APD/GBA - DOS-2019-01156

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 30 GDPR
Article 37 GDPR
Article 38 GDPR
Type: Complaint
Outcome: Upheld
Decided: 14.05.2020
Published: 14.05.2020
Fine: 50000 EUR
Parties: n/a
National Case Number/Name: DOS-2019-01156
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Belgian DPA (in NL)
Initial Contributor: n/a

The litigation chamber concluded that the "invite a friend" function of a social media platform violates the GDPR since consent from the users was not collected.

English Summary

Facts

A social media platform encourages both existing users and new joiners to invite their friends to join the platform via an "invite a friend" option. The Litigation Chamber examined the legal grounds for the "invite a friend" system. The user gave the provider access to his or her list of contacts, so that a message could be sent to those contacts to join the social media platform or, if they were already members of the social media platform, to become part of that user's network of friends on the platform.

Holding

The Litigation Chamber stated the "invite a friend" functionality made the provider a controller within the meaning of the GDPR, and such processing of personal data did not fall within the scope of the "household exemption". Therefore, the GDPR applied in full.

Only the data subject whose personal data are processed can validly consent to the processing of this data. The collection of contact details can take place only on a compare and forget basis: all data of non-users of the platform should be deleted. That was not the case here.

No consent is required for an e-mail invitation to the user's non-member contacts under the following conditions (already stated by the Article 29 WP):
- no pressure should be applied to the transmitter or receiver;
- the provider is not allowed to choose the addressees of the message;
- the identity of the user sending the message must be clearly indicated;
- the user sending the message must be aware of the full content of the message to be sent on his behalf.

The social media provider claimed that other social media providers were following the same practices. However, the litigation chamber considered that this was not a proper argument.

In conclusion, the litigation chamber imposed a fine of EUR 50,000 for processing personal data of non-members of the website without an appropriate legal basis, as well as personal data of members.



Comment

The Belgian DPA published the decision also in English, which you may find here: https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/Beslissing_GK_25-2020_EN.pdf.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Decision on the substance 25/2020 of 14 May 2020 
 
 
 
File number: DOS-2019-01156
Subject: Legal basis for processing of personal data by social media platform
 
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns, members;
 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG; 
 
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG;
 
Having regard to the internal rules of procedure as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; 
 
Having regard to the documents in the file; 
 
 has taken the following decision regarding: 
                                 	 
- 	a processing of personal data by the controller: Y ('defendant'); 
 
1. Facts and procedure 
2.	On 28 November 2018, the Management Committee of the Data Protection Authority (hereinafter the GBA) decided to refer a case to the Inspectorate of the GBA on the basis of Article 63, 1° of the WOG. The reason for the aforementioned referral was the practice whereby the social network and website "W" invites its members to add the "friends/contacts" of those members.   
 
3.	The Inspectorate of the GBA informed the defendant of this decision of the Executive Committee of the GBA by letter of 12 March 2019. 
 
4.	The Inspectorate sent two letters to the defendant dated 12 March 2019 and 16 May 2019 with questions relating to alleged infringements of Articles 5, 6, 7, 30, 37 and 38 of the AVG. More specifically, the Inspectorate asked questions about the categories of personal data of non-users that were collected as well as the retention period for those data. The Inspectorate also requested an extract from the register of the defendant's processing activities and asked questions about the data protection officer (place in the organisation chart, time spent, professional qualities, involvement in answering the Inspectorate's questions).   
 
5.	The defendant replied to the Inspectorate's questions by letters dated 21 March 2019, 3 April 2019 and 14 June 2019. The defendant clarified the processing of personal data in the invitation functionality on the "W" website as follows: "Here, the personal data we collect will depend on the platform used: if a user chooses to upload contacts from the phone book of his or her mobile phone, we will collect phone numbers and the names that the user assigns to these phone numbers. If a user chooses to upload contacts from his or her email account, the basic contact information that will be uploaded will be determined by the user's own email provider, as clearly set out in that provider's upload permissions screen". If a user chooses to upload his or her contacts from his or her phonebook, the details of these contacts will be synchronized regularly so that the user can invite new contacts who are not yet members of "W" to register.
 
6.	The defendant explains that in addition to the consent button, the following section of information will appear: "At regular intervals we will import and store your contacts so that we can notify you when acquaintances register on "W" and so you can invite them to register when your contacts are not yet members of "W". You decide who you add. You can stop the import at any time and delete all contacts. More information".
 
7.	If the user clicks on "more information", he or she will see the following additional information: "When you import your address book, we will periodically import information, such as names, phone numbers and other information as clarified on the provider's permissions screen, about your contacts on our servers. We use this information to inform you about who you already know on W and so that you can invite your contacts who are not yet members. The above suggestions are made directly on the service and via email. We do not store your password and do not email anyone without your permission. You can stop the synchronisation of your address book at any time via your settings. When you do this, all previously imported contacts will be deleted. For more information on how we process your personal data, please refer to our Privacy Policy".
 
8.	The defendant further explained that the user's contact persons are kept in the defendant's database until the user decides to stop synchronizing the contact persons, or if a user removes certain contact persons. When an account is closed (either deliberately or after 2 years of inactivity), the contact persons are deleted within three months, the defendant further explained.
 
9.	In his letter of 9 March 2020, the defendant explains that the user can choose to withdraw his consent and thus no longer synchronize contacts, thus removing the existing contacts from the "W" database. If the user does not choose this function, the contact details (including those of third party non-users of the website) will be kept for at least three months.
 
10.	The defendant submitted to the Inspectorate an extract from its register of processing activities, showing which categories of personal data of customers (users of the website) are processed: 'profile information, personal identification, analytical data, user generated content, user account information, contact information and third party information (for users who register via Facebook)'. According to that register, the legal basis invoked for processing is 'the performance of a contract' and 'the consent of the individual'.
 
11.	As regards the legal basis for the collection of non-users' personal data, the defendant explained that the legal basis 'consent' - in its view - should not be used: "We are of the opinion that we are not obliged to collect the consent of the contact person. Indeed, we do not send promotional messages because it is the user who sends personal communications to his or her contact through our platform. This interpretation is in line with the vision set out in the Article 29 Working Party's Opinion 5/2009 on Online Social Networking and we have ensured that our process fully complies with the four criteria set out in [this] Opinion".
 
12.	The defendant responded in detail to the Inspectorate's questions about the activities and competence of its Data Protection Officer. The defendant refers, inter alia, to the professional experience of this person, in particular his experience as EMEA Senior Privacy Counsel with a company active in online means of payment and lawyer with the IT service of a law firm. This person also holds an IAPP CIPP/E and CIPM certification.
 
13.	On 18 June 2019, the Inspectorate submitted its report to the Disputes Chamber on the basis of article 92, 3° of the WOG. 
 
14.	The inspection report identifies potential breaches of Article 5(2) of the AVG, Article 6 of the AVG, Articles 4(11) and 7 of the AVG as well as Articles 37 and 38 of the AVG.
 
15.	With regard to the alleged breaches of accountability (Article 5(2) of the AVG), of the lawfulness of processing (Article 6 of the AVG), and with regard to the definition and conditions for consent (Articles 4(11) and 7 of the AVG), the Inspection Report makes a distinction between, on the one hand, the consent relating to the processing of personal data of the user of the website and, on the other hand, the consent required with regard to the processing of personal data of that user's contacts.
 
16.	As regards the defendant's assertion that he is not obliged to collect the consent of the contact persons (non-members of "W"), since it would be "personal communication" by the user, the Inspectorate notes that the exception (to the obligation of consent under Article 7 AVG) for personal or household activities may be invoked by social media users but not by the social network 'W' itself, in line with recital 18 of the AVG, which reads as follows: 'Personal or household activities [outside the scope of the AVG] may include social networking and online activities in the context of such activities. However, this Regulation shall apply to controllers or processors providing the means for processing personal data for such personal or household activities' (Inspection report, p. 4).
 
17.	The reference made by the respondent to Opinion 5/2009 of Group 29 on online social networks is not considered relevant by the Inspectorate because this Opinion concerns the former Data Protection Directive and 'because the AVG imposes more far-reaching obligations on data controllers including the accountability in Article 5(2) of the AVG and the requirements of unambiguous expression of will in Articles 4(11) and 7 of the AVG' (Inspection report, p. 5).
 
18.	With regard to the consent of social media users (members of "W"), the Inspectorate notes that there are pre-ticked options in the process of adding contacts. As a result, the user's consent to use or not use the personal data of his contacts is not valid in a context where recital 32 of the AVG explicitly clarifies that 'already ticked boxes' do not count as consent. The Inspectorate notes that the respondent is prepared to "stop his practice of pre-selecting contacts' personal data", which has happened in the meantime. According to the defendant, the adjustment took place 2 working days after receipt of the inspection report.
 
19.	In the meantime, the defendant has removed the pre-ticked options from the platform 'voluntarily and without any unfavourable acknowledgement' after receiving the second letter from the Inspectorate dated 16 May 2019. However, the defendant states in its conclusion that these pre-ticked options do not relate to obtaining the user's consent to import his contacts, and that, moreover, no consent is necessary in view of the principles set out in the Opinion 5/2009 of Group 29 on online social networks (see defendant's conclusion, p. 13). 
 
20.	The Inspectorate also noted that the defendant's privacy policy does not state that consent can be withdrawn, as imposed by Article 7 of the AVG. In its conclusion (p. 19 and 20) and in his letter of 14 June, the defendant replies that the possibility to withdraw consent is indeed offered on the website. The user is informed that he can stop the import at any time and delete all contacts.
 
21.	Before starting the current procedure, the defendant had been in contact with the GBA in response to a complaint received regarding the working method of the "W" platform. The complaint referred to the fact that the information about the protection of personal data could only be read after creating one's own account and accepting the terms of use and privacy policy. The GBA had pointed out to "W" that this was not a valid way to obtain permission for the "invite a friend" e-mail, as far as this was the legal basis used by "W". 
 
22.	At a hearing on 9 July 2019, the Disputes Chamber decided on the basis of Article 98 of the WOG that the file was ready to be dealt with on the merits. 
 
23.	On 10 July 2019, the defendant was informed by registered mail of this decision, of the inspection report, and of the inventory of the documents in the file that the Inspectorate sent to the Chamber of Disputes. At the same time, the defendant was informed of the provisions as mentioned in article 98 of the WOG and the defendant was informed of the time limits to submit his defence under article 99 of the WOG. The deadline for receiving the defendant's response was set at 4 September 2019. 
 
24.	By letter and e-mail dated 15 July 2019, the defendant asked to be heard. By letter dated 30 August 2019, the Chamber of Disputes informed the defendant of the date of the hearing. 
 
25.	On 4 September 2019, the Chamber of Disputes received the conclusion of the defendant's response. 
 
26.	The hearing took place on 1 October 2019. The file was resumed with other members of the Dispute Chamber. The data controller was heard and given the opportunity to present his arguments, in response to the questions put to him by the members of the Disputes Chamber, concerning the foreign scope of the 'W' website, the legal basis for processing personal data of users and non-users of the 'W' website and the role and working methods of the Data Protection Officer. 
 
27.	At the hearing, the defendant made the following statements in addition to his conclusion: 
 
-	The defendant offers a platform to get to know new people in the private sphere without limitation (friend or relationship); there are 4.5 million active users per month, spread all over the world, 1.5 million of whom are in the EU. There are 33 people working at "W" (see also defendant's conclusion, p. 3) and 100 people in various places in the world working for the helpdesk (not Y employees, but only contractual service providers, as clarified by defendant's letter of 4 November 2019 to the Chamber of Disputes). 
 
-	The defendant complains that the constitutive elements of the offence imputed to "W" are not indicated in the Inspection Report (see also defendant's conclusion, p. 6); the defendant considers that in this case the charge was made without a prior detailed explanation of the alleged infringement. The defendant finds that the allegations with regard to "accountability" are very unclear. 
 
28.	The defendant then explains how the invitation process takes place on the "W" website: 
 
-	The website users will be informed - as shown above - about the processing that will take place in the context of the "invite a friend" functionality. 
 
-	Under the message "W is better with friends" the internet user gets the possibility to import an address book of different service providers (Outlook, Google mail, Yahoo, Facebook, Telenet, Skynet). The user is not obliged to select a service provider and can skip the "invite a friend" functionality in its entirety. If the user wants to make use of this functionality, one of the service providers must be selected. Then a screen of this service provider will be displayed, on which the internet user can allow his contact addresses to be read. This is, as explained by the defendant, "the provider's permissions screen". If the internet user agrees, all addresses listed in the address book are then stored by "W". The functionality offered by such service providers consists of allowing users to share limited contact information with the "W" platform, for limited purposes. 
 
-	In a next step, the Internet user is given the opportunity to choose the recipients of invitation emails. 
 
-	In a first version of the website, all addresses were pre-checked, with the possibility to unselect all recipients with a single click. Since July 12, 2019, no address is pre-checked and the user can choose between two options: pre-select all recipients one by one, or pre-select all his contacts with a single click. In the previous version of the website, the user also had the possibility to deselect the pre-checked recipients one by one.
 
-	By letter of 4 November 2019, the defendant insists that users should have the possibility to obtain their consent regarding the use of the "invite a friend" functionality at any time. All previously imported contacts are then removed, the website announces (cf. above, p. 3).
 
29.	The defendant then argues that the address details of the contact persons are used only for the invitation functionality. According to the defendant, no profiles are created on the basis of these contact details. 
 
30.	With regard to the legal basis invoked, the defendant states the following: when a user sends an invitation to his friends, it is a personal communication, not a marketing message subject to the anti-spam rules of the ePrivacy Directive; defendant uses a single legal basis, i.e. the consent of the users; the "AVG does not say that you need the consent of contacts. We have the consent of the user to import his data," the defendant stated in court. To the question of the Dispute Chamber whether, according to the defendant, the user's consent is also valid for non-users of the "W" website, the defendant answers positively, "since it is one and the same finality" as regards the processing of personal data. Thus, the defendant confirmed the assertions made in his conclusion, which were summarised by the defendant as follows:
 
"With regard to the legal basis invoked, the defendant claims the following: Y processes the contact details of the user's contact persons for a single purpose: to make the "invite a friend" functionality available. In order to fulfill this single purpose, the user's contacts are uploaded and invitation emails are then sent on behalf of the user to those contacts selected by the user. The legal basis on which Y relies for the processing of personal data within the scope of the "invite a friend" functionality is the consent of the user. Y is of the opinion that it is not mandatory to separately request the consent of the user's contact persons, since the processing of data is already justified by the user's consent under Article 6 of the AVG and since, on the other hand, the invitation message sent does not constitute a direct marketing message that is subject to the ePrivacy Directive. This was explicitly confirmed by the Article 29 Working Party. To the question of the Dispute Chamber whether the consent of the user is also valid for non-users of the "W" website, the defendant answers positively: in the context of the "invite a friend" functionality and, more generally, of all services and functions that enable users to process contact data and other information of people they know (e.g. e-mail providers, messaging systems, operating systems, cloud services where people upload photos that can show their friends and family, ...), the data are primarily that of the user himself." The data is the user's own. (Letter from the defendant to the Chamber of Disputes of 4 November 2019, reaction to the draft PV of the hearing, p. 3). 
 
31.	The defendant then shows by means of printed screens of the website that the user can see and change the standard message before it is sent in the context of the invitation e-mail (page 12 of the bundle of pleadings). The defendant reiterates that, in its view, it has taken all measures to ensure that this processing would meet the requirements of "personal communication" as set out in Group 29 Opinion 5/2009 on online social networks. According to the respondent, the Inspectorate wrongly states that this advice predates the AVG and is no longer valid, because the consent requirements have meanwhile become more stringent (see also conclusion, p. 23). The defendant also addresses the question whether or not there is a marketing message within the meaning of Article 13 of the ePrivacy Directive. By letter of 4 November 2019, the defendant wished to provide additional clarification: "Y has never claimed that the AVG would not apply to the processing activities carried out in the context of the W platform. On the contrary, Y considers that the invitation message sent to the user's selected contact persons constitutes personal communication, for which it is not required to obtain the consent of such contact persons on the basis of the ePrivacy Directive". 
 
32.	The Chamber of Disputes then asks whether or not the users are informed in the invitation e-mail departing from the "W" platform that their data may be corrected or deleted. The defendant refers to his pleading, which contains a printed version of the screen that the addressee of such an invitation will see: under the message "X. sent You have a message!" two blue buttons offer the following option: "Register and reply" or "Read only message." Under these buttons the following explanation is placed: "When you click on 'Register and reply' you agree that an account will be created for you on W and you agree to our [hyperlink] Terms and Conditions. Please also read our [hyperlink] Privacy Policy and our [hyperlink] Cookie Policy". The Respondent explains that the recipient of the invitation email receives information about their rights through "W"'s Privacy Policy and Cookie Policy, and that the recipient also receives the following information in the email itself: "Click here if you do not wish to receive commercial e-mails about our products or services" (page 17 of the pleading).
 
33.	As regards the Data Protection Officer, the defendant refers to documents proving that this person was indeed involved in the definition of the invitation functionality, including an e-mail of 13 August 2018 already communicated to the Inspectorate (page 15 of the bundle of pleadings - document 21 of the defendant). The defendant claims that his data protection officer can report to the highest body and that in practice he does so according to the defendant (defendant's letter to the Chamber of Disputes dated 4 November 2019, p. 4). The defendant also states that there is no evidence in the inspection report that this person would not be independent (e.g. that he would receive instructions from the management). 
 
34.	The defendant submits a positive and recent evaluation report showing that this person should not fear for his job. According to the defendant, this positive assessment proves that the DPO is able to carry out his tasks in an independent manner and that V was the obvious choice for the DPO. The DPO is based in Dublin but is able to communicate with the defendant's staff in English and French, and there is also a local 'privacy lead' in U. The defendant claims that the DPO meets the Y employees in person on a regular basis and that most of the meetings take place via 'video conferencing' software. This person's professional qualifications are evident from his CV. The data protection officer states that he also works for another social media platform ("Z") and that there is no pre-determined division of time between the two platforms, and that he can rely on a team of 4 full-time employees, in addition to the local privacy lead in U. 
 
35.	In view of the cross-border nature of the data processing operations on the defendant's website, the Litigation Chamber decided to submit the case to the Article 56 AVG procedure in order to identify the leading supervisory authority and the supervisory authorities concerned. The GBA identified itself as a potential lead supervisory authority. Authorities from the following countries declared themselves to be concerned: the Netherlands, Germany (Lower Saxony, Baden-Württemberg, Brandenburg, Rhineland-Palatinate, Mecklenburg-Western Pomerania, Bavaria, North Rhine Westphalia, Berlin), Portugal, Sweden, Ireland, Latvia, Italy, Norway, Hungary, Austria, Spain, France, Cyprus, Slovakia, Denmark, Slovenia. 
 
36.	On 3 October 2019, the Disputes Chamber sent a registered letter to the defendant enclosing the defendant's annual accounts for the fiscal years 2016, 2017 and 2018, asking whether the defendant could confirm the figures contained therein, including the turnover figure. The turnover figures are as follows: 
-	financial year 2016: more than XXX EUR;
-	financial year 2017: more than XXX EUR;
-	financial year 2018: almost XXX EUR.
 
37.	On 17 October 2019, the defendant's counsel confirmed on behalf of his client that the annual accounts listed above are accurate. By means of this letter, the defendant wished to draw the attention of the Litigation Chamber to an enclosed forecast for the fiscal year 2019 (see below).   
 
38.	A transcript of the hearing was sent to the defendant for information by e-mail dated 30 October 2019, asking him to respond within 2 working days if he had any comments. The defendant was informed that this does not reopen the debates and that the comments may only refer to the presentation of the oral debates. 
 
39.	The defendant submitted his observations to the Dispute Chamber and insisted, among other things, on taking into account "the fact that Y was always willing to cooperate long before the official start of the investigation and that it repeatedly asked the GBA for feedback, which was never given".
 
40.	On 5 November 2019 this case was discussed again at the session of the Disputes Chamber. The Disputes Chamber decided to initiate the cooperation procedure as referred to in article 60.3 AVG. 
 
41.	On 8 January 2020, an English translation of the draft decision was submitted to the relevant data protection authorities in accordance with Article 60.3 of the AVG. On 15 January 2020, the respondent was informed by letter. 
 
42.	The Netherlands submitted a relevant reasoned objection on 4 February 2020. The Netherlands asked for more references to the case law of the Court of Justice regarding the analysis of the defendant's legitimate interest in sending invitations to third parties who are not members of its social media platform, on the one hand, and contested the relevance of references to a research report from 2013 regarding the legitimate interest of a social medium to send invitation emails, on the other hand. 
 
43.	The Dispute Chamber decided on 14 February 2020 to uphold the objection lodged, in particular as regards the assertion that the application of the legal basis of legitimate interest requires, in the present case, an assessment in concreto of all the relevant factual elements, taking into account the case-law of the Court of Justice: the Chamber of Disputes decided to reopen the debates as regards the analysis of the legitimate interest of the defendant.
 
44.	The Disputes Chamber informed the defendant by registered letter of 18 February 2020 of this relevant and substantiated objection, as well as of its content, and invited the defendant to respond by 9 March 2020 at the latest, regarding the possible invocation of the legitimate interest as a legal basis for the disputed data processing operations. The defendant submitted its response by letter of 9 March 2020.     
 
45.	The Disputes Chamber then took note of the defendant's arguments regarding his legitimate interest and, following the Inspection Report and taking into account the defendant's argumentation, ruled that it would impose a fine of EUR 50,000 on the basis of the infringements of the AVG that it had established. 
 
46.	In order to give the defendant the opportunity to defend himself on the amount of the fine proposed by the Chamber of Disputes, the Chamber of Disputes decided to list relevant infringements in its standard 'form for reaction against the proposed fine', which was sent by e-mail of 7 April 2020, stating that the defendant was free to further complete this document with its reaction on the particular circumstances of the case, the proposed amount of the fine and the annual figures submitted.  The defendant replied by e-mail of 28 April 2020 with its arguments regarding the amount of the fine as well as new information regarding the turnover for the fiscal year 2019 which exceeds EUR 10.000.000 according to the latest forecast of the defendant. 
 
47.	In the meantime, the Chamber of Disputes had decided to submit a revised draft decision to the relevant authorities on 23 April 2020 in accordance with Article 60.5 AVG. This international procedure ended on 8 May 2020, without any substantiated objection. 
 
48.	The Dispute Chamber then adjusted its decision to take into account the defendant's arguments regarding the fine. 
 
 
 
2. Decision 
2.1 Qualification of the controller and of the processing at issue 
 
49.	The defendant is responsible for processing the personal data of the users of the social media platform "W", as well as for processing the contact data of non-users (names, telephone numbers or e-mail addresses) and other contact information stored on the servers of "W" as a result of the synchronization of the address book (GSM or e-mail) of the users of the website. 
 
50.	After all, under Article 4.7 AVG, the controller is 'a natural or legal person, a public authority, a service or other body, whether or not a third party, to whom/which the personal data are provided'. […]”. 
 
51.	The Court of Justice of the European Union has interpreted on several occasions that the term 'controller' refers to 'the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data', with a view to ensuring effective and comprehensive protection of data subjects through a broad definition of the term 'controller'. Moreover, this notion 'does not necessarily refer to a single body and may involve several participants in such processing, each of which is then subject to the data protection provisions'.
 
52.	In accordance with the Group's Opinion 1/2010 on the terms 'controller' and 'processor', the Chamber of Disputes assesses the role and capacity in concrete terms. 
 
53.	In the present case, the defendant is responsible for the storage of the contact details of the website users, since the defendant has predetermined the means and purposes of this processing (sending invitation emails). With regard to the means and conditions for this processing, for example, the retention period of contact data is determined by the defendant in Article 11 of its privacy policy. This period shall be 3 months following the closure of the user's account, or immediate deletion when the website user deselects the "Contact Synchronisation". 
 
54.	The defendant is also the data controller in this case for the processing that consists of sending invitation emails in the name and on behalf of "W" to contacts of current users. 
 
55.	However, the transmission to the recipients of the invitation emails and the processing of personal data in the message itself do not fall under the AVG to the extent that the "household exception" applies, i.e. if it concerns a purely personal or household activity within the meaning of Article 2 of the AVG. 
 
56.	The defendant himself cannot invoke this 'household exception' as clarified in recital 18 of the AVG: 'This Regulation shall not apply to the processing of personal data by a natural person in the context of a purely personal or domestic activity which as such is unrelated to any professional or commercial activity. Personal or household activities may include conducting correspondence or keeping address records, social networking and online activities in the context of such activities. However, this Regulation shall apply to controllers or processors providing the means for processing personal data for such personal or household activities'. Thus, the defendant is responsible for sending out invitation emails even if the website user could invoke the household exception as regards his own processing of personal data. 
 
57.	Moreover, the defendant itself does not dispute that the AVG applies to the contested processing operations and does not invoke the exception for personal or household purposes. 
 
 
2.2 Clarification with regard to the household exception and the concept of personal communication 
 
58.	The defendant claims that he considers the invitation e-mails to be a 'personal communication'. In his conclusion and at the hearing, the defendant clarified that this defence has nothing to do with the 'household exception' and that at no point did he claim that the AVG would not apply. According to the defendant, the notion of 'personal communication' merely refers to the fact that it does not constitute a marketing message within the meaning of Article 13.2 of the ePrivacy Directive, according to the criteria defined by Group 29 in its Opinion 5/2009 on online social networks. 
 
59.	Thus, the defendant does not dispute that the AVG is applicable and that he is the controller with regard to the sending of invitation e-mails. 
 
60.	The Disputes Chamber adds that certainly if the recipients of the invitation e-mail have been determined in advance by the online social platform (e.g. pre-ticked), the user of the website concerned has no control over an important aspect of the purposes of the processing (indicating the recipients). The pre-check of recipients by the defendant is therefore in this case an additional element to consider the defendant as a data controller. 
 
61.	Finally, it is thus established that the defendant is responsible for the processing of personal data of the contact persons of the users of the "W" website, both as regards the storage of those data and the sending of an invitation e-mail. 
 
2.3 Legal basis for processing the contact details of users and non-users of the "W" website 
 
62.	As a data controller in the context of the 'invite a friend' functionality, the defendant must ensure that this processing complies with the principles of data processing and is lawful, in the sense that the processing is carried out on an adequate legal basis (Articles 5 and 6 AVG). 
 
63.	The processing concerns personal data of users and non-users of the website "W", and is twofold: the storage of contact data on the defendant's servers and the sending of invitation emails. 
 
64.	The defendant claims that the procedure elaborated on the "W" website ensures that it obtains free, specific, informed and unambiguous consent from the user of the website, in accordance with the requirements of Articles 4.11, 6.1 and 7 of the AVG, with regard to the 'invite a friend' functionality (defendant's conclusion, p. 19). 
 
65.	In particular, the defendant states that the consent of the recipient of the message is not required, neither for the storage of his contact details on the servers of the website, nor for the sending of an invitation e-mail, and this because the user of the website has given his consent for the import of his address book by the defendant: 
 
"First of all, it should be pointed out that importing the contact details of the contacts is a processing of personal data that is part of the purpose of the 'invite a friend' functionality. As explained above, for this purpose Y processes personal data included in the address book of a user who has given his consent. Y can therefore invoke a valid legal basis for importing the personal data of these contacts". (Defendant's conclusion, p. 21). 
 
66.	The defendant reiterated this assertion at the hearing, and also clarified that he did not wish to invoke any other legal basis in that respect. 
 
67.	The defendant also refers to other online services where users can upload their address book (Gmail, Hotmail, Whatsapp and Messenger) as well as operating systems (such as iOS, Android and Windows) where users upload their address book and photos: 
"If the Inspectorate tries to demonstrate that whenever a user of a service uploads personal data relating to people he knows, the company operating the service must obtain the consent of these people, this would undermine the operation of online communication services in general. Such a position would apply not only to "invite a friend" functionalities such as Y and other online social networking services, but also to (i) messaging services such as Gmail, Hotmail, Whatsapp and Messenger, where users upload their address book, (ii) operating systems such as iOS, Android and Windows, where users upload their address book and photos, and (iii) other services such as booking services and aircraft check-in services, where users can upload personal data of people they know, etc." 
  
 
3.  Motivation regarding the processing of personal data of users versus non-users 
 
3.1 With regard to the processing of personal data of non-users 
 
3.1.1 No valid consent 
 
68.	The Disputes Chamber does not follow the defendant in his assertion that the user of the social media website himself can give his consent for the import by the website of personal data of third parties in his address book, with a view to sending an invitation e-mail. 
 
69.	Under the AVG, only the data subject whose personal data are processed can validly consent to the processing of these data, except in cases of parental consent (Art. 8.1 AVG) or another legal power of attorney. In the event that data of a third party is used, this third party must give permission in accordance with the conditions of Article 7 in conjunction with Article 4.11 of the AVG, as interpreted by Group 29. There is no such consent here. In addition, such consent can de facto only be given by existing members of "W" if and to the extent that they would give their consent to the use of their personal data in accordance with the terms and conditions of the AVG at the time they enter the platform.
 
70.	In this context, the Disputes Chamber also refers to an investigation by the Dutch Data Protection Authority into Whatsapp, dating from before the entry into force of the AVG. In the context of the mobile application Whatsapp, this authority ruled that the social media user cannot give valid consent in the name and on behalf of a non-user of the social media platform: 'Whatsapp users cannot give (unambiguous) consent on behalf of the non-users in their address book to have the contact details relating to them processed by WhatsApp, without being authorised to do so by the non-users concerned. Only the affected non-users themselves (or their legal representatives) may give such consent. Because WhatsApp does not obtain the unambiguous consent of non-users in Whatsapp users' address books for the processing of their personal data and yet processes them, and WhatsApp has no other basis for such data processing, WhatsApp is in violation of Article 8 of the (Dutch) Data Protection Act'. 
 
 
3.1.2 Possibility of invoking a legitimate interest 
 
71.	In the present case, no legal basis other than 'consent' is invoked by the defendant. The defendant only invoked the basis "legitimate interest" in a subordinate capacity, in response to the questions raised by the Disputes Chamber following the objection lodged by the Netherlands. The Disputes Chamber therefore investigates whether the disputed processing of personal data of non-users can have a legal basis under Article 6 of the AVG, and whether or not the processing is therefore 'lawful' within the meaning of Article 5.1 of the AVG. 
 
72.	In the absence of any possibility to request permission with regard to the processing of personal data of non-users, the Disputes Chamber investigated to what extent the social media platform "W" could process the data of third party non-users on the basis of its legitimate interest (art. 6.1.f) AVG, with a view to very limited purposes, as explained below. 
 
73.	The Disputes Chamber understands that the website "W" has an interest in processing third party non-users' personal data in order to stimulate an increase in the number of members of the platform. 
 
74.	In this case, the data of third party non-users are not processed solely for the purpose of identifying members of the "W" website. However, the data of contact persons (including third party non-users) are potentially kept by the Website for 3 months after a "W" account has been closed by the user. 
 
75.	The website "W" also processes more data than necessary to send an invitation e-mail as these data are not restricted by the website itself: not only contact data determined by the website itself (e.g. names, telephone numbers and e-mail addresses) but on the contrary possibly other categories of personal data such as from third party providers of information society services, i.e. "other information as clarified on the permissions screen of the provider, about your contacts imported on our servers".   
 
76.	Article 6.1.f of the AVG provides that the legal basis may be used in so far as 'the processing is necessary in order to protect the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child'.  
 
77.	The case law of the Court of Justice of the European Union requires that recourse to Article 6(1)(f) of the AVG must meet three cumulative conditions: "namely, in the first place, the furtherance of a legitimate interest of the controller or of the third party or parties to whom the data are disclosed, in the second place, the necessity of processing the personal data for the purposes of pursuing the legitimate interest and, in the third place, the condition that the fundamental rights and freedoms of the data subject do not prevail". 
 
78.	In other words, the person responsible for processing must demonstrate that: 
1)	the interests it pursues in the processing may be recognised as legitimate (the 'purpose test'); 
2)	the intended processing is necessary for the purposes of pursuing those interests (the 'necessity test'); and 
3)	the weighing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects comes out in favour of the controller or of a third party (the 'balancing test'). 
 
 
The purpose test 
 
79.	The Court of Justice clarifies that the legitimate interest must also be "existing, current and not hypothetical at the date of processing".     
 
80.	The Dispute Chamber also refers to the recent Guidelines 3/2019 on the processing of personal data by camera, in which the EDPB reiterated that the controller or third parties may pursue legitimate interests of various kinds, in particular, interests of a legal, economic or immaterial nature. In this context, the EDPB also refers to the judgment of the Court of Justice that "the interest of a third party in obtaining personal data from a person who has caused damage to his property, in order to recover the damage from that person before the courts, is a legitimate interest". 
 
81.	On the basis of the case law of the Court of Justice and the guidelines of the EDPB, the Disputes Chamber rules that the concept of legitimate interest can have a broad scope, on the understanding that an interest invoked by a data controller is sufficiently specific. In the context of the present case, the Disputes Chamber does not rule on the question whether an economic interest can be regarded as a legitimate interest within the meaning of Article 6.1.f of the AVG. 
 
82.	In the present case, the defendant points out that 'the purpose of the W platform is essentially to allow users to connect with each other and to have interesting conversations and exchanges with the other users' and that 
–	Y, as processing manager, has an interest in offering users of the W platform the possibility to find contacts who are already users and/or invite other contacts who are not yet users to become members; 
–	the user of W, as a third party or as a data controller using the platform under the household exception (recital 18 AVG), has an interest in finding or inviting persons he knows in order to build up his network more easily". 
83.	The defendant also invokes that the development of the "invite a friend" functionality was driven by the fact that certain users asked for an easy way to find or invite acquaintances, and that the "experience" of the user on the social platform "W" is made more pleasant by this "invite a friend" function. The defendant also stresses that this interest is "an actual and present interest that is neither vague nor speculative in nature". 
 
84.	The Disputes Chamber holds that, on the basis of these facts and motives, the defendant demonstrates the existence of an interest to be taken into account, that this interest is present and sufficiently specific, as is apparent from the detailed statements of the defendant. 
 
The necessity test 
85.	The Court of Justice has clarified that, in order to review this condition, it must be verified "that the legitimate interest of processing of data sought ... cannot reasonably be achieved as effectively by other means which are less prejudicial to the fundamental freedoms and rights of data subjects, in particular the right to respect for private life and the right to the protection of personal data as guaranteed by Articles 7 and 8 of the Charter". 
 
86.	The Court of Justice has also clarified that the condition relating to the necessity of the processing must also be examined in conjunction with the principle of minimum data processing laid down in Article 5(1)(c) of the AVG. 
 
87.	The defendant claims that the "W" platform processes only the basic contact data of its users' contacts. However, it appears from the factual data that the defendant keeps these data in principle for 3 months, unless the user of the platform decides to stop the synchronisation of his contacts. 
 
88.	The Disputes Chamber is of the opinion that the collection of these contact data - with regard to both users and non-users of the website - only passes the necessity test if these data are immediately deleted after initial use. 
 
89.	As far as non-users are concerned, the Disputes Chamber decides that it should be possible for the social media platform "W" to invoke the legitimate interest, but only to process the personal data of the existing "W" members, in order to help those users to identify their contacts who are already "W" users and who have therefore agreed to use the "W" website's messaging function as a communication medium. 
 
90.	It is important to note that these members have previously given their unambiguous consent to "W" to collect and process their mobile phone number or email for this purpose. In addition, 'W' must take appropriate technical and organisational measures in order to comply with the requirement of data protection by design and by default as set out in Article 25 AVG. 
 
91.	In this context, the Disputes Chamber also refers to Group 29's Opinion 5/2009 on online social networks. This opinion states in this respect that social media networks have no basis for processing data of non-users other than the legitimate interest, and that, moreover, it is not possible to invoke this basis to extract contact details of non-members from uploaded address books and then use them to create new social media profiles: 'Many social network services let their members contribute data about others, such as adding a name to an image, rating people, drawing up lists of people who want to meet or have met members. These tags can also be used to identify non-members. However, the processing of such data about non-members by a social network service is only allowed if one of the criteria laid down in Article 7 of the Data Protection Directive [now Article 6.f AVG "legitimate interest"] is met. There is no legal basis for creating ready-made profiles of non-members by collecting data provided independently by members, including relationship data derived from uploaded address books'. 
 
92.	This opinion is, in principle, still relevant since the legal basis of legitimate interest has not been substantially changed by the entry into force of the AVG. The fact that, according to his allegations, the defendant does not create 'profiles', but only sends out invitation e-mails using the contact details of non-members, does not alter the fact that the sending of these e-mails is not necessary for the purpose intended by the defendant. 
 
93.	The Group 29 has refined this opinion and defined the general interest of social media networks in the context of invitation emails, taking into account the fundamental rights and freedoms of third party non-users. In its Opinion No 06/2014 on the concept of legitimate interest, the Working Party 29 explained the limitations of the legitimate interest in relation to third party contact details by means of an example: 
 
"Example 25: Access to mobile phone numbers of users and not app users: 'compare and forget': 
 
Personal data of individuals are processed to check whether they have already given unambiguous consent in the past (i.e. "compare and forget" as a guarantee). 
An app developer is required to obtain unambiguous consent from data subjects for the processing of their personal data: for example, the app developer wants to access and collect the entire electronic address book of app users, including mobile phone numbers of contacts who do not use the app. In order to do so, it must first assess whether the holders of the mobile phone numbers in the address books of the users of the app have given their unambiguous consent (in accordance with Article 7(a)) to have their data processed. For this limited initial processing (i.e. short-term access for reading the full address book of an app user), the app developer may rely on Article 7(f) as the legal basis, subject to the necessary safeguards. 
Technical and organisational measures should be part of the safeguards to ensure that the company only uses this access to help identify which of its contact persons are already users, and who have therefore in the past given their unambiguous consent to the company to collect and process telephone numbers for this purpose. 
The mobile phone numbers of non-users may only be collected and used for the strictly limited purpose of verification whether they have already given their unambiguous consent to the processing of their data and must be deleted immediately afterwards." 
 
94.	In summary, Group 29 believes that - in the circumstances described in the above example - the contact details of third party non-users should only be used to check whether or not they are already members of the website, and thus have already given their consent to their contact details being used for communications via the website in question. As stated above, the Chamber of Disputes bases its decision partly on this consideration of Group 29, and considers that the storage of contact details of non-users of Y may only be necessary in the context of "compare and forget" under certain strict requirements and safeguards.    
 
95.	However, the Disputes Chamber notes that the retention period of contact details of non-members exceeds what is strictly necessary to identify existing contacts. The website "W" also processes more data than necessary to send an invitation e-mail as these data are not restricted by the website itself: not only contact data determined by the website itself (e.g. names, telephone numbers and e-mail addresses) but, on the contrary, possibly other categories of personal data such as those of third party providers of information society services, i.e. "other information as clarified on the permissions screen of the provider, about importing your contacts on our servers". 
 
96.	Pursuant to the above, the Dispute Chamber finds that the storage of contact information of non-Y users may only be necessary in the context of "compare and forget" under certain strict requirements and guarantees. These requirements and safeguards are not met. 
 
 
The balancing test 
 
96.	The Court of Justice clarifies that: "the assessment of that condition involves a balancing of the conflicting rights and interests at issue, which depends on the particular circumstances of a particular case and which must take account of the importance of the rights of the person concerned under Articles 7 and 8 of the Charter". 
 
97.	The criterion relating to the seriousness of the infringement of the rights and freedoms of the person concerned is an essential part of the case-by-case assessment required by Article 6.1.f of the AVG. According to the Court of Justice, in this connection account must be taken in particular of 'the nature of the personal data concerned, in particular their possible sensitivity, as well as the nature and the practical arrangements for processing them, in particular the number of persons having access to them and the ways in which they may be accessed'. 
98.	As highlighted by the Court, 'also relevant in this balancing exercise' are 'the data subject's reasonable expectations that his personal data will not be processed where, in the circumstances of the case, he cannot reasonably expect further processing'. In this context, the Disputes Chamber also refers to recital 47 AVG which states that what is relevant is what 'the data subject may reasonably expect, at the time and in the context of the collection of the personal data, that processing may take place for that purpose'. 
 
99.	In the present case, as regards the seriousness of the infringement, the defendant invokes the following special circumstances: "The nature of the personal data processed by Y in the context of its 'invite a friend' functionality was not excessive. Y has never processed sensitive data, only the absolute minimum of personal data (i.e. basic contact data) with only one purpose, namely to send the invitation e-mail at the request of and on behalf of the user of the W platform". However, the Dispute Resolution Chamber again notes that the retention period of contact details of non-members exceeds what is strictly necessary to identify existing contacts. Moreover, the data processed are not defined in an exhaustive manner by the defendant. Among other things, the defendant refers to "other information, as clarified on the provider's permissions screen, about importing your contacts into our servers". 
 
100.	With regard to the reasonable expectations of the data subject, the defendant refers to services provided by online email service providers such as Google, or services provided by operating system providers such as Android, iOS and Windows, or providers of social networks such as LinkedIn. The Litigation Chamber discusses the relevance of practices of these other providers in section 3.1.3 and finds that the arguments concerning these practices fall outside the scope of the current proceedings. 
 
101.	In view of the above, the Disputes Chamber decides that the third condition imposed by Article 6.1(f) AVG and the case law of the Court of Justice has not been met in the present case. 
Conclusion  
100.	The defendant could not validly invoke the 'legitimate interest' as a legitimate ground for the (further) processing of the personal data of the data subject for direct marketing purposes. The defendant is thus in breach of Article 6.1(f) of the AVG. 
 
101.	Furthermore, the Disputes Chamber rules that the legitimate interest in this case only allows the processing of data of non-users for the purpose of a "compare & forget" action, in order to select existing users among the contact details, and to send any invitation email to those existing users. 
 
102.	More specifically, in this case the Chamber of Disputes is of the opinion that the processing must be limited to the data strictly necessary for the purpose of the 'invitation to lodge an application with the website', and insofar as it is technically impossible to distinguish between members and non-members in a user's address book without first processing these data as a minimum. In addition, in accordance with Article 32 of the AVG, the defendant should take appropriate technical and organisational measures to secure the processing properly. Only under these conditions could this processing take place on the basis of the defendant's legitimate interest. 
 
103.	The Chamber of Disputes takes into account the fact that the user of the website "W" is still free to send invitations via other channels (social media website or e-mail provider), which the third party already uses. 
 
 
3.1.3 Defence in relation to the processing of data of third persons by other information society service providers 
 
104.	The defendant compares its practices with the processing of data of third parties by other service providers such as "Whatsapp" and "Gmail", "Windows", "LinkedIn". The defendant argues, inter alia, that data subjects can reasonably expect their contact data to be processed by different types of online service providers, since, according to the defendant, it is "the normal course of business for a person to have the contact data of other persons processed in an address book in order to facilitate communication". 
 
105.	The Chamber of Disputes rules that the defence regarding the processing of the data of third persons by service providers does not stand up. 
 
106.	First, the practices of other service providers are not at issue in the present case. 
 
107.	Secondly, the requirement of a proper legal basis for the processing of non-users' data applies to all service providers, including those referred to by the defendant in its conclusion. 
 
108.	Thirdly, these service providers may not process personal data of third parties in a way that would infringe their rights and freedoms, whatever the legal basis of the processing. As clearly explained by the Working Party 29 in the context of the right to portability, information society service providers and telecommunication service providers may not infringe the rights and freedoms of non-users of their services if a user gives his consent to store on their servers personal data of non-users. Moreover, in this context, the Working Party has also reiterated that the user's consent is not sufficient to process data of non-users: a different legal basis must be laid down, and the legitimate interest of the service provider appears to be the most appropriate basis. 
 
109.	The Disputes Chamber ruled that these views of the Group 29 support the earlier finding of non-compliance - in this case - with the AVG. In summary, the unlawfulness of the data processing of the website "W" results from the fact that this website processes the data of non-members without a proper legal basis, to the extent that this processing was not limited to a "compare & forget" action as set out above. 
 
 
 
 
3.1.4 Use personal data of non-users to send invitation emails 
 
110.	The Disputes Chamber is of the opinion that the storage of contact details of non-users of a website for the purpose of sending an invitation e-mail is only permitted in the context of a "compare & forget" action, as explained above. It follows that it is only possible to send invitation emails to existing members via the "W" website. The Dispute Resolution Chamber will therefore only consider the availability of a legal basis for sending invitation emails to non-users in the remainder of this decision. 
 
111.	As mentioned above, the defendant argues that the invitation e-mails constitute a "personal communication" on the part of the user of the "W" website, so that no separate legal basis is required for sending this message. However, the defendant stated in its conclusion and confirmed at the hearing that it does not intend to invoke the 'domestic processing' exception in recital 18 AVG. 
 
112.	By 'personal communication', the defendant means that these invitation emails do not constitute a marketing message, on the understanding that advertising messages by email may - subject to exception - only be sent after prior consent (see also Article 13.2 of the ePrivacy Directive and its implementation in Article VI.110 § 2 of the Economic Law Code). 
 
113.	In its Opinion 5/2009 on online social networks, the Group 29 indicated the conditions under which invitation messages sent via a social media platform do not constitute an online advertising message under the platform: 
 
"Some social networking services let their users send invitations to third parties. The ban on the use of e-mail for direct marketing does not apply to personal communications. The exemption for personal communications only applies if the social network service meets the following criteria:  
–	no pressure should be applied to the transmitter or receiver; 
–	the provider is not allowed to choose the addressees of the message; 
–	the identity of the user sending the message must be clearly indicated; 
–	the user sending the message must be aware of the full content of the message to be sent on his behalf." 
 
114.	The defendant refers to these four terms and conditions, and therefore believes that he may send these messages without prior consent. 
 
115.	The fact that the sending of marketing e-mails is partly regulated by the ePrivacy Directive does not affect the competence of the Dispute Resolution Chamber to supervise the application of the AVG with regard to the consent requirement or the conditions for invoking the legitimate interest. 
 
116.	In this context, the Disputes Chamber decides that the social media network "W" should in principle not request permission to send e-mail messages from users to other users, if the 4 conditions of the Social Media Advice are respected, provided that all other AVG principles such as article 25 (data protection at design and at default settings) are respected.
 
117.	In that case, "W" could - as previously stated - invoke its legitimate interest, including for the storage of the data on its servers, provided that the data of non-members are immediately deleted as soon as it appears that the user has not selected this addressee with a view to sending an invitation e-mail. 
 
118.	However, the Litigation Chamber is of the opinion that the strict AVG rules on consent - which also apply in the context of the ePrivacy Directive - leave no room for such an interpretation, and that the legal basis "legitimate interest" should be interpreted restrictively to the extent that data of third persons are involved.
 
119.	With regard to consent, Article 4(11) in conjunction with Article 7 of the AVG states that consent by the person concerned means the following: 
-	free; 
-	specific; 
-	informed and 
-	unambiguous expression of will by which the data subject accepts, by means of a declaration or an unambiguous active act, the processing of personal data concerning him/her.
 
120.	This permission must be obtained prior to processing, as is evident from the opening words of Article 6.1 of the AVG: 'processing is only lawful if and insofar as at least one of the following conditions is met: (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes [...]'.

121.	Therefore, the Disputes Chamber decides that the AVG does not allow the sending of e-mails to third persons with a view to obtaining their consent. This reasoning applies to the requirement of consent under the AVG (requirement of a legal basis) and under the ePrivacy Directive (requirement of "opt-in" for sending marketing messages). In addition, in its Opinion 5/2009 on online social media, the Working Party stated that sending third parties who are not members of a social media website an e-mail invitation to access their data violates the prohibition in Article 13(4) of the ePrivacy Directive:
 
122.	"There is no legal basis for creating ready-made profiles of non-members by collecting data provided independently by members, including relationship data derived from uploaded address books. 
Even if the social networking service were able to inform the non-user of the existence of personal data relating to him or her, a possible e-mail invitation to become a member in order to access those personal data would be contrary to the prohibition in Article 13(4) of the e-Privacy Directive on sending unsolicited e-mail for the purposes of direct marketing".
 
123.	With regard to the legitimate interest, the Litigation Chamber considers that this legal basis does not allow the sending of such e-mails, in view of the impossibility for the third party to exercise control over his data, in the context where those data have first been uploaded to the website servers and then used in the context of an invitation e-mail. 
 
 
3.2 Store personal data of existing users under the contact persons and send invitation emails to existing users (contacts) 
 
124.	The defendant seeks the consent of the users to store the contact details of other users on its servers and to process those data in the context of invitation emails. 
 
125.	However, the Chamber of Disputes found that the consent of the users was not free to the extent that the first version of the website pre-selected the recipients of the invitation e-mails. This follows directly from Recital 32 of the AVG. The Court of Justice has recently confirmed in the Planet49 judgment that consent is not validly obtained if pre-selected boxes are used:
"51. Article 2(h) of the above-mentioned Directive [95/46] defines 'the data subject's consent' as 'any free, specific and informed expression of consent by which the data subject accepts that personal data relating to him/her are processed'.
52. Thus, as the Advocate General pointed out in paragraph 60 of his Opinion, the requirement of a 'statement of will' by the person concerned clearly refers to active rather than passive conduct. Consent by means of a standard checkbox, however, does not imply active behaviour on the part of the user of a website."
 
126.	Thus, as long as the recipients of e-mails were pre-checked, the defendant could not invoke the legal basis "consent" with regard to the storage of the contact details of existing users and the sending of invitation e-mails to existing users. 
 
127.	The Disputes Chamber rules that the processing in question is not necessarily unlawful within the meaning of Article 5.1 of the AVG, and that the social media network "W" should in principle not ask for permission under the AVG to send e-mail messages from users to other users, in so far as such messages would fall under the basis "necessary for the performance of a contract" or "legitimate interest" on the part of "W" (Article 6.1.b or Article 6.1.f of the AVG).
 
128.	In particular, the website may invoke its legitimate interest if the emails do not constitute a marketing message within the meaning of Article 13.2 of the ePrivacy Directive, provided therefore that the defendant complies with the conditions set out by Group 29 (e.g. not letting the recipients be chosen by the website itself).
 
129.	In this case, the Chamber of Disputes notes that the recipients of the invitation e-mails were originally ticked beforehand.   
 
130.	Even if the defendant does not invoke these principles, the Chamber of Disputes notes that ticking the addressees in advance would be problematic in the context of the legal basis 'legitimate interest' or 'performance of a contract': after all, the sending of bulk e-mails does not comply with the principle of minimum data processing (Article 5.1.c AVG) and with the principles of Article 25 AVG (data protection by design and by default settings). The fact that, in the previous version of the website, the website user had the possibility to deselect the pre-checked recipients one by one does not matter. 
 
131.	Finally, since the defendant has voluntarily removed the pre-ticked options - in response to the Inspectorate's grievances in that regard - the data controller 'W' is eligible to send such e-mails to other users in the name and on behalf of its users on the basis of its legitimate interest. 
 
132.	As an alternative to the legitimate interest, the Disputes Chamber is of the opinion that the social media network "W" should in principle not have requested permission under the AVG to send e-mail messages from users to other users, to the extent that such messages could, on the part of "W", fall under the basis "necessary for the performance of a contract" (art. 6.1.b AVG). The possibility to invoke such a basis obviously depends on the definition of the service provided and the extent to which the persons concerned have been informed about it. The Disputes Chamber does not have sufficient factual data at its disposal to assess the lawfulness of the processing under the legal basis 'performance of a contract', but decides that the processing could in any case be carried out under the legal basis 'legitimate interest', and therefore was not unlawful, after removal of the pre-checked addressees of the invitation e-mails. The Disputes Chamber also notes that the defendant must, of course, be transparent about the processing grounds used by him.
 
 
3.3 Letters from the inspectorate concerning the Data Protection Officer 
 
133.	The Litigation Chamber decides not to respond to the Inspectorate's grievances about the Data Protection Officer, given that the prima facie expertise of this person is apparent from the CV submitted, and given that the documents and the hearing show that this person was duly involved in developing the 'invite a friend' functionality. Moreover, the defendant adequately explained the role and position of the DPO at the hearing. 
 
 
3.4 The defence on the lack of concrete recommendations from the GBA or the Inspectorate Service 
 
134.	The defendant reproaches the GBA for not having made any concrete recommendations or comments on the "invite function" following a letter of 12 October 2018 in which the GBA reminded the defendant of the requirement to obtain a valid consent under the AVG with regard to the "invite a friend" functionality (defendant's conclusion, p. 3). The defendant makes the same reproach to the Inspectorate (Conclusion, p. 5). As the defendant rightly points out (Conclusion, p. 4), the Inspectorate made no recommendation regarding the invitation functionality and chose to ask for information.

135.	The Inspectorate's task is to gather evidence of indications of practices which may give rise to a breach of the fundamental principles of personal data protection (Article 63 et seq. of the WOG). The Inspectorate is not charged with providing tailor-made advice on the infringements under investigation. More generally, under Articles 5.2 and 24 AVG, the controller is responsible for accountability. This accountability is a core element of the AVG. A data controller cannot evade this accountability by claiming that he has not received sufficient instructions from the supervisor. Admittedly, pursuant to Article 57.1.d) AVG, it is a duty of the GBA to make responsible parties and processors better aware of their obligations in respect of the AVG. However, in performing this task, the GBA - of which the Inspectorate is part - has a great deal of discretion whether or not to draw a data processor's attention to a possible infringement.
 
 
3.5 Decision concerning the sanction 
 
136.	As a result of the Inspection Report and taking into account the defendant's argumentation, the Disputes Chamber established the following infringements of the AVG: 
 
1.	The defendant has no legal basis for storing and further processing the personal data of non-users of the website "W" in its files with a view to sending an invitation e-mail: this constitutes an infringement of Articles 5 and 6 of the AVG; 
2.	The defendant has no legal basis to send invitation e-mails to existing users of the website during the period in which the addressees of the invitation e-mails were checked in advance: infringement of article 5.1 in conjunction with 6.1.a), 7 AVG and 4.11 AVG. 
 
 
3.5.1 Competence of the Dispute Settlement Chamber with regard to sanctions 
 
137.	By virtue of article 100 WOG, the Disputes Chamber is authorised to order that the processing be brought into conformity (art. 100.9 WOG) as well as to impose periodic penalty payments (art. 100.2° WOG). The Disputes Chamber is also competent to impose administrative fines (art. 100.13°, 101 and 102 WOG) and to publish the decision on the website of the Data Protection Authority (art. 100.16° WOG). When determining the level of the fines, the Disputes Chamber must take into account the criteria laid down in Article 83 of the AVG, depending on the circumstances. In this case, the Chamber of Disputes takes into account the following circumstances that it considers sufficient to impose the sanctions listed below: 
 
-	the nature, seriousness and duration of the infringement: this is a lack of legal basis, which the Chamber of Disputes considers to be a serious infringement, in particular as regards the right of non-members of the 'W' website to retain control over their data and not to run the risks associated with data processing (recital 75 AVG); 
-	the intentional nature of the breach: the defendant was aware of a problem regarding the processing of personal data on the website since the first letter of the GBA dated 12 October 2018. 
 
 	 	 
3.5.2 The attenuating circumstances invoked 
 
138.	The defendant considers, in a subsidiary order, that the penalties imposed should take account of the following attenuating circumstances (Conclusion, p. 42): 
 
•	The defendant would have been 'not negligent' and would have acted in good faith taking into account the Opinion 5/2009 on social networks of Group 29. In this respect, the Disputes Chamber states that the defendant cannot simply rely on an opinion of 2009, long before the AVG came into being, which moreover - as described above - is insufficiently clear. Moreover, the data controller could have been aware of the discussions surrounding the use by social media sites of data of non-members, as reflected in Group 29's Opinion 06/2014 on the concept of "legitimate interest"; 
•	The possible infringements would not have caused any material damage: Here the Dispute Chamber points out that the right to data protection is a fundamental right and that it is irrelevant for the violation of this right whether infringements cause material damage. The infringement in this case leads to the loss of control over the data by many persons, which is mentioned in recital 75 of the AVG as a potential cause of immaterial damage;
•	The defendant has stopped using pre-checked options. The defendant was aware of the infringement since 3 April 2019 (Conclusion, p. 42) and waited to receive a second letter from the Inspectorate (May 2019) to stop this practice (Conclusion, p. 13). The Disputes Chamber is of the opinion that this infringement was deliberate or, at any rate, largely due to negligence, since recital 32 of the AVG makes it clear that consent is not validly obtained if the options offered have been ticked beforehand. The defendant therefore had to know that the consent of the users of the website to process their data with a view to sending out invitation e-mails was not valid with regard to the selection of recipients. In addition, the defendant also had to know that a user of the website could not consent to the use of data by third parties.
 
139.	In his response to the form dated 28 April 2020, the defendant developed additional arguments with regard to the sanction proposed by the Chamber of Disputes. 
 
140.	The defendant argues that he was not negligent and that the alleged infringements did not constitute a clear infringement of the AVG, but rather "a problem of interpretation about which even the supervisory authorities adopt different interpretations". The defendant wrongly deduced this from the fact that the Dutch authority had adopted a relevant and substantiated objection. The Dutch authority did not object to this final decision, and all authorities concerned have validated the reasoning set out above with respect to the amount of the fine.
 
141.	The Disputes Chamber agrees with the defendant that a discussion was possible on the extent to which the defendant could or could not invoke a legitimate interest to address third party non-users by means of an invitation e-mail. 
 
142.	However, the Chamber of Disputes found that no discussion was possible and ruled that the legal basis invoked by the defendant was invalid: the existing users of a website cannot give permission for third party non-users. Thus, the defendant misapplied the legal basis "consent" (or exemption from consent), and in any case it is not allowed to subsequently invoke the legal basis "legitimate interest" to justify a certain processing already started.
 
143.	For the sake of clarity, the Disputes Chamber reminds the defendant that it did not invoke the basis 'legitimate interest' (and did not examine its conditions of application) in its original privacy policy, nor later in the context of its arguments before the Disputes Chamber, despite a clear question from the Disputes Chamber in that respect at the hearing, and up to and including the reopening of the debates by the Disputes Chamber on that point. This constitutes a clear breach of its information obligations under art. 12-13 of the AVG and of the requirement to have an appropriate legal basis under art. 5-6 of the AVG before the data processing starts. 
 
144.	It is also beyond dispute that, with regard to invitations sent to existing members of the social media platform "W", the defendant could not invoke the legal basis "consent" as long as the addressees of the invitation e-mails were originally ticked in advance.
 
145.	For this reason, the Disputes Chamber decides that the defendant has been negligent and deserves a fine with regard to the sending of invitation e-mails both to members and third non-members of the social media platform "W", and that a fine is justified, even if there was a possible debate regarding the limits and conditions of the defendant's justified interest with regard to the sending of invitation e-mails by social media to third non-members, which debate the Disputes Chamber, in view of the circumstances presented to it, decides in this case. 
 
146.	In determining the amount of the fine, the Disputes Chamber shall take into account the circumstances invoked under 3.5.1 and 3.5.2 of this decision. 
 
147.	The Disputes Chamber also takes note of the fact that, according to the information provided in its response dated 28 April 2020, the defendant stopped sending out invitation e-mails as of 7 February 2020. 
 
148.	However, the Chamber of Disputes did not require such a far-reaching measure and reopened the debates on the legitimate interest in order to allow the defendant to properly carry out the assessment of his legitimate interest.   
 
149.	In the original draft decision, as submitted to the relevant authorities in the context of the cooperation procedure provided for in Article 60.5 of the AVG, the Litigation Chamber had ordered that the processing would be brought into compliance with Articles 5 and 6 of the AVG within 3 months of the date of this decision, by ensuring that the storage and processing of personal data for the purpose of sending invitation e-mails to third non-members of the website is either discontinued or based on a legal basis (e.g. consent, legitimate interest). However, this envisaged injunction no longer has a raison d'être, as the defendant - according to the statements of his legal counsel in his response dated 28 April 2020 - has spontaneously stopped sending out invitation e-mails since 7 February 2020.
 
150.	The fact that the defendant stopped sending invitation e-mails is a sign of good will but does not alter the fact that the defendant was negligent in determining a legal basis, not only for the start of the data processing in question but also in the context of his argumentation with regard to the Disputes Chamber despite the reopening of the debates by the Disputes Chamber. The fact that the defendant stopped using pre-ticked options only has a positive impact on the legal basis "consent" for the invitation e-mails sent to existing users, but not with regard to the third non-users of the website. 
 
151.	Nevertheless, the above shows a willingness on the part of the defendant to pay attention to the AVG when developing the processing operations. This is important for determining the level of the sanction.   
 
152.	The Data Protection Authority considers that the annual turnover of the defendant from 2017 onwards (including for the financial year 2019 for which the closure is still ongoing) will still exceed €10,000,000. The Disputes Chamber decided that the amount of the fine should be set at 0.5% of the annual turnover and therefore set the amount of the fine at €50,000.   
 
153.	In view of the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision shall be published on the website of the Data Protection Authority. Publication of the present decision is also in the interest of legal development and consistent application of the AVG in the European Union. However, it is not necessary for the identification data of the defendant to be published directly for this purpose.
 
 
 
 
 
FOR THESE REASONS, 
 
the Data Protection Authority's Disputes Chamber shall decide after deliberation, 
 
- to impose a fine of EUR 50,000 for processing personal data of non-members of the website "W" without an appropriate legal basis, as well as personal data of members, the latter during the period in which the recipients of such e-mails were pre-checked; 
 
An appeal against this decision may be lodged, pursuant to Article 108 §1 of the Act of 3 December 2017, with the GBA as defendant, within a period of thirty days from service of the notification at the Market Court. 
 
  
 
Hielke Hijmans 
President of the Chamber of Disputes