APD/GBA (Belgium) - 36/2021

From GDPRhub
Revision as of 14:09, 23 March 2021 by FeestHoed (talk | contribs)
APD/GBA - 36/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 8 GDPR
Article 83(7) GDPR
Article 221 §2 Wet Gegevensbescherming
Article 5 (2) Wet Gegevensbescherming
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 15.03.2021
Published: 16.03.2021
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: 36/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 36/2021van 15 maart2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA holds that an educational institution is not exempt from receiving administrative fines under Article 83 (7) GDPR and article 221 §2 of the Belgian Data Protection Law.

English Summary

Facts

This decision is a reconsideration of decision 31/2020 of the Dispute Resolution Chamber dated June 16, 2020, and implements the judgment of the Markets Court dated November 18, 2020, number 2020/AR/990.

The Markets Court approved appeal of Article 5(1)(a), Article 12(1), Article 13(1) and Article 13(2). The appeal for Article 5(1)(c), Article 6(1) and Article 8 GDPR was not approved. This partial annulment means the DPA must reassess and motivate its original fine of €2000.

Dispute

Can a not for profit private educational institution be seen as a public body in [[Article 83 GDPR#7] Article 83 (7) GDPR] and article 221 §2 of the Belgian Data Protection Law and thus be exempt from receiving an administrative fine?

Holding

Governmental Bodies

The DPA clarifies its vision on why the defendant does not qualify for an exemption for administrative fines for public entities and/or government bodies. What falls under this definition is not defined in Article 83(7) and it is up to the member states to implement this in line with Union law.

In Belgium, Article 83(7) is not applicable to government bodies unless it is a legal entity under public law that offers goods or services on a market.

According the article 5 (2) of the Wet Gegevensbescherming, the defendant is classified as a government because it is an educational institution, in the form of a private not for profit. They were established for the specific purpose of meeting needs in the general interest that are not of an industrial or commercial nature (namely, to provide primary and secondary education), and its activities are primarily financed by the Flemish government and it is also under government supervision.

However, the exemption is not applicable when this 'government body' offers goods or services on a market. In Belgium, there is a market for private education as there is (non-)recognised private education available and thus competition.

The DPA holds that the term "public authorities and public bodies" in Article 83(7) cannot be interpreted so broadly as to include legal persons under private law that perform a task of general interest, such as free educational institutions.

The DPA holds that giving a broad interpretation to article 221 §2 Wet Gegevensbescherming would contradict, on the one hand, the explicit will of the Belgian legislator not to exempt schools from administrative fines and, on the other hand, the restrictive interpretation that Article 83(7) should be given as an exception;

As such, Article 83(7) is not applicable which means article 221 §2 Wet Gegevensbescherming is not applicable and thus free educational institutions are not exempt from administrative fines for violations of the GDPR.

Administrative fine

There are three factors which the DPA takes into consideration to determine a fine: gravity, duration and dissuasive effect.

The severity of the infraction on Article 6 GDPR and Article 8 GDPR is very high because it concerns fundamental principles of data protection and special protection of minors.

Regarding the duration, there was an earlier complaint against the defendant in 2016 concerning the same survey. In 2018, the survey was used again. The survey of 2016 is not taken into account since the GDPR was not yet into effect.

The DPA does take into account that the defendant anonymised the survey and that it is prepared to take additional measures. On top of that, it is also a not for profit organisation.

Lastly, a part of the infractions from Decision 31/2020 have been annulled.

Considering the above, the DPA lowers the fine to €1000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                             1/21






                                                                          Dispute Chamber




                                      Decision on the merits 36/2021 of 15 March 2021



File number: DOS-2019-03499



Subject: Use of Smartschool to conduct a "well-being" survey at

underage pupils without parental consent (reconsideration after judgment

Marktenhof)





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman and Messrs. Christophe Boeraeve and Jelle Stassijns, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and repealing Directive

95/46 / EC (General Data Protection Regulation), hereinafter GDPR;



In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter

WOG;



Having regard to the rules of internal procedure, as approved by the Chamber of

Representatives of the people on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;



Considering the documents in the file;






                                                                                                      .

                                                                                                      .

                                                                                                      . Decision on the merits 36/2021 - 2/21





has taken the following decision regarding:

    - Mr X, hereinafter “the complainant”

    - Educational establishments Y, hereinafter “the defendant




    1. Facts and procedure




1. This decision is a reconsideration of decision 31/2020 of the Disputes Chamber of June 16

    2020, and implements the judgment of the Marktenhof of 18 November 2020, with number

    2020 / AR / 990.



2. This decision must be read in conjunction with decision 31/2020 and contains a

    reconsideration which is limited to the elements of the latter decision not by it

    Marktenhof have been destroyed.




3. On 22 July 2019, the complainant lodged a complaint with the Data Protection Authority against

    defendant.



    The subject of the complaint concerns the survey “well-being” given to the students of Z via

    the Smartschool system was presented to his underage students. In addition, a

    several provisions of the GDPR have been violated. The complainant states that there is a lack of it

    information provision, parental consent is required to carry out the

    survey, an information society service is used and more

    data are processed then necessary for the purposes for which they are processed.

    According to the complainant, a DPIA should also have been carried out

    carried out by the defendant, but this did not happen.



4. On 6 August 2019, the complaint will be declared admissible on the basis of Articles 58 and 60

    of the law of 3 December 2017, the complainant will be informed of this on the basis of art. 61

    of the law of 3 December 2017 and the complaint under art. 62, §1 of the law of 3

    handed over to the Disputes Chamber in December 2017.



5. On August 27, 2019, the Disputes Chamber will decide on the basis of art. 95, §1, 1 ° and art. 98 of the

    law of 3 December 2017 that the file is ready for treatment on the merits.



6. On 28 August 2019, the parties involved will be notified by registered mail

    of the provisions as stated in article 95, §2, as well as of those in art. 98 of the Law of 3 Decision on the merits 36/2021 - 3/21



    December 2017. The parties involved were also informed on the basis of art. 99 of the law of 3

    December 2017 of the deadlines for submitting their defenses. The

    the deadline for receipt of the complainant's reply was set

    on October 7, 2019 and for the defendant November 7, 2019.




7. On September 9, 2019, the defendant reports to the Disputes Chamber that he has taken cognizance

    of the complaint, he asks for a copy of the file (art. 95, §2, 3 ° of the law of 3 December

    2017) and electronically accepts all communication regarding the case (art.98, 1 ° of the law

    December 3, 2017).



8. A copy of the file will be sent to the defendant on 11 September 2019.



9. On September 26, 2019, the Disputes Chamber will receive the statement of defense from the

    defendant. Respondent states in the conclusion that it is relying on a legal basis for the survey

    obligation and no consent is required, from which, according to the defendant, this would follow

    Article 8 GDPR would not apply. The defendant also denies that there is any special

    categories of personal data within the meaning of Art. 9.1 GDPR would be processed on the basis

    of the survey. The defendant also explains how to post the data

    of the survey are processed (who has access to the individual survey, storage

    of the general data (anonymised) at class level, deletion of the completed

    surveys at the end of the school year). The next survey would be based on the

    "Well-being questionnaire" used by the Education Inspectorate in order to implement the principle of minimal

    respect data processing. Finally, a proposal letter is added, so that

    in the future the school can better inform parents and pupils about the purpose of the

    inquiry.



10. On October 23, 2019, the Disputes Chamber will receive the statement of reply from the complainant. In there

    a detailed answer is given to the defendant's statement of defense and become

    listed a number of new elements that were not yet addressed in the complaint:

          • According to the complainant, Y is the organizing body above the school Z and the Vrij Centrum for it

           pupil guidance W, but since a CLB must be able to act independently,

           they appear to be acting as joint controllers.

          • The complainant provides an overview of the provisions that he believes have been infringed

          committed. He also asks:

              1. that a fine would be imposed on the defendant,

              2. that all those involved are informed about the committed offenses (in 2016 and

              2018 and, where applicable, for the 2017 survey) that an infringement related to

              personal data, Decision on the substance 36/2021 - 4/21



              3. as well as the decision of the Disputes Chamber on the websites of the defendant

              and CLB, as well as to all parents would be communicated via Smartschool.



11. On November 8, 2019, the Disputes Chamber receives the statement of reply from the defendant,


    which further discusses the lawfulness of the processing; the designation of the

    controller; the consent requirement and the non-application of Article

    8 GDPR; the principle of data minimization, the obligation of the

    controller to provide transparent information and argumentation

    in support of the proposition that no DPIA is necessary

    is.



12. On 4 May 2020, the Disputes Chamber notified the defendant of its intention to

    to impose an administrative fine, as well as the amount thereof

    in order to give the defendant the opportunity to defend himself before the sanction becomes effective

    is imposed.



13. On May 22, 2020, the Disputes Chamber will receive the respondent's response to the intention to

    imposing an administrative fine, as well as the amount thereof.

    The defendant repeats the reasoning set out in the claims to argue that the

    processing is lawful on the basis of the decree of 27 April 2018 on the

    pupil guidance in primary education, secondary education and the centers for

    student guidance, as well as to state that Article 8.1 GDPR would not apply.

    The defendant also emphasizes that it has already responded to earlier comments.

    Finally, the defendant also argues that the Dispute Chamber does not have an administrative fine

    can impose, since the defendant being an educational institution funded by the

    Flemish Community aims to provide education, which is a task of

    public interest. It follows, according to the defendant, that he must become like "government"

    considered within the meaning of article 5 of the law of 30 July 2018 on the protection of

    natural persons with regard to the processing of personal data, and thereby article

    221, §2 of the same law would apply.











14. On June 16, 2020, the Disputes Chamber ruled in its Decision on the merits of 31/2020 as follows:

    - on the basis of art. 100, §1, 9 ° WOG, to order the defendant that the processing in

    is brought into line with art. 5.1.a); art. 12.1. and 13.1. c) and d) and 13.2. b) GDPR. Decision on the merits 36/2021 - 5/21




    - on the basis of art. 100, §1, 13 ° WOG and art. 101 WOG to impose an administrative fine

    laying EUR 2,000 as a result of the violations of Article 5.1. a), Article 5.1. c), Article 6.1., Article

    8, article 12.1. and Article 13 GDPR.



15. On 23 July 2020, the Disputes Chamber will receive the


    notification of an application against the GBA, lodged at the Registry of the Court.



16. The introductory session in front of the Marktenhof will take place on 2 September 2020, at which the

    conclusion deadlines for the parties are set, as well as the case is set for

    pleadings at the session on October 21, 2020.

    The Marktenhof will pass judgment on 18 November 2020.

    The judgment contains the following points for attention with regard to the assessment of the


    subject of the petition:



     Rejection of the pleas put forward by the defendant in relation to the infringements

         determined by the Disputes Chamber on Article 6.1 GDPR, as well as Articles 8 and 5.1 c) GDPR

     Annulment of decision on the merits no. 31/2020 of June 16, 2020, only to the extent that it does

         the defendant is ordered to bring the processing into line with the

         Articles 5.1 a), 12.1, 13.1 c) and d) and 13.2 b) GDPR and an administrative fine of €

         2,000.00 is imposed.



    The Marktenhof does not only make the decision of 16 June 2020 of the Disputes Chamber of

    partially nullified, but also says that the Dispute Chamber will be within four months

    from the date of delivery of the judgment, the decision to impose a

    administrative fine will reconsider and re-motivate.

    The Court will put the case for review by the Marktenhof at the public hearing on 14 April

    2021.



17. Following up on the judgment, the Disputes Chamber now decides to determine whether, and if necessary,


    to what extent the administrative fine should be maintained.





    2. Legal basis









1
   The judgment is available on the website of the Data Protection Authority via the following link:
https://www.gegevensbeschermingingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf Decision on the merits 36/2021 - 6/21



       Lawfulness of the processing


Article 6.1. GDPR



1. The processing is only lawful if and insofar as at least one of the following

conditions are met:

a) the data subject has consented to the processing of his / her personal data for

one or more specific purposes;

[…]

c) the processing is necessary to comply with a legal obligation on the


controller rests;

[…]



        Conditions for the consent of children with regard to services

           of the information society


Article 8 GDPR



1. Where point (a) of Article 6 (1) applies in relation to a direct offer of

information society services to a child, is the processing of personal data of

a child lawfully when the child is at least 16 years old. When the child is younger than 16 years old

such processing is only lawful if and insofar as the consent or authorization to do so

Consent in this regard is granted by the person having parental responsibility

for the child. Member States may provide for a lower age in this respect by law, op

provided that that age is not less than 13 years old.

2. Taking into account available technology, the controller shall act reasonably

efforts to verify in such cases whether the person is the parental

bears responsibility for the child, has given consent or authorizes consent

has granted.

3. Paragraph 1 leaves the general contract law of the Member States, such as the rules on validity,

the formation or the consequences of agreements with regard to children, unaffected.












       Minimal data processing


Article 5.1. c) GDPR Decision on the merits 36/2021 - 7/21





    1. Personal data must:

    […]

    (c) adequate, relevant and limited to what is necessary for the purposes for which


    they are processed ('data minimization');



        3. Justification



A. Understanding government




    18. Pursuant to the judgment of the Marktenhof dated November 18, 2020, the dispute by the

        defendant of the infringement of Article 6.1 GDPR, as well as Articles 8 and 5.1 c) GDPR as being rejected

        unfounded, while the challenge of the infringement of Articles 5.1 a), 12.1, 13.1 c) and d) and 13.2

        b) GDPR was accepted as justified. This partial destruction leads to the Marktenhof

        determine that the Data Protection Authority should have the option to

        reconsider the decision to impose an administrative fine and

        remotivate.



    19. In its decision of 16 June 2020, the Disputes Chamber for all of the by

        its established violations of article 5.1. a), Article 5.1. c), Article 6.1., Article 8, Article 12.1.

        and Article 13 GDPR imposed an administrative fine. In view of the fact that the Marktenhof

        only the violations of article 5.1. c), Article 6.1. and Article 8 GDPR, the

        The Disputes Chamber will determine whether or not the administrative fine of € 2000.00 will be imposed

        maintained and adjusted if necessary. As for the violations of article

        5.1. c), Article 6.1. and Article 8 GDPR refers the Disputes Chamber to the motivation such as

        set out in paragraphs 20 to 42 of its decision on the merits 31/2020 of 16 June

        2020.



    20. Since the imposition of an administrative fine is directly related to the

        The defendant's capacity as a subsidized independent educational institution which, according to the

        Disputes Chamber does not fall under the exemption from administrative fine as stipulated in

        article 83.7 GDPR and article 221, §2 of the law of 30 July 2018 on the protection of

        natural persons with regard to the processing of personal data (hereinafter Law

        Data protection), the Disputes Chamber explains its position in the present decision that

        the defendant not as a government, nor as an agent or agent of the government, can

        are considered. Decision on the merits 36/2021 - 8/21




21. In the opinion of the Disputes Chamber in its decision of 16 June 2020, a

    private-law organization such as Y not covered by the exemption from administrative fine

    in accordance with Article 221, §2 of the Data Protection Act, even if this organization carries out tasks

    in the public interest in the field of education. The Marktenhof ruled that the

    Disputes Chamber the defendant's arguments that the sanctions are not applicable to

    authorities and that it complies with all the requirements of Article 5, 3 ° of the Data Protection Act and

    consequently, pursuant to the exemption of Article 221, §2 Data Protection Act, the sanction does not apply

    of Article 83.7 of the GDPR can be imposed, not disproved. The Marktenhof adds to this

    allows the Disputes Chamber not to investigate whether the defendant or at least none


    Government's appointee or agent is when they perform duties of government - existing

    in providing education - provides.



22. The Disputes Chamber clarifies below its position that the defendant does not qualify

    comes for the exemption from administrative fine in accordance with Article 221, §2 Law

    Data protection.



    Article 83.7 GDPR states:

    “Without prejudice to the powers to take corrective measures of the

    supervisory authorities in accordance with Article 58 (2), each Member State may adopt rules

    on whether and to what extent administrative fines can be imposed on

    public authorities and public bodies established in that Member State. ”




23. Article 83.7 GDPR thus offers the Member States the option to determine that administrative

    fines cannot or only to a limited extent be imposed on “government authorities and

    government bodies ”. The GDPR defines the term “government agencies and government bodies”

    nothing more.



    Unless EU law itself explicitly refers to the law of the Member States for the

    definition of a concept, concepts appearing in EU law must be autonomous and uniform

    are explained throughout the Union. The content of that interpretation is (in principle) through

    determined by the Court of Justice on the basis of the context of the provision in question and the purpose of

    the scheme concerned.










2 See e.g. H.v.J., C-260/17, Anodiki Services EPE, October 25, 2018, EU: C: 2018: 864, § 25; C-15/16, Baumeister, June 19, 2018,
EU: C: 2018: 464, § 24; C ‑ 174/14, Saudaçor, October 29, 2015, EU: C: 2015: 733, § 52; C-279/12, Fish Legal and Shirley,
December 19, 2013, EU: C: 2013: 853, § 42; C-400/10, McB, October 5, 2010, EU: C: 2010: 582, § 41; C-195/06, Österreichischer
Rundfunk, October 18, 2007, EU: C: 2007: 613, § 24; C-66/08, Kozłowski, 17 July 2008, § 42. Decision on the merits 36/2021 - 9/21



24. The national discretion that Article 83.7 GDPR grants to the Member States applies here

    only on the autonomy to:



      exempt or not exempt public authorities and government bodies from administrative ones

         fines, and


      in the case of an exemption, determine whether it is wholly or partly in nature; a

         partial exemption may, for example, consist of lower maximum fines for

         government agencies and government bodies, or in an exemption that only applies to

         specific government agencies and government bodies.


25. Article 83.7 GDPR does not explicitly allow Member States to use the term “public authorities and

    government bodies ”. It is therefore a concept of EU law that constitutes an autonomous and

    uniform meaning. It is therefore only up to the institutions of the Union, with

    in particular to the Court of Justice, to define the limits of that concept. It is possible

    a Member State, subject to compliance with the principle of equality, then still autonomously determine which of

    those “government agencies and government bodies” he exempts, but it only comes from the Court

    Justice to determine where the extreme limits of that EU law concept lie. Until

    today the Court of Justice has not yet considered the interpretation of the concept of government in Article

    83.7 GDPR, but it is in any case established that in its interpretation

    the context of Article 83.7 GDPR and the purpose of the

    GDPR.



26. The Belgian legislator has made use of Article 221, § 2, Data Protection Act

    the possibility that Article 83.7 GDPR offers the member states. Article 221, § 2, Data Protection Act

    determines:

        “Article 83 of the Regulation does not apply to the government and their employees


        or authorized representatives, unless it is a legal entity under public law who sells goods or

        offers services in a market. ”

27. The term “government” is further defined in Article 5, second paragraph, of the Act

    Data protection:




        “For the purposes of this law," government "means:

        1 ° the Federal State, the federal states and local authorities;

        2 ° legal persons under public law that of the Federal State, the federal states or local ones

        governments depend;

        3 ° persons, regardless of their shape and nature, who:

         - established for the specific purpose of meeting needs in the general interest

         are not of an industrial or commercial nature; and Decision on the merits 36/2021 - 10/21




         - have legal personality; and

         - of which the activities are mainly carried out by the authorities or institutions mentioned in the

          provisions under 1 ° or 2 ° are financed or the management is subject to

          supervision by these authorities or institutions, i.e. the members of the administrative body,

          more than half of the management or supervisory body

          authorities or institutions have been designated;

          4 ° the associations consisting of one or more authorities as referred to in the provisions under


          1 °, 2 ° or 3 °. "



28. The Disputes Chamber argues that subsidized independent educational institutions, such as the respondent, are sufficient

    to the criteria of the term “government” as defined in Article 5, second paragraph, of the Act

    Data protection. The defendant belongs to the Catholic educational umbrella organization and thus to the

    “Free” (i.e. non-official) education and therefore takes the form of a private non-profit organization.

    Nevertheless, it was established for the specific purpose of meeting needs in the general interest

    that are not of an industrial or commercial nature (namely primary and secondary education

    it has legal personality, and its activities are mainly carried out by the


    Funded by the Flemish government and it is also under government supervision. By virtue of Article

    5, second paragraph, 3 °, Data Protection Act, the defendant is therefore a “government” in the sense of that
         3
    law.



29. However, this fact alone is not sufficient to qualify for the exemption in Article 221, § 2 of the Law

    Data protection. This exemption does not apply if a “government” in the sense of

    Article 5 Data Protection Act “offers goods or services on a market”. This shows

    that the legislator wants to limit the exempted authorities to the traditional authorities. The

    For the sake of completeness, the Disputes Chamber notes that there is also a market in education.


    After all, the offer in Belgium also consists of recognized (and even non-recognized) private education

    so that competition in this service market is not limited to just the official and the

    free education.



30. The Data Protection Act does not specify what is to be understood by “the

    offering goods or services on a market. But both (1) the parliamentary preparation

    as (2) the required strict interpretation of Article 83.7 GDPR, to which Article 221, § 2, Law






3
 In the contested decision, the Disputes Chamber did not rule on the scope of Article 5, second
paragraph, 3 °, Data Protection Act, because this article has no relevance in this case. The fact that free education among the
general definition of “government” in the Data Protection Act is not sufficient, after all, Article 221, § 2, of the Act
To be able to apply data protection. Only “public authorities and government bodies” within the meaning of Article 83.7 GDPR
can after all be exempted from administrative fines. A broader interpretation of the exemption in Article 221,
§ 2, Data Protection Act would be against EU law and should therefore be disapplied by the
national authorities, including the DPA's Dispute Chamber. Decision on the merits 36/2021 - 11/21




     Data protection implementation indicates clearly that subsidized free


     educational institutions not covered by the exemption of Article 221, § 2, Data Protection Act

     fall.




     1. The will of the Belgian legislator





31. The parliamentary preparation shows that the phrase “unless it concerns a public law

     legal entity offering goods or services on a market ”was added after a negative

     opinion of the Legislative Department of the Council of State on the original designed

     exemption from administrative fines for the government. In the initial design, the


     Exemption formulated in a broader sense: it applied to all controllers who use the

     have the capacity of a government agency or public body. The Council considered this distinction

     between the public and private sectors not reasonably justified and therefore contrary to the

     Articles 10 and 11 of the Constitution. The Council suggested that the drafters should also order

     subject the public sector to administrative fines, but lower fines for those fines

                                                                                                               4
     fixing ceilings, so as not to jeopardize the continuity of the public service.



32. The suggestion of the Council of State was ultimately not followed by the legislator, but the

     original bill was amended. In principle, the government remains exempt from this

     administrative pecuniary fines, unless it concerns a legal person governed by public law who sells goods

                                            5 6
     or offers services in a market. During the parliamentary debates it was explained that the

     in particular, the intention was to promote the federal public services (FPS) and the

     to exempt programmatic government services (POD) from administrative fines. Only 7

     the traditional government agencies would therefore still be covered by the exemption. During the


     parliamentary debates were specifically referred to municipal schools as an example of this

     authorities that can no longer benefit from the exemption thanks to the amendment. Also a

     municipal school could be imposed an administrative fine, just like a free one

     school, because it “provides a service” to the citizens. 8






4R.v.St., Legislative Section, Opinion No. 63.192 / 2 of 19 April 2018, Parl. St. Room 2017-2018, No. 54-3126 / 1, 451.
5
  Report issued on behalf of the Justice Committee by Mr P. Dedecker, Parl. St. Room 2017-2018, no. 54-
3126/3, 97.
6
 Amendment No 44 by E. Lachaert, P. Dedecker and others, Parl. St. Room 2017-2018, no. 54-3126 / 2, 55.
7 Report issued on behalf of the Justice Committee by Mr P. Dedecker, Parl. St. Room 2017-2018, no. 54-
3126/3, 98.

8 Report issued on behalf of the Justice Committee by Mr P. Dedecker, Parl. St. Room 2017-2018, no. 54-
3126/3, 98. See also p. 44, for the comment concerned: “Pursuant to paragraph 2 of Article 221 of the preliminary draft apply
the administrative pecuniary sanctions not apply to data controllers holding the capacity of public authority or

have a public body. However, they do apply to data controllers in the private sector. This difference
pending cannot be justified according to the Council of State and thus constitutes a violation of the
principle of equality. Organizations that carry out essentially the same activities should be treated in the same way, Decision on the merits 36/2021 - 12/21








33. It is therefore unmistakable from the parliamentary preparation that it is the express will of the

     The Belgian legislator was also responsible for schools, both from official and free education

     administrative fines could be subject. Since an unclear or

     vague legal provision, according to the settled case law of the Constitutional Court, must be interpreted

                                                 9
     in the light of the will of the legislature, the defendant cannot appeal for that reason alone

     do on the exemption from Article 221, § 2, Data Protection Act.




     2. Article 83.7 GDPR





34. The second reason why Article 221, § 2, Data Protection Act cannot be so broad

     interpreted as exempting free educational institutions such as the defendant from

     administrative fines is that Article 221, § 2, Data Protection Act should be

     interpreted in accordance with the GDPR, and in particular with Article 83.7, the provision to which


     it executes. Article 83.7 GDPR leaves the member states free to determine whether and to what extent

     also “government agencies and government bodies” may be subject to administrative fines

     subject (see also recital 150 GDPR).



35. The optional exemption from administrative fines for public authorities and


     bodies was not included in the original Commission proposal, but was later added to the
                                                    10
     GDPR inserted at the direction of the Council. In the initial Commission proposal were the foreseen

     maximum amounts of the administrative fines are much lower (i.e. EUR 250,000, EUR 500,000

     respectively EUR 1,000,000). 11 These ceilings have been significantly increased by the Council (up to


     20,000,000 EUR), to be sufficiently dissuasive for large companies, such as Facebook

     and Google. As compensation, Member States were left free to control their public authorities and

     to exempt government bodies from such large administrative fines.







regardless of whether they belong to the public or private sector. For example, it cannot be justified that a
OCMW hospital no administrative fine can be imposed while this could be for a hospital in the form

of a non-profit organization, the same applies to schools that belong to free education as compared to schools that belong to it
community education, for example. ”
9 See, e.g., GwH, No. 50/2008, March 19, 2008, B.15.12; No. 35/2011, March 10, 2011, B.5-B.6; No. 23/2016, 18 February 2016,

B.14.3. See also A. ALEN and K. MUYLLE, Handbook of Belgian Constitutional Law, Mechelen, Kluwer, 2011, 167.
10 See Council position at first reading with a view to adopting a regulation of the European Parliament
and the Council on the protection of individuals with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46 / EC (General Regulation
data protection), 8 April 2016, https://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf.
11 See art. 79 Commission proposal for a Regulation of the European Parliament and of the Council on the

protection of natural persons with regard to the processing of personal data and with regard to free movement
of that data (General Data Protection Regulation), COM / 2012/011 final - 2012/0011 (COD), https: // eur-
lex.europa.eu/legal-content/EN/TXT/?qid=1599056276058&uri=CELEX:52012PC0011. Decision on the merits 36/2021 - 13/21




36. What is to be understood by “public authorities and public bodies” is not specified

    specified in the GDPR. As emphasized above (marginal 25), this in no way means that it is on


    Member States are entitled to determine themselves the limits of the government concept in Article 83.7 GDPR.

    It is a concept of EU law that must be given an autonomous and uniform meaning,

    taking into account the context of Article 83.7 GDPR and the purpose of the GDPR.




37. The context of Article 83.7 GDPR and the purpose of the GDPR require a restrictive interpretation

    of the government concept in that provision. After all, Article 83.7 GDPR provides for a

    exception to the general rule that breaches of the GDPR, where appropriate, with a

    administrative fine can be sanctioned (art.58.2.i) GDPR). It's fixed

    case law of the Court of Justice that exceptions should be strict

               12
    explained. In particular with regard to European data protection rules, the Court has

    of Justice has already ruled several times that the laid down in European legislation

    exceptions should be interpreted restrictively, “since they favor the protection regime

    personal data provided for in this Directive [now Regulation], and with it

    deviate from the objective underlying the latter, to ensure the protection of

    the freedoms and fundamental rights of natural persons in connection with the processing


    of personal data, such as the right to respect for private life and family

    and family life, as enshrined in Article 7 of the Charter of Fundamental Rights of the

    European Union (…), and the right to the protection of personal data, that is

    guaranteed by Article 8 thereof. " 13




38. By softening the sanctions for government agencies and bodies, article 83.7 GDPR makes a departure

    unmistakably away from the purpose underlying the GDPR, namely the protection of

    the right of natural persons to the protection of personal data (art. 1.2 GDPR). The

    After all, the sanction of the administrative fine offers an effective means of pressure and thus a

    additional assurance for citizens that data protection rules will be complied with.



                                                                                                      14
39. It is precisely to strengthen the enforcement of data protection rules, that

    the EU legislature has explicitly stipulated in the GDPR that administrative fines, where

    appropriate, should be imposed for infringements of this Regulation. The old Directive

    Data protection, which has been lifted by the GDPR, imposed no such sanction





12 See, e.g., H.v.J., C-288/07, Isle of Wight Council and Others, September 16, 2008, EU: C: 2008: 505, § 60; C ‑ 174/14, Saudaçor, October 29
2015, EU: C: 2015: 733, § 49.

13 See e.g. H.v.J., C ‑ 73/16, Puškár, 27 September 2017, EU: C: 2017: 725, § 38 (own underlining); C ‑ 25/17, Weersan todistajat,
July 10, 2018, EU: C: 2018: 551, § 37; C ‑ 345/17, Buivids, February 14, 2019, EU: C: 2019: 122, § 41.
14
  Overw. 148 GDPR (own underlining): “With a view to stronger enforcement of the rules of this regulation
penalties, including administrative fines, should be imposed for any breach of the Regulation, in addition
or in lieu of appropriate measures imposed by the supervisory authorities under this Regulation. ” Decision on the merits 36/2021 - 14/21




    expressly. Article 24 of that directive merely stated in general that Member States “appropriate


    [take] measures to ensure the full application of the provisions of this Directive

    guarantee and (…) in particular [establish] the sanctions applicable in the event of breach of the implementation

    of this Directive ”(own underlining). This is also the usual

    working method of the EU legislature with regard to the enforcement of the regulations it issues. 15

    Overall, 16 European legislative acts merely require Member States to


    infringements impose penalties that are “effective, proportionate and dissuasive”, but they leave it

    Member States themselves to determine the nature of those penalties (e.g. compensation to the

    victim, administrative fine, criminal sanction, ...). 17 The organization of the enforcement of

    In principle, European rules in a member state therefore belong to the autonomy of the member states.





40. In the opinion of the EU legislature, enforcement of the old Directive

    However, data protection is inadequate in some Member States. To enforce the

    strengthen and harmonize data protection rules, 18 the GDPR itself provides for a

                                                                       19
    system of administrative fines for the entire Union (art.83 GDPR). The GDPR has the

    national procedural autonomy is therefore severely restricted.



41. By providing for an (optional) exception to this enforcement system, article 83.7 gives way


    GDPR deviates from the purpose of the Regulation and must, in accordance with established case law of the

    Court of Justice can be interpreted restrictively. This applies a fortiori now to the purpose of the GDPR in it

    there is a fundamental right to protect, namely the right to protection of personal data

    (Art.1 (2) GDPR), and the EU legislature has set itself the particular objective of

    strengthen and harmonize enforcement of that fundamental right.












15 See K. LENAERTS et al., EU Procedural Law, Oxford, Oxford University Press, 2014, 108.
16
  However, the GDPR is by no means the only exception to the rule. Also write other European legislative acts
specific penalties for. See e.g. art. 65-66 Directive 2013/36 / EU of the European Parliament and of the Council of 26 June 2013
"On access to the activity of credit institutions and the prudential supervision of credit institutions and
investment firms, amending Directive 2002/87 / EC and repealing Directives 2006/48 / EC and

2006/49 / EC ".
17 See e.g. art. 15 Council Directive 2000/43 / EC of 29 June 2000 "applying the principle of equality
treatment of persons regardless of racial or ethnic origin "; art. 25 Directive 2006/54 / EC of the European Parliament and

the Council of 5 July 2006 "on the implementation of the principle of equal opportunities and equal treatment for men and
women in work and occupation "; art. 15 Directive 2009/45 / EC of the European Parliament and of the Council of 6 May 2009 "on
safety regulations and standards for passenger ships "; art. 87 Regulation (EU) No 528/2012 of the European
Parliament and the Council of 22 May 2012 "concerning the making available on the market and use of biocidal products".
18
  See also rec. 150 GDPR (own underlining): “In order to reduce administrative penalties for violations of this regulation
strengthening and harmonizing, each supervisory authority should have the power to impose administrative fines
to lay."
19
  Be it with a little nuance for Member States whose legal system does not provide for administrative fines (viz
Denmark and Estonia). See art. 83.9 and rec. 151 GDPR. Decision on the merits 36/2021 - 15/21




42. It follows that the terms “public authorities and public bodies” in Article 83.7

    GDPR must be interpreted restrictively. In concrete terms, this means that it is not the intention of the

    Union legislator may have been to allow Member States the optional exemption from Article

    83.7 GDPR can also be extended to all private law organizations that have a task of general

    interest and who receive government support as compensation, such as the respondent.

    Should such private law organizations by definition also be the means of pressure of

    To escape the administrative fine, this would achieve the purpose of the GDPR

    after all, can seriously jeopardize.





43. The broad definition used by the Belgian legislator in Article 5, second paragraph, Data Protection Act

    has given to the concept of government, therefore clearly cannot be reconciled with the strict one

    interpretation that Article 83.7 GDPR should be given. The definition of the government concept in article 5 of

    the Data Protection Act corresponds almost literally to the description of the

    concept of "public entity" in Directive 2003/98 / EC "on the re-use of

    public sector information ”, 20 and of the term“ contracting authority ”in the European

    public procurement law. 21 But the purpose of those European legislative acts is

    precisely benefits from an interpretation of the government concept that is as broad as possible, that after all, the

    the scope of these legislative acts. It is therefore settled case law

    of the Court of Justice that the concept of “contracting authority” in the


    public procurement directives “should be given a functional and broad interpretation”, “having regard to the

    dual objective of opening up to competition and transparency that the said Directive

    pursues ”. Such a broad interpretation is, according to the Court of Justice, “the only one that makes it useful
                                                                                22
    effect of the [public procurement] Directive (…) ”.



44. The same applies to the interpretation of the term “public authority or body” in the

    context of Article 37.1.a) GDPR, which provides for the obligation to notify an officer for

    data protection when the processing of data is carried out by a

    government agency or government body. The purpose of the GDPR, which is to protect

    personal data, exactly benefits from a broad obligation to appoint a

    data protection officer, and thus in a broad interpretation of the

    government concept in Article 37.1.a) GDPR.








20 Art. 2, points 1 and 2, Directive 2003/98 / EC of the European Parliament and of the Council of 17 November 2003 "on the
reuse of government information ".
21
  See in particular art. 2.1 points 1 and 4, Directive 2014/24 / EU of the European Parliament and of the Council of 26 February 2014
"On public procurement and repealing Directive 2004/18 / EC".
22 See, e.g., H.v.J., C-373/00, Truley, EU: C: 2003: 110, § 43; C-214/00, Commission v. Spain, May 15, 2003, EU: C: 2003: 276, §§ 53
and 56; C-283/00, Commission v. Spain, October 16, 2003, EU: C: 2003: 544, §§ 73 and 75. Decision on the merits 36/2021 - 16/21




45. After all, the context of the term “public authorities and public bodies” in Article 83.7 GDPR is

    completely different, now that it does not determine the personal scope of the GDPR, but one

    an exception to a general rule from the GDPR, namely that breaches of the GDPR are possible

    are curbed with an administrative fine. As an exception to that general rule

    Article 83.7 GDPR must be interpreted narrowly (see above marginal 37).





46. By analogy, reference can be made to the case law of the Court of Justice on the concept

    “Other public sector entities” in Article 13.1 of Directive 2006/112 “on the
                                                                                 23
    common system of value added tax ". That provision establishes a

    exception to the general rule on which the common system of VAT is based,

    namely the rule that the scope of VAT extends to all services that are supplied

    performed for consideration. Article 13.1 provides an exception to that rule for

    activities that “public bodies” perform “as a government”. The Court of Justice

    in the Saudaçor judgment explicitly ruled that the concept of “public law bodies” included in that


    exemption clause should not be interpreted as broadly as the term “contracting party
                                                                           24
    service ”in the public procurement directives (own underlining):

         44 In this regard, the referring court asks whether, as Saudaçor submits,

         for the interpretation of the term "other public law entities" within the meaning of Article 13,

         paragraph 1, of the said Directive, the definition of the term "bodies governed by public law"

         Article 1 (9) of Directive 2004/18 must be taken into account.

         45 Article 13 (1) of Directive 2006/112 cannot be interpreted in that way.

         46 Article 1 (9) of Directive 2004/18 gives a broad definition of the concept

         "Bodies governed by public law" and, consequently, of the term "contracting authorities"


         in order to delimit the scope of that Directive so broadly that the scope of

         the award of public contracts applicable rules in the field of inter alia

         transparency and non-discrimination apply to a range of public sector bodies that do not participate

         form the public administration, but which are nevertheless controlled by the state,

         including through their funding or management.

         47 The context of the term "other public law entities" in Article 13 (1) of

         However, Directive 2006/112 is completely different.

         48 That concept is not intended to determine the scope of VAT, but contains it

         an exception to the general rule to which the common system of those

         tax is based on, namely the rule that the scope of that tax is very







23 Council Directive 2006/112 / EC of 28 November 2006 on the common system of taxation of

the added value.
24 C-174/14, Saudaçor, October 29, 2015, EU: C: 2015: 733. Decision on the merits 36/2021 - 17/21




        is broadly defined and covers all services rendered for consideration

        title, including the services provided by public law bodies (see in that sense

        judgment Commission v Netherlands, C-79/09, EU: C: 2010: 171, paragraphs 76 and 77).

        49 As an exception to the general rule that all economic activity is subject to VAT

        subject, Article 13 (1) of Directive 2006/112 must be interpreted narrowly (see below

        more judgment in Isle of Wight Council and Others, C-288/07, EU: C: 2008: 505, paragraph 60, and order

        Gmina Wrocław, C-72/13, EU: C: 2014: 197, point 19). "




47. By analogy with this case law, the concept of government in Article 83.7 GDPR must also become narrow

    explained. In no case can this term be interpreted as broadly as the terms “contracting party

    service ”and“ public body ”in the public procurement directives respectively
                                     25
    access to government information. A fortiori now the GDPR (in contrast to the above-mentioned VAT Directive)

    aims to protect a fundamental right, Article 83.7 GDPR cannot be interpreted so broadly

    that Member States include all legal persons governed by private law who perform a task in the public interest

    and which are primarily government-funded and / or government-supervised,

    should be allowed to exempt from administrative fines for GDPR violations.



48. The Disputes Chamber emphasizes that citing the above analogy regarding the

    restrictive interpretation of exceptional provisions does not mean that the defendant will not accept the

    The Disputes Chamber is regarded as a “legal entity under public law”.




49. Having regard to the principles of the primacy and full effect of EU law, Article 221,

    §2 Data Protection Act to be interpreted in accordance with the restrictive

    interpretation that Article 83.7 GDPR should be given. This means that Article 221, § 2, Law

    Data protection should not be interpreted so broadly that it is also free

    educational establishments, such as defendant, would by definition exempt from administrative ones

    fines.




50. Since the Disputes Chamber finds that the defendant is not covered by the application of Article

    83.7 GDPR falls because it is not a “government agency or body” within the meaning of that

    provision, and thus decides that Article 83.7 GDPR does not apply, the

    After all, inevitably, Article 221, § 2, Data Protection Act,

    that implements article 83.7 GDPR in Belgian law does not apply. Precise attention

    on this implementation falls the notion “government agency or government body” of article 83.7 GDPR






25 The definitions of the terms “public body” and “body governed by public law” from Directive 2003/98 / EC are taken from

to the public procurement directives (recital 10 Directive 2003/98 / EC). Decision on the merits 36/2021 - 18/21




         used in conjunction with the conceptual framework “government and their appointees or agents”

         article 221, §2 Data Protection Act. Because the defendant does not act as “public authority or

         government body ”, it is ipso facto also not a“ government, appointee

         or agent of a government ”



    51. The Disputes Chamber decides that:

    - the GDPR the concept of “public authorities and public bodies” within the meaning of Article 83.7 GDPR

             does not define;

    - It follows from the settled case law of the Court of Justice that the concept of “public authorities and


             public bodies ”in Article 83.7 GDPR is an autonomous EU law concept, that account

             taking into account the context of that provision and the purpose of the GDPR;

             that since Article 83.7 GDPR concerns an exceptional provision, the government concept here

             in particular, must be interpreted restrictively;

    - the term “public authorities and public bodies” in article 83.7 GDPR is certainly not the case

             can be broadly explained that it is also private law legal persons who have a task of

             to perform in the public interest, such as free educational institutions;

    - give a broad interpretation to Article 221, § 2, Contradictory Data Protection Act

             would be with, on the one hand, the express will of the Belgian legislator to schools not free

             to impose administrative fines and, on the other hand, the restrictive interpretation of that article

             83.7 GDPR as an exception;

    - also Article 221, § 2, Data Protection Act must therefore be interpreted as free


             educational institutions are not exempt from administrative fines for violations of the

             GDPR.



B. Administrative Fine




    52. The fact that the defendant as a subsidized independent educational institution qualifies for

         imposing an administrative fine will lead the Dispute Chamber to the

         enforce an administrative fine. This sanction does not extend to one made

         violation, but with a view to vigorous enforcement of the rules of

         the GDPR. After all, as is clear from Recital 148 GDPR, the GDPR puts first and foremost that with every

         serious infringement - including when an infringement is first established - penalties, including

         administrative fines are imposed in addition to or instead of appropriate measures. 26






    26 Recital 148 states: “With a view to more vigorous enforcement of the rules of this Regulation, penalties,
    including administrative fines, to be imposed for any breach of the Regulation, in addition to or instead of
    appropriate measures imposed by the supervisory authorities under this Regulation. If it comes
    for a minor infringement or if the foreseeable fine would cause a disproportionate burden on a natural person,
    instead of a fine, a reprimand can be chosen. However, the decision on the substance 36/2021 - 19/21 should be taken into account




    In the following, the Disputes Chamber shows that the violations committed by the defendant on Article

    5.1 c), Article 6.1 and Article 8 GDPR in no way concern minor infringements, nor that the fine

    would cause a disproportionate burden to a natural person as referred to in Recital 148

    GDPR, where a fine can be waived in either case. The

    The Disputes Chamber imposes the administrative fine in application of Article 58.2 i) GDPR. It

    The instrument of administrative fine is by no means intended to end infringements. To that end

    the GDPR and the WOG provide for a number of corrective measures, including the orders

    referred to in Article 100, §1, 8 ° and 9 ° WOG.



                                                                    27
53. Taking into account article 83 GDPR and the case law of the Marktenhof, the

    Disputes Chamber imposing an administrative sanction in concrete terms:

         - The seriousness of the infringement: the reasoning below shows the seriousness of the infringement.

         - The duration of the breach: since the GDPR came into effect, the survey found “well-being”

             which is the subject of the complaint only once.

         - The necessary deterrent effect to prevent further infringements.




54. With regard to the nature and seriousness of the infringement (art. 83.2 a) GDPR), the Disputes Chamber emphasizes

    that compliance with the principles set out in art. 5 GDPR - in the present case in particular the


    lawfulness principle, as well as the principle of data minimization - is essential,

    because it concerns fundamental principles of data protection. The Dispute Chamber

    considers the defendant's infringement of the principle of legality that is being stated

    in art. 6 GDPR as a serious violation. In addition, an infringement is committed on

    Article 8 GDPR which aims to offer a special protection to young people, which

    thus also constitutes a serious violation.



55. Despite a previous complaint lodged against the defendant in 2016 with the then Commission

    for the protection of privacy related to the same survey,

    the respondent will do the survey again in 2018. However, the Dispute Chamber does not hold any

    take into account the 2016 complaint when determining the administrative fine. First of all


    no consequences were linked to the 2016 complaint by the Commission for the







nature, gravity and duration of the infringement, including the intentional nature of the infringement, with measures to mitigate damage,
with the degree of responsibility, or with previous relevant breaches, with the manner in which the breach became known to the
supervisory authority has come up with compliance with the measures taken against the

controller or processor, with affiliation to a code of conduct and any other aggravating or
mitigating factors. Imposing penalties, including administrative fines, should be subject to
appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including a
effective remedy and due process. [own underlining]
27 Brussels Court of Appeal (Marktenhof section), Verreydt N.V. t. GBA, Judgment 2020/1471 of 19 February 2020. Decision on the merits 36/2021 - 20/21



        protection of privacy and was not yet subject to the GDPR at that time

        application.





    56. In determining the administrative fine, the Disputes Chamber does take into account the

        the fact that the defendant states that it is willing and has already made efforts to provide

        in a survey that in the future may be conducted in anonymous form, provided the defendant

        takes the necessary measures to ensure its anonymity (as set out in

        marginal nos. 39-40 of decision on the merits 31/2020 of June 16, 2020). In addition, the

        When determining the amount of the fine, the Disputes Chamber takes into account that this is the case

        to be an educational institution, not for profit.




    57. An important element in determining the amount of the fine is also the fact that to

        following the judgment of the Marktenhof dated November 18, 2020, the infringements single article

        5.1 c), Article 6.1 and Article 8 GDPR, and not also Article 5.1. a), Article 12.1. and Article 13

        GDPR. This leads the Disputes Chamber to reconsider the fine and reduce it to € 1000.00.




    58. The totality of the elements set out above justifies an effective,

        proportionate and dissuasive sanction as referred to in art. 83 GDPR, taking into account the therein

        certain assessment criteria. The Disputes Chamber points out that the other criteria of art. 83.2.

        GDPR in this case are not such as to lead to an administrative fine other than that

        which the Disputes Chamber has determined in the context of this decision.



C. Publication of the decision




    59. Considering the importance of transparency with regard to the decision-making of the

        Disputes Chamber, this decision will be published on the GBA website. However, it is

        does not require that the identification data of the parties be directly

        announced. Decision on the merits 36/2021 - 21/21



FOR THESE REASONS,



the Dispute Chamber of the Data Protection Authority, after deliberation, will decide for her

to review decision 31/2020 of June 16, 2020 and to review the defendant pursuant to art. 100, §1, 13 ° WOG


and art. 101 WOG to impose an administrative fine of € 1,000.00 for the infringement of

article 5.1. c), Article 6.1. and Article 8 GDPR.



On the basis of Article 108, §1 WOG, an appeal can be lodged against this decision within

a period of thirty days from the notification at the Marktenhof, with the

Data protection authority as defendant.







(get.) Hielke Hijmans

Chairman of the Disputes Chamber