APD/GBA (Belgium) - 81/2020: Difference between revisions

From GDPRhub
No edit summary
Line 66: Line 66:
}}
}}


Belgian DPA holds that two data controllers intervening successively have commited various breaches of the GDPR principles (lawfulness, data minimisation, accountability ,rights of information and access of the data subjects).
The Belgian DPA (APD/GBA) held that two data controllers successively committed various breaches of the Article 5 GDPR principles (lawfulness, data minimisation, accountability, rights of information and access of the data subjects).


==English Summary==
==English Summary==
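Review bot: the new summary sentence lists "rights of information and access of the data subjects" inside the parenthetical that enumerates "Article 5 GDPR principles", although these are data subject rights rather than principles. Suggest splitting the parenthetical into principles (lawfulness, data minimisation, accountability) and data subject rights (information, access).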
Line 110: Line 110:
1/45
1/45


'''Litigation Chamber
'''Litigation Chamber'''


Decision on the merits 81/2020of 23 December 2020
Decision on the merits 81/2020of 23 December 2020
File No .: DOS-2019-02751
File No .: DOS-2019-02751
'''
 
Subject: Decision relating to two data controllers intervening successively
Subject: Decision relating to two data controllers intervening successively
noting various breaches of the GDPR principles (lawfulness, minimization,
noting various breaches of the GDPR principles (lawfulness, minimization,
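Review bot: the added closing ''' after "Litigation Chamber" ends the bold span correctly, but the lines that used to sit inside it still read "81/2020of" and "File No .:". Suggest fixing the missing space and the stray space in the same edit. The removed ''' line is also replaced by a line holding a single space instead of being deleted.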
Line 1,019: Line 1,019:
GDPR is applicable to it. In this regard, it relies on Article [...] of the municipal regulations of [...]
GDPR is applicable to it. In this regard, it relies on Article [...] of the municipal regulations of [...]
reproduced below9
reproduced below9
: [……]
 
:[……]


9 Note that in its formal notice of February 25, 2019, the second defendant refers to a settlement
9 Note that in its formal notice of February 25, 2019, the second defendant refers to a settlement

Revision as of 08:06, 22 January 2021

APD/GBA - 81/2020
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 14(1) GDPR
Article 14(2) GDPR
Article 15(1) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.12.2020
Published:
Fine: 50000 EUR
Parties: Anonymous (Plaintiff - physical person)
Anonymous (Defendant 1 - company specialized in controlling "street parking")
Anonymous (Defendant 2 - bailiff's study)
National Case Number/Name: 81/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian DPA (in FR)
Initial Contributor: Mathieu Desmet

The Belgian DPA (APD/GBA) held that two data controllers successively committed various breaches of the Article 5 GDPR principles (lawfulness, data minimisation, accountability, rights of information and access of the data subjects).

English Summary

Facts

A data subject made access requests to the private company that monitors compliance with municipal street parking regulations, which had imposed a parking fine on him (or her), as well as to the bailiff's study charged with ensuring that such fines are paid.

Dispute

To what extent should a data controller responsible for compliance with municipal regulations, and a subsequent data controller to which personal data is transferred, inform the data subject about the processing of his or her data as well as subsequent processing, and justify the lawfulness and proportionality (data minimisation) of the processing?

Holding

The Litigation Chamber of the Belgian DPA notes the following breaches in respect of the first defendant:

- a breach of its obligation to inform (Article 14.1-2, combined with Articles 12.3 and 12.1 of the GDPR)

- a breach of its obligation to follow up on the exercise of the complainant's right of access within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3 of the GDPR, as well as Article 12.2 of the GDPR (obligation to facilitate the exercise of rights))

- a breach of the principle of minimization during the premature consultation of the DIV (the vehicle registration register) (Article 5.1 c) of the GDPR)

- a breach of its obligation to put in place adequate technical and organizational measures for the implementation of Articles 5.2 and 24.1-2 of the GDPR.

As to the second defendant, the Belgian DPA found that the following breaches were committed:

- a breach of its information obligation (Article 14.1-2, combined with Article 12.3 of the GDPR)

- a lack of legal basis with regard to the collection of data by way of the form accompanying the formal notice of payment (Article 6 of the GDPR) and a breach of the principle of data minimization (Article 5.1 c) of the GDPR) given the excessive nature of the requested data

- a breach of Articles 5.2 and 24.1-2 of the GDPR.

As a consequence of the breaches mentioned above, the first defendant was sanctioned (in accordance with the Belgian Law of 3 December 2017 establishing the Data Protection Authority) with a reprimand, an order to adopt the necessary actions to comply with the GDPR and a 50.000 euro fine.

The second defendant was sanctioned with a reprimand, an order to adopt the necessary actions to comply with the GDPR and a 15.000 euro fine.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 81/2020 of 23 December 2020
File No.: DOS-2019-02751

Subject: Decision relating to two data controllers intervening successively, noting various breaches of the GDPR principles (lawfulness, minimization, accountability) and of the rights of the data subjects (information, access, facilitation of rights)

The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs J. Stassijns and C. Boeraeve, members, taking up the case in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA); Having regard to the rules of procedure as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file;

Took the following decision regarding:

The complainant: X

The first defendant: Y; Advised by Maîtres Frédéric Dechamps and Nathan Vanhelleputte, lawyers.

The second defendant: Z; Advised by Maître S. Parsa, lawyer. Hereinafter also referred to together as "the defendants";

1. Feedback from the procedure

Considering the complaint filed on May 15, 2019 by the complainant with the Data Protection Authority (hereinafter APD); Having regard to the decision taken by the Litigation Chamber during its session of July 12, 2019 to refer the matter to the Inspector General on the basis of Articles 63, 2° and 94, 1° LCA, and the referral to the latter on the same date; Having regard to the Inspector General's report and investigation report sent on January 6, 2020 to the Contentious Chamber; Having regard to the letters of January 21, 2020 and February 18, 2020 from the Litigation Chamber informing the parties of its decision to consider the case ready for substantive processing on the basis of Article 98 LCA and providing them with a timetable for the exchange of conclusions; Having regard to the main conclusions of the second defendant filed by its counsel, received on March 12, 2020; Having regard to the conclusions of the complainant, received on March 27, 2020; Having regard to the additional and summary conclusions of the first defendant filed by its counsel, received on April 14, 2020; Having regard to the additional and summary conclusions of the second defendant filed by its counsel, received on April 14, 2020; In view of the request made by the defendants in their pleadings to be heard by the Litigation Chamber in application of article 51 of the internal regulations of the APD; Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on June 16, 2020; Considering the information sent on June 25, 2020 to the Inspector General regarding the holding of the hearing on July 13, 2020 in application of article 48.2 of the internal rules of the APD; Having regard to the hearing during the session of the Litigation Chamber of July 13, 2020 in the presence of the plaintiff, [...], of the first defendant represented by one of its counsel, Maître Van Helleputte, as well as the second defendant represented by its counsel Maître S. Parsa; Having regard to the minutes of the hearing and the observations made thereon by the respective counsel of the defendants, which were attached to these minutes; Having regard to the reaction form against a proposed administrative fine sent on November 18, 2020 to the first defendant. Under this form, the Litigation Chamber informs it that it is considering a fine against it as well as the reasons for which the breaches of the GDPR justify the amount of the fine; Having regard to the reaction of the first defendant on December 9 to this form; Having regard to the reaction form against a proposed administrative fine sent on November 18, 2020 to the second defendant. Under this form, the Litigation Chamber communicates that it is considering a fine against it as well as the reasons for which the breaches of the GDPR justify this fine amount; Considering the reaction of December 10, 2020 of the second defendant to this form.

2. The facts

1. The first defendant is a company specializing in “street parking”. It carries out parking control in the municipalities for which it is the concessionaire of the missions of public interest. The first defendant employs [...] people. It is also part of the Group [...].

2. The first defendant manages, under the municipal regulations of the City of [...], the parking of certain streets of this municipality.

3. The second defendant is an office of bailiffs located in [...] which deals, within the framework of its legal prerogatives defined in Article 519 of the Judicial Code, in particular with the amicable and judicial recovery of its clients' debts. The first defendant is one of its clients. The firm is responsible for the management of the amicable, then, if necessary, judicial collection of unpaid debts such as parking fees.

4. On January 2, 2019, the complainant parked her vehicle in one of the streets of [...] for which the first defendant is responsible for the management of parking. The first defendant states that the complainant was parked in a blue zone in which parking is limited to thirty (30) minutes. In the absence of a blue disc affixed by the complainant to her windshield and of a parking permit which she would have held, the first defendant indicates that it, in accordance with article [...] of the applicable municipal [...] regulations, placed an invitation to pay [...] euros on the windshield of the complainant's vehicle. This amount corresponds to the amount of the “Tariff 1” charge of the municipal regulations. The complainant, for her part, denies having found any invitation to pay on her windshield.

5. The first defendant indicates that it sent a payment reminder to the plaintiff on January 24, 2019, a reminder which increases the initial debt by five (5) euros in accordance with article [...] of the municipal regulation already cited. The complainant also denies ever having received such a reminder.

6. In the absence of payment received within 15 days of sending the said reminder of January 24, 2019, and in accordance with article [...] of the applicable municipal regulations, the first defendant transmitted the file to its bailiff, i.e. the second defendant, so that the latter would take charge of recovering the amount owed by the complainant.

7. On February 25, 2019, the complainant received a formal notice from the second defendant in order to recover the amount due in application of article [...] of the municipal regulation already cited. To the initial debt, as announced in the reminder letter of January 24, 2019 (point 5 above), additional costs are added in accordance with the Royal Decree of November 30, 1976 fixing the tariff for acts performed by bailiffs in civil and commercial matters referred to in article [...] of the municipal regulations. The complainant indicates that she received this formal notice on March 1, 2019.

8. On March 3, 2019, the complainant wrote to the second respondent to receive explanations, indicating that she never received a payment invitation or reminder. She also opposes payment of the fee. By the same letter, the complainant questioned the second respondent as to the legal bases which allow it to access the Vehicle Registration Department (DIV) of SPF Mobilité and the National Register. Also under the terms of this letter, the complainant exercises her right of access to her personal data as recognized by the GDPR (Article 15 of the GDPR).

9. On the same date, the complainant addressed the same requests to the first respondent.

10. On March 4, 2019, the first defendant referred the complainant to the second defendant in these words: "Arrange with the bailiff".

11. On March 29, in the absence of a response from the second defendant, the complainant wrote to it again, noting that the legal deadline of one (1) month to respond to her request for access was about to expire.

12. On April 2, 2019, the second defendant wrote to the complainant in response to her letter of March 3 (point 8 above) and provided her with, on the one hand, a certain amount of information on the data which it processes, in response to her request for access, and information relating to the legal bases relied on, as well as, on the other hand, some information on the processing carried out by its client (the first defendant). There followed an exchange of correspondence between the complainant and the bailiffs' office (second defendant) in the course of which photos, difficult to read according to the complainant, were communicated to her.

13. On April 8, 2019, the complainant asked the second respondent to communicate the proof of sending the reminder letter of January 24, 2019 (point 5 above).

14. There also followed a request of April 29, 2019 from the complainant to the first respondent to receive proof of the sending of this reminder letter of January 24, 2019. In response, the first respondent provides a copy of the reminder letter and refers the complainant to the bailiffs for the rest.

15. On May 15, 2019, the complainant filed a complaint with the DPA against both the first defendant and the second defendant. The complainant supplemented her complaint with an addendum dated June 6, 2019.

16. The complainant also made a request for access to the DIV. From the response received by the complainant on May 17, 2019, it appears that the first respondent consulted the data of the complainant on January 3, 2019 at 10:03 p.m., i.e. the day after the finding (from January 2, 2019 - see point 4 above) of the infringement of the parking rules complained of.

17. In June 2019, the complainant wrote again to both the first and the second respondent for details of the alleged offense.

18. On July 11, 2019, the second respondent responded to the complainant's request for clarification by indicating that she is accused of not having affixed a valid parking ticket on her windshield. The first defendant criticizes the complainant for having failed to affix the required parking disc in the blue zone.

3. The subject of the complaint lodged by the complainant

19. Pursuant to her complaint, the complainant requests that her complaint against the first and second defendants be declared admissible and well founded and that, consequently, the defendants be ordered to comply with the GDPR and Belgian laws, within the period that the Contentious Chamber will consider reasonable, on pain of a penalty.

20. In this regard, the complainant considers that the defendants are guilty of the following.

As to the first defendant:

- a breach of her right to information (Articles 12 and 14 of the GDPR)

- a breach of her right of access (Article 15 of the GDPR)

- a breach of Article 28 of the GDPR with regard to the status of processor of the second defendant

- a breach of Article 5 of the GDPR (respect for the principle of necessity with regard to the consultation of the DIV)

- a breach of the principles of proportionality and illegal reuse of data (Articles 5 and 6 of the GDPR) with regard to the communication of her data to the second defendant

- a breach of the principle of minimization (Article 5 of the GDPR) with regard to the taking of a photograph of her vehicle at the time of the violation of the parking rules

As to the second defendant:

- a breach of her right to information (Articles 12 and 14 of the GDPR)

- a breach of her right of access (Article 15 of the GDPR)

- a breach of Article 28 of the GDPR with regard to its status as a processor

- a breach of the principles of proportionality and illegal reuse of data (Articles 5 and 6 of the GDPR) with regard to the data which are communicated to it by the first defendant even though it would not be validly founded

- a breach of the principles of data minimization and the use of forced consent (Articles 5 and 6 of the GDPR) with regard to the form attached to the payment notice.

21. The complainant also requests that the defendants be sentenced to a sanction proportionate to the seriousness of the facts, taking into account the object and scope of their professional activity, which affects a large number of citizens.

22. Finally, the complainant seeks an order that the decision of the Litigation Chamber be published in non-anonymized form in order to inform the public of illegal practices in the management of parking fees, against which they can claim respect for their data protection rights.

4. The inspection report of January 6, 2020

23. According to his report, the Inspector General made the following observations:

24. Finding 1: It does not emerge from the information in the file and the responses provided by the first defendant that the lawfulness of the processing operations carried out by the first and second defendants in order to recover the municipal regulatory parking debt can be questioned.

25. Finding 2: The information provided to the persons concerned on the site of the first defendant is incomplete. The privacy statement appearing on the site of the first defendant [...] does not in fact concern the personal data that it processes during the monitoring, the sending of the reminder and the transmission of the file to the bailiff (second defendant). The contact details of the privacy officer of the first defendant in charge of processing requests for the rights of access of data subjects are not mentioned in this declaration. The first defendant therefore does not fulfill its obligation to provide easily accessible information, in particular by electronic means, to the persons concerned, as prescribed by Article 12.1 of the GDPR.

26. Finding 3: The complainant's right of access to data concerning her processed by the first defendant was not complied with, in contravention of Article 15 of the GDPR. As the only response to her request for access, the complainant was in fact twice referred to the bailiff [read the second defendant] and a copy of the payment reminder she disputed having received was provided to her. In this regard, it appears that there is no procedure in place so that the customer service of the first defendant in charge of complaints can send the requests relating to the exercise of the rights of the data subject to the privacy officer of the first defendant.

27. Finding 4: Access to the DIV by the first defendant was made the day after the check of the complainant's vehicle. Personal data concerning her (surname, first name and address) were processed unnecessarily during the period in which the data subject has the option of paying the fee before a reminder is sent to their name and address, which does not comply with the principle of data minimization provided for in article 5.c [read article 5.1 c)] of the GDPR. According to article [...] of the royalty by-law of the City of [...] of [...], this period is 10 days. The first defendant argues that in this case a technical error was encountered in the automated access to the DIV. It attaches an exchange of emails of 14 and 22 November 2019 with its supplier, from which it appears that the data of the DIV are then received after 48 hours for all of its sites.

28. The Litigation Chamber notes that in the context of its investigation, the response letters to the questions put to the second defendant by the Inspector General are signed by the group [...].

5. The hearing of July 13, 2020

29. From the hearing of July 13, 2020, of which a record has been drawn up, the following elements emerged in addition to the arguments developed in the conclusions:

- the status of data controller of each of the defendants;

- the modifications decided by the first defendant to the procedure put in place with the second defendant for the exercise of the data protection rights of the people concerned and, more particularly, the decision to keep the management of requests for the exercise of their rights by data subjects internal;

- the work of compliance with the GDPR carried out by the judicial officers from 25 May 2018, in particular the adoption of a detailed privacy policy available on its website;

- the appointment of a data protection officer (DPO) by both the first and the second defendants;

- the request for publication of the decision of the Contentious Chamber in an anonymized form, formulated by both the first and the second defendants, in particular by the image of the function of bailiff (second defendant) as well as the fear of see, given the number of people whose personal data is processed by both defendants and the number of complaints against them;

- confirmation that the first defendant is part of the group [...].

6. Structure of the decision

30. By way of introductory remarks, the Litigation Chamber will formulate a number of clarifications as to its jurisdiction (7.1.), as to the error in the reference to the basis of legality of the processing spontaneously noted by the first defendant (7.2.) as well as with regard to the status of the first and second defendants with regard to the data processing concerned (7.3.). These clarifications are a prerequisite for the consistency and proper understanding of the remainder of this decision.

31. Then, in Title 8, the Contentious Chamber will successively examine the breaches which may be retained at the expense of the first defendant on the one hand (Title 8.1.) and at the expense of the second defendant on the other hand (Title 8.2).

32. Finally, in Title 9, the Contentious Chamber will give reasons for the corrective measures and sanctions that it decides to impose on the first defendant on the one hand (Title 9.1.) and on the second defendant on the other hand (Title 9.2.).

7. Introductory remarks

7.1. As for the sovereign appreciation of the Litigation Chamber notwithstanding the findings of the inspection report and the terms of the complaint

33. On several occasions in its submissions, the second defendant points out that, given that the inspection report did not find any breach in its regard, no breach could be held against it by the Litigation Chamber.

34. The Contentious Chamber recalls in this regard that recourse to the Inspection is not systematically required by the LCA. Indeed, it is for the Litigation Chamber to determine, following the filing of a complaint, whether an investigation by the Inspectorate is necessary or not (article 63, 2° LCA - art. 94, 1° LCA). The Litigation Chamber may also decide to deal with the complaint without having referred it to the inspection service (art. 94, 3° LCA).

35. When it is seized, the findings of the Inspection certainly enlighten the Litigation Chamber on the facts of the complaint and on the qualification of these facts with regard to the data protection regulations, and can support one or the other breach ultimately retained by the Litigation Chamber under the terms of its decisions. However, the Litigation Chamber remains free, on the basis of all the documents produced during the procedure and the arguments developed in the context of the adversarial debate that follows its decision to deal with the case on the merits (Article 98 LCA), if necessary after recourse to the Inspectorate, to reach a reasoned conclusion as to the existence of shortcomings that the inspection report did not indicate.

36. As for the terms of the complaint, they constitute a starting point both for the Inspectorate and for the Litigation Chamber. The Litigation Chamber recalls that on several occasions it has ruled that during the procedure following the complaint, it has the possibility of changing the legal qualification of the facts submitted to it, or of examining new facts related to the complaint, without necessarily calling on the intervention of the Inspection, in particular by asking questions to the parties or taking into account new facts or qualifications invoked by way of conclusion, and this, within the limits of the adversarial debate, namely, provided that the parties have had the opportunity to discuss these facts or legal qualifications in a manner consistent with the rights of defense1.

7.2. As to the basis of legality

37. According to its conclusions, the first defendant specifies that it must correct a mistake. It specifies that the municipal regulations of [...] on which the lawfulness of the processing is based, and whose legitimacy is recognized through the investigation report, apply in the case of parking fees in the event of non-payment via a parking meter.

38. In the present case, the first defendant observes that the fee due by the complainant is due due to the lack of an affixed blue disc. It is therefore the municipal regulation of [...] relating to parking in the blue zone which must apply.

39. The first defendant states that, however, since the two municipal regulations are drafted identically - at least as regards the relevant articles in the context of this dispute - it is simply necessary to adapt the references made.

40. In her conclusions, the complainant raises the fact that the municipal regulation of [...] invoked this time by the second defendant at the bottom of the formal notice it sent her on February 25, 2019 (point 7 above) expired on [...], i.e. before the said formal notice was sent and before the date of the alleged offense (January 2, 2019). She immediately concludes that there is no legality of the processing. In its pleadings and in its file of exhibits, the second defendant relies, contrary to the reference appearing at the bottom of said formal notice, on the municipal regulations of [...] relating to parking in the blue zone.

1 See Litigation Chamber, Decisions 17/2020 (points 26 to 33) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf; 41/2020 (point 12 and points 14-15) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-2020.pdf and 63/2020 (points 16 to 22): https://www.autoriteprotectiondonnees.be/publications/decision-quantau-fond-n-63-2020.pdf available on the APD website.

41. The Contentious Chamber concludes from the foregoing that the defendants agree to consider that the basis of lawfulness of their processing finds, at least in part, its source in the municipal [...] regulations relating to parking in the blue zone.

42. The Contentious Chamber can, however, only note a great confusion around the identification of this basis of lawfulness. However, this element is now part of the elements of information listed in Articles 13.1 c) and 14.1 c) of the GDPR of which the data subjects should be informed (see below). Likewise, without being compulsory, this information may also appear in the Register of processing activities, which must be regularly updated (Art. 30 GDPR). Errors such as the one made by the defendants could perhaps thus be avoided2.

43. In the present case, the Contentious Chamber is of the opinion that the error in the identification and communication of the basis of legality is not synonymous with the absence of a basis of legality within the meaning of Article 6 of the GDPR. As for the information obligation, in particular as to the basis of lawfulness (Articles 13.1 c) and 14.1 c) of the GDPR), and, more generally, as regards the effective implementation of Article 24 of the GDPR in this regard, the Litigation Chamber refers to points 8.1.1 and 8.1.4 below.

7.3. As to the qualification of the first and second defendants

44. The complainant notes that the first respondent states that it has put in place a procedure for the management of complaints with the second defendant. According to the latter, the second defendant manages all claims or complaints from the moment the file relating to them has been transmitted to it and is responsible for collecting the amount due. The complainant considers that "if we have to understand that the second defendant acts as a subcontractor of the first defendant", the requirements of Article 28 of the GDPR must apply and therefore the defendants must be able to demonstrate their effective application.

45. The Contentious Chamber noted, at the end of the hearing of July 13, 2020 (title 5 above), that both the first respondent and the second respondent qualify themselves as data controller, each for the processing operations they perform and for which they respectively determine the purposes and the means.

2 See Commission for the Protection of Privacy, Recommendation 06/2017 of 14 June 2017 relating to the Register of processing activities (Article 30). See point 42 of the recommendation https://www.autoriteprotectiondonnees.be/publications/recommandation-n-06-2017.pdf

46. Regardless of the qualification given to themselves by the parties, which is not binding3, the Litigation Chamber is of the opinion, on the basis of the description given by the defendants of the collaboration between them, that each of them is a data controller. Their interventions in the context of amicable debt collection follow one another in this capacity. The Litigation Chamber notes in this regard that this collaboration is based, according to the defendants, on the sole basis of the municipal regulations, to the exclusion of any other document supporting their collaboration.

47. The Contentious Chamber also rejects any qualification of the defendants as joint controllers within the meaning of Article 26 of the GDPR. Indeed, joint controllership requires a joint determination of both the purposes and the means of the identified processing, which is not the case here.4 Each of the defendants successively carries out

3 European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 1.0 of September 2, 2020. These guidelines currently exist only in English. They have been submitted for public consultation and are subject to change https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf

4 Idem above, points 50-55 in particular and the references cited:

50. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties' participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand. (…)

55. It is also important to underline, as clarified by the CJEU, that an entity will be considered as joint controller with the other(s) only in respect of those operations for which it determines, jointly with others, the means and the purposes of the processing. If one of these entities decides alone the purposes and means of operations that precede or are subsequent in the chain of processing, this entity must be considered as the sole controller of this preceding or subsequent operation.

Free translation by the APD Secretariat:

50. The overall criterion determining the presence of joint responsibility for the processing is the joint participation of two or more entities in determining the purposes and means of a processing operation. Joint participation may take the form of a joint decision taken by two or more entities, or result from convergent decisions of two or more entities, when these decisions complement each other and are necessary for carrying out the processing operation in such a way that they have a tangible impact on determining the purposes and means of processing. An important criterion is that the processing would not be possible without the participation of both parties, in the sense that processing by each party is inseparable, that is to say that these processing operations are inextricably linked. Joint participation must include the determination of purposes, on the one hand, and the determination of the means, on the other.

55. It is also important to stress, as clarified by the CJEU, that an entity will be considered as joint controller, with one or more other entities, only with regard to operations for which it determines, together with the other entities, the purposes and means of processing. If one of these entities alone decides on the purposes and means of previous or subsequent operations in the processing chain, this entity must be considered as the sole controller of this previous or subsequent operation.


48. The Litigation Chamber nonetheless shares the impression of confusion and lack of clarity for data subjects that the complainant reports. This is particularly evident in the response provided by the second defendant to a request to exercise her data protection rights that the complainant had sent to the first respondent (points 10 and 14 above and 75 below).

49. Nevertheless, the second defendant is neither the subcontractor of the first defendant nor jointly responsible with it. Therefore, their relationship should not be governed by a subcontract and no breach of Article 28 of the GDPR can be held against them. Nor should their relationship be framed by an agreement between them, as Article 26 of the GDPR requires in cases of joint responsibility.

8. As to breaches

8.1. As regards the breaches on the part of the first defendant

8.1.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)

50. In its capacity as controller, the first defendant is required to implement Articles 12, 13 and 14 of the GDPR and to be able to demonstrate this effective implementation (Articles 5.2 and 24 of the GDPR).

51. Pursuant to Article 12.1 of the GDPR, it is the first defendant's responsibility to take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in a concise, transparent, understandable and easily accessible manner, in clear and simple terms, in writing or by other means, including electronic ones.

52. In the present case, as regards data which were not collected directly from the complainant, the first defendant was required to provide her with information about the data processing carried out concerning her in the context of the collection of the fee due. As for the content of this information, in accordance with the case law of the Litigation Chamber, the elements listed in both § 1 and § 2 of Article 14 had to be communicated to her.5 The Litigation Chamber has already specified above that these elements include the exact identification of the lawfulness of the processing (Article 14.1 c) of the GDPR) (point 42 above).

53. The Litigation Chamber is of the opinion that, in light of the amount of information to be provided to data subjects, controllers such as the defendants should adopt a multi-level approach. On the one hand, the data subject must immediately have clear, accessible information on the fact that information on the processing of their personal data (privacy policy) exists and where it can be found in its entirety.

54. On the other hand, without prejudice to the accessibility of the privacy policy in its entirety, the data subject must, from the controller's first communication with them, be informed of the details of the purpose of the processing concerned, of the identity of the controller and of the rights available to them. The importance of providing this information upstream follows in particular from recital 39 of the GDPR. Any additional information needed to allow the data subject to understand, from the information provided at this first level, what the consequences of the processing in question will be must be added.6

55. According to his inspection report of 6 January 2020, the Inspector General, as recalled in Title 3, notes, with regard to the privacy policy, that: "The privacy statement appearing on the site of the first defendant [...] does not in fact concern the personal data that it processes during the control, the sending of the reminder and the transmission of the file to the bailiff (second defendant). The contact details of the first defendant's privacy officer in charge of processing requests for the right of access from data subjects are not mentioned in this statement. The first defendant therefore does not fulfill its obligation to provide easily accessible information, particularly electronically, to the data subjects, as prescribed in Article 12.1 of the GDPR".

5 Article 29 Group, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260, revised version of April 11, 2018 (taken over by the European Data Protection Board): https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 (point 23).

6 Idem (points 35-38).

56. In other words, the first defendant's privacy policy does not cover the data processing questioned by the complainant. Indeed, the Inspector General details in his report that the privacy policy available on the first defendant's site at the time of his consultation concerned exclusively the way in which the processing of data "that you send us through the site and / or otherwise" was carried out (step 5 of the inspection report).

57. The Litigation Chamber further notes that the first reminder letter sent by the first defendant to the complainant on 24 January 2019 (point 5 above) contains the following clause:

PRIVACY

Your personal data in our possession will only be processed within the framework of this reminder and, where applicable, of future exchanges between you and our services about the payment of the fee concerned. These data will only be kept for the duration corresponding to this regulation. In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation), you can freely exercise your rights and ask questions by sending a request to [...] or by email [...]. The privacy protection officer will contact you to confirm your identity and take the necessary action to respond to your request.

58. The said letter also mentions the website of the first defendant without, however, referring to the privacy policy in general, and a fortiori to the provisions relevant to the reminder sent (inasmuch as, as mentioned above, this privacy policy does not cover this type of processing). The Litigation Chamber is of the opinion that this clause cannot make up for the lack of information on the elements of §§ 1 and 2 of Article 14 of the GDPR (since, as already mentioned, the privacy policy of the first defendant does not cover the processing in question).

59. As to the failure to mention the contact details of the privacy protection officer, which the investigation report also notes more generally, the Litigation Chamber is of the opinion that the communication of the contact details of the DPO or of any other contact address dedicated to the exercise of the rights of data subjects is part of the obligation of data controllers to facilitate the exercise of the rights of data subjects (Article 12.2 of the GDPR).7

7 During the hearing on July 13, 2020, the first defendant clarified that its privacy protection officer is in fact a Data Protection Officer (DPO) within the meaning of Article 37 of the GDPR.

60. In its submissions, the first respondent states that it "can only take note of the conclusion of the investigation report which states that 'the information provided to data subjects on the website of [...] is incomplete'". It also indicates that it takes note that the Inspector considers that the information "is not easily accessible" to the data subjects (point 41 of the conclusions of the first defendant) and makes a number of commitments vis-à-vis the APD to remedy this (see section 9.1 below on the discussion of corrective measures and sanctions).

61. As to the time at which the information must be given, Article 14.3 of the GDPR specifies that the elements listed in §§ 1 and 2 must be provided within a reasonable time after the data have been obtained, but at the latest within one month of obtaining them, having regard to the particular circumstances in which the personal data are processed.

62. In the present case, the complainant and the first respondent disagree on whether this information was provided in a timely manner. The first defendant maintains that the information can be found on the invitation to pay sent to the complainant as well as in its reminder letter (points 4 and 5 above). The complainant claims that she never received a flyer or reminder letter and notes the absence of proof that these documents - and therefore the data protection information - were communicated by the first defendant. The first defendant also refers to the information provided on its website, while admitting that this is incomplete (point 60 above).

63. It is not for the Litigation Chamber to determine how a breach of parking rules must be brought to the attention of offenders (flyer, reminder by regular mail, by registered mail). The fact remains that information on the data processing which takes place both in establishing the violation and in managing the recovery of the resulting amount must be communicated within the deadline prescribed in Article 12.3 of the GDPR in a useful manner (taking into account, for example, the payment deadline given), or, depending on the context, without waiting for the expiry of the said deadline.

64. On the basis of the foregoing findings and of the information obligation that weighs on the first defendant, the Litigation Chamber finds a breach of Article 14.1-2 of the GDPR, since the privacy policy of the first defendant does not cover the processing of data at issue in this case (amicable debt collection). The "Privacy" clause appearing on its reminder letter, insufficient in content, is not capable of remedying this. This breach is also combined with Article 12.3 of the GDPR. The Litigation Chamber is of the opinion that if the information is not given or is incomplete, a fortiori it was not provided within the time limit required. Finally, these breaches are combined with a breach of Article 12.1 of the GDPR (lack of accessibility of the DPO's contact details in the privacy policy).

8.1.2. As for the breach of the right of access (article 15 of the GDPR)

65. According to Article 15 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, when they are, access to the said personal data as well as to the items of information listed in letters a) to h) of Article 15.1 of the GDPR.

66. In the present case, according to the terms of his report, the Inspector General finds the following in this regard: "Ms. X's right of access (read: the complainant) to data concerning her processed by [...] (read: the first defendant) was not respected, in contravention of Article 15 of the GDPR. As the only response to her request for access, Ms. X (read: the complainant) was in fact twice referred to the bailiff (read: the second defendant) and a copy of the payment reminder she disputed having received was provided to her. In this regard, it appears that there is no procedure in place for the customer service of [...] (read: the first defendant) in charge of complaints to send requests relating to the exercise of the rights of the data subject to the privacy officer of [...] (read: the first defendant)".

67. In its submissions, the first defendant describes that, having regard to the nature of its activities, it faces a significant number of complaints. In practice, it describes (and confirmed during the hearing on July 13, 2020) that as soon as it is found that the offender has not paid the fee within the required time, the case is transferred to the second defendant, who is responsible for collecting the amount due. The first defendant specifies that any request made after the file has been transmitted to the bailiff must be processed directly with the bailiff to prevent contradictory information from being transmitted to the complainant. What it describes as a procedure organized with the second defendant is, however, apart from the municipal regulations to which both defendants referred during the hearing, not framed by a precise and detailed written procedure between them (point 46 above).

68. As for the management of data subjects' requests to exercise their data protection rights, the first defendant states that their management, which is separate from the complaints management described in point 67 above, requires that an email be sent to an e-mail address dedicated to this type of request, i.e. the address [...].

69. The first respondent notes in this regard that the complainant did not correspond with it via this specific email address. The complainant was therefore (paragraph 67 above), as the only answer, referred to the second defendant, as in the case of a complaint not related to the application of the rights of data subjects in terms of data protection: "Please contact the bailiff"; and this since her request was subsequent to the communication of the file to the second defendant.

70. As the Inspector General notes in his report, the Litigation Chamber notes that, while the complainant's request raised data protection issues, there is no internal referral to the first defendant's data protection officer. This way of proceeding appears contrary to the "Privacy" clause appearing on the formal notice of the first defendant, which indicates that, for the exercise of their data protection rights, debtors are invited to contact the first defendant (the "natural" first contact, after all), which suggests that it is indeed the first defendant who will examine their request (point 57 above).

71. The second respondent, on behalf of the first respondent, replied to the complainant by letter of April 2, 2019, that is, according to the first defendant, within the one-month period required by Article 12.3 of the GDPR. In this letter, the second defendant provides her with a certain amount of information on the processing carried out by the first defendant.8 It also attaches the photographs (point 12) and the reminder letter of January 24, 2019.

72. Moreover, in the same letter, the second defendant also communicates to the complainant elements relating to the request for access addressed to it directly regarding its own processing (see point 8.2.2 below).

73. The Litigation Chamber is of the opinion that the establishment of internal procedures and standards dedicated to the exercise of the data protection rights of data subjects is essential and likely to contribute to the effective application of these rights. It certainly facilitates their exercise, as required by Article 12.2 of the GDPR. In a structure such as the first defendant, given the volume of data processed, the Litigation Chamber considers it essential. However, data subjects cannot be criticized for using another communication channel to address their requests. No adverse consequences for the data subject can be drawn from the fact - even in the hypothesis that they had been correctly informed - that they have not used the correct form or have contacted the controller by another means, via an incorrect e-mail address for example. In addition, the Litigation Chamber is of the opinion that in this case, the distinction between "complaint" and "exercise of a right of access to one's data" in the context of a request for payment of a parking fee is not easy for any citizen to make.

8 Extract from the letter of April 2 from the second defendant: "As for our client, he is mandated by the city of [...] to operate the recovery of unpaid parking fees. It is registered with the Commission for the Protection of Privacy and, to this end, has received the attached document authorizing him to receive DIV data for the sole purpose of collecting unpaid fees. As part of its mandate, our customer obtains name, first name and address in order to send a reminder letter. Subsequently if the file is not paid, it is sent to the study as provided for by municipal regulations. According to him, this data is deleted upon receipt of payment".

74. The Litigation Chamber therefore notes that, in any event, the first defendant could not hide behind the "error" that it invokes on the part of the complainant to consider that it would itself have been exempted from its obligation to respond to the complainant's request to exercise the right of access.

75. In the present case, each of the defendants being separately responsible (and not jointly responsible, as already explained in section 7.3 above), it is for each of them to follow up on the exercise of the rights of data subjects with regard to the processing operations it carries out. The Litigation Chamber cannot exclude that in fact, without being either subcontractors or jointly responsible, controllers agree among themselves that one responds to requests to exercise the rights of data subjects on behalf of the other, which mandates it to do so. If this were to be the case, the procedure put in place should be perfectly clear and understandable for the data subjects, who must have been informed of it. Indeed, this way of proceeding is very likely to lead to confusion about the role of each. In this case, it led the complainant to believe that the second respondent was the subcontractor of the first defendant. In this case, the first point of contact for the debtor of the fee is, having regard to the facts and in the absence of other clear information, naturally the first defendant. The Litigation Chamber notes in this regard that the first defendant indicated to it that it now favors a reorganization of procedures which would keep the management of complaints relating to the data processing it operates internal.

76. Nor can the first defendant consider that, since the second defendant replied to the complainant on April 2, 2019, it would itself have been exempted from doing so, unless one considers that the second defendant, mandated by the first, responded in a complete and transparent manner and in accordance with Article 15 of the GDPR with regard to the processing operations carried out by the first defendant, which is not the case. The second defendant admittedly provides a certain number of elements, but these do not completely meet the requirements of Article 15.1 of the GDPR.

77. The Litigation Chamber notes, in addition, that the first defendant does not dispute its lack of response, a fortiori within the time limit required by Article 12.3 of the GDPR.

78. The Litigation Chamber concludes from the foregoing that the first respondent did not grant the complainant's request for access in a satisfactory manner and that there was a breach on its part of Article 15.1 of the GDPR, combined, a fortiori, with Article 12.3 of the GDPR. The first defendant also failed to fulfill its obligation to facilitate the exercise of the rights of data subjects required by Article 12.2 of the GDPR.

8.1.3. As for the breach of the principle of minimization (article 5.1 c) of the GDPR)

8.1.3.1. In view of the consultation of the DIV

79. The complainant accuses the first respondent of having consulted the DIV prematurely on January 3, 2019, that is, before the expiry of the period given to her to pay spontaneously the amount of the fee claimed. According to her, this consultation therefore took place in violation of the principle of minimization according to which "personal data must be: c) adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization)" (article 5.1 c) of the GDPR).

80. According to his report, the Inspector General concludes in this regard that "personal data concerning the [complainant] (name, first name and address) were processed without necessity in the period during which the data subject has the opportunity to pay the fee before a reminder is sent to his name and address, which is not compliant with the principle of data minimization provided for in Article 5.c [see Article 5.1 c)] of the GDPR. According to article [...] of the By-law of the City of [...] parking ticket machines 2019, this period is 10 days".

81. The first defendant does not dispute that this consultation of the DIV took place on 3 January 2019 at 10:03 p.m., i.e. the day after the complainant's parking violation on January 2, 2019. It explains that as soon as it was informed of what it called "an error", it immediately requested an adaptation of the system to take into account the deadlines imposed by the various municipal regulations and thus put an end to this practice of immediate consultation of the DIV. The first defendant further adds that when it made this request to its IT service provider, the latter informed it that the system had been corrected as early as August 26, 2019.

82. The Litigation Chamber recalls that access to the DIV is strictly regulated, taking into account the sensitivity of this database, and that only authorized bodies are allowed to access it. It was up to the first defendant to organize this access in accordance with the principles of data protection by design and by default (article 25 of the GDPR) in order to effectively implement the principle of data minimization.

83. The Litigation Chamber can only note, in support of the documents produced in the file and the Inspector General's finding, that there was a breach of the minimization principle provided for in Article 5.1 c) of the GDPR in respect of the first defendant.

8.1.3.2. In view of the communication of the complainant's data to the second defendant

84. As regards the transfer of the complainant's data by the first respondent to the second defendant, the Litigation Chamber insists that this communication take place only when necessary, otherwise it would violate the principle of minimization. The data subject should therefore be allowed the time allotted to them to pay the fee before the matter is referred to the bailiff. The second defendant is indeed justified in intervening, and therefore in being provided with the data of debtors such as the complainant, only in the event of non-payment within the time limit provided for by the municipal implementing regulations.

8.1.3.3. In view of the taking of photographs and their conservation for the purpose of establishing the offense

85. In her conclusions, the complainant also criticizes the first respondent for processing (including keeping) a certain number of personal data concerning her in violation of the principle of minimization, for the purposes of establishing the lack of payment of the fee due. Thus, the complainant considers, for example, that the photographs of her vehicle (including her professional card in the passenger compartment and the name of her garage) do not provide any element likely to specify the offense with which she is charged and are therefore without relevance. The same goes for the photograph of her license plate, about which she questions the necessity of the processing (including conservation).

86. The first defendant indicates in its conclusions that its agents collect such data as part of the establishment of the offense. It must, in accordance with Article 870 of the Judicial Code and taking into account the case law of the courts and tribunals, provide evidence of the offense it alleges before the competent courts. Finally, it adds: "That by taking the photos to ensure with certainty that no parking ticket or disc is shown on the windshield of the vehicle, as the car is parked in a place where parking is paid and / or in the blue zone on a date when the person concerned must pay for this parking, the concluding party does not violate the principle of minimization" (page 14 of the conclusions of the first defendant).

87. The Litigation Chamber recalls that, even if it is for the purpose of obtaining the evidence necessary to establish a breach of a parking rule, the data controller is required to respect all the obligations incumbent upon it under the GDPR throughout the duration of the processing (collection, communication, storage, etc.) of personal data. It does not fall within the primary competence of the Litigation Chamber to determine what evidence would be sufficient and relevant to present to the competent courts. The fact remains that as soon as this evidence constitutes personal data - including images, as in the present case - processed for the purposes of establishing the alleged facts, this data must be relevant to the purpose pursued. Without finding a breach of the principle of minimization on the part of the first defendant in this case, the Litigation Chamber invites the latter to be attentive in the future and to sensitize its employees who make the findings on the ground to act with discernment in this regard. The Litigation Chamber also recalls the principle according to which personal data cannot be kept for a period exceeding that necessary with regard to the purposes for which they are processed (article 5.1 e) of the GDPR).

8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR

88. Article 24.1 of the GDPR, which falls under Chapter IV of the GDPR devoted to the obligations of data controllers (and processors) and which reflects the principle set out in Article 5.2. of the GDPR, provides that "taking into account the nature, scope, context and purposes of the processing as well as the risks, of varying degrees of probability and severity, for the rights and freedoms of natural persons, the controller implements appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. These measures are reviewed and updated if necessary."

89. Article 24.2. of the GDPR specifies that, when this is proportionate to the processing activities, the measures referred to in Article 24.1. of the GDPR above include the implementation of appropriate data protection policies by the controller.

90. The Contentious Chamber is of the opinion, in view of what has been noted above in Headings 8.1.1., 8.1.2. and 8.1.3., that the first defendant had, at the time of the facts, failed to implement the appropriate technical and organizational measures required by Articles 24.1 and 2 of the GDPR to guarantee both an effective exercise of the rights of data subjects such as the complainant - in particular his right to information and his right of access - and respect for the principle of minimization when consulting the DIV.

91. With regard more particularly to the rights of data subjects, the Litigation Chamber insists on the fact that the municipal regulation, which certainly describes the succession of interventions by the first and second defendants in the context of the amicable recovery of the parking fee, cannot by itself constitute an adequate measure within the meaning of Article 24 of the GDPR. It allows the first defendant neither to ensure that the processing is carried out in accordance with the GDPR nor to demonstrate it. The Litigation Chamber nevertheless takes note of the commitments made by the first defendant to comply with its obligations in this regard (see Title 9.1. below).

8.1.5. Conclusion as to the breaches of the first defendant

92. In conclusion, the Contentious Chamber notes the following failings on the part of the first defendant:
- a breach of its obligation to inform (Article 14.1-2, combined with Articles 12.3 and 12.1. of the GDPR);
- a breach of its obligation to follow up on the exercise of the complainant's right of access within the legal period allotted to it to do so (Article 15.1 combined with Article 12.3. of the GDPR, as well as Article 12.2. of the GDPR (obligation to facilitate the exercise of rights));
- a breach of the principle of minimization during the premature consultation of the DIV (Article 5.1 c) of the GDPR);
- a breach of its obligation to put in place adequate technical and organizational measures for the implementation of Articles 5.2 and 24.1-2 of the GDPR.

8.2. As to the breaches on the part of the second defendant

8.2.1. As for the breach of the information obligation (Articles 12 and 14 of the GDPR)

93. The complainant criticizes the second defendant for not having informed her in accordance with the requirements of Article 14 of the GDPR, either when it first came into contact with her or through the formal notice that it sent to her on February 25, 2019 (point 7 above).

94. The second defendant considers that the exception provided for in Article 14.5. c) of the GDPR is applicable to it. In this regard, it relies on Article [...] of the municipal regulations of [...] reproduced below 9:

[……]

9 Note that in its formal notice of February 25, 2019, the second defendant refers to a municipal regulation (erroneous - see Title 7.2. above) only in these terms: "the possible recovery costs amicably charged to the user are in accordance with article [...] of the municipal regulations of [...] of the municipality of [...] relating to the parking fee".

95. The Litigation Chamber notes that under Article 14.5.c) of the GDPR, the controller is exempt from its obligation to provide information when and to the extent that "obtaining or the communication of information is expressly provided for by Union law or by the law of the Member State to which the controller is subject and which provides for appropriate measures aimed at protecting the legitimate interests of the data subject" 10.

96. The Contentious Chamber notes a language difference between the French version and, for example, the Dutch and English versions of this provision. Indeed, while the French version of Article 14.5.c) mentions "when and to the extent that the obtaining or the communication of information is expressly provided for by Union or Member State law", the Dutch and English versions respectively use the following terms: "wanneer en voor zover het verkrijgen of verstrekken van de gegevens uitdrukkelijk is voorgeschreven bij Unierecht of lidstaatelijk recht" and "where and insofar obtaining or disclosure is expressly laid down by Union or Member State law". The Litigation Chamber is of the opinion that it is the obtaining and the communication of data which must be provided for by national law, notwithstanding the terms of the French version of Article 14.5.c) of the GDPR.

97. The Contentious Chamber considers that the second defendant cannot rely on the exemption from the information provided for in Article 14.5 c) of the GDPR in this case for the reasons described below.

98. What is provided for in Article 14.5. c) of the GDPR constitutes an exception to the right to information. Failing to be informed that data processing concerning him or her is carried out, the person concerned is deprived of information which is in principle spontaneously provided by the controller and which facilitates the exercise of his or her other rights, of whose existence and modalities of exercise he or she is also informed (Articles 13.2 b), c) and d) and 14.2 c), d) and e) of the GDPR).

99. This exemption must be interpreted restrictively since it constitutes an exception to the information obligation provided for by the fundamental right to data protection 11, and all the more so as it deprives, as already mentioned, the data subject of information about the existence and the modalities of exercise of his or her other rights, which are NOT subject to the same exception "in the event of obtaining or communicating expressly provided for by law". For example, the right of access (Article 15 of the GDPR) - which in turn paves the way for the exercise of other rights such as the right to rectification, opposition or even erasure in particular - is not subject to this exception (Article 15.4. of the GDPR).

10 It is the Litigation Chamber that emphasizes.

11 The Contentious Chamber recalls the constant case law of the Court of Justice of the European Union which interprets the exceptions to the fundamental right to data protection restrictively: see, for example: C. Docksey and H. Hijmans, The Court of Justice as a Key Player in Privacy and Data Protection, EDPL Review (2019), pp. 300-316, and the case-law cited (in particular, p. 309).

100. The Litigation Chamber notes that in this case, as already noted, the municipal regulation relied on by the second defendant describes the succession of interventions by the first and second defendants in the management of the collection of parking fees (as well as surcharges due in default / or in the event of late payment). In other words, the municipal regulation on which the second defendant bases its exemption from information gives no information on the data processing carried out in execution thereof. At most it allows one to deduce that information will be exchanged between the first and the second defendant in the context of a violation of the parking rules in order to recover the fee due. One can certainly conceive that these interventions will entail the obtaining and communication of personal data. However, these are not expressly provided for; at most they can be implicitly deduced.

101. Moreover, this exception can only be invoked if appropriate guarantees aimed at protecting the legitimate interests of the persons concerned are provided for by said regulation. The Litigation Chamber considers that in the present case, these guarantees must consist of a minimum set of information relating to data processing which must appear in the regulatory act under which the communication of information takes place.

102. The Litigation Chamber is of the opinion that at a minimum, the following information - inspired by Article 23.2. of the GDPR - should have been included: purpose of the processing, categories of personal data processed, identity of the controller, retention period and a reference to the rights of data subjects.

103. Those guarantees must admittedly be provided for by national law. The lack of appropriate guarantees is certainly not attributable to the second defendant. The fact remains that under the GDPR, it is the data controller who is responsible for verifying whether it can legitimately invoke the exception provided for in Article 14.5.c) of the GDPR. The Litigation Chamber recognizes that, depending on the case and in particular the quality of the data controller, this examination may not be easy, especially with regard to the existence of appropriate guarantees. However, in this case, the municipal regulation that the second defendant relies on in support of its exemption does not deal with data protection aspects, which left little room for doubt as to whether it could legitimize a waiver of information. The legal framework for the profession of bailiffs and the respect due to their ethical rules are not enough in themselves to constitute appropriate guarantees in terms of data protection within the meaning of Article 14.5.c) of the GDPR.

104. In conclusion, the Contentious Chamber finds that the second defendant, wrongly relying on the exemption provided for in Article 14.5 c) of the GDPR (since the municipal regulation does not expressly provide for obtaining and communicating data, and in the absence of appropriate guarantees otherwise), failed to fulfill its obligation to provide information, thus contravening Article 14.1-2 taken together with Article 12.3. of the GDPR.

105. In its conclusions, the second defendant indicates to the Contentious Chamber that, "if the exception should not apply, she noted that the reference to her website appearing in her letters of formal notice does not, at least at first glance, allow to inform the persons concerned that they can obtain information directly on the website of the concluding party" (page 9 of the main conclusions of the second defendant). It proposes to add to the reference appearing on its template a specific mention concerning the protection of privacy, referring to its privacy information document available on its site.

106. The Contentious Chamber is indeed of the opinion that the mere mention of a website on a letter - a site on which a privacy statement can be viewed - does not constitute information that complies with the requirements of the GDPR. At a minimum, a "data protection" clause containing the essential elements of the processing operations concerned and an explicit reference to the privacy policy (relevant part if applicable) available on the site for the remainder must be provided. The Contentious Chamber refers in this regard to what it has indicated above with regard to the "Privacy" clause of the first defendant (point 57 et seq.).

107. The Contentious Chamber also wishes to clarify the following. As part of its argument, the second defendant concludes that the GDPR does not require the controller to communicate to the persons concerned the references of the normative act on the basis of which it considers itself exempted from its obligation to inform. However, failing any information in this regard, it is illusory to think that the persons concerned will seek (and will find) the normative act in question containing the required guarantees and allowing them to get informed. The Contentious Chamber considers that, when this exemption from information can be invoked (quod non in this case), it would be good practice to communicate this reference.

8.2.2. As for the breach of the right of access (Article 15 of the GDPR)

108. As the Contentious Chamber recalled above with regard to the obligations of the first defendant, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, when they are, access to said personal data as well as the items of information listed in letters a) to h) of Article 15.1. of the GDPR.

109. The complainant reports a fragmentary response to the access request that she addressed to the second defendant. She is of the opinion that she was not fully informed about the source of the data.

110. The second defendant points out that on page 3 of its letter in reply of 2 April 2019, she specified that she was mandated by the first defendant who had communicated to her the complainant and file data.

111. Based on the documents produced, the Contentious Chamber is not in a position to conclude that there was a breach of Article 15 of the GDPR on the part of the second defendant.

8.2.3. Regarding the breach of the principles of proportionality and the illegal reuse of data (Articles 5 and 6 of the GDPR) which are communicated to it by the first defendant even though it would not be validly founded

112. The Contentious Chamber notes that the complainant considers that the second defendant performs illegal data processing when it collects and stores data relating to her vehicle (photos of the windshield and general photo of the vehicle sent to it by the first defendant). The Contentious Chamber refers in this regard to the considerations it has set out in Title 8.1.3.3. above with regard to this complaint, which was also raised against the first defendant.

113. The Contentious Chamber does not find any breach on the part of the second defendant in this regard.

8.2.4. As for the payment request form and the obtaining of a forced consent (Article 6.1 a) of the GDPR - Article 5.1 c) of the GDPR)

114. On February 25, 2019, the complainant was sent by the second defendant a formal notice to pay the amount of the fee of […] euros ([…] +5) plus the summons costs and a collection fee, bringing the amount claimed to the sum of […] euros (point 7 above).

115. A form was attached to this formal notice, entitled "Form to be returned to us" printed in larger letters, framed and immediately followed by the following statement, in bold underlined: "Only this duly completed form and its annexes will be taken into account for the processing of your payment request or your dispute ”.

116. The following data are requested in this form: surname, first name, date of birth, address, postal code and town, telephone number, mobile number, e-mail address. Three choices in terms of payment proposals are also mentioned, under which the debtor:
- (1) undertakes to pay the full amount on a date to be mentioned, or
- (2) requests a clearance plan, or
- (3) indicates that it is impossible to pay the amount.

117. As a preliminary point, the Contentious Chamber notes that the complainant denounces the use of this form by the second defendant without it being established that she herself completed it. There is therefore, strictly speaking, no "processing of personal data" of the complainant via this form. Refusal to complete a form that turns out to be against the law (as will be demonstrated below), however, cannot result in a situation whereby the Litigation Chamber could not exercise the missions and powers conferred on it by Articles 57 and 58 of the GDPR and the LCA with regard to a practice that involves data processing subject to the GDPR. The Contentious Chamber is, therefore, irrespective of whether there is a breach with regard to the complainant, empowered to examine this grievance, against which the second defendant has also had the opportunity to defend itself.

118. The complainant considers that, given the wording of the form, its presentation, its content and the fact that it constitutes an annex to a formal notice of payment, it cannot be considered that the consent of the data subject to provide the data mentioned on this form would be free. The complainant is also of the opinion that the collection of data via this form ignored the principle of minimization.

119. The second defendant argues, on the contrary, that this form allows persons concerned to voice their dispute or their wish to benefit from a clearance plan. The second defendant adds that the purpose of the form is clearly stated in the formal notice of which it constitutes an annex and that no obligation for the person concerned can be deduced from this formulation. Therefore, it can legitimately rely on Article 6.1 (a) of the GDPR to collect said data and carry out subsequent processing. The notice states that consultation of the file and requests for online clearance and / or payment may be done via the site or by e-mail and that additional information can be obtained via the form.

120. As to the principle of minimization, the second defendant states that the form allows the persons concerned, by offering them various possibilities (postal address, telephone number, mobile phone number, e-mail address), to choose the mode of communication and the contact data necessary for this purpose, without there being any obligation to complete the form (point 119 above), nor - in the event that the debtor wishes to make use of it - any obligation to provide data for each of the headings of said form.

121. The Contentious Chamber recalls that Article 4.11. of the GDPR defines the consent of the person concerned as being "any manifestation of will, free 12, specific, informed and unambiguous by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him / her are processed." The consent on which data processing is based pursuant to Article 6.1. a) of the GDPR must meet all the qualities required by this definition.

122. The adjective "free" implies choice and real control for those concerned. The consent can only be valid if the data subject is genuinely able to exercise a choice and if there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. significant additional costs) if he or she does not give consent. Consent will not be free when any element of coercion, pressure or inability to exercise meaningful choice is present. Consent will therefore not be considered to be freely given if the data subject is not able to refuse or withdraw consent without suffering prejudice. The controller must also demonstrate that it is possible to refuse or withdraw consent without suffering prejudice (recital 42 of the GDPR) 13.

123. When determining whether consent is freely given, it is therefore appropriate to take account of a possible imbalance in the balance of power between the person concerned and the controller. Recital 43 of the GDPR makes it clear that it is not likely that authorizations

Similarly, the Litigation Chamber recalls that to be valid, consent must also be informed. For consent to be considered informed, it is necessary that the controller provides certain information to the data subject, in an understandable and easily accessible form. Recital 42 of the GDPR requires that the data subject have, at a minimum, knowledge of the identity of the controller and of the purposes of the processing for which the personal data are intended.

131. The Contentious Chamber considers that other elements are also crucial so that the data subject can make an informed decision and that his or her consent is valid. The controller should provide information on the type of data concerned by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR), on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR) and, where applicable, on the risks associated with the transfer of data to a country that does not offer adequate protection and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15.

132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the second defendant intends to rely in the future, the formal notice should include information in the form of a specific clause containing both the elements required for an informed consent where applicable, and succinct information directly useful with regard to the processing(s) concerned (point 106 above).

14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of Regulation (EU) 2016/679 (points 121-123): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf

133. With regard to compliance with the principle of minimization (Article 5.1 c) of the GDPR), the Litigation Chamber also notes that with regard to the various data requested under "Your contact details", no asterisk or other indication shows that the data subject is free to choose one of the communication modes (telephone number, GSM number, e-mail address) and that certain data are therefore optional. Taken in isolation, these data appear relevant and not excessive, but here too, the presentation and wording used suggest that there is no alternative to collecting all the information regarding each section of the table.

134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR on the part of the second defendant.

8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR

135. On the basis of the breaches identified above (8.2.1. and 8.2.4.), the Litigation Chamber is of the opinion that the second defendant failed to implement the appropriate technical and organizational measures to ensure and be able to demonstrate that the data processing operations it performs are, in particular taking into account their nature, their context and the purposes they pursue, carried out in accordance with the GDPR.

136. The Contentious Chamber therefore concludes that there has been a breach of Articles 5.2. and 24.1-2 of the GDPR in respect of the second defendant.

8.2.6. Conclusion as to the breaches of the second defendant

137. In conclusion, the following shortcomings are noted with regard to the second defendant:
- a breach of its information obligation (Article 14.1-2, combined with Article 12.3. of the GDPR);
- a lack of legal basis with regard to the collection of data under the form accompanying the formal notice of payment (Article 6 of the GDPR) and a breach of the principle of minimization (Article 5.1 c) of the GDPR) given the excessive nature of the requested data;
- a breach of Articles 5.2. and 24.1-2 of the GDPR.

9. Regarding corrective measures and sanctions

138. Under Article 100 LCA, the Litigation Chamber has the power to:
1° dismiss the complaint;
2° order the dismissal;
3° pronounce a suspension of the pronouncement;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the requests of the person concerned to exercise these rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive prohibition of processing;
9° order that the processing be brought into conformity;
10° order the rectification, restriction or erasure of data and the notification

131. The Contentious Chamber considers that other elements are also crucial for the data subject can make an informed decision and that their consent is valid. The controller should provide information on the type of data concerned by the proposed processing, on the existence of a right to withdraw consent (art. 7.3 of the GDPR), on the possible use of data for automated decision-making (art. 22.2 c) of the GDPR) and, where applicable, on the risks associated with the transfer of data to a country that does not offer protection adequate and in the absence of appropriate guarantees (art. 49.1 a) of the GDPR) 15 . 132. The Contentious Chamber is of the opinion that, whatever the legal basis on which the second defendant intends to rely in the future, the formal notice should include a information in the form of a specific clause containing both the elements required for a informed consent where applicable, and succinct information directly useful with regard to the processing (s) concerned (point 106 above).

14 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of Regulation (EU) 2016/679 (points 121-123): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf 15 European Data Protection Board, Guidelines 05/2020 on consent within the meaning of Regulation 2016/679 (point 3.3. pp. 17 et seq. of the French version): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf Decision on the merits 81 / 2020- 32/45 133. With regard to compliance with the principle of minimization (article 5.1 c) of the GDPR), the Chamber Litigation also notes that with regard to the various data requested under "Your contact details ", no asterisk or other indication indicates that the data subject is free to choose one of the communication modes (telephone number, GSM number, e-mail address) and that certain data are therefore optional. Taken in isolation, these data appear relevant and not excessive, but here too, the presentation and wording used suggest that there is no no alternative to collecting all the information regarding each section of the table. 134. The Litigation Chamber therefore concludes that there has been a breach of Article 5.1 c) of the GDPR in the head of the second defendant. 8.2.5. With regard to compliance with Articles 5.2. and 24 of the GDPR

135. In support of the breaches identified above (8.2.1. And 8.2.4.), The Litigation Chamber is of opinion that the second defendant is in default of having implemented the technical measures and appropriate organizational structure to ensure and be able to demonstrate that data that it processes are, in particular taking into account their nature, the context and purposes they pursue, carried out in accordance with the GDPR.

136. The Litigation Chamber therefore concludes that there has been a breach of Articles 5.2 and 24.1-2 of the GDPR on the part of the second defendant.

8.2.6. Conclusion as to the breaches of the second defendant

137. In conclusion, the following shortcomings are noted with regard to the second defendant:
- a breach of its information obligation (article 14.1-2, combined with article 12.3 of the GDPR);
- a lack of legal basis with regard to the collection of data through the form accompanying the formal notice of payment (article 6 of the GDPR) and a breach of the principle of minimization (article 5.1 c) of the GDPR) given the excessive nature of the requested data;
- a breach of Articles 5.2 and 24.1-2 of the GDPR.

9. Regarding corrective measures and sanctions

138. Under article 100 LCA, the Litigation Chamber has the power to:
1° dismiss the complaint;
2° order the dismissal;
3° pronounce a suspension of the pronouncement;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the requests of the person concerned to exercise their rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive prohibition of processing;
9° order that the processing be brought into conformity;
10° order the rectification, restriction or erasure of data and the notification e

or such corrective measure or sanction. If, notwithstanding the above, the complainant nevertheless asks the Litigation Chamber to pronounce one or other measure and/or sanction, it is therefore not up to the latter to justify why it would not grant one or other request made by the complainant. These considerations leave intact the obligation for the Litigation Chamber to justify the choice of the measures and sanctions which it judges (among the list of measures and sanctions made available to it by Articles 58 of the GDPR and 95.1 and 100.1 LCA) appropriate to impose on the party in question.

144. In the present case, the Litigation Chamber notes that the complainant asks it in particular to order compliance subject to a penalty payment. Without prejudice to the above, but since it has just published its policy in this regard, the Litigation Chamber refers on this point to the publication now available on its website17.

145. With regard to the administrative fine, the Litigation Chamber emphasizes that its aim is to effectively enforce the rules of the GDPR. Other measures, such as a compliance order or a prohibition on continuing certain processing, for example, make it possible to put an end to a breach that has been found. As can be seen from recital 148 of the GDPR, sanctions, including administrative fines, are imposed in the event of serious violations, in addition to or in place of the appropriate measures that are required. Therefore, the administrative fine can certainly sanction a serious breach that was remedied during the proceedings or that is about to be remedied. The fact remains that, in setting the amount of the fine, the Litigation Chamber will take into account what has been brought to an end or what is in progress to remedy the said breaches.

9.1. As to the first defendant

146. The Litigation Chamber noted a breach of Articles 14.1-2 combined with Article 12.1 and 12.3, 15.1 combined with Article 12.3 and Article 12.2, 5.1 c), 5.2 and 24.1-2 of the GDPR (point 92 above).

17 See, on the APD website, Section Authority - Organization - Litigation Chamber: https://www.autoriteprotectiondonnees.be/citoyen/l-autorite/ organizations and https://www.autoriteprotectiondonnees.be/professionnel/l-autorite/ organizations

147. In view of these breaches, the Litigation Chamber issues a reprimand to the first defendant on the basis of Article 100.1, 5° LCA.

148. The Litigation Chamber further notes that the first defendant has, without awaiting the decision of the Litigation Chamber, in its conclusions and during the hearing, made a number of commitments to remedy the shortcomings identified by the Inspector General in his report. The Litigation Chamber is of the opinion that a number of changes and measures must indeed be made by the first defendant, as quickly as possible, in order to comply with its obligations under the GDPR. The Litigation Chamber therefore imposes a compliance order detailed in the operative part, in application of article 100.1, 9° LCA (see in this regard the clarification in point 141 above).

149. In addition to this reprimand18 and this compliance order, the Litigation Chamber is of the opinion that an administrative fine is also justified in this case for the following reasons.

150. As to the nature of the violation, the Litigation Chamber notes that the breach of Article 5.1 c) of the GDPR constitutes a breach of one of the founding principles of the GDPR (and of data protection law in general), namely the principle of minimization enshrined in Chapter II "Principles" of the GDPR.

151. As regards the breaches of Article 14.1-2 combined with Articles 12.3 and 12.1 of the GDPR, and of Article 15.1 of the GDPR (combined with Article 12.3 and Article 12.2 of the GDPR), they constitute breaches of the rights of data subjects. These information and access rights have also been strengthened under the GDPR, which shows their particular importance. In this perspective, the Data Protection Authority has made compliance with them a priority in its strategic plan 2020-2025.19 The appropriate corrective measure/sanction is nonetheless determined case by case.

152. Finally, with regard to the breach of Articles 5.2 and 24.1-2 of the GDPR, it also constitutes a breach of the key principle of accountability, introduced by the GDPR.

18 The Litigation Chamber here intends to clarify the distinction between warning and reprimand: the warning is intended to notify a controller or a processor that the processing operations envisaged are likely to violate the provisions of the GDPR (article 58.2 a) of the GDPR, article 95.1, 4° and article 100.1, 5° LCA). The reprimand (or call to order) aims to call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of the GDPR (article 58.2 b) of the GDPR and article 100.1, 5° LCA).

19 Data Protection Authority (DPA), Strategic Plan 2020-2025: https://www.autoriteprotectiondonnees.be/publications/plan-strategique-2020-2025.pdf

153. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may be fined up to 20,000,000 euros or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year. The maximum fine amounts that can be applied in case of violation of these provisions are higher than those provided for the other types of breaches listed in Article 83.4 of the GDPR. As these are breaches of a fundamental right, enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, their gravity will be assessed autonomously, as the Litigation Chamber has already had the opportunity to point out, on the basis of Article 83.2 a) of the GDPR20.

154. It has already been noted that in the context of the inspection, the letters in response to the Inspector General were signed by the group [...]. At the hearing on July 13, 2020, the first defendant confirmed that it is part of this group.

155. In determining the amount of the fine, the Litigation Chamber takes into account the concept of company (article 83.5 of the GDPR). The Litigation Chamber also takes into account the opinion of the European Data Protection Board, from which it retains the following in particular: "In order to impose effective, proportionate and dissuasive fines, the supervisory authorities will rely on the definition of the concept of enterprise provided by the CJEU for the purposes of the application of Articles 101 and 102 of the TFEU, namely that the concept of company must be understood as an economic unit that can be formed by the parent company and all the subsidiaries concerned. In accordance with Union law and case law, it is necessary to understand by enterprise the economic unit engaged in commercial or economic activities, regardless of the legal person involved (recital 150)."21

156. As to the number of data subjects affected by the violations, the Litigation Chamber notes that the breaches found concern, beyond the complainant alone, a large number of people. The first defendant holds parking concessions in […] municipalities. The shortcomings observed are part of the practice of the first defendant and result from the failure to set up effective procedures, in particular for the exercise of rights. The number of people concerned is therefore high.

20 See in this regard decision 64/2020 of the Litigation Chamber (point 54): https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf

21 European Data Protection Board, Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679, WP 253, adopted on 3 October 2017, p. 6, available at www.edpb.europa.eu. See also decision 37/2020 of the Litigation Chamber.

157. As to the status of the first defendant, the Litigation Chamber recalls that in previous decisions22 it has already treated the data controller's status as a public representative as an aggravating factor within the meaning of Article 83.2 k) of the GDPR. Without being a public representative in the strict sense of the term, the first defendant nonetheless exercises a public competence which has been entrusted to it by concession. As such, it must adopt an exemplary attitude. The "infringement" context in which the data it processes are handled also requires, in view of their purpose, particularly rigorous respect for the rights of the data subjects. Data processing is also a substantial part of the activity of the first defendant.

158. As to the duration criterion, the Litigation Chamber notes that these breaches have persisted over time (Article 83.1 a) of the GDPR), at least since May 25, 2018, except for the breach of Article 5.1 c) of the GDPR, which was more limited in time.

159. As to the question of whether the breaches were committed deliberately or not (by negligence) (art. 83.2 b) of the GDPR), the Litigation Chamber recalls that "not deliberately" means that there was no intention to commit the violation, although the controller or the processor did not comply with its duty of care under the law. In the present case, the Litigation Chamber is of the opinion that the facts and the shortcomings noted, serious though they are, do not reflect a deliberate intention to violate the GDPR on the part of the first defendant.

160. The Litigation Chamber finally notes that the first defendant cooperated with the APD throughout the procedure (Article 83.2 f) of the GDPR), in particular with the Inspectorate, and admits that the handling of the complainant's case requires it to make substantial improvements to its current functioning with regard to the rights of data subjects. The first defendant has moreover, as already underlined, made a certain number of commitments to achieve compliance in this respect23.

22 See decision 10/2019 of the Litigation Chamber (page 12) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-10-2019.pdf as well as its decision 11/2019 (page 10) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n11-2019.pdf

23 For information, the first defendant makes a number of commitments vis-à-vis the APD, the terms of which are reproduced below (points 42 to 45 of the conclusions of the first defendant): 42. The concluding party realized that the information provided was not sufficient with regard to the obligations incumbent upon it. The concluding party therefore undertakes to provide the Data Protection Authority, as soon as possible, with an information document that will meet the requirements of Article 14 of the GDPR and which will appear on its website (Exhibit 41). 43. In addition, the concluding party will ensure that this notice allows easy access to the information relating to data protection by creating an explanatory note which will be located in a single place on its website.1 44. In addition, the concluding party will put in place a clear reference on the invitation to pay to ensure that data subjects understand directly that all information is accessible on its website. In addition, the concluding party will review, again as soon as possible, the content of the privacy message at the bottom of its reminder letter. 45. Finally, the concluding party undertakes to have its entire website audited again in order to set up all the documentation, details and references in the necessary forms so that the people concerned can easily access complete information.

161. The Litigation Chamber notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.

162. In conclusion, in view of the elements developed above specific to this case, the Litigation Chamber considers that the facts noted and the breach of Articles 14.1-2 combined with Article 12.1 and 12.3, 15.1 combined with Article 12.3 and 12.2, 5.1 c), and 5.2 and 24.1-2 of the GDPR justify that, as an effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR, and taking into account the assessment factors listed in Article 83.2 of the GDPR and the reaction of the first defendant to the proposed fine form, a reprimand (article 100.1, 5° LCA) and a compliance order detailed below (article 100.1, 9° LCA), accompanied by an administrative fine in the amount of 50,000 euros (article 100.1, 13° and 101 LCA), be pronounced against the first defendant.

163. In fixing this amount, the Litigation Chamber took into account that the first defendant is part of the group [...], the annual turnover of this group and the financial basis of the latter. It also took into account the information given by the first defendant in its reaction to the proposed fine form, according to which the group is experiencing a clear decrease in revenues in the current context of the covid-19 virus pandemic.

164. With regard to these elements, the amount of 50,000 euros remains proportionate to the breaches found. The Litigation Chamber is of the opinion that a fine of less than 50,000 euros would not meet, in this case, the criteria required by Article 83.1 of the GDPR, according to which the administrative fine must be effective, proportionate and dissuasive. In its decision 01/2020 of 9 November 2020, the European Data Protection Board insists in this regard on the fact that the level of the fine contributes to its effectiveness, proportionality and dissuasiveness24.

9.2. As for the second defendant

165. The Litigation Chamber found a breach of Article 14.1-2 combined with Article 12.3, of Article 6, of Article 5.1 c) and of Articles 5.2 and 24.1-2 of the GDPR on the part of the second defendant (paragraph 137 above).

166. In view of these shortcomings, the Litigation Chamber issues a reprimand to the second defendant on the basis of Article 100.1, 5° LCA.

167. The Litigation Chamber also takes note of the fact that the second defendant has, in its conclusions and at the hearing, proposed to make certain changes to its practice. The Litigation Chamber is of the opinion that a number of modifications and measures must indeed be made by the second defendant, as quickly as possible, in order to comply with its obligations under the GDPR. Therefore, the Litigation Chamber imposes a compliance order detailed in the operative part, pursuant to article 100.1, 9° LCA (see in this regard the clarification in point 141 above).

168. In addition to this reprimand25 and this compliance order, the Litigation Chamber is of the opinion that an administrative fine is also justified in this case for the following reasons.

169. As to the nature of the violation, the Litigation Chamber notes that, with regard to the breach of Article 6 of the GDPR (lack of legal basis - forced consent) and Article 5.1 c) of the GDPR, they constitute breaches of the founding principles of the GDPR (and of data protection in general), namely the principles of lawfulness and minimization enshrined in Chapter II "Principles" of the GDPR. The data collected through the form are mainly identification data and do not constitute sensitive data within the meaning of Articles 9 and 10 of the GDPR. However, they are processed, as will be mentioned in point 176 below, in an "infringement" context. The Litigation Chamber will take both of these considerations into account.

24 European Data Protection Board, Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65 (1) (a) GDPR (only available in English). See § 199: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf "199 Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfill its purpose as a corrective measure, in particular it does not meet the requirements of Article 83 (1) GDPR of being effective, dissuasive and proportionate." Free translation by the APD Secretariat: "199. Consequently, the EDPB considers that the amount of the fine proposed in the draft decision is too low and, for this reason, does not fulfill its role as a corrective measure. In particular, this amount does not meet the requirements of Article 83.1 of the GDPR according to which the fine must be effective, proportionate and dissuasive".

25 The Litigation Chamber here intends to clarify the distinction between warning and reprimand: the warning is intended to notify a controller or processor that the processing operations envisaged are likely to violate the provisions of the GDPR (article 58.2 a) of the GDPR, article 95.1, 4° and article 100.1, 5° LCA). The reprimand (or call to order) aims to call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of the GDPR (article 58.2 b) of the GDPR and article 100.1, 5° LCA).

170. As for the breach of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes an infringement of the rights of data subjects, notwithstanding the existence, moreover, of a confidentiality policy, of which the Litigation Chamber is aware and which it takes into account (paragraph 179). The right to information has been strengthened under the GDPR, demonstrating its particular importance. In this perspective, the Data Protection Authority has made respect for the rights of data subjects a priority in its 2020-2025 strategic plan26. However, the appropriate corrective measure/sanction is determined on a case-by-case basis.

171. Finally, with regard to the breach of Articles 5.2 and 24.1-2 of the GDPR, it also constitutes a breach of the key principle of accountability, introduced by the GDPR.

172. Pursuant to Article 83.5 a) of the GDPR, violations of all these provisions may be fined up to 20,000,000 euros or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year. The maximum fine amounts that can be applied in case of violation of these provisions are higher than those provided for the other types of breaches listed in Article 83.4 of the GDPR. As regards breaches of a fundamental right, enshrined in Article 8 of the Charter of Fundamental Rights of

ontentieuse notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.

181. In conclusion, in view of the elements developed above specific to this case, the Litigation Chamber considers that the facts noted and the breach of Article 14.1-2 combined with Article 12.3, of Article 6, of Article 5.1 c) and of Articles 5.2 and 24.1-2 of the GDPR justify that, as an effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR, and taking into account the assessment factors listed in Article 83.2 of the GDPR and the reaction of the second defendant to the proposed fine form, a reprimand (article 100.1, 5° LCA) and a compliance order detailed below (article 100.1, 9° LCA), accompanied by an administrative fine in the amount of 15,000 euros (article 100.1, 13° and 101 LCA), be pronounced against the second defendant.

10. As for transparency

182. In view of the importance of transparency in the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the APD with the direct identification data of the parties and persons mentioned, whether natural or legal persons, deleted.

183. The Litigation Chamber is aware that the complainant requested the publication of this decision by name. The Litigation Chamber is of the opinion that it is not for the complainant to request such a measure. In this case, the Litigation Chamber nevertheless wishes to clarify that, within the wide margin of appreciation it has in applying Article 100.1, 16° LCA, it decides not to publish this decision mentioning the data controllers involved.

When it decided to publish its decisions stating the identity of the defendant, the Litigation Chamber justified its decision by the fact that this publicity would guarantee rapid compliance, would help reduce the risk of recurrence and aimed to educate the public, taking into account the data controller involved. In addition, any pseudonymization of the name of the defendant would have been illusory in these few cases29. It does not consider it necessary to do so in this case.

FOR THESE REASONS

THE LITIGATION CHAMBER

After deliberating, decides to:

With regard to the first defendant:
- Issue a reprimand against the defendant on the basis of article 100.1, 5° LCA;
- Issue a compliance order regarding the implementation of the rights of information and access of the data subjects, on the basis of Article 100.1, 9° LCA. To this end, the first defendant is requested to communicate to the APD both its confidentiality policy applicable to the processing operations covered by this decision and its information clause(s), as well as the procedure put in place to respond to the exercise of the right of access. These documents must be produced within 3 months of the notification of this decision via the address litigationchamber@apd-gba.be
- Impose an administrative fine against the defendant in the amount of 50,000 euros in application of articles 100.1, 13° and 101 LCA.

With regard to the second defendant:
- Issue a reprimand against the defendant on the basis of article 100.1, 5° LCA;
- Issue a compliance order regarding information (confidentiality policy and information clauses) and the legal basis of the form attached to the formal notices of payment, on the basis of article 100.1, 9° LCA. To this end, the second defendant is requested to communicate to the APD both its confidentiality policy applicable to the processing covered by this decision and its information clause(s), as well as the manner in which it intends to respond to the shortcomings related to the aforementioned form. These documents must be communicated within 3 months from the date of notification of this decision via the address litigationchamber@apd-gba.be
- Impose an administrative fine against the defendant in the amount of 15,000 euros in application of articles 100.1, 13° and 101 LCA.

29 See decision 37/2020 of the Litigation Chamber (point 183): https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf

Under Article 108.1 LCA, this decision may be appealed to the Market Court (Brussels Court of Appeal) within 30 days of its notification, with the Data Protection Authority as respondent.

(Sé.) Hielke Hijmans
President of the Litigation Chamber