APD/GBA - 72/2020

From GDPRhub
APD/GBA - 72/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 7(3) GDPR
Article 9(2) GDPR
Article 24(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 09.11.2020
Published: 09.11.2020
Fine: None
Parties: n/a
National Case Number/Name: 72/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: BE DPA (in FR)
Initial Contributor: n/a

A hospital was retaining a part of the salary of its employees being members of a trade union. This practice was based on an oral agreement with the work council, plus a written document from the employees. However, the DPA concluded that - the consent could not be considered as valid due to the fact that no mention made of the right of the employees to withdraw their consent. The litigation chamber also concluded that the precise purpose was not expressly communicated to the data subjects. No sanction was issued, considering that the processing at stake was stopped in June 2019.

English Summary[edit | edit source]

Facts[edit | edit source]

A hospital was retaining a part of the salary of its employees being members of a trade union 'A". This practice existed before another trade union "B" existed within the hospital. Fees were retained only for the membership fees of the members of the workers Union "A". The complainant, asks the DPA to answer on the legality of a practice consisting of collecting data on the membership of workers to trade unions.

Dispute[edit | edit source]

Holding[edit | edit source]

The DPA considered that the consent was not valid (not because there was a subordination but) considering that the right to withdraw consent was not mentioned to the data subjects. The litigation chamber also concluded that the purpose of the processing was not explicit enough.

Comment[edit | edit source]

Interesting to note that the consent of the employees was not considered invalid because of the subordination relationship, but on the basis of the lack of mention of the right to withdraw the consent. The DPA indeed considered that the refuse to consent could not lead to adversary effects on the data subjects.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/14
Litigation Chamber
Decision on the merits 72/2020 of November 09th
2020
File No.: DOS-2018-02075
Subject: Complaint against a hospital (processing of membership data)
union)
The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke
Hijmans, Chairman and Messrs. Yves Poullet and Christophe Boeraeve, members ;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the
protection of natural persons with regard to the processing of personal data and to the
free movement of such data, and repealing Directive 95/46/EC (General Regulation on the free movement of
data protection), hereinafter referred to as RGPD ;
Having regard to the law of 3 December 2017 creating the Data Protection Authority (hereinafter DPA);
Having regard to the internal rules of procedure as approved by the House of Representatives on
December 20, 2018 and published in the Moniteur belge on January 15, 2019 ;
Having regard to the documents in the file ;
has taken the following decision concerning :
- the plaintiff : Mr. X
- the defendant: Y Hospital
Decision on the merits 72/2020 - 2/14
1. Facts and procedure
1. On May 6, 2018, the complainant sends an email to the Data Protection Authority (DPA)
requesting an opinion on a data processing operation carried out by his employer, which he identifies
then as a hospital institution, established in the Walloon Region.
2. According to his e-mail, the complainant is a union representative for union A in the institution.
hospital in question. It is seeking the MPA's opinion on the employer's direct debit on the following issues
their salary from the union dues of Union B affiliates.
3. The plaintiff questions the legality of such a practice under the DMPP. He states
also that this sampling would take place under unclear conditions and not in accordance with the will
of the workers, as well as the confidentiality of their data. He adds that the treatment of
union data would lead to discrimination between employees on the basis of their membership of a union
union. He wondered in general terms about the interest that an employer would have in collecting
data on the union membership of its employees.
4. After exchanging letters, the complainant filed a complaint with the ODA on August 28, 2020,
for the facts evoked in the various exchanges of letters. The plaintiff's employer, who is
also the treatment manager, is identified as the Y hospital.
5. On September 12, 2018, the complaint is declared admissible by the President of APD. Admissibility
is confirmed to the complainant by letter dated October 4, 2018. During session n°2 of October 23rd
2018, the Litigation Chamber decides to request an investigation from the Inspection Service. The request
The investigation report will be forwarded to the Inspection Service on October 29, 2018. The complainant will be notified on October 29, 2018.
same day by mail.
6. The Inspection Service will contact the complainant by mail dated March 05, 2019. In this letter,
the Inspection Service asks if the complainant can provide the contact information of the
data protection officer of the data controller, from the highest level of the
Management of the Y hospital and the highest level of the human resources hierarchy. By a
series of questions, the Inspection Service also asks the complainant for any type of documents that may be of interest.
that can support the content of his complaint. A reminder e-mail is sent to the complainant by the Service.
inspection on June 4, 2019.
7. On June 12, the complainant responds to the Inspection Service by email. He explained that the Y hospital has taken
the decision to end the system of payroll deduction of union dues from affiliates
to Union B. A first permanent discontinuance date was set at March 31, 2019, prior to which the 
Decision on the merits 72/2020 - 3/14
to be postponed to June 30, 2019. The complainant further confirms the data that the Service
inspection team asked him to check it out.
8. On June 19, 2019, the Inspection Service sent a letter to the Data Protection Officer
of Hospital Y, which asks him to provide certain information within a month, including
the purposes, the basis for the lawfulness of the processing, as well as the list of the data processed and the documentation
relating to the said treatment. In a letter dated August 13, 2019, received by ODA on August 19, 2019, the
Hospital Management Y provides answers to questions from the Inspection Department.
9. The letter from the person in charge of treatment begins with a historical summary of the treatment which
was in effect at the Y Hospital and which is outlined in the paragraphs below.
10. 10. The manager explains that the treatment was implemented at a time when there was only a
the only union delegation at the Y hospital, namely union B. It had been agreed orally
that affiliated workers who wished to do so could mandate the Y Hospital to deduct union dues from their wages. An example of a mandate signed by a worker on
April 17, 2018 is provided as an appendix to the letter. According to the data controller, the social inspectorate
had confirmed several times that each worker could give a mandate of this type to his or her
employer.
11. In the 2008 social elections, a second trade union organization, Union A, won the right to vote.
union representatives. It was proposed that they subscribe to the payroll deduction system, which they have been
which they refused. According to the data controller, following the coming into force of the DMPP, the union
A has made it known that he considers this system to be illegal.
12. The Management of Hospital Y has requested an opinion from its Data Protection Officer on this
question. The notice was provided on September 11, 2018. The notice is attached to the letter. The Delegate y
recommends, in particular, that the practice be discontinued since it does not appear to be useful for the objectives.
of the institution.
13. Hospital Y has decided to stop withholding union dues as of June 30.
2019. Attached to the letter are two excerpts from PVs of Conseils d'entreprise. The first dated
of January 10, 2019, states that "the problem of dues deduction will be resolved within 3
months". The second, dated April 4, 2019, states that "the system of levies will be discontinued at
As of June 30, 2019".
14. In the second part of the letter, the data controller answers questions from
the Inspector General. It specifies in particular that the basis for the lawfulness of the data processing revealing 
Decision on the merits 72/2020 - 4/14
the union membership of the worker is the "individual and written mandate given by the worker to
the Y hospital".
15. Regarding the purpose of the treatment, the treatment manager states that it was never done
any other use of this data than the one intended.
16. Hospital Y adds that the system was implemented as a result of a "historic oral agreement between a
union and management. There was no formalized writing. "He also explains that it was not a matter of
not a system generalized by the employer but a facility granted by the employer on request
specific to the worker.
17. The Inspection Service issues its investigation report on August 27, 2019. It notes in particular that the
purpose of the salary was to deduct union dues from the salary and that the salary was
based on consent. He also adds that the legitimacy of the purpose does not appear to be
consistent with social law, but that according to the complainant (Exhibit 1) and the hospital's management
Y (Exhibit 21), the social inspectorate admits such a practice. Furthermore, the Inspection Service
raises the question of whether, in view of the obvious imbalance in labour relations
between the person concerned/employee and the controller/employer, the free
of the worker's consent can be questioned (Recital 43 of the GDGR and opinion of the Group of
Article 29" on data protection n°2/2017 of June 8, 2017 on the processing of personal data.
workplace data (WP249). The Inspection Service finally finds that it has been terminated
to treatment as of June 30, 2019.
18. On September 20, 2019, the President of the Litigation Chamber shall decide, pursuant to Article 98 of the
the ACL that the file can be examined on its merits. On the same date, the Litigation Chamber has
transmitted the complaint and exhibits to the defendant by registered letter and invited the parties to
argue their case according to a set timetable.
19. By e-mail sent on October 3, 2019, the data controller informs the Chamber
Litigation that it will not conclude in this case, considering that it has brought to the attention of
the Data Protection Authority all the elements in its possession.
20. The plaintiff did not send any conclusions to the Litigation Chamber. 
Decision on the merits 72/2020 - 5/14
2. Motivation
21. On the basis of the complaint transferred to him and the investigation report provided by the Service
inspection, the Litigation Chamber considers it established that the Y hospital was responsible for your
processing for processing of data concerning the trade union membership of certain
workers, with the aim of deducting the union dues from the salaries of the persons concerned
(Parts No. 1, 21 and 23).
22. The Chamber considers that a number of issues need to be considered. First, given the
period during which the events took place, the House wishes to consider the issue of the
applicable law and on its jurisdiction (section 3.1 below). Second, the Chamber considers that the
The legality of the data processing at issue must be analyzed from the perspective of its lawfulness (section 2.2 below) and purpose (section 2.3 below). Finally, it will address the issue of the
sanction (section 2.4 below)
2.1 Applicable Law and ODA Jurisdiction
23. It is apparent from the documents in the file that the processing of union data for the purpose of carrying out the
a payroll deduction of union dues for workers affiliated with Union B exists at least
since 2008.
24. 24. Furthermore, it is clear from the statements of both the plaintiff (Exhibit No. 17) and the defendant (Exhibit No. 18) that the
21), that the treatment was definitively terminated as of June 30, 2019. The Litigation Chamber
therefore considers that the data processing in question took place over a period from 2008 to 2009.
as of June 30, 2019, i.e. more than 10 years.
25. The law applicable to this data processing differs according to the period under consideration. Since its implementation
in place until May 25, 2018, the treatment was subject to the HPPA. Applicable legislation has changed
from the coming into force of the DMPP on May 25, 2018.
26. The Data Protection Authority, and hence the Litigation Chamber, were created by the
LCA, which came into force on the same day as the DPGR, i.e. May 25, 2018. Therefore,
the Litigation Chamber does not consider itself competent to verify the legality of the processing for the
period prior to May 25, 2018. It will therefore analyze the data processing for the period
from May 25, 2018 to June 30, 2019.
Decision on the merits 72/2020 - 6/14
2.2 Lawfulness of the processing
27. The Litigation Chamber recalls first of all that the processing of data concerning
union membership are in principle prohibited (article 9.1 of the RGPD). The second paragraph of the
However, the same article provides for a series of exceptions, including "consent" and "consent
the data subject] to the processing of such personal data for one or more of the following purposes
several specific purposes".
1
.
28. Even if it is not directly claimed, the Litigation Chamber notes that the
data controller uses explicit consent as a basis of lawfulness for the treatment
of data in question, since he states that it is based on "an individual written mandate
given by the worker at the Y hospital". He adds that "it is not a system generalized by
the employer, but of a facility granted by the latter at the specific request of the worker" (Exhibit
No. 21, p. 2). The data controller provides a copy of the mandate, signed by a worker
(from which identification data has been removed) as of April 17, 2018.2
29. 29. It is therefore necessary to consider whether the elements of explicit consent are in fact
filled on this occasion. A definition of "consent" is provided in section 4.11 of the DP Regs that
states that it must be "free, specific, enlightened and unambiguous". Section 9.2.a) adding by
other than for the processing of data related to trade union membership, consent shall
also be "explicit".
30. As regards the free nature of consent, it is clear from the documents in the file (see point No. 2.2.1) that the consent must be "explicit".
27) that it was given by written mandate, as a facility given by the employer to the employee.
Neither the parties, nor the inspection, provide any evidence to conclude that the
consent would have been vitiated or given under duress.
31. However, the investigation report notes that, in view of the apparent imbalance in the
labour relations, between the data subject who is employed and the controller who is responsible for the processing
is an employer, the free nature of the treatment can be questioned. The Inspection Service is based on
on Recital 43 of the GDGR and on an opinion of the Article 29 Working Group on the treatment of
workplace data3 to make this finding. The guidelines for the

1 Section 9.2.a) of the GDMP.
2 In the absence of specification to the contrary by the data controller, the Dispute Chamber presumes that
mandate form has not been modified since then and that the same mandate form has continued to be used
after the coming into force of the DPGR.
3 "ARTICLE 29" Working Party on Data Protection, "Opinion 2/2017 on the processing of data at the place of
adopted on June 8, 2017 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169).
Decision on the merits 72/2020 - 7/14
consent4
which were in effect at the time the treatment in question took place5
The following are mentioned
also this risk of an imbalance of power between the data controller and the individual
consent, particularly in the area of the relationship between the individual and the
work, which is the case here. However, the guidelines do state that as a
exceptional, the consent of the worker may be considered validly given, when
there are no consequences for the worker to give or withhold his or her consent
negative for his or her person6
.
32. In other words, exceptionally, a worker may validly consent to the treatment
of data from his employer, when the latter does not derive any benefit from the processing.
As developed below (see points n° 41-44 and 56), the Litigation Chamber does not have at its disposal
any element allowing him to conclude that the processing in question would be carried out for a purpose
other than the ease given to the worker. The Litigation Chamber therefore considers that the
data controller does not derive any benefit from the consent of the worker, and that the
power imbalance between the parties does not therefore risk vitiating consent. The worker
can therefore be considered to have been freely given consent.
33. As to the specific nature of consent, the Litigation Chamber considers that it is
is completed by the individual mandate that the worker is asked to complete (a copy of which is
provided in Exhibit 21, Appendix 1). The mandate in fact only seeks the consent of the worker if
for a single data processing operation, which is the one related to the collection of union dues
directly on the salary.
34. With respect to the informed nature of the consent obtained, the guidelines on consent
adopted in 2018 identify several criteria against which it can be assessed. For a person to
consent, it must in particular have received the information and information that is necessary for the
following :
- The identity of the data controller,
- The purpose of each of the processing operations for which consent is sought,
- The data that will be collected and used,
- The existence of the right to withdraw consent,
- […] »
7

4 "ARTICLE 29" Data Protection Working Party, "Guidelines on Consent under the
By-law 2016/679", adopted on April 10, 2018 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051)
5 These guidelines have since been replaced by a new EDPB document adopted on May 4, 2020.
(https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf)
6 "ARTICLE 29" Data Protection Working Group, "Guidelines on Consent under the
Regulation 2016/679", op. cit. at p. 8.
7
Ibid, p. 15.
Decision on the merits 72/2020 - 8/14
35. The Litigation Chamber observes that the first three elements appear in a way that the
relatively clear on the copy of the Terms of Reference provided (Exhibit 21, Appendix 1). It notes, however, that it
nowhere is there any mention of the fact that the person concerned (the worker) can withdraw his
consent at any time to terminate treatment, whereas the guidelines state that the
it is a required element based on article 7.3 of the GDMP. The Litigation Chamber considers
Therefore, consent cannot be considered to have been given in an informed manner.
36. In view of the elements set out above (and in particular in point n°35), the Chamber
Litigator concludes that section 9.2(a) juncto 7.3 of the MOPP has not been complied with, in the sense that the
consent cannot be qualified as informed.
37. As for the explicit nature of the consent required by article 9.2.a) of the RGPD, the Chambre
Litigator believes that this is fulfilled by the written mandate signed by the person concerned and which
explicitly and specifically specifies the data processing that will be carried out.
38. In these communications, the complainant repeatedly refers to the fact that the
consent of the persons concerned would not be systematically requested, and that the processing
would thus sometimes take place without a basis of legality (part n°1). The Litigation Chamber notes however
that the complainant does not bring any documentation to demonstrate these elements and that the
data controller specifies that the consent of the worker is systematically asked for
(see point 43 above). The Inspection Service also did not make any findings.
particular in this respect, the Litigation Chamber does not have at its disposal any elements allowing it to
consider that worker consent would not have been systematically required.
2.3 The purpose of the treatment
39. Article 5.1(b) of the GDMP establishes that personal data must be collected
for specified, explicit and legitimate purposes, and not be further processed for a "specific" purpose.
in a manner incompatible with these purposes".
40. For the interpretation of this principle, the Litigation Chamber may base itself on the opinion
developed at the time by the Article 29 Working Group, which details what is meant by the term "Article 29".
an explicit purpose8
. It is important to note that the main characteristics of the principle of

8 "ARTICLE 29" Working Party on Data Protection, "Opinion 03/2013 on purpose limitation", adopted on 2 December 2003.
April 2013 (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf)
Decision on the merits 72/2020 - 9/14
purpose limitation have remained identical between Directive 95/469 and the RGPD. The lines
guidelines developed in 2013 therefore remain valid for the interpretation of the three
essential characteristics of the purpose principle.
41. As to the determinate character of finality, the Litigation Chamber notes that in its
request for information, the complainant clearly refers to a "levy of
Union B union dues directly on remuneration" (Exhibit 1).
42. It also appears from the letter from Hospital Y (Exhibit No. 21), that "workers affiliated with the union
B who wished to do so, could give a mandate to Hospital Y to deduct from their salary
the amount of union dues". This is confirmed by the sample mandate provided by the
responsible for processing, which includes the following sentence: "I, the undersigned, [...] request
expressly to the management of Hospital Y that my union dues for Union B be taken from
my remuneration from ... " (Exhibit No. 21, Appendix 1).
43. 43. The note from the Data Protection Officer also mentions this purpose (Exhibit No. 21,
Appendix 2) and the Inspection Service's investigation report arrives at the same finding (Exhibit #23
).
44. On the basis of these documents, the Litigation Chamber considers that the purpose of the processing was indeed
determined, insofar as it was intended to allow the direct deduction of union dues
on the salary.
45. As to the explicit nature of the purpose, the Article 29 Working Group opinion explains
the following:
"The purpose of the collection should not only be specified in the minds of the people
responsible for data collection. They should also be made explicit. […]
The ultimate objective of this requirement is to ensure that the objectives are unambiguously specified, or
imprecise as to their meaning or intent. The meaning must be clear and must not leave
no doubts or difficulties in understanding. […]
The requirement to "explicitly" specify objectives contributes to transparency and predictability.
It makes it possible to determine unambiguously the limits of the use that data controllers may make of the data.
may make personal data collected, with a view to protecting persons

9 Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of natural persons
with regard to the processing of personal data and the free movement of such data
Decision on the merits 72/2020 - 10/14
concerned. It assists all those who process data on behalf of the data controller, as well as
data subjects, data protection authorities and other stakeholders,
to have a common understanding of how the data can be used. This
reduces the risk that the expectations of those involved will differ from those of the
data controller".
10
.
46. The opinion of the working group therefore insists on the need for an explanation of the purpose which
allow everyone to understand the purpose of the data processing and to avoid the need for
misunderstandings. On the question of how this purpose should be made explicit, the opinion emphasizes the
following items :
"In terms of accountability, the specification of the objective in writing and the production of documents
will help to demonstrate that the data controller has complied with the requirement of the article
6(1)(b)11. This would also allow the persons concerned to exercise their
rights more efficiently - for example, it would provide evidence of the original purpose and
would allow a comparison with subsequent processing purposes. »
12
47. According to the data controller, the data processing in question has been implemented on
basis" of a historic oral agreement between a union and management. There has been no formalized written agreement".
(Exhibit 21, p. 2). The purpose of the processing is, however, indicated on the individual written mandate given by
the worker, as indicated above (see point n°42).
48. The fact that the purpose of the treatment is only described on the individual mandate of the
There are several reasons why the worker in question is asking questions. Indeed, this means first of all that the aim
is only made explicit at the time when consent is requested from the worker and with respect to
this worker. It is therefore not made explicit for other workers, for example. This
The lack of documentation formalizing the mechanism contributes to maintaining a certain ambiguity.
49. The Litigation Chamber recalls once again (see point n°27) that the processing of the data
concerning union membership is in principle prohibited. Article 24.1 of the GDMP also states that
that :

10 "ARTICLE 29" Working Party on Data Protection, "Opinion 03/2013 on purpose limitation", op. cit., p.
17. Free translation.
11 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the protection of privacy, op. cit.
physical with respect to the processing of personal data and the free movement of such data.
12 "ARTICLE 29" Working Party on Data Protection, "Opinion 03/2013 on purpose limitation", op. cit, p.
18. Free translation. 
Decision on the merits 72/2020 - 11/14
"Taking into account the nature, scope, context and purposes of the treatment as well as
that there are risks to rights and freedoms that vary in their degree of probability and severity
of natural persons, the data controller implements technical measures and
to ensure and be able to demonstrate that the treatment is appropriate for the patient.
made in accordance with this by-law. »
13
50. The Litigation Chamber considers that the processing of trade union data by the employer
presents an obvious risk for the workers concerned, since it grants the employer a data
of a sensitive nature that could be misused to put pressure on workers or employers to
discriminate in particular during promotion procedures. It is therefore appropriate to
takes special precautions when processing this type of data. At this
In this respect, the Litigation Chamber considers that the absence of any written agreement and the fact that the
mechanism was decided on the basis of a simple oral agreement constitutes a significant negligence.
51. The Chamber notes moreover that this absence of a written document contributes to maintaining a vagueness
the intentions of the data controller and raises doubts as to the intentions of the data controller.
workers not affected by the treatment, as revealed by the request for information and the
motion of the plaintiff. This lack of documentation also creates some uncertainty as to whether or not
the limits and modalities of treatment. Indeed, as noted in the complaint, there are issues that arise from the
ask, for example, whether unpaid Union B dues amounts can make a difference to the
the subject of a reminder from the data controller to the workers (exhibit 1).
52. Only after obtaining information from the complainant and requesting an investigation from the Service
(which questioned the controller) that the Litigation Chamber has been able to
determine the purpose of the treatment (see points no. 41-44). In other words, it is only after an
in-depth analysis on the part of the Litigation Chamber that the purpose could be clarified. It is,
for the Litigation Chamber, it is undeniable that a purpose that requires this type of examination to be
clarified, cannot be considered explicit.
53. As to the legitimacy of the purpose, which is repeatedly questioned by the plaintiff
(Exhibits 1, 3, 6), the investigation report notes that it "is nevertheless problematic: a
such a systematic deduction does not seem to be practicable on the salary given the provision
imperative of article 23 of the law of April 12, 1965 concerning the protection of the remuneration of the
which in principle prohibits any deduction from remuneration, even in the presence of an agreement
beforehand. "However, the report states that "it is apparent from the complainant's statements (Exhibit 1) and

13 It is the Litigation Chamber that emphasizes.
Decision on the merits 72/2020 - 12/14
of the general management of the Y hospital (room 21) that the social inspectorate admits such a
practice".
54. By virtue of article 4, § 1
er of the LCA, "the Data Protection Authority is responsible for the
monitoring compliance with the fundamental principles of personal data protection,
under this Act and laws containing provisions for the protection of the
processing of personal data". The Chamber therefore considers itself incompetent.
to determine the legality of a practice (in casu, a direct levy by the employer of an
contribution on employees' salaries) in relation to social law. It notes, in the same way as the
Inspection Service, that both the complainant and the data controller declare that the
practice would have been accepted or at least tolerated by the social inspectorate. Therefore, the Chamber
cannot find a violation of article 5.1.b regarding the legitimacy of the purpose of the processing.
55. On the issue of further processing of trade union data for other purposes
than those provided for, treatment alleged by the complainant (see point n°3) and consisting in particular in
the granting of benefits on the basis of trade union membership, the Litigation Chamber notes that no
no evidence is provided to support these allegations. The investigation report also does not make any
particular observation in this respect, and the data controller shall indicate that the data are not
processed for no other purpose than payroll deduction (Exhibit No. 21, p. 2). Therefore, the
The Chamber believes that this element is unfounded.
2.4 Sanction
56. On the basis of the above analysis, the Litigation Chamber considers that the data controller
has violated the following articles of the GDPS:
- section 9.2(a) juncto 7.3 in the sense that the consent was not informed (see item 36) ;
- section 5.1.,b) juncto 24.1 of the GDMP in the sense that the purpose was not explicit (see point
n°52).
57. The Litigation Chamber notes, however, that according to both parties and the report of the investigation, he
was definitively terminated as of June 30, 2019, in particular following a notice to the Company's shareholders.
in this sense from the data protection officer of the data controller.
58. The Dispute Chamber considers that even if these violations were of a structural nature,
since they concerned the entire mechanism and not just a few isolated cases, they do not proceed
likely not a deliberate attempt to circumvent protective legislation
personal data. 
Decision on the merits 72/2020 - 13/14
59. It is also important to note that the complainant has never been involved in the treatment of
The data in question, since he is a member of the union that refused to participate in the scheme. The
The Litigation Chamber further considers that it has not been shown that he has suffered any
prejudice.
60. The fact that the data controller has requested an opinion from its DPO is not a precondition for the processing of the data.
and that it has decided to implement this advice demonstrates a clear commitment to the
obligations under the DPGR. Furthermore, the permanent interruption of processing exempts its
responsible for further compliance.
61. On the basis of these elements, the Chamber considers that it is not necessary to pronounce one of the
measures provided for in Article 100, §1 of the LCA.
2.5 Transparency
62. Given the importance of transparency in the decision-making process and the importance of the
the decisions of the Litigation Chamber, this decision will be published on the Authority's website
data protection by deletion of directly identifying data of the parties
and the persons mentioned, whether they are individuals or legal entities.
Decision on the merits 72/2020 - 14/14
BY THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation :
- that there has been a violation of articles 5.1.,b) juncto 24.1 and 9.2.a) juncto 7.3 of the RGPD;
- that it is not necessary to pronounce one of the measures provided for in Article 100, §1 of the
ACL.
Pursuant to Article 108, § 1 ACL, this decision may be appealed within 30 days.
days, as of the notification, to the Market Court, with the Data Protection Authority
as a defendant.
Hielke Hijmans
President of the Litigation Chamber