APD/GBA (Belgium) - 136/2023

From GDPRhub
APD/GBA - DOS-2022-00360
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 14(1) GDPR
Article 14(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 30(1) GDPR
Article 38(3) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 20.01.2022
Decided: 28.09.2023
Published: 03.10.2023
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2022-00360
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: Matthias Vandamme

The Belgian DPA reprimanded a Flemish municipality for violating Article 5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article 25 GDPR, as a result of their insufficient technical and organisational measures, and insufficient privacy policy.

English Summary[edit | edit source]

Facts[edit | edit source]

On 22 August 2020, the data subject sent an email to the controller, a Flemish municipality, in which he stated that he had previously received two letters from them, but suspected one to be a fraudulent letter. The data subject noticed a difference in the use of fonts and numbers between the two letters and therefore believed one to be fake. In their email of 22 August 2020, the data subject informed the controller of the letters, and asked whether the controller's templates for correspondence had been changed.

The controller had not changed their letter template, therefore they considered the data subject's email to be a report of a fraud attempt and launched an investigation into the matter. As part of the fraud investigation, the controller contacted the data subject's ex-wife regarding the matter. However, in the controller's communications to the data subject's ex-wife, the controller shared the data subject's name and email address without the data subject's knowledge or consent. After, the data subject discovered that the controller had shared his contact details with his ex-wife without his consent.

On 14 November 2021, the data subject lodged a complaint with controller, as a municipal public body, regarding the transmission of his contact details to his ex-wife.

On 14 December 2021, one month after the original complaint, the controller informed the data subject that the investigation into his complaint could not yet be concluded and that they would provide a reply as soon as possible.

On 10 January 2022, the controller communicated to the results of their fraud investigation to the data subject. However, they did not address his original clarification request regarding the transmission of his contact details to his ex-wife. Following this communication, on 31 January 2022, the data subject filed a complaint with the Belgian DPA, as the controller's response was insufficient.

On 22 February 2022, the Belgian DPA before considering the complaint, transferred it to the DPA's Inspectorate, as the data subject's complaint was against a public body. Consequently, an investigation was launched into the overall compliance of the municipality's processing operations.

Holding[edit | edit source]

It is not clear from the DPA's decision what the outcome of their investigation was regarding the data subject's original complaint. However, following the results of the Inspectorate's investigations, the Belgian DPA found that the controller had committed several GDPR violations, including of Article 5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article 25 GDPR.

Firstly, the DPA found that the controller's internal technical and organisational measures were in violation of the following Articles: Article 5(1)(f) GDPR ('integrity and confidentiality'), Article 5(2) GDPR ('accountability'), Article 24(1) GDPR, Article 25(1) GDPR and Article 25(2) GDPR. The DPA found that the controller had breached the above Articles because there were several deficiencies in their internal organisation, which left the controller vulnerable to a data breach. The DPA emphasised that the controller as a public body, was subject to higher data security standards, because of the significant amount of sensitive personal data it processes in the fulfilment of its tasks and duties. Moreover, the controller was in breach of the principle of accountability because they were unable to demonstrate that they had implemented the necessary technical and organisational measures.

Secondly, the DPA found that the controller's privacy policy was in violation of the following Articles: Article 5(1)(a) GDPR ('transparency'), Article 12(1) GDPR, Article 13(1) GDPR, Article 13(2) GDPR, Article 14(1) GDPR and Article 14(2) GDPR. The DPA found that the controller's privacy policy failed to provide a sufficiently detailed account of the precise legal bases, processing purposes, and the personal data used. The privacy policy was not clear regarding what data was processed for what purpose and under which legal basis. The DPA held that the controller should provide an overview of distinct, well-defined purposes for which personal data is processed, along with an indication of the (categories of) personal data used, their sources, and the (categories of) recipients with whom they may be shared. Moreover, the DPA noted that the controller's privacy policy did not clearly state the retention periods for the relevant personal data or the criteria used to determine them. The policy only referred to legal retention periods under public administration law, the DPA found this to be insufficient

Lastly, the DPA found that the controller was in violation of Article 30(1) GDPR ('records of processing activities'). The register of processing activities (ROPA) was incomplete. The contact details of the controller and the data protection officer, as well as a description of the categories of data subjects and categories of personal data were missing.

As a result, the Belgian DPA reprimanded the controller for the infringements of Article 5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article 25 GDPR, and ordered the controller to bring its processing into compliance.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber Decision on the merits 136/2023 of September 28, 2023
File number: DOS-2022-00360

Subject: Complaint against the processing of personal data in the context of a fraud investigation


 The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Mr Jelle Stassijns and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/ EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter WOG;

Considering the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;

Made the following decision regarding:

The complainant: Mr.

The defendant: Y, having as counsel Mr. Bert Beelen, with office at 3000 LEUVEN, Justus Lipsiusstraat 24, hereinafter “the defendant”.
 

I. Facts and procedure

1. On January 20, 2022, the complainant files a complaint with the Data Protection Authority against the defendant.
On August 22, 2020, the complainant sent an email to the defendant's services in which he reported that he had previously received two letters from the defendant, namely on January 29, 2020 and March 10, 2020. The complainant had noted that there was a difference in use. of font and number type would be between the two letters. The complainant informed the defendant of this and inquired whether the templates for the correspondence had been changed by the defendant. Since this was not the case, this email from the complainant was considered by the defendant as a notification of a possible case of fraud. Given the legal obligation to investigate reports of possible fraud, an investigation was launched. Since the complainant and his ex-wife are known to the defendant, the complainant's ex-wife was also contacted during the investigation into the possible fraud. On November 14, 2021, the complainant submitted a complaint to the defendant regarding the transfer of the emails in question - with the name and email address of the complainant - to his ex-partner. This complaint was described by the defendant as very confusing. Therefore, on November 24, 2021, the defendant's services addressed a reply to the complainant asking him to clarify his complaint during a conversation. This conversation took place on November 30, 2021. On December 14, 2021, the complainant was informed by the defendant that the investigation of his complaint could not yet be completed and that the defendant would provide him with an answer as soon as this was possible. The response to the complainant's complaint was sent to him on January 10, 2022. The investigation showed that the difference in font in the templates was the result of the use of a different printer and that therefore there was no fraud. Additional questions from the Complainant on January 12, 2022 and January 18, 2022 were answered by the Respondent on January 17, 2022 and January 24, 2022, respectively. Since the Complainant was of the opinion that the answers provided by the Respondent were insufficient, he filed the present complaint.
2. On January 31, 2022, the complaint will be declared admissible by the First Line Service on the basis of Articles 58 and 60 of the WOG and the complaint will be transferred to the Disputes Chamber on the basis of Article 62, § 1 of the WOG.
3. On February 22, 2022, in accordance with Article 96, § 1 WOG, the request from the Disputes Chamber to conduct an investigation will be submitted to the Inspection Service, together with the complaint and the inventory of the documents.
 

4. On April 6, 2022, the investigation by the Inspection Service will be completed, the report will be added to the file and the file will be transferred by the Inspector General to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG).
The report contains findings regarding the subject of the complaint and concludes that:
1. an infringement of Article 5 of the GDPR, Article 24.1 of the GDPR and Articles 25.1 and 25.2 of the GDPR; and
2. an infringement of Articles 12.1, 12.2 and 12.6 of the GDPR, Articles 13.1 and 13.2 of the GDPR and Articles 14.1 and 14.2 of the GDPR, Article 5.2 of the GDPR, Article 24.1 of the GDPR and Article 25.1 of the GDPR.
The report also contains findings that go beyond the subject of the complaint. The Inspection Service determines, in broad terms, that:
3. an infringement of Article 30.1 of the GDPR; and

4. an infringement of Articles 38.1 and 38.3 of the GDPR and Article 39.1 of the GDPR.

5. On April 12, 2022, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98 WOG that the file is ready for treatment on the merits.
6. On April 12, 2022, the parties involved will be informed by email of the provisions stated in Article 95, § 2, as well as those in Article 98 WOG. They are also informed, pursuant to Article 99 of the WOG, of the deadlines for submitting their defenses.
As regards the findings relating to the subject matter of the complaint, the deadline for receipt of the defendant's response was set at May 24, 2022, that for the complainant's response on June 14, 2022 and finally this for the defendant's response on July 5, 2022.
The deadline for receipt of the response for findings going beyond the subject of the defendant's complaint was set at May 24, 2022.
7. On April 19, 2022, the complainant will electronically accept all communications regarding the case.

8. On May 2, 2022, the defendant will electronically accept all communications regarding the case.

9. On May 23, 2022, the Disputes Chamber will receive the response statement from the defendant regarding the findings regarding the subject of the complaint. First of all, the defendant challenges the authority of the Data Protection Authority (hereinafter: GBA) by stating that the Flemish Supervisory Commission (hereinafter: VTC) is competent to handle this case, or that a
 

a preliminary question in this regard should be submitted to the Constitutional Court. On the merits, the defendant does not dispute the findings of the Inspection Service, but points out that the infringements raised have already been remedied. This conclusion also contains the defendant's response regarding the findings made by the Inspection Service outside the scope of the complaint. The defendant does not dispute these findings either, but it also points out that it has since done what is necessary to remedy these infringements.
10. On June 27, 2022, the Disputes Chamber will receive notification from the complainant that he will not submit a response.
11. Subsequently, the defendant also did not submit any statements of rejoinder.

12. On May 8, 2023, the parties will be notified that the hearing will take place on June 23, 2023.
13. On June 23, 2023, the parties will be heard by the Disputes Chamber.

14. The minutes of the hearing will be submitted to the parties on June 28, 2023.

15. On July 3, 2023 and July 5, 2023, the Disputes Chamber will receive some comments from the complainant regarding the official report, which it decides to include in its deliberations.
16. The Disputes Chamber does not receive any comments from the defendant regarding the official report.
II. Justification

II.1. Competence of the Disputes Chamber

1. The defendant argues that the Data Protection Authority, including its bodies and therefore also including the Disputes Chamber, would have no jurisdiction in this case. The defendant states that the VTC is authorized to monitor compliance with the (constitutional) legal and other regulatory provisions on personal data protection implemented by an authority as referred to in Article 10/1,
§1 of the Decree of 18 July 2008 on electronic administrative data traffic1 (hereinafter: the “Decree of 18 July 2008”) when this supervision falls within a regional authority.




1 Cf. Article 10/1 of the Decree of 18 July 2008 “concerning electronic administrative data traffic”, as inserted by Article 20 of the Decree of 8 June 2018 “adapting the Decrees to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)” (hereinafter the “GDPR decree”). B.S. June 26, 2018.
 

2. Pursuant to Article 57.1.f) GDPR and Article 51.1 GDPR, all Member States determine which public authority will carry out the supervisory functions and that it is possible to designate more than one supervisory authority. Following the GDPR, the law of 3 December 2017 establishing the Data Protection Authority2 (hereinafter: “WOG”) was adopted.
3. The GBA was thus established on the basis of Article 4, §1, first paragraph of the WOG. It is true that, as Article 4, § 1, second paragraph, WOG expressly confirms, the Länder can also set up data protection authorities themselves, as already indicated by the Council of State in its opinion no. 61.267/2/AV of 27 June 2017 3 ( see below). In implementation of this article, the Flemish legislator has established the Flemish Supervisory Commission (hereinafter: “VTC”) by Article 10/1 of the Decree of 8 June 2018”.4
4. In its judgment of October 26, 2022, the Market Court ruled that the plea relied on by the defendant contesting the authority of the GBA to monitor compliance with the GDPR by municipalities and that only the Flemish supervisory committee for the processing of personal data is competent is to monitor the processing of personal data by Flemish municipalities and to handle complaints in that regard in accordance with Article 10/1, §1, and Article 10/7, §4, of the decree of 18 July 2008 on electronic administrative data traffic, legally fails. The Market Court hereby confirms that the GBA, and therefore the Disputes Chamber, is indeed authorized to hear a complaint about the processing of personal data by a Flemish municipality.
II.2. Article 5 GDPR.

II.2.1. Article 5. 1.f) GDPR

II.2.1.1. Findings in the Inspection Report

5. The first element that is the subject of the Inspectorate's investigation concerns the assessment of the extent to which the defendant has taken the necessary technical and organizational measures to comply with the basic principles of data protection, in accordance with Article 5.1.f GDPR.



2 BS January 10, 2018.
3 Adv.RvS no. 61.267/2 of 27 June 2017 on the preliminary draft law 'reforming the Commission for the Protection of Privacy', rn. 7.1-7.2. See also, for example, Adv.RvS, no. 66.033/1/AV of 3 June 2019 on a draft decision of the Flemish Government of 10 December 2010 'implementing the decree on private employment mediation, with regard to the introduction of a registration obligation for sports agents', 4; Adv.RvS., no. 66.277/1 of 2 July 2019 on a draft decision of the Flemish Government 'containing further rules for the processing, storage and evidentiary value of electronic data regarding allowances in the context of family policy ', 6- 7.
4 B.S. June 26, 2018.
 

6. The Inspection Service determines that these obligations have not been met and the following considerations apply:
• the defendant did not provide documents showing what measures and decisions were taken to safeguard these personal data principles. The documents provided by the defendant only relate to the security of personal data (Article 5.1.f) GDPR);
• The defendant's “Safety Charter” and “Safety Principles” documents state that they have not yet been approved;
• The documents “Information Security Plan” and “Presentation on Security to the Board of Mayor and Aldermen” do not state when they were approved and it also states at the bottom of each page “City of Leuven” which is not the defendant;
• The document “Information Security Cell Steering Committee Report” does not state when it was approved and what decisions were taken by the defendant;
• The document “KSZ Compliance based on the KSZ questionnaire” does not state when it was approved and what decisions were taken by the defendant;
• Training on “professional secrecy” for employees of the defendant is useful, but in itself insufficient to make them aware of the importance of appropriate security of personal data.
II.2.1.2. Defendant's position

7. The defendant answers these findings in her conclusions. The defendant argues that additional measures and decisions have been taken that ensure that the principles regarding personal data are indeed guaranteed, both in terms of internal organization and privacy policy. A full-time internal information security advisor was recruited and a 2021 information security plan with a focus on IT security was drawn up. The principles and timing of the current information security plan 2021 were incorporated in the explanation given to the Mayor and Aldermen. All policies and frameworks have been created for local government as a whole (such as the city itself, but also the Y and its non-profit organizations). Furthermore, a three-year plan is drawn up with a technical and legal-organizational component. At the municipal council of April 26, 2021, an additional budget was provided to focus on information security and privacy. On June 28, 2021, the cooperation agreement was approved involving the support of a data protection officer for the city of Leuven and, among others, the Y with Interleuven
 

was closed. The security charter, including privacy policy, was further refined and tested. In addition to professional confidentiality training, data protection training was also developed for staff. An internal phishing campaign was developed to make employees aware of the dangers of phishing. Due to technical problems, this action had not yet been rolled out organization-wide at the time of the exchange of the conclusions. The report of the Information Security Cell Steering Committee will be approved at the next meeting on June 23, 2022. With regard to the document “KSZ Compliance based on the KSZ questionnaire), the defendant argues that the date of signing is stated with each individual signature. The general manager signed the document on August 4, 2021. The findings and possible adjustments listed as a result of completing the KSZ questionnaire were included in the preparation of the new information security plan. Finally, the defendant states that the Y employment regulations strictly sanction violations of the GDPR and that the professional secrecy, to which every employee of the Y is bound, is criminally sanctioned on the basis of Article 458 of the Criminal Code.
8. On June 21, 2023 and during the hearing, the defendant will submit the information security plan together with the approval decision of the Board of Mayor and Aldermen dated. June 16, 2023.
II.2.1.3. Assessment by the Disputes Chamber

9. Pursuant to Article 5.1.f) GDPR, personal data must be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”).
10. The Dispute Chamber notes that the Inspectorate had identified several shortcomings, both in terms of internal organization and data protection policy. As also argued by the defendant in its conclusions, additional measures and decisions were taken to safeguard data protection principles. As far as the information security cell is concerned, it was divided into a steering group at strategic level with directors and experts on the one hand and a working group at tactical-operational level with staff members and experts on the other.
11. Regarding the data protection policy, a full-time internal information security advisor was hired to support the external data protection officer, and an information security plan was drawn up, including a strong focus on technical IT security measures.
12. The Disputes Chamber also refers to the information security plan that was submitted on June 21, 2023. The Disputes Chamber notes that this approved information security plan
 

sets out the policy on the protection of personal data, as well as its practical implementation.
13. The Disputes Chamber takes into account the statements of the defendant and the documents submitted during the hearing and concludes that there is a historical infringement of Article 5.1.f) GDPR as the established infringements have been remedied in the meantime.
14. The Disputes Chamber points out that the defendant, due to its status as a government service, has an exemplary role in the field of compliance with the legislation on the protection of personal data. Another factor is that this government service processes a large amount of (sensitive) personal data. In accordance with the “lead by example” principle, it must therefore ensure at all times that it acts in accordance with the aforementioned legislation and in particular the above-mentioned essential provisions of the GDPR. A properly functioning government service can be expected to have the necessary policy documents that meet the requirements of the GDPR.
II.2.2. Article 5. 1. b)-e) GDPR

15. With regard to the other basic principles from Article 5.1.b) to e) the Dispute Chamber determines that the Inspection Report does not contain sufficient indications or evidence to demonstrate that there has been a violation of these principles.
II.3. Article 5.1.a (transparency), Article 12.1, 12.2 and 12.6, Article 13.1 and 13.2, Article 14.1 and 14.2 GDPR

II.3.1. Findings of the Inspection Service

16. In implementation of the transparency principle in Article 5.1.a GDPR, it is necessary, on the basis of Article 12.1, Articles 13.1 and 13.2 and Articles 14.1 and 14.2 GDPR, that the controller, in this case the defendant, provides concise, transparent and understandable information to data subjects. concerns about the personal data that are processed. In its capacity as controller, the defendant must implement Articles 12, 13 and 14 of the GDPR.
17. In the present case, the Inspection Service concludes that the defendant has committed a violation of Articles 12.1, 12.2 and 12.6 GDPR, Articles 13.1 and 13.2 GDPR and Articles 14.1 and 14.2 GDPR as the privacy statement contains incorrect information and is incomplete.
18. First, the Inspection Report concludes that the defendant's privacy statement is not transparent and understandable, as required by Article 12.1 GDPR, and contains incorrect information from a data protection perspective, due to the following findings:
 

• firstly, the defendant wrongly creates the perception in its privacy statement that it fully complies with the GDPR. However, the report shows that the defendant commits several violations of the GDPR;
• secondly, the defendant's privacy statement incorrectly states that data subjects will receive an answer to exercise their right "at the latest 30 days after we have received your application and proof of identity"; and
• thirdly, the defendant's privacy statement is not clear and therefore not transparent to those involved with regard to:
i. the terms “personal data” and “data” used interchangeably,
ii. the purposes and legal grounds of the processing as these are only described in vague terms,
iii. the transfer of personal data, as there is no transparent information available about the possible legal basis for transfer to others;
iv. the storage period of personal data, as it is clear which (legal) retention periods this applies in practice, and
v. the changes that were made as it is not stated when the last change was made nor what exactly was changed.
19. Secondly, the Inspection Service also notes that the defendant's privacy statement is incomplete because not all information required to be stated under Articles 13 and 14 GDPR is actually stated, as no information is provided about:
• the contact details of the data protection officer;

• the processing purposes and legal basis for the processing;

• the recipients or categories of recipients; and

• the storage period or the criteria for determining that period.

II.3.2. Defendant's position

20. In its conclusions, the defendant states that its entire privacy statement has been completely revised to respond to all comments formulated by the Inspection Service in the Inspection Report, thereby complying with Article 12.1 GDPR. The privacy statement has also been completed, so that the following information is no longer missing: the contact details of the data protection officer, the
 

processing purposes and the legal basis for processing, the recipients or categories of recipients of personal data and the storage period or the criteria for determining that period. The defendant emphasizes that it has always shown the will to comply with all provisions of the GDPR. After receiving the Inspection Report, the defendant took the necessary steps to remedy the violations.
II.3.3. Assessment by the Disputes Chamber

21. The Disputes Chamber must assess whether the defendant's privacy statement meets the requirements as prescribed by Article 5.1.a (transparency), Article 12.1, 12.2,
12.6. Articles 13.1, and 13.2, and Articles 14.1 and 14.2 GDPR.

22. Article 12.1 GDPR requires the controller to take “appropriate measures” to ensure that the data subject receives the information referred to in Articles 13 and 14 relating to the processing in a concise, transparent, intelligible and easily accessible form and in clear and simple language, especially when the information is specifically intended for a child'.
23. In this regard, the Litigation Chamber refers to the Data Protection Working Party's transparency guidelines5 which provide as follows: "Every company with a website should publish on that site a statement or notice on the protection of privacy. A direct link to this privacy statement or notice should be clearly visible on each page of the website, under a commonly used term (e.g. "Confidentiality", "Confidentiality Policy" or "Privacy Notice". 6 The Data Protection Working Party states that "all information sent to a data subject should also be accessible in a single place or in the same document (on paper or in electronic format) that can be easily consulted by that person if he or she sent to him wishes to consult."7
24. The Disputes Chamber notes that the complainant was informed about the disputed processing via the privacy statement available on the website. However, the Disputes Chamber notes that not all essential information was communicated in an understandable manner.
25. First of all, the Disputes Chamber notes in this context that the privacy statement does not state in sufficient detail the precise legal basis(s), the


5 Predecessor of the European Data Protection Board (EDPB).
6 Working Party "Article 29", "Guidance on transparency under Regulation (EU) 2016/679", revised version adopted on 11 April 2018 (available at: https://ec.europa.eu/newsroom/article29/items/622227 ), point 11. 7 Working Party "Article 29", "Guidance on transparency under Regulation (EU) 2016/679", revised version adopted on 11 April 2018 (available at: https://ec.europa.eu/newsroom/ article29/items/622227), point 17.
 

purposes of the processing and the personal data used, as required by Article 13.1 13.2 and Article 14.1 GDPR. The Disputes Chamber notes that the privacy statement does mention these elements, but that the manner in which this is done is not understandable and transparent for those involved, as it is not clear to the data subject which data is processed for what purpose and on what legal basis this is done. Ideally, the controller should provide an overview of the various clearly defined purposes for which it processes personal data, each indicating which (categories of) personal data are processed for this purpose, from which source they were obtained, for how long they are kept and with which (categories of) recipients they (can) be shared.8
26. Secondly, the Disputes Chamber notes that the privacy statement does not clearly state the retention periods of the personal data involved or the criteria for determining this, as required by Article 13.2.a) and Article 14.2.a) GDPR. As also appears from the Guidelines of the Data Protection Working Party, a reference to the statutory retention periods is not sufficient. This specifies that “the storage period (or the criteria for determining it) may be dictated by factors such as legal requirements or sectoral guidelines, but must always be formulated in such a way that the data subject, on the basis of his or her own situation, can assess the retention period for specific data/purposes”.9
27. Thirdly, the Disputes Chamber points out that in the context of the transparency principle, the controller must facilitate the exercise of the data subject's rights under, among others, Article 15 of the GDPR, pursuant to Article 12.2 of the GDPR.
28. The Disputes Chamber notes that the current privacy statement on the defendant's website10 contains the following passage:
“If we are not convinced of your identity, we may ask you to submit or send a copy of your ID.”
29. As explained by the EDPB, a request to exercise the rights under Chapter III. of the GDPR in principle only relate to personal data of the data subject who submits the request.11



8 This allows data subjects to request specific information via a request for the right of access to which individual recipients the personal data are communicated, see, among others, CJEU, January 12, 2023, Österreichische Post AG, C-154/21, ECLI:EU:C :2023:3.
9 Guidelines on Transparency in accordance with Regulation (EU) 2016/679, WP260rev1 adopted on 29 November 2017, p 25.
10 Consulted on September 18, 2023.
11 EDPB – Guidelines 01/2022 on data subject rights - Right of access, v1.0, January 18, 2022, para. 46.
 

30. Although the GDPR does not impose any requirements on the methods for establishing the identity of the data subject, Article 12.6 of the GDPR provides for the possibility for the controller, where appropriate and to the extent that he can demonstrate that he is unable to identify the data subject submits the request, request additional information from the data subject before acting on his request. However, in this regard, the general rule is that a controller cannot request more personal data than is necessary to enable that identification, and that the use of that information should be strictly limited to complying with the request of the data subjects.12 Recital 57 GDPR furthermore clarifies that the controller is under no obligation to collect additional identification data solely in order to respond to a request from a data subject.
31. In other words, the controller who duly demonstrates — as required by the accountability obligation under Article 5.2 of the GDPR — that he cannot identify a data subject may lawfully refuse to respond to a request to exercise the rights, but in such cases he must, under Article 11.2 GDPR to inform the data subject of this situation and to inform him or her what additional information is required for identification.13
32. The European Guidelines also clarify that, in cases where the controller requests additional information necessary to confirm the identity of the data subject, the controller must assess each time which information will specifically enable him to confirm the identity of the data subject . If necessary and to the extent that this is proportionate, he may ask additional questions to the requesting person or request the data subject to provide some additional identification elements.14
33. The defendant will therefore always have to make such a consideration when requesting additional identification data in the context of the exercise of rights by a data subject. Neither the complaint, nor the Inspection Report or other documents in the file indicate that the defendant would have requested additional identification data in the context of the complainant's exercise of his rights. The Disputes Chamber points out that it agrees with the Inspection Service that a general provision regarding the transfer of additional identification data as initially formulated in the privacy statement is not proportionate in the light of the aforementioned European guidelines.


12 EDPB – Guidelines 01/2022 on data subject rights - Right of access, v1.0, January 18, 2022, para. 59-60.
13 EDPB – Guidelines 01/2022 on data subject rights - Right of access, v1.0, January 18, 2022, para. 64.
14 EDPB – Guidelines 01/2022 on data subject rights - Right of access, v1.0, January 18, 2022, para. 65.
 

34. In view of all the foregoing, the Disputes Chamber finds a violation of Article 5.1.a) (transparency), Article 12.1, Article 13. 1 and 13.2 and Article 14.1 and 14.2 of the GDPR with regard to stating the necessary information in an unclear manner, as well as not explicitly stating the retention period in the privacy statement. . The Disputes Chamber determines that there was a violation of Articles 12.2 and 12.6 of the GDPR to the extent that the aforementioned general provision in the privacy statement examined by the inspection service regarding the submission of additional identification data is not proportional in the light of the aforementioned European guidelines, but that this has now been remedied in the new privacy statement.
II.4. Article 5.2, Article 24.1 and Article 25. 1 and 25.2 GDPR.

II.4.1. Findings in the Inspection Report

35. The controller must comply with the principles set out in Article 5 GDPR and be able to demonstrate this. This follows from the accountability obligation as included in Article 5.2 in conjunction with Article 24.1 GDPR. Pursuant to Articles 24 and 25 GDPR, each controller must take appropriate technical and organizational measures to ensure and demonstrate that the processing takes place in accordance with the GDPR.
36. In its Inspection Report, the Inspection Service determines that Articles 5.2, Articles 24.1 and 25.1 and 25.2 GDPR were violated.
37. Firstly, the Inspectorate notes that the defendant has not complied with its obligations under Article 5.2, Article 24.1 and Articles 25.1 and 25.2 GDPR. To this end, the Inspection Service refers to the measures and decisions taken to ensure compliance with the principles regarding personal data to the documents and their shortcomings set out in section II.2.1.1.
38. Secondly, the Inspection Service concludes that the defendant does not demonstrate which appropriate technical and organizational measures were taken to comply with the information obligations provided for in Articles 12 to 14 GDPR, as set out in part II.3.1 of this decision .

II.4.2. Defendant's position

39. As already explained in parts II.2.1.2 and part II.3.2, the defendant argues that the infringements found had already been remedied at the time of filing the claims.
II.4.3. Assessment by the Disputes Chamber
 

40. The Dispute Chamber recalls that each controller must comply with the basic principles of the protection of personal data as set out in Article
5.1 GDPR must be complied with and must be able to demonstrate this. This follows from the accountability obligation in Article 5.2 of the GDPR in conjunction with Article 24.1 of the GDPR as confirmed by the Disputes Chamber15.
41. Pursuant to Articles 24 and 25 of the GDPR, the defendant must take appropriate technical and organizational measures to ensure and demonstrate that the processing takes place in accordance with the GDPR. The defendant must effectively implement the data protection principles, protect the rights of data subjects and only process personal data that is necessary for each specific purpose of the processing.
42. As part of its investigation, the Inspection Service assessed the extent to which the defendant has taken the necessary technical and organizational measures to comply with these principles from Article 5.1 GDPR and in particular the principle of transparency and integrity.
43. The Disputes Chamber determined in part II.2.1.3 that there was a breach of the obligations under Article 5.1.f) GDPR regarding the principle of integrity. The Disputes Chamber ruled in part II.3.3 that there was also a breach of the transparency obligations as included in Articles 12.1, 12.2, 12.6 and Article 13. 1 and
13.2 GDPR with regard to plain language and the indication of retention periods in the privacy statement.
44. The Disputes Chamber therefore concludes that the defendant could not demonstrate that it has taken the necessary technical and organizational measures to comply with these obligations. Consequently, the Disputes Chamber decides that there was a violation of Article 5.2, Article 24.1 and Article 25.1 and 25.2 GDPR with regard to the obligations arising from Article 5.1, f) GDPR on the one hand and Article 5.1.a) (transparency), Article 12.1 ,
12.2 and 12.6, articles 13.1 and 13.2 and articles 14.1 and 14.2 GDPR on the other hand.

45. With regard to accountability in the context of compliance with the basic principles of the GDPR as included in Article 5.1, b) to e) GDPR, the Disputes Chamber determines that there are insufficient elements to conclude that this has been violated.
II.5. Article 30. 1 GDPR

46. Pursuant to Article 30 GDPR, each controller must keep a record of the processing activities carried out under its responsibility.

15 Decision on the merits 34/2020 of June 23, 2020 available via the web page https://www.gegevensbeschermingsautoriteit.be/professioneel/publicaties/besluit.
 

Article 30.1.a) to g) GDPR stipulates that, with regard to the processing operations carried out in the capacity of controller, the following information must be available:
(a) the name and contact details of the controller and any joint controllers and, where applicable, of the representative of the controller and of the Data Protection Officer;
b) the purposes of processing;

c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
e) where applicable, transfers of personal data to a third country or an international organization, including the indication of that third country or international organization and, in the case of transfers referred to in Article 49.1, second paragraph of the GDPR, the documents on the appropriate safeguards;
f) where possible, the envisaged time limits within which the different categories of data are to be erased;
g) if possible, a general description of the technical and organizational security measures referred to in Article 32.1 GDPR.
47. In order to effectively implement the obligations contained in the GDPR, it is essential that the controller (and processors) have an overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to assist the controller in complying with the GDPR for the various data processing operations it carries out because the register makes its main characteristics visible. The Disputes Chamber is of the opinion that this processing register is an essential instrument in the context of the aforementioned accountability obligation (Article 5.2 and Article 24 GDPR) and that this register forms the basis for all obligations that the GDPR imposes on the controller. It is therefore important that this is complete and correct.
48. The Inspection Service makes the following observations regarding the defendant's register of processing activities. The register of the defendant's processing activities does not meet the minimum requirements referred to in Article 30.1 of the GDPR. In concrete terms, the following mandatory information is missing:
 

a) the contact details of the defendant and the data protection officer (cf. Article 30.1.a) of the GDPR); and
b) a description of the categories of data subjects and of the categories of personal data (cf. Article 30.1.c) of the GDPR).
49. In its conclusions, the defendant does not dispute the Inspection Service's finding. However, the defendant points out that after taking note of the Inspection Service's report, the necessary efforts were made to adjust the register of processing activities in accordance with the obligations arising from the GDPR.
50. The defendant submitted the amended register of processing activities. The Disputes Chamber notes that this amended register of processing activities includes the contact details of the controller and the data protection officer, as well as a description of the categories of data subjects and the categories of personal data.
51. The Disputes Chamber does point out that the defendant has made efforts to comply with the obligations arising from Article 30 GDPR, albeit after receiving the comments from the Inspection Service.
52. The Disputes Chamber therefore establishes that the register of processing activities at the time of the Inspectorate's investigation did not meet the requirements of Article 30 GDPR, resulting in a violation of Article 30 GDPR. This does not change the fact that this has now been resolved.

II.6. Articles 38.1 and 38.3 of the GDPR and Article 39.1 of the GDPR

II.6.1. Findings in the Inspection Report

53. The Inspectorate's report finds that the defendant has not complied with the requirements regarding the position of the Data Protection Officer under Articles 38.1 and 38.3 GDPR and the duties of the Data Protection Officer under Article 39.1 GDPR.
54. The Inspection Service makes the following findings regarding the data protection officer, as summarized below:
• the defendant does not demonstrate that its data protection officer was properly and timely involved in the context of the complaint. A consultation via MS Teams of which no report is submitted is insufficient for proper and timely (documented) involvement; and
 

• the defendant does not demonstrate that its data protection officer reports effectively to the highest management level, i.e. the Y council.
II.6.2. Defendant's position

55. With regard to the Inspection Service's determination regarding Article 38.1 GDPR, the defendant argues that the consultation moments via MS Teams demonstrate that the data protection officer was involved in a timely manner. The defendant received an email from the complainant regarding the problems in the complaint on November 16, 2021. Consultations were scheduled on November 18 and 24, 2021.
56. The defendant disputes the findings of the Inspection Service in connection with Article 38.3 GDPR and argues that they are incorrect. As already stated, the Inspection Service has established on the defendant's website that the Y-council is the highest administrative body of the defendant, and deduces from this, wrongly according to the defendant, that the Y-council is also the highest management body of the defendant. The defendant points out that there is a difference between the highest administrative body and the highest management body. According to Article 38.3 GDPR, the data protection officer must report to the highest management body and not the highest administrative body. The Y council does not manage the Y's staff. In accordance with Article 170 of the Decree of 22 December 2017 on local government16 (hereinafter: Local Government Decree), the general director is responsible for the general management of the Y's services. and is in charge of the Y's staff. Neither the permanent office nor the municipal council can interfere in the organization of the management of the Y's services, nor can they provide any guidance to the Y's staff since this is the exclusive authority of the general manager. The defendant argues that the data protection officer reports to the general manager, who therefore reports to the most senior manager and therefore acts in accordance with Article 38.3 GDPR.
II.6.3. Assessment by the Disputes Chamber

57. The Disputes Chamber recalls that Article 38.1 GDPR requires the controller to ensure that the data protection officer is involved in a timely and proper manner in all matters related to the protection of personal data.
58. The Disputes Chamber establishes that the defendant has provided screenshots
which shows that MS Teams consultation moments with the subject 'GDPR complaint M.R'


16 BS February 15, 2018.
 

have taken place, on the basis of which the Disputes Chamber cannot determine that the data protection officer would not have been involved (in a timely manner). The Disputes Chamber therefore finds no infringement of Article 38.1 GDPR. However, the Disputes Chamber points out that, in view of the accountability obligation as understood in Article 5.2 and Articles 24 and 25 of the GDPR, a report on these consultation moments could have better demonstrated that the data protection officer was involved in a timely and proper manner in response to the email from the complainant.
59. Article 38.3 GDPR states that the Data Protection Officer should report directly to the senior management of the controller or processor. The Data Protection Working Party guidelines on the Data Protection Officer provide the following explanation for the reporting to the senior management referred to in Article 38.3 GDPR: “If the controller or processor makes decisions that are not in line with the General Data Protection Regulation and the advice of the Data Protection Officer, the latter should be given the opportunity to express his/her dissent to the top management and those making the decisions”. In this regard, Article 38.3 GDPR provides that the Data Protection Officer shall “report directly to the most senior management of the controller or processor”.17 Such reporting ensures that senior management (e.g. the board of directors ) is aware of the advice and recommendations provided by the Data Protection Officer in the context of his mission to inform and advise the controller or processor.
60. The Disputes Chamber notes that the defendant states that the general manager is competent for personnel matters on the basis of Article 170 of the Local Government Decree. However, the Disputes Chamber points out that the data protection policy is much broader than just personnel matters. The Disputes Chamber cannot therefore agree with this position of the defendant. The Disputes Chamber recalls that it has already stated that in a municipality, the mayor and aldermen are the highest day-to-day management level. Consequently, the data protection officer must report directly to this council in accordance with Article 38.3 GDPR.18 By analogy with the foregoing, it must therefore be stated that the data protection officer of a Y must report directly to the permanent office, the body that the highest daily management level of the Y. Considering it

17 Guidelines for the Working Group Data Protection Officer 29, WP 243 rev.01, p.19, adopted by the EDPB.
18 Decision 15/2020 dated. April 15, 2020, can be consulted via https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-15-2020.pdf.
 

above, the Disputes Chamber concludes that the data protection officer does not report directly to the highest management level, which constitutes a violation of Article 38.3 GDPR.
61. Pursuant to Article 39.1 GDPR, the Data Protection Officer must (a) inform and advise the controller of its obligations under the GDPR and other Union or Member State data protection provisions and (b) monitor compliance with the GDPR, other Union or Member State law Member State data protection provisions and the policies of the controller or processor relating to the protection of personal data, including the allocation of responsibilities, awareness and training of staff involved in the processing and the relevant audits. The Dispute Chamber notes that the defendant provides several documents showing that the data protection officer is involved and informs and advises the defendant on data protection aspects. The Disputes Chamber therefore determines that there is no infringement of Article 39.1 GDPR.
III. Sanction

1. Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority to:

1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order a suspension of the ruling; 4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance;
10° order the correction, restriction or deletion of data and its notification to the recipients of the data;
11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the action taken on the file;
 

16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
2. When assessing the appropriate sanction and/or corrective measure, the Disputes Chamber takes into account the corrective measures taken by the defendant.
3. In these circumstances, the Dispute Chamber decides to reprimand the defendant in accordance with Article 100, § 1, 5° of the WOG with regard to:
• the historical breaches of Article 5.1.f) GDPR regarding the lack of a detailed and implemented information security plan. The Disputes Chamber takes into account the approved information security plan that was submitted on June 21, 2023 and the measures that the defendant had already taken after receiving the Inspection Report.
• the historic infringement of Articles 12.2 and 12.6 GDPR for not facilitating the exercise of the rights of data subjects by incorrectly stipulating that data subjects “will receive a response to their request no later than 30 days after we have received your application and proof of identity”.
• violations of Article 5.1.a) (transparency), Article 12.1, Article 13.1 and 13.2 and Article 14.1 and 14.2 GDPR with regard to stating the necessary information in an unclear manner, as well as not explicitly stating the retention period in the privacy statement.
• The infringements regarding the obligation of accountability under Article 5.2 GDPR and the obligation to take appropriate technical and organizational measures to comply with the requirements of the GDPR and to protect the rights of data subjects (Article 24. 1 and Article 25 . 1 and 25.2 GDPR) in view of the established historical infringements of Article 5.1.f) GDPR on the one hand and Articles 12.1, 12.2, 12.6, Articles 13.1 and 13.2 and Articles 14. 1 and 14.2 GDPR on the other.
• the historical infringements of Article 30.1 GDPR as several mandatory entries from Article 30.1 GDPR were not included in the register of processing activities. The Disputes Chamber takes into account the fact that the defendant had already submitted an amended register of processing activities before the hearing.
• not reporting violations of Article 38.3 GDPR directly to the highest management level.
4. The Disputes Chamber will dismiss the other grievances and findings of the Inspection Service because, based on the facts and documents from the file, they do not belong to the
 

it may be concluded that there has been an infringement of the GDPR. These grievances and findings of the Inspection Service are therefore considered manifestly unfounded within the meaning of Article 57. 4 of the GDPR.19


IV. Publication of the decision

1. Given the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary to directly disclose the identification data of the parties for this purpose.



Pursuant to Article 108, § 1 of the WOG, an appeal against this decision can be lodged with the Market Court (Brussels Court of Appeal) within a period of thirty days from the notification, with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition which must contain the information listed in Article 1034ter of the Judicial Code20. It

19 See point 3.A.2 of the Dismissal Chamber's dismissal policy, dated. June 18, 2021, can be consulted via https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschilkamer.pdf.
20 The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;
4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought;
 

an inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judiciary Code21, or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).




(get). Hielke HIJMANS
Chairman of the Disputes Chamber










































6° the signature of the applicant or his lawyer.
21 The petition with its appendix shall be sent by registered letter to the clerk of the court or deposited at the registry, in as many copies as there are parties involved.