Difference between revisions of "APD/GBA - 19/2020"

From GDPRhub
m (Duplicate of national law deleted.)
m (Mh moved page APD/GBA - DOS-2018-05421 to APD/GBA - 19/2020 without leaving a redirect)
 
(3 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
|DPA_With_Country=APD/GBA (Belgium)
 
|DPA_With_Country=APD/GBA (Belgium)
  
|Case_Number_Name=DOS-2018-05421
+
|Case_Number_Name=19/2020
 
|ECLI=
 
|ECLI=
  
 
|Original_Source_Name_1=Official site of the Belgian data protection authority
 
|Original_Source_Name_1=Official site of the Belgian data protection authority
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Decision_CC_19-2020_FR.pdf
+
|Original_Source_Link_1=https://autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-19-2020.pdf
 
|Original_Source_Language_1=French
 
|Original_Source_Language_1=French
 
|Original_Source_Language__Code_1=FR
 
|Original_Source_Language__Code_1=FR
Line 59: Line 59:
 
}}
 
}}
  
Belgium's DPA reasserts the principle of accountability of the data processor in accordance with Article 24 GDPR and the necessity of documenting all processes and procedures resulting therefrom.
+
Belgium's DPA reasserts the principle of accountability in accordance with Article 24 GDPR and the necessity of documenting all processes and procedures resulting therefrom.
  
 
==English Summary==
 
==English Summary==
Line 82: Line 82:
  
 
<pre>
 
<pre>
 +
File No.: DOS-2018-05421
 +
Subject: Complaint against a City about the regularity of the consultation of a citizen’s photo in the National Register by a communal employee
 +
The Litigation Chamber of the Data Protection Authority, consisting of Mr Hielke Hijmans, President, and Mr Y. Poullet and Mr C. Boeraeve, members. The case is taken up in this composition.
 +
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
 +
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
 +
Having regard to the Act of 8 August 1983 establishing a National Register of Natural Persons.
 +
Having regard to the Rules of Procedure of the Data Protection Authority as approved by the House of Representatives on 20 December 2018 and published in the Belgian Moniteur on 15 January 2019;
 +
Having regard to the documents in the file;
 +
Took the following decision concerning:
 +
- The Complainant
 +
- The controller (hereinafter the
 +
respondent)
 +
I. Retroacts of the procedure
 +
Having regard to the complaint lodged by the complainant with the Data Protection Authority on 2 October 2018;
 +
Having regard to the decision of 26 October 2018 of the Data Protection Authority’s Frontline Service declaring the complaint admissible and its transmission to the Dispute Chamber on that same date;
 +
Having regard to the decision taken by the Dispute Chamber at its sitting on 14 November 2018 to request an investigation from the Inspection Service pursuant to Articles 63.2 and 94, 1° LCA; Having regard to the referral to the Inspector General on that same date;
 +
Having regard to the report and minutes of investigation of the Inspector General transmitted to the Dispute Chamber on 17 May 2019;
 +
Having regard to the decision taken by the Dispute Chamber at its sitting on 28 May 2019 to consider that the case was ready for substantive processing under Articles 95(1), 1 and 98 LCA;
 +
Having regard to the submission of the Inspector General’s report and minutes of investigation to the parties on 29 May 2019 and the invitation of the Dispute Chamber to the parties to present their arguments according to a set timetable; Having regard to the decision of the Trial Chamber of 19 July 2019 to replace the deadline for the final filing of the submissions for the respondent of 19 July 2019 with the date of 19 August 2019;
 +
Having regard to the submissions filed on 19 August 2019 by counsel for the respondent and the email accompanying them, according to which the respondent’s counsel state that their client wishes to be heard pursuant to Rule 51 of the Rules of Procedure of the Data Protection Authority;
 +
Having regard to the hearing at the sitting of November 18, 2019, at which the respondent represented by her counsel appeared. At the end of the hearing, the Litigation Chamber decided to proceed with the case and asked the respondent to provide it with any additional evidence attesting to the latest measures put in place since the communication of its findings in August 2019;
 +
Having regard to the minutes of the hearing of 18 November 2019;
 +
Having regard to the supplementary documents filed by the respondent on 22 and 26 November 2019;
 +
Having regard to the complainant’s reply of 11 December 2019;
 +
Having regard to the last submissions filed in reply by the respondent on January 14, 2020.
 +
II. The facts and subject matter of the complaint
 +
According to her complaint, the complainant states that she has doubts as to the regularity of the consultation of her photo in the National Register dated May 11, 2018 by an employee of the respondent. On June 27, 2019, she sent an email to the Helpdesk Belpic (Inner SPF – Directorate-General Institutions and Populations) in the following terms:
 +
Ma’am, sir,
 +
By consulting my file via IBZ, I note that a consultation in “Transaction Code 08 – Photo Consultation” was done on 11/05/2018 at 14:39.
 +
Knowing that I was on a honeymoon at that time, I find it quite strange that someone would look at my photo.
 +
(...) I therefore know from experience that we do not consult a transaction code 08 without just cause. He is certainly a colleague, so I would like to know more if possible.
 +
(...)”.
 +
On June 28, 2019, HelpDesk Belpic replied by e-mail the following:
 +
“The staff of the bodies authorised to access the data of the National Register shall be bound by professional secrecy. Improper consultation of cases (e.g. for private purposes) entails their personal responsibility at the disciplinary, civil and criminal level.
 +
In the event of suspicion of improper or non-regulatory consultation of your data by an organisation, you can contact the organisation directly. Organisations are required to ensure the traceability and archiving of consultations within them and will normally be able to provide you with information regarding the nature of these consultations.
 +
If the response provided is unsatisfactory or if you have serious reasons to believe that a consultation is abusive, you have the opportunity to lodge a complaint with the
 +
Privacy Commission (https://www.privacycommission.be/fr) or a court.
 +
The services of the National Register do not generally have information on the consultations carried out by these bodies and are not empowered to manage complaints”.
 +
Also by e-mail dated June 28, 2019, the complainant spoke to a former co-worker, to whom to apply to the respondent. Unanswered, the complainant reiterated her request by e-mail dated August 14, 2019. By e-mail dated August 29, 2019, the respondent replied that an investigation had been requested and that the complainant would be informed of the result of the investigation at a later date.
 +
The complainant inquired about the follow-up to her request by email dated September 27, 2019. By email dated September 27, 2019, she was answered as follows:
 +
“Dag,
 +
Een onderzoek werd opgestart maar leverde geen totale zekerheid op, noch wat betreft de persoon die uw dossier consulteerde (alleen de foto), noch wat betreft de eventuele motivatie voor de raadpleging.
 +
Er werden geen bekentenissen afgelegd. De feiten werden evenwel geacteerd”.
 +
Free translation:
 +
“Good morning,
 +
An investigation was initiated but did not provide absolute certainty, either as to the person who consulted your file (only photo) or the possible motivation for consultation.
 +
No confession has been made. However, the facts have been recorded.”
 +
On October 2, 2019, the complainant filed a complaint with the Data Protection Authority.
 +
III. The Inspector General’s Report and Minutes of Investigation
 +
According to the Inspector General’s report and minutes of investigation dated 17 May 2019, the Inspector General states:
 +
Finding 1: The respondent was not able to justify the contested consultation in accordance with Article 17 of the Law of 8 August 1983 establishing a national register of natural persons. In this regard, its register of consultations does not indicate the purpose for which the data in the National Register were consulted.
 +
The report also mentions the respondent’s reference to Recommendation 07/2017 of 30 August 2017 of the Commission de la protection de la vie privée aux villes et communes concerning the registration of the ground for the consultation of the National Register.1 In fact, by letter dated 19 February 2019, addressed to the Data Protection Officer (DPO) of the respondent, the Inspector General asks in particular that it be provided “an explanation of the reasons for which no concrete reply was given to the respondent’s Data Protection Officer (DPO) in respect of the complainant’s question”.
 +
The respondent states by letter in reply of 29 April 2019 that the check carried out on the basis of the complainant’s request was carried out on 20 and 21 August 2019 by consultation of the SAPHIR logging used for access to the National Register. A request for explanation was then made with the officer under whose name the consultation was registered, Mr. X, the respondent’s employee.
 +
The respondent goes on to state that the reason why the identity of the officer who viewed the complainant’s photo was not disclosed is related to the lack of absolute certainty that this officer is indeed the author of the consultation. This lack of absolute certainty is “due to the fact that at the time of his hearing he did not remember to see the consultation carried out and specified that he never consults the photographs of citizens from the National Register but only in the Belpic application, to make a comparison when ordering identity cards. The reason for the diary consultation could not be established” (Excerpt from the respondent’s letter of 29 April 2019 to the Inspector General of ODA).
 +
Finally, as part of the inspection, the respondent adds that there are several elements of its willingness to strengthen, since 2018, the awareness and accountability of officers to whom access to the National Registry is granted as part of their duties. In this regard, it states that the systematic recording of the purpose for which data in the National Register are consulted has not yet been made mandatory. The mechanism aimed at combating unfounded access is essentially preventive in nature, but without a detective exploitation of access logging, except for the request of a citizen.
 +
The inspection report notes in this regard that the respondent commits itself in the following terms:
 +
1 This recommendation is published on the website of the Data Protection Authority and has been published on the website of the Privacy Commission since its adoption in August 2017: https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/recommandation 07 2017.pdf
 +
A recommendation will be made to make the reason for consultation mandatory. (...) As soon as possible, a recommendation to supplement the device with a layer of a detective nature will also be formulated, based on the principle that the reason recorded in the access logging must be able to be corroborated by a concrete element, such as a file, an application, etc., and that a sample check can be ascertained” (Excerpt from the inspection report – respondent’s response of April 5, 2019 – OPD opinion).
 +
IV. Hearing of 18 November 2019
 +
At the hearing held on 18 November 2019, the respondent, through its counsel, set out the arguments it had developed in its conclusions of 19 August 2019. In particular, counsel for the respondent admits that there was indeed a problem during the consultation of the complainant’s photograph. The respondent also highlights the seriousness with which the complainant’s complaint has been dealt with and the measures that have been decided and have been put in place or will soon be put in place to comply with section 17 of the National Registry Act.
 +
IN LAW
 +
V. As regards the competence of the Data Protection Authority, in particular
 +
the Litigation Chamber
 +
Pursuant to Article 4 § 1 LCA, the Data Protection Authority (DPA) is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data, including the Act of 8 August 1983 organising a National Register of Natural Persons.
 +
Pursuant to Article 33 § 1 LCA, the Litigation Chamber is the administrative litigation body of ODA. It is seized of complaints transmitted to it by the First Line Service (SPL) pursuant to Article 62 § 1 LCA, which are admissible complaints. In accordance with Article 60 (2) LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and which fall within the competence of ODA.
 +
As for the consultation of the photograph denounced by the complainant, this consultation is dated May 11, 2018. It therefore took place on a date prior to the entry into force of the GDPR. The Litigation Chamber is therefore not allowed to know about it. Indeed, the Chamber of Contentious finds the legal basis for its jurisdiction in the Act of 3 December 2017 establishing the Data Protection Authority (LCA), whose entry into force has been fixed, with exceptions, on the date of 25 May 2018 (article 110 of the CLA). While the Dispute Chamber is competent with regard to data processing which, of course, started before 25 May 2018 but continue today, it is not for one-time processing which would have taken place before 25 May 2018, since no retroactivity has been foreseen for the exercise within the time of its competence.
 +
In the present case, as set out in point III above, the inspection carried out following the filing of this complaint revealed failures subsequent to the date of 25 May 2018, of which the Dispute Chamber is therefore empowered to know (see point VI below).
 +
VI. On the reasons for the decision
 +
As a preliminary point on the infringement of the rights of defence invoked by the respondent
 +
In its submissions of 19 August 2019, the respondent deplores, at the outset, that the complainant did not file an Opinion (paragraph 10 of the respondent’s submissions). It adds that, given the wording of the complaint, it is impossible to fully grasp what it is accused of and, more precisely, the legal provisions that have been violated.
 +
Accordingly, the respondent is of the opinion that its rights of defence have not been respected in the present case. At the hearing on November 18, 2019, the respondent reiterated its regrets and grievances in this regard.
 +
The Litigation Chamber is also of the opinion that a complainant cannot be required to identify in a clear, precise and exhaustive manner the legal provisions in support of which he submits his complaint. This task of qualifying the facts – constituting breach(s) of the regulations in force for the protection of personal data where appropriate – is the responsibility of the Inspectorate and the Dispute Chamber. In this regard, the Inspector General’s letter of 19 February 2019 asks the respondent as to why it did not comply with Recommendation 07/2017, which clearly states that the reference to the reason for the consultation constitutes a necessary and binding guarantee for accessing the National Register legitimately.
 +
It is clear from the respondent’s reply of 25 April 2019 that the respondent correctly understood what she was accused of. The Inspectorate’s report communicated to the respondent on May 29, 2019 still refers to this recommendation. Finally, in paragraph 11 of its reply, the respondent, notwithstanding its preliminary defence, states: “Notwithstanding the above, two requests appear to emerge from the complaint filed on October 2, 2018:
 +
- The identity of the author of the consultation of the contested National Register;
 +
- The reasons for this consultation, to the extent that there remain doubts on the complainant’s mind as to the relationship between this consultation and her dismissal, which she describes as abusive.”
 +
The respondent then defends itself with respect to these grievances in its findings.
 +
In conclusion, in view of the above, it cannot be held that the rights of the defendant’s defence would not have been respected.
 +
*
 +
The need to respect the principle of liability (Articles 5 § 2 and 24 GDPR) and the obligation of security (Articles 32 GDPR and 17 of the Law Organising a National Register of Natural Persons), coupled with the principles of purpose (Article 5 § 1 (b) GDPR) and security (Article 5 § 1 (f) GDPR)
 +
In its capacity as controller, the respondent is required to implement the data protection principles and must be able to demonstrate that they are respected (principle of liability – Article 5.2 GDPR). It must also, in its capacity as controller, implement all the measures necessary for this purpose (Article 24 GDPR). The Dispute Chamber insists, as it has already had the opportunity to point out in previous decisions against public officials, that the public sector must, in general, be an example in the measures it adopts to ensure respect for the fundamental right to the protection of personal data.
 +
Article 32 of the GDPR (security obligation) specifies the following:
 +
1. Taking into account the state of knowledge, the implementation costs and the nature, scope, context and purposes of the treatment, as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the subcontractor shall implement appropriate technical and organisational measures to ensure a high level of safety adapted to the risk, including, inter alia, as required:
 +
(...)
 +
(b) ways of ensuring the continued confidentiality, integrity, availability and resilience of processing systems and services
 +
(...) (d) a procedure to regularly test, analyse and evaluate the effectiveness of technical and organisational measures to ensure the safety of treatment (...)”
 +
Article 32 translates Article 5.1(f) GDPR (Chapter II-Principles), which sets out the principle of integrity and confidentiality as follows:
 +
“Personal data shall be: (...) (f) processed in such a way as to ensure appropriate security of personal data, including unauthorised or unlawful processing and counter-loss, destruction or damage of accidental origin, with the aid of appropriate technical or organizational measures”.
 +
The security of personal data is recognised as a principle – which demonstrates its increased importance – despite the fact that it was not included in Article 6 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, abrogated by the entry into force of the GDPR.
 +
Among the appropriate security measures designed to ensure the confidentiality of the data, a data controller such as the defendant is necessarily required to put in place organizational and technical security measures that guarantee access control: in other words, only those persons who, in the exercise of their own function, need access to particular data, must be able to access the necessary access for that purpose.
 +
The Dispute Chamber recalls in this respect Article 5(1)(b) GDPR (Chapter II-Principles), which enshrines the principle of purpose, i.e. the requirement that the data be collected for specified, explicit and legitimate purposes and not be processed subsequently in a manner incompatible with these purposes. In this regard, the respondent is authorised to consult the National Register for purposes determined in accordance with the Act of 8 August 1983 organising a National Register of Natural Persons.
 +
The controller must therefore ensure that personal data are only accessible to persons and applications who explicitly authorise it. It is appropriate to assign to each person his own account and access to personal data should be authorised exclusively by applying the principles of the need to know about it. These persons should only have access to the functionality or data they need for the purpose of carrying out the tasks assigned to them, in accordance with the principle of purpose.
 +
In its Recommendation 03/2017 to which the Inspector General also refers, the Privacy Commission (PPC) at the time states that the principle of liability (Articles 5.2. and 24 GDPR) recalled above “therefore implies not only that the controller complies with the provisions of the GDPR, but also that he can demonstrate this (...). It is not enough to take the appropriate technical and organizational measures, in accordance with the terms of the Regulations; this must also be done in a transparent and traceable manner which, in the case of regular checks, provides evidence of the safeguards applied” (paragraph 16 of recommendation 07/2017).
 +
Recommendation 01/2017 further states that the GDPR, then in force but not yet in force, will strengthen the existing obligations of the PIA [read the Privacy Law, i.e. the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data], will, as soon as it comes into force on 25 May 2018, submit those responsible for processing, in this case the cities and municipalities – including the respondent – to the principle of liability and will also place transparency in this area. The said recommendation concludes that: “The joint reading of the current national legal provisions and the future GDPR leads to the conclusion in this recommendation that mentioning the reason for the consultation constitutes a necessary and mandatory guarantee for legitimate access to the National Register" (Recommendation 07/2017, item 6)5.
 +
It is therefore incumbent on the respondent to ensure that access to the National Register remains limited to the purposes for which such access has been authorised. It is also incumbent upon him to be able to demonstrate this.
 +
Compliance with the principle of purpose, a pillar of data protection, cannot be verified if the agents of a structure such as the defendant do not record the reason for the consultation they are operating. It is equally essential in this respect that, in accordance with Article 24 of the GDPR, the respondent has an adequate control mechanism to ensure that its authorised agents consult the National Register for these purposes alone. The respondent must have a computer application that legitimises each consultation carried out by its staff and thus demonstrates that the consultation took place as part of the exercise of the duties of the staff member who conducted the consultation.
 +
In addition to Article 32 of the GDPR, the respondent, in its capacity as authority with access to the National Register, is also required to comply with the specific provisions of the Act of 8 August 1983 organising a National Register of Natural Persons. According to section 17 of the Act – which came into force on 23 December 2018 – to which the Inspector General refers:
 +
“Each public authority, public or private body which has obtained/is authorised access to the information provided by the National Register of Natural Persons, including the police services, as well as those of the Court referred to in Articles 5 and 8 must be able to justify the consultations carried out, whether by an individual user or by an automatic computer system. To this end, in order to ensure that consultations are traceable, each user keeps a register of consultations.
 +
This register shall indicate the identification of the individual user or of the process or system which accessed the data, the data which was consulted, the way in which it was consulted, i.e., for reading or for modification, the date and time of the consultation, and the purpose for which the data in the National Register of Natural Persons was consulted.
 +
(...)”.6
 +
The Litigation Chamber has already indicated that since the facts at the origin of the complaint predate the date of 25 May 2018, it could not know about it. The inspection – carried out from 21 November 2018 to 17 May 2019 – nevertheless revealed that the respondent had, in general, not yet completed the implementation of the technical and organisational measures required to comply with Articles 5.2 and 24 GDPR (principle of responsibility) and Articles 32 of the GDPR and 17 of the Law of 8 August 1983 organising a National Register of Natural Persons (obligation to security), coupled with Articles 5(1) of the DPR and Article 1 of the GDPR.
 +
VII. On remedial measures and sanctions
 +
Under section 100 of the LCA, the Litigation Chamber has the power to:
 +
1° classify the complaint without further action;
 +
2° order the non-placement;
 +
3° order a suspension of the delivery;
 +
4° propose a transaction;
 +
5° formulate warnings or reprimands;
 +
6° order to comply with the requests of the person concerned to exercise these rights;
 +
7° order that the person concerned be informed of the safety problem;
 +
8° order the temporary or permanent freezing, limitation or prohibition of treatment;
 +
9° order that the treatment be brought into conformity;
 +
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
 +
11° order the withdrawal of the accreditation of certification bodies;
 +
12° give penalty payments;
 +
13° give administrative fines;
 +
14° order the suspension of cross-border data flows to another State or international body;
 +
15° forward the file to the Prosecutor’s Office of the King of Brussels, who informs him of the follow-up to the case;
 +
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
 +
It is important to contextualise the failure to comply with Articles 5.2 and 24 GDPR and Articles 32 GDPR and 17 of the Law of 8 August 1983 organising a National Register of Natural Persons, combined with Articles 5 § 1 (b) and (f) GDPR, in order to identify the most appropriate corrective measures.
 +
The Dispute Chamber notes that both the principle of security (Article 5 § 1 (f) GDPR) (and the obligations arising from it – Article 32 GDPR) and the principle of purpose (Article 5 § 1 (b) GDPR) which the principle of security guarantees, are essential principles of the protection regime established by the GDPR. The principle of liability set out in Article 5.2 of the GDPR and developed in Article 24 is at the heart of the GDPR and reflects the paradigm shift brought about by the GDPR, i.e. a shift from a regime based on prior declarations and authorisations from the supervisory authority towards greater accountability of the controller. The latter’s compliance with its obligations and its ability to demonstrate it are therefore all the more important. Breaches of these principles constitute serious breaches.
 +
With regard to the number of persons potentially affected, the National Register includes a database of identification data of all natural persons who are registered in the national register: the population, waiting register and register of foreigners kept by municipalities or consular registers, i.e. for the defendant alone, more than XXX registered out of a total of 11 million persons registered in the National Register.
 +
Moreover, the extent of the operations carried out in the National Register by cities and municipalities such as the defendant cannot moderate the obligation to provide for a mechanism guaranteeing compliance with the purposes for which the data in the national register can be accessed via the indication of the reason for such consultation or the requirement for effective control. On the contrary, both Article 32 and Article 24 GDPR require that the nature of the technical and organisational measures taken by an entity such as the defendant be proportionate to the seriousness of the risks to the rights and freedoms of the persons concerned. By its nature, this database, which includes a certain amount of information – albeit limited – of more than 11 million people requires particularly rigorous supervision, not only in view of its size, but also because of its very vocation to record, memorise and communicate information relating to the identification of natural persons.
 +
The Chamber notes that as early as 2015, the Sectoral Committee of the National Register had clarified the exact extent of this obligation to keep logging files in connection with access to the National Register by local governments. In this recommendation, the Committee states that "this tracing must include the identification of the individual user or of the process or system that accessed the data, the data that was accessed, the manner in which it was accessed (reading, changing,...), when it was accessed, and the reason for such access."7 The Committee further recommended that a mandatory field be provided for the registration of the reason for access.
 +
The Privacy Commission (PPC) had also stated on several occasions, even before recommendation 01/2017, that the registration of the reason for consultation with the national registry is of crucial importance.8
 +
These were, of course, recommendations. However, they reflect the long-standing major concern and recommendations to put such a mechanism in place well before the implementation of the GDPR. In other words, the question was not new and the respondent, by virtue of its quality, could not ignore them.
 +
7 Recommendation 01/2015 of the Sectoral Committee of the National Register of Municipalities and Local Authorities on Information Security, to govern their access to the national registry and subsequent processing of data in the National Register, 18 February 2015, points 44-49.
 +
8 See point 23 of Recommendation 01/2017 already cited and the references mentioned.
 +
The Litigation Chamber also notes that, both in the course of inspection and in its findings, the respondent sets out the various decisions taken to comply with its security obligations designed to meet the requirements of the GDPR and the Act of 3 August 1983 organising a National Register of Natural Persons. These decisions are attested by various documents in the file, such as the internal documentation relating to access to the national registry, the designation and work of the Data Protection Officer (ODP) (Opinion of 5 April 2019) and a recommendation of 25 April 2019 (accepted on 6 May 2019) to make mandatory the referral of the reason for consultation with an implementation planned in the last quarter of 2019. The Litigation Chamber notes that most of these documents and decisions were adopted in the course of inspection.
 +
In addition, it is apparent from the documents submitted by the respondent in the context of the continuation decided by the Chamber of Disputes at the end of the hearing on 18 November 2019 that the work of implementing the DPO’s recommendation to make mandatory, in any application to the National Register, the user’s entry of the finality for which the data in the national register are consulted (in addition to the other data to be recorded, in accordance with Article 17 of the National Register Act of 8 August 1983) is actually carried out in the course of the proceedings.
It is also apparent from the documents in the file that recommendations were made by the respondent’s DPO regarding the control of access to the National Register (excerpt from the minutes of the meeting “Access to the National Register” of 16 September 2019).
The Litigation Chamber further notes that in October 2019, the follow-up to the recommendations of the DPO resulted in the identification of the reasons for consultation for each of the groups with access to the national register and their inclusion in “SAPHIR”.
The Litigation Chamber also notes that, by e-mail dated 22 November 2019 headed "Important GDPR SAPHIR – Consultation RN: new procedure", the respondent informed its agents that a procedure was being put in place which would henceforth include the choice of a reason for consultation prior to any consultation of the National Register. In the SAPHIR application, a drop-down list containing a series of reasons for consultation, relating to the respective subject areas of the staff concerned, appears when a consultation of the National Register is requested. Under this procedure, staff must select the purpose corresponding to the type of file processed.
The Litigation Chamber further notes that, by e-mail of 22 November 2019, the respondent communicated to its IT correspondents a message according to which a periodic (quarterly) and systematic check of the allocated accesses is put in place: a listing containing the surname, first name and associated access group of each agent recorded in the “Users Saphir – RN” database is drawn up. The check requires confirmation of the names of the agents whose access is to be maintained. In the absence of a response, the access is systematically deleted.
In addition to these specific measures relating to the indication of the reason for consultation of the National Register, the respondent forwarded to the Litigation Chamber the training materials used in support of internal sessions to raise awareness of the GDPR. It has also communicated to the Litigation Chamber exchanges of e-mails between its DPO and the heads of its various departments regarding the finalisation of the register of personal data processing activities (Article 30.1 GDPR) and the registers themselves for the processing activities of the different departments. The respondent states that the preparation of these registers is also planned for the remaining departments.
The Litigation Chamber takes note of this information and of the documents transmitted to it. It considers that they bear witness to a number of steps taken by the respondent to comply with its obligations in its capacity as controller. While the Litigation Chamber welcomes such steps, it regrets, however, that the respondent, aware of its security obligations, did not require its officers to keep a register of accesses and their reasons manually while awaiting IT solutions.
In general, the Litigation Chamber underlines the respondent’s good cooperation – certainly required by Article 31 GDPR – both with the Inspector General and with the Litigation Chamber.
In conclusion, in the light of the elements developed above, specific to this case, the Litigation Chamber considers that the facts found and the failure – which the respondent states it has since remedied – to comply with Articles 5.2 and 24 GDPR, Article 32 GDPR and Article 17 of the Act of 8 August 1983 organising a National Register of Natural Persons, combined with Article 5 § 1 (b) and (f) GDPR, justify an effective sanction on the basis of Article 100 of the Act.
Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority by removing the direct identification data of the parties and persons mentioned, whether they be natural or legal.
FOR THESE REASONS,

THE LITIGATION CHAMBER

Decides, after deliberation, to issue a reprimand to the respondent on the basis of Article 100(5) of the Act.
*
According to Article 108, § 1 LCA, this decision may be appealed to the Market Court within 30 days of its notification, with the Data Protection Authority as defendant.
  
 
</pre>
 
</pre>

Latest revision as of 18:41, 11 November 2020

APD/GBA - 19/2020
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 32 GDPR
Article 17 of the law organizing the national registry for natural persons
Type: Complaint
Outcome: Upheld
Decided: 29.04.2020
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: 19/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Official site of the Belgian data protection authority (in FR)
Initial Contributor: Maïlys Lemaître

Belgium's DPA reasserts the principle of accountability in accordance with Article 24 GDPR and the necessity of documenting all processes and procedures resulting from it.

English Summary

Facts

The plaintiff filed a complaint with the Belgian DPA after noticing that their picture in the national registry had been consulted by a city official without indication of a motive, as required by Article 17 of the Belgian law organizing the national registry, and following the inability of the city to justify the consultation or to provide a satisfactory response as to the outcome of its internal enquiry on the matter. The city argued in its defence that there were clear internal procedures for the consultation of the national registry and that it could therefore have reasonably assumed that the data would be processed lawfully.

Dispute

Is it sufficient to assume that the data will be processed lawfully because employees know the law and the internal procedures?

Holding

The Belgian DPA recalls that accountability as understood by Article 24 GDPR consists not only in ensuring that the law and the internal procedures relating to data processing are known to employees, but also in ensuring that those procedures are clearly implemented and documented, so that the lawful processing of the data can be proven. In this instance, the procedure for consultation of the national registry was inadequate because the motive of consultation did not have to be provided in writing, although the motive in itself constitutes the decisive element for determining whether or not the data processing was lawful.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

File No.: DOS-2018-05421
Subject: Complaint against a City about the regularity of the consultation of a citizen’s photo in the National Register by a communal employee
The Litigation Chamber of the Data Protection Authority, consisting of Mr Hielke Hijmans, President, and Mr Y. Poullet and Mr C. Boeraeve, members. The case is taken up in this composition.
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); 
Having regard to the Act of 8 August 1983 establishing a National Register of Natural Persons.
Having regard to the Rules of Procedure of the Data Protection Authority as approved by the House of Representatives on 20 December 2018 and published in the Belgian Moniteur on 15 January 2019;
Having regard to the documents in the file;
Took the following decision concerning:
-	The Complainant
-	The controller (hereinafter the respondent)
I.	Procedural history
Having regard to the complaint lodged by the complainant with the Data Protection Authority on 2 October 2018;
Having regard to the decision of 26 October 2018 of the Data Protection Authority’s Frontline Service declaring the complaint admissible and its transmission to the Dispute Chamber on that same date;
Having regard to the decision taken by the Dispute Chamber at its sitting on 14 November 2018 to request an investigation from the Inspection Service pursuant to Articles 63.2 and 94, 1° LCA; Having regard to the referral to the Inspector General on that same date;
Having regard to the report and minutes of investigation of the Inspector General transmitted to the Dispute Chamber on 17 May 2019;
Having regard to the decision taken by the Dispute Chamber at its sitting on 28 May 2019 to consider that the case was ready for substantive processing under Articles 95(1), 1 and 98 LCA;
Having regard to the submission of the Inspector General’s report and minutes of investigation to the parties on 29 May 2019 and the invitation of the Dispute Chamber to the parties to present their arguments according to a set timetable; Having regard to the decision of the Trial Chamber of 19 July 2019 to replace the deadline for the final filing of the submissions for the respondent of 19 July 2019 with the date of 19 August 2019;
Having regard to the submissions filed on 19 August 2019 by counsel for the respondent and the email accompanying them, according to which the respondent’s counsel state that their client wishes to be heard pursuant to Rule 51 of the Rules of Procedure of the Data Protection Authority;
Having regard to the hearing at the sitting of November 18, 2019, at which the respondent represented by her counsel appeared. At the end of the hearing, the Litigation Chamber decided to proceed with the case and asked the respondent to provide it with any additional evidence attesting to the latest measures put in place since the communication of its findings in August 2019;
Having regard to the minutes of the hearing of 18 November 2019;
Having regard to the supplementary documents filed by the respondent on 22 and 26 November 2019;
Having regard to the complainant’s reply of 11 December 2019;
Having regard to the last submissions filed in reply by the respondent on January 14, 2020.
II.	The facts and subject matter of the complaint
According to her complaint, the complainant states that she has doubts as to the regularity of the consultation of her photo in the National Register on May 11, 2018 by an employee of the respondent. On June 27, 2019, she sent an email to the Belpic Helpdesk (FPS Interior – Directorate-General Institutions and Population) in the following terms:
“Madam, Sir,
By consulting my file via IBZ, I note that a consultation under “Transaction Code 08 – Photo Consultation” was made on 11/05/2018 at 14:39.
Knowing that I was on a honeymoon at that time, I find it quite strange that someone would look at my photo.
(...) I therefore know from experience that we do not consult a transaction code 08 without just cause. It is certainly a colleague, so I would like to know more if possible.
(...)”.
On June 28, 2019, the Belpic Helpdesk replied by e-mail as follows:
“The staff of the bodies authorised to access the data of the National Register shall be bound by professional secrecy. Improper consultation of cases (e.g. for private purposes) entails their personal responsibility at the disciplinary, civil and criminal level.
In the event of suspicion of improper or non-regulatory consultation of your data by an organisation, you can contact the organisation directly. Organisations are required to ensure the traceability and archiving of consultations within them and will normally be able to provide you with information regarding the nature of these consultations.
If the response provided is unsatisfactory or if you have serious reasons to believe that a consultation is abusive, you have the opportunity to lodge a complaint with the Privacy Commission (https://www.privacycommission.be/fr) or a court.
The services of the National Register do not generally have information on the consultations carried out by these bodies and are not empowered to manage complaints”.
Also by e-mail dated June 28, 2019, the complainant wrote to a former co-worker to ask to whom she should apply at the respondent. Having received no answer, the complainant reiterated her request by e-mail dated August 14, 2019. By e-mail dated August 29, 2019, the respondent replied that an investigation had been requested and that the complainant would be informed of its result at a later date.
The complainant inquired about the follow-up to her request by email dated September 27, 2019. By email dated September 27, 2019, she was answered as follows:
“Good morning,
An investigation was initiated but did not provide absolute certainty, either as to the person who consulted your file (only the photo) or as to the possible motivation for the consultation.
No confession has been made. However, the facts have been recorded.”
(Free translation from the Dutch original.)
On October 2, 2019, the complainant filed a complaint with the Data Protection Authority.
III.	The Inspector General’s Report and Minutes of Investigation
According to the Inspector General’s report and minutes of investigation dated 17 May 2019, the Inspector General states:
Finding 1: The respondent was not able to justify the contested consultation in accordance with Article 17 of the Act of 8 August 1983 establishing a National Register of Natural Persons. In this regard, its register of consultations does not indicate the purpose for which the data in the National Register were consulted.
The report also mentions the respondent’s reference to Recommendation 07/2017 of 30 August 2017 of the Commission de la protection de la vie privée to cities and municipalities concerning the registration of the ground for consultation of the National Register.1 In fact, by letter dated 19 February 2019 addressed to the respondent’s Data Protection Officer (DPO), the Inspector General asks in particular to be provided with "an explanation of the reasons why no concrete reply was given" to the complainant’s question.
The respondent states by letter in reply of 29 April 2019 that the check carried out on the basis of the complainant’s request was carried out on 20 and 21 August 2019 by consultation of the SAPHIR logging used for access to the National Register. A request for explanation was then made with the officer under whose name the consultation was registered, Mr. X, the respondent’s employee.
The respondent goes on to state that the reason why the identity of the officer who viewed the complainant’s photo was not disclosed is the lack of absolute certainty that this officer is indeed the author of the consultation. This lack of absolute certainty is "due to the fact that at the time of his hearing he did not remember having carried out the consultation and specified that he never consults the photographs of citizens in the National Register but only in the Belpic application, to make a comparison when ordering identity cards. The reason for the contested consultation could not be established” (excerpt from the respondent’s letter of 29 April 2019 to the Inspector General of the DPA).
Finally, as part of the inspection, the respondent puts forward several elements showing its willingness to strengthen, since 2018, the awareness and accountability of the officers to whom access to the National Register is granted as part of their duties. In this regard, it states that the systematic recording of the purpose for which data in the National Register are consulted has not yet been made mandatory. The mechanism aimed at combating unfounded access is essentially preventive in nature, without any detective exploitation of the access logging, except at the request of a citizen.
The inspection report notes in this regard that the respondent commits itself in the following terms:
1	This recommendation is published on the website of the Data Protection Authority and has been published on the website of the Privacy Commission since its adoption in August 2017: https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/recommandation_07_2017.pdf
“A recommendation will be made to make the reason for consultation mandatory. (...) As soon as possible, a recommendation to supplement the mechanism with a layer of a detective nature will also be formulated, based on the principle that the reason recorded in the access logging must be able to be corroborated by a concrete element, such as a file, an application, etc., and that a sample check can be carried out" (excerpt from the inspection report – respondent’s response of April 5, 2019 – DPO opinion).
IV.	Hearing of 18 November 2019
At the hearing held on 18 November 2019, the respondent, through its counsel, set out the arguments it had developed in its conclusions of 19 August 2019. In particular, counsel for the respondent admits that there was indeed a problem during the consultation of the complainant’s photograph. The respondent also highlights the seriousness with which the complainant’s complaint has been dealt with and the measures that have been decided and have been put in place or will soon be put in place to comply with section 17 of the National Registry Act.
IN LAW
V.	As regards the competence of the Data Protection Authority, in particular the Litigation Chamber
Pursuant to Article 4 § 1 LCA, the Data Protection Authority (DPA) is responsible for monitoring the principles of data protection contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data, including the Act of 8 August 1983 organising a National Register of Natural Persons.
Pursuant to Article 33 § 1 LCA, the Litigation Chamber is the administrative litigation body of the DPA. It is seized of the complaints transmitted to it by the First Line Service (SPL) pursuant to Article 62 § 1 LCA, which are the admissible complaints. In accordance with Article 60 (2) LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate, and fall within the competence of the DPA.
As for the consultation of the photograph denounced by the complainant, this consultation is dated May 11, 2018. It therefore took place on a date prior to the entry into force of the GDPR. The Litigation Chamber therefore has no jurisdiction over it. Indeed, the Litigation Chamber finds the legal basis for its jurisdiction in the Act of 3 December 2017 establishing the Data Protection Authority (LCA), whose entry into force was fixed, with exceptions, on 25 May 2018 (Article 110 LCA). While the Litigation Chamber is competent with regard to data processing which started before 25 May 2018 but continues today, it is not so for one-time processing which took place before 25 May 2018, since no retroactivity has been provided for the exercise of its competence in time.
In the present case, as set out in point III above, the inspection carried out following the filing of this complaint revealed failures subsequent to the date of 25 May 2018, of which the Dispute Chamber is therefore empowered to know (see point VI below).
VI.	On the reasons for the decision
As a preliminary point: on the infringement of the rights of defence invoked by the respondent
In its submissions of 19 August 2019, the respondent deplores, at the outset, that the complainant did not file an opinion (paragraph 10 of the respondent’s submissions). It adds that, given the wording of the complaint, it is impossible to fully grasp what it is accused of and, more precisely, which legal provisions have been violated.
Accordingly, the respondent is of the opinion that its rights of defence have not been respected in the present case. At the hearing on November 18, 2019, the respondent reiterated its regrets and grievances in this regard.
The Litigation Chamber is also of the opinion that a complainant cannot be required to identify in a clear, precise and exhaustive manner the legal provisions in support of which he submits his complaint. This task of qualifying the facts – constituting breach(s) of the regulations in force for the protection of personal data where appropriate – is the responsibility of the Inspectorate and the Dispute Chamber. In this regard, the Inspector General’s letter of 19 February 2019 asks the respondent as to why it did not comply with Recommendation 07/2017, which clearly states that the reference to the reason for the consultation constitutes a necessary and binding guarantee for accessing the National Register legitimately.
It is clear from the respondent’s reply of 25 April 2019 that the respondent correctly understood what it was accused of. The Inspectorate’s report communicated to the respondent on May 29, 2019 again refers to this recommendation. Finally, in paragraph 11 of its reply, the respondent, notwithstanding its preliminary defence, states: “Notwithstanding the above, two requests appear to emerge from the complaint filed on October 2, 2018:
-	The identity of the author of the consultation of the contested National Register;
-	The reasons for this consultation, to the extent that there remain doubts on the complainant’s mind as to the relationship between this consultation and her dismissal, which she describes as abusive.”
The respondent then defends itself with respect to these grievances in its findings.
In conclusion, in view of the above, it cannot be held that the respondent’s rights of defence were not respected.
*
The need to respect the principle of accountability (Articles 5 § 2 and 24 GDPR) and the obligation of security (Article 32 GDPR and Article 17 of the Act organising a National Register of Natural Persons), coupled with the principles of purpose limitation (Article 5 § 1 (b) GDPR) and security (Article 5 § 1 (f) GDPR)
In its capacity as controller, the respondent is required to implement the data protection principles and must be able to demonstrate that they are respected (principle of accountability – Article 5.2 GDPR). It must also, in its capacity as controller, implement all the measures necessary for this purpose (Article 24 GDPR). The Litigation Chamber insists, as it has already had the opportunity to point out in previous decisions against public bodies, that the public sector must, in general, set an example in the measures it adopts to ensure respect for the fundamental right to the protection of personal data.
Article 32 GDPR (security obligation) provides as follows:
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(...)
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(...) (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (...)”
Article 32 gives effect to Article 5.1(f) GDPR (Chapter II – Principles), which sets out the principle of integrity and confidentiality as follows:
“Personal data shall be: (...) (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The security of personal data is recognised as a principle – which demonstrates its increased importance – even though it was not included among the principles of Article 6 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (repealed on the entry into application of the GDPR).
Among the appropriate security measures designed to ensure the confidentiality of the data, a controller such as the respondent is necessarily required to put in place organisational and technical security measures that guarantee access control: in other words, only those persons who, in the exercise of their own function, need access to particular data may be given that access, and only to the extent required for that purpose.
The Litigation Chamber recalls in this respect Article 5(1)(b) GDPR (Chapter II – Principles), which enshrines the principle of purpose limitation, i.e. the requirement that the data be collected for specified, explicit and legitimate purposes and not be further processed in a manner incompatible with those purposes. In this regard, the respondent is authorised to consult the National Register for purposes determined in accordance with the Act of 8 August 1983 organising a National Register of Natural Persons.
The controller must therefore ensure that personal data are only accessible to persons and applications that have been explicitly authorised. Each person should be assigned his own account, and access to personal data should be authorised exclusively by applying the need-to-know principle. These persons should only have access to the functionality or data they need for the purpose of carrying out the tasks assigned to them, in accordance with the principle of purpose limitation.
In its Recommendation 03/2017, to which the Inspector General also refers, the then Privacy Commission (CPVP) states that the principle of accountability (Articles 5.2 and 24 GDPR) recalled above "therefore implies not only that the controller complies with the provisions of the GDPR, but also that he can demonstrate this (...). It is not enough to take the appropriate technical and organisational measures in accordance with the terms of the Regulation; this must also be done in a transparent and traceable manner which, in the event of regular checks, provides evidence of the safeguards applied" (paragraph 16 of Recommendation 07/2017).
Recommendation 01/2017 further states that the GDPR, then adopted but not yet applicable, will strengthen the existing obligations of the LVP [read: the Privacy Act, i.e. the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data] and will, as soon as it becomes applicable on 25 May 2018, subject controllers, in this case the cities and municipalities – including the respondent – to the principle of accountability, and will also impose transparency in this area. The said recommendation concludes that: “The joint reading of the current national legal provisions and the future GDPR leads to the conclusion in this recommendation that mentioning the reason for the consultation constitutes a necessary and mandatory guarantee for legitimate access to the National Register" (Recommendation 07/2017, item 6).5
It is therefore incumbent on the respondent to ensure that access to the National Register remains limited to the purposes for which such access has been authorised. It is also incumbent upon it to be able to demonstrate this.
Compliance with the principle of purpose limitation, a pillar of data protection, cannot be verified if the agents of a body such as the respondent do not record the reason for the consultations they carry out. It is equally essential in this respect that, in accordance with Article 24 GDPR, the respondent has an adequate control mechanism to ensure that its authorised agents consult the National Register for those purposes alone. The respondent must have a computer application that legitimises each consultation carried out by its staff and thus demonstrates that the consultation took place in the exercise of the duties of the staff member who conducted it.
In addition to Article 32 GDPR, the respondent, in its capacity as an authority with access to the National Register, is also required to comply with the specific provisions of the Act of 8 August 1983 organising a National Register of Natural Persons. According to Article 17 of the Act – which came into force on 23 December 2018 – to which the Inspector General refers:
“Each public authority and each public or private body that has obtained access, or been authorised to access, the information of the National Register of Natural Persons, including the police services and those of the Court referred to in Articles 5 and 8, must be able to justify the consultations carried out, whether by an individual user or by an automatic computer system. To this end, in order to ensure that consultations are traceable, each user keeps a register of consultations.
This register shall indicate the identification of the individual user or of the process or system which accessed the data, the data which were consulted, the way in which they were consulted, i.e. for reading or for modification, the date and time of the consultation, and the purpose for which the data in the National Register of Natural Persons were consulted.
(...)”.6
The Litigation Chamber has already indicated that, since the facts at the origin of the complaint predate 25 May 2018, it has no jurisdiction over them. The inspection – carried out from 21 November 2018 to 17 May 2019 – nevertheless revealed that the respondent had, in general, not yet completed the implementation of the technical and organisational measures required to comply with Articles 5.2 and 24 GDPR (principle of accountability) and Article 32 GDPR and Article 17 of the Act of 8 August 1983 organising a National Register of Natural Persons (security obligation), coupled with Article 5(1)(b) and (f) GDPR.
VII. On corrective measures and sanctions
Under Article 100 LCA, the Litigation Chamber has the power to:
1° file the complaint without further action;
2° order the dismissal of the case (non-lieu);
3° order the suspension of the pronouncement of the sanction;
4° propose a settlement;
5° issue warnings or reprimands;
6° order compliance with the data subject's requests to exercise his or her rights;
7° order that the data subject be informed of the security problem;
8° order the temporary or permanent freezing, limitation or prohibition of the processing;
9° order that the processing be brought into conformity;
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° impose periodic penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or international body;
15° forward the file to the Brussels Public Prosecutor (procureur du Roi), who informs it of the follow-up given to the case;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
It is important to contextualise the failure to comply with Articles 5.2 and 24 GDPR, Article 32 GDPR and Article 17 of the Act of 8 August 1983 organising a National Register of Natural Persons, combined with Article 5 § 1(b) and (f) GDPR, in order to identify the most appropriate corrective measures.
The Litigation Chamber notes that both the security principle (Article 5 § 1(f) GDPR, and the obligations arising from it under Article 32 GDPR) and the purpose principle (Article 5 § 1(b) GDPR), which the security principle safeguards, are essential principles of the protection regime established by the GDPR. The accountability principle set out in Article 5.2 GDPR and developed in Article 24 is at the heart of the GDPR and reflects the paradigm shift it brought about, i.e. a move from a regime based on prior declarations to, and authorisations from, the supervisory authority towards greater responsibility and accountability of the controller. The controller's compliance with its obligations and its ability to demonstrate that compliance are therefore all the more important. Breaches of these principles constitute serious breaches.
With regard to the number of persons potentially affected, the National Register is a database of identification data of all natural persons who are registered in the population registers, the waiting register and the register of foreigners kept by the municipalities, or in the consular registers, i.e. for the respondent alone more than XXX persons registered, out of a total of 11 million persons registered in the National Register.
Moreover, the extent of the operations carried out in the National Register by cities and municipalities such as the respondent cannot mitigate the obligation to provide for a mechanism guaranteeing compliance with the purposes for which the data in the National Register may be accessed, via the indication of the reason for each consultation and the requirement of effective control. On the contrary, both Article 32 and Article 24 GDPR require that the technical and organisational measures taken by an entity such as the respondent be proportionate to the seriousness of the risks to the rights and freedoms of the data subjects. By its nature, this database, which holds a certain amount of information, albeit limited, on more than 11 million people, requires particularly rigorous supervision, not only in view of its size but also because of its very vocation to record, store and communicate information relating to the identification of natural persons.
The Chamber notes that as early as 2015, the Sectoral Committee of the National Register had clarified the exact extent of this obligation to keep logging files in connection with access to the National Register by local governments. In this recommendation, the Committee states that "this tracing must include the identification of the individual user or of the process or system that accessed the data, the data that was accessed, the manner in which it was accessed (reading, changing,...), when it was accessed, and the reason for such access."7 The Committee further recommended that a mandatory field be provided for the registration of the reason for access.
The Privacy Commission (CPVP) had also stated on several occasions, even before Recommendation 01/2017, that the recording of the reason for consulting the National Register is of crucial importance.8
These were, of course, recommendations. However, they reflect a long-standing and major concern, and recommendations to put such a mechanism in place well before the entry into application of the GDPR. In other words, the question was not new, and the respondent, by virtue of its status, could not have been unaware of them.
7	Recommendation 01/2015 of the Sectoral Committee of the National Register of Municipalities and Local Authorities on Information Security, to govern their access to the national registry and subsequent processing of data in the National Register, 18 February 2015, points 44-49.
8	See point 23 of Recommendation 01/2017 already cited and the references mentioned.
The Litigation Chamber also notes that, both in the course of the inspection and in its submissions, the respondent sets out the various decisions taken to comply with the security obligations designed to meet the requirements of the GDPR and of the Act of 8 August 1983 organising a National Register of Natural Persons. These decisions are attested by various documents in the file, such as the internal documentation relating to access to the National Register, the designation and work of the Data Protection Officer (DPO) (opinion of 5 April 2019) and a recommendation of 25 April 2019 (accepted on 6 May 2019) to make the entry of the reason for consultation mandatory, with implementation planned for the last quarter of 2019. The Litigation Chamber notes that most of these documents and decisions were adopted in the course of the inspection.
In addition, it is apparent from the documents submitted by the respondent in the context of the continuation decided by the Litigation Chamber at the end of the hearing of 18 November 2019 that the work of implementing the DPO's recommendation to make mandatory, in any application accessing the National Register, the user's entry of the purpose for which the data in the National Register are consulted (in addition to the other data to be recorded in accordance with Article 17 of the National Register Act of 8 August 1983) is actually being carried out in the course of the proceedings.
It is also apparent from the documents in the file that recommendations were made by the respondent's DPO regarding the control of access to the National Register (excerpt from the minutes of the meeting “Access to the National Register” of 16 September 2019).
The Litigation Chamber further notes that in October 2019, the follow-up to the recommendations of the DPO resulted in the identification of the reasons for consultation for each of the groups with access to the national register and their inclusion in “SAPHIR”.
The Litigation Chamber also notes that by e-mail of 22 November 2019 with the subject "Important GDPR SAPHIR – Consultation RN: new procedure", the respondent informed its agents that a procedure is being put in place which will from now on include the choice of a reason for consultation prior to any consultation of the National Register. In the SAPHIR application, a drop-down list containing a series of consultation reasons relating to the respective subject matters of the staff concerned will appear when a consultation of the National Register is requested. Under this procedure, staff will have to select the purpose corresponding to the type of file being processed.
The Litigation Chamber further notes that by e-mail of 22 November 2019, the respondent communicated to its IT correspondents a message according to which a periodic (quarterly) and systematic inspection of the allocated accesses is put in place: a listing containing the surname, first name and associated access group for each agent listed in the “Users Saphir – RN” database is established. The check will require confirmation of the names of the agents for whom access is to be maintained. In the absence of a response, the access will be systematically deleted.
In addition to these specific measures relating to the indication of the reason for consulting the National Register, the respondent forwarded to the Litigation Chamber the training materials used in support of internal GDPR awareness sessions. It has also communicated to the Litigation Chamber exchanges of e-mails between its DPO and the heads of its various departments regarding the finalisation of the Register of Personal Data Processing Activities (Article 30.1 GDPR) and the registers themselves for the processing activities of the different departments. The respondent states that the preparation of these registers is also planned for the remaining departments.
The Litigation Chamber takes note of this information and of the documents transmitted to it. It considers that they bear witness to a number of steps taken by the respondent to comply with its obligations in its capacity as controller. While the Chamber welcomes such steps, it nevertheless regrets that the respondent, aware of its security obligations, did not require its officers to keep a register of accesses and their reasons manually while awaiting IT solutions.
In general, the Litigation Chamber underlines the respondent’s good cooperation – certainly required by Article 31 GDPR – both with the Inspector General and with the Litigation Chamber.
In conclusion, in the light of the elements developed above specific to this case, the Litigation Chamber considers that the facts found and the failure to comply, which the respondent claims to have since remedied, with Articles 5.2 and 24 GDPR, Article 32 GDPR and Article 17 of the Act of 8 August 1983 organising a National Register of Natural Persons, combined with Article 5 § 1(b) and (f) GDPR, justify an effective sanction on the basis of Article 100 LCA.
Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority by removing the direct identification data of the parties and persons mentioned, whether they be natural or legal.
FOR THESE REASONS,
THE LITIGATION CHAMBER
decides, after deliberation, to issue a reprimand to the respondent on the basis of Article 100, 5° LCA.
*
Pursuant to Article 108, § 1 LCA, this decision may be appealed to the Market Court (Marktenhof) within 30 days of its notification, with the Data Protection Authority as defendant.
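The decision above turns on two concrete controls: a consultation log that records the Article 17 fields (user, data consulted, read or modify, date and time, purpose) with the purpose chosen from a per-group drop-down list before the lookup is allowed, and a quarterly access review in which every access not explicitly confirmed is deleted. The following Python is an added example written for this page to show those two controls working together; it is not part of the decision and not the respondent's SAPHIR application. Access group names, consultation reasons and agent identifiers are constructed for illustration.

```python
"""Minimal model of a National Register consultation log and access review.

Added example for this page, not code from the decision or from SAPHIR.
ALLOWED_REASONS, the group names and the agent identifiers are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed per-group list of permitted consultation reasons: the "drop-down
# list relating to the respective subject matters of the staff concerned".
ALLOWED_REASONS = {
    "civil_status": {"birth_record", "marriage_file", "death_record"},
    "population": {"address_change", "identity_card_issuance"},
}


class ConsultationRefused(Exception):
    """Raised when a lookup would be logged without the mandatory fields."""


@dataclass
class ConsultationLog:
    """Article 17 register: one entry per consultation, or no consultation."""
    entries: list = field(default_factory=list)

    def record(self, user, group, data_consulted, mode, purpose, when=None):
        """Validate every mandatory field before the lookup proceeds.

        The purpose must be one of the reasons allowed for the user's access
        group; a blank or foreign purpose refuses the consultation outright,
        which is what makes the purpose field effectively mandatory.
        """
        if mode not in ("read", "modify"):
            raise ConsultationRefused(f"invalid access mode {mode!r}")
        if not user or not data_consulted:
            raise ConsultationRefused("user and consulted data must be identified")
        if purpose not in ALLOWED_REASONS.get(group, set()):
            raise ConsultationRefused(
                f"purpose {purpose!r} not allowed for group {group!r}")
        entry = {
            "user": user,
            "group": group,
            "data": tuple(data_consulted),
            "mode": mode,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "purpose": purpose,
        }
        self.entries.append(entry)
        return entry

    def by_user(self, user):
        """Entries for one agent, i.e. what a controller inspects after a complaint."""
        return [e for e in self.entries if e["user"] == user]


def attempt_consultation(log, **fields):
    """Return (True, entry) when logged, (False, reason) when refused."""
    try:
        return True, log.record(**fields)
    except ConsultationRefused as exc:
        return False, str(exc)


def quarterly_access_review(user_db, confirmations):
    """Apply the quarterly review: keep only accesses whose agent was confirmed.

    user_db maps agent -> access group (the "Users Saphir – RN" listing);
    confirmations is the set of agents the IT correspondents confirmed.
    Every unconfirmed access is deleted, as the decision describes.
    """
    kept = {u: g for u, g in user_db.items() if u in confirmations}
    removed = sorted(set(user_db) - set(kept))
    return kept, removed


if __name__ == "__main__":
    log = ConsultationLog()
    print(attempt_consultation(log, user="agent01", group="population",
                               data_consulted=["photo"], mode="read",
                               purpose="address_change"))
    print(attempt_consultation(log, user="agent01", group="population",
                               data_consulted=["photo"], mode="read", purpose=""))
    print(quarterly_access_review({"agent01": "population", "agent02": "civil_status"},
                                  {"agent01"}))
```

The refusal path is the point: a lookup without an allowed purpose never reaches the register, so the log cannot contain an unexplained consultation of the kind the complainant alleged, and the review function shows that silence from an IT correspondent results in removal rather than retention of access.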