APD/GBA - 34/2020

From GDPRhub
APD/GBA - 34/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 23.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 34/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
French
Original Source: GBA (in NL)
APD (in FR)
Initial Contributor: n/a

GBA found that the use of personal data obtained from the national data-bank of vehicles by insurance companies for the purpose of creating personalized price offers constitutes violation of Articles 5, 6, 12, 13 and 14 of GDPR. The agency that maintains this data base, the Federal Public Service Mobility and Transportation, was ordered to bring its data processing in compliance with Articles 5 and 6 within 6 months and Articles 12, 13 and 14 within 3 months. GBA has also issued a reprimand for the violation of Articles 12-14. No fines were issued because the predecessor of GBA had reviewed and issued conditions under which this processing could be approved back in 2017 under the previous data protection law.

English Summary[edit | edit source]

Facts[edit | edit source]

In May 2019 the Inspection service of the GBA started an investigation into the Federal Public Service Mobility and Transportation. GBA wanted to know about the information portal NV Informex, its access to the national data-bank of vehicles and the fact that data from this data-bank was shared with insurance companies for the purposes of creating personalized price offers to its potential customers. The report of the Inspection service found the following violations: 1. Breach of the principles of purpose limitation (Article 5) and lawfulness (Article 6) of processing; 2. Breach of the responsibilities of a controller (Article 24), security of processing (Article 32) and violation of the obligation to notify supervisory authority of the personal data breach (Article 33); 3. Breach of the requirements for designation (Article 37) and position (Article 38) of data protection officer; 4. Breach of the obligation to cooperate with the supervisory authority (Article 31); 5. Breach of transparency (Article 12) and information provision (Article 13) obligations.

Dispute[edit | edit source]

Holding[edit | edit source]

The Dispute Chamber of the GBA found that the use of personal data obtained via the data-bank of vehicles by customers of NV Informex, in particular insurance companies, for the purpose of creating personalized price offers constitutes direct marketing and violates Articles 5 and 6 of the GDPR and Article 25 of the Royal Decree of 8th of July 2013. The Federal Public Service Mobility and Transportation was ordered to bring this personal data processing in compliance with GDPR within 6 months.

The Dispute Chamber also issued a reprimand against the Federal Public Service Mobility and Transportation for violating Articles 12, 13, 14 of GDPR and ordered to bring the relevant information provisions in compliance with GDPR within 3 months.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Page 1
1/35
Litigation room
Substance decision 34/2020 of 23 June 2020
File number: DOS-2019-02426
Subject: Processing of personal data entered in the Crossroads Bank of the
vehicles
The Litigation Chamber of the Data Protection Authority, composed of Mr. Hielke
Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive
95/46 / EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter
WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Page 2
Substance decision 34/2020 - 2/35
has taken the following decision on:
- the Federal Public Service for Mobility and Transport, City Atrium, Vooruitgangstraat 56 -
1210 Brussels, with company number 0308.357.852, hereinafter “the defendant”.
1. Facts and procedure
1. On 3 April 2019, the Executive Committee of the Data Protection Authority shall decide on the basis of
Article 63, 1 ° WOG to file a file with the Inspection Service as it
found serious indications that certain insurance companies are gaining access
to the personal data contained in the Crossroads Bank for the vehicles and that this access
would be used for the commercial reuse of this
personal data. More specifically, these insurance companies would have this access
available through the information platform Informex NV.
2. On 3 May 2019, the Inspection Service will send a letter to the
respondent, who is the controller of the personal data included in the
Crossroads Bank for Vehicles, in which it asks a number of questions to the latter:
1. “Since when have you been aware of the aforementioned practice of NV Informex (please
with copy of correspondence and supporting documents added)? Since when is your
data protection officer (please add
copy of supporting documents)?
2. What specific measures have been taken since you became aware of the
aforementioned practice of NV Informex (please add relevant documents
hereby supporting your approach)? What was the advice of your official before
data protection (please include a copy of that advice)?
3. How do you appreciate the purpose limitation and legality of the practice that exists in it
systematic reuse of personal data from the KBV by Informex NV through it
platform www.audagarage.com on behalf of various insurers for the online
determining a premium proposal in accordance with the KBV Act 1 and its implementing decrees and
having regard to the privacy statement of the Federal Public Service for Mobility and Transport on the
webpage https.//mobilit.belgium.be/en/privacy?
1 Law of 19 May 2010 establishing the Crossroads Bank for Vehicles, BS 28 June 2010.
Page 3
Substance decision 34/2020 - 3/35
4. Who is since when you became your data protection officer and how
that choice actually justified? Became your data protection officer
registered with the GBA? You may have tasks, including any tasks that are unrelated
with data protection, and its precise position in your organization chart
document organization based on relevant documents?
5. Is the aforementioned practice of NV Informex qualified by you as an infringement?
in connection with personal data: why or not? And why was that made
if necessary, have not yet reported to the GBA? ”
3. The respondent replied to these questions from the Inspection Service by letter of 29 May 2019.
4. By letter of 6 June 2019, the Inspection Service makes its preliminary findings and one
number of additional questions to the defendant.
5. On 19 August 2019, the Inspection Service will be in accordance with Article 91, §2 WOG
inspection report to the chairman of the Disputes Chamber, as a result of which the Disputes Chamber
is based on Article 92, 3 ° WOG.
In its report, the inspection service does within the scope of the serious indications
observations related to:
• compliance with the purpose limitation (Article 5.1 b) GDPR) and the legality of the
processing (Article 6.1 GDPR); as well
• compliance with the responsibility of the controller
(Article 24 GDPR), security of processing (Article 32 GDPR) and notification
of a personal data breach to the supervisory authority
government (Article 33 GDPR).
The Inspection Service also makes a number of additional findings, outside the scope of the
serious indications, in particular concerning:
• compliance with the provisions regarding the appointment of an official for
data protection (Article 37 GDPR) and the position of the official for
data protection (Article 38 GDPR);
• compliance with the obligation to cooperate (Article 31 GDPR and Article 66.2 WOG); and
• compliance with the transparency obligations (Article 12 GDPR) and the te
provide information (Article 13 GDPR).
Page 4
Substance decision 34/2020 - 4/35
6. On 24 September 2019, the Disputes Chamber will decide on the basis of Articles 95, §1, 1 °, and 98
WOG that the complaint is ready for substantive treatment.
7. The respondent will be informed of the registered letter of 24 September 2019
fact that the complaint is ready for substantive treatment and it will also be processed on the basis of
Article 99 WOG notified of the deadline to submit his defenses.
8. On 28 October 2019, the defendant lodges and requests its reply
under Article 98, 2 ° WOG to be heard.
9. On 4 May 2020, the defendant will become, in accordance with Article 53 of the Internal Rules of Procedure
order heard by the Disputes Chamber.
10. On 6 May 2020, in accordance with Article 54 of the Rules of Procedure
official report of the hearing to the defendant.
11. On 15 May 2020, the defendant submits his observations, which, in accordance with Article 54,
Paragraph 2 of the Internal Rules of Procedure as an appendix to the minutes of questioning
attached.
2. Legal basis
Article 5.1 b) GDPR
1. Personal data must: (…)
(a) processed in a manner that is lawful, proper and
is transparent ('lawfulness, fairness and transparency'); b) for specific, express
defined and legitimate purposes are collected and may not continue further
processed in a manner incompatible with those purposes; the further processing with a view to
archiving in the public interest, scientific or historical research or statistical
purposes shall not be considered incompatible with the original in accordance with Article 89 (1)
purposes considered ('purpose limitation');
Article 6.1 GDPR
Page 5
Substance decision 34/2020 - 5/35
1. Processing is lawful only if and to the extent that at least one of the following is provided
conditions are met:
(a) the data subject has consented to the processing of his personal data for
one or more specific purposes;
b) the processing is necessary for the performance of an agreement involving the data subject
or, at the request of the person concerned, to take measures before concluding an agreement
take;
c) the processing is necessary to comply with a legal obligation imposed on the
controller responsible for rest;
d) the processing is necessary for the vital interests of the data subject or of another
protect natural person;
(e) the processing is necessary for the performance of a task carried out in the public interest or a task
as part of the exercise of official authority vested in the controller
ordered;
(f) the processing is necessary for the defense of the legitimate interests of the
controller or of a third party, except where interests or fundamental rights and
the fundamental freedoms of the data subject requiring the protection of personal data,
outweigh those interests, especially when the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing by public authorities under the
performing their duties.
Article 12 GDPR
1. The controller shall take appropriate measures to ensure that the data subject in the
Articles 13 and 14 and the information referred to in Articles 15 to 22 and 34
communication related to the processing in a concise, transparent, understandable and
easily accessible form and in plain and simple language, especially when
the information is specific to a child. The information is provided in writing or with others
resources, including, where appropriate, electronic resources. If the
the person concerned so requests, the information may be provided orally, provided that
the person's identity has been proved by other means. (…)
5. The provision of the information referred to in Articles 13 and 14 and the provision of the
communication and taking the measures referred to in Articles 15 to 22 and Article
34 are provided free of charge. When requests from a data subject are manifestly unfounded or excessive
Due in particular to their repetitive nature, the controller may either: (a) a
charge a reasonable fee in light of the administrative costs involved in providing it
of the requested information or communication and taking the requested measures
Page 6
Substance decision 34/2020 - 6/35
to go; or b) refuse to act on the request. It is up to the controller
to demonstrate the manifestly unfounded or excessive nature of the request.
6. Without prejudice to Article 11, the controller may, where he has reasons to
question the identity of the natural person making the request as referred to in the Articles
15 to 21, request additional information necessary to confirm the identity of
the data subject.
7. Information to be provided to data subjects under Articles 13 and 14 may be provided
using standardized icons, to give the data subject a useful overview, in one
clearly visible, understandable and clearly legible form of the intended processing.
When the icons are displayed electronically, they are machine-readable.
8. The Commission is empowered to adopt delegated acts in accordance with Article 92 to
determine which information the icons should display and through which procedures the
standardized icons should be created.
Article 13 GDPR
1. When personal data concerning a data subject is collected from that person,
the controller shall provide the data subject with the acquisition of the personal data
all the following information:
(a) the identity and contact details of the controller and, where applicable,
from the controller's controller;
(b) where applicable, the contact details of the data protection officer;
c) the processing purposes for which the personal data are intended, as well as the legal basis
for processing;
(d) the legitimate interests of the controller or of a third party, if the
processing is based on Article 6 (1) (f); (d) where appropriate, the recipients or
categories of recipients of the personal data;
(e) where applicable, the controller intends to do the
transfer personal data to a third country or an international organization; whether or not there
there is no adequacy decision by the Commission; or, in the case of Article 46, Article 47
or transfers referred to in the second subparagraph of Article 49 (1), which provide the appropriate or appropriate safeguards
how to get a copy of it or where to get it.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with
obtaining the personal data the following additional information to ensure proper and
ensure transparent processing:
a) the period during which the personal data will be stored, or if not
is possible, the criteria for determining that period;
Page 7
Substance decision 34/2020 - 7/35
(b) that the data subject has the right to request the controller to inspect and
rectification or erasure of the personal data or limitation of the processing concerning him,
as well as the right to object to the processing and the right to
data portability;
(c) where the processing is based on Article 6 (1) (a) or Article 9 (2) (a), that the
data subject has the right to withdraw consent at any time, without prejudice to this
the lawfulness of the processing based on the consent before its withdrawal;
(d) that the data subject has the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a legal or contractual obligation or a
necessary condition to conclude an agreement and whether the data subject is obliged to
provide personal data and the possible consequences if this data is not
be provided;
(f) the existence of automated decision-making, including those referred to in Article 22 (1) and (4),
referred profiling, and, at least in those cases, useful information about the underlying logic,
as well as the importance and expected consequences of that processing for the data subject.
3. If the controller intends to proceed with the personal data
for a purpose other than that for which the personal data was collected, the
controller before further processing information about the other
purpose and any relevant further information referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply if and insofar as the data subject already has information on the
information.
Article 14 GDPR
1. Where personal data has not been obtained from the data subject, the
controller shall provide the data subject with the following information:
(a) the identity and contact details of the controller and, where applicable,
from the controller's controller;
(b) where applicable, the contact details of the data protection officer;
(c) the processing purposes for which the personal data are intended, and the legal basis for
the processing;
(d) the categories of personal data concerned;
(e) where applicable, the recipients or categories of recipients of the personal data;
(f) where applicable, the controller has the intention to process the
transfer personal data to a recipient in a third country or an international
organization; whether or not there is an adequacy decision by the Commission; or, in the case of
the transfers referred to in Articles 46, 47 or 49 (1), second subparagraph, which are the appropriate ones
Page 8
Substance decision 34/2020 - 8/35
whether there are appropriate safeguards, how to obtain a copy or where to get them
consulted.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the
following information to ensure that the data subject is properly and transparently processed
to ensure:
a) the period during which the personal data will be stored, or if not
the criteria for determining that period are possible;
(b) the legitimate interests of the controller or of a third party, if the
processing is based on Article 6 (1) (f);
(c) that the data subject has the right to request the controller to inspect and
rectification or deletion of personal data or limitation of the processing concerning him,
as well as the right to object to processing and the right to
data portability;
(d) where processing is based on Article 6 (1) (a) or Article 9 (2) (a), that the
data subject has the right to withdraw consent at any time, without prejudice to this
the lawfulness of the processing based on the consent before its withdrawal;
(e) that the data subject has the right to lodge a complaint with a supervisory authority;
(f) the source of the personal data and, where appropriate, whether they originate
from public sources;
(g) the existence of automated decision-making, including those referred to in Article 22 (1) and (4),
referred profiling, and, at least in those cases, useful information about the underlying logic,
as well as the importance and expected consequences of that processing for the data subject.
3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period of time, but no later than one month after the acquisition of the
personal data, depending on the concrete circumstances in which the personal data are
processed;
b) if the personal data will be used for communication with the data subject, at the latest
at the time of the first contact with the data subject; or
(c) if communication of the data to another recipient is envisaged, at the latest
time when the personal data is first provided. (…)
Article 24 GDPR
1. Taking into account the nature, scope, context and purpose of the processing, as well as
the likelihood and severity of the various risks to the rights and freedoms of natural life
persons, the controller will find appropriate technical and organizational
measures to ensure and demonstrate that processing is in accordance with
Page 9
Substance decision 34/2020 - 9/35
this Regulation is being implemented. Those measures are evaluated and if necessary
updated.
2. Where proportionate to the processing activities, include those referred to in paragraph 1
measures an appropriate data protection policy established by the controller
is carried out. 3. Joining approved codes of conduct as referred to in Article 40 or
approved certification mechanisms as referred to in Article 42 may be used as an element
to demonstrate that the obligations of the controller have been fulfilled.
Article 31 GDPR
The controller and the processor and, where applicable, their representatives,
cooperate with the supervisory authority, when requested, in carrying out its duties.
Article 66, §2 WOG
The persons who are the subject of an inspection must cooperate to that end
grant .
Article 33 GDPR
1. If a personal data breach has occurred, the
controller without unreasonable delay and, if possible, no later than 72 hours
after having taken cognizance of it, to the supervisory body competent in accordance with Article 55
authority, unless it is unlikely that the personal data breach is a risk
means for the rights and freedoms of natural persons. If the notification to the
supervisory authority does not take place within 72 hours, it shall be accompanied by a statement of reasons
the delay.
2. The processor shall inform the controller without unreasonable delay as soon as he
has taken cognizance of a personal data breach.
3. The notification referred to in paragraph 1 shall at least describe or communicate:
(a) the nature of the personal data breach, indicating, where possible, the
categories of data subjects and personal data registers concerned and, approximately, the number
data subjects and personal data registers concerned;
(b) the name and contact details of the data protection officer or other person
contact point where more information can be obtained;
(c) the likely consequences of the personal data breach;
Page 10
Substance decision 34/2020 - 10/35
(d) the measures proposed or taken by the controller to remedy the infringement
related to personal data, including, where appropriate, measures
to limit any adverse effects thereof.
4. If and insofar as it is not possible to provide all information simultaneously, the
information is provided in steps without unreasonable delay.
5. The controller shall document all personal data breaches,
including the facts regarding the personal data breach, the consequences
thereof and the corrective measures taken. That documentation establishes the supervisory authority
authority to verify compliance with this Article.
Article 37 GDPR
1. The controller and processor shall appoint an official
data protection in any case where:
(a) the processing is carried out by a public authority or agency, except in the case
courts in the exercise of their judicial functions;
(b) a controller or the processor is primarily responsible for processing that
due to their nature, their size and / or their purposes, regular and systematic observation on
require large scale of stakeholders; or
(c) the controller or processor is mainly responsible for large-scale operations
processing of special categories of data under Article 9 and of
personal data related to criminal convictions and offenses as referred to
in Article 10.
2. A group may appoint one data protection officer, subject to the official for
data protection is easy to contact from any location.
3. Where the controller or processor is a public authority or
governmental authority, one data protection officer may be appointed for
various such bodies or bodies, taking into account their organizational structure and
size.
4. In cases other than those referred to in paragraph 1, it may or, where appropriate, be governed by Union or Member State law
is mandatory, the controller or processor or associations and others
bodies representing categories of controllers or processors, a
appoint a data protection officer. The data protection officer may
to act for such associations and other bodies carrying categories of
represent controllers or processors.
5. The data protection officer shall be appointed on the basis of his professional duties
qualities and, in particular, expertise in the field of legislation and practice
on data protection and its ability to perform the tasks referred to in Article 39.
Page 11
Substance decision 34/2020 - 11/35
6. The data protection officer may employ a staff member of the
controller or processor, or may perform the tasks under a
provide service agreement.
7. The controller or processor shall provide the contact details of the official
for data protection and inform the supervisory authority.
Article 38 GDPR
1. The controller and the processor shall ensure that the official for
data protection is properly and timely involved in all matters related
with the protection of personal data.
2. The controller and processor shall support the officer
data protection in the performance of the tasks referred to in Article 39 by accessing it
provision of personal data and processing activities and the necessary means by him
to make available for the fulfillment of these tasks and the maintenance of them
expertise.
3. The controller and the processor shall ensure that the official before
data protection does not receive instructions regarding the performance of those tasks. He
shall not be fired or punished by the controller or processor for the
performance of his duties. The data protection officer reports directly
to the senior manager of the controller or processor.
4. Data subjects can contact the data protection officer about all
matters related to the processing of their data and to the exercise
of their rights under this Regulation.
5. The data protection officer is in the performance of his duties
in accordance with Union or Member State law on confidentiality or confidentiality
kept. 6. The data protection officer may perform other duties and obligations. The
controller or the processor ensures that these tasks or duties do not become one
conflict of interest.
Page 12
Substance decision 34/2020 - 12/35
3. Justification
3.1.1. Regarding the purpose limitation findings (Article 5.1 b) GDPR) and the
lawfulness of processing (Article 6.1 GDPR)
12. In its report 2, the Inspection Service essentially determines that from the documents in the file
it appears that the defendant had been aware since 2017 that Informex NV had previously
ensures that insurance companies can make use of certain
personal data from the Crossroads Bank for the vehicles, so that these
companies can provide a personalized price offer based on this information
drafting for potential policyholders.
13. The Inspection Service points out in this respect that Article 5 of the Law of 19 May 2010
establishing the Crossroads Bank for Vehicles (hereinafter “KBV Act”) what
the personal data contained in this Crossroads Bank concerns a limited number of purposes
lists the general interest and that the personal data obtained through the Crossroads Bank
should not be used for other purposes. The Inspection Service states that a
confirmation of this can be found in article 25 of the Royal Decree of 8
July 2013 pursuant to the Act of 19 May 2010 establishing the
Crossroads Bank for Vehicles (hereinafter “KB KBV”) that prohibits personal data
obtained through the Crossroads Bank of the vehicles would be used for direct
marketing purposes .
3.1.2. The situation before May 25, 2018: the advice of the CPP dated May 11, 2017
14. In his response, the defendant puts forward the first charge
of the Inspection Service have indeed been aware of the
Informex NV's intention to introduce new activities, the so-called IRES
activities, based on a vehicle registration plate, to vehicle identification
can do. The defendant clarifies that NV Informex is in the context of the aforementioned
activities wished to offer a service to insurance companies based on the
from the license plate would obtain technical data from the vehicle to them
allow online precise pricing for car insurance immediately
to feed.
2 In response to a serious instruction from the Executive Committee.
Page 13
Substance decision 34/2020 - 13/35
15. It is apparent from the documents in the file that this practice consists in practice of the
insurers, customers of NV Informex, via an online form to potential
policyholders are able to offer a personalized price calculation
requesting data subjects to choose their vehicle data
manually or provide their number plate, on the basis of which the
the insurer involved then provides the vehicle data of
the person concerned from the Crossroads Bank. This practice ensures, among other things, that
under- or overinsurance is excluded.
16. The defendant points out that, in this respect, NV Informex requested access to the
Crossroads bank of the vehicles to the defendant, but the latter this request
rejected as he believed that the intended activities were not part of the project
within the objectives of.. listed by Article 4, 4 ° Royal Decree KBV
public interest with which NV Informex, as an information platform with regard to
vehicles that are the subject of an accident 3 are charged, in particular:
"- security, and improving consumer protection (eg through
provide services on the budget for damage to vehicles after an accident, the
compilation of vehicle accident statistics, communication of information on
vehicles after an accident to the government, and the fight against fraud to the
vehicle insurance and the protection of vehicle safety);
- enable global fleet management, including disused
vehicles (for example, by providing services for the damage assessment to
vehicles after an accident, the provision of methods to vehicles carrying it
subject to an expertise to sell publicly, compiling statistics of
vehicle accidents, and communication of vehicle information after an accident to the
government);
- enabling the technical inspection of vehicles after an accident (eg
by providing services related to the budget for damage to vehicles after an accident,
and communication of information about vehicles after an accident to the government);
- the control by the competent authorities of the regulations governing the management of
vehicles scrapped due to an accident;
- avoiding fraud in vehicle insurance. "
17. The defendant therefore considered that Informex NV could not appeal in this matter
to the exemption for obtaining an authorization from the Sectoral Committee in accordance with
3 Cf. www.informex.be .
Page 14
Substance decision 34/2020 - 14/35
Article 5 of the Royal Decree that states: “ The natural and legal persons listed in Article 4 are…
also exempt from prior authorization from the Sectoral Committee for the
information they need to achieve the information set out in Article 4
purposes ”.
18. The defendant claims that he consequently referred Informex NV to the competent court
Sectoral Committee established at the Commission for the Protection of Personal Rights
Privacy (hereinafter “CPP”) in order to obtain an authorization in accordance with article
18 KB KBV.
19. It appears from the documents in the file that NV Informex had various contacts thereon
with the CBPL, which was finally delivered in an opinion of 11 May 2017 to NV Informex
confirmed that the IRES activities under the exemption of Article 4 of the Royal Decree in conjunction with
Article 5 of the Royal Decree on KBV. The CBPL states that although these activities are not specific
relate to vehicles which were the subject of an accident, these
nevertheless fall within the scope of the purposes of Article 4 of the Royal Decree
since they stem from a preventive use of Informex's damage platform
NV.
20. However, the CPP attached a number of conditions to the use of this data
in the context of the above-mentioned activities, in particular:
1. Obtaining the license plate of the vehicle from the person concerned by the customers
of NV Informex can only take place on the basis of the permission of
data subject.
2. Informex NV must conclude a contract with its customers, the latter of which
guarantee that the purposes of the processing will be stated in the RBFA
respected.
3. Informex NV must ensure that those involved are informed in advance
regarding the use of their license plate.
4. Informex NV must ensure access logging and ensure that it
lawful use of its services by its customers.
5. The contracts with Informex NV's customers must provide for provisions
concerning the use of the registration plate as an access key for the technical
vehicle data.
6. Informex NV and its customers must comply with the provisions of the (applicable at the time
being) Act of 8 December 1992 on the protection of privacy
to comply with the processing of personal data (hereinafter “WPV”),
especially regarding the retention periods and the security of the processing.
Page 15
Substance decision 34/2020 - 15/35
21. The defendant points out that, on the basis of this advice from the CPP, the defendant subsequently
NV Informex provided access to the data of the Crossroads Bank of the
vehicles.
22. However, he adds that he has access to it before it is granted
supervised that the conditions imposed by the CBPL were set by NV Informex
adhered to.
23. With regard to the above, the Disputes Chamber points out that the advice is provided
by the CBPL predates the application of the GDPR and that the CBPL as well as its
sectoral committees were abolished by the law of 30 July 2018 on the
protection of individuals with regard to the processing of
personal data (hereinafter “the Framework Act ”). 4
The processing involved
personal data in the context of the IRES activities of NV Informex
consequently, to be assessed under the new legal framework since 25 May 2018, in particular
the provisions of the GDPR. The GDPR assumes an accountability of one
controller and does not provide prior consultation and
authorization by an external body with public authority. 5
3.1.3. The situation after May 25, 2018: assessment against the GDPR
A. Identification of the controllers involved (Article 4.7 GDPR)
24. In accordance with Article 4.7 GDPR, it must be the controller
considered: the “ natural or legal person, government agency, service or other
body that, alone or together with others, the purpose and means of the processing
of personal data ”.
25. In its case-law, the Court of Justice has the concept of “controller”
has been widely interpreted several times in order to ensure effective and complete protection of the
insure those involved. The Court also pointed out that this notion “ does not
necessarily refers to a single body and can refer to several
4 Cf. Article 280 of the Law of 30 July 2018 on the protection of natural persons with regard to the
processing of personal data.
5 Subject to Article 36 GDPR, not relevant here.
Page 16
Substance decision 34/2020 - 16/35
participants in this processing, each of which is subject to the provisions in the field of
data protection ”. 6
26. In accordance with Group Opinion 1/2010 29, the Disputes Chamber assesses the
status of the controller (s) concerned in concrete terms . 7
27. In the present case , the Disputes Chamber finds that, in the processing of
personal data obtained through the Crossroads Bank for vehicles in the context of
the IRES activities, both the defendant and NV Informex as well as its customers (the
insurance companies) should become controllers
qualified as they each have the purpose and means of their respective
determine processing processes.
28. For the defendant, this role arises as controller of the
personal data concerned derives from Article 6 of the KBV Act in conjunction with Article 30 of the KBV KBV
determine that these are administrators of the Crossroads Bank for vehicles
is the controller of the personal data stored in this Crossroads Bank
are located.
29. With regard to NV Informex, Article 5 of the KBV Act in conjunction with Article 4, 4 ° of the KBV stipulates that
it processes the personal data contained in the Crossroads Bank for the vehicles in the
in the context of the fulfillment of the general objectives stated in Article 5 of the Royal Decree
interest with which it was entrusted (see marginal 16 above ).
30. In addition to the defendant and NV Informex, the customers of the latter serve, in particular
the insurance companies, also as controllers within the meaning
of Article 4.7 GDPR to be qualified for the processing processes they
, in particular the processing of the personal data in the context of the
prepare their personalized quotes.
31. Accordingly, each of the aforementioned parties is in its capacity of
controller in accordance with the provisions of Articles 5.2 and 24 GDPR
6 See, inter alia, CJEU, 5 June 2018, C-210/16 - Wirtschaftsakademie Schleswig-Holstein, ECLI: EU: C: 2018: 388, recitals 27-29.
7 See Group 29, Opinion 1/2010 on the terms “controller” and “processor”, 16 February 2010 (WP 169),
as clarified by the GBA in a note “Overview of the concepts of controller / processor in light
of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection
of natural persons in connection with the processing of personal data (GDPR) and some specific applications for
liberal professions such as lawyers ”.
Page 17
Substance decision 34/2020 - 17/35
accountability for its processing process responsible for compliance with
the principles of the GDPR and its demonstration.
B. Lawfulness grounds for processing (Article 6.1 GDPR)
32. According to Article 6.1 GDPR, processing of personal data is only
lawfully if and insofar as this occurs under one of the provisions of this article
listed grounds for legality.
33. The processing of personal data contained in the Crossroads Bank for vehicles
is done by each of the controllers identified above on
on the basis of another lawfulness ground.
34. However, the question arises whether these legitimacy grounds can be used for
the processing under discussion in the present proceedings, whereby, in the context
of the IRES activities of NV Informex, data obtained via the Crossroads Bank
of the vehicles are passed on to third parties (especially the insurers that customer
the latter).
35. The defendant processes the data from the Crossroads Bank of the vehicles on land
of Article 6 of the KBV Act in conjunction with Article 30 of the KBV KBV, which stipulate that these
is responsible for the processing of personal data held in the Crossroads Bank
are located. In this capacity, the defendant is therefore responsible for the
processing of this data and serves it on the basis of the provisions in Articles 5.2 and
24 GDPR contained an accountability obligation to ensure that it complied with the principles
regarding the processing of personal data of Article 5.1 GDPR.
36. NV Informex uses for the processing of the personal data obtained via the
Crossroads bank of the vehicles as processing ground the tasks of general interest
which are granted to it by the RBFA (see marginal 16 above ).
37. It appears from the documents in the file that NV Informex communicates the data
from the Crossroads Bank for vehicles to insurers under the IRES
activities - with a view to drawing up personalized quotes for
insurance - specifically based on the public interest objectives contained in
Article 4, 4 °, points 1 and 5 of the KBV, in particular: “ the security and the improvement of the
Page 18
Substance decision 34/2020 - 18/35
consumer protection (…) ”and“ avoiding fraud to the
vehicle insurance ”. 8
38. The customers of NV Informex - the insurers - process the personal data
pursuant to Article 6.1 a) GDPR based on the consent of the data subjects.
39. In particular, it is apparent from the documents in the file that, within the framework of the IRES
activities, the clients of NV Informex potential policyholders who online an
request price calculation for a vehicle insurance, offer them the opportunity
license plate, which is subsequently issued by NV Informex customers as
identification key is used to retrieve the vehicle data in the
Crossroads Bank for the Vehicles.
40. The consent of those involved is requested by means of a pop-up
message that must answer the question “ Do you accept that we are your
use number plate to make you an offer? With " I accept " or " I.
refuse ”.
41. With regard to this ground of legality, the Disputes Chamber notes that the
permission can only be legally valid if it meets the conditions contained in it
in Article 4.11 and recital 32 GDPR 9 and if it relates to a processing
which is not prohibited by law (cf. infra under C.2.).
C. Purpose limitation (Article 5.1 b) GDPR)
C.1. General
42. In accordance with Article 5.1 b) of the GDPR, personal data is used “ for specific,
explicitly defined and legitimate purposes [to] be collected and allowed
[these] subsequently no longer become incompatible with those purposes
processed; further processing for archiving in the public interest,
8 Section 7 respondent's file.
9 Article 4.11 GDPR defines consent as: “any free, specific, informed and unambiguous expression of will with which the
data subject by means of a statement or unequivocal active act concerning him processing
accepts personal data ”. Recital 32 of the GDPR states that “consent must be given by means of a
clear active action, for example a written statement, including by electronic means, or an oral one
statement, which shows that the data subject is free, specific, informed and unambiguous with the processing of
personal data. This could include clicking a box when visiting an Internet website, it
selecting technical bodies for information society services or another statement or another
act clearly demonstrating in this context that the data subject agrees to the proposed processing of his data
personal data".
Page 19
Substance decision 34/2020 - 19/35
scientific or historical research or statistical purposes shall be in accordance
Article 89 (1) not considered incompatible with the original objectives. " This
article defines one of the basic principles concerning the processing of
personal data, in particular the so-called “purpose limitation”.
43. As regards the processing of personal data contained in the Crossroads Bank of the
vehicles, in the light of this provision of the GDPR, reference should be made to
Article 5 of the KBV Act in conjunction with Article 4 of the KBV KBV, which is an exhaustive list
contain the legal persons who have access to the Crossroads Bank and the
purposes for which they may process the aforementioned data ( see above ).
44. It is on the basis of these legal provisions (and more specifically article 4, 4 ° Royal Decree KBV)
that NV Informex, as controller, also processes the data from the
Crossroads Bank processed for the realization of its allocated by the Royal Decree
powers and purposes.
45. As mentioned above, NV bases Informex as an information platform
concerning vehicles subject to an accident the person concerned
processing in particular for the purposes of general interest contained in Article 4, 4 °,
points 1 and 5 RBFA, in particular: “ security, and improving the protection of
the consumer (…) ”and“ avoiding fraud in vehicle insurance ”.
46. ​​However, the Disputes Chamber considers that the service offered by insurers,
where on the basis of the registration plate the data of the vehicle in the Crossroads Bank of
vehicles are called up in order to prepare personalized quotes, not
can be classified under these general interest purposes of the RBFA.
After all, this service concerns the commercial relationship between the insurer and its customers and
not the realization by NV Informex of the tasks assigned to it by this Royal Decree
(among other things) consumer protection and the fight against fraud.
47. The Disputes Chamber therefore considers that this processing complies with Article 5.1 b) GDPR
violates the purpose limitation principle .
C.2. "Direct Marketing Purposes"
48. Second, it should be noted that, in accordance with Article 25 of the Royal Decree of the Royal Decree, the 'via
personal data obtained at the crossroads bank may not be used for
purposes of 'direct marketing' ”.
Page 20
Substance decision 34/2020 - 20/35
49. The question therefore arises whether or not it can be considered in this case that the processing of
the number plate by the customers of NV Informex and in particular the use of this
personal data as identification key with a view to drawing up personalized
quotes for potential policyholders (those involved) as "direct marketing"
the meaning of Article 25 of the Royal Decree must be considered.
50. Although the RBFA contains an express prohibition on the use of the data contained in
the Crossroads Bank for direct marketing purposes, the KB itself does not define this
understanding.
51. In the report to the King to the Royal Decree, this ban is explained as follows: “ Because not
only public services and non-profit organizations that offer adequate guarantees of independence
with regard to the commercial sector and application of the WFP, but also associations with a
private law capacity, should be able to transfer certain data via
to consult the Crossroads Bank, it is expressly provided that through the Crossroads Bank
personal data obtained may not be used for purposes of 'direct
marketing '”.
52. The GDPR also uses the term “direct marketing” in its article 21 on the right of
objection, but does not contain a definition of this concept either.
53. Partly for this reason, the Data Protection Authority notified it on 17 January 2020
Recommendation 1/2020, in which it builds on the definition included in the proposal
of Regulation of the European Parliament and of the Council on respect for the
privacy and the protection of personal data in electronic communications and up to
repeal of Directive 2002/58 / EC 10, "Direct marketing" defines as follows:
“ Any communication, in whatever form, requested or unsolicited, from a
organization or person and aimed at the promotion or sale of services, products (whether or not
not for payment), as well as brands or ideas addressed by an organization or person
acting in a commercial or non-commercial context directly addressed to
one or more natural persons in a private or professional context and who handle the processing
of personal data entails ”. 11
10 COM (2017) 10. Art. 4 of the proposal defines "direct marketing messages": "Any form of advertising, both
written as oral, addressed to one or more identified or identifiable electronic end users
communication services, including the use of automatic calling and communication systems with or without human
interaction, e-mail, SMS, etc. ”.
11
Recommendation Data Protection Authority No. 01/2020 of 17 January 2020 on the processing of
personal data for direct marketing purposes, marg. 14.
Page 21
Substance decision 34/2020 - 21/35
54. It follows from this definition, first, that not only unsolicited but also solicited
communication should be regarded as direct marketing, if and insofar as this
is aimed at the promotion and / or sale of goods or services, is directly aimed at
to one or more natural persons and involves the processing of personal data.
55. Recommendation 01/2020 specifies in this regard that “ messages addressed to a
interested or to a customer / affiliate / subscriber / member equally under direct
marketing communication [falling] ”and that a prospect or interested person stands out
from a customer in the sense that it concerns a potential customer who has information about the products
whether has requested services from the organization concerned but is not yet an undertaking
contracted with the latter.
56. In view of the above, the Disputes Chamber is of the opinion that the present practice,
whereby the customers of NV Informex - being car insurers and consequently trading in
a private law capacity - personal data obtained “ via the Crossroads Bank of
indeed process the vehicles ” 12 with a view to drawing up individual price offers
should be regarded as direct marketing and thus under the prohibition of article 25 KB
KBV falls.
57. The relevant processing of personal data from the Crossroads Bank concerns:
i.
" A requested or unsolicited communication ", in this case in particular the transfer of
a personalized quote to potential policyholders;
ii.
" Originating from an organization acting for commercial purposes ", in particular the
insurance company, customer of NV Informex;
iii.
" Aimed at the sale of products or services ", in this case the sale of a
vehicle insurance;
iv.
" Which is addressed directly to one or more natural persons ", in particular the
data subjects who are applicants for an insurance offer; and
v.
" Which involves the processing of personal data ", in this case the
license plate as identification key for retrieving data from the
Crossroads bank of the vehicles, as well as the identification data of those involved.
58. The Disputes Chamber considers that the fact that the processing of the relevant
data by the customers of NV Informex is based on the consent of
involved in this case does not mean that this process is valid, since it
12 Cf. article 25 KBV KBV.
Page 22
Substance decision 34/2020 - 22/35
use of the personal data concerned for this processing purpose - especially direct
marketing - absolutely and explicitly prohibited by law (Article 25 of the KBV). The
consent can never be legally valid if it relates to a processing
which is prohibited by law.
59. Moreover, this practice requires the processing of personal data by various actors,
including NV Informex, which - at the request of its customers and on the basis of the
license plate as identification key - the necessary data from the Crossroads Bank of the
requests vehicles. In the present case , Informex NV processes this data for the purpose of it
allow its customers a personalized price offer for a vehicle insurance policy
to set. As mentioned above, the aforementioned purpose does not appear in the exhaustive
list of purposes of Article 4, 4 ° RBFA, making such processing a violation
implies the principle of purpose limitation of Article 5.1 b) GDPR on behalf of the NV
Informex.
3.1.4. Conclusion
60. The Disputes Chamber points out with regard to the findings of the Inspection Service
on the lawfulness of processing and purpose limitation, on that a
processing is not lawful when the lawfulness ground is based on
of which a controller processes certain personal data
used for the processing of those personal data for purposes other than
those that are determined in an exhaustive manner by the legal basis used.
61. In the present case , the Disputes Chamber is of the opinion that the processing involving personal data
from the Crossroads Bank of the vehicles are transferred by NV Informex to
its customers in order to allow the latter to provide personalized quotes
cannot fall under the general interest objectives of Article 4 of the Royal Decree
and therefore violates Articles 5.1 (b) (principle of the
purpose limitation) and 6.1 GDPR (lawfulness of processing). This processing concerns
after all, the commercial relationship between the insurers and their (potential) customers is
not necessary for the fulfillment of the information supplied by NV KBV to NV Informex
assigned tasks of general interest.
62. In addition, the Disputes Chamber points out that under the terms of Article 25 of the Royal Decree KBV via the
Crossroads Bank for vehicles may not be personal data obtained
used for direct marketing purposes. The present practice, whereby the customers of
Page 23
Substance decision 34/2020 - 23/35
NV Informex - being car insurers acting in a private law capacity -
personal data obtained " via the Crossroads of the vehicles ' 13 handle with an eye
on drawing up individual price offers should indeed be considered as direct marketing
considered and thus falls under the prohibition of Article 25 of the Royal Decree.
63. The Disputes Chamber states that the GDPR carries out the processing in question by the
insurance companies under the consent of those involved as
does not stand in the way of this, under the conditions set in the GDPR, but that it
current legal framework - in particular the RBFA - does not allow this processing. If the
however, the legislator considers that this practice serves the public interest
if necessary, the statutory regulation should be amended. The Dispute Chamber
gives the defendant a longer period than usual in this respect (viz
six months) to reconcile processing.
64. The Disputes Chamber emphasizes that the defendant, in his capacity as administrator
of the Crossroads Bank for the vehicles and controller of the
personal data, should ensure that it complies with the principles of
the processing of personal data and in accordance with the applicable legal framework
are processed.
65. However, the Disputes Chamber finds on the basis of the documents in the file that the
the respondent in this case in good faith and in accordance with the advice of the former CPPL
acted, and in his capacity as controller also supervised
exercised on compliance with this advice. The Dispute Chamber therefore considers that
in accordance with the principle of legal certainty, it is aroused by the opinion of the CPP
trust should not be betrayed 14 and therefore the defendant for the past should not be
can be sanctioned for violation of the principle of purpose limitation under article 5.1
b) GDPR and the requirement of the lawfulness of the processing of Article 6.1 GDPR.
66. The Disputes Chamber therefore considers that an infringement of Articles 5.1 b)
and 6.1 GDPR can be ascertained, however - having regard to the principle of legal certainty and
the confidence generated by the CPP's advice of 11 May 2017
defendant - no penalty can be imposed on the latter.
13 Cf. article 25 KBV KBV.
14 A. MAST, J. DUJARDIN, M. VAN DAMME, J. VANDE LANOTTE, Overview of Belgian administrative law, Mechelen,
Wolters Kluwer, 2014, 53-54.
Page 24
Substance decision 34/2020 - 24/35
3.1.5. The deliberations of the Information Security Committee
67. Further to the findings of the Inspection Service in the present case concerning the
lawfulness of processing and purpose limitation, the defendant explained a number
deliberations of the Information Security Committee (hereinafter “IVC”) for the
Data protection authority with a view to assessing it against the higher
legal standards. 15 By means of this application, the defendant seeks to provide legal certainty
to find out whether the deliberations concerned by the deliberations allowed
communication of personal data is in accordance with the GDPR. The defendant requested the
Data protection authority in this regard also confirm that, despite this
deliberations to authorize the transfer of personal data from the IVC
capacity of controller can still decide not to transfer
to the transfer of this data.
68. The above deliberations are of particular relevance to the present case
as the IVC allows the communication of data from the
Intersection of vehicles - in particular the registration plate - to the applicant
controllers for processing purposes with a commercial aspect. 16
This is despite the defendant's reasoned position on the matter, which is in both cases
ruled that such processing would not be in accordance with the principles of the GDPR. The
in the first case, the defendant stated more specifically that there is no valid ground for admissibility
is available as the registration plate processing is not necessary to
comply with a legal obligation imposed on the controller concerned
tranquility, nor is it necessary for the performance of a task carried out in the public interest
assigned to the same controller. 17 In the second case, the
respondent that the processing of the registration plate is not in accordance with the principle of minimum
data processing of Article 5.1 c) is GDPR, since it can fulfill the intended purpose
are realized by processing the chassis number. 18 19
69. In other words, the content of these IVC deliberations creates potential
expectations with regard to the defendant that go against the view that this - in
his capacity as controller of the personal data concerned and
15 Documents 32A and 32B file defendant.
16 Deliberation No. 19/027 of 3 September 2019, amended on 14 January 2020 and Deliberation No. 20/005 of 4 February 2019
2020, both from the Federal Government Chamber of the IVC.
17 Deliberation No. 19/027, Edge No. 5.
18 Deliberation No. 20/005, marg. 6.
19 The Disputes Chamber emphasizes, however, that in the context of the present file where Informex NV personal data
passes from the Crossroads Bank for vehicles to insurance companies, no deliberation has been granted by the
IVC.
Page 25
Substance decision 34/2020 - 25/35
based on the accountability principle laid down in the GDPR - initial intake for
the relevant communications of personal data.
70. Within the current legal framework, and more specifically on the basis of Article 35/1 of the Law of
August 15, 2012 establishing and organizing a federal services integrator and
the law of 5 September 2018 establishing the Information Security Committee is the IVC
in particular, authorized to deliberate on certain communications from
personal data, including also the communication of data contained in the
Crossroads Bank for the Vehicles. 20
71. Article 35/1, § 4 of the Federal Services Integrator Act states that “ the deliberations
of the Information Security Committee, the reasons [and] a general one
binding scope [have] between the parties and towards third parties ”. 21
72. The preparatory works of the Law of September 5, 2018 state that “ it
crucial [is] that decisions can become of general binding scope
issued in the form of deliberations [so that] all actors have legal certainty
about the fact that a data sharing is legally permitted if it contains the conditions
contained in the deliberation correctly observe ” 2 2 .
73. The Disputes Chamber understands the importance of obtaining legal certainty from actors
prior to processing personal data. However, she believes it
issue binding decisions regarding the processing of personal data in
is contrary to the philosophy and provisions of the GDPR. This is particularly important
as these decisions directly affect the rights of third parties to the
protection of their personal data.
74. In particular, the Dispute Chamber refers to the one introduced by the GDPR
accountability contained in Article 5.2 in conjunction with Article 24 GDPR, which is one of the central
pillars of the GDPR and according to which controllers must state
can demonstrate that they process personal data in accordance with the principles of the
processing of personal data contained in Article 5.1 GDPR.
75. The Litigation Chamber emphasizes that such a system is therefore an ambiguous situation
creates for controllers, such as the defendant in the present case , of whom, on the one hand,
20 Law of August 15, 2012 establishing and organizing a federal services integrator, BS August 29, 2012.
21 Own underline.
22 Cf. Parl. St. Kamer, 2017-2018, no. 3185/001, p. 6; own underline.
Page 26
Substance decision 34/2020 - 26/35
is expected to provide access to the affected personal data by the
deliberations granted by the IVC, but on the other hand, pursuant to the
accountability is bound to take proactive action itself in order to
ensure that the principles on the processing of personal data have been
respected and must be able to demonstrate this 23 . All this carries a risk up to
the responsiveness of controllers, which is incompatible with
the principles of the GDPR and is contrary to Articles 5.2 in conjunction with 24 GDPR. 24
76. It is not up to the Disputes Chamber to question the role of the IVC - this is on
the legislator - nor about the appropriateness of judgments by a body such as the IVC for the
questioning practice. However, the Disputes Chamber finds that the deliberations of
the IVC cannot in itself form the basis for the processing. Obviously have
these deliberations have an important significance within the current legal framework, having regard to
a possible appeal by controllers to the principle of the protection of legitimate expectations.
77. The Disputes Chamber emphasizes that the delivery of a deliberation by the
IVC never has an obligation to notify the controller concerned
of personal data may imply. After all, the latter retains complete freedom to act
to make an opportunity assessment yourself. 25 26
78. Furthermore, the Disputes Chamber emphasizes that after a deliberation of the IVC all principles
of the GDPR, of course, continue to apply, including the principle of accountability
(Articles 5.2 in conjunction with 24 GDPR). However, the opinion of the IVC can play an important role in this
the fulfillment of the accountability by a controller. After all,
when assessing whether a controller complies with the
accountability in a specific case, the Disputes Chamber will be based on the
presumption that a judgment of an expert government body such as the IVC may be used
familiar.
25 Opinion no. 34/2018 of 11 April 2018 of the Commission for the Protection of Privacy (CBPL)
on the preliminary draft law establishing the Information Security Committee and amending various laws
on the implementation of Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council on
the protection of individuals with regard to the processing of personal data and on free movement
of that data and repealing Directive 95/46 / EC (CO-A-2018-017), marginal 13.
26 Explanatory Memorandum to Article 18 of the Law of 5 September 2018 establishing the Information Security Committee.
Page 27
Substance decision 34/2020 - 27/35
3.2.
As regards the findings on compliance with the responsibility of the
controller (Article 24 GDPR), security of processing (Article 32
GDPR) and reporting a personal data breach to the
supervisory authority (Article 33 GDPR)
79. In its report, the Inspection Service states that “ documents 4, 5 and 13 show that [the defendant]
to write to the Commission for the Protection of Privacy of
11/05/2017 (…) uses to substantiate its position that (1) the fact that Informex NV
ensures that insurance companies can make use of certain
personal data from the Crossroads Bank of the vehicles so that it
insurance companies can provide a personalized price offer to
data subjects are justified and (2) that Informex NV must take measures to
better protect the personal data concerned ”. The Inspection Service further states that the
defendant “ does not [demonstrate] that [he] took appropriate security measures and reported them
to the GBA of a personal data breach ”.
80. With regard to this charge, the defendant states in its reply that
his original position was that the so - called "IRES activities" of the
NV Informex did not fall under the exemption from authorization in accordance with Article 4 in conjunction
article 5 Royal Decree KBV, and points out that he changed this position in response to the
advice from the CPP dated 11 May 2017.
81. The defendant adds that, prior to the provision of the
access to the Crossroads Bank for vehicles, supervised by those imposed by the CPP
conditions were complied with by NV Informex (see above ). 27
82. Finally, the defendant maintains that there can be no question of unauthorized disclosure of
data and no breach related to personal data may have occurred
as he could legitimately rely on the above-mentioned CPP advice.
83. The Disputes Chamber determines on the basis of the documents in the file that the defendant has
acted in accordance with the advice given by the CPP to NV Informex on 11 May 2017.
After all, the defendant appends the exchange of letters with the NV in his reply
Informex where the defendant is the latter in his capacity of
27 See above.
Page 28
Substance decision 34/2020 - 28/35
controller requests to provide all information and documentation
on the processing of registration plates in the framework of the IRES activities of the
NV Informex.
84. Although the Disputes Chamber considers that the processing in question is an infringement related to
personal data within the meaning of Article 33 GDPR, it repeats in this respect
in accordance with the principle of legal certainty, it is aroused by the opinion of the CPP
trust should not be betrayed 28 and the defendant should therefore not be put to the past
can be sanctioned for providing access to the Crossroads Bank of
the vehicles to NV Informex as part of the so-called “IRES activities”.
The Dispute Chamber therefore considers that an infringement of Articles 24, 32 and
33 GDPR can be established, but that - having regard to the principle of legal certainty and the
confidence generated by the CBPL dated 11 May 2017
defendant - no penalty can be imposed on the latter.
3.3.
As regards the findings concerning the appointment of the official for
data protection (Article 37 GDPR) and its position (Article 38 GDPR)
86. In its report, the Inspection Service finds that “[the defendant] did not [demonstrate] how the
choice of Mr Y to exercise the function of data protection officer
is concretely justified ”and that“ [the defendant] is not a copy of documents
[submitted] demonstrating that Mr Y was notified to the GBA as an official for
data protection ”. Finally, the Inspection Service states that “[the defendant] does not demonstrate
that as a data protection officer, Mr Y will be properly and timely
involved in all matters related to the protection of
personal data and that he can carry out his assignments independently ”.
87. With regard to this charge, the defendant states in its reply that
Mr Y was chosen on the basis of his in-depth knowledge of the organization
knowledge of ICT as well as his strong analytical and synthetic thinking. The defendant points it out
further note that Mr. Y successfully completed the training to become a “certified Data Protection Officer”
and obtained ISO 27005 ('Risk Manager') and ISO 27001 ('Lead Implementer') and
attach proof of this. 29
28 A. MAST, J. DUJARDIN, M. VAN DAMME, J. VANDE LANOTTE, Overview of Belgian administrative law, Mechelen,
Wolters Kluwer, 2014, 53-54.
29 Document 23 respondent's file.
Page 29
Substance decision 34/2020 - 29/35
88. As regards the registration of Mr Y as a data protection officer with the
Data protection authority, the defendant states that it was on September 24, 2019
informed about the fact that apparently something was technical
failed to register his data protection officer as the
Inspection service could not find its registration in the database of the
Data protection authority. The defendant maintains that after taking note of this fact, he
re-registered online and received confirmation of this.
89. The Disputes Chamber points out that the defendant - in view of the fact that he is a
public authority is - pursuant to Article 37.1 (a) GDPR the obligation rests with an official
for data protection which must comply with the provisions of Articles 37 to 39
GDPR listed requirements.
90. On the basis of the documents submitted, the Disputes Chamber finds that the
data protection officer designated as defendant in accordance with Article 37.5
AVG was designated on the basis of its professional qualities and expertise on
in the field of data protection law and practice. This appears to be more specific
from the supporting documents relating to the training to
“Certified DPO” and the certificates obtained by the person concerned.
91. The Disputes Chamber is of the opinion that no infringement of Articles 37 and 38 GDPR is possible
be determined.
3.4.
As regards the findings concerning compliance with the obligation to cooperate (Article 31
GDPR and Article 66, §2 WOG)
92. In its report, the Inspection Service states with regard to compliance by the defendant with the
obligation to cooperate pursuant to Articles 31 GDPR and 66, § 2 of the WOG that the latter does not
replied to the questions asked by her within the imposed period of one month.
Second, the Inspection Service claims that the defendant did not provide a copy of the
documents that indicate the choice for Mr. Y as a data protection officer
account.
93. With regard to the first part of this indictment, the defendant states in its
conclusion of reply that this non-compliance with the inspection imposed by the Inspection Service
Page 30
Substance decision 34/2020 - 30/35
term was caused by a situation of force majeure, in particular the death of a
family member of the employee responsible for answering these questions and
the short absence of the latter as a result of this. The defendant further points out
that this was done by another employee on 2 July 2019 (in particular four days before the expiry of
the imposed term) was reported to Data Protection Authority and that became
it was announced that the reply letter would therefore be delayed by a few days
sent. Finally, the defendant adds that the answer is ultimately only three
days after the expiry of the reply period.
94. The Disputes Chamber considers that, with regard to the first indictment, the defendant's
force majeure situation justifies a delay of three days and that this does not
can be considered as an infringement of the obligation to cooperate within the meaning of Article 31
GDPR under the latter.
95. With regard to the second part of this indictment, it should be noted
The defendant sent a copy of the
documents that support the choice of Mr Y as a data protection officer.
More specifically, this concerns the job description for the position as well as the person concerned
obtained ISO certificates. 30
96. The Disputes Chamber is of the opinion that there is no infringement of Articles 31 GDPR and 66.2
WOG can be determined.
3.5.
As regards the findings on compliance with the transparency obligations
(Article 12 GDPR) and information to be provided (Articles 13 and 14 GDPR)
97. In its report, the Inspection Service states with regard to compliance with the
transparency obligations and the information to be provided pursuant to Article 13 GDPR
that some elements required by the GDPR are not mentioned in the
defendant's privacy statement, in particular:
- “the indication of the processing purposes for which the personal data are
intended (as expressed in the sentence “The purposes for which we hold your personal data
mainly relate to compliance with legal requirements
obligations and the performance of our public interest missions or those
related to the exercise of official authority ”), as well as the legal basis
30 Documents 23 and 24 of the respondent's file.
Page 31
Substance decision 34/2020 - 31/35
for processing (as expressed as “the applicable legislation”) [are] general and
vaguely worded so that they are not transparent and accessible to those involved;
- the indication of the recipients of the personal data (as expressed as
"Administrative services of the state", "Countries with which conventions or Belgium
has entered into agreements ”,“ […] ”and“ Third Parties ”) is worded in a general and vague manner such that
without additional information the list of recipients is not clear to the
data subjects; (…) ”
98. The defendant states in its reply and at the hearing on 4 May 2020
with regard to this indictment that already during the procedure an initial correction
has been implemented, but that the new version of the privacy statement is still in draft. The
The defendant adds that this was put on the agenda of a meeting of the
management committee that could not continue because of the corona crisis and says that soon
is on the agenda.
99. The Disputes Chamber points out that, in accordance with Article 12.1 GDPR, the
controller “ should take appropriate measures to ensure that the data subject
the information referred to in Articles 13 and 14 and the information referred to in Articles 15 to 22 and
communication referred to in Article 34 in connection with the processing in a summary,
transparent, understandable and easily accessible form and in clear and simple
language receives (…) ”.
100. Recitals 58 and 60 GDPR specify that “in accordance with the principles of due diligence
and transparent processing [must be] notified to the data subject
that processing is taking place and its purposes ”and that“ in accordance with the
transparency principle information intended for the public or the data subject
be concise, simple, accessible and understandable (…) ”.
101. The Disputes Chamber first establishes that the defendant's privacy statement
is incomplete as regards the personal data collected and processed by the latter.
After all, the defendant states under point 6 of its privacy statement that it
Can process " personal data of various kinds " and that it " may [in particular] be about
identification data (name, first name, date of birth, ...), contact details (address,
telephone number, ...) ”. Section 6 of the privacy statement repeats again:
“ The categories of personal data processed by the FPS Mobility and Transport are more
determined:
• identification data (name, first name, date of birth,…)
Page 32
Substance decision 34/2020 - 32/35
• contact details (address, telephone number,…)
• [...] ”
102. If and insofar as personal data are processed that are not of the data subjects
However, in accordance with Article 14.1, d) GDPR, the data subjects must be informed
categories of personal data to be specified. More generally, one
privacy statement do not contain any impediments as this indicates the inaccuracy
and incompleteness.
103. Second, it should be noted that the privacy statement is not sufficient
details the legal basis of Article 6.1 GDPR on the basis of which
the respondent processes the personal data collected by him.
104. In connection with this, thirdly, the Disputes Chamber finds that the defendant also
does not sufficiently describe the processing purposes for which the
personal data is collected. Under point 6, §2 of the privacy statement, the
legal ground and the purposes of the processing become confused
and is stated: “ The purposes for which we process your personal data,
relate mainly to compliance with legal obligations and to the
exercising our public interest missions or relating to the
exercise of official authority ”.
105. The information thus provided to data subjects is too succinct and vague
and does not allow the latter the lawfulness ground or the purposes of the
adequately understand processing.
106. In accordance with the Guidelines on Transparency drawn up by the Group 29, the
information provided on the basis of Articles 13 and / or 14 GDPR to be concrete and final and
it must not contain abstract or ambivalent formulations. The Group 29 states more
determined that “ constructions or words such as“ can ”,“ could ”,“ certain ”,“ often ”and
“Possible” (…) should be avoided ”and that,“ when controllers
choose to use indefinite language, in accordance with the principle of
accountability should demonstrate why using such language
could not be avoided and how the language used did not ensure the proper processing
undercut ”. 31 The Group 29 emphasizes that this applies in particular for the purposes of
and the legal basis for the processing.
31 “Guidelines on transparency in accordance with Regulation (EU) 2016/679” adopted on 29 November 2017 by the
Group 29, p. 9-10.
Page 33
Substance decision 34/2020 - 33/35
107. Fourth, it should be noted that the retention period of the
personal data is insufficiently specified to meet the requirements of
Articles 13.2 and 14.2, a) GDPR. After all, point 6, §3 of the privacy statement only states that the
personal data concerned “are not kept longer than is necessary for the purposes
what they are processed for. " However, the Group Guidelines 29 show that
such wording is not sufficient. In this respect Group 29 points out that the (mention
of the) retention period is related to the principle of minimal data processing
contained in Article 5.1, c) GDPR as well as the requirement of storage limitation of Article 5.1, e) GDPR.
She states that “ the storage period (or the criteria for determining it) may become
dictated by factors such as legal requirements or sectoral guidelines, but always such
should be worded that the data subject can, based on his or her own situation
assess the retention period for specific data / purposes ”. 32
108. Fifth, the Disputes Chamber finds that the defendant's privacy statement does not
contains an exhaustive list of the (categories of) recipients of the data collected by him
personal data as required by Articles 13.1 and 14.1, e) GDPR. Point 9 of the
privacy statement states in this respect the following:
“Your data may be passed on to third parties based on our legal and
regulatory obligations, but also in the context of the performance of our assignments
in the public interest or the exercise of public authority. (…)
[The defendant] is sometimes obliged to perform his statutory assignments
receive or communicate your personal data, in particular to the following
recipients:
• Yourself
• Other recipients subject to legal obligations and permissions for
information and exchange of information, such as:
o Other FPS services
o State administrative services
o Countries with which Belgium has concluded conventions or agreements
o […]
• Third parties
• […] ”
32 “Guidelines on transparency in accordance with Regulation (EU) 2016/679” adopted on 29 November 2017 by the
Group 29, p. 45.
Page 34
Substance decision 34/2020 - 34/35
109. Also on this point, the privacy statement contains conditional wording and impediments,
which indicates that those involved are not fully informed of any
transfer of their personal data.
110. The Disputes Chamber emphasizes the importance of compliance with the transparency obligations
on behalf of a controller in view of its impact on the exercise
of the rights of data subjects contained in Articles 15 to 22 GDPR, such as
illustrated by the case law of the Court of Justice. 33
111. In addition, the Disputes Chamber points out that as a public authority the defendant is a
sets an example in terms of compliance with protection legislation
of personal data and also processes a large amount of personal data and
that it should therefore always do so in accordance with the “ lead by example ” principle
to act in accordance with this legislation and in particular the above mentioned
GDPR essential provisions on transparency. 34
112. The Disputes Chamber considers, for the reasons set out above, an infringement
Articles 12, 13 and 14 GDPR should be established.
3.6.
Publication of the decision
113. Having regard to the importance of transparency in the decision-making process of the
Disputes Chamber, this decision will be published in accordance with Article 95, §1, 8 ° WOG
on the website of the Data Protection Authority indicating the
defendant's identification data 35, and this because of the specificity of the present
decision - leading to the fact that even in case of omission of the identification data the
re-identification is inevitable - as is the public interest of this decision.
33 CJEU 1 October 2015, Bara, C-201/14.
34 Data Protection Authority, “Strategic Plan 2020-2025”,
https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/GBA_Strategisch_Plan_28012020.p
df , p. 22.
35 However, omitting the name of the defendant's data protection officer.
Page 35
Substance decision 34/2020 - 35/35
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority, after deliberation:
-
that the use of personal data obtained through the Crossroads Bank of the vehicles by
customers of NV Informex, in particular insurance companies, with a view to drafting
of personalized quotations violates Articles 5.1 b) and 6.1 GDPR
as well as Article 25 of the Royal Decree of 8 July 2013 implementing the Law of
May 19, 2010 establishing the Crossroads Bank for Vehicles . The Dispute Chamber
accordingly orders the defendant pursuant to Article 58.2, d) GDPR and Article 100, §1, 9 ° WOG ,
in his capacity as controller of the aforementioned personal data, the
to conform processing within six months of notification of this
inform the decision and the Disputes Chamber within the same period;
-
based on article 100, §1, 5 ° WOG to formulate a reprimand with regard to the
respondent for violation of Articles 12, 13 and 14 GDPR ; and
-
pursuant to Article 58.2, d) GDPR and Article 100, §1, 9 ° WOG to order the defendant to
to align information it provides about its processing operations with
Articles 12 to 14 GDPR within three months of notification of this decision
and to inform the Disputes Chamber within the same period.
*
Pursuant to Article 108, §1 WOG, an appeal can be lodged against
a period of thirty days, from the notification, at the Marktenhof, with the
Data protection authority as defendant.
(get.) Hielke Hijmans
Chairman of the Disputes Chamber