| APD/GBA - 37/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1)(e) GDPR Article 25 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 16.03.2021 |
| Published: | |
| Fine: | None |
| Parties: | Mrs Y (The Complainant) Y representing Y1 (Defendant - Public body) |
| National Case Number/Name: | 37/2021 |
| European Case Law Identifier: | DOS-2020-00310 |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD (in FR) |
| Initial Contributor: | Mathieu Desmet |
The Belgian DPA (APD/GBA) ordered the defendant (a public institution) to comply with the principles of purpose limitation and data minimization, by removing the mention of the title of nobility from the identity card of the complainant.
English Summary
Facts
The complainant, a member of the nobility (countess) addressed her municipality in order to be able to have her identity card and passport drawn up without the mentioning of her title.
The defendant considered that the claim was not admissible to the extent that the title would, in her view, be an integral part of the name of the complainant and therefore should appear on the identity card as well as on the passport for the purpose of identification.
Dispute
Does the mentioning of the title of a member of the nobility on his or her identity card comply with the principles of purpose limitation and data minimization and is there a legal basis (public interest mission) justifying this?
Holding
As for the respect of the principles of minimization and purpose limitation (Article 5(1)(c) and Article 5(1)(b) of the GDPR):
The Belgian DPA considers that the indication of the surname, first name, date and place of birth, as well as the complainant's national registry number are sufficient to identify her.
The fact that until 2011, the mention of the title of nobility on the passport was optional furthermore tends to show that the title is not necessary for the identification of the concerned person.
The Belgian DPA further considers that insofar as the identity card is called upon to be used regularly and on a daily basis, it is necessary to be all the more vigilant that only the information which is strictly necessary for identification should appear on it.
As for the legal basis for the exercise of a public interest mission (Article 6(1)(e) of the GDPR):
In the current state of the law, the Belgian DPA notes that there is an uncertainty concerning the obligation or not to display the title next to the name on identity documents.
Although the Royal Decree (RD) of 1822 relating to titles of nobility and qualities remains in effect, the lex specialis, the law of 19 July 1991 relating to population registers, identity, foreigner's cards and residence documents does not mention the title as a mandatory mention on the identity card.
The Belgian DPA is therefore of the opinion that the only useful interpretation which is capable of give full effect to the notion of necessity as required by the case law of the ECHR and of the ECJ is that which consists in qualifying as "necessary for the performance of the mission of public interest", the only data necessary for the purpose of identifying the person concerned.
The mention of the title is not necessary for the fulfillment of the mission of public interest.
Decision:
The Belgian DPA concludes that there is no basis of lawfulness for the processing on behalf of the defendant, and consequently conclude to a breach of Article 6(1)(e) of the GDPR as well as Articles (5)(1)(b) and 5(1)(c) and issues a reprimand to the defendant as well as the order to comply with the aforementioned obligations (principles) set in the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/15
Litigation Chamber
Decision on the merits 37/2021 of March 16, 2021
File No .: DOS-2020-00310
Subject: Complaint for refusal to remove the mention of the title of nobility from the documents
identity and other official documents
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs Yves Poullet and Christophe Boeraeve, members, taking over the case
in this composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of individuals with regard to the processing of personal data and the
free movement of such data, and repealing Directive 95/46 / EC (general regulation on the
data protection), hereinafter GDPR;
Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA);
Having regard to the internal regulations as approved by the House of Representatives on December 20
2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
took the following decision regarding:
- the complainant: Mrs X,
- the defendant: Y, as representative of Y1
1. Facts and procedural history
1. In December 2015 and January 2016, the complainant addressed her administration
municipality in order to be able to have an identity card drawn up without mentioning its title Decision on the merits 37/2021 - 2/15
nobility (Countess). The defendant considered that the claim was not admissible in
the extent to which the title would, in her view, be an integral part of the name and must therefore
appear on the identity card.
2. In September 2016, the complainant applied for a new passport from her municipality. In
this framework, she chose the option "title of nobility: optional" (her title did not appear
on previous versions of his passport). However, shortly after his request,
the municipal administration contacted the complainant to inform her that the title
must be indicated on the passport.
3. By letter of March 28, 2016, the predecessor of the APD, the Commission for the Protection of
privacy (CPVP) questioned the defendant (more precisely the general manager of
the General Directorate of Institutions and Population (DGIP)), on the compulsory nature or
optional mention of the title of nobility on the identity card.
4. By letter of April 14, 2016, the defendant indicated that the insertion of the title of
nobility in deeds is mandatory and is therefore mentioned on the identity card
provided that it is included in the National Register of Natural Persons. To support its
say, the defendant is based on:
- Article 1 of the Royal Decree of January 26, 1822 relating to titles of nobility and qualities;
- the Elementary Treaty of Belgian Civil Law by Professor Henri De Page;
- the Y2 FAQ.
5. By letter of July 12, 2016, the CPVP replied to the defendant that it was not joining
not the arguments developed in the letter of April 14, 2016 given that,
after the Royal Decree of January 26, 1822 relating to titles of nobility and qualities,
new legislation and decrees which must be taken into account have been adopted, namely:
- the law of July 19, 1991 relating to population registers, maps
identity cards, foreigner's cards and residence documents and amending
the law of August 8, 1983 organizing a national register of persons
physical, which specifies in its article 6, § 2, the data which must
be mentioned on the identity card, among which are not found
not explicitly titles of nobility;
- the law of 8 December 1992 on the protection of privacy with regard to
processing of personal data which stipulates in its
article 4 § 1, 3 ° that “the data must be: (…) adequate, Decision on the merits 37/2021 - 3/15
relevant and not excessive in relation to the purposes for which they
are obtained and for which they are subsequently processed (…) ”.
6. On September 30, 2016, the defendant requested the opinion of the Y2 Nobility Council regarding
to the arguments raised by the CPP. The latter, in its opinion of 18 January 2017, joined the
arguments developed by the defendant in its letter of April 14, 2016.
7. The opinion of Y3 was also requested by the defendant on March 8, 2017. The Y3
agrees with the defendant's position.
8. On May 9, 2017, the various departments concerned met. At the end of this
meeting:
- the Y3 reaffirmed the maintenance of the title of nobility on civil status documents, the title
nobiliary forming an integral part of the name;
- according to Y2, the title of nobility must be maintained on passports;
- the CPVP, for its part, requested the deletion, at the request, of the reference to the title of
nobility on the identity card.
No consensus could be reached.
9. On May 16, 2017, the CPVP by means of a summary note, repeated the arguments
justifying its position and proposed a solution consisting in systematically indicating the
title of nobility on the identity card and passport, unless requested by the interested party
title is not mentioned.
10. A letter repeating the various arguments formulated by the defendant and rejecting
reasoned the solution proposed by the CPVP was then sent by the defendant to
the CPP (dated May 28, 2018), who forwarded it to the complainant on October 18, 2018. The
letter in question repeats the various arguments formulated by the defendant
demonstrating that the solution proposed by the CPVP cannot be followed.
11. By letter of March 24, 2019 addressed to the defendant, the complainant reiterates her request
removal of the title of nobility from their identity card and passport, and offers three
solutions.
12. The complainant also wishes that her title no longer appears on any document issued by
administration.
2. Legal basis Decision on the merits 37/2021 - 4/15
- Article 5.1.b of the GDPR
“Personal data must be (…) collected for specific purposes,
explicit and legitimate, and not be further processed in a manner incompatible with these
purposes; further processing for archival purposes in the public interest, for research purposes
scientific or historical or for statistical purposes is not considered, in accordance with Article 89,
paragraph 1, as incompatible with the initial purposes (limitation of purposes) "
- Article 5.1.c of the GDPR
"Personal data must be (...) adequate, relevant and limited to what is
necessary with regard to the purposes for which they are processed (data minimization) "
- Article 6.1 .e of the GDPR
"Processing is only lawful if, and insofar as, at least one of the following conditions is
fulfilled: (...) the processing is necessary for the performance of a task of public interest or falling within the
the exercise of public authority vested in the controller '
3. The arguments of the parties
13. The defendant argues that the title of nobility is part of the name, and that it must therefore appear
on identity documents. Any exemption would be subject to legislative amendment. The
complainant considers conversely that the title is not part of the name, and that it is not
necessary for its identification.
14. The defendant emphasizes that certain texts relating to civil status documents impose the
mention of the title. However, civil status documents and identity documents must necessarily
use the same information, on the basis of the necessary consistency between the register
national and civil status registers. Therefore, according to the defendant, the title must
appear on both civil status documents and identity documents.
15. The complainant argues that according to the European Court of Human Rights, the "right to
name "implies the right not to be forced to include any particulars in their name
which is not part of it (the title). However, the defendant replies that the title is an integral part
by name.
16. According to the complainant, the mention of the title is a source of discrimination because it creates
prejudices in the collective imagination. The defendant replies that the title is not a criterion
protected constitutive of social origin, within the meaning of the law of May 10, 2007 tending to fight
against certain forms of discrimination. Decision on the merits 37/2021 - 5/15
4. Motivation
As a preliminary point, the Chamber notes that although the provisions of the GDPR mentioned below
are not included in the submissions of the parties, the Contentious Chamber notes that the
complaint is brought before it and, therefore, qualifies the legal arguments invoked and related
the disputed facts included in the complaint with regard to the GDPR, in the context of the dispute brought before
it and in the context of the competences assigned to it.
The Litigation Chamber specifies that this decision focuses on the identity card, and
does not address the passport or other documents issued by the administration (such as the permit
driving, for example), insofar as only the competence of the
defendant identity card.
4.1- As to the mention of the title next to the name on the identity card
17. In the current state of the law, the Contentious Chamber notes an uncertainty concerning
1
whether or not the title should appear next to the name on identity documents.
Although the Royal Decree (RD) of 1822 relating to titles of nobility and qualities remains in effect
application, since it has not been repealed, it seems obsolete. It would seem that the usage has by
subsequently introduced the insertion of the title on civil status documents. This use is notably
taken up by the Royal Decree of January 8, 2006 as well as that of February 3, 2019 relating to state acts
3
civil, which explicitly mention that the title must be indicated (other legislative texts
invoked do not comment on the mention of the title).
18. However, the lex specialis, the law of 19 July 1991 relating to population registers,
identity, foreigner's cards and residence documents do not mention the title
as part of the identity card. Its article 6 § 2 indicates in fact:
Ҥ 2. [8 The identity card and the foreigner's card contain, in addition to the signature of the holder,
personal information visible to the naked eye and electronically readable.] 8
Personal information visible to the naked eye and electronically readable
concern:
1 ° the name;
2 ° the first two names;
3 ° the first letter of the third given name;
4 ° nationality;
1It should be noted at the outset that this question is different from whether the title is an integral part of the name,
discussed below.
2AR of 8 January 2006 determining the types of information associated with the information referred to in Article 3, paragraph 1, of the Law of
August 8, 1983 organizing a National Register of Natural Persons
3 AR of 3 February 2019 fixing the models of extracts and copies of civil status documents Decision on the merits 37/2021 - 6/15
5 ° [8 ...] 8 the date of birth;
6 ° sex;
7 ° the place of issue of the card;
8 ° the start and end date of the card's validity;
9 ° the name and number of the card;
10 ° the holder's photograph;
11 ° (...); <L 2004-07-09 / 30, art. 95, 011; In force: 25-07-2004>
12 ° the identification number of the National Register. "
Insofar as this law specific to identity cards constitutes the lex specialis, thus
that under the hierarchy of norms, this law must take precedence over the Royal Decree of 1822.
4.2- As to the question of whether the title is an integral part of the name
19. The question of whether the title is an integral part of the name is similarly debated. In
Indeed, no normative text invoked by the parties is positioned on this subject (the RD
mentioned above from 1822 only indicates that the title must appear next to the name, without
make it clear that it is part of it). However, recent case law seems to distinguish
between title and name.
20. To the extent that the argument based on the right to a name (invoked by the complainant to reject
the inclusion in its name of its title) is directly linked to the question of whether the title
is an integral part of the name or not, and that this aspect does not fall within the competence of
the Litigation Chamber, this issue is not addressed in this decision.
21. The complainant also alleges discrimination linked to the mention of her title on her card.
identity, because of the collective imagination frequently associated with titles of nobility. The
Litigation Chamber considers that although this does not fall within its direct competence,
to the extent that the “rules governing the protection of individuals with regard to
processing of personal data concerning them should (...) respect their
fundamental rights and freedoms ”, and that in addition the right to data protection
is a fundamental right, aiming, among other things, to "contribute to the creation of an area of
freedom, security and justice ”, this argument about discrimination can be taken
for consideration by the Chamber, a fortiori insofar as the mention of the title is not
4 See in particular the C. App. Brussels, 2020-6638, 01 October 2020, p17-18
5 Recital 2 of the GDPR: "The principles and rules governing the protection of individuals with regard to processing
personal data concerning them should, regardless of the nationality or residence of these persons
individuals, respect their fundamental rights and freedoms, in particular their right to the protection of personal data
staff. This Regulation aims to contribute to the achievement of an area of freedom, security and justice and of a united
economic, economic and social progress, consolidation and convergence of economies within the internal market,
as well as the well-being of natural persons ”. Decision on the merits 37/2021 - 7/15
necessary for the purpose of the processing pursued for an identity card (as listed
infra).
4.3- As for the consistency between the national register and civil status registers
22. The defendant emphasizes that certain texts relating to civil status documents (the Royal Decrees
of January 8, 2006 "determining the types of information associated with
information referred to in article 3 paragraph 1 of the law of August 8, 1983 organizing a register
national of natural persons "and the Royal Decree of February 3, 2019" fixing the models of extracts
and copies of civil status documents ") require the mention of the title in civil status documents.
However, the defendant argues that civil status documents and identity documents must
necessarily use the same terms, on the basis of the necessary consistency between
the national register and civil status registers. It also specifies that the intention of the legislator
to reduce the discrepancies between these registers is all the more clear since the creation of
the Bank of Civil Status Acts (BAEC) in 2018, one of the purposes of which is to
update the data of the National Register on the basis of the data it contains. By 6
Therefore, according to the defendant, the title must appear on both civil status documents and
on identity documents.
23. However, although it is sensitive to the need for consistency between the data appearing in
the BAEC, in the national register and in the population registers, the Chamber
Litigation, in its role as guardian of the GDPR and other laws relating to protection
data and privacy, recalls the fundamental importance of respecting the right to
the protection of personal data. The GDPR thus devotes in the same
6
Art. 72 of the law of 18 June 2018 laying down various provisions on civil law and provisions to promote
alternative forms of dispute resolution
“The BAEC's mission is:
1 ° to assist civil status officers and consular agents in the exercise of their legal missions in matters of
establishment and updating of acts and registers of civil status;
2 ° to guarantee, as an authentic source, the storage, preservation and availability of all acts of the State
civil included in the BAEC, without affecting the legal missions of the National Register as an authentic source of
identification data of natural persons;
3 ° to provide a service to citizens, wherever they are;
4 ° to simplify administrative procedures via the obligation to reuse documents and data available in the
BAEC;
5 ° to assist the judiciary in the exercise of its missions;
6 ° to provide for a central and uniform control at the level of the establishment and conservation of acts, as well as the
issuance of extracts and copies thereof;
7 ° to allow the application of international treaties and agreements in matters of civil status;
8 ° to allow the establishment of global and anonymous statistics relating to civil status;
9 ° to ensure the conservation of civil status documents until the moment of their transfer to the [1 General Archives of the Kingdom
and State Archives in the Provinces] 1;
10 ° to provide for simultaneous updating of the data in the National Register on the basis of the data listed in the
BAEC. »Decision on the merits 37/2021 - 8/15
Article 25 (Data protection by design and data protection by default)
than :
“1- Taking into account the state of knowledge, the costs of implementation and the nature,
scope, context and purposes of the processing as well as the risks, including the degree of probability
and of varying severity, which the processing presents for the rights and freedoms of individuals,
the controller implements, both when determining the means of
processing that at the time of the processing itself, technical and organizational measures
appropriate, such as pseudonymization, which are intended to implement the principles
relating to data protection, for example data minimization, in order to
effective and to provide the processing with the necessary guarantees to meet the requirements of the
this Regulation and to protect the rights of the data subject.
2- The data controller implements the technical and organizational measures
appropriate to ensure that, by default, only personal data that is
are necessary for each specific purpose of the processing are processed.
This applies to the amount of personal data collected, to the extent of their
treatment, their shelf life and accessibility. In particular, these measures
ensure that, by default, personal data is not made accessible
to an unspecified number of natural persons without the intervention of the natural person
concerned. ”
4.3.1- As regards respect for the principles of minimization and finality (article 5.1.c. and article
5.1.b of the GDPR)
24. In its capacity as data controller, the defendant is required to respect the
data protection principles and must be able to demonstrate that these are
respected (principle of responsibility - article 5.2. of the GDPR). She must, moreover, always
in his capacity as data controller, implement all the necessary measures
for this purpose (article 24 of the GDPR). Article 5.1.b) of the GDPR enshrines the principle of finality,
either the requirement that the data be collected for specific, explicit purposes
and legitimate and are not further processed in a manner inconsistent with these
purposes. It is in terms of the finality that other principles may also apply
devoted to Article 5 of the GDPR including the principle of minimization, according to which only
adequate, relevant and limited data to what is necessary for the purpose
may be processed (article 5.1.c) of the GDPR).
25. In other words, each processing of personal data pursues its purpose
clean. Treatment carried out as part of a family composition document or
election convocation does not pursue the same purpose as processing carried out under Decision on the merits 37/2021 - 9/15
an identity card. The purpose pursued in this context of the identity card is
in the identification of the person concerned.
26. In application of the principle of finality, the Litigation Chamber is of the opinion that the logic
of a concordance between the national register and civil status documents does not imply that the
The complainant's title must appear on her identity card. Indeed, the fact that the title of the
complainant is included in the BAEC does not imply that each document whose data
are generated on the basis of the BAEC must necessarily include exhaustively the
data present in this database. As indicated above, the data included
BAEC should be selected according to the purpose of the document generated (and
also keeping in mind the principle of minimization - see next point -). This
applies a fortiori to the identity card, a document used on a regular basis and for
diverse in everyday life.
27. The notion of necessity is also included in Article 6.1.e of the GDPR, which provides
that "the processing is necessary for the performance of a task of public interest or relevant
of the exercise of public authority vested in the controller ”(we
underline). This notion of necessity must be read in conjunction with the principle of
data minimization (5.1.c of the RGPD -cf supra-), which must be "adequate,
relevant and limited to what is necessary in relation to the purposes for which they
are processed ”. The purpose of the mentions of personal data on documents
identity and civil status documents is the identification of the person concerned. It suits
therefore to question the extent to which the mention of the title is necessary to
the identification of the complainant.
28. The CJEU recalled in its Huber judgment that the notion of necessity is a “notion
independent of Community law which must be interpreted in such a way as to
fully subject to this directive as defined in Article 1 (1) of that directive
this. "(§52).
29. She also stressed that "(...) it is the responsibility of the authority responsible for a register [...] of
ensure that the stored data is, where appropriate, updated, so that,
on the one hand, they correspond to the actual situation of the people concerned and, on the other hand
part, that the superfluous data be deleted from said register. »(§60) (emphasis added)
30. This case-law, formulated admittedly in the light of Article 7 of Directive 95/46 / EC, is valid
for all the bases of lawfulness which retain this condition of necessity. She remains
relevant today even though Directive 95/46 was repealed since this
7
Compliance with this article of the processing in the present case is examined below in points 36 et seq.
8CEDH, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, December 16, 2008 Decision on the merits 37/2021 - 10/15
condition of necessity is maintained under Article 6.1 b) to f) of the GDPR. The article
6.1 of the GDPR replaces Article 7 of the Directive, without the relevant provisions being
modified.
31. The Article 29 Group also referred to the case law of the ECHR for
identify the requirement of necessity and concludes that the adjective "necessary" thus does not have the
flexibility of terms such as "permissible", "normal", "useful", "reasonable" or
10
"Timely".
32. The Litigation Chamber considers that the indication of the surname, first name, date and place of
birth, as well as the complainant's national registry number are sufficient to identify her.
The fact that until 2011, the mention of the title of nobility on the passport was optional
furthermore tends to show that the title is not necessary for the identification of the
concerned person.
33. The Contentious Chamber further considers that it is necessary to distinguish, during the assessment
the need for the mention of the title of nobility, the identity card, in that it is a
document required and used daily on a regular basis, civil status documents (such as
family composition for example). Insofar as the identity card is called upon to be
used regularly on a daily basis, it is necessary to be all the more vigilant that there is
only the information strictly necessary for identification.
34. The Contentious Chamber considers that the mention of the title of nobility, in any case
cause, on the identity documents, is not a strictly necessary
identification, and is therefore superfluous. Based on the principle of minimization (article
5.1, c) of the GDPR), the title does not have to appear on the identity card.
35. Abundantly, and without taking a position as to whether the title is part
integral part of the name or not, the Litigation Chamber notes that the Royal Decree of 1822 relating to
titles of nobility and qualities, requiring that the title be indicated next to the name (which
indicates that the title of nobility is not the name but a complement to it), poses
question under Article 5.1, c) of the GDPR (minimization principle).
4.3.2- As to the legal basis for the exercise of a public interest mission (Article 6.1.e of
GDPR)
36. It is not disputed that there is indeed a processing of personal data in
the head of the defendant. Insofar as the processing in question is carried out by the
9Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the data controller
data within the meaning of Article 7 of Directive 95/46 / EC, WP 217.
10
ECHR, March 25, 1983, Silver and others v. United Kingdom, para 97. Decision on the Merits 37/2021 - 11/15
defendant in its capacity as an organ of the Belgian State, it is appropriate to wonder on the basis
lawfulness of the processing and its compliance with Article 6.1.e of the GDPR.
37. The Contentious Chamber considers that the assessment by a data controller of the
lawfulness of the processing carried out on the basis of its public interest mission (which, as a reminder, must be
"Necessary for the performance of a mission of public interest or relating to the exercise of
the public authority vested in the controller) cannot be detached from the
purpose of the processing concerned, in this case, the identification of the person
concerned.
38. To assert the contrary would amount to exempting the controller from any examination
the relevance of the data processed, even though the implementation of this principle
founder of data protection provided for in Article 5.1.c) of the GDPR comes to him in his
quality of data controller.
39. The Contentious Chamber is of the opinion that the only useful interpretation which is capable of
give full effect to the notion of necessity as required by the case law of the ECHR and
of the CJEU is that which consists in qualifying as "necessary for the performance of the mission
of public interest ", the only data necessary for the purpose of identifying the person
concerned. The mention of the title is not necessary for the fulfillment of the mission
of public interest. Therefore, the Contentious Chamber concludes that there is no
basis of lawfulness for the processing on behalf of the defendant, and consequently to
a breach of Article 6.1.e of the GDPR.
4.3.3- As to the "opt out" system proposed by the complainant
40. The complainant also proposes an "opt-out" system, in which a holder of a
title of nobility could request that the title be removed from their identity documents
and civil status documents. In the absence of a request, the title would be indicated systematically. The
defendant rejects this proposition, arguing, in its conclusions, that it cannot
operate on an individual basis and that the same regime must be applied to all holders
of a noble title, at the risk of undermining the principles of legality, equality, and therefore
legal certainty.
41. It emerges from a reading of the letter of May 28, 2018 from the Respondent to the APD (Exhibit 8 of
the defendant) that the costs of adapting the defendant's computer system
in order to automatically withdraw the title of nobility, in the event of such a request,
would be too high for an individual request. If the Litigation Chamber is sensitive
to this argument, it nevertheless recalls that the Court of Markets previously considered that
the argument made by a bank of the technical difficulties and costs to adapt a
computer program by inserting an acute accent on a customer name is not
relevant. The Court also indicates that the computer programs used must comply with Decision on the merits 37/2021 - 12/15
to the requirements of the GDPR. It is reasonable to think that this reasoning would apply
all the more so under the title of nobility.
42. In any event, the aforementioned letter of 28 May 2018 from the defendant refers to
also the possibility of a one-off manual modification in the file (s) concerned,
but reject this way of proceeding because the risk of error and forgetting would be too great. Gold,
particularly in view of the defendant's indication that, on the date of the letter,
the only holder of a nobiliary title who has made such a request is the complainant, the
risk of error linked to manual manipulation in the computer system appears to be low.
43. The Contentious Chamber finally underlines that although it does not consider it necessary in the
case in point that the defendant adapts its computer system to allow
automatic withdrawal of the title of nobility, she recalls that a technological obstacle, according to the
context and as far as is reasonable and proportional, cannot prevent the exercise
one of his fundamental rights by a data subject.
44. For the sake of completeness and in view of the technical arguments raised by the defendant,
the Contentious Chamber draws the attention of the defendant to the necessary respect of the
data protection by design and data protection by default, based on
12
Article 25 of the GDPR. These concepts are among the cornerstones of the GDPR and the
responsibility which is at the heart of it, in article 5.2 in conjunction with article 24 GDPR. They
are contained in article 25 of the AVG mentioned above and are explained in more detail in
recital 78 GDPR. The defendant therefore has the obligation to adopt the "measures
appropriate technical and organizational to ensure that, by default, only data
of a personal nature which are necessary for each specific purpose of the
treatment are processed ”in addition to having incorporated such measures from the design stage.
45. In its Guidelines 4/2019 on data protection by design and
data protection by default, the EDPB specifies that article 25.1 GDPR implies that
data controllers must take data protection into account from the
design and protect data by default at an early stage when planning a
11C. App. Brussels, 2019/7537, 09 October 2019, p15
12 Art. 25 GDPR:
1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and
the purposes of the processing as well as the risks, varying in probability and severity, that the processing presents for
the rights and freedoms of natural persons, the controller implements, both at the time of determining
the means of processing that at the time of the processing itself, appropriate technical and organizational measures,
such as pseudonymisation, which are intended to implement the principles relating to data protection, for example
example the minimization of data, effectively and to match the processing with the necessary guarantees in order to meet
to the requirements of this Regulation and to protect the rights of the data subject.
2. The controller implements the appropriate technical and organizational measures to ensure that,
by default, only the personal data that are necessary for each specific purpose of the processing
are processed. This applies to the amount of personal data collected, to the extent of their processing, to their
shelf life and accessibility. In particular, these measures ensure that, by default, data of a
personnel are not made accessible to an unspecified number of natural persons without the intervention of the person
physical concerned. Decision on the merits 37/2021 - 13/15
new treatment. Data controllers must implement the protection
data from design by default before processing, and also continuously to
duration of treatment, regularly reviewing the effectiveness of the chosen measures and
guarantees. These same principles also apply to existing systems that deal with
personal data. In other words, the protection of their data
personal data is inherent (integrated) in the processing.
46. The CJEU has also underlined the importance of these concepts in its case law and, in
particularly in its Digital Rights Ireland judgment according to which the essence of Article 8 of the
Charter of Fundamental Rights of the European Union requires technical measures
and organizational are taken to ensure that personal data
are effectively protected against any risk of misuse and against any access
and any unauthorized use. 14
5. Corrective measures and sanctions
47. On the basis of the above analysis, the Contentious Chamber considers that by refusing to make
following the complainant's request to withdraw the mention of her title of nobility on her
identity card, the data controller violated Article 5.1.c, 5.1.b and 6.1.e of the RPGD.
48. Under Article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of the data and the notification thereof
ci to data recipients;
13
EDPB, Guidelines 4/2019 on Article 25, Data Protection by Design and by Default, Version 2.0, Adopted on 20 October 2020,
p 4
14CJUE, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, para. 40 and 66-67. Decision on the merits 37/2021 - 14/15
11 ° order the withdrawal of accreditation of certification bodies;
12 ° give periodic penalty payments;
13 ° issue administrative fines;
14 ° order the suspension of transborder data flows to another State or an organization
international;
15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences
data on file;
16 ° decide on a case-by-case basis to publish its decisions on the website of the Protection Authority
Datas.
49. It is important to contextualize the breach of Articles 5.1.c, 5.1.b and 6.1.e of the GDPR
on the other hand, with a view to identifying the most appropriate sanctions and / or corrective measures.
In accordance with Article 83 of the GDPR, administrative fines must be
"Effective, proportionate and dissuasive". To this end, it is particularly advisable to keep
account for "the nature, seriousness and duration of the violation". As indicated above, the
principles of minimization (article 5.1.c) and finality (article 5.1.b) constitute stones
Angulars of the GDPR, especially when combined with the principle of lawfulness (Article 6 GDPR)
and data protection by design and data protection by default, by
that they fall under the fundamental principles of data protection. Bedroom
Litigation also notes that the complainant has been trying since 2016 to have the
mention of his title of nobility in his administrative documents, without success.
50. However, insofar as Article 83 of the GDPR is not applicable to the authorities
public, the Contentious Chamber considers that a reprimand constitutes the sanction
more appropriate for the past failures mentioned above, and orders for the future the setting
in accordance with the processing with the principles of finality and minimization, by withdrawing the
mention of the title of nobility on the identity card of the complainant.
51. In view of the importance of transparency in the decision-making process
and the decisions of the Litigation Chamber, this decision will be published on the website
of the Data Protection Authority by deleting the data
15Article 83.2.a) of the GDPR
16Article 221 § 2 of the Law of 30 July 2018 on the protection of individuals with regard to data processing
of a personal nature: "Article 83 of the Regulation does not apply to public authorities and their officials or agents.
except in the case of legal persons governed by public law which offer goods or services on a market. »Decision on the merits 37/2021 - 15/15
direct identification of the parties and persons named, whether physical or
moral.
FOR THESE REASONS,
THE LITIGATION CHAMBER
Decide, after deliberation:
- To impose a reprimand
- Order the processing to comply with the principles of finality and minimization, in
removing the mention of the title of nobility from the identity card of the complainant, within
30 days from the notification of this decision
- to order the data controller to inform the Data Protection Authority by e-mail
data (Litigation Chamber) of the result of this decision within the same period via the address
e-mail litigationchamber@apd-gba.be
Under Article 108, § 1 of the LCA, this decision may be appealed against to the
Cour des marchés (Court of Appeal of Brussels) within 30 days of its notification,
with the Data Protection Authority as respondent.
(se.) Hielke Hijmans
President of the Litigation Chamber
