APD/GBA - 61/2020

From GDPRhub
APD/GBA - 61/2020
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 08.09.2020
Published: 08.09.2020
Fine: None
Parties: n/a
National Case Number/Name: 61/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: BE DPA (in NL)
Initial Contributor: n/a

The Belgian DPA (APD/GBA) held that an environmental regulation enforcement agency violated Article 5 and 6 GDPR by disclosing the name of a complainant's flatmate, and their familial relationships in a decision addressed towards the complainant for littering.

English Summary[edit | edit source]

Facts[edit | edit source]

An enforcement authority competent for environment established violation of regional regulations on littering by the first complainant. In the Decision, the agency state that the first complainant is living together with the second complainant, as well as that the third complainant is the father of the second complainant. According to the complainants, these personal data are not necessary to issue the decision, and therefore infringements of the legislation on personal data protection. More specifically, the consultation of the personal data of the complainants in the National Register is also questioned by the 3 complainants.

Dispute[edit | edit source]

Holding[edit | edit source]

While the consultation of the National Register and the subsequent processing of data of complainants 1 and 3 was justified, the mention of the name and family relationships of complainant n°2 with the two other complainants was not justified and therefore not compliant with article 5 and 6 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Page 1
Dispute chamberDecision on the merits 61/2020 of 8 September 2020File number: DOS-2019-04058Concerns: complaint about the unlawful processing of personal dataconsultation in the National Register by an institution of public interestThe Disputes Chamber of the Data Protection Authority, composed of Mr HielkeHijmans, chairman and Messrs. Jelle Stassijns and Christophe Boeraeve, members;Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016on the protection of natural persons with regard to the processing ofpersonal data and on the free movement of such data and repealing Directive95/46 / EC (General Data Protection Regulation), hereinafter GDPR;In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafterWOG;Having regard to the rules of internal procedure, as approved by the Chamber ofRepresentatives on December 20, 2018 and published in the Belgian Official Journal onJanuary 15, 2019;Considering the documents in the file;.
Page 2
Decision on the merits 61/2020 - 2has taken the following decision regarding:1. Mrs. X1, hereinafter “the first complainant”, Mr. X2, hereinafter “the second complainant” and Mr. X3, hereinafter “thethird complainant ”, or hereinafter jointly as“ the complainants ”and,2. Y1. Facts and procedureFacts1. On July 23, 2019, the Data Protection Authority receives a complaint from the three complainants.2. The complaint can be summarized as follows. Pursuant to one by the defendant - asenforcement authority - established violation of regional regulations 1 withregarding illegal dumping by the first complainant, the defendant had the personal dataconsulted and continued to use the National Register with regard to the first complainant. In theDecision of Mr Director General of the defendant following the infringements of theOrdinances […] (hereinafter: “ the Decision ”) state that the first complainant is living togetherwith the second complainant, as well as that the third complainant is the father of the second complainant.According to the complainants, these personal data are not necessary for the implementation of thelegal orders of the defendant, and therefore infringements of the legislation onpersonal data protection. More specifically, questions are asked during the consultation (s)of the personal data of the complainants in the National Register.Procedure3. On August 8, 2019, the Primary Care Service declares the complaint admissible on the basis of Article62, §1 WOG.4. On 23 August 2019, the Disputes Chamber will decide in accordance with Article 95, §1, 1 ° and Article98 WOG that the file is ready for consideration on the merits.1 This concerns the Ordinance of 14 June 2012 (Brussels-Capital Region) on waste, BS 27 June 2012,hereinafter ' the first Order' and the Order of 25 March 1999 (Brussels-Capital Region) containing theCode of prevention, determination and punishment of environmental crimes, and environmental liability, BS June 24, 1999, hereafter" the second Ordinance" ; together the first Ordinance and the second Ordinance are hereinafter referred to as' theOrdinances' .
Page 3
Decision on the merits 61/2020 - 35. By registered letter of 23 August 2019, the complainants and the defendant will be notified of theinformed of the aforementioned decision of the Disputes Chamber. Also included in this letterthe closing deadlines communicated to the parties in accordance with Articles 98 and 99 of the WOG.The Disputes Chamber asks, among other things, in particular about the position of thepartieswithrelationuntilthetwonext onepoints:- whether or not the personal data were requested from the National Register and on the basis ofwhat authorization this possible access, and subsequent retrieval of personal data,took place;- the principle of minimum processing of personal data (Article 5 (1) point c) GDPRtested against the processing of personal data that was carried out in the context ofthe Defendant's Decision;The defendant's defenses6. On September 27, 2019, the defendant will submit its conclusion to the Dispute Chamber.A copy is sent by the defendant to the complainants by registered mail.7. The defendant points out that on 14 September 2018 there were several infringements of the firstOrdinances were established, after which an official report was drawn up.In accordance with the second Ordinance, the first complainant, according to the findingof the defendant committed the infringements of the first Order, written to with acopy of the official report establishing the aforementioned violations and “an invitation topay the costs of disposal of the waste in accordance with the applicable scheme. "8. This letter was addressed to the first complainant by registered letter after a search bythe defendant in the National Register, in order to be able to complete and correct the first complainantand in order to be able to write to her at the correct address.9. On November 12, 2018, according to the defendant, the official report was returned to the firstcomplainant, as there had been no reply to the registered letterof the defendant.10. On the registered letter, nor on the ordinary letter dd. November 12, 2018, aanswer of the first complainant. At the same time it was decided by the defendant,in accordance with the provisions of the second Ordinance, for an administrative fineto impose on the first complainant.
Page 4
Decision on the merits 61/2020 - 411. On 5 March 2019, the defendant performed a second search in the National Register, from whichit appeared that the name of the first complainant had been changed and that she was no longer residentat the same address where the defendant had the first complainant the first timeswritten to.12. The defendant then sent a registered letter to the first complainant, with theinvitation to submit defenses in the proceedings before the defendant.The defendant received a reply signed by the third complainant. Thisresponse, according to the defendant, was given to her “without justification of anyrepresentative mandate, in which [the third complainant] accepts it, based on his titleretired [police] commissioner, committed to formulate a dispute on the merits onbased on the use of languages ​​of administrative affairs on the one hand and the denial of the factson the other hand."13. The defendant then communicated with the third complainant, acting on behalf of the first complainantcorresponded, but had not submitted a representative mandate for this. It isafter the occurrence of that correspondence that the decision was made by the defendanttaken, referring to the second and third complainants, and one possiblefamily relationship between the latter two.14. The defendant points out that it is important - in the context of its sanctioningpowers - that its employees have access to certain personal data in theNational Register. The defendant also points out that in the present case this access is limited to informationSuch as surname, first name, date of birth, nationality, address of legal residenceand the family composition […] ”15. The defendant also states that he “is unable to conduct a less intrusive search [inthe National Register] ” . The family composition is found in a search thatis necessary for a search within the framework of the aforementioned powers regarding thecombating illegal dumping, always mentioned in a search. The defendant confirms thisthe personal data of the first complainant in the National Register are divided into twotimes were consulted, namely on September 17, 2018 and on March 5, 2019.16. The mention of the names and first names of the second and third complainant by thedefendant are the result of the intervention of the third complainant, according to the defendant.The defendant argues that the personal data of the third complainant “by the data subject himselfprovided to the defendant ” . This was the indication of the surname and first nameof the third complainant in the Decision “ necessary ”. In addition, the
Page 5
Decision on the merits 61/2020 - 5name and first name of the second complainant in the Decision from the consultation of thepersonal data of the first complainant in the National Register. Collecting that datathe defendant calls in its conclusion “an unfortunate but necessary consequence of theinvestigation into [the first complainant]. It does not therefore infringe the principle ofminimal data processing as imposed in Article 5 [GDPR] ”17. Citing a possible family relationship between the second and third complainant, in their viewbearing the same name does not follow “ from a specific data collection ”, states thedefendant. The indication of that possible family connection in the decision is according to thedefendant “just an assumption in a statement of reasons which is certainly diligent, but de factodoes not harm the privacy of the [complainants]. ”18. The defendant states that it follows from its defense “that the processing of personal datais legally justified by the defendant, proportionate and compatible with the principleof data minimization as stipulated in Article 5 (1) (c) of the [GDPR]. Thethe complaint is therefore unfounded. "The statement of reply of the complainants19. The complainants' reply states first of all that both the communication ofthe Data Protection Authority, as that of the (representatives of) the defendant,does not contain the statement 'PERSONAL - CONFIDENTIAL', something according to the complainants"Inherent in the confidential content of personal data." In addition, theenvelopes used by the defendant to submit its initial claimBe “of inferior quality ”. The complainants do not provide any visual or any kind with their conclusiondocumentary evidence in this regard. The complainants also have reservations about the request of thecounsel for the defendant defendant for acknowledgment of receipt of its documentsto be delivered by e-mail, “without, however, stating whether he has a sufficiently securedconnection. ”20. Next, the complainants question whether they are adequately protectedpersonal dataanditto respectfromthebasicsregardingpersonal data processing by the defendant's counsel.21. The complainants further point out the possible further dissemination of the personal datathe Decision, including in appeal procedures, as well as the inadequately motivated purposefor which the processing of the said personal data takes place. Also the inaccuracyof the processed personal data constitutes a breach of the provisions for the complainants
Page 6
Decision on the merits 61/2020 - 6in the GDPR. This is especially the case with regard to the incorrect address of the first complainant ”atthe moment of the facts and the defendant's findings ” , and in addition for thealleged family relationship between the second and third complainant. The latter was not possible withcertainty is evidenced by the defendant's search of the first complainant in theNational register, the complainants said.22. Finally, the complainants point out that the documents attached to the statement of defense of thedefendant contain personal data, in particular of the first complainant, which is not strictnecessary for the defense put forward.23. Quite a number of other elements cited by the complainants in theirThe Dispute Resolution Chamber does not consider it relevant to the handling of the replythe present file by the Data Protection Authority, where the facts stated in thecomplaint relate to. For example, it is about respecting itdue diligence by the defendant and the duties and identification of its agents andother servants in the exercise of the defendant's powers underthe Ordinances.24. In particular, the Disputes Chamber leaves all new elements in the complainants' replydisregarded:o given that in this file the complainants' complaint is clear and formally conclusivewas formulated;o given that the Disputes Chamber was arrested in accordance with Article 92, 1 ° WOG and hasdecided on the basis of Article 94, 3 ° WOG to handle the complaint without theTo summarize inspection service;o given that it is the intention of the legislator in accordance with article 98 WOG that theparties can properly defend themselves regarding the elements of the file - thesubstantive scope is by definition limited to the content of the complaint;o seen on the basis of the foregoing considerations, it is not just substantiveit is undesirable to deal with the new elements in the reply claims -because of the large number of new elements and the prima facie limited burden of proofdue to the lack of any additional documents and the involvement of otherscontrollers - but also in the given circumstancesprocedurally it is not desirable to expand the scope of the file to such an extent;
Page 7
Decision on the merits 61/2020 - 7o given that the complainants are free to submit a new complaint or new complaintsto the Data Protection Authority if they feel they have been violated in therights over which the Data Protection Authority exercises supervision.25. The Disputes Chamber hereby recalls its earlier decision 17/2020 2 . where theyexplains that, in principle, the Disputes Chamber is not bound by the content of the complaint,as some conditions are met. Those conditions do not arise here.The reply of the defendant26. The defendant's statement of reply largely repeats the elements from theConclusion of answer. In principle, the defendant argues that the GDPR is based on the factsto which the complaint relates does not apply:As your Authority will have determined from aboverepresentation of the legal framework, the defendant in the present disputeacted with a view to enforcing criminal law regulations.In accordance with Article 2, §2, d) of the GDPR, the Regulation does not applyto the processing of personal data by the competent authorities for the purposeon the prevention and detection of criminal offenses, on investigation and prosecutionin matter or on the execution of penalties, including theprotection against and prevention of threats to public security. ”27. Furthermore, the defendant responds to what was stated by the claimants in the replyregarding substantive and procedural aspects that are not relatedon the elements stated in the complaint. With regard to those elements, thedefendant that there is some breach of data protection legislationcommitted.2 GBA Disputes Chamber, Decision on the merits 17/2020 of 28 April 2020, paragraphs 20-35 of the decision.
Page 8
Decision on the merits 61/2020 - 82. Justification2.1Procedural elements in this file and the competence of theDisputes Chamber (Article 100 WOG)28. Although the Disputes Chamber has already stated that a number of elements in the conclusion ofreply of the complainants are not relevant to the handling of the present complaintto explain a number of matters to the Disputes Chamber, in order to ensure the proper progress of theprocedure. Also with regard to the alleged lack of competence of theThe Disputes Chamber cited by the defendant will inform the Disputes Chamber below with an andanother.2.1.1. Language of the procedure and the course of the procedure29. The language of the proceedings that the Data Protection Authority - including the Dispute Chamber- used in this file is Dutch, in accordance with Article 57 of the WOG. Thisdoes not prevent evidence from being lodged with the Dispute Chamber byone or more parties, in another national language or in English.30. Without hic et nunc to determine whether or not there are breaches of the GDPR and other relevantlegislation regarding personal data protection have been committed by thethe defendant on the basis of the present file following a complaint, underlines theDisputes Chamber that the defendant is entitled to a fair course of the proceedings (withincluding the acts by its representatives, in this case a lawyer); pursuant toArticle 98 of the WOG, the defendant has the right to submit defenses to theLitigation chamber. 331. In this sense, reference can be made to the documents submitted by the defendant to the Disputes Chamberhave been transferred and added to the file. Those pieces were used as evidence for thattaking the Decision that is the subject of this complaint. Indeed,the documents contain a number of personal data, such as the surname, first name, addressand financial data. Transferring the aforementioned pieces also creates aprocessing of personal data within the meaning of Article 4 (2) GDPR.32. However, the Disputes Chamber cannot accept any abuse in this context, let alone a blatant abuse,establish the rights of the complainants during the proceedings on the merits in the present3 Article 98, 2 ° WOG.
Page 9
Decision on the merits 61/2020 - 9procedure, in the sense that there is an unlawful processing of personal data of thecomplainants or third parties. Processing of personal data thattake place during - and as part of - a treatment on the merits of a fileat the Dispute Chamber of the Data Protection Authority, are by definition not partout of the complaint that is the basis of that file or of the contents of the file. TheThe Disputes Chamber will therefore not proceed further in the context of the integrity of the proceedingscomment on the complainants' allegations in their reply to this effect,as explained above.33. For the sake of completeness, the Disputes Chamber wishes to highlight that the submission ofdefendant's defendants have a certain discretionary assessment for that partyentails, in the sense that the defendant can decide for itself which documents it wishes to receiveto her file, as long as this is considered necessary in the context offair trial. 4 This also applies to the other parties to the proceedings.2.1.2. The scope of the GDPR and the jurisdiction of the Disputes Chamber34. In principle, the defendant argues that the GDPR would not apply in thisfile, given that the defendant in the present dispute would have acted “with a view toenforcing compliance with criminal law regulations. " The defendant refers to Article2,member2,pointd)AVG.35. For the sake of completeness, it can be noted that in accordance with Article 55 (3) GDPR and Article4, §2, first paragraph WOG, the Data Protection Authority is not competent to superviseprocessing by courts in the exercise of their judicial functions. This does not meanthat the GDPR does not apply to the activities of courts and judiciaryauthorities. 536. Next, it is possible to consider what the defendant puts forward in concrete terms , namelythe applicability of Article 2 (2) point d) GDPR, which reads as follows:“2. This Regulation does not apply to the processing of personal data:(…)(d) by the competent authorities for the purposes of prevention, investigation,4 Article 98, 3 ° WOG - the parties are informed of “the possibility to obtain any documents they consider useful in thefile. ”5 Recital 20 GDPR.
Page 10
Decision on the merits 61/2020 - 10investigation and prosecution of criminal offenses or the execution of criminal penalties, withincluding protection against and prevention of dangers to the publicsafety."37. Recital 19 GDPR clarifies that there is a special regulation in force in this contextthe form of a European directive. 6 This Directive is in Belgian national lawimplemented by the Law of July 30, 2018 on the protection of natural resourcespersonswithrelationuntiltheprocessingfrompersonal data). 738. Article 26, 7 ° Data Protection Act exhaustively defines the competent authorities in thisbox listed. The defendant, including its employees, are not among theauthorities competent in this regard within the meaning of Article 2 (2) point d) GDPR. Whichcertain officials of the defendant under Article 5, §2 of the Second Ordinanceare appointed to give them the capacity of officers of the judicial police,after all, does not mean that the aforementioned officials are part of the police services. 839. Finally, it can be stated that the defendant is authorized to act in specificcircumstances to consult the National Register. 9 This is set out in a RoyalDecree, which also sets out the conditions of access to the National Register. 10 Dieauthorization is thus granted to the defendant as a government agency. 11 The provisionsof the GDPR and the provisions of the National Register Act that the Disputes Chamber considers relevantfor the assessment of this file, therefore apply in full to the defendant.40. Pursuant to Article 4 of the WOG, the Data Protection Authority is competent for supervisionto adhere to the “laws containing provisions on the protection of processingof personal data. " Considering there is no other supervisory authority competent in this caseis under current legislation, and given no competence in this particular one6 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of naturalpersons in connection with the processing of personal data by competent authorities for the purpose of prevention, theinvestigation, detection and prosecution of criminal offenses or the execution of criminal penalties, and on freedommovement of such data and repealing Council Framework Decision 2008/997 / JHA.7 BS 5 September 2018, hereinafter: Data Protection Act.8 Police services within the meaning of Article 2 of the Law of 7 December 1998 on the organization of an integrated police force,structured on 2 levels (BS January 5, 1999).9 In this Decision, “the National Register” means: the information processing system within the meaning of Article 1 of theLaw of 8 August 1983 regulating a National Register of natural persons, BS April 21, 1984 (hereinafter: LawNational Register).10 Royal Decree authorizing Y to have access to the information data of the National Register of thenatural persons, (hereinafter: Royal Decree Y).11 The defendant concerns an institution of public utility in accordance with Order establishing Y.
Page 11
Decision on the merits 61/2020 - 11context is removed from the Data Protection Authority, it is the competent onesupervisory authority. 122.2The lawfulness of the processing of personal data,obtained after consulting the National Register (Article 6 (1) GDPR)2.2.1. Access to and use of personal data from the National Register41. The Disputes Chamber has already expressed its opinion in a case that related to a consultationof the National Register. 13 Here, however, the complaint concerned the lawfulness of the consultation ofthe National Register itself. In the present case, the complaint concerns a processing ofpersonal data, whereby the initial consultation of the data of the first complainantthe National Register was admitted under the prevailing regulations and authorizations.42. The Disputes Chamber wishes to explain all this in this sense, in order to avoid anyto remove any ambiguity in this regard.43. Article 5, §1 of the National Register Act stipulates that the Minister of the Interior is competentis to authorize, inter alia, public institutions under Belgian lawsuch as the defendant, to have access to the "information data" in the National Register.This is especially relevant for information data that such institutions are authorized to useknow by virtue of a legislative document such as an ordinance. 14 At the time of theauthorization given to the defendant, the National Register Act stated that theKing who granted this authorization. 1544. Article 1 of Royal Decree Y specifies that it is the defendant's Director-General whohas access to the National Register, and any staff member of the defendant who is authorized by theDirector-General is designated by name and in writing, on the basis of her or his position andwithin the limits of their respective competences.12 Article 4, §2, second paragraph of the WOG.13 GBA Disputes Chamber, Decision on the merits 19/2020 of 19 April 2020.14 Article 5, §1, 2 ° Law - for the legal basis, both the first Ordinance and the secondOrdinance.15 KB Y.
Page 12
Decision on the merits 61/2020 - 1245. According to Article 3 of the Royal Decree Y, the defendant must annually “to the Commission for theprotection of privacy ”provide a list of the designatedpersons for consultation of the National Register. The defendant has come to its conclusionsattached a document containing a list which was submitted to the Commission for theprotection of privacy (hereinafter: CPP) and dates from 1 February 2018.46. ​​The Data Protection Authority no longer has any powers that pertainauthorizations, or deliberations, to grant access to the National Register. ThereIn this respect it can be pointed out that the Royal Decree Y was not brought into conformitywith the GDPR - which focuses on the processing responsibility - as well as with the LawNational Register. For the sake of completeness, it can also be mentioned that theInformation Security Committee is not competent when other regulatory standards require theregulates access to personal data in government databases and applications. 16 This is inthis is the case, given Section 5 of the National Register Act, the power to access theNational Register, specifically allocated to the Minister of the Interior. 172.2.2. The two extractions from the National Register by the defendant of the personal data ofthe first complainant47. Whether the consultation of personal data is lawful, and whether the further processing ofthose personal data after that consultation each separate, lawful processingmust be examined more specifically in the light of Article 6 GDPR.48. The Disputes Chamber repeats and clarifies that what was raised by the complainantswith regard to the course of the proceedings before the defendant (including complianceof the current language legislation by the defendant), not under the discretionof the Data Protection Authority. This does not prevent the Disputes Chamber from setting itself upto rule on those aspects related to the protection of thepersonal data protection of the complainants.49. The defendant retrieved the personal data from theNational register regarding the first complainant consulted. This was particularly the caseon September 17, 2018 and on March 5, 2019.16 Article 35/1, second paragraph of the Federal Services Integrator Act concerns the Law of 15 August 2012 on incorporationand Organization of a Federal Service Integrator, BS August 29, 201217 And therefore not to the federal government chamber of the information security committee in accordance with Article 86 Law of 5September 2018 establishing the Information Security Committee and amending various laws related to implementationRegulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council on the protection ofnatural persons with regard to the processing of personal data and with regard to the free movement of such dataand repealing Directive 95/46 / EC, BS September 10, 2019.
Page 13
Decision on the merits 61/2020 - 1350. The first consultation of the National Register dd. September 17, 2018 was promptedof the defendant's determinations made in accordance with the first Ordinance and thesecond Ordinance has done. 18 The defendant, it states in its summary statement,has “sent an official report establishing violations of thewaste legislation […] ” .51. With " the waste legislation" the defendant refers more specifically to the powerswho have one or more of its employees in the context of the determinations ofviolations of the first Order - this concerns violations of article 18, §1 andarticle 19, §4 - based on article 5, §2 of the second Ordinance.52. As at the beginning of section 2.2. was explained, the defendant has the optionto consult the National Register, and in particular for the following reason:“ (…) For the performance of the duties entrusted to [the defendant] in respect ofprevention and management of waste, in particular the detection, determination,prosecution and punishment of environmental crimes. ” 1953. The second consultation resulted from the lack of any answer by the firstcomplainant to the defendant's letters dated. September 25, 2018 (by registered letter)and then dd. November 12, 2018 (by regular letter). The second consultation dd. March 5th2019 brought forward that both the name of the first complainant and her postal address have changedgoods. This necessitated the sending of a new letter by the defendant to the formercomplainant on 15 March 2019 (by registered letter).54. Consultation of the National Register by the Director General or by a Directorgeneral staff member designated in writing, following the findings withwith regard to illegal dumping made by the defendant's employees,in the exercise of the official authority vested in the defendant. Thelegality therefore serves more particularly in the light of Article 6 (1) point e) GDPRtoturn intoexamined.55. The Disputes Chamber establishes that the powers and associated public authority thatassigned to the defendant are specifically assigned to the defendant pursuant tothe first Ordinance and the second Ordinance. Recording the tasks of public18 An excerpt from the first consultation was provided in the defendant's statement of defense, document 2.19 Article 1, paragraph 1 RD Y.
Page 14
Decision on the merits 61/2020 - 14authority in these two legal texts is necessary in accordance with Article 6 (2) of the GDPRthe legal basis within the meaning of Article 6 (1) point e) GDPR. 2056. The question is also whether the consultation of the personal data in the National Registerwas 'necessary' in the exercise of public authority functions. In that senseonly processing of personal data that contains information that is useful for thepurpose of exercising public authority are necessary. 2157. The Disputes Chamber considers both consultations of the personal data of the formercomplainant in the National Register, and the further processing of her personal data, and withname her name, first name and address details, indeed necessary for the exercisevtasks of the public authorities. The consultation is necessary for a correct and completeidentification of the first complainant, including her contact details. This can only be donetake place lawfully and adequately by means of a consultation with itpersonal data in the National Register.58. The second consultation was more specifically necessary as there was no response from theThe first complainant came to the first letters from the defendant, and thus one in good faithThe defendant suspected that the address details of the first complainantwere changed. This proved to be the case, and is additionally illustrated by the factthat after the letters by the defendant following the second consultation of the National Register(at a different postal address), a reply did come from the first complainant, although that onecommunication without a mandate for representation was conducted by the third complainant inhis own name. In addition, the name of the first complainant appeared to have changed during the periodbetween the first and second consultation of the National Register, something the defendant alonecould have established itself in a formal manner by consulting the National Register.59. For the sake of completeness, it can be stated that the personal data of the second complainantwere visible when consulting the personal data of the first complainant in theNational Register, given that it is not possible for the defendant to properly identify theto consult the personal data of the first complainant, without changing somepersonal data of the second complainant are visible, given the second complainant is legallives with the first complainant.20 In that sense: W. KOTSCHY, “Lawfulness of processing” in C. KUNER, LA BYGRAVE and C. DOCKSEY, The EU General DataProtection Regulation (GDPR): A Commentary, Oxford, 2020, (321) 335.21 Cfr. analogous reasoning in CJEU judgment, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, ECLI: EU: C: 2008: 724, par.59: “However, it should be noted that such a register may not contain any information other than for the purposeis necessary. "
Page 15
Decision on the merits 61/2020 - 1560. However, it is necessary to mention the link between the first and second complainantseparate analysis of the processing basis, which also includes the rights of the first complainantgiven the mere relationship with another natural person, in itself onepersonal data. This is further investigated in section On the basis of all the foregoing, the Disputes Chamber concludes that the two extractions of thepersonal data of the first complainant from the National Register, and the further processing ofthat personal data is lawful in accordance with Article 6 (1) point e) GDPR, given therea necessity is to keep the personal data of those first complainants accurate, complete and up-to-dateand all this fits within the proportional implementation of the powers that theTo assign orders to the defendant.2.2.3. The extraction of personal data concerning the second complainant during the consultationof the personal data of the first complainant in the National Register and thethe defendant assumes a family relationship between the second complainant and the third complainant62. Whether the mention of the personal data of the second and third complainant in theThe defendant's decision was "necessary" in the exercise of thepublic authority in accordance with Article 6 (1) point e) GDPR, is for the Disputes Chamberto be treated separately.63. It may be noted that the complainants and the defendant argue that the third complainant inown name but for the account of the first complainant put forward defenses in theproceedings which the defendant has in its powers in accordance with the Ordinancesconducted. So there is a real interest for the defendant to identify the third complainantmention in the Decision, in order to defend the first complainant - in fact carried throughthe third complainant without a representative mandate - to be clearly explained.64. The Disputes Chamber, on the other hand, considers that the second complainant, as legalcohabiting partner of the first complainant, at no point in the proceedings at thethe defendant was involved, and the indication of his personal data in the decisionwere in no way relevant to the purpose of that Decision - in particular to sanctionof the first complainant. The rights of the first complainant are also violated here, given themention of her family or legal ties is by no means necessary processingof personal data within the meaning of Article 6 (1) point e) GDPR.65. In addition, it can be indicated that establishing a possible family relationship betweenthe second complainant and the third complainant, on the one hand, is not relevant for the purpose of the Decision,
Page 16
Decision on the merits 61/2020 - 16and on the other hand has not been formally adopted by the defendant. Regarding this last aspect,the Disputes Chamber establishes that family ties are assumed to be personal databy the defendant, which means that this personal data could possibly be incorrect. This is notin the spirit of personal data protection law. Which states in Article 5 (1) pointd) GDPR, among other things that personal data that is processed must be correct.66. The Disputes Chamber finds first that no lawful processing takes place in themeaning of Article 6 (1) point e) GDPR, if the defendant uses the personal data of thesecond complainant - which it obtained when consulting the personal data of thefirst complainant in the National Register - stated in the Decision, without being necessary forthe purpose of exercising its official authority. This also damages the rights of thefirst complainant, given the mention of the legal and family relationship between her and thesecond complainant, does not constitute lawful processing within the meaning of Article 6 (1) (e)AVG. The defendant also cites no other possible basis, and the Dispute Chambercannot establish any other lawfulness basis in Art.6 para. 1 GDPR, based onwhat was presented to her.67. Secondly, the Disputes Chamber ruled that the tightening of a possible family relationshipthere is no lawful processing between the second complainant and the third complainantArticle 6 (1) (e) GDPR, as this is not necessary information for the purpose of theexercise of official authority by the defendant by means of the Decision. Moreoverthe family relationship is an assumption, which is not in the spirit of Article 5 (1) (d)AVG, which states that personal data that is processed must be correct.Finally, mentioning a possible family connection is not limited to what is necessaryfor the purposes of the Decision, which is not in accordance with the principleof data minimization within the meaning of Article 5 (1) point c) GDPR.3. Breaches of the GDPR and the complainant's requests68. The Disputes Chamber considers that the defendant has infringed the following provisions:a.Article 6 (1) point e) GDPR, given the mention in the Decision of thepersonal data of the second complainant, as well as the link between the first and thesecond complainant and between the second and third complainant, was not necessary in thethe defendant's duties of public authorityby the provisions of the Ordinances;b. Article 5 (1) (d) and (c) GDPR , in view of the defendant insufficienthas taken steps to verify that the allegation that there is
Page 17
Decision on the merits 61/2020 - 17a family relationship would exist between the second and third complainant is correct, and given itestablishing such a family relationship is not necessary for thepurposes for which the personal data are processed.69. Given the importance of transparency with regard to the decision-making process of theDisputes Chamber, this decision will be published on the website of theData protection authority, where the direct identification data of the saidparties and natural persons will be removed.FOR THESE REASONS,the Disputes Chamber of the Data Protection Authority will, after consultation, decide to issue thedefendant:• to be reprimanded in accordance with Article 100, §1, 5 ° WOG and Article 58, paragraph 2, point b) GDPRbecause of the unlawful copying and therefore processing of the personal data ofthe second complainant from the National Register, and the further use of those personal data toestablish certain unnecessary links between the first and second complainant,the second and third complainants respectively, which constitutes an infringement of Article 6, paragraph1 GDPR; moreover, the defendant has not taken all appropriate measures to preventensure that those relationships as personal data would be accurate in accordance with Article5,member1,pointd)AVG;• Article 100, § 1, 5 ° WOG and Article 58, paragraph 2, point a) AVG towarn that the consultation and further use of personal data from theNational Register should always be lawful, proper and necessary in the spirit of theGDPR - and more specifically the principles regarding the processing of personal data in Article5 GDPR - and in accordance with current legislation on the National Register, and morethe National Register Act.Against this decision on the basis of art. 108, §1 WOG, appeals are lodged within oneterm of thirty days, from the notification at the Marktenhof, with theData protection authority as defendant.
Page 18
Decision on the merits 61/2020 - 18(get.) Hielke HijmansChairman of the Disputes Chamber