APD/GBA (Belgium) - 31/2022

From GDPRhub
APD/GBA - DOS-2020-00186 ( 31/2022 )
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 14(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2020-00186 ( 31/2022 )
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 31/2022 van 4 maart 2022 (in NL)
Initial Contributor: Sophia Hassel

The Belgian DPA determined that the Belgian City of Kortrijk did not have a legal basis for sharing personal data with the Belgian FOD to issue a parking fine. Both controllers also violated Articles 5(1)(a), 12(1) and 14(1)(a) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

This decision involves two controllers, the Belgian City of Kortrijk (controller 1) and the Belgian federal service of mobility and transport (controller 2). AGB Parko is a public company who acted on behalf of Controller 1.

AGB Parko had a lawful legal basis under deliberation FO No. 02/2016 to use controller’s 2 database to identify owners who owed fees on their vehicles and issue fines. On 01/01/2020, AGB Parko’s services was integrated into the city services of controller 1. Controller 1, via AGB Parko, issued the data subject a parking fine on the 28/05/2020.

The data subject questioned the legal basis that controller 1 relied on to request personal data about the holder of the license plate from controller 2. On 05/11/2020, the data subject filed a complaint at the Belgian DPA against controller 1 and 2. The data subject claimed, that at the time of the facts, both controllers did not have a valid legal basis for sharing their personal data and should not have been able to identify his license plate to issue a fine.

Holding[edit | edit source]

Controller 1 could not rely on deliberation FO No. 02/2016 as a legal basis for accessing controller 2’s database. Unlike AGB Parko, Controller 1 did not fall under the category of possible beneficiaries to the deliberation. At the time of the fine, Controller 1 was only beneficiary to deliberation FO No. 18/2015 which they also could not rely on as the deliberation does not allow identification for the purposes of fees or tax.

While only the lack of legal basis was discussed during the hearings, the DPA went beyond finding a violation on the lawfulness of processing under Article 6(1) for controller 1, to also find violations of Articles 5(1)(a), 12(1) and 14(1)(a) GDPR for both controllers. This was because they failed to process the subject’s data in a transparent manner which consequently did not allow to complainant to easily learn about the processing of his data.

It should be noted that during the hearing, one of the three members of the DPA had stepped down due to a conflict of interest. Therefore, the chair decided to issue the decision alone, since it was not allowed to issue a decision with only two members.

This decision was appealed by controller 1 based on incompatibility with the rights of the defense as well as with the general principles of good administration.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/27





                                                                                  Litigation room



                                               Decision on the substance31/2022 of 4 March 2022

                                       This decision was overturned by judgment 2022/AR/457
                                                            of the Marktenhof dd. October 26, 2022






File number : DOS-2020-00186



Subject: Identification of number plate following parking ticket followed by

assessment notice for tax on parking




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

sole chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (general

Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



Having regard to the rules of internal order, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                  .

The complainant: Mr X, hereinafter referred to as “the complainant”; .

                                                                                                  .
The defendants: City of Kortrijk, Grote Markt 54, 8500 Kortrijk, represented by lawyers Bart

                   Martel and Anneleen Van de Meulebroucke, hereinafter “defendant 1”; Decision on the substance 31/2022 - 2/27




                    FPS Mobility and Transport, Directorate-General for Road Transport and Road Safety,

                    Rue du Progrès 56, 1210 Brussels, represented by counsel Frederic

                    Debusseré and Ruben Roex, hereinafter “defendant 2”.





I. Factual Procedure



    1. On 5 November 2020, the complainant filed a complaint with the Data Protection Authority against

        the defendants.


        The object of the complaint concerns the identification of the license plate belonging to the complainant

        following a determination by a Parko parking attendant on May 28, 2020 that

        resulted in a parking ticket and subsequently in a tax assessment notice on it

        parking. The complainant argues that defendant 1, who has been responsible for the

        parking policy, although it has joined the deliberation FO no. 14/2016 of 21 January

        2016 , but this affiliation took place through an agreement that was not finalized

                                          3
        concluded on September 1, 2020 and in which point 13 states that the agreement
                                                                                                 4
        enters into force on January 1, 2020. The date of entry into force is stated as August 28, 2020.

        According to the complainant, defendant 1 did not have the necessary equipment at the time of the facts

        authorization to proceed with the identification of his number plate.


        Defendant 1's safety consultant who was contacted by the complainant referred to the
                                                         5
        authorization FO No. 18/2015 of May 28, 2015 to verify the number plate identification

        justify. However, this deliberation concerns the identification and punishment of

        violators of municipal regulations or ordinances and does not concern a fee or

        tax. This leads the complainant to the conclusion that both defendant 1 and defendant 2, during

        have relied on an incorrect authorization for a number of months to inform the holder of a

        number plate through the Vehicle Registration Service (DIV), thereby

        the protection of his personal data would have been violated. The complainant poses the question


        what legal basis defendant 1 relies on for the period from 1 January 2020 to 1 September 2020






1Deliberation regarding the one-off authorization to grant the municipalities access to the directory of the DIV for the

identification of persons liable to pay a parking fee, tax or parking fee due to the use of a vehicle - Revision of
the deliberation FO n° 05/2015 of 19 March 2015 (AF-MA-2015-099)
2https://mobilit.belgium.be/nl/wegverkeer/inschrijven_van_vehicles/data exchange/parking management

3The connection agreement can be found via the following link:
https://mobilit.belgium.be/sites/default/files/DGWVVV/kortrijk_14_2016.pdf
4
 https://dt.bosa.be/nl/beneficiaries_beraadslaging_fo_nr_142016
5Deliberation on the granting of a general authorization to the Cities and Municipalities, the autonomous municipal companies and the
Brussels Capital Parking Agency to receive by electronic means the personal data from the Registration Directorate of
Vehicles (hereinafter the "DIV") for the identification and punishment of violators of municipal bylaws or ordinances (AF-
MA-2014-068) Decision on the substance 31/2022 - 3/27




        bases to request personal data concerning the holder of a license plate from

        defendant 2 for the identification of persons affected by the use of a vehicle,

        parking fee, tax or parking fee and on what legal basis the defendant 2
        provided personal data to defendant 1 for that same period . 6


    2. On January 18, 2021, the complaint will be declared admissible by the First Line Service on the basis of

        Articles 58 and 60 WOG and the complaint is based on art. 62, §1 WOG transferred to the

        Litigation room.


    3. On February 25, 2021, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG that it

        file is ready for consideration on the merits and the parties involved are informed

        of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. also become
        they pursuant to Art. 99 WOG of the deadlines to file their defences

        serve.



        The deadline for receipt of the statement of defense from the defendants was thereby extended
        recorded on 8 April 2021, those for the complainant's statement of reply on 29 April 2021 and

        these for the statement of defense of the defendants on 20 May 2021.


    4. On February 26, 2021, the complainant electronically accepts all communication regarding the case,

        in accordance with Article 98 WOG.


    5. On March 15, 2021, the complainant requests a copy of the file (art. 95, §2, 3° WOG), which he

        was transferred on March 23, 2021.

    6. On March 19, 2021, defendant 2 requests a copy of the file (art. 95, §2, 3° WOG), which

        was transferred to him on March 23, 2021. Also, on April 7, 2021, he electronically accepts all

        communication about the case, in accordance with Article 98 WOG.


    7. On 25 March 2021, the defendant 1 electronically accepts all communication regarding the case and gives

        to know that you wish to make use of the opportunity to be heard, accordingly

        article 98 WOG, as well as a copy of the file (art. 95, §2, 3° WOG) is requested, which

        will be transferred on April 7, 2021.

    8. On April 6, 2021, respondent 2 requests an extension of the submission deadlines, which the

        Litigation room will be allowed on April 7, 2021.


        The deadline for receipt of the statement of defense from the defendants was thereby extended

        recorded on 15 April 2021, this for the conclusion of the complainant's reply on 6 May 2021 and this

        for the statement of defense of the defendants on 27 May 2021.





6See also Decision on the substance 81/2020 of 23 December 2020. Decision on the substance 31/2022 - 4/27



9. On 15 April 2021, the Disputes Chamber will receive the statement of defense from Defendant 1.

    First, defendant 1 disputes the admissibility of the complaint and argues that the

    Data protection authority, but the Flemish supervisory committee is the competent authority

    is to judge the complaint. She also puts forward a number of procedural points that

    the rights of defense would have been violated. As to the substance of the matter

    defendant 1 that she is the legal successor of AGB Parko and could use it in that capacity
    making the deliberations of the Sectoral Committee for the Federal

    Government. It also adds that it has always acted in good faith.


10. On April 15, 2021, the Disputes Chamber will receive the statement of defense from defendant 2

    who also refers to the relevant deliberations of the Sectoral Committee for the

    Federal Government and the legal succession on the part of defendant 1 to decide that the
    data of the complainant in the DIV directory could be provided to defendant 1.


11. On 6 May 2021, the Disputes Chamber will receive the statement of reply from the complainant in which it

    explains that the authorization on the basis of which his personal data were processed in order to

    may proceed to the levying of a parking tax, which was incorrect and had no legal basis

    to process his personal data for that purpose.

12. On 27 May 2021, the Disputes Chamber received the statement of reply from defendant 1

    in which the defenses as put forward in the statement of defense are stated

    resumed, supplemented by pleas regarding additional allegations made by the complainant.


13. On 27 May 2021, the Disputes Chamber received the statement of reply from defendant 2
    in which he again cites the defenses as in his statement of defense, with the

    addition that he denies being a defendant in these proceedings and raises that the principles

    of good governance would have been violated.


14. On 8 July 2021, the parties are informed that the hearing will take place on 29

    October 2021.

15. On October 29, 2021, the defendants will be heard by the Disputes Chamber. became the complainant

    duly summoned to participate in the hearing, but did not appear.


16. Following the hearing that took place, the Disputes Chamber requests on October 29, 2021

    both defendants to take a position on the

    next one:

    How do the deliberations referred to in the documents of the case relate as well

    during the hearing turned to the AVG? More specifically, after the entry into force of the GDPR there will be a

    sufficient legal basis for the City of Kortrijk to collect data on the basis of a deliberation

    questions to the DIV on the one hand, and for the FPS Mobility and Transport, Directorate-General Decision on the substance 31/2022 - 5/27



    Road Transport and Traffic Safety to disclose data on the basis of a deliberation

    on the other hand, this in the light of article 6.1.ejuncto 6.3 GDPR (legal basis of public interest) and article

    24 GDPR (accountability).


    The complainant will also be notified on the same date.

17. On 8 November 2021, the minutes of the hearing will be submitted to the parties.


18. On November 15, 2021, the Litigation Chamber receives some comments from the defendant1

    with regard to the official report, which it decides to include in its deliberations.


19. On November 16, 2021, the Disputes Chamber received a number of comments from Defendant 2
    with regard to the official report, which it decides to include in its deliberations.


20. On November 16, 2021, defendant 2 will submit his argumentation to the Disputes Chamber

    question as it was addressed at the hearing, as well as in the subsequent letter

    dated October 29, 2021. This is essentially limited to stating that they are federal

    public service on the grounds that the legislator is presumed to have higher legal standards such as
    did not want to violate EU law, and on the basis of the principle of legal certainty there

    it may be assumed that the legal instruments that Belgian law and regulations provide it with,

    be in compliance with the GDPR. It does not consider it its task or competence as FPS Mobility and

    Transport to question, defend or not apply those legal instruments.


21. On November 15, 2021, respondent 1 asks for clarification regarding the aforementioned question from the
    Litigation Chamber, as well as a postponement is requested to take a position.


22. On November 24, 2021, the Disputes Chamber will explain the scope of the question to

    Defendant 1 and allows it to express its position by 8 December at the latest

    2021.

23. On December 8, 2021, defendant 1 submits his argumentation to the Disputes Chamber

    question as it was addressed during the hearing, as well as in the subsequent one

    letters dated October 29, 2021 and November 24, 2021. Respondent 1 states in it that it does not

    can meet the request of the Disputes Chamber to provide a

    answer for which the following reasons are given: incompatible with the rights of

    defense and general principles of good administration, not belonging to the task of a
    controller to ensure compliance with Belgian regulations on

    check the processing of personal data with the GDPR, and exceed the saisine of the

    Litigation room.


24. The hearing on 29 October 2021 took place with three sitting members. Between the

    hearing and the deliberation on the decision has left one of the sitting members

    manage to withdraw from the case, with reference to Article 43 of the WOG. Consequently and Decision on the substance 31/2022 - 6/27



        since the WOG does not allow a decision by two members, this decision is made

        by the chairman, sitting alone (Article 33, §1, paragraph 3 WOG).




II. Motivation


    a) Competence of the Data Protection Authority



    25. The defendants argue that the Data Protection Authority, including its

        bodies, including the Disputes Chamber, would be without jurisdiction in this case. The

        After all, the defendants argue that the Flemish Supervisory Commission is authorized to carry out supervision

        practice compliance with (constitutional) legal and other regulatory provisions

        personal data protection carried out by an authority as referred to in Article 10/1, §1 of

        the Decree of 18 July 2008 on electronic administrative data traffic (hereinafter:

        the “decree of 18 July 2008”) when this supervision is part of a state competence.


    26. As already explained in its decision 15/2020 of 15 April 2020 8 , the

        Data Protection Authority (“DPA”) competent to handle this case.


     Regulatory Powers on Personal Data Protection



    27. First of all, the Litigation Chamber emphasizes that the GDPR is a regulation that directly

        applicable in the Union and may not be transposed into national law by the Member States.

        Provisions from the GDPR may also not be specified in national regulations,

        except on the points where the AVG expressly makes this possible. The data protection

        has therefore in principle become a matter of European law. 9


    28. The issuance of any regulatory provisions on personal data by the

        federal or state government must therefore take place within the framework that has been established

        by the GDPR. In this regard, the Litigation Chamber refers to article 22 of the Constitutional Law

        case law on this matter of the Constitutional Court, which states that the right to respect for the

        private life, as guaranteed in Article 22 of the Constitution (as well as in treaties), a wide









7Cf. Article 10/1 of the Decree of 18 July 2008 “regarding electronic administrative data traffic”, as inserted by
Article 20 of the Decree of 8 June 2018 “adapting the Decrees to Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
(general data protection regulation)” (hereinafter the “GDPR Decree”). B.S. June 26, 2018.

8https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-15-2020.pdf,§§32-35en66ennext.
See also Decision 23/2022, § 6, https://www.dataprotectionauthority.be/publications/zonder-gevolg-nr.-23-2022.pdf
9
 See e.g. C. KUNER, L.A. BYGRAVE and C. DOCKSEY (eds.), The EU General Data Protection Regulation: A Commentary, Oxford
University Press, 2020, 54-56. Decision on the substance 31/2022 - 7/27




        scope and, inter alia, the protection of personal data and personal data

        information includes. 10



    29. With regard to the right to respect for private life, article 22 of the Constitution provides that:


        “Everyone has the right to respect for his private and family life, except in cases

        and under the conditions laid down by law.

        The law, decree or rule referred to in Article 134 shall ensure the protection of that right.”


    30. Since article 22 of the Constitution dates from after the state reform of 1980, the

        The word “law” in that provision means a federal law. Restrictions on the by that


        rights guaranteed by a constitutional provision cannot, in principle, therefore be granted by a decree or a

        ordinance be established. This would mean that an interference in private life - including

        understood the processing of personal data – cannot result from decrees or

        ordinances. 11


    31. Since such an interpretation limits the powers of the Communities and Regions

        would erode, have, among others, the Constitutional Court and the Legislation Department of the Council


        of State held that imposing general restrictions is a matter for the federal legislature

        reserved matter. In that case, the sub-areas retain the possibility to, within their

        powers, to provide specific restrictions, provided they are general federal

        respect legislation in this regard. 12


    32. In short, the Litigation Chamber finds that the federal government and the communities and the


        regions are empowered to issue general and specific rules respectively

        on the protection of private and family life and this only on the points where the

        AVG allows this and within the rules of the AVG that are directly applicable in the Belgian

        legal order. Also where specific rules on the protection of personal data are

        set by the federal governments, within the space that the AVG allows for this, the

        general rules arising from federal legislation on personal data protection te


        are respected.









10See e.g.GwH,no.29/2018,15March2018,B.11;no.104/2018,19July2018,B.21;no.153/2018,8November2018,B.9.1.See alsoA.ALEN
and K. MUYLLE, Handbook of Belgian Constitutional Law, Kluwer 2011, p. 917 ff.
11A. ALENen K. MUYLLE, Handbook of Belgian Constitutional Law, Mechelen, Kluwer, 2011, 918EYBROUCK and S. OTTIAUX, De

federal powers, Antwerp, Intersentia, 2019, 122; ANDE LANOTTE, G. OEDERTIER, Y. AECK, J. OOSSENS and T. DE
12LSMAEKER , Belgian Public Law, Bruges, die Keure, 2015, 449.
  Court of Arbitration, no. 50/2003, 30 April 2003, B.8.10; no. 51/2003, 30 April 2003, B.4.12.; no. 162/2004, 20 October 2004 and 16/2005, 19
January2005;GwH,20October2004,14February2008;Adv.RvSnr.37.288/3of15July2004, Parl.St.Vl.Parl.2005-2006,nr.531/1:
“[…] the Communities and the Regions [are] only competent […] to impose specific restrictions on the right to respect for
to allow and regulate private life insofar as they adapt or supplement the federally determined basic standards, but […] they
[are] not authorized … to affect those basic federal standards.”

13J. VAN PRAET, The latent state reform, Bruges, die Keure, 2011, 249-250. Decision on the substance 31/2022 - 8/27



    Supervisory authorities in the context of personal data protection



    33. The defendant refers to Article 57(1)(f) GDPR and Article 51(1) GDPR from which it follows that

        all member states determine which public authority will carry out the supervisory tasks and that it

        it is possible to designate more than one supervisory authority.


    34. Following the GDPR, the law of 3 December 2017 establishing the
                                          14
        Data Protection Authority (hereinafter: “WOG”) adopted.


        The GBA was thus established on the basis of Article 4, §1, first paragraph WOG. It is true that, as Article 4, §

        1, second paragraph WOG expressly confirms, also the federal states themselves

        data protection authorities, as already indicated by the Council
                                                                   15
        van State in its advice no. 61.267/2/AV of 27 June 2017 (see below). In implementation of this article

        the Flemish legislator has established the Flemish Supervisory Commission (hereinafter: “VTC”)by article 10/1
                                        16
        of the decree of 8 June 2018.




    Supervisory powers of the supervisory authorities




    35. In view of the competing powers set out above

        personal data protection, Article 141 of the Constitution instructs the legislator
                                                                                                           17
        procedure to avoid conflicts of competence between legislative standards.

        This task was entrusted to the legislation section of the Council of State. Regarding

        the powers of the aforementioned supervisory authorities refer to the Disputes Chamber

        to advice no. 61.267/2/AV of 27 June 2017 of the Legislation Division of the Council of State

        which was issued in response to the preliminary draft that led to the WOG. In this

        In its opinion, the Council discussed in detail the rules that divide competences with regard to the supervision of
                                18
        data protection.


    36. In the aforementioned preliminary draft, the Council of State stated that the federal government should have a

        supervisory authority with “general authority (…) over all






14B.S. January 10, 2018.
15
  Advisory Council No. 61.267/2 of 27 June 2017 on the preliminary draft law 'reforming the Commission for the protection of
privacy', rn.7.1-7.2.See also bv.Adv.RvS, no.66.033/1/AVof3June2019on a draft decision of the Flemish
Government of 10 December 2010 "implementing the decree on private job placement, with regard to the introduction
of a registration obligation for sports agents', 4; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decision of the
Flemish Government 'containing further rules for the processing, storage and probative value of electronic data
on allowances under family policy', 6-7.
16
  B.S. June 26, 2018.
17 Article 141 Constitution: “The law establishes the procedure to settle the conflicts between the law, the decree and the provisions referred to in Article 134,
as well as between decrees and between the rules referred to in Article 134.”
18
  Ibid., 8, p. 28-45. Decision on the substance 31/2022 - 9/27



        processing of personal data, including those that take place in matters for which

                                                             19
        the Communities and the Regions are competent”. Such an arrangement is without prejudice
                                                                                                         20
        to the competence of the Communities and Regions, […]”, said the Council of State.

        Consequently, according to the Council of State, the regional supervisory authorities can only

        be empowered to monitor the specific rules they have issued

        for data processing in the context of activities that fall within their competence, and this

        of course only insofar as the GDPR still allows Member States to adopt specific provisions

        and the provisions of the WOG are not prejudiced. The Council confirms this

        van State stated its position in advice no. 37.288/3 of 15 July 2004, as cited in advice no.

        61.267/2/AV of 27 June 2017, in which the Council of State considered the following about the

        competence of the Commission for the protection of privacy, the

        predecessor of the GBA:


        “The authors of the draft rightly assume that the legislature cannot detract

        to the powers of the Commission for the Protection of Privacy,

        established by the law of 8 December 1992. In implementation of the directive, the federal legislator has

        establish a supervisory body, which has general authority over all

        processing of personal data, including those that take place in matters for which

        the communities and the regions are competent.” 21


    37. In short, the GBA, as a federal supervisory authority, is the competent authority for supervision


        abide by the general rules, including the mandatory provisions of the GDPR that do not contain any further
                                        22
        need national implementation. This is also the case if the data processing is related

        has on a matter that falls under the competence of the Communities or Regions and/or

        if the controller is a public authority that falls under the communities

        or the regions, such as a municipality, even if the federal state itself has one

        supervisory authority within the meaning of the GDPR.


    38. In view of the above, the Disputes Chamber concludes that in order for a federal state

        supervisor would be competent, it is by no means sufficient that the data processing relates

        has on a federal state matter, in this case the matter of the additional traffic regulations.

        The federal state in question must also, within the space that the GDPR still leaves for the member states,





19Ibid., 8, marg. 5, referring to Adv.RvS, no. 37.288/3 of 15 July 2004 on a preliminary draft decree 'concerning the

health information system,” Parl.St. Vl. Parl. 2005-06, no. 531/1, 153 ff.
20Ibid., 8, marg. 6.
21
  Adv. Stainless steel. no. 37.288/3 of 15 July 2004.
22See also BVAdv.RvS, no.66.033/1/AVofJune 3, 2019 on a draft decision of the FlemishGovernment of December 10, 2010
'for the implementation of the decree on private job placement, with regard to the introduction of a registration obligation
for sports agents', 5; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decree of the Flemish Government 'containing the
further rules for the processing, storage and probative value of the electronic data concerning the allowances in the

framework of family policy', 7. Decision on the substance 31/2022 - 10/27




        have issued specific rules for the processing of personal data in the framework

        of that matter. It is only the supervision of compliance with those specific state rules that

        can be entrusted to the state supervisor.


    39. The Disputes Chamber emphasizes that the notion of 'specific rules' should not be interpreted too broadly.

        It appears from the advice of the Council of State cited above that the term 'specific rules' refers

        to specific limitations or special warranties, which differ from or go beyond the

        general provisions, warranties and limitations contained in, or arising from, the

        GDPR or federal law. In other words, the mere fact that the Länder (by decree

        or decision) implementing or confirming a general rule does not mean that rule is the

        character of a 'specific rule'. There is only a specific rule when the

        federal states, using the space that the GDPR leaves for this, additional safeguards or

        set restrictions.

    40. In addition, any limitations of an authority's powers for the

        data protection under the GDPR would only be possible if at the level of a

        state a supervisor would have been established that meets all the requirements under the

        European Treaties are assigned to the supervisor, which also includes all tasks and

        authority from the supervisory authority. In this connection, they refer in particular to the

        Articles 51 to 59 of the GDPR.


    41. The Litigation Chamber notes that the disputed processing operations were carried out on the basis of three

        general deliberations 23 granted by the sectoral committee set up by the

        Commission for the Protection of Privacy (hereinafter: “CPP”). TheCBPL end

        sectoral committees were abolished by the law of 30 July 2018 on protection

        of natural persons with regard to the processing of personal data. 24 The

        authorizations and the relevant processing of personal data by the defendant in the

        within the framework of the relevant authorizations, namely the communication of data from the

        Crossroads database of the vehicles - in particular the registration plate - to the applicant

        controller in the context of its additional powers

        parking regulations, must therefore be checked against the new legal since 25 May 2018

        framework, in particular the provisions of the GDPR.











23 Deliberation FO no. 02/2016 of 21 January 2016, Deliberation FO no. 14/2016 of 21 January 2016 and Deliberation FO no.
18/2015 of 28 May 2015.

24Article 280 Law of 30 July 2018 on the protection of natural persons with regard to the processing
of personal data. Decision on the substance 31/2022 - 11/27




    42. Within the current legal framework, and in particular pursuant to Article 35/1 of the Law of 15
       August 2012 establishing and organizing a federal services integrator and the law25

       of September 5, 2018 establishing the Information Security Committee, it is

       Information Security Committee (hereinafter: “ICC”), in particular authorized to hold deliberations

       regarding certain communications of personal data, including the notice

       of data contained in the Crossroads Bank for Vehicles. Article 35/1, § 4, of the Federal Law

       Service Integrator specifies that “the deliberations of the Information Security Committee with

       reasons and [have] a general binding scope between the parties and
       towards third parties”. Based on the same article, the Data Protection Authority can

       deliberation of the Information Security Committee at all times, regardless of when it became

       granted, check against higher legal standards, such as the GDPR. Consequently, the Litigation Chamber

       authorized to assess whether the authorizations and the processing based on this are

       performed comply with the obligations as provided for in the GDPR.


    43. In view of the above, the Disputes Chamber concludes that this case does not concern an assessment
       of a data processing by an authority in accordance with article 10/1, §1 of the decree

       of 18 July 2008 on electronic administrative data traffic to a specific

       rule issued by the state government within its state jurisdiction. As

       the permissions in question have been shown to be general in nature and the testing against the GDPR of these

       authorizations together with the personal data processing carried out on the basis thereof

       have been carried out thus belong to the Disputes Chamber.



    b) Rights of defense and principles of good administration

       The complaint



    44. Defendant 1 asserts that the rights of defense would have been violated because it did not
       would be clear against which complaint they should defend themselves. Defendant 1 holds before three

       complaints would have been submitted by the complainant and refers to the documents submitted by the complainant

       complainant were transferred on 10 August 2020, 5 November 2020 and 7 December 2020.


    45. In this regard, the Litigation Chamber notes that the complainant first attempted to

       to be filed on August 10, 2020, but since the complaint only contains the last page of the

       complaint form–which concerned only the date of the complaint, the signature as well as the name and
       contains the complainant's first name – did the complainant submit the full complaint form on 5

       November 2020. Subsequently, documents were provided by the complainant on 6 December 2020

       substantiation of his complaint filed on November 5, 2020. Contrary to what Defendant 1





25B.S. 28 August 2012. Decision on the substance 31/2022 - 12/27



    states, the complainant has thus lodged a single complaint, namely that which was lodged on

    complete manner dated November 5, 2020. This complaint was therefore enclosed with the letter sent on 25

    February 2021 was communicated to the parties to establish the calendar of conclusions and with

    the request to file defenses. It is only after the complaint became complete

    submitted and the complainant has provided the necessary supporting documents that the complaint has been accepted by the

    First-line service could be declared admissible, as was done. In addition, has
    Defendant 1 received a copy of the file, making all elements available to him

    had to defend himself.


    Decision on admissibility and decision on readiness for treatment on the merits


46. Respondent 1 argues that the 'alleged' decision of the First Line Service, according to her, does not
    contains clarification of the facts or the alleged infringements. Defendant 1 also believes in the letter

    of the Disputes Chamber dated February 25, 2021, it is not possible to deduce which the alleged

    infringements, nor what the possible sanctions would be. Defendant 1 adds that it

    it is unknown to her whether there is still an actual decision of the First Line Service, as well

    that she was not notified of any decision of the Litigation Chamber regarding the ready

    are for treatment. This leads defendant 1 to the conclusion that the rights of
    defense have been violated, as have the principles of good administration.


47. The Litigation Chamber clarifies that the decision of the First-line service on the admissibility of

    the complaint is included in an e-mail addressed to the Disputes Chamber and the relevant e-mail

    forms an integral part of the administrative file. As a result, the Litigation Chamber has

    the procedure for treatment has commenced on the merits. The Litigation Chamber brings the parties (both
    complainant, as well as defendants) in a single letter of both the admissibility of the

    complaint in accordance with Article 61 WOG – this provision strictly requires that only the complainant

    is notified of the admissibility of his complaint – as well as the commencement of the procedure

    on the merits containing all information in accordance with Article 98 WOG in conjunction with Article 95, §2 WOG.


48. With regard to the decision on admissibility, as well as the decision that the file
    is ready for consideration on the merits, the Disputes Chamber therefore refers to the e-mail dated 25

    February 2021 with the letter and accompanying documents attached thereto, in which

    parties are expressly informed of the fact that the complaint will be lodged by the

    First-line service was declared admissible and the Disputes Chamber decided that the file

    is ready for treatment. This means that the letter with conclusion calendar as

    such shall serve as notification to the parties, both of the decision on admissibility and
    with regard to being ready for treatment on the merits, so that both Article 61 WOG and Article

    98 WOG in conjunction with Article 95, § 2 were respected.


    Insofar as defendant 1 raises that neither the decision of the First Line Service regarding

    admissibility, nor the decision of the Litigation Chamber regarding the readiness for Decision on the substance 31/2022 - 13/27



    indicate the grounds on which the treatment is based on, the Litigation Chamber must do so

    to point out that the aforementioned decisions on the one hand of the Primary Service, and on the other hand of the

    Litigation Chamber are not final decisions, but merely decisions that precede the

    final decision of the Litigation Chamber. Only the final decision needs to be motivated. The

    letter with conclusion calendar contains all information prescribed by article 98 WOG and is

    precisely aimed to based on the defenses filed by the parties, with respect
    for the rights of defence, to motivate the final decision of the Litigation Chamber. The

    current decision constitutes this final decision and must be motivated as such.


49. Respondent 1 also argues that it is unknown to her why the Disputes Chamber does not have

    decided to follow up on the complaint in a different way. The Disputes Chamber emphasizes that there is

    there is in no way a negative obligation to state reasons, so that it is not obliged to do so
    explain why it would not have used the other options provided for

    article 95, §1 WOG.


50. Insofar as necessary, the Litigation Chamber emphasizes that of course the procedural guarantees

    must be complied with and if there may have been any ambiguity, this is

    lifted in the follow-up process, ensuring impartial and fair treatment
    elements raised by defendant 1 do not affect the rights of the defense

    have been violated, as the defendants have been given the opportunity to present their arguments

    to be brought forward in full by means of the statement of defense and rejoinders.

    In addition, the defendants have been able to fully exercise their right to contradict

    during the hearing of the Litigation Chamber. The defendants are therefore not at any disadvantage

    encountered; their right of defense has been fully respected.



c) Legal basis



51. The complainant asks what legal basis defendant 1 relies on for the period from 1 January

    2020 until September 1, 2020 to process personal data concerning the holder of a

    request number plate from defendant 2 for the identification of persons affected by the use

    owe a parking fee, tax or parking fee for a vehicle and on what legal basis
    the defendant 2 has provided personal data to the defendant 1 for that same period

    provided. Decision on the substance 31/2022 - 14/27



        Deliberation and legal succession


    52. Defendant 1 invokes deliberation FO no. 02/2016 of 21 January 2016, as well as 26

        deliberation FO no. 18/2015 of 28 May 2015 to state that they already have their own access

        to the DIV directory for the identification of persons who, through the use of a

        vehicle parking tax.


    53. As defendant 1 itself cites, the beneficiaries of deliberation FO no. 02/2016 are the private

        concession holders of the Flemish cities and municipalities, as well as the municipal ones

        independent agencies. As an autonomous municipal company, AGB Parko is an external company

        independent agency of defendant 1, and AGB Parko has committed itself in that capacity to 5


        May 2015 joined the deliberation FO no. 17/2010, which was replaced by

        deliberation FO no. 02/2016, but in which deliberation FO no. 17/2010 is maintained for

        with regard to the validity of the approved individual declarations of commitment, including

        also this one from AGB Parko. This means that AGB Parko is a beneficiary of deliberation FO No.

        02/2016 and is thus authorized by the Directorate for Registration of Vehicles (DIV)

        receive identification data from the holders of a registered vehicle that pays a fee,

        tax due. Defendant 1 could not join this authorization herself, since she

        does not fall under the category of potential beneficiaries of that particular deliberation.


    54. Defendant 1, on the other hand, is a beneficiary of deliberation FO No. 18/2015, but this

        concerns the authorization to obtain notification of personal data on behalf of the DIV for

        theidentificationandpunishmentofoffendersofmunicipalregulationsorregulations

        within the framework of the law of 24 June 2013 on municipal administrative sanctions.

        This means that defendant 1 can obtain information from the DIV on the basis of this deliberation,

        but limited to the imposition of municipal administrative sanctions and therefore not for the

        levying a parking tax, as in the present case.


    55. Based on these elements, the Disputes Chamber establishes that defendant 1 is trying to demonstrate

        that at the time of the facts forming the subject of the complaint they have an authorization to

        access to the DIV directory was available for the identification of persons, including the complainant, who

        due to the use of a vehicle parking fee, tax or parking fee due by

        to invoke, on the one hand, a deliberation of which defendant 1 is not himself the beneficiary

        (Deliberation FO no. 02/2016) and on the other hand a deliberation of which defendant 1 admittedly





26
  Deliberation concerning the one-off authorization and amendment, for what the private concessionaires of the Flemish cities and
municipalities and the Flemish municipal autonomous agencies, of the deliberation FO no. 17/2010 of 21 October
2010
27Deliberation on the granting of a general authorization to the Cities and Municipalities, the autonomous municipal companies and

the Brussels-Capital Parking Agency to receive the personal data from the Management by electronic means
Registration of Vehicles (hiden"DIV") for the identification and the punishment of violators of municipal
rules or regulations Substantive decision 31/2022 - 15/27




         beneficiary, but does not authorize him to obtain data from DIV for the

         levying a parking tax (Deliberation FO no. 18/2015).


    56. Such argumentation in which defendant1 combines the two aforementioned deliberations to

         then proceeding to assert that it was authorized to disclose the identification data of the

         request the complainant from DIV in order to be able to pay the parking tax owed to him

         however, cannot be accepted, as explained below.


    57. To the extent that defendant 1 argues that in view of the dissolution and liquidation of AGB Parko

         with effect from 1 January 2020 and its incorporation into the city services, from that moment the

         rights and obligations, including those as determined in deliberation FO no. 02/2016,

         has taken over as the legal successor of AGB Parko, the Disputes Chamber


         set on the basis of article 244, §3 of the decree of 22 December 2017 on the local
                  28
         board that Defendant 1 was by operation of law the legal successor of AGB Parko, as confirmed

         in the decision of the municipal council of the defendant 1.

                                                                                                              29
    58. With regard to legal succession, respondent 1 refers to Opinion no. 14/2004 and the

         Recommendation No. 03/2015 30 of the Commission for the Protection of Privacy

         in which the principle is assumed that the legal successor does not apply for a new authorisation

         subject to the purpose for which the legal successor uses the relevant personal data

         processed, remains unchanged and can thus use the authorization as it was

         granted to his legal predecessor.


    59. However, the Litigation Chamber should note that in recommendation no. 03/2015 as a condition

         to take over the existing authorization by the legal successor - so without this one


         to apply for new authorization – it has been included that the relevant sectoral committee should

         can assess whether the applicant who wishes to continue using the existing authorisation

         is indeed the legal successor. In addition, the sectoral committee must be able to

         assess whether the legal successor offers sufficient safeguards in the field of security.

         Respondent 1 itself refers in this context to Deliberation FO no. 31/2015 of 10 December








28Art. 244, § 3. The rights and obligations of the dissolved autonomous municipal company are taken over by the municipality.

29Opinion No. 14/2004 of 25 November 2004 on the request for an opinion from the Chairman of the Board of Directors of the Federal
Public Service Personnel and Organization with regard to the Royal Decree of 29 January 1991 by which certain
employees of the Ministry of the Interior and Public Service access to the National Register of the
natural persons and authorization to use the identification number of that register are granted: can this be done royally
decision suffices as a legal basis to assign the Directorate-General e-HR of the Federal Public Service Personnel and Organization
have access to the information data of the National Register of Natural Persons and the National Register number

to be used for the fulfillment of the tasks related to the implementation of Royal Decree No. 141 of December 1982
establishing a database on public sector employees.
30Recommendation no. 03/2015 of 25 February 2015 on the procedure to be followed with regard to authorisations, by both the sectoral
committees, the regional service integrators and the regional administrations in the context of the subsequent transfers of competence
of the Sixth State Reform. Decision on the substance 31/2022 - 16/27



               31
         2015 which refers to opinion no. 14/2004, but fails to show that such

         notification of legal succession has been made, so that there is no assessment of the foregoing

         stated conditions have taken place. However, these conditions are also express

         included in Recommendation No. 03/2015 , but were not respected by Defendant 1 who

         has not reported the legal succession and has not demonstrated the necessary

         provide security guarantees with regard to the deliberation FO no. 02/2016. It follows


         that defendant 1 can therefore not validly rely on deliberation FO no. 02/2016

         to obtain data from defendant 2 with a view to levying a parking tax

         at the expense of the complainant.


    60. With regard to advice no. 14/2004 and recommendation no. 03/2015, the Disputes Chamber states that

         although they do not have a directly legally enforceable character, they must

         be tested against the current legal context, which means that it must be verified whether the

         requirements set by the GDPR are complied with, in particular in view of the transparency obligation

         (articles 5. 1, a) GDPR , 12.1 GDPR 34 and 14.1 a) GDPR ) requiring that with regard to the

         data subject's personal data are processed in a transparent manner.



    61. It appears from the factual elements of the file that it was completely unclear to the complainant

         defendant 1 has requested his data from defendant 2 purely as being the legal successor

         of AGB Parko, since Defendant 1 has not provided any form of transparency

         in this regard, which meant that it was therefore not possible for the complainant to make a simple claim

         accessible and understandable form of the processing of the data concerning him






31 Deliberation FO no. 31/2015 of 10 December 2015 regarding the application of the Flemish Tax Authorities (“VLABEL”) to be
legal successor of the Department of Finance and Budget of the Flemish government to be able to use the authorization that was

granted by deliberation FO Nos. 39/2013 and 40/2013 of December 12, 2013:
“The investigation of the committee can therefore be limited to verifying whether the applicant is the legal successor of the Finance Department
and Budget of the Flemish government, specifically with regard to the purposes/tasks that were the subject of deliberations
FO Nos. 39/2013 and 40/2013. In addition, the Committee also examines whether the applicant offers sufficient guarantees in terms of the

data security.”
32“In the context of a transfer of competence, it is important to specify which body takes over the competence, or with the transfer
the same purposes or only part of them, as well as providing information regarding security.”

33 Article 5.1 a) GDPR. Personal data must:
a) processed in a manner that is lawful, fair and transparent in relation to the data subject ('lawfulness, fairness

and transparency”);
[…]
34
  Article 12.1. AVG. The controller shall take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14
information referred to and the communication referred to in Articles 15 to 22 and Article 34 in relation to the processing in a
in a concise, transparent, intelligible and easily accessible form and in clear and plain language, in particular
when the information is specifically intended for a child. The information shall be in writing or by other means, including, if
appropriate, by electronic means, provided. If requested by the data subject, the information may be communicated orally,
provided that the identity of the data subject is proven by other means.

35Article 14.1. AVG. Where personal data have not been obtained from the data subject, the controller shall provide the
data subject the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the
controller;
[…] Decision on the substance 31/2022 - 17/27




        personal data by the defendant 1. In view of the total lack of providing the

        necessary transparency with regard to Defendant 1, Defendant 2 also did not have the

        correct information, so that the latter will therefore also have the complainant on 15 February 2021

        stated that the communication by defendant 2 of the data of the complainant to defendant 1

        happened on the basis of deliberation 18/2015 on municipal administrative sanctions and

        that at the time of the levying of the parking tax in respect of the complainant, defendant 1 has no
                                                       36
        legal basis for parking management. The Disputes Chamber decides on the basis of the

        above that the defendant1 has infringed article 5.1, a) GDPR, article 12.1 GDPR and article 14.1
        a) AVG committed because the complainant was not informed about the

        legal succession of AGB Parko by defendant 1, as a result of which the latter has the capacity of

        controller has obtained with regard to data processing such as

        described in deliberation FO no. 02/2016, and on the other hand the resulting ones

        data processing on behalf of the defendant 1.


        Deliberation and GDPR


    62. In addition, the Litigation Chamber draws attention to the fact that the defendants ignore

        the fact that the deliberation(s) as such do not constitute an independent legal basis for
                                                                                         37
        a data processing. Since the GDPR became applicable, every

        controller to respect all principles contained therein. More in it

        in particular, a controller should base itself on one of the six

        legal bases listed in Article 6 of the GDPR. In the public sector, the

        legal basis of Article 6.1.c) (processing is necessary to comply with a legal
        obligation on the controller) or Article 6.1.e) (processing is

        necessary for the performance of a task of general interest or of a task within the framework of

        the exercise of public authority vested in the controller)

        be used. In such cases, the processing must be based on a legal

        provision that meets the requirements of Article 6.3 GDPR.


    63. The deliberations relied on by the defendants were given by the Sectoral Committee

        of the Federal Government, which has ceased to exist pursuant to Article 109 WOG.

        although it does not alter the fact that, in accordance with Article 111 WOG, it remains possible to join

        the aforementioned general authorisations, provided that the person requesting accession submits a written and

        signed declaration of commitment in which he confirms that he agrees to the terms of

        the relevant deliberation, to the Information Security Committee, being the body







36
  See below under margin nos. 62 ff.
37The GDPR has been applicable since 25 May 2018 (article 99.2 GDPR). Decision on the substance 31/2022 - 18/27




        which was established by the legislature to provide deliberations regarding the

        exchange of personal data or the use of the National Register number.

        a) With regard to Defendant 1


    64. Defendant 1 has yet, albeit late - i.e. after the facts that are the subject of

        the complaint –, connected to deliberation FO no. 14/2016 of January 21, 2016 38 whereby they

        due to defendant 2 notification can obtain personal data included in the DIV-

        directory for the identification of the complainant with a view to levying the parking tax.


    65. Not only did entry to deliberation FO No. 14/2016 only take place on 28 August 2020,
        so well after Defendant 1 has requested the details of the complainant from Defendant 2 and also

        has gotten. Defendant 1 believes that it can claim that in the context of this accession

        agreement concluded on September 1, 2020 between defendant 1 and defendant 2, in which is

        provide that it takes effect retroactively on 1 January 2020, is fully legally valid and

        relies on deliberation FO no. 02/2016 in its capacity as

        legal successor stating that the Accession Agreement, upon deliberation FO No. 14/2016, merely

        constitutes a legal confirmation of a factual situation, since since 1 January 2020 it has been regarded as

        legal successor believes that it can derive rights from deliberation FO no. 02/2016, of which it

        claims that it is almost identical to deliberation FO No. 14/2016.

    66. The Disputes Chamber can only establish that at the time of the facts defendant 1 nor op

        based on legal succession (see above, marginals 52 - 61), nor on the basis of deliberation FO no.

        14/2016 in the absence of timely accession thereto, was authorized to file with defendant 2nd

        request personal data of the complainant with a view to his identification in the context of

        a parking tax. The retroactive effect of the accession agreement is included

        completely irrelevant. With regard to the Accession Agreement, it should be noted that

        contrary to what defendant 1 states, this can indeed be done by the Disputes Chamber

        assessed to the extent that it has an impact on the data processing of third parties who are not a party

        to that agreement, including in this case the complainant. It is certain that at the time of

        the facts that occurred on 28 May 2020, it was completely unclear to the complainant
        that defendant 1 would still enter into an accession agreement on September 1, 2020 in the future

        close at deliberation FO no. 14/2016, so that at the time of the facts the complainant was not

        had the information to which he is entitled in accordance with Articles 5.1, a), 12.1 and 14.1

        a) GDPR. The Disputes Chamber also notes that deliberation FO no. 14/2016 as such

        itself also already requires that the persons involved, including the complainant, must in all cases clearly






38Deliberation regarding the one-time authorization to grant municipalities access to the directory of the DIV for the
identification of persons liable to pay a parking fee, tax or parking fee due to the use of a vehicle - Revision
of the deliberation FO n° 05/2015 of 19 March 2015 Decision on the substance 31/2022 - 19/27




        should be informed of the name of the controller, in this case

        defendant 1, the purpose of the processing, the origin of the collected data and the

        existence of the right to access and correct the data. The deliberation adds

        to the fact that a clear provision of information is also particularly important in

        situations in which it falls less within the reasonable expectations of those involved that

        his/her personal data are processed. It is clear from the facts that the complainant is not

        possessed this information, which meant that he also had no knowledge of the legal basis on which the

        processing of his personal data would be based

        5. 1, a) GDPR, Article 6, Article 12.1 GDPR and Article 14.1 a) GDPR.


    67. Moreover, a controller, in this case defendant 1, cannot suffice with it

        to have an authorization and to act solely on the basis of the relevant deliberation

        based on the assumption that you are entitled to the rights set out in that authorization

        personal data. After all, the controller has been there since the application

        are obliged by the GDPR to comply with the obligations imposed on them therein and thus the

        to test the deliberation that he wishes to make use of against the higher legal standard in order to

        check whether the communication of personal data is permitted by the relevant deliberation

        complies with the GDPR. In this sense, the federal government chamber of the

        Information Security Committee on August 28, 2020 Defendant 1 expressly pointed out that

        her participation in deliberation FO No. 14/2016 does not release her from her obligations to

        GDPR compliance.


    68. However, it appears from the defense of Defendant 1 that she has completely changed her method of data processing

        has aligned with the relevant deliberations by being as set out in its conclusion

        relied entirely on the opinion of defendant 2 regarding the application of the three

        deliberations 39 on which it relies. For example, Defendant 1 indicates that both before and after the

        collapse of AGB Parko in the city services has inquired with defendant 2 whether there

        additional formalities had to be fulfilled. The Disputes Chamber finds that

        on 2 December 2019 the defendant 1 addressed the defendant 2. Defendant 1 alleges

        in addition that it will again take up the parking policy itself and already has an agreement

        with the Crossroads Bank for Vehicles in function of an identification of holders of a






39 Deliberation FO no. 02/2016 of January 21, 2016 concerning the one-off authorization and amendment, as far as the private
concessionaires of the Flemish cities and municipalities and the Flemish municipal autonomous agencies, of the
deliberation FO no. 17/2010 of 21 October 2010

Deliberation FO no. 18/2015 of 28 May 2015 on the granting of a general authorization to the Cities and Municipalities, the
autonomous municipal companies and the Brussels-Capital Parking Agency to process the personal data electronically
received from the Directorate of Registration of Vehicles (the "DIV") for the identifiers and the penalty of
violators of municipal regulations or ordinances

Deliberation FO no. 14/2016 containing the one-time authorization to grant municipalities access to the directory of the
DIV for the identification of persons who owe a parking fee, tax or parking fee due to the use of a vehicle
are - Revision of the deliberation FO n° 05/2015 of 19 March 2015 Decision on the substance 31/2022 - 20/27




        number plate that cities and municipalities, … owe a parking fee, tax or money,

        citing deliberation FO No. 18/2015 – as stated by Defendant 1 – revised by

        deliberation FO no. 14/2016. The Disputes Chamber must also determine this
        that defendant 1 incorrectly establishes a connection between, on the one hand, deliberation FO no. 18/2015 which

        municipal administrative sanctions and to which it has acceded, and on the other hand

        deliberationFOnr.14/2016concerning parking fees, taxes and moneyof which they want

        is not the beneficiary at the moment. Defendant 1 therefore passes on an incorrect representation of the facts

        to state that deliberation FO No. 18/2015 would have been revised by deliberation FO No. 14/2016.

        Defendant 2 subsequently fails to notice this and argues that Defendant 1 should not take any further action

        to undertake. On June 26, 2020, Defendant 2 reconfirms that Defendant 1 has access to

        the directory of the DIV has, however, without specifying which deliberation it refers to

        access is based.

    69. Defendant 1 hides behind the fact that, despite two previous confirmations

        because of defendant 2, did not have the correct authorization to consult the DIV-

        repertory for penalizing violations of the municipal fee regulations in connection with

        parking, but that the lack of the authorization in question is based on a misunderstanding. She

        adds that the city could and should rely on the correctness of the outgoing message

        of DIV confirming in writing that the required authorization is in order by the city
            40
        used to be .


    70. It is only at the moment that Defendant 2 deems it appropriate that Defendant 1 joins
        deliberation FO no. 14/2016 that defendant 1 also actually does this, however, for quite some time

        after the facts presented by the complainant have occurred.


    71. Defendant 1 then also tries to shift its own responsibility onto the

        Sectoral committee for the Federal Government and the FPS Policy and Support. So claims

        defendant 1 that the Sectoral Committee for the Federal Government has given the impression that they as

        city had joined deliberationFO No. 17/2010 –as later revised by deliberationFO

        No. 02/2016 – by naming the city as a beneficiary in the approval of the

        declaration of commitment during the deliberation of FO no. 17/2010, as well as because the FPS Policy and

        Support Defendant 1 would have been listed in the list of beneficiaries on its website.

    72. However, this argument is by no means convincing, since the possible beneficiaries of

        deliberation FO no. 17/2010 – later deliberation FO no. 02/2016 – in no case the municipality

        itself, but only the private concession holders and municipal privatized

        agencies. The entry to which respondent 1 refers is: “Parko AGB/Stad Kortrijk”,





40Decision of the Board of Mayor and Aldermen dated 22 February 2021 regarding the objection regarding tax on the
parking, as submitted by the complainant. Decision on the substance 31/2022 - 21/27



    where the mention of the name of the city only gives an indication where the

    actual beneficiary, namely AGB Parko, is active. Defendant 1 is unable to do so

    deduce that she was a self-beneficiary with respect to this deliberation, in view of the clear in the

    deliberation defined target group of possible beneficiaries, which does not include municipalities

    belong.

73. It follows from all of the above elements that the Disputes Chamber has found an infringement of the

    Articles 5.2 and 24 GDPR in respect of Defendant 1.


    b) In relation to Defendant 1 and Defendant 2


74. A controller is obliged to comply with data protection principles
    and must be able to demonstrate compliance with these principles (accountability -

    article 5.2 GDPR). Defendant 1 is a data controller in relation to the

    personal data that it requests and obtains on behalf of Defendant 2. Defendant 2 is itself

    a controller with regard to the personal data it provides to

    defendant 1. Although defendant 2 denies that he is the defendant because the complaints would only

    are directed against Defendant 1, there is no doubt whatsoever about the fact that the Complainant
    not only against Defendant 1, but also against Defendant 2 because of the finding that

    the complainant expressly states that his privacy was violated because both defendant 1, and

    Defendant 2 used an incorrect authorization as the basis to identify him to the

    on the basis of his license plate via the DIV directory for which defendant 2 de

    controller. There can be no doubt that the complainant is not acting alone

    against Defendant 1, but also against Defendant 2, since the identification of the holder of the
    number plate is only possible if defendant2 provides the necessary personal data for this purpose

    to the defendant 1. In other words: the identification of the complainant on the basis of his

    number plate is only possible if defendant 1 requests the identification data from

    Defendant 2 and Defendant 2 subsequently also provide the Defendant with identification data

    1. Without the provision by defendant 2 of the identification data concerning the complainant

    to defendant 1 was an identification of the complainant based on his number plate
    simply not been possible. It is therefore in this sense that the complainant, as evidenced by the

    documents of the file, turns several times to defendant 2. The complaint concerns in particular

    the identification by means of the number plate of the vehicle in the complainant's name

    registered and is therefore undeniably directed against both defendant 1 and defendant 2.


75. Both defendants base their claims on the actions performed by each of them
    data processing (defendant 1 with regard to the processing of the requested and

    data obtained from defendant 2; defendant 2 with regard to the provision of the

    data to the defendant 1) on Article 6.1 e) GDPR. Article 6.1 GDPR which is the concretization of it

    principle of lawfulness as referred to in Article 5.1 a) GDPR, prescribes that all processing




        must be based on a legal basis. This means that before starting the

        processing activities the controller must determine which of the six
                                                                                  41
        legal bases applies and for what specific purpose. It appears from the file
        not that the complainant was informed of the legal basis on which the defendants relied

        currently appealed in the proceedings before the Disputes Chamber, in particular the necessity of the

        processing for the ‘performance of a task in the public interest’ (article 6.1 e) GDPR). This

        legal basis is only invoked after the facts and therefore after the processing of the

        personal data has taken place. Consequently, the defendants have

        personal data of the complainant processed against his expectations and therefore without any

        provision of information by the defendants prior to data processing.

        In this regard, the Disputes Chamber notes that this provision of information is not only the

        legal basis (article 14.1 c) GDPR), but all information as stipulated in article 14.1 GDPR

        in order to comply with the transparency principle (article 5.1 a) GDPR).

    76. Both defendants simply relied on the deliberations granted by the

        Sectoral Committee for the Federal Government without any review against the requirements of the GDPR

        requirements since its entry into force.


    77. Based on the factual elements of the file, it appears that neither Defendant 1 nor Defendant

        2 has complied with its accountability in relation to the principle of

        lawfulness, fairness and transparency, which the Disputes Chamber decides that

        an infringement of Articles 5.2 and 24 GDPR was committed on the part of both defendants.

    78. The Disputes Chamber specifies that a deliberation has no legal significance whatsoever

        the light of the GDPR. A deliberation can at most be regarded as an opinion of the Board

        IVC, being a body that can be distinguished from the controller who

        recipient of the deliberation. Such deliberation discharges the

        controller, in the present case both defendant 1 and defendant 2, not of

        their obligations under the GDPR, including in particular their accountability

        (article 5.2 in conjunction with 24 GDPR).


    79. Within the current legal framework, and in particular pursuant to Article 35/1 of the Law of 15
        August 2012 establishing and organizing a federal service integrator and the law

        of September 5, 2018 establishing the Information Security Committee, the IVC is competent

        to provide consultations regarding certain communications of personal data.









41 In accordance with Article 13(1)(c) and/or Article 14(1)(dc), the controller must
notify the person concerned. Decision on the substance 31/2022 - 23/27



80. Article 35/1, § 4, of the Federal Services Integrator Act specifies that “the deliberations of

    the information security committee with reasons and a general binding

    scope between the parties and towards third parties”.


81. The preparatory works of the Law of 5 September 2018 state that “it [is] crucial
    thatdecisionswithcommonbindingscopecanbepromulgatedintheformof

    deliberations [so that] all actors [have] legal certainty about the fact that a

    data sharing is legally permitted if the conditions contained in the deliberation are correct

    comply”

82. The Litigation Chamber understands the importance of obtaining legal certainty for actors

    prior to any processing of personal data. However, she believes it

    issuing binding decisions regarding the processing of personal data

    with the philosophy and provisions of the GDPR. This is particularly important since these

    decisions directly affect the rights of third parties to the protection of

    their personal data.

83. In particular, the Litigation Chamber refers to the

    accountabilitycontained in article 5.2 in conjunction with article 24GDPR, which is one of the central pillars of

    the GDPR constitutes and according to which controllers must be able to demonstrate that

    they process personal data in accordance with the processing principles
    personal data contained in Article 5.1 GDPR.


84. The Disputes Chamber emphasizes that such a system therefore creates an ambiguous situation

    for controllers, such as in this case defendant 1 and defendant 2, expect it

    on the basis of a consultation or to be able to obtain notification of data, or

    to be able to provide data from the DIV directory, but on the other hand on the basis of the
    accountability principle, are obliged to take proactive action themselves in order to

    ensure that the principles governing the processing of personal data have been respected

    and must also be able to demonstrate this. All this entails a risk of de-responsibility

    the controllers, which is totally incompatible with the principles of the

    GDPR and is contrary to articles 5.2 in conjunction with 24 GDPR.

85. The Disputes Chamber establishes that a deliberation/deliberations in itself is not a basis

    can form for processing. The Disputes Chamber underlines that a

    deliberation or participation in a deliberation for the person concerned

    controller is never allowed an obligation to communicate personal data

    imply. After all, the latter retains complete freedom to make its own decision in this regard
    to make an opportunity judgement. Substantive decision 31/2022 - 24/27



86. Furthermore, the Disputes Chamber emphasizes that after a deliberation by the IVC, all principles of the

    GDPR will of course continue to apply, including the accountability principle (articles 5.2 in conjunction with

    24 GDPR).


87. Finally, the Disputes Chamber points out that the defendants were offered the option of na

    the taking place of the hearing, to take an explicit position with regard to the mutual
    relationship of deliberations to the GDPR, in particular the principle of accountability, this with

    in order to ensure full respect for the rights of defence.


88. Defendant 2 has made use of that possibility, but confines itself to stating that

    it as a federal public service on the grounds that the legislature is presumed to be higher

    not wanting to violate legal norms such as Union law, and on the basis of it
    principle of legal certainty, it may be assumed that the legal instruments that the Belgian law

    and regulations provide it, are in conformity with the GDPR. She doesn't consider it her job or

    authority to question, defend or not apply those legal instruments.


89. Once again, the Disputes Chamber must establish that defendant 2 fully relies on the

    instrument of the deliberation and is limited to this without any further assessment against the
    AVG, notwithstanding the IVC itself also states that participation in a deliberation is the

    does not release the controller from its obligations to comply with the GDPR. This applies

    obviously not only for the acceding party, but for each controller, that is

    also defendant 2.


90. Respondent 1 has chosen not to respond to the request of the Disputes Chamber
    to take a position on the question posed in the letter of October 29, 2021, as before

    formulated during the hearing, because of its incompatibility with the

    rights of defence, as well as the general principles of good administration. Defendant 1

    continues by stating that the Litigation Chamber does not exceed the limits set by the complainant

    limits of the proceedings and cannot pass judgment ultra petita.


91. Notwithstanding the additional clarification that the Litigation Chamber gave to Defendant 1
    regarding the question asked during the hearing and repeated in the letter dated October 29, 2021,

    Defendant 1 persists in her refusal to take a stand. Defendant 1 argues

    discrepancies between the explanation at the hearing, the question in the letter of 29 October

    2021 and the additional clarification in the letter of November 24, 2021. It goes without saying that

    It goes without saying that the Disputes Chamber subsequently answered the question that was discussed during the hearing

    formulated as accurately as possible in the letter of October 29, 2021, precisely with a view to
    respect for the rights of defence. When defendant 1 turns out to be even more precise

    necessary, the Disputes Chamber will respond to this in order to offer defendant 1 the opportunity to be

    rights of defense in full and the Litigation Chamber refers to the earlier Decision on the substance 31/2022 - 25/27




        takenpositiononthereindecisions34/2020of23 June 2020 .Erkandan 42

        then not be argued by Defendant 1 that for the sake of any alleged

        discrepancy the question would not be clear, nor that the Litigation Chamber would not have

        indicated what specific objections it would have to see a possible non-conformity.

        Defendant 1 maintains that during the run-up to the hearing of October 29, 2021, she has no

        some indication has been given that there might be a shortcoming due to the legal basis

        for data processing in the context of parking fees and taxes.


    92. According to Defendant 1, it cannot be expected to analyze all of them

        possible points and hypotheses she can think of to check their agreement with the

        assess articles from the GDPR mentioned in the letter. Well, the Litigation Chamber finds that

        Defendant 1 hereby once again denies her accountability, which she also immediately does

        confirms that the data processing is fully based on the data invoked by it

        deliberation(s) which it believes it can use as a legal basis (qoud non) and fails to
        deliberation(s) against the requirements of the GDPR. The legal basis forms from the outset

        of the procedure is the bottleneck for the complainant and has been the direct reason for the

        filing his complaint. The complainant has moreover expressly stated in his statement of reply

        that the defendants have violated articles 5 and 6 GDPR.

        argue that when assessing the legal basis, the Disputes Chamber should rule ultrapetita

        doing.


    93. Also according to Defendant 1, who agrees with the position of Defendant 2, a

        supervisory authority does not require an administrative authority to verify legality

        of a regulatory framework when it has not established this framework itself, but merely

        appeals to, and when not even the beginning of evidence of a non-conformity becomes

        raised by the complainant or the supervisory authority itself. The Litigation Chamber notes

        that respondent 1 reformulates the question as asked by the Disputes Chamber as a question about

        the conformity of the current Belgian regulations regarding the processing of

        personal data with the GDPR, why the defendants state that it does not belong to them

        to the legality of the existing Belgian regulation on the processing of

        to question, defend or (knowingly) not apply personal data.











42https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-34-2020.pdf, in particular marginal nos. 67-78.
43 In the statement of reply, the complainant states:

“A fortiori, the defendants have, inter alia, but not exclusively, violated Articles 5 and 6 GDPR. Nor on the payment invitation
with the determination, nor on the tax bill for additional payment for parking, it is stated that my personal data is being processed
became. There is no trace anywhere of the processing of personal data or of privacy legislation.” Decision on the substance 31/2022 - 26/27



    94. It is clear that the Litigation Chamber has not asked for any review of the Belgian

       Regulations concerning GDPR. It has been requested, as clarified repeatedly, or the defendants

       are of the opinion that it is sufficient for them to have a deliberation in order to

       can proceed to the processing of personal data of the data subjects, and whether they believe

       that they thus have a legal basis within the meaning of Article 6.1 GDPR, or whether they op

       still have obligations based on their accountability under the GDPR. Leave this point
       both defendants unanswered, notwithstanding they do have the opportunity

       to take a position on this matter and to assert their rights of defence. She

       however, both explicitly chose not to take a position.


    95. In the circumstances outlined above, in particular the fact that possible ambiguities in

       the Belgian regulatory framework are mainly the result of choices of a regulatory nature, it is
       however, it is appropriate for the defendants not to impose any sanction other than the order de

       processing in accordance with the GDPR, as set out below.





III. Publication of the decision


    96. Given the importance of transparency with regard to decision-making by the

       Litigation Chamber, this decision will be published on the website of the
       Data Protection Authority. However, it is not necessary for this to include the identification data

       of the complainant are disclosed directly, however, stating the

       identification data of the defendants in view of the public interest of the present case

       decision, on the one hand, and the inevitable re-identification of the defendants in case of

       pseudonymization, on the other hand. Decision on the substance 31/2022 - 27/27





   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decides, after deliberation, on the basis

   of art. 100, §1, 9° WOG, to order the defendants that the processing becomes compliant

   brought with Articles 5.1, a); 12.1. and 14.1 a) GDPR, as well as articles 5.2 and 24 GDPR, namely

   within a period of two months, and the Data Protection Authority

   same deadline.


   Against this decision, pursuant to Art. 108, §1 WOG, appeals are lodged within a

   term of thirty days, from the notification, at the Marktenhof, with the

   Data Protection Authority as defendant.








(Get). Hilke Hijmans

Chairman of the Litigation Chamber