APD/GBA - 36/2021
|Relevant Law:||Article 5(1) GDPR; Article 6(1) GDPR; Article 8 GDPR; Article 83(7) GDPR; Article 221(2) Wet Gegevensbescherming; Article 5(2) Wet Gegevensbescherming|
|National Case Number/Name:||36/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Beslissing ten gronde 36/2021 van 15 maart 2021 (in NL)|
|Initial Contributor:||Enzo Marquet|
The Belgian DPA held that an educational institution is not exempt from receiving administrative fines under Article 83(7) GDPR and Article 221(2) of the Belgian Data Protection Law.
English Summary
Facts
This decision is a reconsideration of decision APD/GBA - 31/2020 of the Dispute Resolution Chamber dated June 16, 2020, and implements the judgment of the Markets Court dated November 18, 2020, number 2020/AR/990.
The Markets Court upheld the appeal with respect to Article 5(1)(a), Article 12(1), Article 13(1) and Article 13(2) GDPR. The appeal with respect to Article 5(1)(c), Article 6(1) and Article 8 GDPR was rejected. This partial annulment means the DPA must reassess and give reasons for its original fine of €2,000.
Dispute
Can a not-for-profit private educational institution be regarded as a public body within the meaning of Article 83(7) GDPR and Article 221(2) of the Belgian Data Protection Law, and thus be exempt from receiving an administrative fine?
Holding
Governmental Bodies
The DPA clarifies its position on why the defendant does not qualify for the exemption from administrative fines for public entities and/or government bodies. What falls under this definition is not defined in Article 83(7), and it is up to the member states to implement this in line with Union law.
In Belgium, Article 83(7) is not applicable to government bodies unless it is a legal entity under public law that offers goods or services on a market.
According to Article 5(2) of the Belgian Data Protection Law (Wet Gegevensbescherming), the defendant is classified as a government because, although it is an educational institution in the form of a private not-for-profit, it was established for the specific purpose of meeting needs in the general interest that are not of an industrial or commercial nature (namely, to provide primary and secondary education), its activities are primarily financed by the Flemish government, and it is under government supervision.
However, the exemption is not applicable when this 'government body' offers goods or services on a market. In Belgium, there is a market for private education as there is (non-)recognised private education available and thus competition.
The DPA holds that the term "public authorities and public bodies" in Article 83(7) cannot be interpreted so broadly as to include legal persons under private law that perform a task of general interest, such as free educational institutions.
The DPA holds that giving a broad interpretation to Article 221(2) Wet Gegevensbescherming would contradict, on the one hand, the explicit will of the Belgian legislator not to exempt schools from administrative fines and, on the other hand, the restrictive interpretation that Article 83(7) should be given as an exception.
As such, Article 83(7) is not applicable, which means Article 221(2) Wet Gegevensbescherming is not applicable, and thus free educational institutions are not exempt from administrative fines for violations of the GDPR.
Administrative fine
There are three factors which the DPA takes into consideration to determine a fine: gravity, duration and dissuasive effect.
Regarding the duration, there was an earlier complaint against the defendant in 2016 concerning the same survey. In 2018, the survey was used again. The survey of 2016 is not taken into account since the GDPR was not yet in effect.
The DPA does take into account that the defendant anonymised the survey and that it is prepared to take additional measures. On top of that, it is also a not for profit organisation.
Lastly, part of the infractions from Decision 31/2020 has been annulled.
Considering the above, the DPA lowers the fine to €1,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/21 Dispute Chamber Decision on the merits 36/2021 of 15 March 2021 File number: DOS-2019-03499 Subject: Use of Smartschool to conduct a "well-being" survey at underage pupils without parental consent (reconsideration after judgment Marktenhof) The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs. Christophe Boeraeve and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal procedure, as approved by the Chamber of Representatives of the people on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; . . . Decision on the merits 36/2021 - 2/21 has taken the following decision regarding: - Mr X, hereinafter “the complainant” - Educational establishments Y, hereinafter “the defendant 1. Facts and procedure 1. This decision is a reconsideration of decision 31/2020 of the Disputes Chamber of June 16 2020, and implements the judgment of the Marktenhof of 18 November 2020, with number 2020 / AR / 990. 2. This decision must be read in conjunction with decision 31/2020 and contains a reconsideration which is limited to the elements of the latter decision not by it Marktenhof have been destroyed. 3. On 22 July 2019, the complainant lodged a complaint with the Data Protection Authority against defendant. The subject of the complaint concerns the survey “well-being” given to the students of Z via the Smartschool system was presented to his underage students. In addition, a several provisions of the GDPR have been violated. 
The complainant states that there is a lack of it information provision, parental consent is required to carry out the survey, an information society service is used and more data are processed then necessary for the purposes for which they are processed. According to the complainant, a DPIA should also have been carried out carried out by the defendant, but this did not happen. 4. On 6 August 2019, the complaint will be declared admissible on the basis of Articles 58 and 60 of the law of 3 December 2017, the complainant will be informed of this on the basis of art. 61 of the law of 3 December 2017 and the complaint under art. 62, §1 of the law of 3 handed over to the Disputes Chamber in December 2017. 5. On August 27, 2019, the Disputes Chamber will decide on the basis of art. 95, §1, 1 ° and art. 98 of the law of 3 December 2017 that the file is ready for treatment on the merits. 6. On 28 August 2019, the parties involved will be notified by registered mail of the provisions as stated in article 95, §2, as well as of those in art. 98 of the Law of 3 Decision on the merits 36/2021 - 3/21 December 2017. The parties involved were also informed on the basis of art. 99 of the law of 3 December 2017 of the deadlines for submitting their defenses. The the deadline for receipt of the complainant's reply was set on October 7, 2019 and for the defendant November 7, 2019. 7. On September 9, 2019, the defendant reports to the Disputes Chamber that he has taken cognizance of the complaint, he asks for a copy of the file (art. 95, §2, 3 ° of the law of 3 December 2017) and electronically accepts all communication regarding the case (art.98, 1 ° of the law December 3, 2017). 8. A copy of the file will be sent to the defendant on 11 September 2019. 9. On September 26, 2019, the Disputes Chamber will receive the statement of defense from the defendant. 
Respondent states in the conclusion that it is relying on a legal basis for the survey obligation and no consent is required, from which, according to the defendant, this would follow Article 8 GDPR would not apply. The defendant also denies that there is any special categories of personal data within the meaning of Art. 9.1 GDPR would be processed on the basis of the survey. The defendant also explains how to post the data of the survey are processed (who has access to the individual survey, storage of the general data (anonymised) at class level, deletion of the completed surveys at the end of the school year). The next survey would be based on the "Well-being questionnaire" used by the Education Inspectorate in order to implement the principle of minimal respect data processing. Finally, a proposal letter is added, so that in the future the school can better inform parents and pupils about the purpose of the inquiry. 10. On October 23, 2019, the Disputes Chamber will receive the statement of reply from the complainant. In there a detailed answer is given to the defendant's statement of defense and become listed a number of new elements that were not yet addressed in the complaint: • According to the complainant, Y is the organizing body above the school Z and the Vrij Centrum for it pupil guidance W, but since a CLB must be able to act independently, they appear to be acting as joint controllers. • The complainant provides an overview of the provisions that he believes have been infringed committed. He also asks: 1. that a fine would be imposed on the defendant, 2. that all those involved are informed about the committed offenses (in 2016 and 2018 and, where applicable, for the 2017 survey) that an infringement related to personal data, Decision on the substance 36/2021 - 4/21 3. as well as the decision of the Disputes Chamber on the websites of the defendant and CLB, as well as to all parents would be communicated via Smartschool. 11. 
On November 8, 2019, the Disputes Chamber receives the statement of reply from the defendant, which further discusses the lawfulness of the processing; the designation of the controller; the consent requirement and the non-application of Article 8 GDPR; the principle of data minimization, the obligation of the controller to provide transparent information and argumentation in support of the proposition that no DPIA is necessary is. 12. On 4 May 2020, the Disputes Chamber notified the defendant of its intention to to impose an administrative fine, as well as the amount thereof in order to give the defendant the opportunity to defend himself before the sanction becomes effective is imposed. 13. On May 22, 2020, the Disputes Chamber will receive the respondent's response to the intention to imposing an administrative fine, as well as the amount thereof. The defendant repeats the reasoning set out in the claims to argue that the processing is lawful on the basis of the decree of 27 April 2018 on the pupil guidance in primary education, secondary education and the centers for student guidance, as well as to state that Article 8.1 GDPR would not apply. The defendant also emphasizes that it has already responded to earlier comments. Finally, the defendant also argues that the Dispute Chamber does not have an administrative fine can impose, since the defendant being an educational institution funded by the Flemish Community aims to provide education, which is a task of public interest. It follows, according to the defendant, that he must become like "government" considered within the meaning of article 5 of the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and thereby article 221, §2 of the same law would apply. 14. On June 16, 2020, the Disputes Chamber ruled in its Decision on the merits of 31/2020 as follows: - on the basis of art. 
100, §1, 9 ° WOG, to order the defendant that the processing in is brought into line with art. 5.1.a); art. 12.1. and 13.1. c) and d) and 13.2. b) GDPR. Decision on the merits 36/2021 - 5/21 - on the basis of art. 100, §1, 13 ° WOG and art. 101 WOG to impose an administrative fine laying EUR 2,000 as a result of the violations of Article 5.1. a), Article 5.1. c), Article 6.1., Article 8, article 12.1. and Article 13 GDPR. 15. On 23 July 2020, the Disputes Chamber will receive the notification of an application against the GBA, lodged at the Registry of the Court. 16. The introductory session in front of the Marktenhof will take place on 2 September 2020, at which the conclusion deadlines for the parties are set, as well as the case is set for pleadings at the session on October 21, 2020. The Marktenhof will pass judgment on 18 November 2020. The judgment contains the following points for attention with regard to the assessment of the subject of the petition: Rejection of the pleas put forward by the defendant in relation to the infringements determined by the Disputes Chamber on Article 6.1 GDPR, as well as Articles 8 and 5.1 c) GDPR Annulment of decision on the merits no. 31/2020 of June 16, 2020, only to the extent that it does the defendant is ordered to bring the processing into line with the Articles 5.1 a), 12.1, 13.1 c) and d) and 13.2 b) GDPR and an administrative fine of € 2,000.00 is imposed. The Marktenhof does not only make the decision of 16 June 2020 of the Disputes Chamber of partially nullified, but also says that the Dispute Chamber will be within four months from the date of delivery of the judgment, the decision to impose a administrative fine will reconsider and re-motivate. The Court will put the case for review by the Marktenhof at the public hearing on 14 April 2021. 17. Following up on the judgment, the Disputes Chamber now decides to determine whether, and if necessary, to what extent the administrative fine should be maintained. 2. 
Legal basis 1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf Decision on the merits 36/2021 - 6/21 Lawfulness of the processing Article 6.1. GDPR 1. The processing is only lawful if and insofar as at least one of the following conditions are met: a) the data subject has consented to the processing of his / her personal data for one or more specific purposes; […] c) the processing is necessary to comply with a legal obligation on the controller rests; […] Conditions for the consent of children with regard to services of the information society Article 8 GDPR 1. Where point (a) of Article 6 (1) applies in relation to a direct offer of information society services to a child, is the processing of personal data of a child lawfully when the child is at least 16 years old. When the child is younger than 16 years old such processing is only lawful if and insofar as the consent or authorization to do so Consent in this regard is granted by the person having parental responsibility for the child. Member States may provide for a lower age in this respect by law, op provided that that age is not less than 13 years old. 2. Taking into account available technology, the controller shall act reasonably efforts to verify in such cases whether the person is the parental bears responsibility for the child, has given consent or authorizes consent has granted. 3. Paragraph 1 leaves the general contract law of the Member States, such as the rules on validity, the formation or the consequences of agreements with regard to children, unaffected. Minimal data processing Article 5.1. c) GDPR Decision on the merits 36/2021 - 7/21 1. Personal data must: […] (c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimization'); 3. Justification A. 
Understanding government 18. Pursuant to the judgment of the Marktenhof dated November 18, 2020, the dispute by the defendant of the infringement of Article 6.1 GDPR, as well as Articles 8 and 5.1 c) GDPR as being rejected unfounded, while the challenge of the infringement of Articles 5.1 a), 12.1, 13.1 c) and d) and 13.2 b) GDPR was accepted as justified. This partial destruction leads to the Marktenhof determine that the Data Protection Authority should have the option to reconsider the decision to impose an administrative fine and remotivate. 19. In its decision of 16 June 2020, the Disputes Chamber for all of the by its established violations of article 5.1. a), Article 5.1. c), Article 6.1., Article 8, Article 12.1. and Article 13 GDPR imposed an administrative fine. In view of the fact that the Marktenhof only the violations of article 5.1. c), Article 6.1. and Article 8 GDPR, the The Disputes Chamber will determine whether or not the administrative fine of € 2000.00 will be imposed maintained and adjusted if necessary. As for the violations of article 5.1. c), Article 6.1. and Article 8 GDPR refers the Disputes Chamber to the motivation such as set out in paragraphs 20 to 42 of its decision on the merits 31/2020 of 16 June 2020. 20. Since the imposition of an administrative fine is directly related to the The defendant's capacity as a subsidized independent educational institution which, according to the Disputes Chamber does not fall under the exemption from administrative fine as stipulated in article 83.7 GDPR and article 221, §2 of the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter Law Data protection), the Disputes Chamber explains its position in the present decision that the defendant not as a government, nor as an agent or agent of the government, can are considered. Decision on the merits 36/2021 - 8/21 21. 
In the opinion of the Disputes Chamber in its decision of 16 June 2020, a private-law organization such as Y not covered by the exemption from administrative fine in accordance with Article 221, §2 of the Data Protection Act, even if this organization carries out tasks in the public interest in the field of education. The Marktenhof ruled that the Disputes Chamber the defendant's arguments that the sanctions are not applicable to authorities and that it complies with all the requirements of Article 5, 3 ° of the Data Protection Act and consequently, pursuant to the exemption of Article 221, §2 Data Protection Act, the sanction does not apply of Article 83.7 of the GDPR can be imposed, not disproved. The Marktenhof adds to this allows the Disputes Chamber not to investigate whether the defendant or at least none Government's appointee or agent is when they perform duties of government - existing in providing education - provides. 22. The Disputes Chamber clarifies below its position that the defendant does not qualify comes for the exemption from administrative fine in accordance with Article 221, §2 Law Data protection. Article 83.7 GDPR states: “Without prejudice to the powers to take corrective measures of the supervisory authorities in accordance with Article 58 (2), each Member State may adopt rules on whether and to what extent administrative fines can be imposed on public authorities and public bodies established in that Member State. ” 23. Article 83.7 GDPR thus offers the Member States the option to determine that administrative fines cannot or only to a limited extent be imposed on “government authorities and government bodies ”. The GDPR defines the term “government agencies and government bodies” nothing more. Unless EU law itself explicitly refers to the law of the Member States for the definition of a concept, concepts appearing in EU law must be autonomous and uniform are explained throughout the Union. 
The content of that interpretation is (in principle) through determined by the Court of Justice on the basis of the context of the provision in question and the purpose of the scheme concerned. 2 See e.g. H.v.J., C-260/17, Anodiki Services EPE, October 25, 2018, EU: C: 2018: 864, § 25; C-15/16, Baumeister, June 19, 2018, EU: C: 2018: 464, § 24; C ‑ 174/14, Saudaçor, October 29, 2015, EU: C: 2015: 733, § 52; C-279/12, Fish Legal and Shirley, December 19, 2013, EU: C: 2013: 853, § 42; C-400/10, McB, October 5, 2010, EU: C: 2010: 582, § 41; C-195/06, Österreichischer Rundfunk, October 18, 2007, EU: C: 2007: 613, § 24; C-66/08, Kozłowski, 17 July 2008, § 42. Decision on the merits 36/2021 - 9/21 24. The national discretion that Article 83.7 GDPR grants to the Member States applies here only on the autonomy to: exempt or not exempt public authorities and government bodies from administrative ones fines, and in the case of an exemption, determine whether it is wholly or partly in nature; a partial exemption may, for example, consist of lower maximum fines for government agencies and government bodies, or in an exemption that only applies to specific government agencies and government bodies. 25. Article 83.7 GDPR does not explicitly allow Member States to use the term “public authorities and government bodies ”. It is therefore a concept of EU law that constitutes an autonomous and uniform meaning. It is therefore only up to the institutions of the Union, with in particular to the Court of Justice, to define the limits of that concept. It is possible a Member State, subject to compliance with the principle of equality, then still autonomously determine which of those “government agencies and government bodies” he exempts, but it only comes from the Court Justice to determine where the extreme limits of that EU law concept lie. 
Until today the Court of Justice has not yet considered the interpretation of the concept of government in Article 83.7 GDPR, but it is in any case established that in its interpretation the context of Article 83.7 GDPR and the purpose of the GDPR. 26. The Belgian legislator has made use of Article 221, § 2, Data Protection Act the possibility that Article 83.7 GDPR offers the member states. Article 221, § 2, Data Protection Act determines: “Article 83 of the Regulation does not apply to the government and their employees or authorized representatives, unless it is a legal entity under public law who sells goods or offers services in a market. ” 27. The term “government” is further defined in Article 5, second paragraph, of the Act Data protection: “For the purposes of this law," government "means: 1 ° the Federal State, the federal states and local authorities; 2 ° legal persons under public law that of the Federal State, the federal states or local ones governments depend; 3 ° persons, regardless of their shape and nature, who: - established for the specific purpose of meeting needs in the general interest are not of an industrial or commercial nature; and Decision on the merits 36/2021 - 10/21 - have legal personality; and - of which the activities are mainly carried out by the authorities or institutions mentioned in the provisions under 1 ° or 2 ° are financed or the management is subject to supervision by these authorities or institutions, i.e. the members of the administrative body, more than half of the management or supervisory body authorities or institutions have been designated; 4 ° the associations consisting of one or more authorities as referred to in the provisions under 1 °, 2 ° or 3 °. " 28. The Disputes Chamber argues that subsidized independent educational institutions, such as the respondent, are sufficient to the criteria of the term “government” as defined in Article 5, second paragraph, of the Act Data protection. 
The defendant belongs to the Catholic educational umbrella organization and thus to the “Free” (i.e. non-official) education and therefore takes the form of a private non-profit organization. Nevertheless, it was established for the specific purpose of meeting needs in the general interest that are not of an industrial or commercial nature (namely primary and secondary education it has legal personality, and its activities are mainly carried out by the Funded by the Flemish government and it is also under government supervision. By virtue of Article 5, second paragraph, 3 °, Data Protection Act, the defendant is therefore a “government” in the sense of that 3 law. 29. However, this fact alone is not sufficient to qualify for the exemption in Article 221, § 2 of the Law Data protection. This exemption does not apply if a “government” in the sense of Article 5 Data Protection Act “offers goods or services on a market”. This shows that the legislator wants to limit the exempted authorities to the traditional authorities. The For the sake of completeness, the Disputes Chamber notes that there is also a market in education. After all, the offer in Belgium also consists of recognized (and even non-recognized) private education so that competition in this service market is not limited to just the official and the free education. 30. The Data Protection Act does not specify what is to be understood by “the offering goods or services on a market. But both (1) the parliamentary preparation as (2) the required strict interpretation of Article 83.7 GDPR, to which Article 221, § 2, Law 3 In the contested decision, the Disputes Chamber did not rule on the scope of Article 5, second paragraph, 3 °, Data Protection Act, because this article has no relevance in this case. The fact that free education among the general definition of “government” in the Data Protection Act is not sufficient, after all, Article 221, § 2, of the Act To be able to apply data protection. 
Only “public authorities and government bodies” within the meaning of Article 83.7 GDPR can after all be exempted from administrative fines. A broader interpretation of the exemption in Article 221, § 2, Data Protection Act would be against EU law and should therefore be disapplied by the national authorities, including the DPA's Dispute Chamber. Decision on the merits 36/2021 - 11/21 Data protection implementation indicates clearly that subsidized free educational institutions not covered by the exemption of Article 221, § 2, Data Protection Act fall. 1. The will of the Belgian legislator 31. The parliamentary preparation shows that the phrase “unless it concerns a public law legal entity offering goods or services on a market ”was added after a negative opinion of the Legislative Department of the Council of State on the original designed exemption from administrative fines for the government. In the initial design, the Exemption formulated in a broader sense: it applied to all controllers who use the have the capacity of a government agency or public body. The Council considered this distinction between the public and private sectors not reasonably justified and therefore contrary to the Articles 10 and 11 of the Constitution. The Council suggested that the drafters should also order subject the public sector to administrative fines, but lower fines for those fines 4 fixing ceilings, so as not to jeopardize the continuity of the public service. 32. The suggestion of the Council of State was ultimately not followed by the legislator, but the original bill was amended. In principle, the government remains exempt from this administrative pecuniary fines, unless it concerns a legal person governed by public law who sells goods 5 6 or offers services in a market. 
During the parliamentary debates it was explained that the in particular, the intention was to promote the federal public services (FPS) and the to exempt programmatic government services (POD) from administrative fines. Only 7 the traditional government agencies would therefore still be covered by the exemption. During the parliamentary debates were specifically referred to municipal schools as an example of this authorities that can no longer benefit from the exemption thanks to the amendment. Also a municipal school could be imposed an administrative fine, just like a free one school, because it “provides a service” to the citizens. 8 4R.v.St., Legislative Section, Opinion No. 63.192 / 2 of 19 April 2018, Parl. St. Room 2017-2018, No. 54-3126 / 1, 451. 5 Report issued on behalf of the Justice Committee by Mr P. Dedecker, Parl. St. Room 2017-2018, no. 54- 3126/3, 97. 6 Amendment No 44 by E. Lachaert, P. Dedecker and others, Parl. St. Room 2017-2018, no. 54-3126 / 2, 55. 7 Report issued on behalf of the Justice Committee by Mr P. Dedecker, Parl. St. Room 2017-2018, no. 54- 3126/3, 98. 8 Report issued on behalf of the Justice Committee by Mr P. Dedecker, Parl. St. Room 2017-2018, no. 54- 3126/3, 98. See also p. 44, for the comment concerned: “Pursuant to paragraph 2 of Article 221 of the preliminary draft apply the administrative pecuniary sanctions not apply to data controllers holding the capacity of public authority or have a public body. However, they do apply to data controllers in the private sector. This difference pending cannot be justified according to the Council of State and thus constitutes a violation of the principle of equality. Organizations that carry out essentially the same activities should be treated in the same way, Decision on the merits 36/2021 - 12/21 33. 
It is therefore unmistakable from the parliamentary preparation that it is the express will of the The Belgian legislator was also responsible for schools, both from official and free education administrative fines could be subject. Since an unclear or vague legal provision, according to the settled case law of the Constitutional Court, must be interpreted 9 in the light of the will of the legislature, the defendant cannot appeal for that reason alone do on the exemption from Article 221, § 2, Data Protection Act. 2. Article 83.7 GDPR 34. The second reason why Article 221, § 2, Data Protection Act cannot be so broad interpreted as exempting free educational institutions such as the defendant from administrative fines is that Article 221, § 2, Data Protection Act should be interpreted in accordance with the GDPR, and in particular with Article 83.7, the provision to which it executes. Article 83.7 GDPR leaves the member states free to determine whether and to what extent also “government agencies and government bodies” may be subject to administrative fines subject (see also recital 150 GDPR). 35. The optional exemption from administrative fines for public authorities and bodies was not included in the original Commission proposal, but was later added to the 10 GDPR inserted at the direction of the Council. In the initial Commission proposal were the foreseen maximum amounts of the administrative fines are much lower (i.e. EUR 250,000, EUR 500,000 respectively EUR 1,000,000). 11 These ceilings have been significantly increased by the Council (up to 20,000,000 EUR), to be sufficiently dissuasive for large companies, such as Facebook and Google. As compensation, Member States were left free to control their public authorities and to exempt government bodies from such large administrative fines. regardless of whether they belong to the public or private sector. 
For example, it cannot be justified that a OCMW hospital no administrative fine can be imposed while this could be for a hospital in the form of a non-profit organization, the same applies to schools that belong to free education as compared to schools that belong to it community education, for example. ” 9 See, e.g., GwH, No. 50/2008, March 19, 2008, B.15.12; No. 35/2011, March 10, 2011, B.5-B.6; No. 23/2016, 18 February 2016, B.14.3. See also A. ALEN and K. MUYLLE, Handbook of Belgian Constitutional Law, Mechelen, Kluwer, 2011, 167. 10 See Council position at first reading with a view to adopting a regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation data protection), 8 April 2016, https://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf. 11 See art. 79 Commission proposal for a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and with regard to free movement of that data (General Data Protection Regulation), COM / 2012/011 final - 2012/0011 (COD), https: // eur- lex.europa.eu/legal-content/EN/TXT/?qid=1599056276058&uri=CELEX:52012PC0011. Decision on the merits 36/2021 - 13/21 36. What is to be understood by “public authorities and public bodies” is not specified specified in the GDPR. As emphasized above (marginal 25), this in no way means that it is on Member States are entitled to determine themselves the limits of the government concept in Article 83.7 GDPR. It is a concept of EU law that must be given an autonomous and uniform meaning, taking into account the context of Article 83.7 GDPR and the purpose of the GDPR. 37. The context of Article 83.7 GDPR and the purpose of the GDPR require a restrictive interpretation of the government concept in that provision. 
After all, Article 83.7 GDPR provides for an exception to the general rule that breaches of the GDPR can, where appropriate, be sanctioned with an administrative fine (art. 58.2.i) GDPR). It is settled case law of the Court of Justice that exceptions should be interpreted strictly.[12] With regard to European data protection rules in particular, the Court of Justice has already ruled several times that the exceptions laid down in European legislation should be interpreted restrictively, “since they favor the protection regime for personal data provided for in this Directive [now Regulation], and with it deviate from the objective underlying the latter, to ensure the protection of the freedoms and fundamental rights of natural persons in connection with the processing of personal data, such as the right to respect for private life and family life, as enshrined in Article 7 of the Charter of Fundamental Rights of the European Union (…), and the right to the protection of personal data, that is guaranteed by Article 8 thereof.”[13]

38. By softening the sanctions for government agencies and bodies, Article 83.7 GDPR unmistakably departs from the purpose underlying the GDPR, namely the protection of the right of natural persons to the protection of personal data (art. 1.2 GDPR). After all, the sanction of the administrative fine offers an effective means of pressure and thus an additional assurance for citizens that data protection rules will be complied with.[14]

39. It is precisely in order to strengthen the enforcement of data protection rules that the EU legislature has explicitly stipulated in the GDPR that administrative fines should, where appropriate, be imposed for infringements of this Regulation. The old Data Protection Directive, which was repealed by the GDPR, did not expressly impose such a sanction. Article 24 of that directive merely stated in general that Member States “[take] appropriate measures to ensure the full application of the provisions of this Directive and (…) in particular [establish] the sanctions applicable in the event of breach of the implementation of this Directive” (own underlining). This is also the usual working method of the EU legislature with regard to the enforcement of the rules it issues.[15] In general,[16] European legislative acts merely require Member States to impose penalties for infringements that are “effective, proportionate and dissuasive”, but leave it to the Member States themselves to determine the nature of those penalties (e.g. compensation to the victim, administrative fine, criminal sanction, ...).[17] The organization of the enforcement of European rules in a Member State therefore belongs, in principle, to the autonomy of the Member States.

[12] See, e.g., CJEU, C-288/07, Isle of Wight Council and Others, September 16, 2008, EU:C:2008:505, § 60; C-174/14, Saudaçor, October 29, 2015, EU:C:2015:733, § 49.

[13] See, e.g., CJEU, C-73/16, Puškár, 27 September 2017, EU:C:2017:725, § 38 (own underlining); C-25/17, Jehovan todistajat, July 10, 2018, EU:C:2018:551, § 37; C-345/17, Buivids, February 14, 2019, EU:C:2019:122, § 41.

[14] Recital 148 GDPR (own underlining): “With a view to stronger enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or in lieu of appropriate measures imposed by the supervisory authorities under this Regulation.”

40. In the opinion of the EU legislature, however, enforcement of the old Data Protection Directive was inadequate in some Member States.
In order to strengthen and harmonize the enforcement of data protection rules,[18] the GDPR itself provides for a system of administrative fines for the entire Union (art. 83 GDPR).[19] The GDPR has therefore severely restricted national procedural autonomy.

41. By providing for an (optional) exception to this enforcement system, Article 83.7 GDPR deviates from the purpose of the Regulation and must, in accordance with the established case law of the Court of Justice, be interpreted restrictively. This applies a fortiori since the purpose of the GDPR is to protect a fundamental right, namely the right to protection of personal data (art. 1(2) GDPR), and the EU legislature has set itself the particular objective of strengthening and harmonizing the enforcement of that fundamental right.

[15] See K. LENAERTS et al., EU Procedural Law, Oxford, Oxford University Press, 2014, 108.

[16] However, the GDPR is by no means the only exception to the rule. Other European legislative acts also prescribe specific penalties. See e.g. art. 65-66 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 “on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC”.

[17] See e.g. art. 15 Council Directive 2000/43/EC of 29 June 2000 “applying the principle of equal treatment of persons regardless of racial or ethnic origin”; art. 25 Directive 2006/54/EC of the European Parliament and of the Council of 5 July 2006 “on the implementation of the principle of equal opportunities and equal treatment for men and women in work and occupation”; art. 15 Directive 2009/45/EC of the European Parliament and of the Council of 6 May 2009 “on safety regulations and standards for passenger ships”; art. 87 Regulation (EU) No 528/2012 of the European Parliament and of the Council of 22 May 2012 “concerning the making available on the market and use of biocidal products”.

[18] See also rec. 150 GDPR (own underlining): “In order to strengthen and harmonize administrative penalties for violations of this Regulation, each supervisory authority should have the power to impose administrative fines.”

[19] Albeit with a slight nuance for Member States whose legal system does not provide for administrative fines (viz. Denmark and Estonia). See art. 83.9 and rec. 151 GDPR.

42. It follows that the terms “public authorities and public bodies” in Article 83.7 GDPR must be interpreted restrictively. In concrete terms, this means that it cannot have been the intention of the Union legislator to allow Member States to extend the optional exemption of Article 83.7 GDPR to all private law organizations that perform a task of general interest and receive government support as compensation, such as the respondent. After all, if such private law organizations were by definition also to escape the means of pressure of the administrative fine, this could seriously jeopardize the achievement of the purpose of the GDPR.

43. The broad definition that the Belgian legislator has given to the concept of government in Article 5, second paragraph, Data Protection Act therefore clearly cannot be reconciled with the strict interpretation that Article 83.7 GDPR should be given. The definition of the government concept in Article 5 of the Data Protection Act corresponds almost literally to the description of the concept of “public entity” in Directive 2003/98/EC “on the re-use of public sector information”,[20] and of the term “contracting authority” in European public procurement law.[21] But the purpose of those European legislative acts precisely benefits from an interpretation of the government concept that is as broad as possible, which, after all, determines the scope of these legislative acts. It is therefore settled case law of the Court of Justice that the concept of “contracting authority” in the public procurement directives “should be given a functional and broad interpretation”, “having regard to the dual objective of opening up to competition and transparency that the said Directive pursues”. Such a broad interpretation is, according to the Court of Justice, “the only one that safeguards the useful effect of the [public procurement] Directive (…)”.[22]

44. The same applies to the interpretation of the term “public authority or body” in the context of Article 37.1.a) GDPR, which provides for the obligation to appoint a data protection officer when the processing of data is carried out by a government agency or government body. The purpose of the GDPR, which is to protect personal data, precisely benefits from a broad obligation to appoint a data protection officer, and thus from a broad interpretation of the government concept in Article 37.1.a) GDPR.

[20] Art. 2, points 1 and 2, Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 “on the re-use of public sector information”.

[21] See in particular art. 2.1, points 1 and 4, Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 “on public procurement and repealing Directive 2004/18/EC”.

[22] See, e.g., CJEU, C-373/00, Truley, EU:C:2003:110, § 43; C-214/00, Commission v. Spain, May 15, 2003, EU:C:2003:276, §§ 53 and 56; C-283/00, Commission v. Spain, October 16, 2003, EU:C:2003:544, §§ 73 and 75.

45. After all, the context of the term “public authorities and public bodies” in Article 83.7 GDPR is completely different, since it does not determine the personal scope of the GDPR but constitutes an exception to a general rule of the GDPR, namely that breaches of the GDPR can be sanctioned with an administrative fine. As an exception to that general rule, Article 83.7 GDPR must be interpreted narrowly (see above, marginal 37).

46. By analogy, reference can be made to the case law of the Court of Justice on the concept of “other public sector entities” in Article 13.1 of Directive 2006/112 “on the common system of value added tax”.[23] That provision establishes an exception to the general rule on which the common system of VAT is based, namely the rule that the scope of VAT extends to all services that are performed for consideration. Article 13.1 provides an exception to that rule for activities that “public bodies” perform “as a government”. The Court of Justice in the Saudaçor judgment explicitly ruled that the concept of “public law bodies” included in that exemption clause should not be interpreted as broadly as the term “contracting authority” in the public procurement directives[24] (own underlining):

“44 In this regard, the referring court asks whether, as Saudaçor submits, for the interpretation of the term "other public law entities" within the meaning of Article 13, paragraph 1, of the said Directive, the definition of the term "bodies governed by public law" in Article 1(9) of Directive 2004/18 must be taken into account.

45 Article 13(1) of Directive 2006/112 cannot be interpreted in that way.
46 Article 1(9) of Directive 2004/18 gives a broad definition of the concept "bodies governed by public law" and, consequently, of the term "contracting authorities" in order to delimit the scope of that Directive so broadly that the rules applicable to the award of public contracts, in the field of inter alia transparency and non-discrimination, apply to a range of public sector bodies that do not form part of the public administration but which are nevertheless controlled by the State, including through their funding or management.

47 However, the context of the term "other public law entities" in Article 13(1) of Directive 2006/112 is completely different.

48 That concept is not intended to determine the scope of VAT, but contains an exception to the general rule on which the common system of that tax is based, namely the rule that the scope of that tax is very broadly defined and covers all services rendered for consideration, including the services provided by public law bodies (see, to that effect, judgment Commission v Netherlands, C-79/09, EU:C:2010:171, paragraphs 76 and 77).

49 As an exception to the general rule that all economic activity is subject to VAT, Article 13(1) of Directive 2006/112 must be interpreted narrowly (see, inter alia, judgment in Isle of Wight Council and Others, C-288/07, EU:C:2008:505, paragraph 60, and order Gmina Wrocław, C-72/13, EU:C:2014:197, point 19).”

[23] Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax.

[24] C-174/14, Saudaçor, October 29, 2015, EU:C:2015:733.

47. By analogy with this case law, the concept of government in Article 83.7 GDPR must also be interpreted narrowly. In no case can this term be interpreted as broadly as the terms “contracting authority” and “public body” in the public procurement directives and the rules on access to government information respectively.[25]
A fortiori, since the GDPR (in contrast to the above-mentioned VAT Directive) aims to protect a fundamental right, Article 83.7 GDPR cannot be interpreted so broadly that Member States would be allowed to exempt from administrative fines for GDPR violations all legal persons governed by private law that perform a task in the public interest and are primarily government-funded and/or government-supervised.

[25] The definitions of the terms “public body” and “body governed by public law” in Directive 2003/98/EC are taken from the public procurement directives (recital 10 Directive 2003/98/EC).

48. The Disputes Chamber emphasizes that citing the above analogy regarding the restrictive interpretation of exceptional provisions does not mean that the defendant is regarded by the Disputes Chamber as a “legal entity under public law”.

49. Having regard to the principles of the primacy and full effect of EU law, Article 221, § 2, Data Protection Act must be interpreted in accordance with the restrictive interpretation that Article 83.7 GDPR should be given. This means that Article 221, § 2, Data Protection Act should not be interpreted so broadly that it would by definition also exempt free educational establishments, such as the defendant, from administrative fines.

50. Since the Disputes Chamber finds that the defendant does not fall within the scope of Article 83.7 GDPR because it is not a “government agency or body” within the meaning of that provision, and thus decides that Article 83.7 GDPR does not apply, Article 221, § 2, Data Protection Act, which implements Article 83.7 GDPR in Belgian law, inevitably does not apply either. Precisely in view of this implementation, the notion “government agency or government body” of Article 83.7 GDPR coincides with the conceptual framework “government and their appointees or agents” of Article 221, § 2, Data Protection Act.
Because the defendant does not act as a “public authority or government body”, it is ipso facto also not a “government, appointee or agent of a government”.

51. The Disputes Chamber decides that:
- the GDPR does not define the concept of “public authorities and public bodies” within the meaning of Article 83.7 GDPR;
- it follows from the settled case law of the Court of Justice that the concept of “public authorities and public bodies” in Article 83.7 GDPR is an autonomous EU law concept that must be interpreted taking into account the context of that provision and the purpose of the GDPR, and that, since Article 83.7 GDPR is an exceptional provision, the government concept must here in particular be interpreted restrictively;
- the term “public authorities and public bodies” in Article 83.7 GDPR certainly cannot be interpreted so broadly that it also covers private law legal persons that perform a task in the public interest, such as free educational institutions;
- giving a broad interpretation to Article 221, § 2, Data Protection Act would be contrary to, on the one hand, the express will of the Belgian legislator not to exempt schools from administrative fines and, on the other hand, the restrictive interpretation that Article 83.7 GDPR must be given as an exception;
- Article 221, § 2, Data Protection Act must therefore also be interpreted as meaning that free educational institutions are not exempt from administrative fines for violations of the GDPR.

B. Administrative Fine

52. The fact that the defendant, as a subsidized independent educational institution, is eligible for an administrative fine leads the Disputes Chamber to impose an administrative fine. This sanction is not aimed at ending a violation that has been committed, but at vigorous enforcement of the rules of the GDPR.
After all, as is clear from Recital 148 GDPR, the GDPR puts first that for every serious infringement, including when an infringement is established for the first time, penalties, including administrative fines, are imposed in addition to or instead of appropriate measures.[26] In the following, the Disputes Chamber shows that the violations of Article 5.1 c), Article 6.1 and Article 8 GDPR committed by the defendant in no way concern minor infringements, and that the fine would not cause a disproportionate burden to a natural person as referred to in Recital 148 GDPR, the two cases in which a fine can be waived. The Disputes Chamber imposes the administrative fine in application of Article 58.2 i) GDPR. The instrument of the administrative fine is by no means intended to end infringements. To that end, the GDPR and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, §1, 8° and 9° WOG.[27]

[26] Recital 148 states: “With a view to more vigorous enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities under this Regulation. In the case of a minor infringement, or if the foreseeable fine would cause a disproportionate burden on a natural person, a reprimand can be chosen instead of a fine. However, account should be taken of the nature, gravity and duration of the infringement, including the intentional nature of the infringement, of measures to mitigate damage, of the degree of responsibility or of previous relevant breaches, of the manner in which the breach became known to the supervisory authority, of compliance with the measures taken against the controller or processor, of affiliation to a code of conduct and of any other aggravating or mitigating factors. Imposing penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including an effective remedy and due process.” [own underlining]

[27] Brussels Court of Appeal (Marktenhof section), Verreydt N.V. v. GBA, Judgment 2020/1471 of 19 February 2020.

53. Taking into account Article 83 GDPR and the case law of the Marktenhof, the Disputes Chamber justifies the imposition of an administrative sanction in concrete terms:
- The seriousness of the infringement: the reasoning below shows the seriousness of the infringement.
- The duration of the breach: since the GDPR came into effect, the “well-being” survey which is the subject of the complaint took place only once.
- The necessary deterrent effect to prevent further infringements.

54. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasizes that compliance with the principles set out in art. 5 GDPR, in the present case in particular the lawfulness principle and the principle of data minimization, is essential, because these are fundamental principles of data protection. The Disputes Chamber considers the defendant's infringement of the principle of lawfulness set out in art. 6 GDPR to be a serious violation. In addition, there is an infringement of Article 8 GDPR, which aims to offer special protection to young people, and which thus also constitutes a serious violation.

55. Despite a previous complaint about the same survey lodged against the defendant in 2016 with the then Commission for the Protection of Privacy, the respondent conducted the survey again in 2018. However, the Disputes Chamber does not take the 2016 complaint into account when determining the administrative fine. First of all, no consequences were attached to the 2016 complaint by the Commission for the Protection of Privacy, and the GDPR was not yet applicable at that time.

56. In determining the administrative fine, the Disputes Chamber does take into account the fact that the defendant states that it is willing, and has already made efforts, to provide for a survey that can be conducted in anonymous form in the future, provided the defendant takes the necessary measures to ensure that anonymity (as set out in marginal nos. 39-40 of decision on the merits 31/2020 of June 16, 2020). In addition, when determining the amount of the fine, the Disputes Chamber takes into account that the defendant is a not-for-profit educational institution.

57. An important element in determining the amount of the fine is also the fact that, following the judgment of the Marktenhof dated November 18, 2020, the infringements concern only Article 5.1 c), Article 6.1 and Article 8 GDPR, and not also Article 5.1 a), Article 12.1 and Article 13 GDPR. This leads the Disputes Chamber to reconsider the fine and reduce it to € 1000.00.

58. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the assessment criteria set out therein. The Disputes Chamber points out that the other criteria of art. 83.2 GDPR are not, in this case, such as to lead to an administrative fine other than that which the Disputes Chamber has determined in the context of this decision.

C. Publication of the decision

59. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the GBA website. However, this does not require that the identification data of the parties be directly disclosed.
FOR THESE REASONS,

the Disputes Chamber of the Data Protection Authority decides, after deliberation, to review its decision 31/2020 of June 16, 2020 and, pursuant to art. 100, §1, 13° WOG and art. 101 WOG, to impose on the defendant an administrative fine of € 1,000.00 for the infringement of Article 5.1 c), Article 6.1 and Article 8 GDPR.

On the basis of Article 108, §1 WOG, an appeal against this decision can be lodged with the Marktenhof within a period of thirty days from its notification, with the Data Protection Authority as defendant.

(signed) Hielke Hijmans
Chairman of the Disputes Chamber