from this
         that the consent provided for in Articles 2(f) and 5(3) of Directive 2002/58, read
         in conjunction with Articles 4(11) and 6(1)(a) of Regulation 2016/679, is not
         validly granted when the storage of information or the gaining of access to
         information which is already stored in the terminal equipment of the user of a website is
         allowed by means of a standard checkbox that must be unchecked by the user
         if he refuses to give his consent." 18

15 Inspection report, p5.
16 Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801.
17 See also Decision No 12/2019 of the Disputes Chamber of 17 December 2019.


     95. The consent must also be 'specific'. The Dispute Chamber refers to the Guidelines
         on consent under regulation 2016/679 endorsed by the EDPB: 19

"Article 6(1)(a) confirms that the person's consent must be given
in relation to "one or more specific" purposes, and that a data subject has a choice in relation to
each of these purposes'. 20 This means 'that a data controller who wishes to obtain consent
for a number of different purposes, must offer a separate opt-in for each purpose in order to allow users
to grant specific authorisations for specific purposes". 21


     96. On the basis of the technical report drawn up by the inspectorate, the Dispute Settlement Chamber
         finds that the consent of the complainant has not been sought by the defendant on the websites
         for placing a cookie for marketing purposes, namely the "IDE" cookie. In addition,
         the defendant answered no to the Inspectorate's question as to whether cookies had been used
         on the websites. The defendant returned to the foregoing in its conclusion by
         acknowledging that it had made use of cookies for which consent was required. Defendant
         indicates that he has changed his cookie policy and will ask for permission
         of the users from now on. 22


     97. In view of the above facts and findings, the Litigation Chamber considers the processing of
         personal data through the placement of cookies, without having a valid legal basis of
         consent in accordance with Article 6.1 AVG, unlawful.


     98. The controller must, pursuant to Articles 5.2 and 24 AVG, take appropriate technical
         and organisational measures to ensure and demonstrate that the
         processing of personal data using cookies is carried out in accordance with Articles 12
         and 13 AVG. In its conclusion, the defendant acknowledges that certain mandatory
         statements such as the processing purposes were missing in the original privacy statement
         of the website.

18 Planet49 judgment, paras. 62 and 63.
19 Working Party on Data Protection, Guidelines on consent under Regulation 2016/679, WP259, p. 4.
20 Ibid., p. 14.
21 Ibid., p. 14.



2.4 Health data

    99. The complainant claims that the defendant is also processing medical data. The complainant states that he has
        issued medical certificates to the defendant. According to the complainant, the defendant is systematically
        and wrongfully processing medical data. The complainant takes the view that it is not the task of the defendant
        to make a substantive assessment of the health situation of a (prospective) tenant.

    100. Attached to the complaint are mail exchanges between the complainant and the defendant.
        Several e-mails reveal, in any case, the following. In an e-mail dated 30 August 2016 the
        defendant states that it has received the doctor's certificate from the complainant, but cannot guarantee
        that a positive decision will be taken on the complainant's request to be placed higher up the
        list of candidates for the allocation of a dwelling. The complainant had therefore requested a
        higher position on the list. From another email dated 6 February 2019 from the complainant to the defendant, it appears
        that the complainant voluntarily sent an e-mail to the defendant in which he
        informed it of his changed medical condition. The complainant closed the e-mail with " Supplementary
        a medical certificate may be provided for again, should you again have doubts as to whether there is a
        I have my own opinion about my medical condition. I therefore urge you
        to want to take due account of my medical physical limitations and to live close to my home.
        to want to put hospital first. In view of the seriousness of the problem of (...) I would ask you to
        to absolutely avoid living in a busy residential environment".

    101. At the hearing, the defendant indicated that only a medical certificate was requested
        in the event that the (prospective) tenant requests special housing preferences, as in this case.
        The defendant states that the medical certificates do not contain any diagnoses. The complainant does
        not contradict this. The doctor asks for the situation of the person concerned to be taken into account and then asks
        for, for example, a house with a lift or a house in a quiet area. According to the defendant,
        the only purpose of the medical attestations is to enable a correct allocation to be made.

    102. On the basis of the above, the Disputes Chamber decides that there is no question of
        unlawful processing of health data. Such processing is necessary and
        can be based on Article 9(h): the processing is necessary for the purposes of
        preventive or occupational medicine, for the assessment of fitness for work of the
        worker, medical diagnosis, the provision of health care or social services or
        treatment, or the management of health care systems and services or social systems and
        services, on the basis of Union or Member State law, or under an agreement with a
        health professional and subject to the conditions and safeguards laid down in paragraph 3, in the absence of any
        diagnoses in the medical certificates. Moreover, it appears from the exchanges of e-mails that the complainant of his own
        accord informed the defendant of his state of health, indicating that he
        could, if necessary, provide a further medical certificate.

2.3 Camera surveillance

    103. The complainant alleges that there is camera surveillance in various residential entities of the
        flat. According to the complainant, the privacy policy says nothing about camera surveillance. The complainant also wishes
        to know the legal basis and purpose of this processing.


    104. It appears from the documents submitted that point 11 of the tenancy agreement makes mention
        of the surveillance cameras that have been hung on the roof, in the communal entrance halls and at the
        communal cellar entrances. Apart from this information, nothing is known about the
        use of cameras.

    105. At the hearing, the defendant indicated, upon request, that the surveillance cameras were hung in
        cellars and corridors in 2012 at the request of residents, for safety. The cameras
        are legally registered and used as a kind of deterrent, according to the defendant.
        Nothing else would be done with the images. A year and a half ago, the camera images were,
        according to the defendant, consulted once. The cameras are, according to the defendant, difficult to
        manage because there is too little budget for their maintenance. There is currently no
        maintenance contract for the surveillance cameras. Respondent indicates that it can
        consult the images and is responsible for the processing of the images. The official for
        data protection points out that the Camera law is the legal basis for the
        processing of the camera images.

    106. On the basis of the documents available in the file and
        what emerged from the hearing, the Chamber of Disputes finds that there are very many uncertainties
        concerning the use of surveillance cameras. As a processing purpose, first of all the
        prevention of nuisance was mentioned. Subsequently, during the hearing, the defendant indicated that it had also
        once been asked to consult the images in connection with illegal dumping. The Dispute Chamber
        considers that the defendant is not entirely clear as to what the cameras actually
        serve for. In addition, according to the Dispute Chamber, it cannot be sufficiently determined from the elements
        that are available whether the Camera law is correctly complied with by the defendant. Article
        6 § 2 of the Camera law provides that the controller shall keep a register containing
        a record of the image processing activities of the surveillance cameras and make this register available on request
        to the Data Protection Authority and the police services. Such a
        register is not kept by the defendant. Moreover, it is apparent from what the defendant declared at the hearing
        that the retention period in Article 6 § 3 is also not complied with, now that
        it appears from this article that if "the images cannot contribute to proving a crime, of
        damage or nuisance", these should in principle be removed after one month. The
        Dispute Chamber thus establishes infringements of Article 30 of the AVG (keeping of register of
        processing activities) and article 5.1 under e AVG (storage restriction).


2.4 Digital Consumption Meters

    107. The plaintiff complains that the defendant is using digital consumption meters and in that
        way records tenants' consumption and processes data on that consumption unlawfully, without a
        valid legal basis. The complainant indicates that he has not given his consent for the
        processing of data relating to his consumption of gas and electricity.

    108. During the hearing, the defendant indicated that the digital meters will be linked to the
        address. In this way, one can see how much has been consumed at a particular address. These data
        are also passed on to a third party (local company) with whom there is a processing agreement.
        That company reads the consumption. The defendant receives a list of this and links it to the
        tenants' files, according to the defendant.


    109. On the basis of Article 6 of the AVG, the person responsible for processing must
        have a legal basis for the processing of personal data in order for the processing
        to be lawful. On the basis of Articles 24 and 25 of the AVG, the defendant must therefore
        take appropriate technical and organisational measures to ensure and be able to
        demonstrate that processing takes place in accordance with the AVG. The person responsible for processing must,
        in doing so, effectively implement the principles of data protection, protect the rights of the
        data subjects and process only those personal data that are necessary for each
        specific purpose of processing. On the basis of the facts and documents presented, the
        Litigation Chamber finds that the defendant has not been able to prove that there is any privacy policy
        developed for the digital remote reading of meter readings. It is also
        unclear on which legal basis the data are processed in accordance with Article 6 of the AVG.
        An infringement of Article 6 of the Data Protection Act is thus established. The complainant states that he has not
        given consent for processing. The defendant does not rely on any other legal basis
        for processing. In addition, the Disputes Chamber finds in the present case a breach of Article 5.1(a)
        AVG, now that it is clear from the above that the personal data are not processed in a lawful, legitimate,
        proper and transparent manner. The defendant indicates that a third party
        reads out the consumption and forwards it to the defendant. The Chamber of Disputes points out that
        according to article 28.3 AVG, the processing by a processor must be arranged in an
        agreement between the controller and the processor.

Sanction to be imposed


In view of the above, the Dispute Settlement Chamber will impose two sanctions:
1. order that the processing be brought into conformity in accordance with Article 100 § 1, 9°;
2. impose an administrative fine in accordance with Article 100 § 1, 13°.

Taking into account Article 83 of the AVG and the case law of the Market Court, the Disputes Chamber gives its reasons
for the imposition of an administrative fine in concrete terms:
- Seriousness of the infringement: the reasons given above show the seriousness of the infringement.
- The duration of the infringement: the defendant sought to rectify certain infringements and to comply with
privacy rules; however, many of the breaches identified are still ongoing.
- This is a necessary deterrent to prevent further infringements.

As regards the nature and seriousness of the
infringement (Art. 83.2 a) AVG), the Chamber of Disputes stresses that compliance with the principles provided for
in Article 5 of the AVG - in the present case, in particular, the principle of legality - is essential, since this
concerns fundamental principles of data protection. The Litigation Chamber therefore considers the infringement by
the defendant of the principle of lawfulness set out in Article 6 of the AVG as a serious
infringement. The Disputes Chamber finds that article 83.7 AVG stipulates the following: "Without prejudice to the
powers of the supervisory authorities to take remedial action
in accordance with Article 58(2), each Member State may lay down rules on whether and to what extent
administrative pecuniary sanctions may be imposed on public authorities and
public bodies established in that Member State." The AVG does not give any further explanation on the scope of what is to be understood by
'public authorities and public bodies'. However, according to the Dispute Chamber, it is certain that this
derogation must be interpreted strictly.

The Litigation Chamber considers it particularly necessary in this case to give a strict interpretation to the
(optional) exemption from an administrative fine provided for in Article 83.7 of the AVG for
"public authorities and public bodies". For this reason, Article 221, § 2, of the Data Protection
Law, which implements Article 83.7 AVG, is to be interpreted strictly. Moreover, Article 83.7 AVG
does not allow the Member States to define the concept of 'public authorities and bodies'.
It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It is
therefore only for the Union institutions, in particular the Court of Justice, to define the limits of
that concept.

In the opinion of the Disputes Chamber, it does not include a private law organisation such as the
housing company Y, even though this organisation carries out tasks in the public interest in
the area of social housing. 23

The Dispute Chamber finds that there is a serious attributable shortcoming on the part of the
defendant. As explained in detail above, the Litigation Chamber has identified a considerable number of
shortcomings. Among those deficiencies are breaches of fundamental principles of
data protection. The infringements established justify, in the opinion of the Disputes Chamber,
a high fine in their own right. In determining the administrative fine,
however, the Chamber of Disputes takes into account a number of moderating factors, including
the willingness shown by the defendant to adapt certain matters, the appointment of an expert
Data Protection Officer and a new website which, according to the defendant, will be AVG compliant.
In addition, when determining the amount of the fine, the Dispute Chamber takes into account
that this is a not-for-profit social housing company. The fact that,
in its response to the penalty form, the defendant states that it is not financially sound, and
supports this with figures, is also taken into account by the Dispute Settlement Chamber.




FOR THESE REASONS,

the Data Protection Authority's Litigation Chamber shall, after deliberation, decide :

         - pursuant to Article 100, §1, 9° WOG, to order the defendant to bring the processing
             into line with Articles 5.1(a) and (b), 5.2, 6.1, 12.1, art.
             13.1. b) and c), Art. 13.2. b), Art. 15.1, Art. 25.2, Art. 37.5, Art. 37.7, Art. 38.1, Art. 38.3, and
             Article 39 of the AVG, no later than three months after notification of the decision, and, within
             the same deadline, to inform the Data Protection Authority (Disputes Chamber) by e-mail (via
             the e-mail address: litigationchamber@apd-gba.be) that the above order
             was carried out;

         - on the basis of art. 100 § 1, 13° and art. 100 WOG, to impose an administrative fine
             of EUR 1 500.

23 See recital 52 of the judgment 31/2020 of 16 June 2020 of the Chamber of Disputes.


This decision may be appealed against under Article 108(1) of the WOG within a
period of thirty days from the date of notification to the Court of Justice of the European Communities, with the
Data protection authority as defendant.





Hielke Hijmans
President of the Chamber of Disputes