APD/GBA (Belgium) - 81/2020: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
(27 intermediate revisions by 3 users not shown)
Line 46: Line 46:




|Party_Name_1=Anonymous (Plaintive - physical person)
|Party_Name_1=Anonymous (Complainant - physical person)
|Party_Link_1=
|Party_Link_1=
|Party_Name_2= Anonymous (Defendant 1 - company specialized in controlling "street parking"
|Party_Name_2= Anonymous (Defendant 1 - a company specialized in controlling the respect of street parking regulations.)
|Party_Link_2=
|Party_Link_2=
|Party_Name_3= Anonymous (Defendant 2- bailiff's study)
|Party_Name_3= Anonymous (Defendant 2- a bailiff's study)
|Party_Link_3=
|Party_Link_3=
|Party_Name_4=
|Party_Name_4=
Line 66: Line 66:
}}
}}


Belgian DPA holds that two data controllers intervening successively have commited various breaches of the GDPR principles (lawfulness, data minimisation, accountability ,rights of information and access of the data subjects).
The Belgian DPA (APD/GBA) imposed a fine of €50,000 and €15,000 on two different data controllers for breaching various principles of the GDPR, such as the principles of lawfulness, data minimisation and  accountability.


==English Summary==
==English Summary==


===Facts===
===Facts===
A data subject made access requests with the private company ensuring the control of the respect of communal street parking regulations which had imposed him (or her) with a parking fine as well with the bailiff's study charged to insure that such fines are paid.  
The complainant was fined by the first defendant ( a private company mandated to ensure the respect of municipal street parking regulations) for a violation of municipal street parking regulations.
 
In order to establish the violation of municipal regulations and issue the fine, the first defendant collected personal data directly from the complainant including data extracted from the Belgian national register, the DIV (department for vehicle registration) and a photo of her car. The DIV was consulted by the first defendant the day after the fine was issued (which was not necessary).
 
The first defendant claims to have sent a reminder to the complainant concerning the payment of the fine. Having received no response, it transferred this data to the second defendant, a bailiff's office to be reused and processed in the context of the collection of the fee (processing allowed by article 519 of the Belgian judiciary code).
 
After having received a formal notice from the second defendant asking her to pay the fine with interests, the complainant wrote to the second defendant claiming she had not received an invitation to pay , nor a reminder from the first defendant and also asked to exercise her right of access and information concerning the data processed by the second defendant. 
 
The complainant then also made a similar request with the first defendant.
 
The complainant only received a partial response from the second defendant in the allotted time. The first defendant did not respond to her request and redirected her to the second defendant.
 
Pursuant to this lack of satisfactory answers from the defendants, the complainant lodged a complaint with the Belgian Data Protection Authority stating the following violations :
 
As to the first defendant: 
 
- a breach of her right to information (Articles 12 and 14 of the GDPR) 
 
- a breach of her right of access (article 15 of the GDPR) 
 
- a breach of Article 28 of the GDPR with regard to the quality of subcontractor of the second defendant 
 
- a breach of Article 5 of the GDPR (respect for the principle of necessity with regard to the consultation of the DIV)
 
- a breach of the principles of proportionality and illegal reuse of data (Articles 5 and 6 of the GDPR) with regard to the communication of his data at the second defendant - a breach of the principle of minimization (article 5 of the GDPR) with regard to the taking of photograph of his vehicle when the violation of the rules of parking
 
As for the second defendant :
 
- a breach of his right to information (Articles 12 and 14 of the GDPR) 
 
- a breach of his right of access (article 15 of the GDPR) 
 
- a breach of Article 28 of the GDPR with regard to its status as a processor 
 
- a breach of the principles of proportionality and illegal reuse of data (Articles 5 and 6 of the GDPR) which are communicated to him by the first defendant. 
 
- a breach of the principles of data minimization and the use of consent forced (Articles 5 and 6 of the GDPR) with regard to the form attached to the payment notice (formal notice).


===Dispute===
===Dispute===
To which extend should a data controller responsible for compliance with municipal regulations and a subsequent data controller to which personal data is transferred inform the data subject about the processing of his or her data as well as subsequent processing and justify the lawfulness and proportionality (data minimisation ) of the processing.
The dispute between the parties involved the following questions : 
 
To which extent can a data controller responsible for compliance with municipal regulations (regulations which does not address the processing of data)  collect and process personal data of a data subject without complying with general data protection principles such as timely information, access and the principle minimization ? Can this first controller rely on an exception to collect this data ?
 
Under which circumstances and to what extent may this data controller transfer the data collected for this first processing to a subsequent (but not joint) data controller mandated to  collect the unpaid fine ? 
 
To which extent should the the subsequent but distinct data controller comply with the right to access and information of the data subject ? 
 
What is the relation between the two controllers as regard to data protection principles ?


===Holding===
===Holding===
The Litigation Chamber of the Belgian DPA notes the following breaches in respect of the first defendant:
The Litigation Chamber of the Belgian DPA notes the following breaches are established in respect of the first defendant:


- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.of the GDPR)
- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.of the GDPR)
Line 83: Line 127:
- a breach of its obligation to follow up on the exercise of the complainant's right of access within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights)
- a breach of its obligation to follow up on the exercise of the complainant's right of access within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights)


- a breach of the principle of minimization during the premature consultation of the DIV (register concerning immatriculation of cars) - (article 5.1 c) of the GDPR.
- a breach of the principle of minimization during the premature consultation of the DIV (register concerning matriculation of cars) - (article 5.1 c) of the GDPR.


- a breach of its obligation to put in place technical measures and adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.
- a breach of its obligation to put in place technical measures and adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.
                
                
As to the second defendant the Belgian DPA found that the following breaches were commited :
As to the second defendant the Belgian DPA found that the following breaches are established :


- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
GDPR)
GDPR)
- a lack of legal basis with regard to the collection of data by way of the form accompanying the formal notice of payment (article 6 of the GDPR) and a breach of principle of data minimization (article 5.1 c) of the GDPR) given the excessive nature of requested data.
- a lack of legal basis with regard to the collection of data by way of the form accompanying the formal notice of payment (article 6 of the GDPR) and a breach of principle of data minimization (article 5.1 c) of the GDPR) given the excessive nature of requested data.


- a breach of Articles 5.2. and 24. 1-2 of the GDPR.                                                                                                       
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.                                                                                                       


In consequence with the breaches mentionned above the first defendant was sanctionned (In accordance with the Belgian Law of 3 December 2017 establishing the Data Protection Authority) with a reprimand, an order to adopt necessary actions to comply with the GDPR and a 50.000 euro fine.
'''Sanctions :''' In consequence with the breaches mentioned above :
 
- the first defendant was sanctioned (In accordance with the [http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2017120311&table_name=loi Belgian Law of 3 December 2017 establishing the Data Protection Authority]) with a reprimand, an order to adopt necessary actions to comply with the GDPR as well as a 50.000 euro fine.


The second  defendant was sanctionned with a reprimand, an order to adopt necessary action to comply with gdpr and a 15.000 euro fine.     
- the second  defendant was sanctioned with a reprimand, an order to adopt necessary action to comply with GDPR as well as a 15.000 euro fine.     


==Comment==
==Comment==
Line 106: Line 153:


==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
The decision below is a machine translation of the French original. Please refer to the French original for more details.
The decision below is a machine translation of the French original. Please refer to the French original for more details.


<pre>
<pre>
1/45
1/45
Chambre Contentieuse
'''Litigation Chamber'''
Décision quant au fond 81/2020
 
du 23 décembre 2020
Decision on the merits 81/2020of 23 December 2020
N° de dossier : DOS-2019-02751
File No .: DOS-2019-02751
Objet : Décision relative à deux responsables de traitement intervenant successivement
 
constatant différents manquements aux principes du RGPD (licéité, minimisation,
Subject: Decision relating to two data controllers intervening successively
accountability ) et aux droits des personnes concernées (information, accès, facilitation
noting various breaches of the GDPR principles (lawfulness, minimization,
des droits)
accountability) and the rights of the people concerned (information, access, facilitation
La Chambre Contentieuse de l'Autorité de protection des données, constituée de Monsieur Hielke
Rights)
Hijmans, président, et de Messieurs J. Stassijns, C. Boeraeve, membres, reprenant l’affaire dans cette
 
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs J. Stassijns, C. Boeraeve, members, taking up the case in this
composition;
composition;
Vu le Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to
protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la
protection of individuals with regard to the processing of personal data and the
libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la
free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection), hereinafter GDPR;
protection des données), ci-après RGPD;
Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA);
Vu la loi du 3 décembre 2017 portant création de l'Autorité de protection des données (ci-après LCA);
Having regard to the rules of procedure as approved by the House of Representatives on December 20
Vu le règlement d'ordre intérieur tel qu'approuvé par la Chambre des représentants le 20 décembre
2018 and published in the Belgian Official Gazette on January 15, 2019;
2018 et publié au Moniteur belge le 15 janvier 2019 ;
Considering the documents in the file;
Vu les pièces du dossier ;
 
A pris la décision suivante concernant :
Took the following decision regarding:
La plaignante : X
 
Décision quant au fond 81/2020- 2/45
The complainant: X
La première défenderesse : Y ;
Decision on the merits 81 / 2020- 2/45
Ayant pour conseils, Maîtres Frédéric Dechamps et Nathan
 
Vanhelleputte, avocats.
The first defendant: Y;
La seconde défenderesse : Z ;
Having for advice, Masters Frédéric Dechamps and Nathan
Ayant pour conseil Maître S. Parsa, avocate.
Vanhelleputte, lawyers.
Ci-après également désignées ensemble par « les défenderesses » ;
 
1. Rétroactes de la procédure
The second defendant: Z;
Vu la plainte déposée le 15 mai 2019 par la plaignante auprès de l’Autorité de protection des données
Advised by Maître S. Parsa, lawyer.
(ci-après APD);
Hereinafter also referred to together as "the defendants";
Vu la décision prise par la Chambre Contentieuse lors de sa séance du 12 juillet 2019 de saisir
 
l’Inspecteur général sur la base des articles 63, 2° et 94, LCA et la saisine de ce dernier à cette
1. Feedback from the procedure
même date;
Considering the complaint filed on May 15, 2019 by the complainant to the Data Protection Authority
Vu le rapport et procès-verbal d’enquête de l’Inspecteur général transmis le 6 janvier 2020 à la
(hereinafter APD);
Chambre contentieuse ;
Having regard to the decision taken by the Litigation Chamber during its session of July 12, 2019 to seize
Vu les courriers du 21 janvier 2020 et du 18 février 2020 de la Chambre Contentieuse informant les
the Inspector General on the basis of Articles 63, 2 ° and 94, 1 ° LCA and the latter's referral to this
parties de sa décision de considérer le dossier comme étant prêt pour traitement au fond sur la base
same date;
de l’article 98 LCA et leur communiquant un calendrier d’échange de conclusions ;
Having regard to the Inspector General's report and investigation report sent on January 6, 2020 to the
Vu les conclusions principales de la seconde défenderesse déposées par son conseil, reçues le 12 mars
Contentious chamber;
2020 ;
Having regard to the letters of January 21, 2020 and February 18, 2020 from the Litigation Chamber informing
Vu les conclusions de la plaignante, reçues le 27 mars 2020;
parts of its decision to consider the case ready for substantive processing based on
Vu les conclusions additionnelles et de synthèse de la première défenderesse déposées par son conseil,
Article 98 LCA and providing them with a timetable for the exchange of conclusions;
reçues le 14 avril 2020 ;
Having regard to the main conclusions of the second defendant filed by its counsel, received on March 12
Vu les conclusions additionnelles et de synthèse de la seconde défenderesse déposées par son conseil,
2020;
reçues le 14 avril 2020 ;
Having regard to the conclusions of the complainant, received on March 27, 2020;
Vu la demande formulée par les défenderesses aux termes de leurs conclusions d’être entendues par
Having regard to the additional and summary conclusions of the first defendant filed by its counsel,
la Chambre Contentieuse en application de l’article 51 du règlement d’ordre intérieur de l’APD;
received on April 14, 2020;
Décision quant au fond 81/2020- 3/45
Having regard to the additional and summary conclusions of the second defendant filed by its counsel,
Vu l’invitation à l’audition adressée par la Chambre Contentieuse aux parties le 16 juin 2020 ;
received on April 14, 2020;
Vu l’information transmise le 25 juin 2020 à l’Inspecteur général quant à la tenue de l’audition en date
In view of the request made by the defendants in the terms of their pleadings to be heard by
du 13 juillet 2020 en application de l’article 48.2. du règlement d’ordre intérieur de l’APD ;
the Litigation Chamber in application of article 51 of the internal regulations of the APD;
Vu l’audition lors de la séance de la Chambre Contentieuse du 13 juillet 2020 en présence de la
Decision on the merits 81 / 2020- 3/45
plaignante, [...], de la première défenderesse représentée par l’un de ses conseils, Maître Van
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on June 16, 2020;
Helleputte ainsi que de la seconde défenderesse représentée par son conseil Maître S. Parsa ;
Considering the information sent on June 25, 2020 to the Inspector General regarding the holding of the hearing to date
Vu le procès-verbal d’audition et les observations formulées sur celui - ci par les conseils respectifs
of July 13, 2020 in application of article 48.2. the internal rules of the ODA;
des défenderesses lesquelles ont été jointes à ce procès-verbal ;
Having regard to the hearing during the session of the Litigation Chamber of July 13, 2020 in the presence of the
Vu le formulaire de réaction à l’encontre d’une amende administrative envisagée adressé le 18
plaintiff, [...], of the first defendant represented by one of its counsel, Maître Van
novembre 2020 à la première défenderesse. Aux termes de ce formulaire, la Chambre Contentieuse
Helleputte as well as the second defendant represented by its counsel Maître S. Parsa;
lui communique qu’elle envisage une amende à son encontre ainsi que les motifs pour lesquels les
Having regard to the minutes of the hearing and the observations made thereon by the respective counsel
manquements constatés au RGPD justifient le montant d’amende;
the defendants who were attached to these minutes;
Vu la réaction du 9 décembre de la première défenderesse à ce formulaire ;
Having regard to the reaction form against a proposed administrative fine sent on the 18th
Vu le formulaire de réaction à l’encontre d’une amende administrative envisagée adressé le 18
November 2020 to the first defendant. Under this form, the Litigation Chamber
novembre 2020 à la seconde défenderesse. Aux termes de ce formulaire, la Chambre Contentieuse lui
informs him that he is considering a fine against him as well as the reasons for which the
communique qu’elle envisage une amende à son encontre ainsi que les motifs pour lesquels les
breaches of the GDPR justify the amount of the fine;
manquements constatés au RGPD justifient ce montant d’amende;
Having regard to the reaction of the first defendant on December 9 to this form;
Vu la réaction du 10 décembre 2020 de la seconde défenderesse à ce formulaire.
Having regard to the reaction form against a proposed administrative fine sent on the 18th
2. Les faits
November 2020 to the second defendant. Under this form, the Litigation Chamber
1. La première défenderesse est une société spécialisée en matière de « stationnement de rue ».
communicates that it is considering a fine against it as well as the reasons for
Elle réalise le contrôle du stationnement dans les communes dont elle est concessionnaire des missions
breaches of the GDPR justify this fine amount;
d’intérêt public. La première défenderesse emploie [...] personnes. Elle fait par ailleurs partie du
Considering the reaction of December 10, 2020 of the second defendant to this form.
Groupe [...].
 
2. La première défenderesse gère, en vertu du règlement communal de la Ville de [...], le
2. The facts
stationnement de certaines rues de cette commune.
 
3. La seconde défenderesse est une Etude d’huissiers de justice située à [] qui s’occupe, dans
1. The first defendant is a company specializing in “street parking”.
le cadre de ses prérogatives légales définies à l’article 519 du Code judiciaire, notamment du
It carries out parking control in the municipalities for which it is the concessionaire of the missions
recouvrement amiable et du recouvrement judiciaire de dettes de ses clients. La première
of public interest. The first defendant employs [...] people. It is also part of the
Décision quant au fond 81/2020- 4/45
Group [...].
défenderesse est l’une de ses clientes. L’étude s’occupe pour son compte de la gestion du
 
recouvrement amiable, puis, si nécessaire judiciaire, des dettes impayées telles que des redevances
2. The first defendant manages, under the municipal regulations of the City of [...], the parking of certain streets of this municipality.
de stationnement.
 
4. Le 2 janvier 2019, la plaignante a stationné son véhicule dans une des rues de [...] dont la
3. The second defendant is an office of bailiffs located in [...] which deals, in
première défenderesse est chargée de la gestion des stationnements. La première défenderesse
within the framework of its legal prerogatives defined in Article 519 of the Judicial Code, in particular of amicable recovery and judicial recovery of debts from its clients. The first one defendant is one of his clients. The firm is responsible for the management of amicable collection, then, if necessary judicial, of unpaid debts such as royalties parking.
expose que la plaignante était garée dans une zone bleue dans laquelle le stationnement est limité à
 
trente (30) minutes. En l’absence de disque bleu apposé par la plaignante sur son pare-brise et à
4. On January 2, 2019, the complainant parked her vehicle in one of the streets of [...] whose first defendant is responsible for the management of parking lots. The first defendant states that the complainant was parked in a blue zone in which parking is limited to thirty (30) minutes. In the absence of a blue disc affixed by the complainant to her windshield and
défaut d’autorisation de stationnement dont elle aurait été titulaire, la première défenderesse indique
lack of a parking permit which it would have held, the first defendant indicates
avoir, en application de l’article [...] du règlement communal [...] applicable, placé une invitation à
have, in accordance with article [...] of the applicable municipal [...] regulations, placed an invitation to
payer de [...] euros sur le pare-brise du véhicule de la plaignante. Ce montant correspond au montant
pay [...] euros on the windshield of the complainant's vehicle. This amount corresponds to the amount
de la redevance « Tarif 1 » du règlement communal. La plaignante conteste pour sa part avoir trouvé
the “Tariff 1” charge of the municipal regulations. The complainant, for her part, denies having found
une quelconque invitation à payer sur son pare-brise.
any invitation to pay on his windshield.
5. La première défenderesse indique avoir envoyé un rappel de paiement à la plaignante le 24
 
janvier 2019, rappel qui majore la dette initiale de cinq (5) euros conformément à l’article [...] du
5. The first defendant indicates that it sent a payment reminder to the plaintiff on the 24th.
règlement communal déjà cité. La plaignante conteste également avoir jamais reçu un tel rappel.
January 2019, reminder which increases the initial debt by five (5) euros in accordance with article [...] of
6. A défaut de paiement reçu dans les 15 jours de l’envoi dudit rappel du 24 janvier 2019, et
municipal regulation already cited. The complainant also denies ever having received such a reminder.
conformément à l’article [...] du règlement communal applicable, la première défenderesse a transmis
 
le dossier à son huissier de justice, soit à la seconde défenderesse, afin que cette dernière se charge
6. In the absence of payment received within 15 days of sending the said reminder of January 24, 2019, and
de récupérer le montant dû par la plaignante.
in accordance with article [...] of the applicable municipal regulations, the first defendant transmitted
7. Le 25 février 2019, la plaignante a reçu une mise en demeure de la part de la seconde
the file to his bailiff, or to the second defendant, so that the latter takes charge
défenderesse afin de récupérer le montant dû en application de l‘article [...] du règlement communal
to recover the amount owed by the complainant.
déjà cité. A la dette initiale, comme annoncé dans le courrier de rappel du 24 janvier 2019 (point 5 cidessus) s’ajoutent des frais conformément à l’arrêté royal du 30 novembre 1976 fixant le tarif des
 
actes accomplis par les huissiers de justice en matière civile et commerciale auquel renvoie l’article
7. On February 25, 2019, the complainant received a formal notice from the second
[...] du règlement communal. La plaignante indique avoir reçu cette mise en demeure le 1er mars
defendant in order to recover the amount due in application of article [...] of the municipal regulation
already cited. To the initial debt, as announced in the reminder letter of January 24, 2019 (point 5 above), there are additional costs in accordance with the Royal Decree of November 30, 1976 fixing the tariff for
acts performed by bailiffs in civil and commercial matters referred to in article
[...] of the municipal regulations. The complainant indicates that she received this formal notice on March 1
2019.
2019.
8. Le 3 mars 2019, la plaignante écrit à la seconde défenderesse pour recevoir des explications,
 
indiquant qu’elle n’a jamais reçu d’invitation à payer ni de rappel. Elle s’oppose par ailleurs au paiement
8. On March 3, 2019, the complainant wrote to the second respondent to receive explanations,
de la redevance. Par le même courrier, la plaignante interroge la seconde défenderesse quant aux
indicating that she never received a payment invitation or reminder. She also opposes payment
bases légales qui lui permettant d’accéder à la Direction de l’Immatriculation des Véhicules (DIV) du
of the royalty. By the same letter, the complainant questioned the second respondent as to the
SPF Mobilité et au Registre national. Toujours aux termes de ce courrier, la plaignante exerce
legal bases which allow it to access the Vehicle Registration Department (DIV) of
également son droit d’accès à ses données à caractère personnel que lui reconnait le RGPD (article 15
SPF Mobilité and the National Register. Also under the terms of this letter, the complainant exercises
du RGPD).  
also his right of access to his personal data as recognized by the GDPR (article 15
Décision quant au fond 81/2020- 5/45
of the GDPR).
9. A cette même date, la plaignante adresse les mêmes demandes à la première défenderesse.
 
10. Le 4 mars 2019, la première défenderesse renvoie la plaignante à la seconde défenderesse
 
en ces termes : « Arrangez-vous avec l’huissier ».
9. On the same date, the complainant addressed the same requests to the first respondent.
11. Le 29 mars, à défaut de réponse reçue de la part de la seconde défenderesse, la plaignante
 
lui réécrit signalant que le délai légal d’un (1) mois pour répondre à sa demande d’accès est sur le
10. On March 4, 2019, the first defendant referred the complainant to the second defendant
point d’expirer.
in these words: "Arrange with the bailiff".
12. Le 2 avril 2019, la seconde défenderesse écrit à la plaignante en réponse à son courrier du 3
 
mars (point 8 ci-dessus) et lui fournit un certain nombre d’informations d’une part sur les données
11. On March 29, in the absence of a response received from the second defendant, the complainant
qu’elle traite en réponse à sa demande d’accès et d’information relative aux bases légales mobilisées
wrote back to him noting that the legal deadline of one (1) month to respond to his request for access is on the
ainsi que d’autre part, quelques informations sur les traitements opérés par sa cliente (la première
point to expire.
défenderesse). S’en suit un échange de correspondance entre la plaignante et l’étude des huissiers de
 
justice (seconde défenderesse) aux termes duquel des photos – peu lisibles selon la plaignante – lui
12. On April 2, 2019, the second defendant wrote to the complainant in response to her letter of 3
sont communiquées.
March (point 8 above) and provides it with a certain amount of information on the one hand on the data
13. Le 8 avril 2019, la plaignante demande à la seconde défenderesse de lui communiquer la
which it processes in response to its request for access and information relating to the legal bases mobilized
preuve de l’envoi de la lettre de rappel du 24 janvier 2019 (point 5 ci-dessus).
as well as on the other hand, some information on the treatments operated by his client (the first
14. S’en suit également une demande du 29 avril 2019 de la plaignante à la première défenderesse
defendant). There followed an exchange of correspondence between the complainant and the study of the bailiffs of
de se voir communiquer la preuve de l’envoi de cette lettre de rappel du 24 janvier 2019. En réponse,
justice (second defendant) under the terms of which photos - difficult to read according to the complainant - him
la première défenderesse communique une copie de la lettre de rappel et renvoie la plaignante aux
are communicated.
huissiers de justice pour le surplus.
 
15. Le 15 mai 2019, la plaignante dépose une plainte à l’APD à l’encontre tant de la première
13. On April 8, 2019, the complainant asked the second respondent to communicate the
défenderesse que de la seconde défenderesse. La plaignante apportera un addendum à sa plainte en
proof of sending the reminder letter of January 24, 2019 (point 5 above).
date du 6 juin 2019.
 
16. La plaignante a par ailleurs adressé une demande d’accès à la DIV. De la réponse reçue par
14. This also follows a request of April 29, 2019 from the complainant to the first respondent
la plaignante le 17 mai 2019, il ressort que la première défenderesse a consulté les données de la
to receive proof of the sending of this reminder letter of January 24, 2019. In response,
plaignante le 3 janvier 2019 à 22h03, soit le lendemain de la constatation (du 2 janvier 2019 – voir
the first respondent provides a copy of the reminder letter and refers the complainant to
point 4 ci-dessus) du manquement aux règles de stationnement reproché.
bailiffs for the rest.
17. En juin 2019, la plaignante écrit à nouveau tant à la première qu’à la seconde défenderesse
 
pour obtenir des précisions sur l’infraction qui lui est reprochée.  
15. On May 15, 2019, the complainant filed a complaint with the DPA against both the first
Décision quant au fond 81/2020- 6/45
defendant that of the second ddefendant. The complainant will bring an addendum to her complaint in
18. Le 11 juillet 2019, la seconde défenderesse répond à la demande de précision de la plaignante
date of June 6, 2019.
en indiquant que ce qui lui est reproché est de ne pas avoir apposé un ticket de stationnement valable
 
sur son pare-brise. La première défenderesse reproche quant à elle à la plaignante d’avoir omis
16. The complainant also made a request for access to the DIV. From the response received by
d’apposer son disque de stationnement requis en zone bleue.
the complainant on May 17, 2019, it appears that the first respondent consulted the data of the
3. L’objet de la plainte déposée par la plaignante
complainant on January 3, 2019 at 10:03 p.m., i.e. the day after the finding (from January 2, 2019 - see
19. Aux termes de sa plainte, la plaignante demande que sa plainte à l’encontre de la première et
point 4 above) of the infringement of the parking rules complained of.
de la seconde défenderesses soit déclarée recevable et fondée et qu’en conséquence, les
 
défenderesses soient condamnées à la mise en conformité au RGPD et aux lois belges, dans le délai
17. In June 2019, the complainant wrote again to both the first and the second respondent
que la Chambre Contentieuse estimera raisonnable et ce, sous peine d’astreinte.
for details of the alleged offense.
20. A cet égard, la plaignante estime que les défenderesses se sont rendues coupables :
 
Quant à la première défenderesse:
 
- d’un manquement à son droit à l’information (articles 12 et 14 du RGPD)
18. On July 11, 2019, the second respondent responded to the complainant's request for clarification
- d’un manquement à son droit d’accès (article 15 du RGPD)
by indicating that he is accused of not having affixed a valid parking ticket
- d’un manquement à l’article 28 du RGPD eu égard à la qualité de sous-traitant de la seconde
on his windshield. The first defendant criticizes the complainant for having failed
défenderesse
to affix the required parking disc in the blue zone.
- d’un manquement à l’article 5 du RGPD (respect du principe de nécessité eu égard à la
 
consultation de la DIV)
3. The subject of the complaint lodged by the complainant
- d’un manquement aux principes de proportionnalité et réutilisation illégale des données
 
(articles 5 et 6 du RGPD) eu égard à la communication de ses données à la seconde
19. Pursuant to her complaint, the complainant requests that her complaint against the first and
défenderesse
of the second defendants be declared admissible and well founded and that consequently, the
- d’un manquement au principe de minimisation (article 5 du RGPD) eu égard à la prise de
defendants are ordered to comply with the GDPR and Belgian laws, within the
photographie de son véhicule lors de la constatation de l’infraction aux règles de
that the Contentious Chamber will consider reasonable, under penalty of penalty.
stationnement
 
Quant à la seconde défenderesse
20. In this regard, the complainant considers that the defendants are guilty:
- d’un manquement à son droit à l’information (articles 12 et 14 du RGPD)
As to the first defendant:
- d’un manquement à son droit d’accès (article 15 du RGPD)
- a breach of his right to information (Articles 12 and 14 of the GDPR)
- d’un manquement à l’article 28 du RGPD eu égard à sa qualité de sous-traitant
- a breach of his right of access (article 15 of the GDPR)
- d’un manquement aux principes de proportionnalité et réutilisation illégale des données
- a breach of Article 28 of the GDPR with regard to the quality of subcontractor of the second
(articles 5 et 6 du RGPD) qui lui sont communiquées par la première défenderesse alors même
defendant
qu’elle n’y serait pas valablement fondée
- a breach of Article 5 of the GDPR (respect for the principle of necessity with regard to the
- d’un manquement aux principes de minimisation des données et le recours au consentement
consultation of the DIV)
forcé (articles 5 et 6 du RGPD) eu égard au formulaire joint à la mise en demeure de paiement.  
- a breach of the principles of proportionality and illegal reuse of data
Décision quant au fond 81/2020- 7/45
(Articles 5 and 6 of the GDPR) with regard to the communication of his data at the second
21. La plaignante demande également que les défenderesses soient condamnées à une sanction
defendant
proportionnée à la gravité des faits, compte tenu de l’objet et de l’ampleur de leur activité
- a breach of the principle of minimization (article 5 of the GDPR) with regard to the taking of
professionnelle qui touche un grand nombre de citoyens.
photograph of his vehicle when the violation of the rules of
22. Enfin, la plaignante sollicite la condamnation des défenderesses à la publicité non anonymisée
parking
de la décision de la Chambre Contentieuse de manière à informer le public des pratiques illégales en
As for the second defendant
matière de gestion des redevances de parking à l’encontre desquelles ils peuvent revendiquer le
- a breach of his right to information (Articles 12 and 14 of the GDPR)
respect de leurs droits en matière de protection des données.
- a breach of his right of access (article 15 of the GDPR)
4. Le rapport d’inspection du 6 janvier 2020
- a breach of Article 28 of the GDPR with regard to its status as a processor
23. Aux termes de son rapport, l’Inspecteur général fait les constats suivants :
- a breach of the principles of proportionality and illegal reuse of data
24. Constat 1 : Il ne ressort pas des éléments du dossier et des réponses apportées par la
(Articles 5 and 6 of the RGPD) which are communicated to him by the first defendant then even
première défenderesse que la licéité des traitements opérés par la première et la seconde
that it would not be validly founded
défenderesses afin de procéder au recouvrement de la créance réglementaire de stationnement
- a breach of the principles of data minimization and the use of consent
communal puisse être mise en doute.
forced (Articles 5 and 6 of the GDPR) with regard to the form attached to the payment notice.
25. Constat 2 : L’information fournie aux personnes concernées sur le site de la
Decision on the merits 81 / 2020- 7/45
première défenderesse est lacunaire.
 
La déclaration de vie privée figurant sur le site de la première défenderesse [...] ne concerne en effet
21. The complainant also requests that the defendants be sentenced to a sanction
pas les données à caractère personnel qu’elle traite à l’occasion du contrôle, de l’envoi du rappel et
proportionate to the seriousness of the facts, taking into account the object and scope of their activity
de la transmission du dossier à l’huissier de justice (seconde défenderesse). Les coordonnées de
professional activity that affects a large number of citizens.
l’agent de protection de la vie privée de la première défenderesse en charge de traiter les demandes
 
de droit d’accès des personnes concernées ne sont pas mentionnées dans cette déclaration. La
22. Finally, the complainant seeks the condemnation of the defendants to non-anonymized advertising
première défenderesse ne remplit dès lors pas son obligation de fournir une information
of the decision of the Litigation Chamber in order to inform the public of illegal practices in
aisément accessible, notamment par voie électronique aux personnes concernées, prescrite à
management of parking fees against which they can claim the
l’article 12.1. du RGPD.
respect for their data protection rights.
26. Constat 3 : Le droit d’accès de la plaignante aux données la concernant traitées par la
4. The inspection report of January 6, 2020
première défenderesse n’a pas été respecté, en contravention avec l’article 15 du RGPD.
 
Pour seule réponse à sa demande d’accès, la plaignante a en effet été renvoyée à deux reprises vers
23. According to his report, the Inspector General made the following observations:
l’huissier de justice [lisez la seconde défenderesse] et une copie du rappel de paiement qu’elle
 
contestait avoir reçu lui a été fournie. A cet égard, il apparait qu’il n‘y a pas de procédure en place
24. Finding 1: It does not emerge from the information in the file and the responses provided by the
afin que le service clientèle de la première défenderesse en charge des plaintes fasse parvenir les
first defendant that the lawfulness of the processing operations carried out by the first and second
demandes relatives à l’exercice des droits de la personne concernée à l’agent de protection de la vie
defendants in order to recover the regulatory parking debt
privée de la première défenderesse.  
communal can be questioned.
Décision quant au fond 81/2020- 8/45
 
27. Constat 4 : L’accès à la DIV par la première défenderesse a été opéré dès le lendemain
25. Finding 2: The information provided to the persons concerned on the site of the
du contrôle du véhicule de la plaignante. Des données à caractère personnel la concernant
first defendant is incomplete.
(nom, prénom et adresse) ont été traitées sans nécessité dans la période pendant laquelle la
The privacy statement appearing on the site of the first defendant [...] does indeed concern
personne concernée a la possibilité d’acquitter la redevance avant l’envoi d’un rappel envoyé à son
not the personal data that it processes during the monitoring, sending of the reminder and
nom et à son adresse, ce qui n’est pas conforme avec le principe de minimisation des données prévu
transmission of the file to the bailiff (second defendant). The contact details of
à l’article 5.c [lisez article 5.1 c)] du RGPD. Suivant l’article [...] du règlement redevance de la Ville de
the privacy officer of the first defendant in charge of processing requests
[...] du [……….. ], ce délai est de 10 jours. La première défenderesse fait valoir que dans ce cas-ci
rights of access for data subjects are not mentioned in this declaration. The
une erreur technique a été rencontrée dans l’accès automatisé à la DIV. Elle joint un échange de mails
the first defendant therefore does not fulfill its obligation to provide information
des 14 et 22 novembre 2019 avec son fournisseur duquel il ressort que les données de la DIV sont
easily accessible, in particular by electronic means to the persons concerned, prescribed
alors reçues après 48 heures pour l’ensemble de ses sites.
section 12.1. of the GDPR.
28. La Chambre Contentieuse relève que dans le cadre de son enquête, les courriers de réponse
 
aux questions posées à la seconde défenderesse par l’Inspecteur général sont signés du groupe [...].
26. Finding 3: The complainant's right of access to data concerning her processed by the
5. L’audition du 13 juillet 2020
first defendant was not complied with, in contravention of Article 15 of the GDPR.
29. De l’audition du 13 juillet 2020 - dont un procès-verbal a été établi – sont, outre les arguments
Pour only response to her request for access, the complainant was in fact twice referred to
développés en terme de conclusions, ressortis les éléments suivants :
the bailiff [read the second defendant] and a copy of the payment reminder she
- la qualité de responsable de traitement de chacune des défenderesses ;
disputed having received was provided to him. In this regard, it appears that there is no procedure in place
- les modifications décidées par la première défenderesse à la procédure mise en place avec la
so that the customer service of the first defendant in charge of complaints can send the
seconde défenderesse pour l’exercice des droits en matière de protection des données des
requests relating to the exercise of the rights of the data subject to the life protection officer
personnes concernées et plus particulièrement, la décision de conserver en interne la gestion
deprived of the first defendant.
des demandes d’exercice de leurs droits par les personnes concernées ;
Decision on the merits 81 / 2020- 8/45
- le travail de mise en conformité avec le RGPD effectué par les huissiers de justice dès le 25
 
mai 2018, notamment l’adoption d’une privacy policy détaillée disponible sur son site Internet ;
27. Finding 4: Access to the DIV by the first defendant was made the next day
- la désignation d’un délégué à la protection des données (DPO) tant par la première que la
control of the complainant's vehicle. Personal data concerning him
seconde défenderesses ;
(surname, first name and address) were processed unnecessarily in the period during which the
- la demande de publication de la décision de la Chambre Contentieuse sous une forme
data subject has the option of paying the fee before sending a reminder to their
anonymisée formulée tant par la première que la seconde défenderesses motivée notamment
name and address, which does not comply with the principle of data minimization provided
par l’image de la fonction d’huissier de justice (seconde défenderesse) ainsi que la crainte de
in article 5.c [read article 5.1 c)] of the GDPR. According to article [...] of the royalty by-law of the City of
voir, compte tenu du nombre de personnes dont des données personnelles sont traitées par
[...] from [……… ..], this period is 10 days. The first defendant argues that in this case
l’une et l’autre défenderesses, se multiplier le nombre de plaintes à leur égard.
a technical error was encountered in the automated access to the DIV. She joins an exchange of mails
- la confirmation de ce que la première défenderesse fait partie du groupe [...].
of 14 and 22 November 2019 with its supplier from whom it appears that the data of the DIV are
EN DROIT
then received after 48 hours for all of its sites.
6. Structure de la décision
 
Décision quant au fond 81/2020- 9/45
28. The Litigation Chamber notes that in the context of its investigation, the response letters
30. Au titre de remarques liminaires, la Chambre Contentieuse formulera un certain nombre de
to the questions put to the second defendant by the Inspector General are signed by the group [...].
précisions quant à sa compétence (7.1.), quant à l’erreur de référence de la base de licéité du
5. The hearing of July 13, 2020
traitement spontanément relevée par la première défenderesse (7.2.) ainsi que quant à la qualité de
29. From the hearing of July 13, 2020 - of which a record has been drawn up - are, in addition to the arguments
la première et de la seconde défenderesses au regard des traitements de données concernés (7.3.).
developed in terms of conclusions, the following elements emerged:
Ces clarifications sont un préalable nécessaire à la cohérence et à la bonne compréhension de la suite
- the status of data controller for each of the defendants;
de la présente décision.
- the modifications decided by the first defendant to the procedure put in place with the
31. Ensuite, au titre 8, la Chambre Contentieuse examinera successivement les manquements
second defendant for the exercise of data protection rights of
pouvant être retenus à charge de la première défenderesse d’une part (titre 8.1.) et à charge de la
people concerned and more particularly, the decision to keep internal management
seconde défenderesse d’autre part (titre 8.2).
requests for the exercise of their rights by data subjects;
32. Enfin, au titre 9, la Chambre Contentieuse motivera les mesures correctrices et sanctions
- the work of compliance with the GDPR carried out by the judicial officers from the 25th
qu’elle décide d’imposer à la première défenderesse d’une part (titre 9.1.) et à la seconde défenderesse
May 2018, in particular the adoption of a detailed privacy policy available on its website;
d’autre part (titre 9.2.).
- the appointment of a data protection officer (DPO) by both the first and the
7. Remarques liminaires
second defendants;
7.1. Quant à l’appréciation souveraine de la Chambre Contentieuse nonobstant les constats du
- the request for publication of the decision of the Contentious Chamber in a form
rapport d’inspection et les termes de la plainte
anonymized formulated by both the first and the second defendants, in particular
33. A plusieurs reprises dans ses conclusions, la seconde défenderesse met en évidence que
by the image of the function of bailiff (second defendant) as well as the fear of
compte tenu de ce que le rapport d’inspection n’a constaté aucun manquement à son égard, aucun
see, given the number of people whose personal data is processed by
manquement ne pourrait être retenu à son encontre par la Chambre Contentieuse.
both defendants and the number of complaints against them.
34. La Chambre contentieuse rappelle à cet égard que le recours à l’Inspection n’est pas
- confirmation that the first defendant is part of the group [...].
systématiquement requis par la LCA. En effet, c’est à la Chambre Contentieuse de déterminer à la
 
suite du dépôt d’une plainte, si une enquête par l’Inspection est nécessaire ou pas (article 63, LCA
PLACE
art. 94, LCA). La Chambre Contentieuse peut également décider de traiter la plainte sans avoir
 
saisi le service d’inspection (art. 94, LCA).
6. Structure of the decision
35. Lorsqu’elle est saisie, les constatations de l’Inspection éclairent assurément la Chambre
Decision on the merits 81 / 2020- 9/45
Contentieuse sur les éléments de fait de la plainte, sur la qualification de ces faits au regard de la
 
réglementation en matière de protection des données et peuvent venir appuyer l’un ou l’autre
30. By way of introductory remarks, the Litigation Chamber will formulate a number of
manquement retenus in fine par la Chambre Contentieuse aux termes de ses décisions. Toutefois, la
details as to its jurisdiction (7.1.), as to the reference error of the basis of legality of the
Chambre Contentieuse demeure libre, à l’appui de l’ensemble des pièces produites durant la procédure
treatment spontaneously noted by the first defendant (7.2.) as well as with regard to the quality of
et des arguments développés dans le cadre du débat contradictoire qui suit sa décision de traiter
the first and second defendants with regard to the data processing concerned (7.3.).
l’affaire quant au fond (article 98 LCA) - le cas échéant après recours à l’Inspection -, de conclure de
These clarifications are a prerequisite for consistency and a good understanding of what follows.
manière motivée à l’existence de manquements que n’aurait pas soulevé le rapport d’inspection.  
of this decision.
Décision quant au fond 81/2020- 10/45
 
36. Quant aux termes de la plainte, ils constituent tant pour l’Inspection que pour la Chambre
31. Then, in Title 8, the Contentious Chamber will successively examine the breaches
Contentieuse un point de départ. La Chambre Contentieuse rappelle qu’à plusieurs reprises déjà, elle
which may be retained at the expense of the first defendant on the one hand (Title 8.1.) and at the expense of the
a tranché que durant la procédure consécutive à la plainte, elle a la possibilité de faire évoluer la
second defendant on the other hand (Title 8.2).
qualification juridique des faits qui lui sont soumis, ou d’examiner de nouveaux faits liés à la plainte,
 
sans nécessairement faire appel à l’intervention de l’Inspection, notamment en posant des questions
32. Finally, in Title 9, the Contentious Chamber will motivate the corrective measures and sanctions
aux parties ou en tenant compte de faits nouveaux ou de qualifications invoqué(e)s par voie de
that it decides to impose on the first defendant on the one hand (Title 9.1.) and on the second defendant
conclusion, et ce, dans les limites du débat contradictoire, à savoir, pour autant que les parties aient
on the other hand (section 9.2.).
eu l’occasion de débattre de ces faits ou qualifications juridiques de manière conforme aux droits de
7. Introductory remarks
la défense1
7.1. As for the sovereign appreciation of the Litigation Chamber notwithstanding the findings of the
inspection report and the terms of the complaint
 
33. On several occasions in its submissions, the second defendant points out that
given that the inspection report did not find any breach in its regard, no
breach could not be held against him by the Litigation Chamber.
 
34. The Contentious Chamber recalls in this regard that recourse to the Inspection is not
systematically required by the LCA. Indeed, it is for the Litigation Chamber to determine at the
following the filing of a complaint, whether an investigation by the Inspectorate is necessary or not (article 63, 2 ° LCA
- art. 94, 1 ° LCA). The Litigation Chamber may also decide to deal with the complaint without having
referred to the inspection service (art. 94, 3 ° LCA).
 
35. When seized, the findings of the Inspection certainly enlighten the Chamber
Litigation on the facts of the complaint, on the qualification of these facts with regard to the
data protection regulations and can support one or the other
breach ultimately retained by the Litigation Chamber under the terms of its decisions. However, the
Litigation Chamber remains free, in support of all the documents produced during the procedure
and the arguments developed in the context of the adversarial debate that follows his decision to deal with
the case on the merits (Article 98 LCA) - if necessary after recourse to the Inspectorate -, to conclude
reasoned for the existence of shortcomings that the inspection report did not indicate.
Decision on the merits 81 / 2020- 10/45
 
36. As for the terms of the complaint, they constitute both for the Inspectorate and for the Chamber
Litigation a starting point. The Litigation Chamber recalls that on several occasions it
ruled that during the procedure following the complaint, it has the possibility of changing the
legal qualification of the facts submitted to it, or to examine new facts related to the complaint,
without necessarily calling on the intervention of the Inspection, in particular by asking questions
to the parties or taking into account new facts or qualifications invoked by way of
conclusion, and this, within the limits of the adversarial debate, namely, provided that the parties have
had the opportunity to discuss these facts or legal qualifications in a manner consistent with the rights of
defense1
.
.
7.2. Quant à la base de licéité
7.2. As to the basis of legality
37. Aux termes de ses conclusions, la première défenderesse précise qu’elle se doit de corriger
 
une erreur. Elle précise que le règlement communal du [...] sur lequel a été fondé la licéité du
37. According to its conclusions, the first defendant specifies that it must correct
traitement et dont la légitimité est reconnue à travers le rapport d’enquête s’applique dans le cas de
a mistake. It specifies that the municipal regulations of [...] on which the lawfulness of the
redevances de stationnement en cas de non-paiement via un horodateur.
treatment and whose legitimacy is recognized through the investigation report applies in the case of
38. En l’espèce, la première défenderesse relève que la redevance due par la plaignante est due
parking fees in the event of non-payment via a parking meter.
en raison de l’absence de disque bleu apposé. C’est dès lors le règlement communal du [...] relatif au
 
stationnement en zone bleue qui doit s’appliquer.
38. In the present case, the first defendant observes that the fee due by the complainant is due
39. La première défenderesse indique que cependant, puisque les deux règlements communaux
due to the lack of an affixed blue disc. It is therefore the municipal regulation of [...] relating to
sont rédigés de manière identique – à tout le moins en ce qui concerne les articles pertinents dans le
parking in the blue zone which must apply.
cadre du présent litige – il convient simplement d’adapter les références faites.
 
40. Dans ses conclusions, la plaignante soulève le fait que le règlement communal du [...] invoqué
39. The first defendant states that, however, since the two municipal regulations
cette fois par la seconde défenderesse au bas de la mise en demeure qu’elle lui a envoyée le 25 février
are drafted identically - at least as regards the relevant articles in the
2019 (point 7 ci-dessus) est arrivé à échéance le [...], soit avant l’envoi de ladite mise en demeure et
context of this dispute - it is simply necessary to adapt the references made.
avant la date de l’infraction qui lui est reprochée (2 janvier 2019). Elle conclut dès à l’absence de licéité
 
du traitement. Dans ses conclusions et dans son dossier de pièces, la seconde défenderesse s’appuie,
40. In her conclusions, the complainant raises the fact that the municipal regulation of the [...] invoked
contrairement à la référence figurant au bas de ladite mise en demeure, sur le règlement communal
this time by the second defendant at the bottom of the formal notice she sent him on February 25
du [...] relatif au stationnement en zone bleue.
2019 (point 7 above) expired on [...], i.e. before the said formal notice was sent and
before the date of the alleged offense (January 2, 2019). It immediately concludes that there is no legality
processing. In its pleadings and in its file of exhibits, the second defendant relies,
contrary to the reference appearing at the bottom of said formal notice, on the municipal regulations
the [...] relating to parking in the blue zone.


1 Voy Chambre Contentieuse, Décisions 17/2020 (points 26 à 33)
1 Voy Litigation Chamber, Decisions 17/2020 (points 26 to 33)
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf; 41/2020 (point
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf; 41/2020 (point
12 et points 14-15) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-
12 and points 14-15) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-
2020.pdf et 63/2020 (points 16 à 22): https://www.autoriteprotectiondonnees.be/publications/decision-quantau-fond-n-63-2020.pdf disponibles sur le site Internet de l’APD.
2020.pdf and 63/2020 (points 16 to 22): https://www.autoriteprotectiondonnees.be/publications/decision-quantau-fond-n-63-2020.pdf available on the APD website.
Décision quant au fond 81/2020- 11/45
Decision on the merits 81 / 2020- 11/45
41. La Chambre Contentieuse conclut de ce qui précède que les défenderesses s’accordent pour
 
considérer que la base de licéité de leurs traitements trouve, en partie à tout le moins, sa source dans
41. The Contentious Chamber concludes from the foregoing that the defendants agree to
le règlement communal du [...] relatif au stationnement en zone bleue.
consider that the basis of lawfulness of their processing finds, at least in part, its source in
42. La Chambre Contentieuse ne peut toutefois que constater une grande confusion autour de
the municipal [...] regulations relating to parking in the blue zone.
l’identification de cette base de licéité. Cet élément fait pourtant désormais partie des éléments
 
d’information listés aux articles 13.1 c) et 14.1 c) du RGPD dont il convient d’informer les personnes
42. The Contentious Chamber can, however, only note a great confusion around
concernées (voy. infra). De même, sans être obligatoire, cette information peut également figurer
identifying this basis of lawfulness. However, this element is now part of the elements
dans le Registre des activités de traitement lequel doit être régulièrement mis à jour (art. 30 du RGPD).
of information listed in Articles 13.1 c) and 14.1 c) of the GDPR which should be informed
Des erreurs comme celle intervenue dans le chef des défenderesses pourraient peut-être être ainsi
concerned (see below). Likewise, without being compulsory, this information may also appear
évitées2
in the Register of processing activities which must be regularly updated (Art. 30 GDPR).
Errors such as the one made by the defendants could perhaps be thus
avoided2
.
.
43. En l’espèce, la Chambre Contentieuse est d’avis que l’erreur dans l’identification et la
43. In the present case, the Contentious Chamber is of the opinion that the error in the identification and
communication de la base de licéité n’est pas synonyme d’absence de base de licéité au sens de
communication of the basis of legality is not synonymous with the absence of a basis of legality within the meaning of
l’article 6 du RGPD. Quant à l’obligation d’information - de la base de licéité notamment (articles 13.1
Article 6 of the GDPR. As for the information obligation - in particular the basis of lawfulness (Articles 13.1
c) et 14.1 c) du RGPD) - et, plus généralement, quant à la mise en œuvre effective de l’article 24 du
c) and 14.1 c) of the GDPR) - and, more generally, as regards the effective implementation of Article 24 of
RGPD à cet égard, la Chambre Contentieuse renvoie aux points 8.1.1 et 8.1.4. ci-après.
GDPR in this regard, the Litigation Chamber refers to points 8.1.1 and 8.1.4. below.
7.3. Quant à la qualification des première et seconde défenderesses
7.3. As to the qualification of the first and second defendants
44. La plaignante relève que la première défenderesse déclare avoir mis en place une procédure
de gestion des plaintes avec la seconde défenderesse. Aux termes de celle-ci, la seconde défenderesse
gère l’ensemble des réclamations ou plaintes dès l’instant où le dossier relatif à celles-ci lui a été
transmis et se charge du recouvrement du montant dû. La plaignante estime que « si l’on doit
comprendre que la seconde défenderesse intervient comme sous-traitant de la première
défenderesse », les prescrits de l’article 28 du RGPD doivent s’appliquer et partant, les défenderesses
doivent être en mesure de démontrer leur application effective.
45. La Chambre Contentieuse a, aux termes de l’audition du 13 juillet 2020 (titre 5 ci-dessus), pris
note de ce que tant la première défenderesse que la seconde défenderesse se qualifient de
responsable de traitement chacune pour les traitements qu’elles opèrent et dont elles déterminent
respectivement les finalités et les moyens.


2 Voy. Commission de la protection de la vie privée, Recommandation 06/2017 du 14 juin 2017 relative au Registre
44. The complainant notes that the first respondent states that it has put in place a procedure
des activités de traitement (article 30). Voy. le point 42 de la recommandation
management of complaints with the second defendant. According to the latter, the second defendant
manages all claims or complaints from the moment the file relating to them has been received
transmitted and is responsible for collecting the amount due. The complainant considers that "if we have to
understand that the second defendant acts as a subcontractor of the first
defendant ", the requirements of Article 28 of the GDPR must apply and therefore the defendants
must be able to demonstrate their effective application.
 
45. The Contentious Chamber has, at the end of the hearing of July 13, 2020 (title 5 above),
note that both the first respondent and the second respondent qualify as
data controller each for the processing operations they perform and for which they determine
respectively the purposes and the means.
 
2 See. Commission for the Protection of Privacy, Recommendation 06/2017 of 14 June 2017 relating to the Register
processing activities (Article 30). See. point 42 of the recommendation
https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf
https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf
Décision quant au fond 81/2020- 12/45
Decision on the merits 81 / 2020- 12/45
46. Indépendamment de la qualification que se donnent les parties, laquelle ne la lie pas3
 
, La
46. ​​Regardless of the qualification given to themselves by the parties, which is not binding3
Chambre Contentieuse est d’avis, sur la base de la description donnée par les défenderesses de la
, The
collaboration mise en place entre-elles, que chacune d’elle est responsable de traitement. Leurs
Litigation Chamber is of opinion, on the basis of the description given by the defendants of the
interventions dans le cadre du recouvrement amiable de dettes se succèdent en cette qualité. La
collaboration between them, that each of them is responsible for processing. Their
Chambre Contentieuse note relève à cet égard que celle collaboration s’appuie, aux dires mêmes des
interventions in the context of amicable debt collection follow one another in this capacity. The
défenderesses, sur la seule base du règlement communal, à l’exception de tout autre document
Litigation Chamber notes in this regard that this collaboration is based, according to the
étayant leur collaboration.
defendants, on the sole basis of the municipal regulations, with the exception of any other document
47. La Chambre Contentieuse rejette également toute qualification de co-responsables de
supporting their collaboration.
traitement au sens de l’article 26 du RGPD entre les défenderesses. En effet, la coresponsabilité
 
nécessite une détermination conjointe tant des finalités que des moyens du traitement identifié, ce
47. The Contentious Chamber also rejects any qualification of co-responsible for
qui n’est pas le cas en l’espèce.4 Chacune des défenderesses opère successivement des traitements
processing within the meaning of Article 26 of the GDPR between the defendants. Indeed, the co-responsibility
requires a joint determination of both the purposes and the means of the identified processing, this
which is not the case in this case.4 Each of the defendants successively carries out


3 Comité Européen de la Protection des Données (CEPD), Guidelines 07/2020 on the concepts of controller and
3 European Data Protection Board (EDPS), Guidelines 07/2020 on the concepts of controller and
processor in the GDPR, version 1.0. du 2 septembre 2020. Ces lignes directrices n’existent actuellement qu’en
processor in the GDPR, version 1.0. of September 2, 2020. These guidelines currently exist only in
anglais. Elles ont été soumises à consultation publique et sont susceptibles d’être modifiées
English. They have been submitted for public consultation and are subject to change
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
4
4
Idem ci-dessus points 50-55 tout particulièrement et les références citées :
Idem above points 50-55 in particular and the references cited:
 
50. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in
50. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in
the determination of the purposes and means of a processing operation. Joint participation can take the form of
the determination of the purposes and means of a processing operation. Joint participation can take the form of
a common decision taken by two or more entities or result from converging decisions by two or more entities,
a common decision taken by two or more entities or result from converging decisions by two or more entities,
where the decisions complement each other and are necessary for the processing to take place in such a manner
where the decisions complement each other and are necessary for the processing to take place in such a manner
that they have a tangible impact on the determination of the purposes and means of the processing. An important
that they have a tangible impact on the determination of the purposes and means of the processing. Important year
criterion is that the processing would not be possible without both parties’ participation in the sense that the
criterion is that the processing would not be possible without both parties ’participation in the sense that the
processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the
processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the
determination of purposes on the one hand and the determination of means on the other hand. ( …)
determination of purposes on the one hand and the determination of means on the other hand. (…)
 
55. It is also important to underline, as clarified by the CJEU, that an entity will be considered as joint controller
55. It is also important to underline, as clarified by the CJEU, that an entity will be considered as joint controller
with the other(s) only in respect of those operations for which it determines, jointly with others, the means and
with the other (s) only in respect of those operations for which it determines, jointly with others, the means and
the purposes of the processing. If one of these entities decides alone the purposes and means of operations that
the purposes of the processing. If one of these entities decides alone the purposes and means of operations that
precede or are subsequent in the chain of processing, this entity must be considered as the sole controller of this
precede or are subsequent in the chain of processing, this entity must be considered as the sole controller of this
preceding or subsequent operation.
preceding or subsequent operation.
Traduction libre par le Secrétariat de l’APD
Free translation by the ODA Secretariat
50. Le critère global déterminant la présence d’une responsabilité conjointe du traitement est la participation
50. The overall criterion determining the presence of joint responsibility for the processing is participation
conjointe de deux entités ou plus dans la détermination des finalités et des moyens d'une opération de traitement.
joint venture of two or more entities in determining the purposes and means of a processing operation.
La participation conjointe peut prendre la forme d'une décision commune prise par deux entités ou plus, ou
Joint participation may take the form of a joint decision taken by two or more entities, or
résulter de décisions convergentes émanant de deux entités ou plus, lorsque ces décisions se complètent
result from convergent decisions from two or more entities, when these decisions complement each other
mutuellement et sont nécessaires à la réalisation de l'opération de traitement de manière telle qu'elles ont un
mutually and are necessary for carrying out the processing operation in such a way that they have a
impact tangible sur la détermination des finalités et des moyens du traitement. Un critère important est que le
impact your ngible on determining the purposes and means of processing. An important criterion is that the
traitement ne serait pas possible sans la participation des deux parties, en ce sens que le traitement par chaque
processing would not be possible without the participation of both parties, in the sense that processing by each
partie est indissociable, c'est-à-dire que ces traitements sont inextricablement liés. La participation conjointe doit
part is inseparable, that is to say that these treatments are inextricably linked. Joint participation must
inclure la détermination des finalités, d'une part, et la détermination des moyens, d'autre part.
include the determination of purposes, on the one hand, and the determination of the means, on the other.
55. Il est également important de souligner, comme l'a clarifié la CJUE, qu'une entité ne sera considérée
 
comme responsable conjoint du traitement, avec une ou plusieurs autres entités, qu'à l'égard des opérations pour
55. It is also important to stress, as clarified by the CJEU, that an entity will not be considered
lesquelles elle détermine, conjointement avec les autres entités, les finalités et les moyens du traitement. Si l'une
as joint controller, with one or more other entities, only with regard to operations for
de ces entités décide seule des finalités et des moyens d'opérations antérieures ou postérieures dans la chaîne
which it determines, together with the other entities, the purposes and means of processing. If one
de traitement, cette entité doit être considérée comme le seul responsable du traitement de cette opération
of these entities alone decides on the purposes and means of previous or subsequent operations in the chain
antérieure ou postérieure.  
processing, this entity must be considered as the sole controller of this operation
Décision quant au fond 81/2020- 13/45
anterior or posterior.
sur des données qui sont certes identiques jusqu’à un certain stade de la procédure (la seconde
 
défenderesse recevant un certain nombre de données de la première défenderesse) sans toutefois
 
déterminer la finalité et les moyens du ou des traitements de manière conjointe. Au contraire, chacune
48. The Contentious Chamber nonetheless shares the impression of confusion and the lack of
des défenderesses détermine, au départ de la mission qui lui est attribuée (au terme de la concession
clarity with regard to the persons concerned relayed by the complainant. This is particularly evident in the
publique qui lui a été reconnue pour la première défenderesse ; au terme de la loi pour la seconde
response provided by the second defendant to a request to exercise his rights in matters of
défenderesse), la finalité et les moyens des traitements qu’il lui incombe d’opérer certes
data protection sent by the complainant to the first respondent (points 10 and
successivement, mais distinctement.
14 above and 75 below).
48. La Chambre Contentieuse n’en partage pas moins l’impression de confusion et le manque de
 
clarté à l’égard des personnes concernées relayés par la plaignante. En témoigne notamment la
49. Nevertheless, the second defendant is neither the subcontractor of the first defendant, nor
réponse fournie par la seconde défenderesse à une demande d’exercice de ses droits en matière de
joint responsible with her. Therefore, their relationship should not be governed by a subcontract and no breach of Article 28 of the GDPR can be blamed. Their relationship does
protection des données adressée par la plaignante auprès de la première défenderesse (points 10 et
should not be framed by an agreement between them as required by Article 26 of the GDPR in
14 ci-dessus et 75 ci-dessous).
joint liability cases.
49. Néanmoins, la seconde défenderesse n’est ni le sous-traitant de la première défenderesse, ni
8. As to breaches
responsable conjoint avec elle. Partant, leur relation ne doit pas être régie par un contrat de soustraitance et aucun manquement à l’article 28 du RGPD ne peut leur être reproché. Leur relation ne
8.1. As regards the breaches on the part of the first defendant
doit pas non plus être encadrée par un accord entre-elles comme le requiert l’article 26 du RGPD en
8.1.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)
cas de responsabilité conjointe.
 
8. Quant aux manquements
50. In its capacity as controller, the first defendant is required to
8.1. Quant aux manquements dans le chef de la première défenderesse
implement Articles 12, 13 and 14 of the GDPR and to be able to demonstrate this effective implementation
8.1.1. Quant au manquement à l’obligation d’information (articles 12 et 14 du RGPD)
(Articles 5.2. and 24 of the GDPR).
50. En sa qualité de responsable de traitement, la première défenderesse est tenue de mettre en
 
œuvre les articles 12, 13 et 14 du RGPD et de pouvoir démontrer cette mise en œuvre effective
51. Pursuant to Article 12.1 of the GDPR, it is the first defendant's responsibility to take
(articles 5.2. et 24 du RGPD).
appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in a manner
51. Aux termes de l’article 12.1 du RGPD, il incombe à la première défenderesse de prendre des
concise, transparent, understandable and easily accessible in clear and simple terms.
mesures appropriées pour fournir toute information visée aux articles 13 et 14 du RGPD d’une façon
in writing or by other means including electronic.
concise, transparente, compréhensible et aisément accessible en des termes clairs et simples et ce,
 
par écrit ou par d’autres moyens en ce compris électronique.
52. In the present case, as regards data which were not collected directly from the
52. En l’espèce, s’agissant de données qui n’ont pas été recueillies directement auprès de la
complainant, the first defendant was required to provide her with information with regard to
plaignante, la première défenderesse était tenue de lui fournir une information au regard des
Decision on the merits 81 / 2020- 14/45 data processing carried out concerning it in the context of the collection of the fee due.
As for the content of this information, in accordance with the case law of the Litigation Chamber,
Décision quant au fond 81/2020- 14/45
the elements listed in both § 1 and § 2 of Article 14 had to be communicated to it. 5 The Chamber
traitements de données opérés la concernant dans le contexte de la perception de la redevance due.
Litigation has already specified above that these elements include the exact identification of the
Quant au contenu de cette information, conformément à la jurisprudence de la Chambre Contentieuse,
lawfulness of the processing (Article 14.1 c) of the GDPR) (point 42 above).
les éléments listés tant au § 1er qu’au § 2 de l’article 14 devaient lui être communiqués.5 La Chambre
 
Contentieuse a déjà précisé ci-dessus que ces éléments incluent l’identification exacte de la base de
53. The Litigation Chamber is of the opinion that in light of the amount of information to be provided to
licéité du traitement (article 14.1 c) du RGPD) (point 42 ci-dessus).
data subject, controllers such as defendants should adopt a
53. La Chambre Contentieuse est d’avis qu’à la lumière de la quantité d’informations à fournir à
multi-level approach. On the one hand, the person concerned must immediately have a
la personne concernée, des responsables du traitement tel les défenderesses devraient adopter une
clear, accessible information on the fact that information on the processing of their data
approche à plusieurs niveaux. D’une part, la personne concernée doit d’emblée disposer d’une
personal character (privacy policy) exist and where it can be found in
information claire, accessible sur le fait que des informations sur le traitement de ses données à
their entirety.
caractère personnel (politique de confidentialité) existent et du lieu où elle pourra les trouver dans
 
leur intégralité.
54. On the other hand, without prejudice to the accessibility of the privacy policy in its
54. D’autre part, sans préjudice de l’accessibilité de la politique de confidentialité dans son
completeness, the data subject must, from the first communication from the controller
intégralité, la personne concernée doit, dès la première communication du responsable de traitement
with them, to be informed of the details of the purpose of the processing concerned, of the identity of the controller
avec elle, être informée des détails de la finalité du traitement concerné, de l’identité du responsable
the processing and the rights available to it. The importance of providing this information upstream
du traitement et des droits dont elle dispose. L‘importance de fournir ces informations en amont
follows in particular from recital 39 of the GDPR. Any additional information needed to
découle en particulier du considérant 39 du RGPD. Toute information supplémentaire nécessaire pour
allow the persone concerned to understand, from the information provided to this first
permettre à la personne concernée de comprendre, à partir des informations fournies à ce premier
level, what the consequences of the treatment in question will have to be added 6
niveau, quelles seront pour elle les conséquences du traitement en question devra être ajoutée 6
.
.
55. Aux termes de son rapport d’inspection du 6 janvier 2020, l’Inspecteur général, ainsi qu’il a
55. According to his inspection report of 6 January 2020, the Inspector General, as well as
été rappelé au titre 3, constate, au regard de la politique de confidentialité, que :
been recalled in Title 3, notes, with regard to the confidentiality policy, that:
« La déclaration de vie privée figurant sur le site de la première défenderesse [...] ne concerne
"The privacy statement appearing on the site of the first defendant [...] does not concern
en effet pas les données à caractère personnel qu’elle traite à l’occasion du contrôle, de l’envoi
indeed not the personal data that it processes during the control, the sending
du rappel et de la transmission du dossier à l’huissier de justice (seconde défenderesse). Les
the reminder and the transmission of the file to the bailiff (second defendant). The
coordonnées de l’agent de protection de la vie privée de la première défenderesse en charge
contact details of the first defendant's privacy officer in charge
de traiter les demandes de droit d’accès des personnes concernées ne sont pas mentionnées
to process requests for the right of access from data subjects are not mentioned
dans cette déclaration. La première défenderesse ne remplit dès lors pas son obligation de
in this statement. The first defendant therefore does not fulfill its obligation to
fournir une information aisément accessible notamment par voie électronique aux personnes
provide easily accessible information, particularly electronically, to individuals
concernées, prescrite à l’article 12.1. du RGPD ».
concerned, prescribed in Article 12.1. of the GDPR ”.


5 Groupe de l’Article 29, Lignes directrices sur la transparence au sens du règlement (UE) 2016/679, WP 260,
5 Article 29 Group, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260,
version révisée du 11 avril 2018 (reprises à son compte par le Comité européen de la protection des données):
revised version of April 11, 2018 (taken over by the European Data Protection Board):
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23).
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23).
6
6
Idem (points 35-38).  
Idem (points 35-38).
Décision quant au fond 81/2020- 15/45
Decision on the merits 81 / 2020- 15/45
56. En d’autres termes, la politique de confidentialité de la première défenderesse ne vise pas les
 
traitements de données mis en cause par la plaignante. En effet, l’Inspecteur général détaille dans
56. In other words, the first defendant's privacy policy does not cover
son rapport que la politique de confidentialité disponible sur le site de la première défenderesse lors
data processing questioned by the complainant. Indeed, the Inspector General details in
de sa consultation, concernait exclusivement la manière dont les traitements de données « que vous
its report that the confidentiality policy available on the site of the first defendant during
nous transmettez par l’intermédiaire de site et/ou autrement » était opérée (étape 5 du rapport
of its consultation, concerned exclusively the way in which the data processing "that you
d’inspection).
send us through the site and / or otherwise "was carried out (step 5 of the report
57. La Chambre Contentieuse constate par ailleurs que le premier courrier de rappel adressé par
inspection).
la première défenderesse à la plaignante le 24 janvier 2019 (point 5 ci-dessus) contient la clause
 
suivante :
57. The Litigation Chamber further notes that the first reminder letter sent by
the first defendant to the complainant on 24 January 2019 (point 5 above) contains the clause
next :
PRIVACY
PRIVACY
Vos données à caractère personnel en notre possession ne seront traitées que dans le cadre
Your personal data in our possession will only be processed within the framework of
du présent rappel et, le cas échéant, los de futurs échanges entre vous et nos services à
of this reminder and, where applicable, of future exchanges between you and our services at
propos du règlement de la redevance concernée. Ces données ne seront conservées que pour
About the payment of the fee concerned. These data will only be kept for
la durée correspondante à ce règlement. Conformément au Règlement (UE) 2016/679 du
the duration corresponding to this regulation. In accordance with Regulation (EU) 2016/679 of
Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des données à
European Parliament and of the Council of 27 April 2016 on data protection at
caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE
personal nature and the free movement of such data, and repealing Directive 95/46 / EC
(règlement général sur la protection des données), vous pouvez librement exercer vos droits
(general data protection regulation), you can freely exercise your rights
et questions en envoyant une demande à [...] ou par courriel [...]. L’agent de la protection de
and questions by sending a request to [...] or by email [...]. The protection officer
la vie privée vous contactera pour confirmer votre identité et prendre les mesures nécessaires
privacy will contact you to confirm your identity and take the necessary action
pour répondre à votre demande.
to respond to your request.
58. Ledit courrier mentionne également le site Internet de la première défenderesse sans
 
référence toutefois à la politique de confidentialité en général ni a fortiori, aux dispositions pertinentes
58. The said letter also mentions the website of the first defendant without
eu égard au rappel envoyé (d’autant que comme mentionné ci-dessus cette politique de confidentialité
however, reference to the privacy policy in general and a fortiori to the relevant provisions
ne porte pas sur ce type de traitements). La Chambre Contentieuse est d’avis que cette clause ne peut
with regard to the reminder sent (as far as as mentioned above this privacy policy
à elle combler l’absence d’information sur les éléments des §§ 1 et 2 de l’article 14 du RGPD (dès lors
does not cover this type of treatment). The Contentious Chamber is of the opinion that this clause cannot
que comme déjà mentionné, la politique de confidentialité de la première défenderesse ne vise pas
to fill in the lack of information on the elements of §§ 1 and 2 of Article 14 of the GDPR (therefore
les traitements mis en cause).
that as already mentioned, the privacy policy of the first defendant does not cover
59. Quant à l’absence de mention des données de contact de l’agent de protection de la vie privée
the treatments in question).
de manière générale également relevé par le rapport d’enquête, la Chambre Contentieuse est d’avis
 
que la communication de coordonnées du DPO ou de toute autre adresse de contact dédiée à l’exercice
59. As to the failure to mention the contact details of the privacy protection officer
des droits des personnes concernées s’inscrit dans l’obligation des responsables de traitement de
generally also noted by the investigation report, the Litigation Chamber is of the opinion
faciliter l’exercice des droits des personnes concernées (article 12.2. du RGPD)7
that the communication of contact details of the DPO or any other contact address dedicated to the exercise
the rights of data subjects is part of the obligation of data controllers
facilitate the exercise of the rights of data subjects (article 12.2. of the GDPR) 7
.
.


7 Au cours de l’audition du 13 juillet 2020, la première défenderesse a précisé que son agent de protection de la
7 During the hearing on July 13, 2020, the first defendant clarified that its protection officer
vie privée est en effet un délégué à la protection des données (DPO) au sens de l’article 37 du RGPD.
privacy is in fact a Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR.
Décision quant au fond 81/2020- 16/45
Decision on the merits 81 / 2020- 16/45
60. Aux termes de ses conclusions, la première défenderesse indique qu’elle « ne peut que
 
prendre acte de la conclusion du rapport d’enquête qui énonce que « l’information fournie aux
60. According to its submissions, the First Respondent states that it "can only
personnes concernées sur le site web de [...] est lacunaire ». Elle indique également prendre acte que
take note of the conclusion of the investigation report which states that "the information provided to
l’Inspecteur considère que l’information « n’est pas aisément accessible » aux personnes concernées
data subjects on the website of [...] is incomplete ”. It also indicates that it takes note that
(point 41 des conclusions de la première défenderesse) et prend un certain nombre d’engagements
the Inspector considers that the information "is not easily accessible" to the persons concerned
vis-à-vis de l’APD pour y remédier (voy infra au titre 9.1. relatif à la discussion sur les mesures
(point 41 of the conclusions of the first defendant) and makes a number of commitments
correctrices et sanctions).
vis-à-vis ODA to remedy this (see below under section 9.1. relating to the discussion on the measures
61. Quant au moment de l’information, l’article 14.3 du RGPD précise que les éléments listés aux
corrective measures and sanctions).
§§ 1 et 2 doivent être fournis dans un délai raisonnable après avoir été obtenus mais au plus tard
 
dans le mois de cette obtention eu égard aux circonstances particulières dans lesquelles les données
61. When at the time of information, Article 14.3 of the GDPR specifies that the elements listed in
à caractère personnel sont traitées.
§§ 1 and 2 must be provided within a reasonable time after having been obtained but at the latest
62. En l’espèce, la plaignante et la première défenderesse sont en désaccord sur la question de
within the month of this obtaining in view of the particular circumstances in which the data
savoir si cette information a été fournie en temps utile. La première défenderesse soutient en effet
of a personal nature are processed.
que des informations se trouvent sur l’invitation à payer adressé à la plaignante ainsi que dans son
 
courrier de rappel (points 4 et 5 ci-dessus). La plaignante affirme n’avoir jamais reçu ni papillon ni
62. In the present case, the Complainant and the First Respondent disagree on the issue of
courrier de rappel et relève l’absence de preuve de la communication de ces documents – et donc de
whether this information was provided in a timely manner. The first defendant indeed maintains
l’information relative à la protection des données – par la première défenderesse. La première
that information can be found on the invitation to pay sent to the complainant as well as in her
défenderesse renvoie quant à elle également aux informations fournies sur son site Internet, tout en
reminder letter (points 4 and 5 above). The complainant claims that she never received a butterfly or
admettant que celle-ci est lacunaire (point 60 ci-dessus).
reminder letter and notes the absence of proof of the communication of these documents - and therefore of
63. Il n’appartient pas à la Chambre Contentieuse de déterminer la manière dont le manquement
data protection information - by the first defendant. The first one
aux règles de stationnement doit être porté à la connaissance des contrevenants (papillon, rappel par
the defendant also refers to the information provided on its website, while
courrier ordinaire, par courrier recommandé). Il n’en demeure pas moins que l’information sur les
admitting that this is incomplete (point 60 above).
traitements de données qui interviennent tant dans le cadre du constat de la violation que de la gestion
 
du recouvrement du montant consécutif à celle-ci, doit être communiquée dans le respect du délai
63. It is not for the Contentious Chamber to determine how the breach
prescrit à l’article 12.3 du RGPD et ce, de manière utile (tenant compte par exemple du délai de
parking rules must be brought to the attention of offenders (flyer, reminder by
paiement donné), soit, en fonction du contexte, sans attendre l’expiration dudit délai.
regular mail, by registered mail). The fact remains that information on
64. A l’appui des constats qui précèdent et de l’obligation d’information qui pèse sur la première
data processing which takes place both within the framework of the finding of the violation and of the management
défenderesse, la Chambre Contentieuse constate un manquement à l’article 14.1-2 du RGPD dès lors
recovery of the amount resulting from this, must be communicated within the deadline
que la politique de confidentialité de la première défenderesse ne porte pas sur les traitements de
prescribed in Article 12.3 of the GDPR in a useful manner (taking into account, for example, the deadline for
données opérés en l’espèce (recouvrement amiable de dettes). La clause « Privacy » figurant sur son
payment given), or, depending on the context, without waiting for the expiry of the said deadline.
courrier de rappel, insuffisante quant à son contenu, n’est pas de nature à y remédier. Ce manquement
 
est par ailleurs combiné à l’article 12.3 du RGPD. La Chambre Contentieuse est à cet égard d’avis que
64. In support of the foregoing findings and the information obligation that weighs on the first
si l’information n’est pas donnée ou est incomplète, a fortiori elle n’a pas été fournie dans le délai
defendant, the Litigation Chamber finds a breach of Article 14.1-2 of the GDPR therefore
Décision quant au fond 81/2020- 17/45
that the privacy policy of the first defendant does not cover the processing of
requis. Enfin, ces manquements sont combinés à un manquement à l’article 12.1 du RGPD (défaut
data processed in this case (amicable debt collection). The "Privacy" clause appearing on its
d’accessibilité des coordonnées du DPO dans la politique de confidentialité).
reminder mail, insufficient in content, is not likely to remedy this. This failure
8.1.2. Quant au manquement au droit d’accès (article 15 du RGPD)
is also combined with Article 12.3 of the GDPR. The Litigation Chamber is of the opinion that
65. Aux termes de l’article 15 du RGPD, la personne concernée a le droit d’obtenir du responsable
if the information is not given or is incomplete, a fortiori it was not provided within the time limit
de traitement la confirmation que des données à caractère personnel la concernant sont ou ne sont
Decision on the merits 81 / 2020- 17/45
pas traitées et, lorsqu’elles le sont, l’accès aux dites données à caractère personnel ainsi que les
required. Finally, these breaches are combined with a breach of Article 12.1 of the GDPR (default
éléments d’information listés aux littéras a) à h) de l’article 15.1. du RGPD.
accessibility of the DPO's contact details in the privacy policy).
66. En l’espèce, aux termes de son rapport, l’Inspecteur général fait à cet égard le constat
8.1.2. As for the breach of the right of access (article 15 of the GDPR)
suivant :
 
« Le droit d’accès de Madame X (lisez la plaignante) aux données la concernant traitées par
65. According to Article 15 of the GDPR, the data subject has the right to obtain from the controller
[...] (lisez la première défenderesse) n’a pas été respecté, en contravention avec l’article 15
of processing the confirmation that personal data concerning him are or are not
du RGPD.
not processed and, when they are, access to said personal data as well as
Pour seule réponse à sa demande d’accès, Madame X (lisez la plaignante) a en effet été
information items listed in letters a) to h) of Article 15.1. of the GDPR.
renvoyée à deux reprises vers l’huissier de justice (lisez la seconde défenderesse) et une copie
 
du rappel de paiement qu’elle contestait avoir reçu lui a été fournie. A cet égard, il apparait
66. In the present case, according to the terms of his report, the Inspector General finds in this regard
qu’il n‘y a pas de procédure en place afin que le service clientèle de [...] (lisez la première
next :
défenderesse) en charge des plaintes fasse parvenir les demandes relatives à l’exercice des
"Ms. X's right of access (read the complainant) to data concerning her processed by
droits de la personne concernée à l’agent de protection de la vie privée de [...] (lisez la
[...] (read the first defendant) was not respected, in contravention of article 15
première défenderesse) ».
of the GDPR.
67. Aux termes de ses conclusions, la première défenderesse décrit qu’eu égard à la nature de
The only response to her request for access was Ms. X (read the complainant) was in fact
ses activités, elle fait face à un nombre conséquent de réclamations et de plaintes. En pratique, elle y
twice referred to the bailiff (read the second defendant) and a copy
décrit (et confirme lors de l’audition du 13 juillet 2020) que dès qu’il est constaté que le contrevenant
of the payment reminder she disputed having received was provided to her. In this regard, it appears
n’a pas payé sa redevance dans le délai requis, le dossier est transféré à la seconde défenderesse qui
that there is no procedure in place for customer service [...] (read the first
se charge du recouvrement du montant dû. La première défenderesse précise que toute demande
defendant) in charge of complaints send requests relating to the exercise of
effectuée postérieurement à la transmission du dossier à l’huissier doit faire l’objet d’un traitement
rights of the data subject to the privacy officer of [...] (read the
directement auprès de l’huissier afin d’éviter que des informations contradictoires ne soient transmises
first defendant) .
au plaignant. Ce qu’elle expose comme étant une procédure organisée avec la seconde défenderesse
 
n’est toutefois, hormis le règlement communal auquel les défenderesses se réfèrent toutes les deux
67. According to its submissions, the first defendant describes that, having regard to the nature of
lors de l’audition, pas encadré par une procédure écrite précise et détaillée entre elles (point 46 cidessus).
its activities, it faces a significant number of complaints and complaints. In practice, there
68. Quant à la gestion des demandes d’exercice de leurs droits en matière de protection des
described (and confirmed during the hearing on July 13, 2020) that as soon as it is found that the offender
données par les personnes concernées, la première défenderesse expose que leur gestion distincte de
has not paid his fee within the required time, the case is transferred to the second defendant who
celle de gestion des plaintes décrite au point 67 ci-dessus, nécessite qu’un courriel soit envoyé à une
is responsible for collecting the amount due. The first defendant specifies that any request
adresse e-mail dédiée à ce type de demande, soit l’adresse [...].
carried out after the file has been transmitted to the bailiff must be processed
Décision quant au fond 81/2020- 18/45
directly with the bailiff to prevent contradictory information from being transmitted
69. La première défenderesse relève à cet égard que la plaignante n’a pas correspondu avec elle
to the complainant. What she describes as being a procedure organized with the second defendant
via cet e-mail spécifique. La plaignante a dès lors (point 67 ci-dessus), pour seule réponse, été
However, apart from the municipal regulations to which the defendants both refer
renvoyée vers la seconde défenderesse comme dans le cas d’une réclamation non liée à l’application
during the hearing, not framed by a precise and detailed written procedure between them (point t 46 above).
des droits des personnes concernées en matière de protection des données : « Veuillez-vous adresser
 
à l’huissier » ; et ce dès lors que sa demande était postérieure à la communication du dossier à la
68. As for the management of requests to exercise their rights in terms of the protection of
seconde défenderesse.
data by the data subjects, the first defendant states that their separate management of
70. Comme le constate l’Inspecteur général dans son rapport, la Chambre Contentieuse relève
that of complaints management described in point 67 above, requires that an email be sent to a
qu’alors que la demande de la plaignante soulevait des questions de protection des données, il n’y a
e-mail address dedicated to this type of request, ie the address [...].
pas eu de renvoi en interne vers l’agent de protection des données de la première défenderesse. Cette
Decision on the merits 81 / 2020- 18/45
manière de procéder apparait contraire à la clause « Privacy » figurant sur la mise en demeure de la
 
première défenderesse laquelle indique que pour l’exercice de leurs droits en matière de protection
69. The first respondent notes in this regard that the complainant did not correspond with her
des données, les débiteurs sont invités à contacter la première défenderesse (premier interlocuteur
via this specific email. The complainant therefore (paragraph 67 above), for only answer, was
« naturel » somme toute), ce qui donne à penser que c’est bien la première défenderesse qui
referred to the second defendant as in the case of a non-application related complaint
examinera leur demande (point 57 ci-dessus).
of the rights of data subjects in terms of data protection: "Please contact
71. La seconde défenderesse a, au nom de la première défenderesse, répondu à la plaignante par
to the bailiff "; and this since his request was subsequent to the communication of the file to the
courrier du 2 avril 2019, soit selon la première défenderesse, dans le délai d’un mois requis par l’article
second defendant.
12.3. du RGPD. Aux termes de ce courrier, la seconde défenderesse lui fournit un certain nombre
 
d’éléments quant aux traitements opérés par la première défenderesse.8 Elle joint également les
70. As the Inspector General notes in his report, the Litigation Chamber notes
photographies (point 12) et la lettre de rappel du 24 janvier 2019.
that while the complainant's request raised data protection issues, there is no
72. Par ailleurs, dans ce même courrier, la seconde défenderesse communique également à la
no internal referral to the first defendant's data protection officer. This
plaignante des éléments relatifs à la demande d’accès qui lui est adressée directement quant à ses
way of proceeding appears contrary to the "Privacy" clause appearing on the formal notice of the
propres traitements (voy. infra point 8.2.2.).
first defendant which indicates that for the exercise of their rights in matters of protection
73. La Chambre Contentieuse est d’avis que la mise en place de procédures internes et
data, debtors are invited to contact the first defendant (first contact
standardisées dédiées à l’exercice des droits des personnes concernées en matière de protection des
"Natural" after all), which suggests that it is indeed the first defendant who
données est essentielle et de nature à contribuer à l’application effective de ces droits. Elle facilite
will examine their request (point 57 above).
assurément leur exercice comme le requiert l’article 12.2. du RGPD. Dans une structure telle la
 
première défenderesse, compte tenu du volume de données traitées, la Chambre Contentieuse la juge
71. The second respondent, on behalf of the first respondent, replied to the complainant by
letter of April 2, 2019, or according to the first defendant, within the one month period required by article
12.3. of the GDPR. According to this letter, the second defendant provides it with a certain number
information on the processing carried out by the first defendant.8 It also attaches the
photographs (point 12) and the reminder letter of January 24, 2019.
 
72. Moreover, in the same letter, the second defendant also communicates to the
complainant of the elements relating to the request for access addressed to her directly regarding her
own processing (see point 8.2.2 below).
 
73. The Litigation Chamber is of the opinion that the establishment of internal procedures and
standards dedicated to the exercise of the rights of data subjects in terms of the protection of
data is essential and likely to contribute to the effective application of these rights. It facilitates
certainly their exercise as required by Article 12.2. of the GDPR. In a structure such as
first defendant, given the volume of data processed, the Litigation Chamber considers it
 
8 Extract from the letter of April 2 from the second defendant: “As for our client, he is mandated by the city of
[...] to operate the recovery of unpaid parking fees. It is registered with the
Commission for the Protection of Privacy and, to this end, has received the attached document authorizing him to receive
IVD data for the sole purpose of collecting unpaid royalties. As part of its mandate, our
customer obtains name, first name and address in order to send a reminder letter. Subsequently if the file is not
paid, it is sent to the study as provided for by municipal regulations. According to him, this data is deleted
upon receipt of payment ”.
Decision on the merits 81 / 2020- 19/45
essential. However, the persons concerned cannot be criticized for using another channel
communication to address their requests. No adverse consequences for the person
concerned cannot be drawn from the fact - even in the hypothesis that it would have been correctly
informed - that they have not used the correct form or have contacted the person in charge of
processing by another means, via an incorrect e-mail address for example. Abundantly, the
Litigation Chamber is of the opinion that in this case, the distinction between "complaint" and "exercise of a right
access to his data "in the context of a request for payment of a
parking is not easy to operate for any citizen.
 
74. The Contentious Chamber therefore notes that in any event, the first defendant does not
could hide behind the "error" that she invokes on the part of the complainant to consider
that she herself would have been exempted from her obligation to respond to the request to exercise the right
access of the complainant.
 
75. In the present case, each of the defendants being a separate person responsible (and not
jointly responsible as it has already been explained in section 7.3. above), it is their responsibility to give
following the exercise of the rights of data subjects with regard to the processing operations they carry out
each respectively. The Litigation Chamber ne can exclude that in fact, without being nor
subcontractors or joint managers, controllers agree among themselves that
one responds to the request to exercise the rights of data subjects on behalf of the other who
mandate to do so. If this were to be the case, the procedure put in place should be perfectly
clear and understandable for the persons concerned who must have been informed. Indeed,
this way of proceeding is very likely to lead to confusion about the role of each. In
in this case, this led the Complainant to believe that the Second Respondent was the subcontractor of
the first defendant. In this case, the first point of contact for the debtor of the royalty is, eu
having regard to the facts and in the absence of other clear information, naturally the first defendant. The
Contentious Chamber notes in this regard that the first defendant indicated to the Chamber
Litigation now favor a reorganization of procedures which would retain internal
management of complaints relating to the data processing it operates.
 
76. Nor can the first defendant consider that since the second
defendant replied to the complainant on April 2, 2019, she herself would have been exempted from doing so
except to consider that the second defendant, mandated by the first, would have responded in a manner
complete, transparent and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the
first defendant, which is not the case. The second defendant admittedly provides some
number of elements but these do not completely meet the requirements of the article
15.1 of the GDPR.
Decision on the merits 81 / 2020- 20/45
 
77. The Contentious Chamber notes overwhelmingly that the first defendant does not dispute
not his lack of response, a fortiori within the time limit required by Article 12.3. of the GDPR.
 
78. The Contentious Chamber concludes from the foregoing that the first respondent did not
right to the complainant's request for access in a satisfactory manner and that there was a breach in
its head in Article 15.1 of the GDPR, combined, a fortiori, in Article 12.3. of the GDPR. The first one
the defendant also failed to fulfill its obligation to facilitate the exercise of the rights of
data subjects required by Article 12.2. of the GDPR.
8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)
8.1.3.1. In view of the consultation of the DIV
 
79. The complainant accuses the first respondent of having consulted the DIV in such a way
premature on January 3, 2019, that is, before the expiry of the period given to him to fulfill
spontaneously of the amount of the royalty claimed. According to her, this consultation therefore took place
in violation of the principle of minimization according to which "personal data
must be: c) adequate, relevant and limited to what is necessary for the purposes for
which they are processed (data minimization) ”(article 5.1 c) of the GDPR).
 
80. According to his report, the Inspector General concludes in this regard that "data to
personal character of the [complainant] concerning (name, first name and address) were treated without
necessity in the period during which the data subject has the opportunity to pay the
fee before sending a reminder sent to his name and address, which is not compliant
with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. next
the article [...] of the By-law of the City of [...] parking ticket machines 2019, this
delay is 10 days ”.
 
81. The first defendant does not dispute that this consultation of the DIV took place on 3
January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2
2019. She explains that as soon as she was informed of what she called "an error", she
immediately requested an adaptation of the system to take into account the deadlines
imposed by the various municipal regulations and thus put an end to this practice of consultation
immediate DIV. The first defendant further adds that when it made this request
to his IT service provider, the latter informed him that the system had been corrected as soon as
August 26, 2019.
 
82. The Litigation Chamber recalls that access to the DIV is strictly regulated taking into account
the sensitivity of this database and that only authorized bodies are authorized to
Decision on the merits 81 / 2020- 21/45
to access. It was up to the first defendant to organize this access in accordance with the principles
of data protection by design and by default (article 25 of the GDPR) in order to
effectively implement the principle of data minimization.
 
83. The Contentious Chamber can only note, in support of the documents produced in e can exclude that in fact, without being nor
subcontractors or joint managers, controllers agree among themselves that
one responds to the request to exercise the rights of data subjects on behalf of the other who
mandate to do so. If this were to be the case, the procedure put in place should be perfectly
clear and understandable for the persons concerned who must have been informed. Indeed,
this way of proceeding is very likely to lead to confusion about the role of each. In
in this case, this led the Complainant to believe that the Second Respondent was the subcontractor of
the first defendant. In this case, the first point of contact for the debtor of the royalty is, eu
having regard to the facts and in the absence of other clear information, naturally the first defendant. The
Contentious Chamber notes in this regard that the first defendant indicated to the Chamber
Litigation now favor a reorganization of procedures which would retain internal
management of complaints relating to the data processing it operates.
76. Nor can the first defendant consider that since the second
defendant replied to the complainant on April 2, 2019, she herself would have been exempted from doing so
except to consider that the second defendant, mandated by the first, would have responded in a manner
complete, transparent and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the
first defendant, which is not the case. The second defendant admittedly provides some
number of elements but these do not completely meet the requirements of the article
15.1 of the GDPR.
Decision on the merits 81 / 2020- 20/45
77. The Contentious Chamber notes overwhelmingly that the first defendant does not dispute
not his lack of response, a fortiori within the time limit required by Article 12.3. of the GDPR.
78. The Contentious Chamber concludes from the foregoing that the first respondent did not
right to the complainant's request for access in a satisfactory manner and that there was a breach in
its head in Article 15.1 of the GDPR, combined, a fortiori, in Article 12.3. of the GDPR. The first one
the defendant also failed to fulfill its obligation to facilitate the exercise of the rights of
data subjects required by Article 12.2. of the GDPR.
8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)
8.1.3.1. In view of the consultation of the DIV
79. The complainant accuses the first respondent of having consulted the DIV in such a way
premature on January 3, 2019, that is, before the expiry of the period given to him to fulfill
spontaneously of the amount of the royalty claimed. According to her, this consultation therefore took place
in violation of the principle of minimization according to which "personal data
must be: c) adequate, relevant and limited to what is necessary for the purposes for
which they are processed (data minimization) ”(article 5.1 c) of the GDPR).
80. According to his report, the Inspector General concludes in this regard that "data to
personal character of the [complainant] concerning (name, first name and address) were treated without
necessity in the period during which the data subject has the opportunity to pay the
fee before sending a reminder sent to his name and address, which is not compliant
with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. next
the article [...] of the By-law of the City of [...] parking ticket machines 2019, this
delay is 10 days ”.
 
81. The first defendant does not dispute that this consultation of the DIV took place on 3
January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2
2019. She explains that as soon as she was informed of what she called "an error", she
immediately requested an adaptation of the system to take into account the deadlines
imposed by the various municipal regulations and thus put an end to this practice of consultation
immediate DIV. The first defendant further adds that when it made this request
to his IT service provider, the latter informed him that the system had been corrected as soon as
August 26, 2019.
82. The Litigation Chamber recalls that access to the DIV is strictly regulated taking into account
the sensitivity of this database and that only authorized bodies are authorized to
Decision on the merits 81 / 2020- 21/45
to access. It was up to the first defendant to organize this access in accordance with the principles
of data protection by design and by default (article 25 of the GDPR) in order to
effectively implement the principle of data minimization.
83. The Contentious Chamber can only note, in support of the documents produced in s the file
and the Inspector General's finding that there was a breach of the minimization principle provided for in
Article 5.1 c) of the GDPR in respect of the first defendant.
8.1.3.2. In view of the communication of the complainant's data to the second defendant
 
84. As regards the transfer of the complainant's data by the first respondent to the
second defendant, the Litigation Chamber insists that this communication not take place
only when necessary otherwise it would violate the principle of minimization. So,
the data subject should be allowed the time allotted to him to pay the fee
before entering the bailiff. The second defendant is indeed justified in intervening and
therefore to be provided with the data of debtors such as the complainant, that in default of payment in
the time limit provided for by the municipal implementing regulations.
8.1.3.3. In view of the taking of photographs and their conservation for the purpose of establishing
the offense
 
85. According to its conclusions, the complainant also criticizes the first respondent
to process (including keeping) a certain number of personal data
concerning in violation of the principle of minimization and this, for the purposes of establishing the lack of
payment of the royalty due. Thus, the complainant considers, for example, that the photographs of her
vehicle (including their professional card on the passenger compartment, the name of their garage)
do not provide any element likely to specify the offense with which it is charged and are therefore without
relevance. The same goes for the photograph of her license plate which she is wondering about
on the necessity of the treatment (including conservation).
 
86. The first defendant indicates in the terms of its conclusions that its agents collect
such data as part of the establishment of the offense. It must, in accordance with Article 870
of the Judicial Code and taking into account the case law of the courts and tribunals, provide evidence
of the offense it alleges before the competent courts. Finally, she adds:
"That by taking the photos to ensure with certainty that no ticket or disc of
parking is not shown on the windshield of the vehicle, as the car is parked in a
place where parking is paid and / or in the blue zone on a date when the person concerned
must pay for this parking, the conclusive one does not violate the principle of minimization ”(page
14 of the conclusions of the first defendant).
Decision on the merits 81 / 2020- 22/45
 
87. The Contentious Chamber recalls that was it for the purpose of obtaining the necessary evidence
for a breach of a parking rule, the data controller is required to respect
all the obligations incumbent upon it under the GDPR throughout the duration of the
processing (collection, communication, storage, etc.) of personal data. It does not appear from
the primary competence of the Contentious Chamber to determine what evidence would be
sufficient and relevant to present to the competent courts. The fact remains that
as soon as this evidence constitutes personal data - including images
as in the present case - processed for the purposes of establishing the alleged facts, this data must be
relevant to the purpose pursued. Without finding a breach of the principle of
minimization in the case of the first defendant in this case, the Litigation Chamber invites
the latter to be attentive to the future and to sensitize its employees who make the findings on the
ground to act with discernment in this regard. The Litigation Chamber also recalls the principle
according to which personal data cannot be kept for a period not exceeding
that necessary with regard to the purposes for which they are processed (article 5.1 e) of the GDPR).
8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR
 
88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to the obligations of
data controllers (and subcontractors) and which reflects the principle set out in Article 5.2. of
RGPD, provides that "taking into account the nature, scope, context and purposes of the processing
as well as risks, of varying degrees of probability and severity, for the rights and freedoms of
natural persons, the controller implements the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that the treatment is
carried out in accordance with these regulations. These measures are reviewed and updated if
necessary. "
 
89. Section 24.2. of the GDPR specifies that when this is proportionate to the activities of
treatment, the measures referred to in Article 24.1. of the above GDPR include the implementation
appropriate policies in data protection by the controller.
 
90. The Contentious Chamber is of the opinion, in view of what has been noted above in Headings 8.1.1.,
8.1.2. and 8.1.3. , which the first defendant was at the time of the facts failing to implement
the appropriate technical and organizational measures required by Articles 24.1 and 2 of the GDPR to
guarantee not only an effective exercise of the rights of data subjects such as the complainant -
in particular his right to information and his right of access - as well as respect for the principle of
minimization when consulting the DIV.
Decision on the merits 81 / 2020- 23/45
 
91. With regard more particularly to the rights of data subjects, the Chamber
Litigation insists on the fact that the municipal regulation, which certainly describes the succession of
interventions by the first and second defendant in the context of amicable recovery
parking fee, cannot by itself constitute an adequate measure within the meaning of Article
24 of the GDPR. It does not allow the first defendant or to ensure that the processing is carried out
in accordance with the GDPR nor to demonstrate it. The Litigation Chamber nevertheless takes note of the
commitments made by the first defendant to comply with its obligations in this regard (see.
infra title 9.1.).
8.1.5. Conclusion as to the breaches of the first defendant
 
92. In conclusion, the Contentious Chamber notes the following failings in the area of
the first defendant:
- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.
of the GDPR)
- a breach of its obligation to follow up on the exercise of the complainant's right of access
within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of
GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights))
- a breach of the principle of minimization during the premature consultation of the IVD
(article 5.1 c) of the GDPR)
- a breach of its obligation to put in place technical measures and
adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.
8.2. As to the breaches on the part of the second defendant
8.2.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)
 
93. The complainant criticizes the second defendant for not having informed her in accordance
to the requirements of Article 14 of the GDPR when it first comes into contact with it, or through the setting
formal notice that it sent to it on February 25, 2019 (point 7 above).
 
94. The second defendant considers that the exception provided for in Article 14.5. c) from
GDPR is applicable to it. In this regard, it relies on Article [...] of the municipal regulations of [...]
reproduced below9


8 Extrait de la lettre du 2 avril de la seconde défenderesse : « Quant à notre client, il est mandaté par la ville de
:[……]
[...] pour opérer le recouvrement des redevances de stationnement impayées. Il est inscrit auprès de la
Commission de la protection de la vie privée et, à cet effet a reçu le document annexé qui l’autorise à recevoir
les données DIV à unique but du recouvrement des redevances impayées. Dans le cadre de son mandat, notre
client obtient nom, prénom et adresse afin d’adresser un courrier de rappel. Par la suite si le dossier n’est pas
payé, il est transmis à l’étude comme prévu par le règlement communal. D’après lui, ces données sont supprimées
à la réception du paiement ».
Décision quant au fond 81/2020- 19/45
indispensable. Pour autant, il ne peut être fait grief aux personnes concernées d’utiliser un autre canal
de communication pour adresser leurs demandes. Aucune conséquence préjudiciable pour la personne
concernée ne peut être tirée du fait – même dans l’hypothèse où elle en aurait correctement été
informée – qu’elle n’aurait pas utilisé le formulaire adéquat ou se serait adressée au responsable de
traitement par une autre voie, via une adresse e-mail erronée par exemple. Surabondamment, la
Chambre Contentieuse est d’avis qu’en l’espèce, la distinction entre « plainte » et « exercice d’un droit
d’accès à ses données » dans le contexte d’une demande de paiement d’une redevance de
stationnement n’est par ailleurs pas aisée à opérer pour tout citoyen.
74. La Chambre Contentieuse relève donc qu’en toute hypothèse, la première défenderesse ne
pourrait se retrancher derrière « l’erreur » qu’elle invoque dans le chef de la plaignante pour considérer
qu’elle-même aurait été dispensée de son obligation de réponse à la demande d’exercice du droit
d’accès de la plaignante.
75. En l’espèce, chacune des défenderesses étant un responsable distinct (et non des
responsables conjoints comme il a déjà été explicité au titre 7.3. ci-dessus), il leur incombe de donner
suite à l’exercice des droits des personnes concernées au regard des traitements qu’elles opèrent
chacune respectivement. La Chambre Contentieuse ne peut exclure que dans les faits, sans être ni
sous-traitants, ni responsables conjoints, des responsables de traitement conviennent entre eux que
l‘un répond à la demande d’exercice des droits des personnes concernées au nom de l’autre qui le
mandate pour ce faire. Si tel devait être le cas, la procédure mise en place devrait être parfaitement
claire et compréhensible pour les personnes concernées qui devront en avoir été informées. En effet,
cette manière de procéder est grandement susceptible de prêter à confusion sur le rôle de chacun. En
l’espèce, cela a donné à penser à la plaignante que la seconde défenderesse était le sous-traitant de
la première défenderesse. En l’espèce, l’interlocuteur premier pour le débiteur de la redevance est, eu
égard aux faits et à défaut d’autre information claire, naturellement la première défenderesse. La
Chambre Contentieuse note à cet égard que la première défenderesse a indiqué à la Chambre
Contentieuse privilégier désormais une réorganisation des procédures qui conserverait en interne la
gestion des plaintes relatives aux traitements de données qu’elle opère.
76. La première défenderesse ne peut pas non plus considérer que dès lors que la seconde
défenderesse a répondu à la plaignante le 2 avril 2019, elle aurait elle-même été dispensée de le faire
sauf à considérer que la seconde défenderesse, mandatée par la première, aurait répondu de manière
complète, transparente et conforme à l’article 15 du RGPD quant aux traitements opérés par la
première défenderesse, ce qui n’est pas le cas. La seconde défenderesse fournit certes un certain
nombre d’éléments mais ceux-ci ne répondent pas tout à fait entièrement aux prescrits de l’article
15.1 du RGPD.
Décision quant au fond 81/2020- 20/45
77. La Chambre Contentieuse relève surabondamment que la première défenderesse ne conteste
pas son absence de réponse, a fortiori dans le délai requis par l’article 12.3. du RGPD.
78. La Chambre Contentieuse conclut de ce qui précède que la première défenderesse n’a pas fait
droit à la demande d’accès de la plaignante de manière satisfaisante et qu’il y a eu manquement dans
son chef à l’article 15.1 du RGPD, combiné, a fortiori, à l’article 12.3. du RGPD. La première
défenderesse a par ailleurs également manqué à son obligation de faciliter l’exercice des droits des
personnes concernées requise par l’article 12.2. du RGPD.
8.1.3. Quant au manquement au principe de minimisation (article 5.1 c) du RGPD)
8.1.3.1. Eu égard à la consultation de la DIV
79. La plaignante reproche à la première défenderesse d’avoir consulté la DIV de manière
prématurée le 3 janvier 2019, soit avant l’écoulement du délai qui lui était donné pour s’acquitter
spontanément du montant de la redevance réclamée. Cette consultation a, selon elle, dès lors eu lieu
en violation du principe de minimisation aux termes duquel « les données à caractère personnel
doivent être: c) adéquates, pertinentes et limitées à ce qui est nécessaire au regard des finalités pour
lesquelles elles sont traitées (minimisation des données) » (article 5.1 c) du RGPD).
80. Aux termes de son rapport, l’Inspecteur général conclut à cet égard que « des données à
caractère personnel la [soit la plaignante] concernant (nom, prénom et adresse) ont été traitées sans
nécessité dans la période pendant laquelle la personne concernée a la possibilité d’acquitter la
redevance avant l’envoi d’un rappel envoyé à son nom et à son adresse, ce qui n’est pas conforme
avec le principe de minimisation des données prévu à l’article 5.c [lire article 5.1 c)] du RGPD. Suivant
l’article [...] du Règlement redevance de la Ville de [...] sur le stationnement horodateurs 2019, ce
délai est de 10 jours ».
81. La première défenderesse ne conteste pas que cette consultation de la DIV s’est faite le 3
janvier 2019 à 22h03, soit le lendemain du stationnement en infraction de la plaignante du 2 janvier
2019. Elle expose que dès qu’elle a été informée de ce qu’elle qualifie « d’erreur », elle a
immédiatement sollicité une adaptation du système de manière à prendre en compte les délais
imposés par les différents règlements communaux et mettre ainsi fin à cette pratique de consultation
immédiate de la DIV. La première défenderesse ajoute encore que lorsqu’elle a adressé cette demande
à son prestataire informatique, ce dernier l’a informée de ce que le système avait été corrigé dès le
26 août 2019.
82. La Chambre Contentieuse rappelle que l’accès à la DIV est strictement encadré compte tenu
de la sensibilité de cette base de données et que seules les instances habilitées sont autorisées à y
Décision quant au fond 81/2020- 21/45
accéder. Il incombait à la première défenderesse d’organiser cet accès dans le respect des principes
de la protection des données dès la conception et par défaut (article 25 du RGPD) de manière à mettre
en œuvre le principe de minimisation des données de manière effective.
83. La Chambre Contentieuse ne peut que constater, à l’appui des pièces produites dans le dossier
et du constat de l’Inspecteur général, qu’il y a eu manquement au principe de minimisation prévu à
l’article 5.1 c) du RGPD dans le chef de la première défenderesse.
8.1.3.2. Eu égard à la communication des données de la plaignante à la seconde défenderesse
84. S’agissant du transfert des données de la plaignante par la première défenderesse à la
seconde défenderesse, la Chambre Contentieuse insiste pour que cette communication n’intervienne
que lorsqu’elle est nécessaire à défaut de quoi elle contreviendrait au principe de minimisation. Ainsi,
il convient de laisser à la personne concernée le temps qui lui est imparti pour payer la redevance
avant de saisir l’huissier de justice. La seconde défenderesse n’est en effet justifiée à intervenir et
donc à se voir communiquer les données de débiteurs tels la plaignante, qu’à défaut de paiement dans
le délai prévu par le règlement communal d’application.
8.1.3.3. Eu égard à la prise de photographies et leur conservation aux fins de constat de
l’infraction
85. Aux termes de ses conclusions, la plaignante reproche également à la première défenderesse
de traiter (en ce compris de conserver) un certain nombre de données à caractère personnel la
concernant en violation du principe de minimisation et ce, aux fins d’établissement du défaut de
paiement de la redevance due. Ainsi, la plaignante estime par exemple que les photographies de son
véhicule (en ce compris sa carte professionnelle posée sur l’habitacle, le nom de son garage)
n’apportent aucun élément de nature à préciser l’infraction qui lui est reprochée et sont donc sans
pertinence. Il en va de même pour la photographie de sa plaque d’immatriculation dont elle s’interroge
sur la nécessité du traitement (en ce compris la conservation).
86. La première défenderesse indique aux termes de ses conclusions que ses agents collectent de
telles données dans le cadre de l’établissement de l’infraction. Elle doit, en application de l’article 870
du Code judiciaire et compte tenu de la jurisprudence des cours et tribunaux, se ménager la preuve
de l’infraction qu’elle allègue devant les juridictions compétentes en la matière. Elle ajoute enfin :
« qu’en prenant les photos permettant d’assurer avec certitude qu’aucun ticket ou disque de
stationnement ne figure sur le pare-brise du véhicule, que la voiture est stationnée dans un
lieu où le stationnement est payant et/ou en zone bleue à une date où la personne concernée
doit payer ce stationnement, la concluante ne viole pas le principe de minimisation » (page
14 des conclusions de la première défenderesse).
Décision quant au fond 81/2020- 22/45
87. La Chambre Contentieuse rappelle que fut-ce aux fins de se ménager la preuve nécessaire
d’un manquement à une règle de stationnement, le responsable de traitement est tenu de respecter
l’ensemble des obligations qui lui incombent en application du RGPD pendant toute la durée des
traitements (collecte, communication, conservation, …) des données personnelles. Il ne ressort pas de
la compétence première de la Chambre Contentieuse de déterminer quelles seraient les preuves
suffisantes et pertinentes à présenter aux juridictions compétentes. Il n’en demeure pas moins que
dès lors que ces éléments de preuve constituent des données à caractère personnel – dont des images
comme en l’espèce – traitées à des fins d’établissement des faits reprochés, ces données doivent être
pertinentes au regard de la finalité poursuivie. Sans conclure à un manquement au principe de
minimisation dans le chef de la première défenderesse en l’espèce, la Chambre Contentieuse invite
cette dernière à y être attentive à l’avenir et à sensibiliser ses préposés qui opèrent les constats sur le
terrain à agir avec discernement à cet égard. La Chambre Contentieuse rappelle également le principe
selon lequel les données personnelles ne peuvent être conservées pendant une durée n’excédant pas
celle nécessaire au regard des finalités pour lesquelles elles sont traitées (article 5.1 e) du RGPD).
8.1.4. Quant aux manquements aux articles 5.2. et 24 du RGPD
88. L’article 24.1 du RGPD qui chapeaute le Chapitre IV du RGPD consacré aux obligations des
responsables de traitement (et des sous-traitants) et qui traduit le principe énoncé à l’article 5.2. du
RGPD, prévoit que « compte tenu de la nature, de la portée, du contexte et des finalités du traitement
ainsi que des risques, dont le degré de probabilité et de gravité varie, pour les droits et libertés de
personnes physiques, le responsable du traitement met en œuvre les mesures techniques et
organisationnelles appropriées pour s’assurer et être en mesure de démontrer que le traitement est
effectué conformément au présent règlement. Ces mesures sont réexaminées et actualisées si
nécessaire. »
89. L’article 24.2. du RGPD précise que lorsque cela est proportionné au regard des activités de
traitement, les mesures évoquées à l’article 24.1. du RGPD ci-dessus comprennent la mise en œuvre
de politiques appropriées en matière de protection des données par le responsable de traitement.
90. La Chambre Contentieuse est d’avis, au vu de ce qui a été constaté ci-dessus aux titres 8.1.1.,
8.1.2. et 8.1.3. , que la première défenderesse était à l’époque des faits en défaut de mettre en œuvre
les mesures techniques et organisationnelles adéquates requises par l’article 24.1 et 2 du RGPD pour
garantir non seulement un exercice effectif des droits des personnes concernées telles la plaignante –
en particulier son droit à l’information et son droit d’accès - ainsi que le respect du principe de
minimisation lors de la consultation de la DIV.
Décision quant au fond 81/2020- 23/45
91. S’agissant plus particulièrement des droits des personnes concernées, la Chambre
Contentieuse insiste sur le fait que le règlement communal, lequel décrit certes la succession des
interventions de la première et de la seconde défenderesse dans le cadre du recouvrement amiable
de redevance de stationnement, ne peut à lui seul constituer une mesure adéquate au sens de l’article
24 du RGPD. Il ne permet à la première défenderesse ni de s’assurer que le traitement est effectué
conformément au RGPD ni de le démontrer. La Chambre Contentieuse n’en prend pas moins acte des
engagements pris par la première défenderesse pour se conformer à ses obligation à cet égard (voy.
infra titre 9.1.).
8.1.5. Conclusion quant aux manquements de la première défenderesse
92. En conclusion la Chambre Contentieuse constate les manquements suivants dans le chef de
la première défenderesse :
- un manquement à son obligation d’information (article 14.1-2, combiné à l’article 12.3 et 12.1.
du RGPD)
- un manquement à son obligation de donner suite à l’exercice du droit d’accès de la plaignante
dans le délai légal qui lui est imparti pour ce faire (article 15.1 combiné à l’article 12.3. du
RGPD ainsi qu’à l’article 12.2. du RGPD (obligation de facilitation de l’exercice des droits))
- un manquement au principe de minimisation lors de la consultation prématurée de la DIV
(article 5.1 c) du RGPD)
- un manquement à son obligation de mettre en place les mesures techniques et
organisationnelles adéquates qu’exige la mise en œuvre des articles 5.2 et 24. 1-2 du RGPD.
8.2. Quant aux manquements dans le chef de la seconde défenderesse
8.2.1. Quant au manquement à l’obligation d’information (articles 12 et 14 du RGPD)
93. La plaignante reproche à la seconde défenderesse de ne pas l’avoir informée conformément
aux prescrits de l’article 14 du RGPD lors de son premier contact avec elle, soit par le biais de la mise
en demeure qu’elle lui a adressée le 25 février 2019 (point 7 ci-dessus).
94. La seconde défenderesse considère pour sa part que l’exception prévue à l’article 14.5. c) du
RGPD lui est applicable. Elle s’appuie à cet égard sur l’article [...] du règlement communal du [...]
reproduit ci-dessous9
: [……]


9 A noter que dans sa mise en demeure du 25 février 2019, la seconde défenderesse évoque un règlement
9 Note that in its formal notice of February 25, 2019, the second defendant refers to a settlement
communal (erroné – voy. le titre 7.2. ci-dessus) uniquement en ces termes : « les éventuels frais de recouvrement
communal (erroneous - see Title 7.2. above) only in these terms: "the possible recovery costs
amiable mis à charge de l’usager le sont conformément à l’article [...] du règlement communal du [...] de la
amicably charged to the user are in accordance with article [...] of the municipal regulations of [...] of the
commune de [...] relatif à la redevance sur le stationnement ».
municipality of [...] relating to the parking fee ”.
Décision quant au fond 81/2020- 24/45
Decision on the merits 81 / 2020- 24/45
95. La Chambre Contentieuse relève qu’aux termes de l’article 14.5.c) du RGPD, le responsable
 
de traitement est dispensé de son obligation d’information lorsque et dans la mesure où « l'obtention
95. The Litigation Chamber notes that under Article 14.5.c) of the GDPR, the person responsible
ou la communication des informations sont expressément prévues par le droit de l'Union ou le droit
processing is exempt from its obligation to provide information when and to the extent that "obtaining
de l'État membre auquel le responsable du traitement est soumis et qui prévoit des mesures
or the communication of information is expressly provided for by Union law or by law
appropriées visant à protéger les intérêts légitimes de la personne concernée »
of the Member State to which the controller is subject and which provides for measures
appropriate measures aimed at protecting the legitimate interests of the data subject '
10
10
.
.
96. La Chambre Contentieuse note une différence de langue entre la version française et, par
 
exemple, les versions néerlandaise et anglaise de cette disposition. En effet, alors que la version
96. The Contentious Chamber notes a language difference between the French version and, by
française de l’article 14.5.c) mentionne « lorsque et dans la mesure où l’obtention ou la communication
example, the Dutch and English versions of this provision. Indeed, while the version
des informations sont expressément prévues par le droit de l’Union ou de l’Etat membre », les versions
French of Article 14.5.c) mentions "when and to the extent that the obtaining or the communication
néerlandaise et anglaise du texte retiennent respectivement les termes suivants : « wanneer en voor
information is expressly provided for by Union or Member State law ", the versions
Dutch and English respectively use the following terms: "wanneer en voor
zover het verkrijgen of verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of
zover het verkrijgen of verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of
lidstaatelijk recht » et « where and insofar obtaining or disclosure is expressly laid down byUnion or
lidstaatelijk recht ”and“ where and insofar obtaining or disclosure is expressly laid down byUnion or
Member State law ». La Chambre Contentieuse est d’avis que c’est bien l’obtention et la
Member State law . The Litigation Chamber is of the opinion that it is the obtaining and the
communication de données qui doit être prévue par le droit national et ce nonobstant les termes de
communication of data which must be provided for by national law and notwithstanding the terms of
la version française de l’article 14.5.c) du RGPD.
the French version of Article 14.5.c) of the GDPR.
97. La Chambre Contentieuse estime que la seconde défenderesse ne peut s’appuyer sur la
 
dispense d’information prévue à l’article 14.5 c) du RGPD en l’espèce pour les motifs décrits ci-après.
97. The Contentious Chamber considers that the second defendant cannot rely on the
98. Ce qui est prévu à l’article 14.5. c) du RGPD constitue une exception au droit à l’information.
exemption from the information provided for in Article 14.5 c) of the GDPR in this case for the reasons described below.
A défaut d’être informée que des traitements de données la concernant sont opérés, la personne
 
concernée est privée d’une information qui lui est en principe spontanément fournie par le responsable
98. What is provided for in Article 14.5. c) of the GDPR constitutes an exception to the right to informationormation.
de traitement et qui facilite l’exercice de ses autres droits dont elle est par ailleurs informée de
Failing to be informed that data processing concerning him is carried out, the person
l’existence et des modalités d’exercice (article 13.2 b), c) et d) et 14.2 c), d) et e) du RGPD).
concerned is deprived of information which is in principle spontaneously provided to him by the manager
99. Cette dispense doit être interprétée de manière restrictive dès lors qu’elle constitue une
processing and which facilitates the exercise of its other rights of which it is also informed of
exception à l’obligation d’information prévue par le droit fondamental à la protection des données11 et
the existence and modalities of exercise (article 13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR).
ce d’autant plus qu’elle prive, comme déjà mentionné, la personne concernée d’une information sur
 
l’existence et les modalités d’exercice de ses autres droits lesquels ne sont, quant à eux, PAS soumis
99. This exemption must be interpreted restrictively since it constitutes a
à la même exception « en cas d’obtention ou communication expressément prévue par la loi ». A titre
exception to the information obligation provided for by the fundamental right to data protection11 and
d’exemple, le droit d’accès (article 15 du RGPD) - qui ouvre à son tour la voie à l’exercice d’autres
all the more so as it deprives, as already mentioned, the data subject of information about
the existence and the modalities of exercise of its other rights which are NOT subject
with the same exception "in the event of obtaining or communicating expressly provided for by law". As
for example, the right of access (Article 15 of the GDPR) - which in turn paves the way for the exercise of others
 
10 It is the Litigation Chamber that emphasizes.
11 The Contentious Chamber recalls the constant case law of the Court of Justice of the European Union which
interprets the exceptions to the fundamental right to data protection restrictively: see. by
example: C. Docksey and H. Hijmans, The Court of Justice as a Key Player in Privacy and Data Protection, EDPL
Review (2019), pp. 300-316, and the case-law cited (in particular, p. 309).
Decision on the merits 81 / 2020- 25/45
rights such as the right to rectification, opposition or even erasure in particular - do not know
this exception (article 15.4. of the GDPR).
 
100. The Litigation Chamber notes that in this case, as already noted, the municipal regulations
relied on by the second defendant describes the succession of interventions by the first and
second defendants in the management of the collection of parking fees (as well as
surcharges due in default / or in the event of late payment). In other words, the regulation
municipality on which the second defendant bases its exemption from information does not inform
to the data processing carried out in execution thereof. At most it allows us to deduce that
information will be exchanged between the first and the second respondent in the context
a violation of the parking rules in order to recover the fee due. We design
certainly that these interventions will induce the obtaining and communication of personal data. Those -
However, these are not expressly provided for, at most they can be implicitly deduced.
 
101. Moreover, this exception can only be invoked if appropriate guarantees aimed at
protect the legitimate interests of the persons concerned are provided for by said regulation. The
Litigation Chamber considers that in the present case, these guarantees must consist of a set
minimum information relating to data processing which must appear in the act
regulatory under which the communication of information takes place.
 
102. The Litigation Chamber is of the opinion that at a minimum, the following information -
inspired by Article 23.2. of the GDPR - should have been included: purpose of the processing, categories of data
of a personal nature processed, identity of the controller, retention period and a
reference to the rights of data subjects.
 
103. Those guarantees must admittedly be provided for by national law. The lack of guarantees
appropriate is certainly not attributable to the second defendant. The fact remains that at
under the GDPR, it is the data controller who is responsible for verifying whether he can legitimately
invoke the exception provided for in Article 14.5.c) of the GDPR. The Litigation Chamber recognizes that in
depending on the case and in particular the quality of the data controller, this examination may
not be easy, especially with regard to the existence of appropriate guarantees. However, in this case,
the municipal regulation that the second defendant relies on in support of its exemption does not deal with
data protection aspects, which left little room for doubt as to
whether he could legitimize a waiver of information. The legal framework for
the profession of bailiffs and the respect due to their ethical rules are not enough in themselves
to constitute appropriate guarantees in terms of data protection within the meaning of Article 14.5.c)
of the GDPR.
Decision on the merits 81 / 2020- 26/45
 
104. In conclusion, the Contentious Chamber finds that the second defendant, relying on
wrong on the exemption provided for in Article 14.5 c) of the GDPR (since the municipal regulation does not provide
not expressly obtaining and communicating data and in the absence of guarantees
appropriate otherwise) failed to fulfill its obligation to provide information, thus contravening Article 14.1-2
taken together with section 123. of the GDPR.
 
105. According to its conclusions, the second defendant indicates to the Contentious Chamber
What does it say "if the exception should not apply, she noted that the reference to her website
appearing in his letters of formal notice does not, at least at first glance, allow
to inform the persons concerned that they can obtain information directly on the website of the
conclusive ”(page 9 of the main conclusions of the second defendant). She proposes
to add to the reference appearing on its model a specific mention concerning the protection of life
privacy policy referring to its privacy information document available on its site.
 
106. The Contentious Chamber is indeed of the opinion that the mere mention of a website
on a letter - site on which a privacy statement can be viewed - does not constitute
not information that complies with the requirements of the GDPR. At a minimum, a “protection of
data ”containing the essential elements of the processing operations concerned and an explicit reference to the
privacy policy (relevant part if applicable) available on the site for the surplus must
To be scheduled. The Contentious Chamber reviews in this regard what it has indicated above with regard to
the “Privacy” clause of the first defendant (point 57 et seq.).
 
107. The Contentious Chamber also wishes to clarify the following. As part of his
argument, the second defendant concludes that the GDPR does not impose on the person responsible for
processing to communicate to the persons concerned the references of the supporting normative act
which he considers to be exempted from his obligation to inform. However, failing any
information in this regard, it is illusory to think that the persons concerned will seek (and
will find) the normative act in question containing the required guarantees and allowing them to
get informed. The Contentious Chamber considers that it would be, when this exemption from information can be
invoked (quod non in this case), it is good practice to communicate this reference.
8.2.2. As for the breach of the right of access (article 15 of the GDPR)
 
108. As the Contentious Chamber recalled above with regard to the obligations of
first defendant, the data subject has the right to obtain from the controller the
confirmation that personal data concerning him is or is not being processed and,
when they are, access to said personal data as well as the elements
information listed in letters a) to h) of Article 15.1. of the GDPR.
Decision on the merits 81 / 2020- 27/45
 
109. The complainant reports a fragmentary response to the request for the right of access that she has
addressed to the second defendant. She is of the opinion that she was not fully informed
relative to the source of the data.
 
110. The second defendant points out that on page 3 of its letter in reply of 2 April 2019,
she specified that she was mandated by the first defendant who had communicated to her the
complainant and file data.
 
111. Based on the documents produced, the Contentious Chamber is not in a position to conclude that
a breach of Article 15 of the GDPR on the part of the second defendant.
8.2.3. Regarding the breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the RGPD) which are communicated to him by the first defendant then even
that it would not be validly founded
 
112. The Contentious Chamber notes that the Complainant considers that the second Respondent
performs illegal data processing when it collects and stores data relating to
his vehicle (photos of the windshield and general photo of the vehicle sent to him by the
first defendant). The Contentious Chamber refers in this regard to the considerations it has
set out in Title 8.1.3.3. above with regard to this complaint also criticized in the first
defendant.
 
113. The Contentious Chamber does not find any breach in the head of the second
defendant in this regard.
8.2.4. As for the payment request form and the obtaining of a forced consent (article
6.1 a) of the GDPR - article 5.1 c) of the GDPR)
 
114. On February 25, 2019, the Complainant was sent by the Second Respondent a warning
remains to pay the amount of the fee of […] euros ([…] +5) plus the summons costs
and a collection fee, bringing the amount claimed to the sum of […] euros (point 7 above).
 
115. A form was attached to this formal notice, entitled "Form to be returned to us"
printed in larger letters, framed and immediately followed by the following statement, in bold
underlined: "Only this duly completed form and its annexes will be taken into account for the
processing of your payment request or your dispute ”.
 
116. The following data are requested at the ends of this form: surname, first name, date of
birth, address, postal code and town, telephone number, mobile number, e-mail address.
Decision on the merits 81 / 2020- 28/45
Three choices in terms of payment proposals are also mentioned under which
the debtor
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) request a clearance plan or
- (3) indicates that it is impossible to pay the amount.
 
117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this
form by the second defendant without it being established that she herself completed it. There is
therefore no, strictly speaking, "processing of personal data" by the complainant
via this form. Refusal to complete a form that turns out to be against the law (as it will be
demonstrated below), however, cannot result in a situation whereby the House
Litigation could not exercise the missions and powers conferred on it by Articles 57 and 58 of the
RGPD and the LCA with regard to a practice that involves data processing subject to the RGPD.
The contentious chamber is, therefore, irrespective of whether there is a breach
with regard to the complainant, empowered to examine this grievance against which the second respondent has
also had the opportunity to defend themselves.
 
118. The complainant considers that, given the wording of the form, its presentation,
its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be
considered that the consent of the data subject to provide the data mentioned on this
form would be free. The complainant is also of the opinion that the collection of data via this form
ignored the principle of minimization.
 
119. The second defendant argues, on the contrary, that this form allows persons
concerned to voice their dispute or their wish to benefit from a clearance plan.
The second defendant adds that the purpose of the form is clearly stated in the setting
remains of which it constitutes an annex and that no obligation for the person concerned can
be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the
GDPR to collect said data and carry out subsequent processing. The notice
states that consultation of the file and requests for online clearance and / or payment may
be done via the site or by e-mail and that additional information can be obtained via
the form.
 
120. As to the principle of minimization, the second defendant states that the form allows,
by offering the persons concerned various possibilities (postal address, telephone number
telephone, mobile phone number, e-mail address) to choose the mode of communication and
the contact data necessary for this purpose without there being any obligation to complete the form
Decision on the merits 81 / 2020- 29/45
(point 119 above), nor - in the event that the debtor wishes to make use of it - obligation to
provide data for each of the headings of said form.


10 C’est la Chambre Contentieuse qui souligne.
121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the
11 La Chambre Contentieuse rappelle la jurisprudence constante de la Cour de Justice de l’Union européenne qui
person concerned as being "any manifestation of will, free
interprète de manière restrictive les exceptions au droit fondamental à la protection des données : voy. par
exemple : C. Docksey and H. Hijmans, The Court of Justice as a Key Player in Privacy and Data Protection, EDPL
Review (2019), pp. 300-316, et la jurisprudence citée (notamment, p. 309).
Décision quant au fond 81/2020- 25/45
droits tels le droit à la rectification, d’opposition ou encore d’effacement notamment – ne connait pas
cette exception (article 15.4. du RGPD).
100. La Chambre Contentieuse constate qu’en l’espèce, comme déjà relevé, le règlement communal
invoqué par la seconde défenderesse décrit la succession des interventions de la première et de la
seconde défenderesses dans la gestion de la perception des redevances de stationnement (ainsi que
les majorations dues à défaut /ou en cas de retard de paiement). En d’autres termes, le règlement
communal sur lequel la seconde défenderesse fonde sa dispense d’information n’informe pas quant
aux traitements de données opérés en exécution de celui-ci. Tout au plus permet-il de déduire que
des informations seront échangées entre la première et la seconde défenderesse dans le contexte
d’une infraction aux règles de stationnement dans le but de récupérer la redevance due. L’on conçoit
certes que ces interventions induiront obtention et communication de données personnelles. Celles –
ci ne sont toutefois pas expressément prévues, tout au plus, peuvent-elles être implicitement déduites.
101. Cette exception ne peut par ailleurs être invoquée que si des garanties appropriées visant à
protéger les intérêts légitimes des personnes concernées sont prévues par ladite règlementation. La
Chambre Contentieuse estime qu’en l’espèce, ces garanties doivent consister en un ensemble
d’informations minimales relatives aux traitements de données lesquelles doivent figurer dans l’acte
réglementaire en exécution duquel la communication des informations a lieu.
102. La Chambre Contentieuse est d’avis qu’au minimum, les éléments d’information suivants -
inspirés de l’article 23.2. du RGPD - auraient dû y figurer : finalité du traitement, catégories de données
à caractère personnel traitées, identité du responsable de traitement, durée de conservation et une
référence aux droits des personnes concernées.
103. Ces garanties doivent certes être prévues par le droit national. L’absence de garanties
appropriées n’est certes pas imputable à la seconde défenderesse. Il n’en demeure pas moins, qu’aux
termes du RGPD, c’est au responsable de traitement qu’il incombe de vérifier si il peut légitimement
invoquer l’exception prévue à l’article 14.5.c) du RGPD. La Chambre Contentieuse reconnait qu’en
fonction du cas d’espèce et notamment de la qualité du responsable de traitement, cet examen peut
ne pas être aisé, en particulier quant à l’existence de garanties appropriées. Toutefois , en l’espèce,
le règlement communal que la seconde défenderesse invoque à l’appui de sa dispense n’aborde en
aucune manière les aspects de protection des données, ce qui laissait peu de place au doute quant à
la question de savoir s’il pouvait légitimer une dispense d’information. L’encadrement légal de la
profession d’huissiers et le respect dû à leurs règles déontologiques ne suffisent pas en elles-mêmes
à constituer des garanties appropriées en termes de protection des données au sens de l’article 14.5.c)
du RGPD.
Décision quant au fond 81/2020- 26/45
104. En conclusion, la Chambre Contentieuse constate que la seconde défenderesse, s’appuyant à
tort sur la dispense prévue à l’article 14.5 c) du RGPD (dès lors que le règlement communal ne prévoit
pas expressément l’obtention et la communication de données et en l’absence de garanties
appropriées par ailleurs) a manqué à son obligation d’information contrevenant ainsi à l’article 14.1-2
combiné à l’article 12.3. du RGPD.
105. Aux termes de ses conclusions, la seconde défenderesse indique à la Chambre Contentieuse
que dit « si l’exception ne devait pas s’appliquer, elle a pris note que le renvoi vers son site Internet
figurant sur ses courriers de mise en demeure ne permet pas, à première vue à tout le moins,
d’indiquer aux personnes concernées qu’elles peuvent s’informer directement sur le site Internet de la
concluante » (page 9 des conclusions principales de la seconde défenderesse). Elle se propose
d’ajouter au renvoi figurant sur son modèle une mention spécifique concernant la protection de la vie
privée renvoyant vers son document d’information relatif à la vie privée disponible sur son site.
106. La Chambre Contentieuse est effectivement d’avis que la simple mention d’un site Internet
sur un courrier – site sur lequel une déclaration de confidentialité peut être consultée – ne constitue
pas une information conforme aux prescrits du RGPD. Au minimum, une clause « protection des
données » reprenant les éléments essentiels des traitements concernés et un renvoi explicite vers la
politique de confidentialité ( partie pertinente le cas échéant) disponible sur le site pour le surplus doit
être prévu. La Chambre Contentieuse revoie à cet égard à ce qu’elle a indiqué ci-dessus à l’égard de
la clause « Privacy » de la première défenderesse (points 57 et suivants).
107. La Chambre Contentieuse tient par ailleurs à préciser ce qui suit. Dans le cadre de son
argumentation, la seconde défenderesse conclut que le RGPD n’impose pas au responsable de
traitement de communiquer aux personnes concernées les références de l’acte normatif à l’appui
duquel il considère être dispensé de son obligation d’information. Cependant, à défaut de toute
information à cet égard, il est illusoire de penser que les personnes concernées chercheront (et
trouveront) l’acte normatif en question contenant les garanties requises et leur permettant de
s’informer. La Chambre Contentieuse estime qu’il serait, lorsque cette dispense d’information peut être
invoquée (quod non en l’espèce), de bonne pratique de communiquer cette référence.
8.2.2. Quant au manquement au droit d’accès (article 15 du RGPD)
108. Comme la Chambre Contentieuse l’a rappelé ci-dessus au regard des obligations de la
première défenderesse, la personne concernée a le droit d’obtenir du responsable de traitement la
confirmation que des données à caractère personnel la concernant sont ou ne sont pas traitées et,
lorsqu’elles le sont, l’accès aux dites données à caractère personnel ainsi que les éléments
d’information listés aux littéras a) à h) de l’article 15.1. du RGPD.
Décision quant au fond 81/2020- 27/45
109. La plaignante fait état d’une réponse parcellaire à la demande de droit d’accès qu’elle a
adressée à la seconde défenderesse. Elle est d’avis qu’elle n’a pas été informée complétement
relativement à la source des données.
110. La seconde défenderesse souligne qu’en page 3 de son courrier en réponse du 2 avril 2019,
elle a précisé qu’elle était mandatée par la première défenderesse qui lui avait communiqué les
données de la plaignante et du dossier.
111. A l’appui des pièces produites, la Chambre Contentieuse n’est pas en mesure de conclure à
un manquement à l’article 15 du RGPD dans le chef de la seconde défenderesse.
8.2.3. Quant au manquement aux principes de proportionnalité et réutilisation illégale des données
(articles 5 et 6 du RGPD) qui lui sont communiquées par la première défenderesse alors même
qu’elle n’y serait pas valablement fondée
112. La Chambre Contentieuse relève que la plaignante considère que la seconde défenderesse
effectue des traitements de données illégaux lorsqu’elle collecte et enregistre les données relatives à
son véhicule (photos du pare-brise et photo générale du véhicule qui lui sont transmises par la
première défenderesse). La Chambre Contentieuse renvoie à cet égard aux considérations qu’elle a
énoncées au titre 8.1.3.3. ci-dessus au regard de ce grief également reproché à la première
défenderesse.
113. La Chambre Contentieuse ne retient aucun manquement dans le chef de la seconde
défenderesse à cet égard.
8.2.4. Quant au formulaire de demande de paiement et l’obtention d’un co..nsentement forcé (article
6.1 a) du RGPD – article 5.1 c) du RGPD)
114. Le 25 février 2019, la plaignante s’est vue adresser par la seconde défenderesse une mise en
demeure de payer le montant de la redevance de […] euros ([…] +5) majorée des frais de sommation
et d’un droit d’encaissement, portant le montant réclamé à la somme de […] euros (point 7 ci-dessus).
115. Un formulaire était joint à cette mise en demeure, intitulé « Formulaire à nous retourner »
imprimé en lettres plus grandes, encadré et immédiatement suivi de la mention suivante, en gras
souligné : « Seul ce formulaire dûment complété ainsi que ses annexes seront pris en compte pour le
traitement de votre demande de paiement ou votre contestation ».
116. Les données suivantes sont demandées aux termes de ce formulaire : nom, prénom, date de
naissance, adresse, code postal et localité, numéro de téléphone, numéro de GSM, adresse e-mail.
Décision quant au fond 81/2020- 28/45
Trois choix en termes de propositions de paiement sont par ailleurs mentionnés aux termes desquels
le débiteur
- (1) s’engage à payer la totalité du montant à une date à mentionner, ou
- (2) sollicite un plan d’apurement ou
- (3) indique être dans l’impossibilité de payer le montant.
117. A titre liminaire, la Chambre Contentieuse note que la plaignante dénonce l’utilisation de ce
formulaire par la seconde défenderesse sans qu’il soit établi qu’elle l’ait elle-même complété. Il n’y a
donc pas eu, à strictement parler, de « traitement de données à caractère personnel » de la plaignante
via ce formulaire. Le refus de compléter un formulaire qui s’avère contraire à la loi (ainsi qu’il sera
démontré ci-dessous), ne peut cependant résulter en une situation aux termes de laquelle la Chambre
Contentieuse ne pourrait exercer les missions et les pouvoirs que lui confèrent les articles 57 et 58 du
RGPD et la LCA au regard d’une pratique qui implique des traitements de données soumis au RGPD .
La Chambre contentieuse est, partant, indépendamment de la question de savoir s’il y a manquement
à l’égard de la plaignante, habilitée à examiner ce grief au regard duquel la seconde défenderesse a
par ailleurs eu l’occasion de se défendre.
118. La plaignante estime que compte tenu de la formulation du formulaire, de sa présentation, de
son contenu et du fait qu’il constitue une annexe à une mise en demeure de paiement, il ne peut être
considéré que le consentement de la personne concernée à fournir les données mentionnées sur ce
formulaire serait libre. La plaignante est également d’avis que la collecte de données via ce formulaire
méconnait le principe de minimisation.
119. La seconde défenderesse avance, a contrario, que ce formulaire permet aux personnes
concernées de faire entendre leur contestation ou leur souhait de bénéficier d’un plan d’apurement.
La seconde défenderesse ajoute que l’objectif du formulaire est clairement énoncé dans la mise en
demeure dont il constitue une annexe et qu’aucune obligation pour la personne concernée ne peut
être déduite de cette formulation. Partant, elle peut légitimement s’appuyer sur l’article 6.1 a) du
RGPD pour recueillir lesdites données et opérer les traitements subséquents. La mise en demeure
énonce que la consultation du dossier et les demandes d’apurement et/ou paiement en ligne peuvent
se faire via le site ou par e-mail et que des informations complémentaires peuvent être obtenues via
le formulaire.
120. Quant au principe de minimisation, la seconde défenderesse expose que le formulaire permet,
en proposant aux personnes concernées différentes possibilités (adresse postale, numéro de
téléphone, numéro de téléphone portable, adresse e-mail) de choisir le mode de communication et
les données de contact nécessaires à cet effet sans qu’il y ait ni obligation de compléter le formulaire
Décision quant au fond 81/2020- 29/45
(point 119 ci-dessus), ni – dans l’hypothèse où le débiteur souhaiterait en faire usage – obligation de
fournir de données pour chacune des rubriques dudit formulaire.
121. La Chambre Contentieuse rappelle que l’article 4.11. du RGPD définit le consentement de la
personne concernée comme étant « toute manifestation de volonté, libre
12
12
, spécifique, éclairée et
, specific, illuminated and
univoque par laquelle la personne concernée accepte, par une déclaration ou par un acte positif clair,
unambiguous by which the data subject accepts, by a declaration or by a clear positive act,
que des données à caractère personnel la concernant fassent l'objet d'un traitement.» Le
that personal data concerning him / her are processed. " The
consentement qui fonde un traitement de données en application de l’article 6.1. a) du RGPD doit
consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must
satisfaire à toutes les qualités requises par cette définition.
meet all the qualities required by this definition.
122. L’adjectif «libre» implique un choix et un contrôle réel pour les personnes concernées. Le
 
consentement ne peut être valable que si la personne concernée est véritablement en mesure
122. The adjective "free" implies choice and real control for those concerned. The
d’exercer un choix et s’il n’y a pas de risque de tromperie, d’intimidation, de coercition ou de
consent can only be valid if the data subject is genuinely able
conséquences négatives importantes (par ex. coûts supplémentaires importants) si elle ne donne pas
to exercise a choice and if there is no risk of deception, intimidation, coercion or
son consentement. Le consentement ne sera pas libre lorsque tout élément de contrainte, de pression
significant negative consequences (e.g. significant additional costs) if it does not give
ou d’incapacité d’exercer un véritable choix sera présent. Le consentement ne sera par conséquent
his consent. Consent will not be free when any element of coercion, pressure
pas considéré comme étant donné librement si la personne concernée n’est pas en mesure de refuser
or inability to exercise meaningful choice will be present. Consent will therefore not be
ou de retirer son consentement sans subir de préjudice. Le responsable du traitement doit par ailleurs
not considered to be freely given if the data subject is not able to refuse
démontrer qu’il est possible de refuser ou de retirer son consentement sans subir de préjudice
or withdraw consent without suffering prejudice. The controller must also
(considérant 42 du RGPD).13
demonstrate that it is possible to refuse or withdraw consent without suffering prejudice
123. Au moment de déterminer si le consentement est donné librement, il y a dès lors lieu de tenir
(recital 42 of the GDPR) 13
compte d’un éventuel déséquilibre des rapports de force entre la personne concernée et le responsable
 
de traitement. Le considérant 43 du RGPD indique clairement qu’il n’est pas probable que des autorités
123. When determining whether consent is freely given, it is therefore appropriate to
publiques puissent se fonder sur le consentement pour le traitement de données à caractère personnel,
account of a possible imbalance in the balance of power between the person concerned and the manager
dès lors que lorsque le responsable du traitement est une autorité publique, il existe souvent un
treatment. Recital 43 of the GDPR makes it clear that it is not likely that authorizations s of this form: surname, first name, date of
déséquilibre manifeste des rapports de force entre le responsable du traitement et la personne
birth, address, postal code and town, telephone number, mobile number, e-mail address.
concernée.
Decision on the merits 81 / 2020- 28/45
124. Toutefois, les déséquilibres de rapports de force ne se limitent pas aux autorités publiques (et
Three choices in terms of payment proposals are also mentioned under which
aux employeurs vis-à-vis desquels ce déséquilibre existe également le plus souvent). Ces déséquilibres
the debtor
peuvent également exister dans d’autres situations dans lesquelles, comme mentionné ci-dessus (point
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) request a clearance plan or
- (3) indicates that it is impossible to pay the amount.
 
117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this
form by the second defendant without it being established that she herself completed it. There is
therefore no, strictly speaking, "processing of personal data" by the complainant
via this form. Refusal to complete a form that turns out to be against the law (as it will be
demonstrated below), however, cannot result in a situation whereby the House
Litigation could not exercise the missions and powers conferred on it by Articles 57 and 58 of the
RGPD and the LCA with regard to a practice that involves data processing subject to the RGPD.
The contentious chamber is, therefore, irrespective of whether there is a breach
with regard to the complainant, empowered to examine this grievance against which the second respondent has
also had the opportunity to defend themselves.
 
118. The complainant considers that, given the wording of the form, its presentation,
its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be
considered that the consent of the data subject to provide the data mentioned on this
form would be free. The complainant is also of the opinion that the collection of data via this form
ignored the principle of minimization.
 
119. The second defendant argues, on the contrary, that this form allows persons
concerned to voice their dispute or their wish to benefit from a clearance plan.
The second defendant adds that the purpose of the form is clearly stated in the setting
remains of which it constitutes an annex and that no obligation for the person concerned can
be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the
GDPR to collect said data and carry out subsequent processing. The notice
states that consultation of the file and requests for online clearance and / or payment may
be done via the site or by e-mail and that additional information can be obtained via
the form.
 
120. As to the principle of minimization, the second defendant states that the form allows,
by offering the persons concerned various possibilities (postal address, telephone number
telephone, mobile phone number, e-mail address) to choose the mode of communication and
the contact data necessary for this purpose without there being any obligation to complete the form
Decision on the merits 81 / 2020- 29/45
(point 119 above), nor - in the event that the debtor wishes to make use of it - obligation to
provide data for each of the headings of said form.
 
121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the
person concerned as being "any manifestation of will, free, specific, illuminated and
unambiguous by which the data subject accepts, by a declaration or by a clear positive act,
that personal data concerning him / her are processed. " The
consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must
meet all the qualities required by this definition.
 
122. The adjective "free" implies choice and real control for those concerned. The
consent can only be valid if the data subject is genuinely able
to exercise a choice and if there is no risk of deception, intimidation, coercion or
significant negative consequences (e.g. significant additional costs) if it does not give
his consent. Consent will not be free when any element of coercion, pressure
or inability to exercise meaningful choice will be present. Consent will therefore not be
not considered to be freely given if the data subject is not able to refuse
or withdraw consent without suffering prejudice. The controller must also
demonstrate that it is possible to refuse or withdraw consent without suffering prejudice
(recital 42 of the GDPR) 13


12 C’est la Chambre Contentieuse qui souligne.
123. When determining whether consent is freely given, it is therefore appropriate to
13 Comité européen de la protection des données, Lignes directrices 05/2020 sur le consentement au sens du
account of a possible imbalance in the balance of power between the person concerned and the manager
règlement(UE) 2016/679 (points 121- 123) :
treatment. Recital 43 of the GDPR makes it clear that it is not likely that authorizations Similarly, the Litigation Chamber recalls that to be valid, consent must
also be enlightened. For consent to be considered informed, it is necessary that the
controller provides certain information to the data subject, in a form
understandable and easily accessible. Recital 42 of the GDPR requires that the data subject
have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing
for whom this personal data is intended.
 
131. The Contentious Chamber considers that other elements are also crucial for the
data subject can make an informed decision and that their consent is valid.
The controller should provide information on the type of data concerned
by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR),
on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR)
and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection
adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15
.
132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the
second defendant intends to rely in the future, the formal notice should include a
information in the form of a specific clause containing both the elements required for a
informed consent where applicable, and succinct information directly useful with regard to the
processing (s) concerned (point 106 above).
 
14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679 (points 121-123):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
Décision quant au fond 81/2020- 30/45
15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
122), il y a tromperie, intimidation, coercition ou toute conséquence négative importante si la personne
Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version):
concernée refuse de donner son consentement.
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
125. En l’espèce, la Chambre Contentieuse relève que le formulaire joint à la mise en demeure
Decision on the merits 81 / 2020- 32/45
s’intitule « Formulaire à nous retourner » et mentionne que seul le formulaire dûment complété ainsi
133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber
que ses annexes seront pris en compte pour le traitement des demandes de paiement ou
Litigation also notes that with regard to the various data requested under "Your
contestations.
contact details ", no asterisk or other indication indicates that the data subject is free to
126. La Chambre Contentieuse est d’avis que l’utilisation de termes tels que « seul le formulaire »
choose one of the communication modes (telephone number, GSM number, e-mail address) and
« dûment complété », combiné au titre du formulaire et au fait qu’il émane d’une étude d’huissiers
that certain data are therefore optional. Taken in isolation, these data appear relevant
de justice et est joint à une mise en demeure aux termes de laquelle il est précisé qu’défaut de
and not excessive, but here too, the presentation and wording used suggest that there is no
paiement dans le délai une majoration du montant sera appliquée, peut raisonnablement donner à
no alternative to collecting all the information regarding each section of the table.
penser qu’il n’’y a pas d’alternative à la fourniture par le débiteur des informations demandées. Le fait
 
que parmi les propositions de paiement, celui-ci soit invité à mentionner la date à laquelle il effectuera
134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in
le paiement est de nature à donner à penser que le formulaire doit être complété en toute hypothèse
the head of the second defendant.
(et non uniquement en cas de demande d’échelonnement du paiement ou de contestation). La
8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR
mention dans la lettre de mise en demeure déjà citée « Si vous souhaitez obtenir des informations
 
complémentaires, nous vous invitons à vous servir du formulaire en annexe » ne permet pas d’infirmer
135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is
ce qui précède.
of opinion that the second defendant is in default of having implemented the technical measures and
127. A l’appui de ce qui précède, la Chambre Contentieuse constate que le consentement tel que
appropriate organizational structure to ensure and be able to demonstrate that
demandé par la seconde défenderesse ne peut être qualifié de libre et ce, en contradiction avec l’article
data that it processes are, in particular taking into account their nature, the context and
4.11 du RGPD. Partant, la seconde défenderesse ne peut, en l’état, s’appuyer sur celui-ci au titre de
purposes they pursue, carried out in accordance with the GDPR.
base de licéité (article 6.1 a) du RGPD). La Chambre Contentieuse relève également que la « Politique
 
Vie privée » de la seconde défenderesse ne liste pas le consentement au titre des bases de licéité
136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24. 1-2 of
utilisées (article 6 du RGPD).
GDPR in respect of the second defendant.
128. En conclusion sur ce point, la Chambre Contentieuse conclut à un manquement à l’article 6
8.2.6. Conclusion as to the breaches of the second defendant
du RGPD. La Chambre Contentieuse ne se prononce pas sur l’existence d’une éventuelle autre base
 
de licéité qui pourrait légitimer le traitement de tout ou partie des données visées par le formulaire
137. In conclusion, the following shortcomings are noted with regard to the second
par la seconde défenderesse. Il appartient en effet au responsable de traitement qui entreprend des
defendant:
activités de traitement de données personnelles (soit en l’espèce la seconde défenderesse) d’examiner,
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
avant de débuter l’activité de traitement en question, quelle serait, parmi les 6 bases de licéité listées
GDPR)
à l’article 6 du RGPD, la base juridique appropriée pour le traitement envisagé. La Chambre
- a lack of legal basis with regard to the collection of data under the form
Contentieuse insiste à cet égard sur le fait que si un responsable du traitement choisit de se fonder
accompanying the formal notice of payment (article 6 of the GDPR) and a breach of
sur le consentement, il doit être prêt à respecter ce choix. Autrement dit, le responsable du traitement
principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of
ne peut passer du consentement à une autre base juridique. Par exemple, il n’est pas autorisé à utiliser
requested data.
rétroactivement la base juridique de l’intérêt légitime (article 6.1 f) du RGPD) afin de justifier le
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.
Décision quant au fond 81/2020- 31/45
9. Regarding corrective measures and sanctions
traitement lorsque des problèmes sont rencontrés ou soulevés concernant la validité du
138. Under article 100 LCA, the Litigation Chamber has the power to:
consentement14. Partant, sans affirmer ni infirmer l’existence d’une éventuelle autre base de licéité
1 ° dismiss the complaint;
admissible, la Chambre Contentieuse ne peut, en l’espèce, que conclure à l’absence de base de licéité
Decision on the merits 81 / 2020- 33/45
valable - le consentement utilisé ne pouvant être retenu comme il a été démontré ci-dessus - et donc
2 ° order the dismissal;
à un manquement à l’article 6 du RGPD dans le chef de la seconde défenderesse.
3 ° pronounce a suspension of the pronouncement;
129. La Chambre Contentieuse rappelle par ailleurs que l’article 7.2 du RGPD requiert que lorsque
4 ° propose a transaction;
le consentement de la personne concernée est donné dans le cadre d’une déclaration écrite qui
5 ° issue warnings or reprimands;
concerne également d’autres questions, la demande de consentement soit présentée sous une forme
6 ° order compliance with the requests of the person concerned to exercise these rights;
qui la distingue clairement de ces autres questions, sous une forme compréhensible et aisément
7 ° order that the person concerned be informed of the security problem;
accessible, et formulée en des termes clairs et simples.
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
130. De même, la Chambre Contentieuse rappelle que pour être valable, le consentement doit
9 ° order that the processing be brought into conformity;
également être éclairé. Pour que le consentement soit considéré comme éclairé, il faut que le
10 ° order the rectification, restriction or erasure of data and the notification Similarly, the Litigation Chamber recalls that to be valid, consent must
responsable de traitement fournisse certaines informations à la personne concernée, sous une forme
also be enlightened. For consent to be considered informed, it is necessary that the
compréhensible et aisément accessible. Le considérant 42 du RGPD exige que la personne concernée
controller provides certain information to the data subject, in a form
ait, au minimum, connaissance de l’identité du responsable de traitement et des finalités du traitement
understandable and easily accessible. Recital 42 of the GDPR requires that the data subject
auquel sont destinées ces données à caractère personnel.
have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing
131. La Chambre Contentieuse estime que d’autres éléments sont également cruciaux pour que la
for whom this personal data is intended.
personne concernée puisse se décider en connaissance de cause et que son consentement soit valable.
 
Il convient que le responsable de traitement apporte des informations sur le type de données visées
131. The Contentious Chamber considers that other elements are also crucial for the
par le traitement envisagé, sur l’existence d’un droit de retirer son consentement (art. 7.3 du RGPD),
data subject can make an informed decision and that their consent is valid.
sur l’utilisation éventuelle des données pour une prise de décision automatisée (art. 22.2 c) du RGPD)
The controller should provide information on the type of data concerned
et, le cas échéant, sur les risques liés au transfert des données vers un pays n’offrant pas de protection
by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR),
adéquate et en l’absence de garanties appropriées (art. 49.1 a) du RGPD)15
on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR)
and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection
adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15
.
.
132. La Chambre Contentieuse est d’avis que, quelle que soit la base de licéité sur laquelle la
132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the
seconde défenderesse entendrait se fonder à l’avenir, la mise en demeure devrait inclure une
second defendant intends to rely in the future, the formal notice should include a
information sous forme de clause spécifique reprenant à la fois les éléments requis pour un
information in the form of a specific clause containing both the elements required for a
consentement éclairé le cas échéant, et une information succincte directement utile au regard du/des
informed consent where applicable, and succinct information directly useful with regard to the
traitement(s) concerné(s) (point 106 ci-dessus).
processing (s) concerned (point 106 above).


14 Comité européen de la protection des données, Lignes directrices 05/2020 sur le consentement au sens du
14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
règlement(UE) 2016/679 (points 121-123) :
Regulation (EU) 2016/679 (points 121-123):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
15 Comité européen de la protection des données, Lignes directrices 05/2020 sur le consentement au sens du
15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
règlement 2016/679 (point 3.3. pp. 17 et s. de la version française) :
Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
Décision quant au fond 81/2020- 32/45
Decision on the merits 81 / 2020- 32/45
133. Quant au respect du principe de minimisation (article 5.1 c) du RGPD), la Chambre
133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber
Contentieuse relève également qu’au regard des différentes données demandées au titre de « Vos
Litigation also notes that with regard to the various data requested under "Your
coordonnées », aucun astérisque ou autre mention n’indique que la personne concernée est libre de
contact details ", no asterisk or other indication indicates that the data subject is free to
choisir un des modes de communication (numéro de téléphone, numéro de GSM, adresse e-mail) et
choose one of the communication modes (telephone number, GSM number, e-mail address) and
que certaines données sont donc facultatives. Prises isolément, ces données apparaissent pertinentes
that certain data are therefore optional. Taken in isolation, these data appear relevant
et non excessives mais ici aussi, la présentation et la formulation utilisée donnent à penser qu’il n’y a
and not excessive, but here too, the presentation and wording used suggest that there is no
pas d’alternative à la collecte de toutes les informations au regard de chaque rubrique du tableau.
no alternative to collecting all the information regarding each section of the table.
134. La Chambre Contentieuse conclut dès lors à un manquement à l’article 5.1 c) du RGPD dans
134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in
le chef de la seconde défenderesse.
the head of the second defendant.
8.2.5. Quant au respect des articles 5.2. et 24 du RGPD
8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR
135. A l’appui des manquements retenus ci-dessus (8.2.1. et 8.2.4.), la Chambre Contentieuse est
 
d’avis que la seconde défenderesse est en défaut d’avoir mis en œuvre les mesures techniques et
135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is
organisationnelles appropriées pour s’assurer et être en mesure de démontrer que les traitements de
of opinion that the second defendant is in default of having implemented the technical measures and
données qu’elle opère sont, compte tenu tout particulièrement de leur nature, du contexte et des
appropriate organizational structure to ensure and be able to demonstrate that
finalités qu’ils poursuivent, effectués conformément au RGPD.
data that it processes are, in particular taking into account their nature, the context and
136. La Chambre Contentieuse conclut dès lors à un manquement aux articles 5.2. et 24. 1-2 du
purposes they pursue, carried out in accordance with the GDPR.
RGPD dans le chef de la seconde défenderesse.
 
8.2.6. Conclusion quant aux manquements de la seconde défenderesse
136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24. 1-2 of
137. En conclusion, les manquements suivants sont constatés à l’égard de la seconde
GDPR in respect of the second defendant.
défenderesse :
8.2.6. Conclusion as to the breaches of the second defendant
- un manquement à son obligation d’information (article 14.1-2, combiné à l’article 12.3. du
RGPD)
- un défaut de base légale en ce qui concerne le recueil de données aux termes du formulaire
accompagnant la mise en demeure de paiement (article 6 du RGPD) et un manquement au
principe de minimisation (article 5.1 c) du RGPD) compte tenu du caractère excessif des
données demandées.
- un manquement aux articles 5.2. et 24. 1-2 du RGPD.
9. Quant aux mesures correctrices et aux sanctions
138. Aux termes de l’article 100 LCA, la Chambre Contentieuse a le pouvoir de :
1° classer la plainte sans suite ;
Décision quant au fond 81/2020- 33/45
2° ordonner le non-lieu ;
3° prononcer une suspension du prononcé ;
4° proposer une transaction ;
5° formuler des avertissements ou des réprimandes ;
6° ordonner de se conformer aux demandes de la personne concernée d'exercer ces droits;
7° ordonner que l'intéressé soit informé du problème de sécurité;
8° ordonner le gel, la limitation ou l'interdiction temporaire ou définitive du traitement;
9° ordonner une mise en conformité du traitement;
10° ordonner la rectification, la restriction ou l'effacement des données et la notification de celles-ci
aux récipiendaires des données;
11° ordonner le retrait de l'agréation des organismes de certification;
12° donner des astreintes;
13° donner des amendes administratives;
14° ordonner la suspension des flux transfrontières de données vers un autre Etat ou un organisme
international;
15° transmettre le dossier au parquet du Procureur du Roi de Bruxelles, qui l'informe des suites
données au dossier;
16° décider au cas par cas de publier ses décisions sur le site internet de l'Autorité de protection des
données.
139. Quant à l’amende administrative qui peut être imposée en exécution de l’ articles 83 du RGPD
et des articles 100, 13° et 101 LCA, l’article 83 du RGPD prévoit :
« Article 83 RGPD
1. Chaque autorité de contrôle veille à ce que les amendes administratives imposées en
vertu du présent article pour des violations du présent règlement, visées aux paragraphes 4,
5 et 6 soient, dans chaque cas, effectives, proportionnées et dissuasives.
2. Selon les caractéristiques propres à chaque cas, les amendes administratives sont
imposées en complément ou à la place des mesures visées à l'article 58, paragraphe 2, points
a) à h), et j). Pour décider s'il y a lieu d'imposer une amende administrative et pour décider
du montant de l'amende administrative, il est dûment tenu compte, dans chaque cas d'espèce,
des éléments suivants :
a) la nature, la gravité et la durée de la violation, compte tenu de la nature, de la portée ou
de la finalité du traitement concerné, ainsi que du nombre de personnes concernées affectées
et le niveau de dommage qu'elles ont subi;
b) le fait que la violation a été commise délibérément ou par négligence ;
c) toute mesure prise par le responsable du traitement ou le sous-traitant pour atténuer le
dommage subi par les personnes concernées;
Décision quant au fond 81/2020- 34/45
d) le degré de responsabilité du responsable du traitement ou du sous-traitant, compte tenu
des mesures techniques et organisationnelles qu'ils ont mises en œuvre en vertu des articles
25 et 32;
e) toute violation pertinente commise précédemment par le responsable du traitement ou le
sous-traitant;
f) le degré de coopération établi avec l'autorité de contrôle en vue de remédier à la violation
et d'en atténuer les éventuels effets négatifs;
g) les catégories de données à caractère personnel concernées par la violation;
h) la manière dont l'autorité de contrôle a eu connaissance de la violation, notamment si, et
dans quelle mesure, le responsable du traitement ou le sous-traitant a notifié la violation;
i) lorsque des mesures visées à l'article 58, paragraphe 2, ont été précédemment ordonnées
à l'encontre du responsable du traitement ou du sous-traitant concerné pour le même objet,
le respect de ces mesures;
j) l'application de codes de conduite approuvés en application de l'article 40 ou de mécanismes
de certification approuvés en application de l'article 42; et
k) toute autre circonstance aggravante ou atténuante applicable aux circonstances de
l'espèce, telle que les avantages financiers obtenus ou les pertes évitées, directement ou
indirectement, du fait de la violation.
140. ll importe de contextualiser les manquements dont chacune des défenderesses s’est rendue
responsable en vue d’identifier les mesures correctrices et sanctions les plus adaptées.
141. Dans ce cadre, la Chambre Contentieuse tiendra compte de l’ensemble des circonstances de
l’espèce, en ce compris - dans les limites qu’elle précise ci-après - de la réaction communiquée
par chacune des défenderesses au montant d’amende envisagée qui lui a été communiqué (point
I – rétroactes de la procédure)16. A cet égard, la Chambre Contentieuse précise que ledit formulaire
mentionne expressément qu’il n’implique pas de réouverture des débats. Il poursuit comme seul
but de recueillir la réaction des défenderesses sur le montant de l’amende envisagée. Eu égard
aux nouvelles pièces produites attestant des modifications intervenues ou en projet depuis
l’audition, la Chambre Contentieuse en tiendra compte au titre des engagements - par ailleurs
déjà formulés par chacune des parties via leurs conclusions - à se mettre en conformité (points
160 et 179 ci-dessous) sans toutefois en analyser le contenu à ce stade.
142. La Chambre Contentieuse tient également à préciser qu’à l’exception de la démarche évoquée
ci-dessus (point 141), il lui appartient souverainement en qualité d’autorité administrative


16 Voy. à cet égard : Cour d’appel de Bruxelles (19ème chambre A – Cour des marchés), arrêt du 19 février 2020,
137. In conclusion, the following shortcomings are noted with regard to the second
2019/AR/1600 et Cour d’appel de Bruxelles (19ème chambre A – Cour des marchés), arrêt du 2 septembre 2020,
defendant:
2020/AR/329 (disponibles uniquement en néerlandais).
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
Décision quant au fond 81/2020- 35/45
GDPR)
indépendante - dans le respect des articles pertinents du RGPD et de la LCA - de déterminer la/les
- a lack of legal basis with regard to the collection of data under the form
mesure(s) correctrice(s) et sanction(s) appropriée(s).
accompanying the formal notice of payment (article 6 of the GDPR) and a breach of
143. Ainsi, il n’appartient pas au plaignant de solliciter de la Chambre Contentieuse quelle ordonne
principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of
telle ou telle mesure correctrice ou sanction. Si, nonobstant ce qui précède, le/la plaignant(e)
requested data.
devait néanmoins demander à la Chambre Contentieuse qu’elle prononce l’une ou l’autre mesure
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.
et/ou sanction, il n’incombe pas dès lors à cette dernière de motiver pourquoi elle ne retiendrait
9. Regarding corrective measures and sanctions
pas l’une ou l’autre demande formulée par le/la plaignant(e). Ces considérations laissent intacte
138. Under article 100 LCA, the Litigation Chamber has the power to:
l’obligation pour la Chambre Contentieuse de motiver le choix des mesure et sanction auxquelles
1 ° dismiss the complaint;
elle juge, (parmi la liste des mesures et sanctions mises à sa disposition par les articles 58 du
Decision on the merits 81 / 2020- 33/45
RGPD et 95.1 et 100.1 de la LCA) approprié de condamner la partie mise en cause.
2 ° order the dismissal;
144. En l’espèce, la Chambre Contentieuse relève que la plaignante sollicite notamment de la
3 ° pronounce a suspension of the pronouncement;
Chambre Contentieuse qu’elle ordonne une mise en conformité sous peine d’astreinte. Sans
4 ° propose a transaction;
préjudice de ce qui précède, mais dès lors qu’elle vient de publier sa politique à cet égard, la
5 ° issue warnings or reprimands;
Chambre Contentieuse renvoie sur ce point à la publication désormais disponible sur son site
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of data and the notification e or such corrective measure or sanction. If, notwithstanding the above, the complainant
had nevertheless to ask the Litigation Chamber to pronounce one or the other measure
and / or sanction, it is therefore not up to the latter to justify why it would not retain
not one or the other request made by the complainant. These considerations leave intact
the obligation for the Litigation Chamber to justify the choice of measures and sanctions to which
it judges, (among the list of measures and sanctions made available to it by Articles 58 of
GDPR and 95.1 and 100.1 LCA) appropriate to condemn the party in question.
144. In the present case, the Contentious Chamber notes that the complainant seeks in particular
Litigation Chamber that it order compliance under penalty of penalty. Without
prejudice to the above, but since it has just published its policy in this regard, the
Litigation Chamber refers on this point to the publication now available on its website
Internet17
Internet17
.
.
145. S’agissant de l’amende administrative, la Chambre Contentieuse souligne qu’elle a pour but
145. With regard to the administrative fine, the Contentious Chamber emphasizes that its aim is
de faire appliquer efficacement les règles du RGPD. D’autres mesures, telles l’ordre de mise en
to effectively enforce the rules of the GDPR. Other measures, such as the order of
conformité ou l’interdiction de poursuivre certains traitements par exemple, permettent quant à
compliance or the prohibition to continue certain treatments, for example, allow
elles de mettre fin à un manquement constaté. Comme cela ressort du considérant 148 du RGPD,
they put an end to a breach found. As can be seen from recital 148 of the GDPR,
les sanctions, y compris les amendes administratives, sont infligées en cas de violations sérieuses,
sanctions, including administrative fines, are imposed in the event of serious violations,
en complément ou à la place des mesures appropriées qui s’imposent. Dès lors, l’amende
in addition to or in place of the appropriate measures that are required. Therefore, the fine
administrative peut assurément venir sanctionner un manquement grave auquel il aurait été
administrative can certainly come to sanction a serious breach to which it would have been
remédié en cours de procédure ou qui serait sur le point de l’être. Il n’en demeure pas moins que
remedied during the proceedings or which would be about to be remedied. The fact remains that
la Chambre Contentieuse tiendra compte de ce qu’il aura été mis fin ou de ce qu’il est en voie
the Litigation Chamber will take into account what has been terminated or what is in progress
d’être remédié aux dits manquements dans la fixation du montant de l’amende.
to remedy the said breaches in setting the amount of the fine.
9.1. Quant à la première défenderesse
9.1. As to the first defendant
146. La Chambre Contentieuse a constaté un manquement aux articles 14. 1-2 combiné à l’article
146. The Contentious Chamber noted a breach of Articles 14. 1-2 combined with Article
12.1 et 12.3, 15.1 combiné à l’article 12.3 et à l’article 12.2., 5.1 c) et 5.2. 24. 1-2 du RGPD (point 92
12.1 and 12.3, 15.1 combined with Article 12.3 and Article 12.2., 5.1 c) and 5.2. 24. 1-2 of the GDPR (point 92
ci-dessus).
above).
 
17 See. on the APD website, Section Authority - Organization - Litigation Chamber:
https://www.autoriteprotectiondonnees.be/citoyen/l-autorite/ organizations and
https://www.autoriteprotectiondonnees.be/professionnel/l-autorite/ organizations
Decision on the merits 81 / 2020- 36/45
 
147. In view of the observation of these breaches, the Contentious Chamber addresses to the first
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.
 
148. The Contentious Chamber further notes that the first defendant has, without
await the decision of the Litigation Chamber, upon its conclusions and during the hearing, taken a
a number of commitments to remedy the shortcomings identified by the Inspector General in
his report. The Litigation Chamber is of the opinion that a number of changes and measures
must in fact, as quickly as possible, be brought by the first defendant to
comply with its obligations under the GDPR. The Litigation Chamber therefore
imposes a detailed compliance order for the device in application of article 100. 1, 9 ° LCA
(see in this regard the clarification in point 141 above).
 
149. In addition to this reprimand18 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.
 
150. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 5.1 c) of the GDPR, it constitutes a breach of one of the principles
founders of the GDPR (and of data protection law in general), or the principle of
minimization devoted to Chapter II "Principles" of the GDPR.
 
151. As regards the breaches of Article 14. 1-2 combined with Articles 12.3 and 12.1 of the GDPR, in Article
15. 1 of the GDPR (combined with Article 12.3 and Article 12.2. Of the GDPR), they constitute breaches
the rights of data subjects. These information and access rights have also been strengthened
under the GDPR, which shows their particular importance. The Protection Authority
in this perspective, has made compliance with them a priority in its plan.
strategy 2020-2025.19 The appropriate corrective measure / sanction is nonetheless determined
case by case.


17 Voy. sur le site Internet de l’APD, Rubrique l’Autorité – Organisation – Chambre Contentieuse :
152. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
https://www.autoriteprotectiondonnees.be/citoyen/l-autorite/organisation et
breach of the key principle of accountability, introduced by the GDPR.
https://www.autoriteprotectiondonnees.be/professionnel/l-autorite/organisation
Décision quant au fond 81/2020- 36/45
147. Compte tenu du constat de ces manquements, la Chambre Contentieuse adresse à la première
défenderesse une réprimande sur la base de l’article 100. 1, 5° LCA.
148. La Chambre Contentieuse prend par ailleurs acte du fait que la première défenderesse a, sans
attendre la décision de la Chambre Contentieuse, dès ses conclusions et lors de l’audition, pris un
certain nombre d’engagements pour remédier aux manquements relevés par l’Inspecteur général dans
son rapport. La Chambre Contentieuse est d’avis qu’un certain nombre de modifications et de mesures
doivent en effet, le plus rapidement possible, être apportées par la première défenderesse pour se
mettre en conformité avec ses obligations découlant du RGPD. Partant, la Chambre Contentieuse lui
impose un ordre de mise en conformité détaillé au dispositif en application de l’article 100. 1, 9° LCA
(voy. à cet égard la précision au point 141 ci-dessus).
149. Outre cette réprimande18 et cet ordre de mise en conformité, la Chambre Contentieuse est
d’avis qu’en complément, une amende administrative est en l’espèce justifiée pour les motifs ci-après.
150. Quant à la nature de la violation, la Chambre Contentieuse relève qu’en ce qui concerne le
manquement à l’article 5.1 c) du RGPD, il est constitutif d’un manquement à l’un des principes
fondateurs du RGPD (et du droit de la protection des données en général), soit au principe de
minimisation consacré au Chapitre II « Principes » du RGPD.
151. Quant aux manquements à l’article 14. 1-2 combiné à l’article 12.3 et 12.1 du RGPD, à l’article
15. 1 du RGPD (combiné à l’article 12.3 et à l’article 12.2. du RGPD), ils sont constitutifs d’atteintes
aux droits des personnes concernées. Ces droits d’information et d’accès ont par ailleurs été renforcés
aux termes du RGPD, ce qui témoigne de leur importance toute particulière. L’Autorité de protection
des données a, dans cette perspective, inscrit le respect de ceux – ci au titre de priorité dans son plan
stratégique 2020-2025.19 La mesure correctrice/sanction appropriée n’en est pas moins déterminée
au cas par cas.
152. Enfin, quant au manquement à l’article 5.2. et 24. 1-2 du RGPD, il est lui aussi constitutif d’un
manquement au principe clé de l’accountability, introduit par le RGPD.


18 La Chambre Contentieuse entend ici clarifier la distinction entre avertissement et réprimande : l’avertissement
18 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
est destiné à avertir un responsable du traitement ou un sous-traitant du fait que les opérations de traitement
is intended to notify a controller or a processor that the trafficking operations is lying
envisagées sont susceptibles de violer les dispositions du RGPD (article 58.2 a) du RGPD, article 95.1, 4° et article
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, LCA). La réprimande (ou rappel à l’ordre) vise à rappeler à l’ordre un responsable de traitement ou un
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
sous-traitant lorsque les opérations de traitement ont entraîné une violation des dispositions du RGPD (article
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) du RGPD et article 100.1, LCA).
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
19 Autorité de protection des données (APD), Plan stratégique 2020-2025:
19 Data Protection Authority (DPA), Strategic Plan 2020-2025:
https://www.autoriteprotectiondonnees.be/publications/plan-strategique-2020-2025.pdf
https://www.autoriteprotectiondonnees.be/publications/plan-strategique-2020-2025.pdf
Décision quant au fond 81/2020- 37/45
Decision on the merits 81 / 2020- 37/45
153. Aux termes de l’article 83.5 a) du RGPD, les violations de toutes ces dispositions peuvent
 
s’élever jusqu’à 20.000.000 d’euros ou dans le cas d’une entreprise, jusqu’à 4% du chiffre d’affaire
153. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
annuel mondial total de l‘exercice précédent. Les montants maxima d’amende pouvant être appliqués
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
en cas de violation de ces dispositions sont supérieurs à ceux prévus pour d’autres types de
global annual total for the previous financial year. The maximum fine amounts that can be applied
manquements listés à l’article 83.4. du RGPD. S’agissant de manquements à un droit fondamental,
in case of violation of these provisions are higher than those provided for other types of
consacré à l’article 8 de la Charte des droits fondamentaux de l’Union européenne, l’appréciation de
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
leur gravité se fera, comme la Chambre Contentieuse a déjà eu l’occasion de le souligner, à l’appui de
devoted to Article 8 of the Charter of Fundamental Rights of the European Union, the appreciation of
l’article 83.2.a) du RGPD, de manière autonome20
their gravity will be, as the Litigation Chamber has already had the opportunity to point out, in support of
Article 83.2.a) of the GDPR, autonomously20
.
.
154 Il a déjà été relevé que dans le cadre de l’inspection, les courriers en réponse adressés à
154 It has already been noted that in the context of the inspection, the letters in response to
l’inspecteur général étaient signés du groupe [...]. Lors de l’audition du 13 juillet 2020, la première
the Inspector General were signed by the group [...]. At the hearing on July 13, 2020, the first
défenderesse a confirmé faire partie de ce groupe.
defendant confirmed to be part of this group.
155 Dans sa détermination du montant de l’amende, la Chambre contentieuse tient compte de la
 
notion d’entreprise (article 83. 5 du RGPD). La Chambre Contentieuse tient également compte de
155 In determining the amount of the fine, the Contentious Chamber takes into account the
l’opinion du Comité Européen de la Protection des données dont elle retient tout particulièrement ce
concept of company (article 83.5 of the GDPR). The Litigation Chamber also takes into account
qui suit:
the opinion of the European Data Protection Committee, of which it particularly retains this
« Pour infliger des amendes effectives, proportionnées et dissuasives, les autorités de contrôle
following:
s’en remettront à la définition de la notion d’entreprise fournie par la CJUE aux fins de
"In order to impose effective, proportionate and dissuasive fines, the supervisory authorities
l’application des articles 101 et 102 du traité FUE, à savoir que la notion d’entreprise doit
will rely on the definition of the concept of enterprise provided by the CJEU for the purposes of
s’entendre comme une unité économique pouvant être formée par la société mère et toutes
the application of Articles 101 and 102 of the TFEU, namely that the concept of company must
les filiales concernées. Conformément au droit et à la jurisprudence de l’Union, il y a lieu
be understood as an economic unit that can be formed by the parent company and all
d’entendre par entreprise l’unité économique engagée dans des activités commerciales ou
the subsidiaries concerned. In accordance with Union law and case law, it is necessary
économiques, quelle que soit la personne morale impliquée (considérant 150). »
to understand by enterprise the economic unit engaged in commercial activities or
economic, regardless of the legal person involved (recital 150). "
21
21
156. Quant au nombre de personnes concernées affectées par les violations, la Chambre
Contentieuse relève que les manquements constatés concernent, au-delà de la seule plaignante, un
grand nombre de personnes. En effet, la première défenderesse est titulaire de concessions de
stationnement dans […] communes. Les manquements constatés s’inscrivent dans la pratique
quotidienne de la première défenderesse et sont consécutifs à l’absence de mise en place de


20 Voy. à cet égard la décision 64/2020 de la Chambre Contentieuse (point 54) :
156. As to the number of persons concerned affected by the violations, the Chamber
Litigation notes that the breaches noted concern, beyond the sole complainant, a
large number of people. The first defendant is the holder of concessions of
parking in […] municipalities. The shortcomings observed are part of the practice
of the first defendant and are consecutive to the failure to set up
 
20 See in this regard, decision 64/2020 of the Contentious Chamber (point 54):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf
21 Comité européen de la protection des données, Lignes directrices sur l’application et la fixation des amendes
21 European Data Protection Board, Guidelines on the application and setting of fines
administratives aux fins du règlement (UE) 2016/679, WP 253, adoptées le 3 octobre 2017, p. 6, disponible sur
Administrative Rules for the purposes of Regulation (EU) 2016/679, WP 253, adopted on 3 October 2017, p. 6, available at
www.edpb.europa.eu. Voir également, la décision 37/2020 de la Chambre contentieuse.  
www.edpb.europa.eu. See also, decision 37/2020 of the Contentious Chamber.
Décision quant au fond 81/2020- 38/45
Decision on the merits 81 / 2020- 38/45
procédures effectives d’exercice des droits notamment. Le nombre de personnes concernées est donc
effective procedures for exercising rights in particular. The number of people concerned is therefore
élevé.
Student.
157. Quant à la qualité de la première défenderesse, la Chambre Contentieuse rappelle que dans
 
de précédentes décisions22, elle a déjà retenu la qualité de mandataire public du responsable de
157. As to the status of the first defendant, the Contentious Chamber recalls that in
traitement comme un facteur aggravant au sens de l’article 83.2. k) du RGPD. Sans constituer un
previous decisions22, it has already retained the status of public representative of the head of
mandataire public au sens strict du terme, la première défenderesse n’en exercice pas moins une
treatment as an aggravating factor within the meaning of Article 83.2. k) of the GDPR. Without constituting a
compétence publique qui lui a été confiée par voie de concession. A ce titre, elle se doit d’adopter une
public representative in the strict sense of the term, the first defendant in office no less
attitude exemplaire. Le contexte « infractionnel » dans le cadre duquel interviennent les traitements
public competence which has been entrusted to it by concession. As such, it must adopt a
de données qu’elle opère exige, eu égard à leur finalité, également un respect tout particulièrement
exemplary attitude. The "infringement" context in which the processing takes place
rigoureux des droits des personnes concernées. Le traitement de données constitue par ailleurs une
of data that it processes requires, in view of their purpose, also particular respect
part substantielle de l’activité de la première défenderesse.
rigorous rights of the persons concerned. Data processing is also a
158. Quant au critère de durée, la Chambre Contentieuse constate que ces manquements ont duré
substantial part of the activity of the first defendant.
dans le temps (article 83. 1 a) du RGPD), à tout le moins depuis le 25 mai 2018, sauf pour ce qui est
 
du manquement à l’article 5.1 c) du RGPD plus circonscrit dans le temps.
158. As to the duration criterion, the Litigation Chamber notes that these breaches lasted
159. Quant à la question de savoir si les manquements ont été commis délibérément ou non (par
in time (Article 83.1 a) of the GDPR), at least since May 25, 2018, except for what is
négligence) (art. 83.2.b) du RGPD), la Chambre Contentieuse rappelle que «non délibérément» signifie
the breach of Article 5.1 c) of the GDPR more limited in time.
qu’il n’y a pas eu d’intention de commettre la violation, bien que le responsable du traitement ou le
 
sous-traitant n’ait pas respecté l’obligation de diligence qui lui incombe en vertu de la législation. En
159. As to the question of whether the breaches were committed willfully or not (para
l’espèce, la Chambre Contentieuse est d’avis que les faits et les manquements constatés - fussent-ils
negligence) (art. 83.2.b) of the GDPR), the Litigation Chamber recalls that "not deliberately" means
graves - ne traduisent pas une intention délibérée de violer le RGPD dans le chef de la première
that there was no intention to commit the violation, although the controller t or the
défenderesse.
subcontractor has not complied with its duty of care under the law. In
160. La Chambre Contentieuse relève enfin que la première défenderesse a coopéré avec l’APD
In the present case, the Litigation Chamber is of the opinion that the facts and the shortcomings noted - were they
tout au long de la procédure (article 83.2. f) du RGPD), en particulier avec l’Inspection, et admet que
serious - do not reflect a deliberate intention to violate the GDPR in the first instance
la gestion du cas de la plaignante lui impose d’apporter des améliorations conséquentes à son
defendant.
fonctionnement actuel eu égard aux droits des personnes concernées. La première défenderesse a,
 
comme déjà souligné, par ailleurs pris un certain nombre d’engagements de mise en conformité à cet
160. The Contentious Chamber finally notes that the first defendant cooperated with the APD
égard23
throughout the procedure (Article 83.2. f) of the GDPR), in particular with the Inspectorate, and admits that
the management of the complainant's case requires her to make substantial improvements to her
current functioning with regard to the rights of data subjects. The first defendant has,
as already underlined, moreover made a certain number of commitments to comply with this
respect23
.
.


22 Voy. la décision 10/2019 de la Chambre Contentieuse (page 12)
22 See decision 10/2019 of the Contentious Chamber (page 12)
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf ainsi que sa
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as its
décision 11/2019 (page 10) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n11-2019.pdf
decision 11/2019 (page 10) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n11-2019.pdf
23 Quant à l’information, la première défenderesse prend un certain nombre d’engagements vis-à-vis de l’APD,
23 As for information, the first defendant makes a number of commitments vis-à-vis the ODA,
dont les termes sont reproduits ci-dessous (points 42 à 45 des conclusions de la première défenderesse) :
the terms of which are reproduced below (points 42 to 45 of the conclusions of the first defendant):
42. La concluante a pris conscience que l’information fournie n’était pas suffisante au regard des
42. The conclusive woman realized that the information provided was not sufficient with regard to
obligations qui lui incombent. La concluante s’engage donc à fournir à l’Autorité de Protection des
obligations incumbent upon him. The conclusive therefore undertakes to provide the Protection Authority with
Décision quant au fond 81/2020- 39/45
Decision on the merits 81 / 2020- 39/45
161. La Chambre Contentieuse constate que les autres critères de l’article 83.2. du RGPD ne sont
 
ni pertinents ni susceptibles d’influer sur sa décision quant à l’imposition d’une amende administrative
161. The Contentious Chamber notes that the other criteria of Article 83.2. of the GDPR are not
et son montant.
neither relevant nor likely to influence its decision on the imposition of an administrative fine
162. En conclusion, au regard des éléments développés ci-dessus propres à cette affaire, la
and its amount.
Chambre Contentieuse estime que les faits constatés et le manquement aux articles 14.1-2 combiné
 
à l’article 12.1 et 12.3, 15.1 combiné à l’article 12.3 et 12.2., 5.1 c) et 5.2. et 24.1-2 du RGPD, justifient
162. In conclusion, in view of the elements developed above specific to this case, the
qu’au titre de sanction effective, proportionnée et dissuasive telle que prévue à l’article 83 du RGPD
Litigation Chamber considers that the facts noted and the breach of Articles 14.1-2 combined
et compte tenu des facteurs d’appréciation listés à l’article 83.2. du RGPD et de la réaction de la
in Article 12.1 and 12.3, 15.1 combined with Article 12.3 and 12.2., 5.1 c) and 5.2. and 24.1-2 of the GDPR, justify
première défenderesse au formulaire d’amende envisagée, une réprimande (article 100.1, LCA) et
as an effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR
un ordre de mise en conformité détaillé ci-dessous (article 100.1, LCA) assortis d’une amende
and taking into account the assessment factors listed in Article 83.2. GDPR and the reaction of the
administrative d’un montant de 50.000 euros (article 100.1, 13° et 101 LCA) soient prononcés à
first defendant to the proposed fine form, a reprimand (article 100.1, 5 ° LCA) and
l’encontre de la première défenderesse.
a compliance order detailed below (article 100.1, 9 ° LCA) accompanied by a fine
163. Dans la fixation de ce montant, la Chambre Contentieuse a tenu compte de ce que la première
administrative costs in the amount of 50,000 euros (article 100.1, 13 ° and 101 LCA) are pronounced at
défenderesse fait partie du groupe [...], du chiffre d’affaire annuel de ce groupe et de l’assise financière
against the first defendant.
de ce dernier. Elle a également tenu compte de l’information donnée par la première défenderesse
 
dans sa réaction au formulaire d’amende envisagée selon laquelle le groupe connait une nette
163. In fixing this amount, the Litigation Chamber took into account that the first
diminution de ses recettes dans le contexte actuel de la pandémie du virus du covid-19.
defendant is part of the group [...], of the annual turnover of this group and of the financial base
164. Le montant de 50.000 euros demeure eu égard à ces éléments proportionné aux
of the last. It also took into account the information given by the first defendant
manquements dénoncés. La Chambre Contentieuse est d’avis qu’un montant d’amende inférieur à
in its reaction to the proposed fine form according to which the group is experiencing a clear
50.000 euros ne rencontrerait pas, en l’espèce, les critères requis par l’article 83.1. du RGPD selon
decrease in revenues in the current context of the covid-19 virus pandemic.
lesquels l’amende administrative doit être effective, proportionnée et dissuasive. Dans sa décision
 
01/2020 du 9 novembre 2020, le Comité européen de la protection des données insiste à cet égard
164. With regard to these elements, the amount of 50,000 euros remains proportionate to the
breaches denounced. The Litigation Chamber is of the opinion that an amount of fine less than
50,000 euros would not meet, in this case, the criteria required by Article 83.1. of the GDPR according to
which the administrative fine must be effective, proportionate and dissuasive. In his decision
01/2020 of 9 November 2020, the European Data Protection Board insists in this regard


Données, dans les meilleurs délais, un document d’information qui répondra aux prescrits de l’article 14
Data, as soon as possible, an information document that will meet the requirements of Article 14
du RGPD et qui figurera sur le site internet de celle-ci (Pièce 41).
of the GDPR and which will appear on its website (Exhibit 41).
43. En outre, la concluante fera en sorte que cette notice permette d’accéder aisément aux informations
43. In addition, the conclusive one will ensure that this notice allows easy access to the information
relatives à la protection des données en créant une notice explicative qui se trouvera à un endroit unique
relating to data protection by creating an explanatory note which will be located in a single place
sur son site web.1
on its website.1
44. De plus, la concluante mettra en place un renvoi clair sur l’invitation de payer permettant d’assurer
44. In addition, the conclusive one will put in place a clear reference on the invitation to pay to ensure
que les personnes concernées comprennent directement que toutes les informations sont accessibles
that data subjects understand directly that all information is accessible
sur son site internet. En outre, la concluante reverra, à nouveau, dans les meilleurs délais, le contenu
on its website. In addition, the conclusive one will review, again, as soon as possible, the content
du message relatif à la vie privée se trouvant au bas de sa lettre de rappel.
of the privacy message at the bottom of their reminder letter.
45. Enfin, la concluante s’engage à refaire auditer l’ensemble de son site web afin de mettre en place
45. Finally, the conclusive undertakes to redo audit its entire website in order to set up
l’ensemble des documentations, précisions et renvois sous les formulaires nécessaires afin que les
all the documentation, details and references in the necessary forms so that the
personnes concernées puissent accéder aisément à une information complète.
people concerned can easily access complete information.
Décision quant au fond 81/2020- 40/45
Decision on the merits 81 / 2020- 40/45
sur le fait que la hauteur du montant de l’amende participe du caractère effectif, proportionné et
on the fact that the height of the amount of the fine contributes to the effectiveness, proportion and
dissuasif que doit revêtir l’amende24
deterrent to the fine24
.
.
9.2. Quant à la seconde défenderesse
9.2. As for the second defendant
165. La Chambre Contentieuse a constaté un manquement à l’article 14.1-2 combiné à l’article
 
12.3, à l’article 6, à l’article 5.1 c) et aux articles 5.2. et 24. 1-2 du RGPD dans le chef de la seconde
165. The Contentious Chamber found a breach of article 14.1-2 combined with article
défenderesse (point 137 ci-dessus).
12.3, section 6, section 5.1 c) and sections 5.2. and 24. 1-2 of the GDPR in the case of the second
166. Compte tenu de ces manquements, la Chambre Contentieuse adresse à la seconde
defendant (paragraph 137 above).
défenderesse une réprimande sur la base de l’article 100. 1, LCA.
 
167. La Chambre Contentieuse prend par ailleurs acte du fait que la seconde défenderesse s’est,
166. In view of these shortcomings, the Litigation Chamber addresses the second
aux termes de ses conclusions et lors de l’audition, proposée d’apporter certaines modifications dans
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.
sa pratique. La Chambre Contentieuse est en effet d’avis qu’un certain nombre de modifications et de
 
mesures doivent en effet, le plus rapidement possible, être apportées par la seconde défenderesse
167. The Contentious Chamber also takes note of the fact that the second defendant is,
pour se mettre en conformité avec ses obligations découlant du RGPD. Partant, la Chambre
in terms of its findings and at the hearing, proposed to make certain changes in
Contentieuse lui impose un ordre de mise en conformité détaillé au dispositif en application de l’article
his practice. The Litigation Chamber is in fact of the opinion that a number of modifications and
100. 1, LCA (voy. à cet égard la précision au point 141 ci-dessus).
measures must in fact, as quickly as possible, be brought by the second defendant
168. Outre cette réprimande25 et cet ordre de mise en conformité, la Chambre Contentieuse est
to comply with its obligations under the GDPR. Therefore, the Chamber
d’avis qu’en complément, une amende administrative est en l’espèce justifiée pour les motifs ci-après.
Litigation imposes a detailed compliance order on the device pursuant to article
169. Quant à la nature de la violation, la Chambre Contentieuse relève qu’en ce qui concerne le
100. 1, 9 ° LCA (see in this regard the clarification in point 141 above).
manquement à l’article 6 du RGPD (absence de base légale – consentement forcé) et à l’article 5.1 c)
 
168. In addition to this reprimand25 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.
 
169. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c)
 
24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR
(only available in English)
 
See. § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the
requirements ofArticle83 (1) GDPR of being effective, dissuasive and proportionate. ”
Free translation by the ODA Secretariat:
"199. Consequently, the EDPS considers that the amount of the fine proposed under the draft
decision-making process is too weak and, for this reason, does not fulfill its role as a corrective measure. In particular,
this amount does not meet the requirements of section 83.1. of the GDPR according to which the fine must be
effective, proportionate and dissuasive ”.
25 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or processor that the processing operations
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
Decision on the merits 81 / 2020- 41/45
of the GDPR, they constitute breaches of the founding principles of the GDPR (and of
data protection in general), or the principles of lawfulness and minimization devoted to
Chapter II “Principles” of the GDPR. While the data collected at the end of the form are
mainly identification data and do not constitute sensitive data within the meaning of
Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176.
below, in an “infringement” context. The Litigation Chamber will take this
double consideration.
 
170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a
infringement of the rights of data subjects - notwithstanding the existence of a confidentiality policy
moreover, which the Contentious Chamber is aware of and which it takes into account (paragraph 179). The
right to information has been strengthened under the GDPR, demonstrating its importance
particular. In this perspective, the Data Protection Authority has ensured respect for the rights
of the people concerned as a priority in its 2020-2025 strategic plan26. Measurement
However, the appropriate corrective / sanction is determined on a case-by-case basis.
 
171. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.


24 Comité européen de la protection des données, Decision 01/2020 on the dispute arisen on the draft decision
172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1) (a) GDPR
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
(disponible uniquement en anglais)
global annual total for the previous financial year. The maximum fine amounts that can be applied
Voy. le § 199 : https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
enshrined in Article 8 of the Charter of Fundamental Rights of 5.2. and 24. 1-2 of the GDPR in the case of the second
defendant (paragraph 137 above).
166. In view of these shortcomings, the Litigation Chamber addresses the second
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.
167. The Contentious Chamber also takes note of the fact that the second defendant is,
in terms of its findings and at the hearing, proposed to make certain changes in
his practice. The Litigation Chamber is in fact of the opinion that a number of modifications and
measures must in fact, as quickly as possible, be brought by the second defendant
to comply with its obligations under the GDPR. Therefore, the Chamber
Litigation imposes a detailed compliance order on the device pursuant to article
100. 1, 9 ° LCA (see in this regard the clarification in point 141 above).
168. In addition to this reprimand25 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.
169. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c)
 
24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR
(only available in English)
See. § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
therefore does not fulfil its purpose as a corrective measure, in particular it does not meet the
therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the
requirements ofArticle83(1) GDPR of being effective, dissuasive and proportionate.”
requirements ofArticle83 (1) GDPR of being effective, dissuasive and proportionate. ”
Traduction libre par le Secrétariat de l’APD:
Free translation by the ODA Secretariat:
« 199. En conséquence, le CEPD considère que le montant de l’amende proposé aux termes du projet
"199. Consequently, the EDPS considers that the amount of the fine proposed under the draft
de décision est trop faible et, pour ce motif, ne remplit pas son rôle de mesure correctrice. En particulier,
decision-making process is too weak and, for this reason, does not fulfill its role as a corrective measure. In particular,
ce montant ne satisfait pas aux exigences de l’article 83.1. du RGPD selon lesquelles l’amende doit être
this amount does not meet the requirements of section 83.1. of the GDPR according to which the fine must be
effective, proportionnée et dissuasive ».
effective, proportionate and dissuasive .
25 La Chambre Contentieuse entend ici clarifier la distinction entre avertissement et réprimande : l’avertissement
25 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
est destiné à avertir un responsable du traitement ou un sous-traitant du fait que les opérations de traitement
is intended to notify a controller or processor that the processing operations
envisagées sont susceptibles de violer les dispositions du RGPD (article 58.2 a) du RGPD, article 95.1, 4° et article
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, LCA). La réprimande (ou rappel à l’ordre) vise à rappeler à l’ordre un responsable de traitement ou un
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
sous-traitant lorsque les opérations de traitement ont entraîné une violation des dispositions du RGPD (article
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) du RGPD et article 100.1, LCA).  
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
Décision quant au fond 81/2020- 41/45
Decision on the merits 81 / 2020- 41/45
du RGPD, ils sont constitutifs de manquements aux principes fondateurs du RGPD (et du droit de la
of the GDPR, they constitute breaches of the founding principles of the GDPR (and of
protection des données en général), soit aux principes de licéité et de minimisation consacrés au
data protection in general), or the principles of lawfulness and minimization devoted to
Chapitre II « Principes » du RGPD. Certes les données recueillies au terme du formulaire sont des
Chapter II “Principles” of the GDPR. While the data collected at the end of the form are
données d’identification principalement et ne constituent pas des données sensibles au sens des
mainly identification data and do not constitute sensitive data within the meaning of
articles 9 et 10 du RGPD. Leur traitement intervient toutefois, comme il sera mentionné au point 176
Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176.
ci-dessous, dans un contexte « infractionnel ». La Chambre Contentieuse tiendra compte de cette
below, in an “infringement” context. The Litigation Chamber will take this
double considération.
double consideration.
170. Quant à l’atteinte à l’article 14.1-2 combiné à l’article 12.3 du RGPD, elle est constitutive d’une
 
atteinte aux droits des personnes concernées - nonobstant l’existence d’une politique de confidentialité
170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a
par ailleurs, ce que la Chambre Contentieuse n’ignore pas et dont elle tient compte (point 179). Le
infringement of the rights of data subjects - notwithstanding the existence of a confidentiality policy
droit à l’’information a été renforcé aux termes du RGPD, ce qui témoigne de son importance toute
moreover, which the Contentious Chamber is aware of and which it takes into account (paragraph 179). The
particulière. L’Autorité de protection des données a, dans cette perspective, inscrit le respect des droits
right to information has been strengthened under the GDPR, demonstrating its importance
des personnes concernées au titre de priorité dans son plan stratégique 2020-202526. La mesure
particular. In this perspective, the Data Protection Authority has ensured respect for the rights
correctrice/sanction appropriée n’en est pas moins déterminée au cas par cas.
of the people concerned as a priority in its 2020-2025 strategic plan26. Measurement
171. Enfin, quant au manquement à l’article 5.2. et 24. 1-2 du RGPD, il est lui aussi constitutif d’un
However, the appropriate corrective / sanction is determined on a case-by-case basis.
manquement au principe clé de l’accountability, introduit par le RGPD.
 
172. Aux termes de l’article 83.5 a) du RGPD, les violations de toutes ces dispositions peuvent
171. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
s’élever jusqu’à 20.000.000 d’euros ou dans le cas d’une entreprise, jusqu’à 4% du chiffre d’affaire
breach of the key principle of accountability, introduced by the GDPR.
annuel mondial total de l‘exercice précédent. Les montants maxima d’amende pouvant être appliqués
 
en cas de violation de ces dispositions sont supérieurs à ceux prévus pour d’autres types de
172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
manquements listés à l’article 83.4. du RGPD. S’agissant de manquements à un droit fondamental,
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
consacré à l’article 8 de la Charte des droits fondamentaux de l’Union européenne, l’appréciation de
global annual total for the previous financial year. The maximum fine amounts that can be applied
leur gravité se fera, comme la Chambre Contentieuse a déjà eu l’occasion de le souligner, à l’appui de
in case of violation of these provisions are higher than those provided for other types of
l’article 83.2.a) du RGPD, de manière autonome27
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
.
enshrined in Article 8 of the Charter of Fundamental Rights of ontentieuse notes that the other criteria of Article 83.2. of the GDPR are not
173. Aux termes de la réaction qu’elle a adressée à la Chambre Contentieuse en réponse au
neither relevant nor likely to influence its decision on the imposition of an administrative fine
formulaire d’amende envisagée, la seconde défenderesse fait état de ce que la crise sanitaire liée à la
and its amount.
pandémie du virus covid-19 a touché de manière extrêmement dure la profession d’huissier de justice.
 
La suspension forcée de la plupart des activités des huissiers (dont les mesures d’exécution) a conduit
181. In conclusion, in view of the elements developed above specific to this case, the
la seconde défenderesse à devoir mettre une partie de son personnel au chômage technique. La
Litigation Chamber considers that the facts noted and the breach of Article 14.1-2 combined with
Section 12.3, Section 6, Section 5.1 (c) and Section 5.2. and 24. 1-2 of the GDPR, justify that under
effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR and account
taking into account the assessment factors listed in Article 83.2. GDPR and the reaction of the second
defendant to the proposed fine form, a reprimand (article 100.1, 5 ° LCA) and an order
of compliance detailed below (article 100.1, 9 ° LCA) accompanied by an administrative fine
in an amount of 15,000 euros (article 100.1, 13 ° and 101 LCA) are pronounced against the
second defendant.
10. As for transparency
 
182. In view of the importance of transparency in the decision-making process
and the decisions of the Litigation Chamber, this decision will be published on the website of the APD
by deleting the direct identification data of the parties and persons mentioned,
whether they are physical or legal.
 
183. The Litigation Chamber is aware that the complainant requested the publication by name
of this decision. The contentious chamber is of the opinion that it is not for the complainant to request
such measure. In this case, the Litigation Chamber does not care less to clarify than in the context
of the wide margin of appreciation on the application of Article 100.1, 16 LCA which is its own, it decides
not to publish this decision mentioning the data controllers involved.


26 Autorité de protection des données (APD), Plan stratégique 2020-2025 :
Decision on the merits 81 / 2020- 44/45
https://www.autoriteprotectiondonnees.be/publications/plan-strategique-2020-2025.pdf
When it decided to publish its decisions stating the identity of the defendant, the
27 Voy. à cet égard la décision 64/2020 de la Chambre Contentieuse (point 54) :
Litigation Chamber justified its decision by the fact that this advertisement would guarantee
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf
rapid compliance, would help reduce the risk of reoccurrence and aim to educate the public
Décision quant au fond 81/2020- 42/45
taking into account the data controller involved. In addition, any pseudonymization of the name
seconde défenderesse estime que son chiffre d’affaire à venir pour 2020 et 2021 sera, par ailleurs,
of the defendant would have been in these few cases illusory29. She doesn't think it necessary to do it
sans proportion avec celui des années passées.
in this case.
174. Quant au nombre de personnes concernées affectées par les violations, la Chambre
Contentieuse relève que les manquements constatés concernent, au-delà de la seule plaignante, un
grand nombre de personnes. La seconde défenderesse n’est assurément pas une société
multinationale mais bien une PME belge. La seconde défenderesse n’en est pas moins une étude
d’huissiers de justice de référence en Belgique, forte d’une expérience de […] années et qui compte [
…] collaborateurs.
175. Compte tenu de ce que les manquements s’inscrivent dans la pratique de la seconde
défenderesse, le nombre de personnes potentiellement concernées est à la hauteur du nombre de
personnes dont la seconde défenderesse traite les données dans le cadre de l’exercice de ses missions
de recouvrement amiable, soit un nombre important, et ce, même si le recouvrement amiable de
dettes ne constitue, ce que la Chambre Contentieuse n’ignore pas, qu’une partie des activités de la
seconde défenderesse.
176. Quant à la qualité de la seconde défenderesse, la Chambre Contentieuse rappelle que dans
de précédentes décisions, elle a retenu la qualité de mandataire public du responsable de traitement
comme un facteur aggravant au sens de l’article 83.2. k) du RGPD28
. La seconde défenderesse est
notamment un fonctionnaire ministériel disposant d’une autorité publique, qui peut exercer des
compétences dites «monopolistiques», qui lui sont conférées par la loi. En tant que profession libérale,
l’huissier de justice exerce quelques activités extrajudiciaires dont le recouvrement amiable de dettes.
La fonction est réglementée et les huissiers de justice sont nommés par le Roi. Leur nombre est limité.
Eu égard à ce statut, la seconde défenderesse se doit d’adopter une attitude exemplaire quelle que
soit la casquette avec laquelle elle exécute ses missions. Le contexte « infractionnel » dans le cadre
duquel interviennent les traitements de données qu’elle opère exige également, eu égard à leur
finalité, un respect tout particulièrement rigoureux des droits des personnes concernées. Le traitement
de données constitue par ailleurs une part substantielle de l’activité de la seconde défenderesse.
177. Quant au critère de durée, la Chambre Contentieuse constate que ces manquements ont duré
dans le temps dès lors qu’ils s’inscrivent dans les pratiques de la seconde défenderesse (article 83. 1
a) du RGPD), à tout le moins depuis janvier 2019.


28 Voy. la décision 10/2019 de la Chambre Contentieuse (page 12)
FOR THESE REASONS
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf ainsi que sa
THE LITIGATION CHAMBER
décision 11/2019 (page 10) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n11-2019.pdf
After deliberating, decides to:
Décision quant au fond 81/2020- 43/45
 With regard to the first defendant
178. Quant à la question de savoir si les manquements ont été commis délibérément ou par
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
négligence (art. 83.2.b) du RGPD), la Chambre Contentieuse estime qu’ils ne sont pas délibérés. Elle
LCA;
retient également le fait que dès le 25 mai 2018, la seconde défenderesse disposait d’une politique de
- Issue an order of compliance in terms of the implementation of rights
confidentialité claire et détaillée et s’est employée à se conformer à l’ensemble des obligations
information and access for the persons concerned, on the basis of Article 100.1, 9 ° LCA.
découlant du RGPD qui lui incombent, notamment la désignation d’un DPO. Elle a pris contact avec
To this end, the first defendant is requested to communicate to the APD both its
des consultants spécialisés à cet effet et ce, nonobstant les annonces faites par la Chambre nationale
confidentiality policy applicable to the processing operations covered by this decision that his / her
des huissiers de justice qui indiquait qu’elle allait mettre en place des mesures concrètes pour
information clause (s) as well as the procedure put in place to respond to the exercise of
accompagner et aider les études ce qui in fine, n’a pas été le cas.
permission to access. This production of documents must take place within 3 months from
179. Enfin, la seconde défenderesse s’est montrée coopérante et soucieuse de modifier ses
of the notification of this decision via the address litigationchamber@apd-gba.be
pratiques en cours de procédure (aux termes de ses conclusions et lors de l’audition). La Chambre
- Impose an administrative fine against the defendant in the amount of 50,000
Contentieuse en a pris acte. (voy. à cet égard la précision au point 141 ci-dessus).
euros in application of articles 100.1, 13 ° and 101 LCA.
180. La Chambre Contentieuse constate que les autres critères de l’article 83.2. du RGPD ne sont
With regard to the second defendant:
ni pertinents ni susceptibles d’influer sur sa décision quant à l’imposition d’une amende administrative
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
et son montant.
LCA;
181. En conclusion, au regard des éléments développés ci-dessus propres à cette affaire, la
- Issue a compliance order in terms of information (confidentiality policy
Chambre Contentieuse estime que les faits constatés et le manquement à l’article 14.1-2 combiné à
and information clauses) and basic legality of the form attached to the formal notices of
l’article 12.3, à l’article 6, à l’article 5.1 c) et aux articles 5.2. et 24. 1-2 du RGPD, justifient qu’au titre
de sanction effective, proportionnée et dissuasive telle que prévue à l’article 83 du RGPD et compte
tenu des facteurs d’appréciation listés à l’article 83.2. du RGPD et de la réaction de la seconde
défenderesse au formulaire d’amende envisagée, une réprimande (article 100.1, 5° LCA) et un ordre
de mise en conformité détaillé ci-dessous (article 100.1, 9° LCA) assortis d’une amende administrative
d’un montant de 15.000 euros (article 100.1, 13° et 101 LCA) soient prononcés à l’encontre de la
seconde défenderesse.
10. Quant à la transparence
182. Compte tenu de l'importance de la transparence en ce qui concerne le processus décisionnel
et les décisions de la Chambre Contentieuse, cette décision sera publiée sur le site Internet de l'APD
moyennant la suppression des données d’identification directe des parties et des personnes citées,
qu’elles soient physiques ou morales.
183. La Chambre contentieuse n’ignore pas que la plaignante a demandé la publication nominative
de cette décision. La Chambre contentieuse est d’avis qu’il n’appartient pas au plaignant de solliciter
telle mesure. En l’espèce la Chambre Contentieuse n’en tient pas moins à préciser que dans le cadre
de la large marge d’appréciation sur l’application de l’article 100.1, 16 LCA qui est la sienne, elle décide
de ne pas publier cette décision en mentionnant les responsables de traitement mis en cause.
Décision quant au fond 81/2020- 44/45
Lorsqu’elle a décidé de publier ses décisions en mentionnant l’identité de la partie défenderesse, la
Chambre Contentieuse a motivé sa décision par le fait que cette publicité garantirait une mise en
conformité rapide, contribuerait à une diminution du risque de répétitions et visait à informer le public
compte tenu du responsable de traitement mis en cause. En outre, toute pseudonymisation du nom
de la défenderesse aurait été dans ces quelques cas illusoire29. Elle ne juge pas nécessaire de le faire
en l’espèce.
POUR CES MOTIFS
LA CHAMBRE CONTENTIEUSE
Après en avoir délibéré, décide de :
 A l’égard de la première défenderesse
- Prononcer à l’encontre de la défenderesse une réprimande sur la base de l’article 100.1, 5°
LCA ;
- Prononcer un ordre de mise en conformité en termes de mise en oeuvre des droits
d’information et d’accès des personnes concernées et ce, sur la base de l’article 100.1, LCA.
Il est à cet effet demandé à la première défenderesse de communiquer à l’APD tant sa
politique de confidentialité applicable aux traitements visés par la présente décision que sa/ses
clause(s) d’information ainsi que la procédure mise en place pour répondre à l’exercice du
droit d’accès. Cette production de documents doit intervenir dans un délai de 3 mois à dater
de la notification de la présente décision via l’adresse litigationchamber@apd-gba.be
- Prononcer à l’encontre de la défenderesse une amende administrative d’un montant de 50.000
euros en application des articles 100.1, 13° et 101 LCA.
A l’égard de la seconde défenderesse :
- Prononcer à l’encontre de la défenderesse une réprimande sur la base de l’article 100.1,
LCA ;
- Prononcer un ordre de mise en conformité en termes d’information (politique de confidentialité
et clauses d’information) et de base de licéité du formulaire joint aux mises en demeure de


29 Voy. la décision 37/2020 de la Chambre contentieuse (point 183) :
29 See decision 37/2020 of the Contentious Chamber (point 183):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf
Décision quant au fond 81/2020- 45/45
Decision on the merits 81 / 2020- 45/45
paiement et ce, sur la base de l’article 100.1, LCA. Il est à cet effet demandé à la seconde
payment and this, on the basis of article 100.1, 9 ° LCA. For this purpose, the second
défenderesse de communiquer à l’APD tant sa politique de confidentialité applicable aux
the defendant to communicate to the DPA both its confidentiality policy applicable to
traitements visés par la présente décision que sa/ses clause(s) d’information ainsi que la
processing covered by this decision that its information clause (s) as well as the
manière dont elle entend répondre aux manquements liés au formulaire susmentionné. La
manner in which it intends to respond to the shortcomings related to the aforementioned form. The
communication de ces documents doit intervenir dans un délai de 3 mois à dater de la
communication of these documents must take place within 3 months from the date of
notification de la présente décision via l’adresse litigationchamber@apd-gba.be
notification of this decision via the address litigationchamber@apd-gba.be
- Prononcer à l’encontre de la défenderesse une amende administrative d’un montant de 15.000
- Impose an administrative fine against the defendant in the amount of 15,000
euros en application des articles 100.1, 13° et 101 LCA.
euros in application of articles 100.1, 13 ° and 101 LCA.
En vertu de l’article 108.1 LCA, cette décision peut faire l’objet d’un recours auprès de la Cour des
 
marchés (Cour d’appel de Bruxelles) dans un délai de 30 jours à compter de sa notification, avec
Under Article 108.1 LCA, this decision may be appealed to the Court of
l’Autorité de protection des données en qualité de défenderesse.
contracts (Brussels Court of Appeal) within 30 days of notification, with
the Data Protection Authority as respondent.
(Sé.)
(Sé.)
Hielke Hijmans
Hielke hijmans
Président de la Chambre Contentieuse
President of the Litigation Chamber
</pre>
</pre>

Revision as of 09:22, 27 January 2021

APD/GBA - 81/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 14(1) GDPR
Article 14(2) GDPR
Article 15(1) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.12.2020
Published:
Fine: 50000 EUR
Parties: Anonymous (Complainant - physical person)
Anonymous (Defendant 1 - a company specialized in controlling the respect of street parking regulations.)
Anonymous (Defendant 2- a bailiff's study)
National Case Number/Name: 81/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian DPA (in FR)
Initial Contributor: Mathieu Desmet

The Belgian DPA (APD/GBA) imposed a fine of €50,000 and €15,000 on two different data controllers for breaching various principles of the GDPR, such as the principles of lawfulness, data minimisation and accountability.

English Summary

Facts

The complainant was fined by the first defendant ( a private company mandated to ensure the respect of municipal street parking regulations) for a violation of municipal street parking regulations.

In order to establish the violation of municipal regulations and issue the fine, the first defendant collected personal data directly from the complainant including data extracted from the Belgian national register, the DIV (department for vehicle registration) and a photo of her car. The DIV was consulted by the first defendant the day after the fine was issued (which was not necessary).

The first defendant claims to have sent a reminder to the complainant concerning the payment of the fine. Having received no response, it transferred this data to the second defendant, a bailiff's office to be reused and processed in the context of the collection of the fee (processing allowed by article 519 of the Belgian judiciary code).

After having received a formal notice from the second defendant asking her to pay the fine with interests, the complainant wrote to the second defendant claiming she had not received an invitation to pay , nor a reminder from the first defendant and also asked to exercise her right of access and information concerning the data processed by the second defendant.

The complainant then also made a similar request with the first defendant.

The complainant only received a partial response from the second defendant in the allotted time. The first defendant did not respond to her request and redirected her to the second defendant.

Pursuant to this lack of satisfactory answers from the defendants, the complainant lodged a complaint with the Belgian Data Protection Authority stating the following violations :

As to the first defendant:

- a breach of her right to information (Articles 12 and 14 of the GDPR)

- a breach of her right of access (article 15 of the GDPR)

- a breach of Article 28 of the GDPR with regard to the quality of subcontractor of the second defendant

- a breach of Article 5 of the GDPR (respect for the principle of necessity with regard to the consultation of the DIV)

- a breach of the principles of proportionality and illegal reuse of data (Articles 5 and 6 of the GDPR) with regard to the communication of his data at the second defendant - a breach of the principle of minimization (article 5 of the GDPR) with regard to the taking of photograph of his vehicle when the violation of the rules of parking

As for the second defendant :

- a breach of his right to information (Articles 12 and 14 of the GDPR)

- a breach of his right of access (article 15 of the GDPR)

- a breach of Article 28 of the GDPR with regard to its status as a processor

- a breach of the principles of proportionality and illegal reuse of data (Articles 5 and 6 of the GDPR) which are communicated to him by the first defendant.

- a breach of the principles of data minimization and the use of consent forced (Articles 5 and 6 of the GDPR) with regard to the form attached to the payment notice (formal notice).

Dispute

The dispute between the parties involved the following questions :

To which extent can a data controller responsible for compliance with municipal regulations (regulations which does not address the processing of data) collect and process personal data of a data subject without complying with general data protection principles such as timely information, access and the principle minimization ? Can this first controller rely on an exception to collect this data ?

Under which circumstances and to what extent may this data controller transfer the data collected for this first processing to a subsequent (but not joint) data controller mandated to collect the unpaid fine ?

To which extent should the the subsequent but distinct data controller comply with the right to access and information of the data subject ?

What is the relation between the two controllers as regard to data protection principles ?

Holding

The Litigation Chamber of the Belgian DPA notes the following breaches are established in respect of the first defendant:

- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.of the GDPR)

- a breach of its obligation to follow up on the exercise of the complainant's right of access within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights)

- a breach of the principle of minimization during the premature consultation of the DIV (register concerning matriculation of cars) - (article 5.1 c) of the GDPR.

- a breach of its obligation to put in place technical measures and adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.

As to the second defendant the Belgian DPA found that the following breaches are established :

- a breach of its information obligation (article 14.1-2, combined with article 12.3. of GDPR)

- a lack of legal basis with regard to the collection of data by way of the form accompanying the formal notice of payment (article 6 of the GDPR) and a breach of principle of data minimization (article 5.1 c) of the GDPR) given the excessive nature of requested data.

- a breach of Articles 5.2. and 24. 1-2 of the GDPR.

Sanctions : In consequence with the breaches mentioned above :

- the first defendant was sanctioned (In accordance with the Belgian Law of 3 December 2017 establishing the Data Protection Authority) with a reprimand, an order to adopt necessary actions to comply with the GDPR as well as a 50.000 euro fine.

- the second defendant was sanctioned with a reprimand, an order to adopt necessary action to comply with GDPR as well as a 15.000 euro fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/45
'''Litigation Chamber'''

Decision on the merits 81/2020of 23 December 2020
File No .: DOS-2019-02751

Subject: Decision relating to two data controllers intervening successively
noting various breaches of the GDPR principles (lawfulness, minimization,
accountability) and the rights of the people concerned (information, access, facilitation
Rights)

The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs J. Stassijns, C. Boeraeve, members, taking up the case in this
composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to
protection of individuals with regard to the processing of personal data and the
free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection), hereinafter GDPR;
Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA);
Having regard to the rules of procedure as approved by the House of Representatives on December 20
2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;

Took the following decision regarding:

The complainant: X
Decision on the merits 81 / 2020- 2/45

The first defendant: Y;
Having for advice, Masters Frédéric Dechamps and Nathan
Vanhelleputte, lawyers.

The second defendant: Z;
Advised by Maître S. Parsa, lawyer.
Hereinafter also referred to together as "the defendants";

1. Feedback from the procedure
Considering the complaint filed on May 15, 2019 by the complainant to the Data Protection Authority
(hereinafter APD);
Having regard to the decision taken by the Litigation Chamber during its session of July 12, 2019 to seize
the Inspector General on the basis of Articles 63, 2 ° and 94, 1 ° LCA and the latter's referral to this
same date;
Having regard to the Inspector General's report and investigation report sent on January 6, 2020 to the
Contentious chamber;
Having regard to the letters of January 21, 2020 and February 18, 2020 from the Litigation Chamber informing
parts of its decision to consider the case ready for substantive processing based on
Article 98 LCA and providing them with a timetable for the exchange of conclusions;
Having regard to the main conclusions of the second defendant filed by its counsel, received on March 12
2020;
Having regard to the conclusions of the complainant, received on March 27, 2020;
Having regard to the additional and summary conclusions of the first defendant filed by its counsel,
received on April 14, 2020;
Having regard to the additional and summary conclusions of the second defendant filed by its counsel,
received on April 14, 2020;
In view of the request made by the defendants in the terms of their pleadings to be heard by
the Litigation Chamber in application of article 51 of the internal regulations of the APD;
Decision on the merits 81 / 2020- 3/45
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on June 16, 2020;
Considering the information sent on June 25, 2020 to the Inspector General regarding the holding of the hearing to date
of July 13, 2020 in application of article 48.2. the internal rules of the ODA;
Having regard to the hearing during the session of the Litigation Chamber of July 13, 2020 in the presence of the
plaintiff, [...], of the first defendant represented by one of its counsel, Maître Van
Helleputte as well as the second defendant represented by its counsel Maître S. Parsa;
Having regard to the minutes of the hearing and the observations made thereon by the respective counsel
the defendants who were attached to these minutes;
Having regard to the reaction form against a proposed administrative fine sent on the 18th
November 2020 to the first defendant. Under this form, the Litigation Chamber
informs him that he is considering a fine against him as well as the reasons for which the
breaches of the GDPR justify the amount of the fine;
Having regard to the reaction of the first defendant on December 9 to this form;
Having regard to the reaction form against a proposed administrative fine sent on the 18th
November 2020 to the second defendant. Under this form, the Litigation Chamber
communicates that it is considering a fine against it as well as the reasons for
breaches of the GDPR justify this fine amount;
Considering the reaction of December 10, 2020 of the second defendant to this form.

2. The facts

1. The first defendant is a company specializing in “street parking”.
It carries out parking control in the municipalities for which it is the concessionaire of the missions
of public interest. The first defendant employs [...] people. It is also part of the
Group [...].

2. The first defendant manages, under the municipal regulations of the City of [...], the parking of certain streets of this municipality.

3. The second defendant is an office of bailiffs located in [...] which deals, in
within the framework of its legal prerogatives defined in Article 519 of the Judicial Code, in particular of amicable recovery and judicial recovery of debts from its clients. The first one defendant is one of his clients. The firm is responsible for the management of amicable collection, then, if necessary judicial, of unpaid debts such as royalties parking.

4. On January 2, 2019, the complainant parked her vehicle in one of the streets of [...] whose first defendant is responsible for the management of parking lots. The first defendant states that the complainant was parked in a blue zone in which parking is limited to thirty (30) minutes. In the absence of a blue disc affixed by the complainant to her windshield and
lack of a parking permit which it would have held, the first defendant indicates
have, in accordance with article [...] of the applicable municipal [...] regulations, placed an invitation to
pay [...] euros on the windshield of the complainant's vehicle. This amount corresponds to the amount
the “Tariff 1” charge of the municipal regulations. The complainant, for her part, denies having found
any invitation to pay on his windshield.

5. The first defendant indicates that it sent a payment reminder to the plaintiff on the 24th.
January 2019, reminder which increases the initial debt by five (5) euros in accordance with article [...] of
municipal regulation already cited. The complainant also denies ever having received such a reminder.

6. In the absence of payment received within 15 days of sending the said reminder of January 24, 2019, and
in accordance with article [...] of the applicable municipal regulations, the first defendant transmitted
the file to his bailiff, or to the second defendant, so that the latter takes charge
to recover the amount owed by the complainant.

7. On February 25, 2019, the complainant received a formal notice from the second
defendant in order to recover the amount due in application of article [...] of the municipal regulation
already cited. To the initial debt, as announced in the reminder letter of January 24, 2019 (point 5 above), there are additional costs in accordance with the Royal Decree of November 30, 1976 fixing the tariff for
acts performed by bailiffs in civil and commercial matters referred to in article
[...] of the municipal regulations. The complainant indicates that she received this formal notice on March 1
2019.

8. On March 3, 2019, the complainant wrote to the second respondent to receive explanations,
indicating that she never received a payment invitation or reminder. She also opposes payment
of the royalty. By the same letter, the complainant questioned the second respondent as to the
legal bases which allow it to access the Vehicle Registration Department (DIV) of
SPF Mobilité and the National Register. Also under the terms of this letter, the complainant exercises
also his right of access to his personal data as recognized by the GDPR (article 15
of the GDPR).


9. On the same date, the complainant addressed the same requests to the first respondent.

10. On March 4, 2019, the first defendant referred the complainant to the second defendant
in these words: "Arrange with the bailiff".

11. On March 29, in the absence of a response received from the second defendant, the complainant
wrote back to him noting that the legal deadline of one (1) month to respond to his request for access is on the
point to expire.

12. On April 2, 2019, the second defendant wrote to the complainant in response to her letter of 3
March (point 8 above) and provides it with a certain amount of information on the one hand on the data
which it processes in response to its request for access and information relating to the legal bases mobilized
as well as on the other hand, some information on the treatments operated by his client (the first
defendant). There followed an exchange of correspondence between the complainant and the study of the bailiffs of
justice (second defendant) under the terms of which photos - difficult to read according to the complainant - him
are communicated.

13. On April 8, 2019, the complainant asked the second respondent to communicate the
proof of sending the reminder letter of January 24, 2019 (point 5 above).

14. This also follows a request of April 29, 2019 from the complainant to the first respondent
to receive proof of the sending of this reminder letter of January 24, 2019. In response,
the first respondent provides a copy of the reminder letter and refers the complainant to
bailiffs for the rest.

15. On May 15, 2019, the complainant filed a complaint with the DPA against both the first
defendant that of the second ddefendant. The complainant will bring an addendum to her complaint in
date of June 6, 2019.

16. The complainant also made a request for access to the DIV. From the response received by
the complainant on May 17, 2019, it appears that the first respondent consulted the data of the
complainant on January 3, 2019 at 10:03 p.m., i.e. the day after the finding (from January 2, 2019 - see
point 4 above) of the infringement of the parking rules complained of.

17. In June 2019, the complainant wrote again to both the first and the second respondent
for details of the alleged offense.


18. On July 11, 2019, the second respondent responded to the complainant's request for clarification
by indicating that he is accused of not having affixed a valid parking ticket
on his windshield. The first defendant criticizes the complainant for having failed
to affix the required parking disc in the blue zone.

3. The subject of the complaint lodged by the complainant

19. Pursuant to her complaint, the complainant requests that her complaint against the first and
of the second defendants be declared admissible and well founded and that consequently, the
defendants are ordered to comply with the GDPR and Belgian laws, within the
that the Contentious Chamber will consider reasonable, under penalty of penalty.

20. In this regard, the complainant considers that the defendants are guilty:
As to the first defendant:
- a breach of his right to information (Articles 12 and 14 of the GDPR)
- a breach of his right of access (article 15 of the GDPR)
- a breach of Article 28 of the GDPR with regard to the quality of subcontractor of the second
defendant
- a breach of Article 5 of the GDPR (respect for the principle of necessity with regard to the
consultation of the DIV)
- a breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the GDPR) with regard to the communication of his data at the second
defendant
- a breach of the principle of minimization (article 5 of the GDPR) with regard to the taking of
photograph of his vehicle when the violation of the rules of
parking
As for the second defendant
- a breach of his right to information (Articles 12 and 14 of the GDPR)
- a breach of his right of access (article 15 of the GDPR)
- a breach of Article 28 of the GDPR with regard to its status as a processor
- a breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the RGPD) which are communicated to him by the first defendant then even
that it would not be validly founded
- a breach of the principles of data minimization and the use of consent
forced (Articles 5 and 6 of the GDPR) with regard to the form attached to the payment notice.
Decision on the merits 81 / 2020- 7/45

21. The complainant also requests that the defendants be sentenced to a sanction
proportionate to the seriousness of the facts, taking into account the object and scope of their activity
professional activity that affects a large number of citizens.

22. Finally, the complainant seeks the condemnation of the defendants to non-anonymized advertising
of the decision of the Litigation Chamber in order to inform the public of illegal practices in
management of parking fees against which they can claim the
respect for their data protection rights.
4. The inspection report of January 6, 2020

23. According to his report, the Inspector General made the following observations:

24. Finding 1: It does not emerge from the information in the file and the responses provided by the
first defendant that the lawfulness of the processing operations carried out by the first and second
defendants in order to recover the regulatory parking debt
communal can be questioned.

25. Finding 2: The information provided to the persons concerned on the site of the
first defendant is incomplete.
The privacy statement appearing on the site of the first defendant [...] does indeed concern
not the personal data that it processes during the monitoring, sending of the reminder and
transmission of the file to the bailiff (second defendant). The contact details of
the privacy officer of the first defendant in charge of processing requests
rights of access for data subjects are not mentioned in this declaration. The
the first defendant therefore does not fulfill its obligation to provide information
easily accessible, in particular by electronic means to the persons concerned, prescribed
section 12.1. of the GDPR.

26. Finding 3: The complainant's right of access to data concerning her processed by the
first defendant was not complied with, in contravention of Article 15 of the GDPR.
Pour only response to her request for access, the complainant was in fact twice referred to
the bailiff [read the second defendant] and a copy of the payment reminder she
disputed having received was provided to him. In this regard, it appears that there is no procedure in place
so that the customer service of the first defendant in charge of complaints can send the
requests relating to the exercise of the rights of the data subject to the life protection officer
deprived of the first defendant.
Decision on the merits 81 / 2020- 8/45

27. Finding 4: Access to the DIV by the first defendant was made the next day
control of the complainant's vehicle. Personal data concerning him
(surname, first name and address) were processed unnecessarily in the period during which the
data subject has the option of paying the fee before sending a reminder to their
name and address, which does not comply with the principle of data minimization provided
in article 5.c [read article 5.1 c)] of the GDPR. According to article [...] of the royalty by-law of the City of
[...] from [……… ..], this period is 10 days. The first defendant argues that in this case
a technical error was encountered in the automated access to the DIV. She joins an exchange of mails
of 14 and 22 November 2019 with its supplier from whom it appears that the data of the DIV are
then received after 48 hours for all of its sites.

28. The Litigation Chamber notes that in the context of its investigation, the response letters
to the questions put to the second defendant by the Inspector General are signed by the group [...].
5. The hearing of July 13, 2020
29. From the hearing of July 13, 2020 - of which a record has been drawn up - are, in addition to the arguments
developed in terms of conclusions, the following elements emerged:
- the status of data controller for each of the defendants;
- the modifications decided by the first defendant to the procedure put in place with the
second defendant for the exercise of data protection rights of
people concerned and more particularly, the decision to keep internal management
requests for the exercise of their rights by data subjects;
- the work of compliance with the GDPR carried out by the judicial officers from the 25th
May 2018, in particular the adoption of a detailed privacy policy available on its website;
- the appointment of a data protection officer (DPO) by both the first and the
second defendants;
- the request for publication of the decision of the Contentious Chamber in a form
anonymized formulated by both the first and the second defendants, in particular
by the image of the function of bailiff (second defendant) as well as the fear of
see, given the number of people whose personal data is processed by
both defendants and the number of complaints against them.
- confirmation that the first defendant is part of the group [...].

PLACE

6. Structure of the decision
Decision on the merits 81 / 2020- 9/45

30. By way of introductory remarks, the Litigation Chamber will formulate a number of
details as to its jurisdiction (7.1.), as to the reference error of the basis of legality of the
treatment spontaneously noted by the first defendant (7.2.) as well as with regard to the quality of
the first and second defendants with regard to the data processing concerned (7.3.).
These clarifications are a prerequisite for consistency and a good understanding of what follows.
of this decision.

31. Then, in Title 8, the Contentious Chamber will successively examine the breaches
which may be retained at the expense of the first defendant on the one hand (Title 8.1.) and at the expense of the
second defendant on the other hand (Title 8.2).

32. Finally, in Title 9, the Contentious Chamber will motivate the corrective measures and sanctions
that it decides to impose on the first defendant on the one hand (Title 9.1.) and on the second defendant
on the other hand (section 9.2.).
7. Introductory remarks
7.1. As for the sovereign appreciation of the Litigation Chamber notwithstanding the findings of the
inspection report and the terms of the complaint

33. On several occasions in its submissions, the second defendant points out that
given that the inspection report did not find any breach in its regard, no
breach could not be held against him by the Litigation Chamber.

34. The Contentious Chamber recalls in this regard that recourse to the Inspection is not
systematically required by the LCA. Indeed, it is for the Litigation Chamber to determine at the
following the filing of a complaint, whether an investigation by the Inspectorate is necessary or not (article 63, 2 ° LCA
- art. 94, 1 ° LCA). The Litigation Chamber may also decide to deal with the complaint without having
referred to the inspection service (art. 94, 3 ° LCA).

35. When seized, the findings of the Inspection certainly enlighten the Chamber
Litigation on the facts of the complaint, on the qualification of these facts with regard to the
data protection regulations and can support one or the other
breach ultimately retained by the Litigation Chamber under the terms of its decisions. However, the
Litigation Chamber remains free, in support of all the documents produced during the procedure
and the arguments developed in the context of the adversarial debate that follows his decision to deal with
the case on the merits (Article 98 LCA) - if necessary after recourse to the Inspectorate -, to conclude
reasoned for the existence of shortcomings that the inspection report did not indicate.
Decision on the merits 81 / 2020- 10/45

36. As for the terms of the complaint, they constitute both for the Inspectorate and for the Chamber
Litigation a starting point. The Litigation Chamber recalls that on several occasions it
ruled that during the procedure following the complaint, it has the possibility of changing the
legal qualification of the facts submitted to it, or to examine new facts related to the complaint,
without necessarily calling on the intervention of the Inspection, in particular by asking questions
to the parties or taking into account new facts or qualifications invoked by way of
conclusion, and this, within the limits of the adversarial debate, namely, provided that the parties have
had the opportunity to discuss these facts or legal qualifications in a manner consistent with the rights of
defense1
.
7.2. As to the basis of legality

37. According to its conclusions, the first defendant specifies that it must correct
a mistake. It specifies that the municipal regulations of [...] on which the lawfulness of the
treatment and whose legitimacy is recognized through the investigation report applies in the case of
parking fees in the event of non-payment via a parking meter.

38. In the present case, the first defendant observes that the fee due by the complainant is due
due to the lack of an affixed blue disc. It is therefore the municipal regulation of [...] relating to
parking in the blue zone which must apply.

39. The first defendant states that, however, since the two municipal regulations
are drafted identically - at least as regards the relevant articles in the
context of this dispute - it is simply necessary to adapt the references made.

40. In her conclusions, the complainant raises the fact that the municipal regulation of the [...] invoked
this time by the second defendant at the bottom of the formal notice she sent him on February 25
2019 (point 7 above) expired on [...], i.e. before the said formal notice was sent and
before the date of the alleged offense (January 2, 2019). It immediately concludes that there is no legality
processing. In its pleadings and in its file of exhibits, the second defendant relies,
contrary to the reference appearing at the bottom of said formal notice, on the municipal regulations
the [...] relating to parking in the blue zone.

1 Voy Litigation Chamber, Decisions 17/2020 (points 26 to 33)
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf; 41/2020 (point
12 and points 14-15) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-
2020.pdf and 63/2020 (points 16 to 22): https://www.autoriteprotectiondonnees.be/publications/decision-quantau-fond-n-63-2020.pdf available on the APD website.
Decision on the merits 81 / 2020- 11/45

41. The Contentious Chamber concludes from the foregoing that the defendants agree to
consider that the basis of lawfulness of their processing finds, at least in part, its source in
the municipal [...] regulations relating to parking in the blue zone.

42. The Contentious Chamber can, however, only note a great confusion around
identifying this basis of lawfulness. However, this element is now part of the elements
of information listed in Articles 13.1 c) and 14.1 c) of the GDPR which should be informed
concerned (see below). Likewise, without being compulsory, this information may also appear
in the Register of processing activities which must be regularly updated (Art. 30 GDPR).
Errors such as the one made by the defendants could perhaps be thus
avoided2
.
43. In the present case, the Contentious Chamber is of the opinion that the error in the identification and
communication of the basis of legality is not synonymous with the absence of a basis of legality within the meaning of
Article 6 of the GDPR. As for the information obligation - in particular the basis of lawfulness (Articles 13.1
c) and 14.1 c) of the GDPR) - and, more generally, as regards the effective implementation of Article 24 of
GDPR in this regard, the Litigation Chamber refers to points 8.1.1 and 8.1.4. below.
7.3. As to the qualification of the first and second defendants

44. The complainant notes that the first respondent states that it has put in place a procedure
management of complaints with the second defendant. According to the latter, the second defendant
manages all claims or complaints from the moment the file relating to them has been received
transmitted and is responsible for collecting the amount due. The complainant considers that "if we have to
understand that the second defendant acts as a subcontractor of the first
defendant ", the requirements of Article 28 of the GDPR must apply and therefore the defendants
must be able to demonstrate their effective application.

45. The Contentious Chamber has, at the end of the hearing of July 13, 2020 (title 5 above),
note that both the first respondent and the second respondent qualify as
data controller each for the processing operations they perform and for which they determine
respectively the purposes and the means.

2 See. Commission for the Protection of Privacy, Recommendation 06/2017 of 14 June 2017 relating to the Register
processing activities (Article 30). See. point 42 of the recommendation
https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf
Decision on the merits 81 / 2020- 12/45

46. ​​Regardless of the qualification given to themselves by the parties, which is not binding3
, The
Litigation Chamber is of opinion, on the basis of the description given by the defendants of the
collaboration between them, that each of them is responsible for processing. Their
interventions in the context of amicable debt collection follow one another in this capacity. The
Litigation Chamber notes in this regard that this collaboration is based, according to the
defendants, on the sole basis of the municipal regulations, with the exception of any other document
supporting their collaboration.

47. The Contentious Chamber also rejects any qualification of co-responsible for
processing within the meaning of Article 26 of the GDPR between the defendants. Indeed, the co-responsibility
requires a joint determination of both the purposes and the means of the identified processing, this
which is not the case in this case.4 Each of the defendants successively carries out

3 European Data Protection Board (EDPS), Guidelines 07/2020 on the concepts of controller and
processor in the GDPR, version 1.0. of September 2, 2020. These guidelines currently exist only in
English. They have been submitted for public consultation and are subject to change
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
4
Idem above points 50-55 in particular and the references cited:

50. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in
the determination of the purposes and means of a processing operation. Joint participation can take the form of
a common decision taken by two or more entities or result from converging decisions by two or more entities,
where the decisions complement each other and are necessary for the processing to take place in such a manner
that they have a tangible impact on the determination of the purposes and means of the processing. Important year
criterion is that the processing would not be possible without both parties ’participation in the sense that the
processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the
determination of purposes on the one hand and the determination of means on the other hand. (…)

55. It is also important to underline, as clarified by the CJEU, that an entity will be considered as joint controller
with the other (s) only in respect of those operations for which it determines, jointly with others, the means and
the purposes of the processing. If one of these entities decides alone the purposes and means of operations that
precede or are subsequent in the chain of processing, this entity must be considered as the sole controller of this
preceding or subsequent operation.
Free translation by the ODA Secretariat
50. The overall criterion determining the presence of joint responsibility for the processing is participation
joint venture of two or more entities in determining the purposes and means of a processing operation.
Joint participation may take the form of a joint decision taken by two or more entities, or
result from convergent decisions from two or more entities, when these decisions complement each other
mutually and are necessary for carrying out the processing operation in such a way that they have a
impact your ngible on determining the purposes and means of processing. An important criterion is that the
processing would not be possible without the participation of both parties, in the sense that processing by each
part is inseparable, that is to say that these treatments are inextricably linked. Joint participation must
include the determination of purposes, on the one hand, and the determination of the means, on the other.

55. It is also important to stress, as clarified by the CJEU, that an entity will not be considered
as joint controller, with one or more other entities, only with regard to operations for
which it determines, together with the other entities, the purposes and means of processing. If one
of these entities alone decides on the purposes and means of previous or subsequent operations in the chain
processing, this entity must be considered as the sole controller of this operation
anterior or posterior.


48. The Contentious Chamber nonetheless shares the impression of confusion and the lack of
clarity with regard to the persons concerned relayed by the complainant. This is particularly evident in the
response provided by the second defendant to a request to exercise his rights in matters of
data protection sent by the complainant to the first respondent (points 10 and
14 above and 75 below).

49. Nevertheless, the second defendant is neither the subcontractor of the first defendant, nor
joint responsible with her. Therefore, their relationship should not be governed by a subcontract and no breach of Article 28 of the GDPR can be blamed. Their relationship does
should not be framed by an agreement between them as required by Article 26 of the GDPR in
joint liability cases.
8. As to breaches
8.1. As regards the breaches on the part of the first defendant
8.1.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)

50. In its capacity as controller, the first defendant is required to
implement Articles 12, 13 and 14 of the GDPR and to be able to demonstrate this effective implementation
(Articles 5.2. and 24 of the GDPR).

51. Pursuant to Article 12.1 of the GDPR, it is the first defendant's responsibility to take
appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in a manner
concise, transparent, understandable and easily accessible in clear and simple terms.
in writing or by other means including electronic.

52. In the present case, as regards data which were not collected directly from the
complainant, the first defendant was required to provide her with information with regard to
Decision on the merits 81 / 2020- 14/45 data processing carried out concerning it in the context of the collection of the fee due.
As for the content of this information, in accordance with the case law of the Litigation Chamber,
the elements listed in both § 1 and § 2 of Article 14 had to be communicated to it. 5 The Chamber
Litigation has already specified above that these elements include the exact identification of the
lawfulness of the processing (Article 14.1 c) of the GDPR) (point 42 above).

53. The Litigation Chamber is of the opinion that in light of the amount of information to be provided to
data subject, controllers such as defendants should adopt a
multi-level approach. On the one hand, the person concerned must immediately have a
clear, accessible information on the fact that information on the processing of their data
personal character (privacy policy) exist and where it can be found in
their entirety.

54. On the other hand, without prejudice to the accessibility of the privacy policy in its
completeness, the data subject must, from the first communication from the controller
with them, to be informed of the details of the purpose of the processing concerned, of the identity of the controller
the processing and the rights available to it. The importance of providing this information upstream
follows in particular from recital 39 of the GDPR. Any additional information needed to
allow the persone concerned to understand, from the information provided to this first
level, what the consequences of the treatment in question will have to be added 6
.
55. According to his inspection report of 6 January 2020, the Inspector General, as well as
been recalled in Title 3, notes, with regard to the confidentiality policy, that:
"The privacy statement appearing on the site of the first defendant [...] does not concern
indeed not the personal data that it processes during the control, the sending
the reminder and the transmission of the file to the bailiff (second defendant). The
contact details of the first defendant's privacy officer in charge
to process requests for the right of access from data subjects are not mentioned
in this statement. The first defendant therefore does not fulfill its obligation to
provide easily accessible information, particularly electronically, to individuals
concerned, prescribed in Article 12.1. of the GDPR ”.

5 Article 29 Group, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260,
revised version of April 11, 2018 (taken over by the European Data Protection Board):
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23).
6
Idem (points 35-38).
Decision on the merits 81 / 2020- 15/45

56. In other words, the first defendant's privacy policy does not cover
data processing questioned by the complainant. Indeed, the Inspector General details in
its report that the confidentiality policy available on the site of the first defendant during
of its consultation, concerned exclusively the way in which the data processing "that you
send us through the site and / or otherwise "was carried out (step 5 of the report
inspection).

57. The Litigation Chamber further notes that the first reminder letter sent by
the first defendant to the complainant on 24 January 2019 (point 5 above) contains the clause
next :
PRIVACY
Your personal data in our possession will only be processed within the framework of
of this reminder and, where applicable, of future exchanges between you and our services at
About the payment of the fee concerned. These data will only be kept for
the duration corresponding to this regulation. In accordance with Regulation (EU) 2016/679 of
European Parliament and of the Council of 27 April 2016 on data protection at
personal nature and the free movement of such data, and repealing Directive 95/46 / EC
(general data protection regulation), you can freely exercise your rights
and questions by sending a request to [...] or by email [...]. The protection officer
privacy will contact you to confirm your identity and take the necessary action
to respond to your request.

58. The said letter also mentions the website of the first defendant without
however, reference to the privacy policy in general and a fortiori to the relevant provisions
with regard to the reminder sent (as far as as mentioned above this privacy policy
does not cover this type of treatment). The Contentious Chamber is of the opinion that this clause cannot
to fill in the lack of information on the elements of §§ 1 and 2 of Article 14 of the GDPR (therefore
that as already mentioned, the privacy policy of the first defendant does not cover
the treatments in question).

59. As to the failure to mention the contact details of the privacy protection officer
generally also noted by the investigation report, the Litigation Chamber is of the opinion
that the communication of contact details of the DPO or any other contact address dedicated to the exercise
the rights of data subjects is part of the obligation of data controllers
facilitate the exercise of the rights of data subjects (article 12.2. of the GDPR) 7
.

7 During the hearing on July 13, 2020, the first defendant clarified that its protection officer
privacy is in fact a Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR.
Decision on the merits 81 / 2020- 16/45

60. According to its submissions, the First Respondent states that it "can only
take note of the conclusion of the investigation report which states that "the information provided to
data subjects on the website of [...] is incomplete ”. It also indicates that it takes note that
the Inspector considers that the information "is not easily accessible" to the persons concerned
(point 41 of the conclusions of the first defendant) and makes a number of commitments
vis-à-vis ODA to remedy this (see below under section 9.1. relating to the discussion on the measures
corrective measures and sanctions).

61. When at the time of information, Article 14.3 of the GDPR specifies that the elements listed in
§§ 1 and 2 must be provided within a reasonable time after having been obtained but at the latest
within the month of this obtaining in view of the particular circumstances in which the data
of a personal nature are processed.

62. In the present case, the Complainant and the First Respondent disagree on the issue of
whether this information was provided in a timely manner. The first defendant indeed maintains
that information can be found on the invitation to pay sent to the complainant as well as in her
reminder letter (points 4 and 5 above). The complainant claims that she never received a butterfly or
reminder letter and notes the absence of proof of the communication of these documents - and therefore of
data protection information - by the first defendant. The first one
the defendant also refers to the information provided on its website, while
admitting that this is incomplete (point 60 above).

63. It is not for the Contentious Chamber to determine how the breach
parking rules must be brought to the attention of offenders (flyer, reminder by
regular mail, by registered mail). The fact remains that information on
data processing which takes place both within the framework of the finding of the violation and of the management
recovery of the amount resulting from this, must be communicated within the deadline
prescribed in Article 12.3 of the GDPR in a useful manner (taking into account, for example, the deadline for
payment given), or, depending on the context, without waiting for the expiry of the said deadline.

64. In support of the foregoing findings and the information obligation that weighs on the first
defendant, the Litigation Chamber finds a breach of Article 14.1-2 of the GDPR therefore
that the privacy policy of the first defendant does not cover the processing of
data processed in this case (amicable debt collection). The "Privacy" clause appearing on its
reminder mail, insufficient in content, is not likely to remedy this. This failure
is also combined with Article 12.3 of the GDPR. The Litigation Chamber is of the opinion that
if the information is not given or is incomplete, a fortiori it was not provided within the time limit
Decision on the merits 81 / 2020- 17/45
required. Finally, these breaches are combined with a breach of Article 12.1 of the GDPR (default
accessibility of the DPO's contact details in the privacy policy).
8.1.2. As for the breach of the right of access (article 15 of the GDPR)

65. According to Article 15 of the GDPR, the data subject has the right to obtain from the controller
of processing the confirmation that personal data concerning him are or are not
not processed and, when they are, access to said personal data as well as
information items listed in letters a) to h) of Article 15.1. of the GDPR.

66. In the present case, according to the terms of his report, the Inspector General finds in this regard
next :
"Ms. X's right of access (read the complainant) to data concerning her processed by
[...] (read the first defendant) was not respected, in contravention of article 15
of the GDPR.
The only response to her request for access was Ms. X (read the complainant) was in fact
twice referred to the bailiff (read the second defendant) and a copy
of the payment reminder she disputed having received was provided to her. In this regard, it appears
that there is no procedure in place for customer service [...] (read the first
defendant) in charge of complaints send requests relating to the exercise of
rights of the data subject to the privacy officer of [...] (read the
first defendant) ”.

67. According to its submissions, the first defendant describes that, having regard to the nature of
its activities, it faces a significant number of complaints and complaints. In practice, there
described (and confirmed during the hearing on July 13, 2020) that as soon as it is found that the offender
has not paid his fee within the required time, the case is transferred to the second defendant who
is responsible for collecting the amount due. The first defendant specifies that any request
carried out after the file has been transmitted to the bailiff must be processed
directly with the bailiff to prevent contradictory information from being transmitted
to the complainant. What she describes as being a procedure organized with the second defendant
However, apart from the municipal regulations to which the defendants both refer
during the hearing, not framed by a precise and detailed written procedure between them (point t 46 above).

68. As for the management of requests to exercise their rights in terms of the protection of
data by the data subjects, the first defendant states that their separate management of
that of complaints management described in point 67 above, requires that an email be sent to a
e-mail address dedicated to this type of request, ie the address [...].
Decision on the merits 81 / 2020- 18/45

69. The first respondent notes in this regard that the complainant did not correspond with her
via this specific email. The complainant therefore (paragraph 67 above), for only answer, was
referred to the second defendant as in the case of a non-application related complaint
of the rights of data subjects in terms of data protection: "Please contact
to the bailiff "; and this since his request was subsequent to the communication of the file to the
second defendant.

70. As the Inspector General notes in his report, the Litigation Chamber notes
that while the complainant's request raised data protection issues, there is no
no internal referral to the first defendant's data protection officer. This
way of proceeding appears contrary to the "Privacy" clause appearing on the formal notice of the
first defendant which indicates that for the exercise of their rights in matters of protection
data, debtors are invited to contact the first defendant (first contact
"Natural" after all), which suggests that it is indeed the first defendant who
will examine their request (point 57 above).

71. The second respondent, on behalf of the first respondent, replied to the complainant by
letter of April 2, 2019, or according to the first defendant, within the one month period required by article
12.3. of the GDPR. According to this letter, the second defendant provides it with a certain number
information on the processing carried out by the first defendant.8 It also attaches the
photographs (point 12) and the reminder letter of January 24, 2019.

72. Moreover, in the same letter, the second defendant also communicates to the
complainant of the elements relating to the request for access addressed to her directly regarding her
own processing (see point 8.2.2 below).

73. The Litigation Chamber is of the opinion that the establishment of internal procedures and
standards dedicated to the exercise of the rights of data subjects in terms of the protection of
data is essential and likely to contribute to the effective application of these rights. It facilitates
certainly their exercise as required by Article 12.2. of the GDPR. In a structure such as
first defendant, given the volume of data processed, the Litigation Chamber considers it

8 Extract from the letter of April 2 from the second defendant: “As for our client, he is mandated by the city of
[...] to operate the recovery of unpaid parking fees. It is registered with the
Commission for the Protection of Privacy and, to this end, has received the attached document authorizing him to receive
IVD data for the sole purpose of collecting unpaid royalties. As part of its mandate, our
customer obtains name, first name and address in order to send a reminder letter. Subsequently if the file is not
paid, it is sent to the study as provided for by municipal regulations. According to him, this data is deleted
upon receipt of payment ”.
Decision on the merits 81 / 2020- 19/45
essential. However, the persons concerned cannot be criticized for using another channel
communication to address their requests. No adverse consequences for the person
concerned cannot be drawn from the fact - even in the hypothesis that it would have been correctly
informed - that they have not used the correct form or have contacted the person in charge of
processing by another means, via an incorrect e-mail address for example. Abundantly, the
Litigation Chamber is of the opinion that in this case, the distinction between "complaint" and "exercise of a right
access to his data "in the context of a request for payment of a
parking is not easy to operate for any citizen.

74. The Contentious Chamber therefore notes that in any event, the first defendant does not
could hide behind the "error" that she invokes on the part of the complainant to consider
that she herself would have been exempted from her obligation to respond to the request to exercise the right
access of the complainant.

75. In the present case, each of the defendants being a separate person responsible (and not
jointly responsible as it has already been explained in section 7.3. above), it is their responsibility to give
following the exercise of the rights of data subjects with regard to the processing operations they carry out
each respectively. The Litigation Chamber ne can exclude that in fact, without being nor
subcontractors or joint managers, controllers agree among themselves that
one responds to the request to exercise the rights of data subjects on behalf of the other who
mandate to do so. If this were to be the case, the procedure put in place should be perfectly
clear and understandable for the persons concerned who must have been informed. Indeed,
this way of proceeding is very likely to lead to confusion about the role of each. In
in this case, this led the Complainant to believe that the Second Respondent was the subcontractor of
the first defendant. In this case, the first point of contact for the debtor of the royalty is, eu
having regard to the facts and in the absence of other clear information, naturally the first defendant. The
Contentious Chamber notes in this regard that the first defendant indicated to the Chamber
Litigation now favor a reorganization of procedures which would retain internal
management of complaints relating to the data processing it operates.

76. Nor can the first defendant consider that since the second
defendant replied to the complainant on April 2, 2019, she herself would have been exempted from doing so
except to consider that the second defendant, mandated by the first, would have responded in a manner
complete, transparent and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the
first defendant, which is not the case. The second defendant admittedly provides some
number of elements but these do not completely meet the requirements of the article
15.1 of the GDPR.
Decision on the merits 81 / 2020- 20/45

77. The Contentious Chamber notes overwhelmingly that the first defendant does not dispute
not his lack of response, a fortiori within the time limit required by Article 12.3. of the GDPR.

78. The Contentious Chamber concludes from the foregoing that the first respondent did not
right to the complainant's request for access in a satisfactory manner and that there was a breach in
its head in Article 15.1 of the GDPR, combined, a fortiori, in Article 12.3. of the GDPR. The first one
the defendant also failed to fulfill its obligation to facilitate the exercise of the rights of
data subjects required by Article 12.2. of the GDPR.
8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)
8.1.3.1. In view of the consultation of the DIV

79. The complainant accuses the first respondent of having consulted the DIV in such a way
premature on January 3, 2019, that is, before the expiry of the period given to him to fulfill
spontaneously of the amount of the royalty claimed. According to her, this consultation therefore took place
in violation of the principle of minimization according to which "personal data
must be: c) adequate, relevant and limited to what is necessary for the purposes for
which they are processed (data minimization) ”(article 5.1 c) of the GDPR).

80. According to his report, the Inspector General concludes in this regard that "data to
personal character of the [complainant] concerning (name, first name and address) were treated without
necessity in the period during which the data subject has the opportunity to pay the
fee before sending a reminder sent to his name and address, which is not compliant
with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. next
the article [...] of the By-law of the City of [...] parking ticket machines 2019, this
delay is 10 days ”.

81. The first defendant does not dispute that this consultation of the DIV took place on 3
January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2
2019. She explains that as soon as she was informed of what she called "an error", she
immediately requested an adaptation of the system to take into account the deadlines
imposed by the various municipal regulations and thus put an end to this practice of consultation
immediate DIV. The first defendant further adds that when it made this request
to his IT service provider, the latter informed him that the system had been corrected as soon as
August 26, 2019.

82. The Litigation Chamber recalls that access to the DIV is strictly regulated taking into account
the sensitivity of this database and that only authorized bodies are authorized to
Decision on the merits 81 / 2020- 21/45
to access. It was up to the first defendant to organize this access in accordance with the principles
of data protection by design and by default (article 25 of the GDPR) in order to
effectively implement the principle of data minimization.

83. The Contentious Chamber can only note, in support of the documents produced in e can exclude that in fact, without being nor
subcontractors or joint managers, controllers agree among themselves that
one responds to the request to exercise the rights of data subjects on behalf of the other who
mandate to do so. If this were to be the case, the procedure put in place should be perfectly
clear and understandable for the persons concerned who must have been informed. Indeed,
this way of proceeding is very likely to lead to confusion about the role of each. In
in this case, this led the Complainant to believe that the Second Respondent was the subcontractor of
the first defendant. In this case, the first point of contact for the debtor of the royalty is, eu
having regard to the facts and in the absence of other clear information, naturally the first defendant. The
Contentious Chamber notes in this regard that the first defendant indicated to the Chamber
Litigation now favor a reorganization of procedures which would retain internal
management of complaints relating to the data processing it operates.
76. Nor can the first defendant consider that since the second
defendant replied to the complainant on April 2, 2019, she herself would have been exempted from doing so
except to consider that the second defendant, mandated by the first, would have responded in a manner
complete, transparent and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the
first defendant, which is not the case. The second defendant admittedly provides some
number of elements but these do not completely meet the requirements of the article
15.1 of the GDPR.
Decision on the merits 81 / 2020- 20/45
77. The Contentious Chamber notes overwhelmingly that the first defendant does not dispute
not his lack of response, a fortiori within the time limit required by Article 12.3. of the GDPR.
78. The Contentious Chamber concludes from the foregoing that the first respondent did not
right to the complainant's request for access in a satisfactory manner and that there was a breach in
its head in Article 15.1 of the GDPR, combined, a fortiori, in Article 12.3. of the GDPR. The first one
the defendant also failed to fulfill its obligation to facilitate the exercise of the rights of
data subjects required by Article 12.2. of the GDPR.
8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)
8.1.3.1. In view of the consultation of the DIV
79. The complainant accuses the first respondent of having consulted the DIV in such a way
premature on January 3, 2019, that is, before the expiry of the period given to him to fulfill
spontaneously of the amount of the royalty claimed. According to her, this consultation therefore took place
in violation of the principle of minimization according to which "personal data
must be: c) adequate, relevant and limited to what is necessary for the purposes for
which they are processed (data minimization) ”(article 5.1 c) of the GDPR).
80. According to his report, the Inspector General concludes in this regard that "data to
personal character of the [complainant] concerning (name, first name and address) were treated without
necessity in the period during which the data subject has the opportunity to pay the
fee before sending a reminder sent to his name and address, which is not compliant
with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. next
the article [...] of the By-law of the City of [...] parking ticket machines 2019, this
delay is 10 days ”.

81. The first defendant does not dispute that this consultation of the DIV took place on 3
January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2
2019. She explains that as soon as she was informed of what she called "an error", she
immediately requested an adaptation of the system to take into account the deadlines
imposed by the various municipal regulations and thus put an end to this practice of consultation
immediate DIV. The first defendant further adds that when it made this request
to his IT service provider, the latter informed him that the system had been corrected as soon as
August 26, 2019.
82. The Litigation Chamber recalls that access to the DIV is strictly regulated taking into account
the sensitivity of this database and that only authorized bodies are authorized to
Decision on the merits 81 / 2020- 21/45
to access. It was up to the first defendant to organize this access in accordance with the principles
of data protection by design and by default (article 25 of the GDPR) in order to
effectively implement the principle of data minimization.
83. The Contentious Chamber can only note, in support of the documents produced in s the file
and the Inspector General's finding that there was a breach of the minimization principle provided for in
Article 5.1 c) of the GDPR in respect of the first defendant.
8.1.3.2. In view of the communication of the complainant's data to the second defendant

84. As regards the transfer of the complainant's data by the first respondent to the
second defendant, the Litigation Chamber insists that this communication not take place
only when necessary otherwise it would violate the principle of minimization. So,
the data subject should be allowed the time allotted to him to pay the fee
before entering the bailiff. The second defendant is indeed justified in intervening and
therefore to be provided with the data of debtors such as the complainant, that in default of payment in
the time limit provided for by the municipal implementing regulations.
8.1.3.3. In view of the taking of photographs and their conservation for the purpose of establishing
the offense

85. According to its conclusions, the complainant also criticizes the first respondent
to process (including keeping) a certain number of personal data
concerning in violation of the principle of minimization and this, for the purposes of establishing the lack of
payment of the royalty due. Thus, the complainant considers, for example, that the photographs of her
vehicle (including their professional card on the passenger compartment, the name of their garage)
do not provide any element likely to specify the offense with which it is charged and are therefore without
relevance. The same goes for the photograph of her license plate which she is wondering about
on the necessity of the treatment (including conservation).

86. The first defendant indicates in the terms of its conclusions that its agents collect
such data as part of the establishment of the offense. It must, in accordance with Article 870
of the Judicial Code and taking into account the case law of the courts and tribunals, provide evidence
of the offense it alleges before the competent courts. Finally, she adds:
"That by taking the photos to ensure with certainty that no ticket or disc of
parking is not shown on the windshield of the vehicle, as the car is parked in a
place where parking is paid and / or in the blue zone on a date when the person concerned
must pay for this parking, the conclusive one does not violate the principle of minimization ”(page
14 of the conclusions of the first defendant).
Decision on the merits 81 / 2020- 22/45

87. The Contentious Chamber recalls that was it for the purpose of obtaining the necessary evidence
for a breach of a parking rule, the data controller is required to respect
all the obligations incumbent upon it under the GDPR throughout the duration of the
processing (collection, communication, storage, etc.) of personal data. It does not appear from
the primary competence of the Contentious Chamber to determine what evidence would be
sufficient and relevant to present to the competent courts. The fact remains that
as soon as this evidence constitutes personal data - including images
as in the present case - processed for the purposes of establishing the alleged facts, this data must be
relevant to the purpose pursued. Without finding a breach of the principle of
minimization in the case of the first defendant in this case, the Litigation Chamber invites
the latter to be attentive to the future and to sensitize its employees who make the findings on the
ground to act with discernment in this regard. The Litigation Chamber also recalls the principle
according to which personal data cannot be kept for a period not exceeding
that necessary with regard to the purposes for which they are processed (article 5.1 e) of the GDPR).
8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR

88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to the obligations of
data controllers (and subcontractors) and which reflects the principle set out in Article 5.2. of
RGPD, provides that "taking into account the nature, scope, context and purposes of the processing
as well as risks, of varying degrees of probability and severity, for the rights and freedoms of
natural persons, the controller implements the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that the treatment is
carried out in accordance with these regulations. These measures are reviewed and updated if
necessary. "

89. Section 24.2. of the GDPR specifies that when this is proportionate to the activities of
treatment, the measures referred to in Article 24.1. of the above GDPR include the implementation
appropriate policies in data protection by the controller.

90. The Contentious Chamber is of the opinion, in view of what has been noted above in Headings 8.1.1.,
8.1.2. and 8.1.3. , which the first defendant was at the time of the facts failing to implement
the appropriate technical and organizational measures required by Articles 24.1 and 2 of the GDPR to
guarantee not only an effective exercise of the rights of data subjects such as the complainant -
in particular his right to information and his right of access - as well as respect for the principle of
minimization when consulting the DIV.
Decision on the merits 81 / 2020- 23/45

91. With regard more particularly to the rights of data subjects, the Chamber
Litigation insists on the fact that the municipal regulation, which certainly describes the succession of
interventions by the first and second defendant in the context of amicable recovery
parking fee, cannot by itself constitute an adequate measure within the meaning of Article
24 of the GDPR. It does not allow the first defendant or to ensure that the processing is carried out
in accordance with the GDPR nor to demonstrate it. The Litigation Chamber nevertheless takes note of the
commitments made by the first defendant to comply with its obligations in this regard (see.
infra title 9.1.).
8.1.5. Conclusion as to the breaches of the first defendant

92. In conclusion, the Contentious Chamber notes the following failings in the area of
the first defendant:
- a breach of its obligation to inform (article 14.1-2, combined with article 12.3 and 12.1.
of the GDPR)
- a breach of its obligation to follow up on the exercise of the complainant's right of access
within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of
GDPR as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights))
- a breach of the principle of minimization during the premature consultation of the IVD
(article 5.1 c) of the GDPR)
- a breach of its obligation to put in place technical measures and
adequate organizational requirements for the implementation of Articles 5.2 and 24. 1-2 of the GDPR.
8.2. As to the breaches on the part of the second defendant
8.2.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)

93. The complainant criticizes the second defendant for not having informed her in accordance
to the requirements of Article 14 of the GDPR when it first comes into contact with it, or through the setting
formal notice that it sent to it on February 25, 2019 (point 7 above).

94. The second defendant considers that the exception provided for in Article 14.5. c) from
GDPR is applicable to it. In this regard, it relies on Article [...] of the municipal regulations of [...]
reproduced below9

:[……]

9 Note that in its formal notice of February 25, 2019, the second defendant refers to a settlement
communal (erroneous - see Title 7.2. above) only in these terms: "the possible recovery costs
amicably charged to the user are in accordance with article [...] of the municipal regulations of [...] of the
municipality of [...] relating to the parking fee ”.
Decision on the merits 81 / 2020- 24/45

95. The Litigation Chamber notes that under Article 14.5.c) of the GDPR, the person responsible
processing is exempt from its obligation to provide information when and to the extent that "obtaining
or the communication of information is expressly provided for by Union law or by law
of the Member State to which the controller is subject and which provides for measures
appropriate measures aimed at protecting the legitimate interests of the data subject '
10
.

96. The Contentious Chamber notes a language difference between the French version and, by
example, the Dutch and English versions of this provision. Indeed, while the version
French of Article 14.5.c) mentions "when and to the extent that the obtaining or the communication
information is expressly provided for by Union or Member State law ", the versions
Dutch and English respectively use the following terms: "wanneer en voor
zover het verkrijgen of verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of
lidstaatelijk recht ”and“ where and insofar obtaining or disclosure is expressly laid down byUnion or
Member State law ”. The Litigation Chamber is of the opinion that it is the obtaining and the
communication of data which must be provided for by national law and notwithstanding the terms of
the French version of Article 14.5.c) of the GDPR.

97. The Contentious Chamber considers that the second defendant cannot rely on the
exemption from the information provided for in Article 14.5 c) of the GDPR in this case for the reasons described below.

98. What is provided for in Article 14.5. c) of the GDPR constitutes an exception to the right to informationormation.
Failing to be informed that data processing concerning him is carried out, the person
concerned is deprived of information which is in principle spontaneously provided to him by the manager
processing and which facilitates the exercise of its other rights of which it is also informed of
the existence and modalities of exercise (article 13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR).

99. This exemption must be interpreted restrictively since it constitutes a
exception to the information obligation provided for by the fundamental right to data protection11 and
all the more so as it deprives, as already mentioned, the data subject of information about
the existence and the modalities of exercise of its other rights which are NOT subject
with the same exception "in the event of obtaining or communicating expressly provided for by law". As
for example, the right of access (Article 15 of the GDPR) - which in turn paves the way for the exercise of others

10 It is the Litigation Chamber that emphasizes.
11 The Contentious Chamber recalls the constant case law of the Court of Justice of the European Union which
interprets the exceptions to the fundamental right to data protection restrictively: see. by
example: C. Docksey and H. Hijmans, The Court of Justice as a Key Player in Privacy and Data Protection, EDPL
Review (2019), pp. 300-316, and the case-law cited (in particular, p. 309).
Decision on the merits 81 / 2020- 25/45
rights such as the right to rectification, opposition or even erasure in particular - do not know
this exception (article 15.4. of the GDPR).

100. The Litigation Chamber notes that in this case, as already noted, the municipal regulations
relied on by the second defendant describes the succession of interventions by the first and
second defendants in the management of the collection of parking fees (as well as
surcharges due in default / or in the event of late payment). In other words, the regulation
municipality on which the second defendant bases its exemption from information does not inform
to the data processing carried out in execution thereof. At most it allows us to deduce that
information will be exchanged between the first and the second respondent in the context
a violation of the parking rules in order to recover the fee due. We design
certainly that these interventions will induce the obtaining and communication of personal data. Those -
However, these are not expressly provided for, at most they can be implicitly deduced.

101. Moreover, this exception can only be invoked if appropriate guarantees aimed at
protect the legitimate interests of the persons concerned are provided for by said regulation. The
Litigation Chamber considers that in the present case, these guarantees must consist of a set
minimum information relating to data processing which must appear in the act
regulatory under which the communication of information takes place.

102. The Litigation Chamber is of the opinion that at a minimum, the following information -
inspired by Article 23.2. of the GDPR - should have been included: purpose of the processing, categories of data
of a personal nature processed, identity of the controller, retention period and a
reference to the rights of data subjects.

103. Those guarantees must admittedly be provided for by national law. The lack of guarantees
appropriate is certainly not attributable to the second defendant. The fact remains that at
under the GDPR, it is the data controller who is responsible for verifying whether he can legitimately
invoke the exception provided for in Article 14.5.c) of the GDPR. The Litigation Chamber recognizes that in
depending on the case and in particular the quality of the data controller, this examination may
not be easy, especially with regard to the existence of appropriate guarantees. However, in this case,
the municipal regulation that the second defendant relies on in support of its exemption does not deal with
data protection aspects, which left little room for doubt as to
whether he could legitimize a waiver of information. The legal framework for
the profession of bailiffs and the respect due to their ethical rules are not enough in themselves
to constitute appropriate guarantees in terms of data protection within the meaning of Article 14.5.c)
of the GDPR.
Decision on the merits 81 / 2020- 26/45

104. In conclusion, the Contentious Chamber finds that the second defendant, relying on
wrong on the exemption provided for in Article 14.5 c) of the GDPR (since the municipal regulation does not provide
not expressly obtaining and communicating data and in the absence of guarantees
appropriate otherwise) failed to fulfill its obligation to provide information, thus contravening Article 14.1-2
taken together with section 123. of the GDPR.

105. According to its conclusions, the second defendant indicates to the Contentious Chamber
What does it say "if the exception should not apply, she noted that the reference to her website
appearing in his letters of formal notice does not, at least at first glance, allow
to inform the persons concerned that they can obtain information directly on the website of the
conclusive ”(page 9 of the main conclusions of the second defendant). She proposes
to add to the reference appearing on its model a specific mention concerning the protection of life
privacy policy referring to its privacy information document available on its site.

106. The Contentious Chamber is indeed of the opinion that the mere mention of a website
on a letter - site on which a privacy statement can be viewed - does not constitute
not information that complies with the requirements of the GDPR. At a minimum, a “protection of
data ”containing the essential elements of the processing operations concerned and an explicit reference to the
privacy policy (relevant part if applicable) available on the site for the surplus must
To be scheduled. The Contentious Chamber reviews in this regard what it has indicated above with regard to
the “Privacy” clause of the first defendant (point 57 et seq.).

107. The Contentious Chamber also wishes to clarify the following. As part of his
argument, the second defendant concludes that the GDPR does not impose on the person responsible for
processing to communicate to the persons concerned the references of the supporting normative act
which he considers to be exempted from his obligation to inform. However, failing any
information in this regard, it is illusory to think that the persons concerned will seek (and
will find) the normative act in question containing the required guarantees and allowing them to
get informed. The Contentious Chamber considers that it would be, when this exemption from information can be
invoked (quod non in this case), it is good practice to communicate this reference.
8.2.2. As for the breach of the right of access (article 15 of the GDPR)

108. As the Contentious Chamber recalled above with regard to the obligations of
first defendant, the data subject has the right to obtain from the controller the
confirmation that personal data concerning him is or is not being processed and,
when they are, access to said personal data as well as the elements
information listed in letters a) to h) of Article 15.1. of the GDPR.
Decision on the merits 81 / 2020- 27/45

109. The complainant reports a fragmentary response to the request for the right of access that she has
addressed to the second defendant. She is of the opinion that she was not fully informed
relative to the source of the data.

110. The second defendant points out that on page 3 of its letter in reply of 2 April 2019,
she specified that she was mandated by the first defendant who had communicated to her the
complainant and file data.

111. Based on the documents produced, the Contentious Chamber is not in a position to conclude that
a breach of Article 15 of the GDPR on the part of the second defendant.
8.2.3. Regarding the breach of the principles of proportionality and illegal reuse of data
(Articles 5 and 6 of the RGPD) which are communicated to him by the first defendant then even
that it would not be validly founded

112. The Contentious Chamber notes that the Complainant considers that the second Respondent
performs illegal data processing when it collects and stores data relating to
his vehicle (photos of the windshield and general photo of the vehicle sent to him by the
first defendant). The Contentious Chamber refers in this regard to the considerations it has
set out in Title 8.1.3.3. above with regard to this complaint also criticized in the first
defendant.

113. The Contentious Chamber does not find any breach in the head of the second
defendant in this regard.
8.2.4. As for the payment request form and the obtaining of a forced consent (article
6.1 a) of the GDPR - article 5.1 c) of the GDPR)

114. On February 25, 2019, the Complainant was sent by the Second Respondent a warning
remains to pay the amount of the fee of […] euros ([…] +5) plus the summons costs
and a collection fee, bringing the amount claimed to the sum of […] euros (point 7 above).

115. A form was attached to this formal notice, entitled "Form to be returned to us"
printed in larger letters, framed and immediately followed by the following statement, in bold
underlined: "Only this duly completed form and its annexes will be taken into account for the
processing of your payment request or your dispute ”.

116. The following data are requested at the ends of this form: surname, first name, date of
birth, address, postal code and town, telephone number, mobile number, e-mail address.
Decision on the merits 81 / 2020- 28/45
Three choices in terms of payment proposals are also mentioned under which
the debtor
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) request a clearance plan or
- (3) indicates that it is impossible to pay the amount.

117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this
form by the second defendant without it being established that she herself completed it. There is
therefore no, strictly speaking, "processing of personal data" by the complainant
via this form. Refusal to complete a form that turns out to be against the law (as it will be
demonstrated below), however, cannot result in a situation whereby the House
Litigation could not exercise the missions and powers conferred on it by Articles 57 and 58 of the
RGPD and the LCA with regard to a practice that involves data processing subject to the RGPD.
The contentious chamber is, therefore, irrespective of whether there is a breach
with regard to the complainant, empowered to examine this grievance against which the second respondent has
also had the opportunity to defend themselves.

118. The complainant considers that, given the wording of the form, its presentation,
its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be
considered that the consent of the data subject to provide the data mentioned on this
form would be free. The complainant is also of the opinion that the collection of data via this form
ignored the principle of minimization.

119. The second defendant argues, on the contrary, that this form allows persons
concerned to voice their dispute or their wish to benefit from a clearance plan.
The second defendant adds that the purpose of the form is clearly stated in the setting
remains of which it constitutes an annex and that no obligation for the person concerned can
be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the
GDPR to collect said data and carry out subsequent processing. The notice
states that consultation of the file and requests for online clearance and / or payment may
be done via the site or by e-mail and that additional information can be obtained via
the form.

120. As to the principle of minimization, the second defendant states that the form allows,
by offering the persons concerned various possibilities (postal address, telephone number
telephone, mobile phone number, e-mail address) to choose the mode of communication and
the contact data necessary for this purpose without there being any obligation to complete the form
Decision on the merits 81 / 2020- 29/45
(point 119 above), nor - in the event that the debtor wishes to make use of it - obligation to
provide data for each of the headings of said form.

121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the
person concerned as being "any manifestation of will, free
12
, specific, illuminated and
unambiguous by which the data subject accepts, by a declaration or by a clear positive act,
that personal data concerning him / her are processed. " The
consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must
meet all the qualities required by this definition.

122. The adjective "free" implies choice and real control for those concerned. The
consent can only be valid if the data subject is genuinely able
to exercise a choice and if there is no risk of deception, intimidation, coercion or
significant negative consequences (e.g. significant additional costs) if it does not give
his consent. Consent will not be free when any element of coercion, pressure
or inability to exercise meaningful choice will be present. Consent will therefore not be
not considered to be freely given if the data subject is not able to refuse
or withdraw consent without suffering prejudice. The controller must also
demonstrate that it is possible to refuse or withdraw consent without suffering prejudice
(recital 42 of the GDPR) 13

123. When determining whether consent is freely given, it is therefore appropriate to
account of a possible imbalance in the balance of power between the person concerned and the manager
treatment. Recital 43 of the GDPR makes it clear that it is not likely that authorizations s of this form: surname, first name, date of
birth, address, postal code and town, telephone number, mobile number, e-mail address.
Decision on the merits 81 / 2020- 28/45
Three choices in terms of payment proposals are also mentioned under which
the debtor
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) request a clearance plan or
- (3) indicates that it is impossible to pay the amount.

117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this
form by the second defendant without it being established that she herself completed it. There is
therefore no, strictly speaking, "processing of personal data" by the complainant
via this form. Refusal to complete a form that turns out to be against the law (as it will be
demonstrated below), however, cannot result in a situation whereby the House
Litigation could not exercise the missions and powers conferred on it by Articles 57 and 58 of the
RGPD and the LCA with regard to a practice that involves data processing subject to the RGPD.
The contentious chamber is, therefore, irrespective of whether there is a breach
with regard to the complainant, empowered to examine this grievance against which the second respondent has
also had the opportunity to defend themselves.

118. The complainant considers that, given the wording of the form, its presentation,
its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be
considered that the consent of the data subject to provide the data mentioned on this
form would be free. The complainant is also of the opinion that the collection of data via this form
ignored the principle of minimization.

119. The second defendant argues, on the contrary, that this form allows persons
concerned to voice their dispute or their wish to benefit from a clearance plan.
The second defendant adds that the purpose of the form is clearly stated in the setting
remains of which it constitutes an annex and that no obligation for the person concerned can
be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the
GDPR to collect said data and carry out subsequent processing. The notice
states that consultation of the file and requests for online clearance and / or payment may
be done via the site or by e-mail and that additional information can be obtained via
the form.

120. As to the principle of minimization, the second defendant states that the form allows,
by offering the persons concerned various possibilities (postal address, telephone number
telephone, mobile phone number, e-mail address) to choose the mode of communication and
the contact data necessary for this purpose without there being any obligation to complete the form
Decision on the merits 81 / 2020- 29/45
(point 119 above), nor - in the event that the debtor wishes to make use of it - obligation to
provide data for each of the headings of said form.

121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the
person concerned as being "any manifestation of will, free, specific, illuminated and
unambiguous by which the data subject accepts, by a declaration or by a clear positive act,
that personal data concerning him / her are processed. " The
consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must
meet all the qualities required by this definition.

122. The adjective "free" implies choice and real control for those concerned. The
consent can only be valid if the data subject is genuinely able
to exercise a choice and if there is no risk of deception, intimidation, coercion or
significant negative consequences (e.g. significant additional costs) if it does not give
his consent. Consent will not be free when any element of coercion, pressure
or inability to exercise meaningful choice will be present. Consent will therefore not be
not considered to be freely given if the data subject is not able to refuse
or withdraw consent without suffering prejudice. The controller must also
demonstrate that it is possible to refuse or withdraw consent without suffering prejudice
(recital 42 of the GDPR) 13

123. When determining whether consent is freely given, it is therefore appropriate to
account of a possible imbalance in the balance of power between the person concerned and the manager
treatment. Recital 43 of the GDPR makes it clear that it is not likely that authorizations Similarly, the Litigation Chamber recalls that to be valid, consent must
also be enlightened. For consent to be considered informed, it is necessary that the
controller provides certain information to the data subject, in a form
understandable and easily accessible. Recital 42 of the GDPR requires that the data subject
have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing
for whom this personal data is intended.

131. The Contentious Chamber considers that other elements are also crucial for the
data subject can make an informed decision and that their consent is valid.
The controller should provide information on the type of data concerned
by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR),
on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR)
and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection
adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15
.
132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the
second defendant intends to rely in the future, the formal notice should include a
information in the form of a specific clause containing both the elements required for a
informed consent where applicable, and succinct information directly useful with regard to the
processing (s) concerned (point 106 above).

14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679 (points 121-123):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
Decision on the merits 81 / 2020- 32/45
133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber
Litigation also notes that with regard to the various data requested under "Your
contact details ", no asterisk or other indication indicates that the data subject is free to
choose one of the communication modes (telephone number, GSM number, e-mail address) and
that certain data are therefore optional. Taken in isolation, these data appear relevant
and not excessive, but here too, the presentation and wording used suggest that there is no
no alternative to collecting all the information regarding each section of the table.

134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in
the head of the second defendant.
8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR

135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is
of opinion that the second defendant is in default of having implemented the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that
data that it processes are, in particular taking into account their nature, the context and
purposes they pursue, carried out in accordance with the GDPR.

136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24. 1-2 of
GDPR in respect of the second defendant.
8.2.6. Conclusion as to the breaches of the second defendant

137. In conclusion, the following shortcomings are noted with regard to the second
defendant:
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
GDPR)
- a lack of legal basis with regard to the collection of data under the form
accompanying the formal notice of payment (article 6 of the GDPR) and a breach of
principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of
requested data.
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.
9. Regarding corrective measures and sanctions
138. Under article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
Decision on the merits 81 / 2020- 33/45
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of data and the notification Similarly, the Litigation Chamber recalls that to be valid, consent must
also be enlightened. For consent to be considered informed, it is necessary that the
controller provides certain information to the data subject, in a form
understandable and easily accessible. Recital 42 of the GDPR requires that the data subject
have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing
for whom this personal data is intended.

131. The Contentious Chamber considers that other elements are also crucial for the
data subject can make an informed decision and that their consent is valid.
The controller should provide information on the type of data concerned
by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR),
on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR)
and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection
adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15
.
132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the
second defendant intends to rely in the future, the formal notice should include a
information in the form of a specific clause containing both the elements required for a
informed consent where applicable, and succinct information directly useful with regard to the
processing (s) concerned (point 106 above).

14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation (EU) 2016/679 (points 121-123):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of
Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version):
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf
Decision on the merits 81 / 2020- 32/45
133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber
Litigation also notes that with regard to the various data requested under "Your
contact details ", no asterisk or other indication indicates that the data subject is free to
choose one of the communication modes (telephone number, GSM number, e-mail address) and
that certain data are therefore optional. Taken in isolation, these data appear relevant
and not excessive, but here too, the presentation and wording used suggest that there is no
no alternative to collecting all the information regarding each section of the table.
134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in
the head of the second defendant.
8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR

135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is
of opinion that the second defendant is in default of having implemented the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that
data that it processes are, in particular taking into account their nature, the context and
purposes they pursue, carried out in accordance with the GDPR.

136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24. 1-2 of
GDPR in respect of the second defendant.
8.2.6. Conclusion as to the breaches of the second defendant

137. In conclusion, the following shortcomings are noted with regard to the second
defendant:
- a breach of its information obligation (article 14.1-2, combined with article 12.3. of
GDPR)
- a lack of legal basis with regard to the collection of data under the form
accompanying the formal notice of payment (article 6 of the GDPR) and a breach of
principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of
requested data.
- a breach of Articles 5.2. and 24. 1-2 of the GDPR.
9. Regarding corrective measures and sanctions
138. Under article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
Decision on the merits 81 / 2020- 33/45
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of data and the notification e or such corrective measure or sanction. If, notwithstanding the above, the complainant
had nevertheless to ask the Litigation Chamber to pronounce one or the other measure
and / or sanction, it is therefore not up to the latter to justify why it would not retain
not one or the other request made by the complainant. These considerations leave intact
the obligation for the Litigation Chamber to justify the choice of measures and sanctions to which
it judges, (among the list of measures and sanctions made available to it by Articles 58 of
GDPR and 95.1 and 100.1 LCA) appropriate to condemn the party in question.
144. In the present case, the Contentious Chamber notes that the complainant seeks in particular
Litigation Chamber that it order compliance under penalty of penalty. Without
prejudice to the above, but since it has just published its policy in this regard, the
Litigation Chamber refers on this point to the publication now available on its website
Internet17
.
145. With regard to the administrative fine, the Contentious Chamber emphasizes that its aim is
to effectively enforce the rules of the GDPR. Other measures, such as the order of
compliance or the prohibition to continue certain treatments, for example, allow
they put an end to a breach found. As can be seen from recital 148 of the GDPR,
sanctions, including administrative fines, are imposed in the event of serious violations,
in addition to or in place of the appropriate measures that are required. Therefore, the fine
administrative can certainly come to sanction a serious breach to which it would have been
remedied during the proceedings or which would be about to be remedied. The fact remains that
the Litigation Chamber will take into account what has been terminated or what is in progress
to remedy the said breaches in setting the amount of the fine.
9.1. As to the first defendant
146. The Contentious Chamber noted a breach of Articles 14. 1-2 combined with Article
12.1 and 12.3, 15.1 combined with Article 12.3 and Article 12.2., 5.1 c) and 5.2. 24. 1-2 of the GDPR (point 92
above).

17 See. on the APD website, Section Authority - Organization - Litigation Chamber:
https://www.autoriteprotectiondonnees.be/citoyen/l-autorite/ organizations and
https://www.autoriteprotectiondonnees.be/professionnel/l-autorite/ organizations
Decision on the merits 81 / 2020- 36/45

147. In view of the observation of these breaches, the Contentious Chamber addresses to the first
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.

148. The Contentious Chamber further notes that the first defendant has, without
await the decision of the Litigation Chamber, upon its conclusions and during the hearing, taken a
a number of commitments to remedy the shortcomings identified by the Inspector General in
his report. The Litigation Chamber is of the opinion that a number of changes and measures
must in fact, as quickly as possible, be brought by the first defendant to
comply with its obligations under the GDPR. The Litigation Chamber therefore
imposes a detailed compliance order for the device in application of article 100. 1, 9 ° LCA
(see in this regard the clarification in point 141 above).

149. In addition to this reprimand18 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.

150. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 5.1 c) of the GDPR, it constitutes a breach of one of the principles
founders of the GDPR (and of data protection law in general), or the principle of
minimization devoted to Chapter II "Principles" of the GDPR.

151. As regards the breaches of Article 14. 1-2 combined with Articles 12.3 and 12.1 of the GDPR, in Article
15. 1 of the GDPR (combined with Article 12.3 and Article 12.2. Of the GDPR), they constitute breaches
the rights of data subjects. These information and access rights have also been strengthened
under the GDPR, which shows their particular importance. The Protection Authority
in this perspective, has made compliance with them a priority in its plan.
strategy 2020-2025.19 The appropriate corrective measure / sanction is nonetheless determined
case by case.

152. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.

18 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or a processor that the trafficking operations is lying
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
19 Data Protection Authority (DPA), Strategic Plan 2020-2025:
https://www.autoriteprotectiondonnees.be/publications/plan-strategique-2020-2025.pdf
Decision on the merits 81 / 2020- 37/45

153. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
global annual total for the previous financial year. The maximum fine amounts that can be applied
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
devoted to Article 8 of the Charter of Fundamental Rights of the European Union, the appreciation of
their gravity will be, as the Litigation Chamber has already had the opportunity to point out, in support of
Article 83.2.a) of the GDPR, autonomously20
.
154 It has already been noted that in the context of the inspection, the letters in response to
the Inspector General were signed by the group [...]. At the hearing on July 13, 2020, the first
defendant confirmed to be part of this group.

155 In determining the amount of the fine, the Contentious Chamber takes into account the
concept of company (article 83.5 of the GDPR). The Litigation Chamber also takes into account
the opinion of the European Data Protection Committee, of which it particularly retains this
following:
"In order to impose effective, proportionate and dissuasive fines, the supervisory authorities
will rely on the definition of the concept of enterprise provided by the CJEU for the purposes of
the application of Articles 101 and 102 of the TFEU, namely that the concept of company must
be understood as an economic unit that can be formed by the parent company and all
the subsidiaries concerned. In accordance with Union law and case law, it is necessary
to understand by enterprise the economic unit engaged in commercial activities or
economic, regardless of the legal person involved (recital 150). "
21

156. As to the number of persons concerned affected by the violations, the Chamber
Litigation notes that the breaches noted concern, beyond the sole complainant, a
large number of people. The first defendant is the holder of concessions of
parking in […] municipalities. The shortcomings observed are part of the practice
of the first defendant and are consecutive to the failure to set up

20 See in this regard, decision 64/2020 of the Contentious Chamber (point 54):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf
21 European Data Protection Board, Guidelines on the application and setting of fines
Administrative Rules for the purposes of Regulation (EU) 2016/679, WP 253, adopted on 3 October 2017, p. 6, available at
www.edpb.europa.eu. See also, decision 37/2020 of the Contentious Chamber.
Decision on the merits 81 / 2020- 38/45
effective procedures for exercising rights in particular. The number of people concerned is therefore
Student.

157. As to the status of the first defendant, the Contentious Chamber recalls that in
previous decisions22, it has already retained the status of public representative of the head of
treatment as an aggravating factor within the meaning of Article 83.2. k) of the GDPR. Without constituting a
public representative in the strict sense of the term, the first defendant in office no less
public competence which has been entrusted to it by concession. As such, it must adopt a
exemplary attitude. The "infringement" context in which the processing takes place
of data that it processes requires, in view of their purpose, also particular respect
rigorous rights of the persons concerned. Data processing is also a
substantial part of the activity of the first defendant.

158. As to the duration criterion, the Litigation Chamber notes that these breaches lasted
in time (Article 83.1 a) of the GDPR), at least since May 25, 2018, except for what is
the breach of Article 5.1 c) of the GDPR more limited in time.

159. As to the question of whether the breaches were committed willfully or not (para
negligence) (art. 83.2.b) of the GDPR), the Litigation Chamber recalls that "not deliberately" means
that there was no intention to commit the violation, although the controller t or the
subcontractor has not complied with its duty of care under the law. In
In the present case, the Litigation Chamber is of the opinion that the facts and the shortcomings noted - were they
serious - do not reflect a deliberate intention to violate the GDPR in the first instance
defendant.

160. The Contentious Chamber finally notes that the first defendant cooperated with the APD
throughout the procedure (Article 83.2. f) of the GDPR), in particular with the Inspectorate, and admits that
the management of the complainant's case requires her to make substantial improvements to her
current functioning with regard to the rights of data subjects. The first defendant has,
as already underlined, moreover made a certain number of commitments to comply with this
respect23
.

22 See decision 10/2019 of the Contentious Chamber (page 12)
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as its
decision 11/2019 (page 10) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n11-2019.pdf
23 As for information, the first defendant makes a number of commitments vis-à-vis the ODA,
the terms of which are reproduced below (points 42 to 45 of the conclusions of the first defendant):
42. The conclusive woman realized that the information provided was not sufficient with regard to
obligations incumbent upon him. The conclusive therefore undertakes to provide the Protection Authority with
Decision on the merits 81 / 2020- 39/45

161. The Contentious Chamber notes that the other criteria of Article 83.2. of the GDPR are not
neither relevant nor likely to influence its decision on the imposition of an administrative fine
and its amount.

162. In conclusion, in view of the elements developed above specific to this case, the
Litigation Chamber considers that the facts noted and the breach of Articles 14.1-2 combined
in Article 12.1 and 12.3, 15.1 combined with Article 12.3 and 12.2., 5.1 c) and 5.2. and 24.1-2 of the GDPR, justify
as an effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR
and taking into account the assessment factors listed in Article 83.2. GDPR and the reaction of the
first defendant to the proposed fine form, a reprimand (article 100.1, 5 ° LCA) and
a compliance order detailed below (article 100.1, 9 ° LCA) accompanied by a fine
administrative costs in the amount of 50,000 euros (article 100.1, 13 ° and 101 LCA) are pronounced at
against the first defendant.

163. In fixing this amount, the Litigation Chamber took into account that the first
defendant is part of the group [...], of the annual turnover of this group and of the financial base
of the last. It also took into account the information given by the first defendant
in its reaction to the proposed fine form according to which the group is experiencing a clear
decrease in revenues in the current context of the covid-19 virus pandemic.

164. With regard to these elements, the amount of 50,000 euros remains proportionate to the
breaches denounced. The Litigation Chamber is of the opinion that an amount of fine less than
50,000 euros would not meet, in this case, the criteria required by Article 83.1. of the GDPR according to
which the administrative fine must be effective, proportionate and dissuasive. In his decision
01/2020 of 9 November 2020, the European Data Protection Board insists in this regard

Data, as soon as possible, an information document that will meet the requirements of Article 14
of the GDPR and which will appear on its website (Exhibit 41).
43. In addition, the conclusive one will ensure that this notice allows easy access to the information
relating to data protection by creating an explanatory note which will be located in a single place
on its website.1
44. In addition, the conclusive one will put in place a clear reference on the invitation to pay to ensure
that data subjects understand directly that all information is accessible
on its website. In addition, the conclusive one will review, again, as soon as possible, the content
of the privacy message at the bottom of their reminder letter.
45. Finally, the conclusive undertakes to redo audit its entire website in order to set up
all the documentation, details and references in the necessary forms so that the
people concerned can easily access complete information.
Decision on the merits 81 / 2020- 40/45
on the fact that the height of the amount of the fine contributes to the effectiveness, proportion and
deterrent to the fine24
.
9.2. As for the second defendant

165. The Contentious Chamber found a breach of article 14.1-2 combined with article
12.3, section 6, section 5.1 c) and sections 5.2. and 24. 1-2 of the GDPR in the case of the second
defendant (paragraph 137 above).

166. In view of these shortcomings, the Litigation Chamber addresses the second
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.

167. The Contentious Chamber also takes note of the fact that the second defendant is,
in terms of its findings and at the hearing, proposed to make certain changes in
his practice. The Litigation Chamber is in fact of the opinion that a number of modifications and
measures must in fact, as quickly as possible, be brought by the second defendant
to comply with its obligations under the GDPR. Therefore, the Chamber
Litigation imposes a detailed compliance order on the device pursuant to article
100. 1, 9 ° LCA (see in this regard the clarification in point 141 above).

168. In addition to this reprimand25 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.

169. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c)

24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR
(only available in English)

See. § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the
requirements ofArticle83 (1) GDPR of being effective, dissuasive and proportionate. ”
Free translation by the ODA Secretariat:
"199. Consequently, the EDPS considers that the amount of the fine proposed under the draft
decision-making process is too weak and, for this reason, does not fulfill its role as a corrective measure. In particular,
this amount does not meet the requirements of section 83.1. of the GDPR according to which the fine must be
effective, proportionate and dissuasive ”.
25 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or processor that the processing operations
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
Decision on the merits 81 / 2020- 41/45
of the GDPR, they constitute breaches of the founding principles of the GDPR (and of
data protection in general), or the principles of lawfulness and minimization devoted to
Chapter II “Principles” of the GDPR. While the data collected at the end of the form are
mainly identification data and do not constitute sensitive data within the meaning of
Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176.
below, in an “infringement” context. The Litigation Chamber will take this
double consideration.

170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a
infringement of the rights of data subjects - notwithstanding the existence of a confidentiality policy
moreover, which the Contentious Chamber is aware of and which it takes into account (paragraph 179). The
right to information has been strengthened under the GDPR, demonstrating its importance
particular. In this perspective, the Data Protection Authority has ensured respect for the rights
of the people concerned as a priority in its 2020-2025 strategic plan26. Measurement
However, the appropriate corrective / sanction is determined on a case-by-case basis.

171. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.

172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
global annual total for the previous financial year. The maximum fine amounts that can be applied
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
enshrined in Article 8 of the Charter of Fundamental Rights of 5.2. and 24. 1-2 of the GDPR in the case of the second
defendant (paragraph 137 above).
166. In view of these shortcomings, the Litigation Chamber addresses the second
defendant a reprimand on the basis of Article 100. 1, 5 ° LCA.
167. The Contentious Chamber also takes note of the fact that the second defendant is,
in terms of its findings and at the hearing, proposed to make certain changes in
his practice. The Litigation Chamber is in fact of the opinion that a number of modifications and
measures must in fact, as quickly as possible, be brought by the second defendant
to comply with its obligations under the GDPR. Therefore, the Chamber
Litigation imposes a detailed compliance order on the device pursuant to article
100. 1, 9 ° LCA (see in this regard the clarification in point 141 above).
168. In addition to this reprimand25 and this order for compliance, the Contentious Chamber is
of the opinion that in addition, an administrative fine is justified in this case for the following reasons.
169. As to the nature of the violation, the Contentious Chamber notes that with regard to the
breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c)

24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR
(only available in English)
See. § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf
“199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and
therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the
requirements ofArticle83 (1) GDPR of being effective, dissuasive and proportionate. ”
Free translation by the ODA Secretariat:
"199. Consequently, the EDPS considers that the amount of the fine proposed under the draft
decision-making process is too weak and, for this reason, does not fulfill its role as a corrective measure. In particular,
this amount does not meet the requirements of section 83.1. of the GDPR according to which the fine must be
effective, proportionate and dissuasive ”.
25 The Contentious Chamber here intends to clarify the distinction between warning and reprimand: the warning
is intended to notify a controller or processor that the processing operations
envisaged are likely to violate the provisions of the RGPD (article 58.2 a) of the RGPD, article 95.1, 4 ° and article
100.1, 5 ° LCA). The reprimand (or call to order) aims to call to order a controller or a
processor when the processing operations have resulted in a violation of the provisions of the GDPR (article
58.2 b) of the GDPR and article 100.1, 5 ° LCA).
Decision on the merits 81 / 2020- 41/45
of the GDPR, they constitute breaches of the founding principles of the GDPR (and of
data protection in general), or the principles of lawfulness and minimization devoted to
Chapter II “Principles” of the GDPR. While the data collected at the end of the form are
mainly identification data and do not constitute sensitive data within the meaning of
Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176.
below, in an “infringement” context. The Litigation Chamber will take this
double consideration.

170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes a
infringement of the rights of data subjects - notwithstanding the existence of a confidentiality policy
moreover, which the Contentious Chamber is aware of and which it takes into account (paragraph 179). The
right to information has been strengthened under the GDPR, demonstrating its importance
particular. In this perspective, the Data Protection Authority has ensured respect for the rights
of the people concerned as a priority in its 2020-2025 strategic plan26. Measurement
However, the appropriate corrective / sanction is determined on a case-by-case basis.

171. Finally, with regard to the breach of Article 5.2. and 24. 1-2 of the GDPR, it also constitutes a
breach of the key principle of accountability, introduced by the GDPR.

172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may
amount to 20,000,000 euros or in the case of a company, up to 4% of turnover
global annual total for the previous financial year. The maximum fine amounts that can be applied
in case of violation of these provisions are higher than those provided for other types of
breaches listed in section 83.4. of the GDPR. As regards breaches of a fundamental right,
enshrined in Article 8 of the Charter of Fundamental Rights of ontentieuse notes that the other criteria of Article 83.2. of the GDPR are not
neither relevant nor likely to influence its decision on the imposition of an administrative fine
and its amount.

181. In conclusion, in view of the elements developed above specific to this case, the
Litigation Chamber considers that the facts noted and the breach of Article 14.1-2 combined with
Section 12.3, Section 6, Section 5.1 (c) and Section 5.2. and 24. 1-2 of the GDPR, justify that under
effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR and account
taking into account the assessment factors listed in Article 83.2. GDPR and the reaction of the second
defendant to the proposed fine form, a reprimand (article 100.1, 5 ° LCA) and an order
of compliance detailed below (article 100.1, 9 ° LCA) accompanied by an administrative fine
in an amount of 15,000 euros (article 100.1, 13 ° and 101 LCA) are pronounced against the
second defendant.
10. As for transparency

182. In view of the importance of transparency in the decision-making process
and the decisions of the Litigation Chamber, this decision will be published on the website of the APD
by deleting the direct identification data of the parties and persons mentioned,
whether they are physical or legal.

183. The Litigation Chamber is aware that the complainant requested the publication by name
of this decision. The contentious chamber is of the opinion that it is not for the complainant to request
such measure. In this case, the Litigation Chamber does not care less to clarify than in the context
of the wide margin of appreciation on the application of Article 100.1, 16 LCA which is its own, it decides
not to publish this decision mentioning the data controllers involved.

Decision on the merits 81 / 2020- 44/45
When it decided to publish its decisions stating the identity of the defendant, the
Litigation Chamber justified its decision by the fact that this advertisement would guarantee
rapid compliance, would help reduce the risk of reoccurrence and aim to educate the public
taking into account the data controller involved. In addition, any pseudonymization of the name
of the defendant would have been in these few cases illusory29. She doesn't think it necessary to do it
in this case.

FOR THESE REASONS
THE LITIGATION CHAMBER
After deliberating, decides to:
 With regard to the first defendant
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
LCA;
- Issue an order of compliance in terms of the implementation of rights
information and access for the persons concerned, on the basis of Article 100.1, 9 ° LCA.
To this end, the first defendant is requested to communicate to the APD both its
confidentiality policy applicable to the processing operations covered by this decision that his / her
information clause (s) as well as the procedure put in place to respond to the exercise of
permission to access. This production of documents must take place within 3 months from
of the notification of this decision via the address litigationchamber@apd-gba.be
- Impose an administrative fine against the defendant in the amount of 50,000
euros in application of articles 100.1, 13 ° and 101 LCA.
 With regard to the second defendant:
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
LCA;
- Issue a compliance order in terms of information (confidentiality policy
and information clauses) and basic legality of the form attached to the formal notices of

29 See decision 37/2020 of the Contentious Chamber (point 183):
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf
Decision on the merits 81 / 2020- 45/45
payment and this, on the basis of article 100.1, 9 ° LCA. For this purpose, the second
the defendant to communicate to the DPA both its confidentiality policy applicable to
processing covered by this decision that its information clause (s) as well as the
manner in which it intends to respond to the shortcomings related to the aforementioned form. The
communication of these documents must take place within 3 months from the date of
notification of this decision via the address litigationchamber@apd-gba.be
- Impose an administrative fine against the defendant in the amount of 15,000
euros in application of articles 100.1, 13 ° and 101 LCA.

Under Article 108.1 LCA, this decision may be appealed to the Court of
contracts (Brussels Court of Appeal) within 30 days of notification, with
the Data Protection Authority as respondent.
(Sé.)
Hielke hijmans
President of the Litigation Chamber