APD/GBA - 37/2021

From GDPRhub
APD/GBA - 37/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 25 GDPR
Type: Complaint
Outcome: Upheld
Decided: 16.03.2021
Published:
Fine: None
Parties: Mrs Y (The Complainant)
Y representing Y1 (Defendant - Public body)
National Case Number/Name: 37/2021
European Case Law Identifier: DOS-2020-00310
Appeal: Unknown
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: Mathieu Desmet

The Belgian DPA (APD/GBA) ordered the defendant (a public institution) to comply with the principles of purpose limitation and data minimization, by removing the mention of the title of nobility from the identity card of the complainant.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant, a member of the nobility (countess) addressed her municipality in order to be able to have her identity card and passport drawn up without the mentioning of her title.

The defendant considered that the claim was not admissible to the extent that the title would, in her view, be an integral part of the name of the complainant and therefore should appear on the identity card as well as on the passport for the purpose of identification.

Dispute[edit | edit source]

Does the mentioning of the title of a member of the nobility on his or her identity card comply with the principles of purpose limitation and data minimization and is there a legal basis (public interest mission) justifying this?

Holding[edit | edit source]

As for the respect of the principles of minimization and purpose limitation (Article 5(1)(c) and Article 5(1)(b) of the GDPR):

The Belgian DPA considers that the indication of the surname, first name, date and place of birth, as well as the complainant's national registry number are sufficient to identify her.

The fact that until 2011, the mention of the title of nobility on the passport was optional furthermore tends to show that the title is not necessary for the identification of the concerned person.

The Belgian DPA further considers that insofar as the identity card is called upon to be used regularly and on a daily basis, it is necessary to be all the more vigilant that only the information which is strictly necessary for identification should appear on it.

As for the legal basis for the exercise of a public interest mission (Article 6(1)(e) of the GDPR):

In the current state of the law, the Belgian DPA notes that there is an uncertainty concerning the obligation or not to display the title next to the name on identity documents.

Although the Royal Decree (RD) of 1822 relating to titles of nobility and qualities remains in effect, the lex specialis, the law of 19 July 1991 relating to population registers, identity, foreigner's cards and residence documents does not mention the title as a mandatory mention on the identity card.

The Belgian DPA is therefore of the opinion that the only useful interpretation which is capable of give full effect to the notion of necessity as required by the case law of the ECHR and of the ECJ is that which consists in qualifying as "necessary for the performance of the mission of public interest", the only data necessary for the purpose of identifying the person concerned.

The mention of the title is not necessary for the fulfillment of the mission of public interest.

Decision:

The Belgian DPA concludes that there is no basis of lawfulness for the processing on behalf of the defendant, and consequently conclude to a breach of Article 6(1)(e) of the GDPR as well as Articles (5)(1)(b) and 5(1)(c) and issues a reprimand to the defendant as well as the order to comply with the aforementioned obligations (principles) set in the GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                                                                                                 1/15








                                                                      Litigation Chamber




                                        Decision on the merits 37/2021 of March 16, 2021





File No .: DOS-2020-00310



Subject: Complaint for refusal to remove the mention of the title of nobility from the documents

identity and other official documents





The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke

Hijmans, chairman, and Messrs Yves Poullet and Christophe Boeraeve, members, taking over the case

in this composition;



 Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of individuals with regard to the processing of personal data and the

free movement of such data, and repealing Directive 95/46 / EC (general regulation on the

data protection), hereinafter GDPR;



Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA);



Having regard to the internal regulations as approved by the House of Representatives on December 20

2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;



took the following decision regarding:



    - the complainant: Mrs X,

    - the defendant: Y, as representative of Y1




    1. Facts and procedural history


      1. In December 2015 and January 2016, the complainant addressed her administration

          municipality in order to be able to have an identity card drawn up without mentioning its title Decision on the merits 37/2021 - 2/15



    nobility (Countess). The defendant considered that the claim was not admissible in

    the extent to which the title would, in her view, be an integral part of the name and must therefore

    appear on the identity card.


2. In September 2016, the complainant applied for a new passport from her municipality. In

    this framework, she chose the option "title of nobility: optional" (her title did not appear

    on previous versions of his passport). However, shortly after his request,

    the municipal administration contacted the complainant to inform her that the title

    must be indicated on the passport.


3. By letter of March 28, 2016, the predecessor of the APD, the Commission for the Protection of

    privacy (CPVP) questioned the defendant (more precisely the general manager of

    the General Directorate of Institutions and Population (DGIP)), on the compulsory nature or

    optional mention of the title of nobility on the identity card.


4. By letter of April 14, 2016, the defendant indicated that the insertion of the title of

    nobility in deeds is mandatory and is therefore mentioned on the identity card

    provided that it is included in the National Register of Natural Persons. To support its

    say, the defendant is based on:


  - Article 1 of the Royal Decree of January 26, 1822 relating to titles of nobility and qualities;


  - the Elementary Treaty of Belgian Civil Law by Professor Henri De Page;

  - the Y2 FAQ.




5. By letter of July 12, 2016, the CPVP replied to the defendant that it was not joining

    not the arguments developed in the letter of April 14, 2016 given that,

    after the Royal Decree of January 26, 1822 relating to titles of nobility and qualities,

    new legislation and decrees which must be taken into account have been adopted, namely:


                    - the law of July 19, 1991 relating to population registers, maps

                        identity cards, foreigner's cards and residence documents and amending

                        the law of August 8, 1983 organizing a national register of persons

                        physical, which specifies in its article 6, § 2, the data which must

                        be mentioned on the identity card, among which are not found

                        not explicitly titles of nobility;




                    - the law of 8 December 1992 on the protection of privacy with regard to

                        processing of personal data which stipulates in its

                        article 4 § 1, 3 ° that “the data must be: (…) adequate, Decision on the merits 37/2021 - 3/15



                          relevant and not excessive in relation to the purposes for which they

                          are obtained and for which they are subsequently processed (…) ”.




   6. On September 30, 2016, the defendant requested the opinion of the Y2 Nobility Council regarding

       to the arguments raised by the CPP. The latter, in its opinion of 18 January 2017, joined the

       arguments developed by the defendant in its letter of April 14, 2016.


   7. The opinion of Y3 was also requested by the defendant on March 8, 2017. The Y3

       agrees with the defendant's position.


   8. On May 9, 2017, the various departments concerned met. At the end of this

       meeting:


    - the Y3 reaffirmed the maintenance of the title of nobility on civil status documents, the title

         nobiliary forming an integral part of the name;


    - according to Y2, the title of nobility must be maintained on passports;

    - the CPVP, for its part, requested the deletion, at the request, of the reference to the title of

         nobility on the identity card.

    No consensus could be reached.




   9. On May 16, 2017, the CPVP by means of a summary note, repeated the arguments

       justifying its position and proposed a solution consisting in systematically indicating the

       title of nobility on the identity card and passport, unless requested by the interested party

       title is not mentioned.


   10. A letter repeating the various arguments formulated by the defendant and rejecting

       reasoned the solution proposed by the CPVP was then sent by the defendant to

       the CPP (dated May 28, 2018), who forwarded it to the complainant on October 18, 2018. The

       letter in question repeats the various arguments formulated by the defendant

       demonstrating that the solution proposed by the CPVP cannot be followed.


   11. By letter of March 24, 2019 addressed to the defendant, the complainant reiterates her request

       removal of the title of nobility from their identity card and passport, and offers three

       solutions.


   12. The complainant also wishes that her title no longer appears on any document issued by

       administration.





2. Legal basis Decision on the merits 37/2021 - 4/15



- Article 5.1.b of the GDPR


“Personal data must be (…) collected for specific purposes,

explicit and legitimate, and not be further processed in a manner incompatible with these

purposes; further processing for archival purposes in the public interest, for research purposes

scientific or historical or for statistical purposes is not considered, in accordance with Article 89,

paragraph 1, as incompatible with the initial purposes (limitation of purposes) "



- Article 5.1.c of the GDPR

"Personal data must be (...) adequate, relevant and limited to what is


necessary with regard to the purposes for which they are processed (data minimization) "



- Article 6.1 .e of the GDPR


"Processing is only lawful if, and insofar as, at least one of the following conditions is

fulfilled: (...) the processing is necessary for the performance of a task of public interest or falling within the

the exercise of public authority vested in the controller '



    3. The arguments of the parties


       13. The defendant argues that the title of nobility is part of the name, and that it must therefore appear

           on identity documents. Any exemption would be subject to legislative amendment. The

           complainant considers conversely that the title is not part of the name, and that it is not

           necessary for its identification.


       14. The defendant emphasizes that certain texts relating to civil status documents impose the

           mention of the title. However, civil status documents and identity documents must necessarily

           use the same information, on the basis of the necessary consistency between the register

           national and civil status registers. Therefore, according to the defendant, the title must

           appear on both civil status documents and identity documents.


       15. The complainant argues that according to the European Court of Human Rights, the "right to

           name "implies the right not to be forced to include any particulars in their name

           which is not part of it (the title). However, the defendant replies that the title is an integral part

           by name.


       16. According to the complainant, the mention of the title is a source of discrimination because it creates

           prejudices in the collective imagination. The defendant replies that the title is not a criterion

           protected constitutive of social origin, within the meaning of the law of May 10, 2007 tending to fight

           against certain forms of discrimination. Decision on the merits 37/2021 - 5/15







     4. Motivation



         As a preliminary point, the Chamber notes that although the provisions of the GDPR mentioned below

         are not included in the submissions of the parties, the Contentious Chamber notes that the

         complaint is brought before it and, therefore, qualifies the legal arguments invoked and related

         the disputed facts included in the complaint with regard to the GDPR, in the context of the dispute brought before

         it and in the context of the competences assigned to it.



         The Litigation Chamber specifies that this decision focuses on the identity card, and

         does not address the passport or other documents issued by the administration (such as the permit

         driving, for example), insofar as only the competence of the

         defendant identity card.


     4.1- As to the mention of the title next to the name on the identity card


       17. In the current state of the law, the Contentious Chamber notes an uncertainty concerning

                                                                                                                 1
            whether or not the title should appear next to the name on identity documents.

            Although the Royal Decree (RD) of 1822 relating to titles of nobility and qualities remains in effect

            application, since it has not been repealed, it seems obsolete. It would seem that the usage has by

            subsequently introduced the insertion of the title on civil status documents. This use is notably

            taken up by the Royal Decree of January 8, 2006 as well as that of February 3, 2019 relating to state acts

                3
            civil, which explicitly mention that the title must be indicated (other legislative texts

            invoked do not comment on the mention of the title).


       18. However, the lex specialis, the law of 19 July 1991 relating to population registers,

            identity, foreigner's cards and residence documents do not mention the title

            as part of the identity card. Its article 6 § 2 indicates in fact:



Ҥ 2. [8 The identity card and the foreigner's card contain, in addition to the signature of the holder,

personal information visible to the naked eye and electronically readable.] 8

  Personal information visible to the naked eye and electronically readable

concern:

  1 ° the name;


  2 ° the first two names;

  3 ° the first letter of the third given name;

  4 ° nationality;



1It should be noted at the outset that this question is different from whether the title is an integral part of the name,

discussed below.
2AR of 8 January 2006 determining the types of information associated with the information referred to in Article 3, paragraph 1, of the Law of
August 8, 1983 organizing a National Register of Natural Persons

3 AR of 3 February 2019 fixing the models of extracts and copies of civil status documents Decision on the merits 37/2021 - 6/15




  5 ° [8 ...] 8 the date of birth;

  6 ° sex;

  7 ° the place of issue of the card;


  8 ° the start and end date of the card's validity;

  9 ° the name and number of the card;

  10 ° the holder's photograph;

  11 ° (...); <L 2004-07-09 / 30, art. 95, 011; In force: 25-07-2004>

  12 ° the identification number of the National Register. "



         Insofar as this law specific to identity cards constitutes the lex specialis, thus


         that under the hierarchy of norms, this law must take precedence over the Royal Decree of 1822.


     4.2- As to the question of whether the title is an integral part of the name


       19. The question of whether the title is an integral part of the name is similarly debated. In

            Indeed, no normative text invoked by the parties is positioned on this subject (the RD

            mentioned above from 1822 only indicates that the title must appear next to the name, without

            make it clear that it is part of it). However, recent case law seems to distinguish

            between title and name.


       20. To the extent that the argument based on the right to a name (invoked by the complainant to reject


            the inclusion in its name of its title) is directly linked to the question of whether the title

            is an integral part of the name or not, and that this aspect does not fall within the competence of

            the Litigation Chamber, this issue is not addressed in this decision.


       21. The complainant also alleges discrimination linked to the mention of her title on her card.

            identity, because of the collective imagination frequently associated with titles of nobility. The

            Litigation Chamber considers that although this does not fall within its direct competence,

            to the extent that the “rules governing the protection of individuals with regard to


            processing of personal data concerning them should (...) respect their

            fundamental rights and freedoms ”, and that in addition the right to data protection

            is a fundamental right, aiming, among other things, to "contribute to the creation of an area of

            freedom, security and justice ”, this argument about discrimination can be taken

            for consideration by the Chamber, a fortiori insofar as the mention of the title is not







4 See in particular the C. App. Brussels, 2020-6638, 01 October 2020, p17-18
5 Recital 2 of the GDPR: "The principles and rules governing the protection of individuals with regard to processing

personal data concerning them should, regardless of the nationality or residence of these persons
individuals, respect their fundamental rights and freedoms, in particular their right to the protection of personal data
staff. This Regulation aims to contribute to the achievement of an area of freedom, security and justice and of a united
economic, economic and social progress, consolidation and convergence of economies within the internal market,
as well as the well-being of natural persons ”. Decision on the merits 37/2021 - 7/15




            necessary for the purpose of the processing pursued for an identity card (as listed

            infra).


     4.3- As for the consistency between the national register and civil status registers



        22. The defendant emphasizes that certain texts relating to civil status documents (the Royal Decrees

            of January 8, 2006 "determining the types of information associated with

            information referred to in article 3 paragraph 1 of the law of August 8, 1983 organizing a register

            national of natural persons "and the Royal Decree of February 3, 2019" fixing the models of extracts

            and copies of civil status documents ") require the mention of the title in civil status documents.

            However, the defendant argues that civil status documents and identity documents must


            necessarily use the same terms, on the basis of the necessary consistency between

            the national register and civil status registers. It also specifies that the intention of the legislator

            to reduce the discrepancies between these registers is all the more clear since the creation of

            the Bank of Civil Status Acts (BAEC) in 2018, one of the purposes of which is to

            update the data of the National Register on the basis of the data it contains. By 6


            Therefore, according to the defendant, the title must appear on both civil status documents and

            on identity documents.


        23. However, although it is sensitive to the need for consistency between the data appearing in

            the BAEC, in the national register and in the population registers, the Chamber

            Litigation, in its role as guardian of the GDPR and other laws relating to protection

            data and privacy, recalls the fundamental importance of respecting the right to


            the protection of personal data. The GDPR thus devotes in the same






6
 Art. 72 of the law of 18 June 2018 laying down various provisions on civil law and provisions to promote
alternative forms of dispute resolution

“The BAEC's mission is:
 1 ° to assist civil status officers and consular agents in the exercise of their legal missions in matters of
establishment and updating of acts and registers of civil status;

 2 ° to guarantee, as an authentic source, the storage, preservation and availability of all acts of the State
civil included in the BAEC, without affecting the legal missions of the National Register as an authentic source of
identification data of natural persons;

 3 ° to provide a service to citizens, wherever they are;

 4 ° to simplify administrative procedures via the obligation to reuse documents and data available in the
BAEC;
 5 ° to assist the judiciary in the exercise of its missions;

 6 ° to provide for a central and uniform control at the level of the establishment and conservation of acts, as well as the
issuance of extracts and copies thereof;

 7 ° to allow the application of international treaties and agreements in matters of civil status;

 8 ° to allow the establishment of global and anonymous statistics relating to civil status;
 9 ° to ensure the conservation of civil status documents until the moment of their transfer to the [1 General Archives of the Kingdom
and State Archives in the Provinces] 1;

 10 ° to provide for simultaneous updating of the data in the National Register on the basis of the data listed in the
BAEC. »Decision on the merits 37/2021 - 8/15



       Article 25 (Data protection by design and data protection by default)

       than :


“1- Taking into account the state of knowledge, the costs of implementation and the nature,

scope, context and purposes of the processing as well as the risks, including the degree of probability

and of varying severity, which the processing presents for the rights and freedoms of individuals,

the controller implements, both when determining the means of

processing that at the time of the processing itself, technical and organizational measures

appropriate, such as pseudonymization, which are intended to implement the principles

relating to data protection, for example data minimization, in order to


effective and to provide the processing with the necessary guarantees to meet the requirements of the

this Regulation and to protect the rights of the data subject.

2- The data controller implements the technical and organizational measures

appropriate to ensure that, by default, only personal data that is

are necessary for each specific purpose of the processing are processed.


This applies to the amount of personal data collected, to the extent of their

treatment, their shelf life and accessibility. In particular, these measures

ensure that, by default, personal data is not made accessible

to an unspecified number of natural persons without the intervention of the natural person

concerned. ”


    4.3.1- As regards respect for the principles of minimization and finality (article 5.1.c. and article

    5.1.b of the GDPR)

  24. In its capacity as data controller, the defendant is required to respect the

       data protection principles and must be able to demonstrate that these are

       respected (principle of responsibility - article 5.2. of the GDPR). She must, moreover, always


       in his capacity as data controller, implement all the necessary measures

       for this purpose (article 24 of the GDPR). Article 5.1.b) of the GDPR enshrines the principle of finality,

       either the requirement that the data be collected for specific, explicit purposes

       and legitimate and are not further processed in a manner inconsistent with these

       purposes. It is in terms of the finality that other principles may also apply

       devoted to Article 5 of the GDPR including the principle of minimization, according to which only

       adequate, relevant and limited data to what is necessary for the purpose

       may be processed (article 5.1.c) of the GDPR).


  25. In other words, each processing of personal data pursues its purpose

       clean. Treatment carried out as part of a family composition document or

       election convocation does not pursue the same purpose as processing carried out under Decision on the merits 37/2021 - 9/15




           an identity card. The purpose pursued in this context of the identity card is

           in the identification of the person concerned.


       26. In application of the principle of finality, the Litigation Chamber is of the opinion that the logic

           of a concordance between the national register and civil status documents does not imply that the

           The complainant's title must appear on her identity card. Indeed, the fact that the title of the

           complainant is included in the BAEC does not imply that each document whose data

           are generated on the basis of the BAEC must necessarily include exhaustively the


           data present in this database. As indicated above, the data included

           BAEC should be selected according to the purpose of the document generated (and

           also keeping in mind the principle of minimization - see next point -). This

           applies a fortiori to the identity card, a document used on a regular basis and for

           diverse in everyday life.


       27. The notion of necessity is also included in Article 6.1.e of the GDPR, which provides

           that "the processing is necessary for the performance of a task of public interest or relevant

           of the exercise of public authority vested in the controller ”(we

           underline). This notion of necessity must be read in conjunction with the principle of

           data minimization (5.1.c of the RGPD -cf supra-), which must be "adequate,


           relevant and limited to what is necessary in relation to the purposes for which they

           are processed ”. The purpose of the mentions of personal data on documents

           identity and civil status documents is the identification of the person concerned. It suits

           therefore to question the extent to which the mention of the title is necessary to

           the identification of the complainant.


       28. The CJEU recalled in its Huber judgment that the notion of necessity is a “notion

           independent of Community law which must be interpreted in such a way as to

           fully subject to this directive as defined in Article 1 (1) of that directive

           this. "(§52).


       29. She also stressed that "(...) it is the responsibility of the authority responsible for a register [...] of

           ensure that the stored data is, where appropriate, updated, so that,


           on the one hand, they correspond to the actual situation of the people concerned and, on the other hand

           part, that the superfluous data be deleted from said register. »(§60) (emphasis added)


       30. This case-law, formulated admittedly in the light of Article 7 of Directive 95/46 / EC, is valid

           for all the bases of lawfulness which retain this condition of necessity. She remains

           relevant today even though Directive 95/46 was repealed since this




7
 Compliance with this article of the processing in the present case is examined below in points 36 et seq.
8CEDH, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, December 16, 2008 Decision on the merits 37/2021 - 10/15




           condition of necessity is maintained under Article 6.1 b) to f) of the GDPR. The article

           6.1 of the GDPR replaces Article 7 of the Directive, without the relevant provisions being

           modified.


       31. The Article 29 Group also referred to the case law of the ECHR for

           identify the requirement of necessity and concludes that the adjective "necessary" thus does not have the


           flexibility of terms such as "permissible", "normal", "useful", "reasonable" or
                          10
           "Timely".


       32. The Litigation Chamber considers that the indication of the surname, first name, date and place of

           birth, as well as the complainant's national registry number are sufficient to identify her.

           The fact that until 2011, the mention of the title of nobility on the passport was optional

           furthermore tends to show that the title is not necessary for the identification of the

           concerned person.


       33. The Contentious Chamber further considers that it is necessary to distinguish, during the assessment

           the need for the mention of the title of nobility, the identity card, in that it is a


           document required and used daily on a regular basis, civil status documents (such as

           family composition for example). Insofar as the identity card is called upon to be

           used regularly on a daily basis, it is necessary to be all the more vigilant that there is

           only the information strictly necessary for identification.


       34. The Contentious Chamber considers that the mention of the title of nobility, in any case

           cause, on the identity documents, is not a strictly necessary

           identification, and is therefore superfluous. Based on the principle of minimization (article

           5.1, c) of the GDPR), the title does not have to appear on the identity card.



       35. Abundantly, and without taking a position as to whether the title is part

           integral part of the name or not, the Litigation Chamber notes that the Royal Decree of 1822 relating to

           titles of nobility and qualities, requiring that the title be indicated next to the name (which

           indicates that the title of nobility is not the name but a complement to it), poses

           question under Article 5.1, c) of the GDPR (minimization principle).


         4.3.2- As to the legal basis for the exercise of a public interest mission (Article 6.1.e of

         GDPR)


       36. It is not disputed that there is indeed a processing of personal data in

           the head of the defendant. Insofar as the processing in question is carried out by the





9Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the data controller
data within the meaning of Article 7 of Directive 95/46 / EC, WP 217.
10
  ECHR, March 25, 1983, Silver and others v. United Kingdom, para 97. Decision on the Merits 37/2021 - 11/15



    defendant in its capacity as an organ of the Belgian State, it is appropriate to wonder on the basis

    lawfulness of the processing and its compliance with Article 6.1.e of the GDPR.


37. The Contentious Chamber considers that the assessment by a data controller of the

    lawfulness of the processing carried out on the basis of its public interest mission (which, as a reminder, must be

    "Necessary for the performance of a mission of public interest or relating to the exercise of

    the public authority vested in the controller) cannot be detached from the

    purpose of the processing concerned, in this case, the identification of the person

    concerned.


38. To assert the contrary would amount to exempting the controller from any examination

    the relevance of the data processed, even though the implementation of this principle

    founder of data protection provided for in Article 5.1.c) of the GDPR comes to him in his

    quality of data controller.


39. The Contentious Chamber is of the opinion that the only useful interpretation which is capable of

    give full effect to the notion of necessity as required by the case law of the ECHR and

    of the CJEU is that which consists in qualifying as "necessary for the performance of the mission

    of public interest ", the only data necessary for the purpose of identifying the person

    concerned. The mention of the title is not necessary for the fulfillment of the mission

    of public interest. Therefore, the Contentious Chamber concludes that there is no

    basis of lawfulness for the processing on behalf of the defendant, and consequently to


    a breach of Article 6.1.e of the GDPR.

  4.3.3- As to the "opt out" system proposed by the complainant


40. The complainant also proposes an "opt-out" system, in which a holder of a

    title of nobility could request that the title be removed from their identity documents

    and civil status documents. In the absence of a request, the title would be indicated systematically. The

    defendant rejects this proposition, arguing, in its conclusions, that it cannot

    operate on an individual basis and that the same regime must be applied to all holders

    of a noble title, at the risk of undermining the principles of legality, equality, and therefore

    legal certainty.


41. It emerges from a reading of the letter of May 28, 2018 from the Respondent to the APD (Exhibit 8 of

    the defendant) that the costs of adapting the defendant's computer system

    in order to automatically withdraw the title of nobility, in the event of such a request,

    would be too high for an individual request. If the Litigation Chamber is sensitive

    to this argument, it nevertheless recalls that the Court of Markets previously considered that

    the argument made by a bank of the technical difficulties and costs to adapt a


    computer program by inserting an acute accent on a customer name is not

    relevant. The Court also indicates that the computer programs used must comply with Decision on the merits 37/2021 - 12/15




            to the requirements of the GDPR. It is reasonable to think that this reasoning would apply

            all the more so under the title of nobility.


       42. In any event, the aforementioned letter of 28 May 2018 from the defendant refers to


            also the possibility of a one-off manual modification in the file (s) concerned,

            but reject this way of proceeding because the risk of error and forgetting would be too great. Gold,

            particularly in view of the defendant's indication that, on the date of the letter,

            the only holder of a nobiliary title who has made such a request is the complainant, the

            risk of error linked to manual manipulation in the computer system appears to be low.


       43. The Contentious Chamber finally underlines that although it does not consider it necessary in the


            case in point that the defendant adapts its computer system to allow

            automatic withdrawal of the title of nobility, she recalls that a technological obstacle, according to the

            context and as far as is reasonable and proportional, cannot prevent the exercise

            one of his fundamental rights by a data subject.


     44. For the sake of completeness and in view of the technical arguments raised by the defendant,

         the Contentious Chamber draws the attention of the defendant to the necessary respect of the


         data protection by design and data protection by default, based on
                                 12
         Article 25 of the GDPR. These concepts are among the cornerstones of the GDPR and the

         responsibility which is at the heart of it, in article 5.2 in conjunction with article 24 GDPR. They

         are contained in article 25 of the AVG mentioned above and are explained in more detail in

         recital 78 GDPR. The defendant therefore has the obligation to adopt the "measures


         appropriate technical and organizational to ensure that, by default, only data

         of a personal nature which are necessary for each specific purpose of the

         treatment are processed ”in addition to having incorporated such measures from the design stage.


       45. In its Guidelines 4/2019 on data protection by design and

            data protection by default, the EDPB specifies that article 25.1 GDPR implies that

            data controllers must take data protection into account from the


            design and protect data by default at an early stage when planning a


11C. App. Brussels, 2019/7537, 09 October 2019, p15

12 Art. 25 GDPR:

1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and
the purposes of the processing as well as the risks, varying in probability and severity, that the processing presents for
the rights and freedoms of natural persons, the controller implements, both at the time of determining
the means of processing that at the time of the processing itself, appropriate technical and organizational measures,
such as pseudonymisation, which are intended to implement the principles relating to data protection, for example

example the minimization of data, effectively and to match the processing with the necessary guarantees in order to meet
to the requirements of this Regulation and to protect the rights of the data subject.
2. The controller implements the appropriate technical and organizational measures to ensure that,

by default, only the personal data that are necessary for each specific purpose of the processing
are processed. This applies to the amount of personal data collected, to the extent of their processing, to their
shelf life and accessibility. In particular, these measures ensure that, by default, data of a
personnel are not made accessible to an unspecified number of natural persons without the intervention of the person
physical concerned. Decision on the merits 37/2021 - 13/15




           new treatment. Data controllers must implement the protection

           data from design by default before processing, and also continuously to

           duration of treatment, regularly reviewing the effectiveness of the chosen measures and

           guarantees. These same principles also apply to existing systems that deal with

           personal data. In other words, the protection of their data


           personal data is inherent (integrated) in the processing.


       46. The CJEU has also underlined the importance of these concepts in its case law and, in

           particularly in its Digital Rights Ireland judgment according to which the essence of Article 8 of the

           Charter of Fundamental Rights of the European Union requires technical measures

           and organizational are taken to ensure that personal data

           are effectively protected against any risk of misuse and against any access

           and any unauthorized use. 14


    5. Corrective measures and sanctions


       47. On the basis of the above analysis, the Contentious Chamber considers that by refusing to make


           following the complainant's request to withdraw the mention of her title of nobility on her

           identity card, the data controller violated Article 5.1.c, 5.1.b and 6.1.e of the RPGD.


       48. Under Article 100 LCA, the Litigation Chamber has the power to:


    1 ° dismiss the complaint;


    2 ° order the dismissal;


    3 ° pronounce a suspension of the pronouncement;


    4 ° propose a transaction;


    5 ° issue warnings or reprimands;


    6 ° order compliance with the requests of the person concerned to exercise these rights;


    7 ° order that the person concerned be informed of the security problem;


    8 ° order the freezing, limitation or temporary or definitive prohibition of processing;


    9 ° order that the processing be brought into conformity;


    10 ° order the rectification, restriction or erasure of the data and the notification thereof


    ci to data recipients;





13
  EDPB, Guidelines 4/2019 on Article 25, Data Protection by Design and by Default, Version 2.0, Adopted on 20 October 2020,
p 4
14CJUE, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, para. 40 and 66-67. Decision on the merits 37/2021 - 14/15




    11 ° order the withdrawal of accreditation of certification bodies;


    12 ° give periodic penalty payments;


    13 ° issue administrative fines;


    14 ° order the suspension of transborder data flows to another State or an organization

    international;


    15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences


    data on file;


    16 ° decide on a case-by-case basis to publish its decisions on the website of the Protection Authority

    Datas.





       49. It is important to contextualize the breach of Articles 5.1.c, 5.1.b and 6.1.e of the GDPR

           on the other hand, with a view to identifying the most appropriate sanctions and / or corrective measures.

           In accordance with Article 83 of the GDPR, administrative fines must be

           "Effective, proportionate and dissuasive". To this end, it is particularly advisable to keep

           account for "the nature, seriousness and duration of the violation". As indicated above, the

           principles of minimization (article 5.1.c) and finality (article 5.1.b) constitute stones


           Angulars of the GDPR, especially when combined with the principle of lawfulness (Article 6 GDPR)

           and data protection by design and data protection by default, by

           that they fall under the fundamental principles of data protection. Bedroom

           Litigation also notes that the complainant has been trying since 2016 to have the

           mention of his title of nobility in his administrative documents, without success.


       50. However, insofar as Article 83 of the GDPR is not applicable to the authorities

           public, the Contentious Chamber considers that a reprimand constitutes the sanction

           more appropriate for the past failures mentioned above, and orders for the future the setting


           in accordance with the processing with the principles of finality and minimization, by withdrawing the

           mention of the title of nobility on the identity card of the complainant.


       51. In view of the importance of transparency in the decision-making process

           and the decisions of the Litigation Chamber, this decision will be published on the website

           of the Data Protection Authority by deleting the data







15Article 83.2.a) of the GDPR

16Article 221 § 2 of the Law of 30 July 2018 on the protection of individuals with regard to data processing
of a personal nature: "Article 83 of the Regulation does not apply to public authorities and their officials or agents.
except in the case of legal persons governed by public law which offer goods or services on a market. »Decision on the merits 37/2021 - 15/15




           direct identification of the parties and persons named, whether physical or

           moral.





FOR THESE REASONS,


THE LITIGATION CHAMBER


Decide, after deliberation:


- To impose a reprimand

- Order the processing to comply with the principles of finality and minimization, in

    removing the mention of the title of nobility from the identity card of the complainant, within

    30 days from the notification of this decision

- to order the data controller to inform the Data Protection Authority by e-mail

    data (Litigation Chamber) of the result of this decision within the same period via the address

    e-mail litigationchamber@apd-gba.be


Under Article 108, § 1 of the LCA, this decision may be appealed against to the

Cour des marchés (Court of Appeal of Brussels) within 30 days of its notification,

with the Data Protection Authority as respondent.






(se.) Hielke Hijmans

President of the Litigation Chamber