APD/GBA - 38/2021
|APD/GBA - Decision 38/2021|
|Relevant Law:||Article 5 GDPR|
Article 6 GDPR
Article 17 GDPR
Belgian corporate law
Belgian law establishing the national data protection authority (LCA)
|Parties:||A company associate (plaintiff)|
The federal public service of Belgium "SPF Belgique" (defendant)
|National Case Number/Name:||Decision 38/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Official website of the Belgian data protection authority (in FR)|
|Initial Contributor:||Maïlys Lemaître|
The Belgian DPA reaffirmed the standard conditions for minimization of data (Article 5(1)(c) GDPR) in relation with the lawfulness of the data processing (Article 6 GDPR) and underlines that a data subject's request for erasure of their personal data pursuant to Article 17 GPDR must be granted if the data processing is not lawful to begin with.
English Summary[edit | edit source]
Facts[edit | edit source]
The plaintiff, an associate in a limited company, had decided with their co-associate to reduce their company's capital, for which a publication in the Belgian State Journal (Moniteur belge) is an obligation under the Belgian corporate law. The notary mandated by the associates to do the publication in their name not only informed about the reduction of capital but also mistakenly indicated the amount reimbursed to the associates as well as their personal bank account number. The plaintiff asked the notary to proceed to the erasure of these complementary and in their eyes unnecessary information. Following this, the notary requested that the Belgian federal public service (SPF, the defendant), responsible for the journal, erased the plaintiff's data of whom he acted on behalf of. The request was met with a refusal, the SPF mostly arguing that whatever the data published, since they were linked to publication required by the law, they could not be erased. After further exchanges and with the SPF still refusing to erase the concerned data, the plaintiff lodged a complaint with the Belgian DPA, mainly claiming that the SPF had no actual legal basis pursuant to Article 6 GDPR for processing the litigious data.
Dispute[edit | edit source]
Can a legal obligation under national law justify the processing of data that may be unnecessary for the intended purposes of the processing?
Holding[edit | edit source]
Before giving its decision on the question in dispute, the Belgian DPA reminded the defendant that the plaintiff's notary's mistake of publishing unnecessary data, was no reason for justifying that the defendant should not be held liable for a possible unlawful processing, as the SPF argued. A data controller always being accountable for the data they process, no matter in what way obtained, the liability of the defendant could indeed also be sought in this case.
Thereupon, the DPA states that even if the publication was an obligation under the applicable corporate law and the data processing herewith found its legal basis in Article 6(1)(c) GDPR, the principle of minimization of data pursuant to Article 5(1)(c) could not be undermined as it had been by the defendant. It is not because a data processing is justified by the law, that its controller can process data within its framework as pleases them. Saying otherwise would mean questioning the very essence of the principle of minimization. Thus, the plaintiff was right in claiming that the processing of the data linked with the publication had no legal basis as per Article 6 GPDR, since the data was not necessary for the defined purposes, and that it meant that the defendant had not been within their right to refuse an erasure of the plaintiff's data pursuant to Article 17 GPDR. The DPA therefore issued a reprimand towards the defendant according to their powers resulting from the Belgian law establishing the national data protection authority and ordered them to grant the plaintiff's request and erase the litigious data.
Comment[edit | edit source]
I wonder what will happen if the SPF (Federal Public Service) does not take any action to the order of the Belgian DPA keeping in mind that the Belgian Data Protection Act does not allow to fine a public authority like the SPF. In other words what are the options for the Belgian DPA to enforce a public service to act?
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision as to font 38/2021 - 1/24 Litigation Chamber Decision on the merits 38/2021 of 23 March 2021 File No .: DOS-2020-00404 Subject: Complaint against the Belgian Monitor for basic lack of legality and refusal of erasure of personal data published in the Annexes to the Belgian Official Gazette The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection data), hereinafter GDPR; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Took the following decision regarding: The complainant: Mr X., represented by his counsel Maître Sari Depreeuw, lawyer, whose law firm is established at 1050 Brussels, avenue Louise, 81 (hereinafter the complainant) The defendant: The FPS Justice established at 1000 Brussels, Boulevard de Waterloo 115, represented by Mr. Jean-Paul Janssens, Chairman of the Management Committee (hereinafter the defendant) Decision on the font 38/2021 - 2/24 1. Feedback from the procedure Having regard to the complaint lodged on January 21, 2020 by the complainant with the Data Protection Authority (APD); Considering the decision of February 20, 2020 of the Front Line Service (SPL) of the APD declaring the complaint admissible and its transmission to the Litigation Chamber; Having regard to the letter of March 5, 2020 from the Litigation Chamber informing the parties of its decision to consider the case to be ready for treatment on the merits on the basis of Article 98 LCA and their providing a timetable for the exchange of conclusions; Having regard to the main conclusions of 6 April 2020 from the defendant; Having regard to the conclusions of the complainant of April 21, 2020; Having regard to the respondent's submissions of May 6, 2020; Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on August 20, 2020; Having regard to the hearing during the session of the Litigation Chamber of October 9, 2020 in the presence of Masters S. Depreeuw and O. Belflamme, representing the complainant and Mr. A. Hoefmans, director of the Data Protection Unit of the FPS Justice and Mr. W. Verrezen, Director of the Belgian Monitor both representing the defendant; Having regard to the minutes of the hearing and the observations made thereon by the parties who have been attached to these minutes. The Litigation Chamber notes that in terms of its comments, the defendant announces that she realized during the hearing that the royal decree of 30 January 2001 repeatedly cited in terms of submissions in support of its defense had been replaced by a new royal decree of April 29, 2019, (M.B., April 30, 2019) adopted after the entry into force of the GDPR. The defendant specifies that this new royal decree has not changed the content of Article 11.5 1 invoked, now replaced by Article 1-9 § 5. 1Article 1-9 § 5: Correction of an error made in an act, an extract of an act, a decision or a document published in the Annexes to the Belgian Official Gazette is filed and published in accordance with the preceding paragraphs. The rectification of an error made in a document the filing of which was published by mention in the Annexes of Belgian Monitor is operated by filing at the registry in accordance with the preceding paragraphs, one or more pages corrected or additional, bearing the words "rectification", attached to a page with the details provided in paragraph 2, subparagraph 4 and indicating the document to which the rectification relates. Corrected pages or additional documents are entered in the file. The submission of corrected or additional pages gives rise to publication by extracted from the Annexes of the Belgian Official Gazette. Decision as to font 38/2021 - 3/24 2. Facts and subject of the claim 2 1. The complainant is a shareholder of SPRL Bureau X. The complainant holds the vast majority of shares of the SPRL, its partner by holding a very small minority. 2. The shareholders of the company - including the complainant - decided to reduce the capital by the company whose articles of association have, following this operation, been amended by a decision of the extraordinary general meeting in early 2019 (article 316 of the Companies Code). 3. In February 2019, an extract from this decision was published in the Annexes to the Belgian Monitor, available both in hard copy and in electronic version available on the Internet. 4. The extract published in the Belgian Official Gazette contains the decision to reduce the capital of the company, the amount initial capital, the amount of the reduction with mention of the new amount of the share capital and of the new text of the statutes. These are in fact the elements required by Article 69 combined with Article 74 of the Companies Code. 5. In addition, the extract mentions, among other things, the names of the two partners (including the complainant), the amounts that were reimbursed to them as well as their bank account numbers. 6. This part of the extract published in Dutch (point 5 above) is reproduced below: (…) - aan de heer X, voornoemd, door uitbetaling op de rekening met nummer (..) op zijn naam van het bedrag van (..); - aan de heer Z, voornoemd, door uitbetaling op de rekening met nummer (..) op zijn naam, van het bedrag van (..) Free translation - to Mr X, mentioned above, by payment to account number (..) to his name in the amount of (..); - to Mr. Z, mentioned above, by payment to account number (..) to his name, in the amount of (..) (Hereinafter the disputed passage) 2 Since the capital reduction took place before the entry into force of the new Companies and Companies Code associations, the Companies Code of May 7, 1999 is applicable to the facts of the case. Decision as to font 38/2021 - 4/24 7. This extract was prepared by the complainant's notary in application of the Companies Code (article 74 paragraph 1, 1 ° juncto article 69, paragraph 1, 5 °) and then transmitted by the latter to the registry of the court of the company within the territorial jurisdiction of the company to be published in the Annexes of the Belgian Monitor. 4 8. Considering that his notary had committed an error by including the disputed passage in the request for publication of the extract from the capital reduction decision, the complainant has, by the intermediary of his notary and his data protection officer (DPO), initiated steps aimed at obtaining the deletion of this contentious passage from the defendant. 9. On March 28, 2019, the DPO of the plaintiff's notary sent an email to the defendant's DPO inviting the latter to delete the two paragraphs cited above in execution of the right to the erasure of the complainant (art. 17 GDPR). Concretely, the DPO of the complainant's notary has, for the account of the latter, requested (a) the deletion of the publication of the extract containing the contentious passage and (b) its replacement by the publication of an extract without this contentious passage. 10. On April 10, 2019, the Respondent replied in the negative to the Complainant's request. His refusal was based on the exception provided for in Article 17.3 of the GDPR (right to erasure) and its article 5 86. The defendant's DPO, instead of the requested erasure, suggested that a new publication of the extract - without the disputed passage - be made, the initial publication remaining as for it intact. 11. On April 11, 2019, the DPO of the complainant's notary replied to the respondent that his position was irrelevant and insisted on deleting the publication of the excerpt containing the passage contentious. 12. In an e-mail of April 30, 2019, the defendant's DPO made arguments additional to justify its refusal to erase the disputed passage. 3 Article 74: The following are filed and published in accordance with the preceding articles: 1 ° acts bringing about changes the provisions of which this code prescribes publication. Article 69 paragraph 1, 5 °: The extract from the deed of incorporation of companies, with the exception of interest groups economic, contains: 5 ° where applicable the amount of the share capital; the amount of the part released; the amount authorized capital; for limited partnerships, the amount of securities released or to be released in limited partnership and for cooperative societies, the amount of the fixed part of the capital. 4The formalities for publication by the Belgian Official Gazette were provided for in the Royal Decree of 30 January 2001 relating to execution of the Companies and Associations Code, in particular in Article 11, which has replaced it as well as was specified in the retroacts of the procedure, the Royal Decree of April 29, 2019 implementing the Code of companies and associations. 5 Article 86 of the GDPR: Processing and public access to official documents: Personal data contained in official documents held by a public authority or by a public body or a private body for the performance of a mission of public interest may be communicated by that authority or body in accordance with Union or Member State law to which the public authority or public body is subject, in order to reconcile the public's right of access to documents officials and the right to the protection of personal data under this Regulation. Decision as to font 38/2021 - 5/24 13. On April 30, 2019, the DPO of the complainant's notary requested an opinion from the APD. On July 5, 2019, the SPL of the APD thus recalled in particular (1) that a royal decree (i.e. the royal decree of 30 January 2001 invoked by the defendant in support of its refusal to erase) cannot take precedence over a European regulation (i.e. on the GDPR) as well as (2) the conditions of the right to erasure. 14. Several requests were subsequently made by the complainant's notary on July 8. 2019, October 25, 2019, November 19, 2019, and January 8, 2020 without success. The disputed extract does not have been withdrawn from the Belgian Official Gazette. 15. On January 21, 2020, the complainant filed a complaint with the APD. 16. Pursuant to his complaint, the complainant denounces the following: (1) a breach of Article 6 of the GDPR on the part of the defendant for publication of its personal data on the Internet without a basis for lawfulness. (2) A breach of Article 17 of the GDPR on the part of the defendant for not having deleted their personal data following the exercise of their right to erasure. 17. Pursuant to his conclusions of April 21, 2020, the complainant asks the Litigation Chamber to say as a right that his complaint is founded and that the legal conditions of the right to erasure are met in accordance with Article 17.1. of the GDPR. The complainant requests that it be ordered to the defendant to comply with the exercise of its right to erasure and to erase the data to personal character concerning him (in particular names, bank account numbers and amounts paid both to himself and to his partner) within 10 working days after the notification of the DPA's decision under penalty of a fine for each day of delay, the amount of which er is to be determined by the DPA under Article 100 § 1, 6, 10 and 12 of the LCA. The complainant y also denounces a breach of Article 5.1. c) and Article 5.1. e) of the GDPR. 18. The Litigation Chamber would like to point out from the outset that within the framework of the compliance with the GDPR entrusted to the APD (for which it is the administrative litigation body) both by the European legislator (article 58 of the GDPR) that by the Belgian legislator (article 4 LCA), it will examine the facts reported by the complainant both under the articles of the GDPR referred to in the form complaint that he lodged on January 21, 2020 under one of the articles of the GDPR that he referred to in a second step by way of its conclusions of April 21, 2020. 19. Indeed, the Contentious Chamber decides here, as it had already done in its Decision 19/2020, that the complainant cannot be required to identify clearly, precisely and exhaustively the legal provisions in support of which he files his complaint. This work of qualification of the facts - Decision as to the font 38/2021 - 6/24 constituting breaches of current data protection regulations if necessary - returns to the Inspection and the Litigation Chamber. 6 20. After nearly two years of operation, the Litigation Chamber notes that the complainants who file a complaint with the DPA are not necessarily familiar with the provisions of the GDPR or other specific legislation that would apply to the facts they report and which they believe are contrary to the applicable regulations on protection of personal data. The Litigation Chamber is of the opinion in this regard that it cannot be required of them to have this knowledge in order to make a complaint. 21. If the Contentious Chamber were to refuse to examine grievances brought by the complainant in during the proceedings relating to the facts denounced in his complaint, it would considerably reduce, or even would seriously jeopardize the effectiveness of the exercise of the right to lodge a complaint recognized in Article 77 of the GDPR. To assert the contrary would amount to requiring the complainant to identify, under its complaint, all grievances relating to the facts he denounces. This would erode, the Litigation Chamber holds to underline it, in an unacceptable way the right to lodge a complaint and more generally, the right fundamental to data protection which, in order to be effective, must be able to be controlled by supervisory authorities, in particular through the complaints it receives. Control of the law fundamental to the protection of data by an independent authority participates in the essence of this right and is enshrined in Article 8.3. of the Charter of Fundamental Rights. Once again, to affirm the contrary would also come back, de facto (and starting from the observations that can make the Litigation Chamber over its almost two years of operation), to be required of the complainant whether he is assisted by a lawyer or any other legal advisor (as soon as he lodges his complaint), which cannot condition the exercise of a fundamental right with the authority for the protection of data. The Litigation Chamber is also of the opinion that as far as possible, the right to bring complaint must, like the exercise of other rights recognized by the GDPR (Chapter III), be free (article 12.5 of the GDPR). Finally, the supervisory authorities must also facilitate the exercise by data subjects of their rights, including the right to lodge a complaint (article 57.2. of GDPR). 22. In the present case, the facts not being in dispute and not requiring clarification complementary, the Litigation Chamber has not, as permitted by Article 94.3 ° LCA, recourse to the Inspection. The lack of recourse to the Inspection once the facts are clearly established cannot have the consequence of depriving the Litigation Chamber of examining the facts denounced by the complaint with regard to all the relevant complaints as far as they are 6 See. in this regard, the note on the role of the complainant available on the APD website: https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-plaignant-dans-la- procedure-within-the-litigation-chamber.pdf Decision as to the case 38/2021 - 7/24 legal arguments related to the facts reported in the complaint and respecting the debate contradictory as it pointed out in its Decision 17/2020 (points 20-28). 23. In the present case, the complaints alleging non-compliance with Article 5.1. c) (principle of minimization) and article 5.1.e) (principle of limited retention) of the GDPR brought by the complainant by way of conclusions are, moreover, without prejudice to the foregoing, intrinsically linked to the question of the existence or not on a basis of legitimacy (Article 6 of the GDPR) raised from the outset by the terms of the complaint. Indeed, in the absence of a basis of legitimacy (article 6 of the GDPR) authorizing the processing of data, the controller does not respect the principle of minimization either, which requires that only adequate, relevant and limited data to what is necessary for the achievement of the purpose pursued are processed. By refraining from following the complainant's right to erasure (raised from the outset by the complaint), the data controller (potentially) infringes also to the principle of the limited retention period of the processed data. 24. Accordingly, any argument according to which the defendant was not, in this case, warned as soon as the initiation of the proceedings for what was alleged against him must be ruled out here. 25. The defendant asks the Litigation Chamber to dismiss the complainant's complaint, according to her, no breach of the GDPR can be noted. 3. The hearing of October 16, 2020 26. At the hearing on October 16, 2020, the parties had the opportunity to present their point of view, referring very broadly to their previously communicated conclusions. 27. More specifically, the following elements emerged from that hearing: - The complainant's counsel clarified that personal data directly relating to his partner should also be considered as personal data. personal character concerning him and that therefore his request for erasure involved also on these (see point 17 above). - The parties have indicated that they agree that the publication of the data personal data of the complainant appearing in the disputed passage were not covered by the disclosure obligation provided for in the Companies Code. - The defendant confirmed its status as data controller. - The defendant indicated that it was not authorized to sort between the data whose publication is required by the Companies Code and those whose publication is regularly desired. Indeed, it is not uncommon for natural persons or Decision to make 38/2021 - 8/24 legal entities wish to add data to the publication, data whose publication is not legally required by the Companies Code for example. The defendant has added that in practice, this sorting is also impossible to carry out given the number extracts of documents to be marginally checked daily (only the presence of certain mentions and format are verified). 7 - Via a request for rectification, the rectified publication necessarily refers to the publication that it corrects (and in this case, the one looking for the publication can find via the date mentioned on the rectification notice). 28. Full minutes of this hearing were drawn up and communicated to the parties as specified in the retroacts of the procedure. PLACE 4. As to the breaches on the part of the defendant As a preliminary 29. The Contentious Chamber notes that the defendant qualifies itself as data controller. In 8 within the framework of its own discretion with regard to this qualification, the Chamber Litigation also retains this qualification considering that in view of the disputed passage from the extract published, the defendant did indeed act in that capacity, by defining both the purpose than the means (article 4.2 of the GDPR). 30. The Contentious Chamber notes that the defendant repeatedly emphasizes that the error generator of all the procedure leading to this decision was committed by the notary of the complainant when sending the document to be published in the Annexes to the Belgian Monitor. 7 Extract from the hearing report: The file is processed by the Company Court before being sent for publication in the Moniteur. By "treat", it is necessary here hear that the company court registry scans the document, adds the necessary references (number,…) and operates a purely formal check of the document submitted (is it dated?, signed? etc.). Circular specifies that the registry must limit itself to this formal control without being able to modify the content of the document. This content is the responsibility of the notary who made the deposit. The registry processes 800 to 900 acts per day. He has 24 hours to accept the file and 48 hours to send it to the Belgian Monitor. 8 See. in this regard, European Data Protection Board (EDPS), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 1.0. September 2, 2020. These guidelines have been submitted for public consultation and are subject to change https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf. Voy also decision 81/2020 of the Contentious Chamber (point 46). Decision as to font 38/2021 - 9/24 31. The defendant admittedly intervened following the complainant's notary, who prepared the deed for publish which contains the disputed passage and forwarded it to him. There was no less intervention successive of two separate data controllers, the notary first, the defendant then, operating a separate process. 9 32. Even if the initial error was made by the complainant's notary, compliance with the GDPR is required for each treatment operated. Therefore, the error made by a first controller does not cover a breach of the GDPR for which the "subsequent" data controller (for to use the words invoked by the defendant) would be guilty. This notion of responsible for "subsequent" processing is also not enshrined in the GDPR. In this case Litigation Chamber simply notes a successive intervention by two officials of treatment. It is true that the defendant was initially the recipient of the data within the meaning of Article 4.9. of the GDPR, but this quality does not exclude that in turn, it has intervened in the capacity of treatment. 4.1. As regards the breach of article 6 of the GDPR (lawfulness of the processing) and article 5.1. c) (principle minimization) 33. The Litigation Chamber recalls that pursuant to Article 6 of the GDPR, the processing of data of a personal nature is only lawful if, and to the extent that, it is based on one of the bases of lawfulness listed in Article 6 of the GDPR. 34. It is not disputed that the extract published in the Annexes to the Belgian Monitor includes data from personal character relating to the complainant within the meaning of Article 4.1. of the GDPR and therefore this publication must be based on one of the lawful bases of Article 6 of the GDPR. Bedroom Litigation specifies in this regard that, as the complainant alleges, the personal data personnel relating to the latter include both their identity, account number and the amount paid to him as the same information relating to his partner. All this information should be considered as personal data relating to to the complainant. Defendant's position 35. The defendant states that the complainant does not specify when he considers that he has observed a breach of Article 6 of the GDPR. The defendant argues for its part that both concerns the publication in the Annexes of the Belgian Official Gazette in February 2019 that with regard to the 9 See. also decision 81/2020 of the Contentious Chamber (point 46). Decision as to font 38/2021 - 10/24 period following the complainant's subsequent erasure request, it is the basis for processing data of the latter on a valid legal basis in compliance with Article 6 of the GDPR. 36. Regarding the publication in February 2019, the defendant declares, in terms of its first conclusions at the very least, be able to rely on three bases of lawfulness: (1) the consent of the 10 complainant (article 6.1 a) of the GDPR combined with article 7 of the GDPR), (2) article 6.1 c) of the GDPR in that the publication results on the part of the defendant from the necessary execution of a legal obligation arising from article 73 paragraph 2 of the Companies Code and the Royal Decree of April 29 2019 implementing the Companies and Associations Code and finally, (3) Article 6.1 e) of 11 GDPR in that the publication of information transmitted by the complainant's notary falls under the public interest mission of official documentary source carried out by the Belgian Official Gazette in application of the Law of February 28, 1845 prescribing a new method of sanction and promulgation of the laws and of the Law of May 18, 1873 containing Title IX, Book I, of the Commercial Code relating to companies. The defendant also specifies that the exercise of this public interest mission falls within in the context of the aforementioned article 86 of the GDPR relating to public access to official documents. 37. It was recalled in Title 3 above, that during the hearing, the representatives of the Respondent explained that the defendant was, according to instructions received by way of circular, not authorized to sort the data required by the Companies Code on the one hand or any other text whose publication is requested and on the other hand, those, additional, that some would like to see it published despite the fact that their publication is not legally required. They also indicated that in addition, in practice, this sorting is not possible given the number of excerpts from deeds to be published daily. 38. Regarding the maintenance of the publication after the request for erasure of the complainant, the the defendant considers that it can continue to rely on Article 6.1 c) of the GDPR. She invokes the article 1-9 § 5 of the Royal Decree of April 29, 2019 implementing the Companies and Associations Code which provides for a rectification procedure in the event of an error made in a document published in Annexes to the Belgian Official Gazette, excluding any possibility of outright erasure of an act published. The absence of any legal prescription obliging (even authorizing) the Belgian Monitor, in its capacity as controller, to erase the document or the data relating to the complainant contained therein, do not therefore does not compromise, again according to the defendant, the legality of the continued publication of data of the disputed extract after the erasure request. 10 Article 6 § 1 c) of the GDPR: Processing is only lawful if, and insofar as, at least one of the conditions following is fulfilled: (…) c) the processing is necessary for compliance with a legal obligation to which the controller is submitted. 11 Article 6 § 1 e) of the GDPR: Processing is only lawful if, and insofar as, at least one of the conditions following is fulfilled: (...) e) the processing is necessary for the performance of a task of public interest or relevant the exercise of public authority vested in the controller. Decision as to font 38/2021 - 11/24 39. As to the principle of minimization (article 5.1.c) of the GDPR), the defendant emphasizes that this violation relates to the processing carried out by the notary and not to that which he carried out in application of its legal obligation recalled above (point 35) which does not allow it to modify the content of what is transmitted to him by the notary. Complainant's position 40. The complainant, for his part, considers that the publication of the disputed passage in the Annexes to the Monitor Belgian contravenes Article 6 of the GDPR in that no basis of lawfulness can validly be invoked by the defendant to justify the publication of the personal data of the passage litigation that appear therein, regardless of the moment at which one places oneself to establish the existence of this basis of legality. 41. The Complainant argues in this regard that, contrary to what the Respondent argues, there is no of his consent to the publication of the disputed data (article 6.1 a) of the GDPR), this publication resulting from an error. The defendant cannot either, always according to the complainant, rely on Article 6.1 c) of the GDPR which authorizes the processing of data only necessary to comply with a legal obligation, whereas in this case, the publication of data litigation goes beyond what is required by the relevant articles of the Companies Code following a capital reduction. In this regard, the defendant highlights the ratio legis of the publication in the Belgian Official Gazette. This serves a dual purpose of informing and protecting third parties in relation to the company with which they interact on the one hand and to protect the company itself, which can thus make its internal decisions enforceable against third parties on the other hand. The goal protection of third parties is particularly important in the event of a capital reduction when the society is impoverished and creditors' guarantees weakened. The publication of the reduction in capital, marks in this regard the starting point of a period of 2 months from which the creditors may, under certain conditions, require security for their previous claims. The publication of data relating to shareholders, such as the complainant, which reveals how the repayment of the principal amount has been made and to which bank accounts the amounts have been paid is irrelevant with regard to this advertising objective (not required by the Code companies). The complainant also disputes that the defendant can, like the latter invokes it, rely on Article 6.1 e) of the GDPR, the condition of "necessity" for the execution of its mission of public interest not being met in this case. 42. Finally, the complainant considers that since the personal data contained in the passage disputed were neither relevant nor necessary for the advertising purpose required by the Code of companies, (i.e., as stated above, informing third parties and protecting creditors), there is a Decision as to font 38/2021 - 12/24 breach of the principle of minimization enshrined in Article 5.1.c) of the GDPR in the area of defendant. Position of the Litigation Chamber 43. The Contentious Chamber recalls, as already mentioned in points 33 and 34 above, that all data processing must be based on one of the lawful bases provided for in Article 6 of the GDPR and 12 that a basis of lawfulness must exist as long as the processing lasts. 44. The Litigation Chamber also recalls that it is the responsibility of the controller to identify a single legal basis on which it bases its processing. This requirement is also part of the principles of loyalty and transparency which it is responsible for implementing (Article 5.1.a) of 13 GDPR - explained in recital 39 of the GDPR). Different consequences arising from one or the other basis of lawfulness, in particular in terms of rights for the persons concerned, it is not not allowed that the controller invokes one or the other depending on the circumstances. AT by way of illustration, the controller cannot, as in this case, both consider that it bases the processing on the consent of the data subject (Article 6.1.a) of the GDPR) and on its legal obligation (article 6.1.c) of the GDPR). Consent can in fact be withdrawn at any time and if it does not have the effect of compromising the validity of the processing carried out before the withdrawal consent (article 7.3. of the GDPR), it no longer allows, a priori, the person responsible for processing to continue processing for the future (Article 17.1.b) of the GDPR). By declaring to found processing based on its legal obligation (article 6.1.c) of the GDPR), the person responsible for processing excludes in principle any possibility of opposition to processing, withdrawal of consent cannot be invoked nor the right of opposition reserved for the cases of Article 21.1. of the GDPR either to the processing of personal data based on Article 6 (1), point e) or f) and not on Article 6.1.c) of the GDPR. By also invoking Article 6.1.e) of the GDPR as possible basis - which in turn precisely allows the exercise of a right of opposition to the data subject -, alongside article 6.1.c) of the GDPR which does not allow it, the person responsible treatment is causing great confusion. In general, by invoking grounds of lawfulness distinct, the controller who acts in this way creates a certain vagueness in terms of exercise the rights of data subjects. 45. Without prejudice to the foregoing, since the Respondent considers that it can rely on no less than 3 bases of lawfulness on which to base the data processing at the time of publication in February 12 If a data controller should be required to modify its basis of legitimacy during the processing, it does not could do so only on the condition of respecting all the conditions of application of this base and should also inform the data subject and comply with all other applicable GDPR provisions as if, in sort of starting from scratch with regard to that treatment. 13 See. in this regard, articles 13.1.c) of the RGPD and 14.1.c) of the RGPD. Decision as to font 38/2021 - 13/24 2019, the Contentious Chamber will examine below whether one of them can actually validly found the publication of the disputed passage. 46. As to article 6.1.c) of the GDPR also invoked by the defendant, the Litigation Chamber recalls that it can only be used when it grounds "a processing (of personal data) necessary to comply with a legal obligation ", each word of this assumption being important. 47. In the course of its defense, the defendant drew the attention of the Litigation Chamber to the makes no mistake about the application of Article 6.1.c) of the GDPR in this case. The legal obligation to be taken into account is that of publication to which the Belgian Official Gazette is bound pursuant to Article 73 paragraph 2 of the Companies Code and the Royal Decree of April 29, 2019 already cited and which, specifies the defendant, required him to publish as is what the notary had transmitted to him without the services of the Belgian Official Gazette being authorized to sort out what is actually required to publish in application of the Companies Code and what would go beyond (see. points 27 and 37 above). This is, according to the defendant, the legal obligation to which it is outfit. Therefore, the fact that the published data is not required by the Companies Code is according to the defendant indifferent: their publication in the Annexes of the Belgian Monitor is the result of the legal obligation of the defendant. 48. The Litigation Chamber cannot subscribe to this reasoning which it considers contrary to the condition of necessity set out in Article 6.1.c) of the GDPR and which, according to it, also amounts to denying any implementation of the principle of data minimization in violation of Article 5.1 c) of the GDPR which requires that only adequate, relevant and limited to what is necessary for the purposes pursued. 49. This condition of necessity of the processing is found again formulated in all the bases of lawfulness (to except that of consent), from littera b) to littera f) of article 6 of the GDPR. 50. In its Huber judgment, the Court of Justice of the European Union (CJEU) has, in view of this condition of necessity, specified: that "having regard to the objective of ensuring an equivalent level of protection in all 14 Member States, the concept of necessity as it results from Article 7 (e) of Directive 95/46, which aims to delimit precisely one of the hypotheses in which the processing of personal data is lawful, cannot have a variable content depending on the Member States. Therefore, it is an autonomous concept of Community law which must 14 Member States provide that the processing of personal data can only be carried out if: (...) e) it is necessary for the performance of a mission of public interest or falling within the exercise of public authority with which the data controller or the third party to whom the data is communicated is invested. Decision as to font 38/2021 - 14/24 receive an interpretation that fully responds to the purpose of this directive, such as st 15 defined in Article 1, paragraph 1, thereof "(Emphasis is placed on the Litigation Chamber). 16 51. According to the conclusions he filed in this case, the Advocate General explains to this considering that "the concept of necessity has a long history in Community law and it is established as part of the proportionality test. It means that the authority which adopts a measure which infringes a fundamental right in order to achieve a justified objective must demonstrate that this measure is the least restrictive allowing this objective to be achieved. Otherwise, whether the processing of personal data may be likely to infringe the fundamental right to respect for private life, Article 8 of the European Convention for the Protection of Human Rights and fundamental freedoms (ECHR) which guarantees respect for private and family life, becomes also relevant. As the Court stated in Österreichischer Rundfunk and others, if a national measure is incompatible with Article 8 of the ECHR, this measure cannot satisfy the requirement of Article 7 (e) of the Directive. Article 8 (2) of the ECHR provides that an interference with privacy can be justified if it pursues one of the objectives therein listed and "in a democratic society, is necessary" for any of these purposes. The courtyard European Human Rights Council has ruled that the notion of "necessity" implies that a "need imperative social "is in question". 52. This case-law, formulated admittedly in the light of Article 7 (e) of Directive 95/46 / EC, applies to all the bases of lawfulness which retain this condition of necessity. She remains today relevant even though Directive 95/46 was repealed since this condition of necessity is maintained under Article 6.1 b) to f) of the GDPR. Article 6.1 of the GDPR in fact reiterates the terms of Article 7 of Directive 95/46 / EC, of which it is the equivalent. 17 53. The Article 29 Group also referred to the case law of the European Court of 18 human rights (Eur. D.H. Court) to identify the requirement of necessity and concludes that the adjective 15 CJEU, December 16, 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, para. 52. 16 Opinion of Advocate General Poiares Maduro delivered on 3 April 2008 in the proceedings before the CJU resulting in the judgment cited in footnote 15 above (C-524/06). 17 Note that the only differences to be noted are the addition to Article 6.1.d) of the GDPR of the vital interest of another natural person as the data subject as well as the deletion in Article 6.1.e) of the GDPR of the "third party to which the data is communicated ", the mission of public interest or falling within the exercise of public authority before be that of the sole controller. In addition, a slight wording difference exists between the article 7.1. f) e Directive 95/46 / EC and Article 6.1. f) of the GDPR without modifying the scope of this provision. All these modifications do not affect the condition of necessity. 18 Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the person responsible of data processing within the meaning of Article 7 of Directive 95/46 / EC, WP 217. Decision on policy 38/2021 - 15/24 "Necessary" therefore does not have the flexibility of terms such as "admissible", "normal", "useful", "Reasonable" or "expedient". 19 54. In support of the foregoing, the Contentious Chamber concludes that the assessment by the defendant of what is "necessary for the performance of its legal obligation" cannot be disembodied from the 20 purpose pursued by the publicity required by the Companies Code. In its Manni judgment, the CJEU specifies in this sense that in order to determine whether Member States are required to provide for data subjects the right to request from the authority responsible for maintaining an official register (Commercial register - mention of bankruptcies in this case), to erase or lock the data entered in this register or to restrict access to it, the purpose of registration in the said register. 55. To assert the contrary, as the defendant defends, would amount to agreeing to exempt it from any examination of the relevance of the data it publishes even though, on the contrary, the setting implementation of this founding principle of data protection provided for in Article 5.1.c) of the GDPR returns to him in his capacity as data controller. 56. Abundantly, the Contentious Chamber draws attention to the fact that in this case, the data published have a relatively direct link with the operation to reduce the capital (which could give their publication an "appearance of legitimacy" or at the very least induce a some understanding for the defendant's position). However, the Litigation Chamber wishes to alert its readers to the fact that the Respondent's conception of what it is should be understood by "processing necessary for a legal obligation", could, to follow the defendant, to be invoked with regard to the publication of any superfluous data, also harmless, delicate or sensitive (including within the meaning of Articles 9 and 10 of the GDPR) whatever it is. 57. In conclusion on this point of Article 6.1.c) of the GDPR, the Litigation Chamber is of the opinion that the only useful interpretation capable of giving full effect to the notion of necessity such as imposed by the CJEU case law is that which consists in qualifying as "necessary for the obligation of the defendant "the only data necessary for the purpose of the publicity measure pursued by the Companies Code (articles 69 and 74) which requires publication in the Belgian Official Gazette 19Court eur. D.H., March 25, 1983, Silver and others v. United Kingdom, para 97. 20 See. also Opinion 06/2014 of the Article 29 Group on the notion of legitimate interest pursued by the person responsible data processing within the meaning of Article 7 of Directive 95/46 / EC, WP 217 of April 9, 2014 (page 21): "For Article 7 (c) to apply, the obligation must be imposed by law (and not, for example, by a contractual cause). The law must fulfill all the conditions required to make the obligation valid and binding, and must also comply with applicable data protection law, in particular to the principles of necessity, proportionality and delimitation of finality ”. 21 CJEU, March 9, 2017, Camera di Comercio v. S. Manni, C-398/15, para 48. Decision on the font 38/2021 - 16/24 by the defendant. Amounts paid to partners and their account number not being part of the data listed in these articles and not likely to participate in the advertising objective prosecuted, they are not necessary to comply with the legal obligation of the defendant. Leaving, the Contentious Chamber concludes that the defendant cannot rely on Article 6.1. c) under basis of lawfulness for their treatment in this case. 58. As to article 6.1.e) of the GDPR also invoked by the defendant, the Litigation Chamber considers that it cannot be accepted in this case either. As in the case of Article 6 .1.c), the necessity test must be met. It must certainly be appreciated here in the light of the mission of source of official documentation of the defendant. In this regard, the defendant relies on two legal texts, i.e. the Law of February 28, 1845 prescribing a new method of sanction and promulgation of the laws and the Law of 18 May 1873 containing Title IX, Book I, of the Code of trade relating to companies. The Litigation Chamber does not dispute that the mission of publication continued by the defendant through the publications (in the Annexes) of the Monitor Belgian law constitutes a public interest mission within the meaning of Article 6.1.e) of the GDPR. However, as this has just been recalled with regard to Article 6.1.c) of the GDPR above, only the processing of data necessary for the realization of this public interest can be qualified as lawful in support of Article 6.1.e) of the GDPR. In this case, the publication of the personal data of the complainant contained in the disputed passage is no more necessary for this interest than for the fulfillment of the obligation of the defendant and this for the reasons already set out (see point 56 in particular). 59. As to article 86 of the GDPR, also invoked by the defendant in support of its mission of interest public, the Litigation Chamber shares the complainant's analysis that the relevance of this reference is not obvious. Likewise, it is of the opinion that, given this access, it is all the more more essential that the defendant ensure that only the necessary personal data are published. 60. The application of Articles 6.1. c) and 6.1.e) being excluded, it remains for the Litigation Chamber to examine whether the processing of personal data relating to the complainant could, as defended the defendant, to rely in this case on the consent of the complainant. 61. It is certain, as pointed out in recital 43 of the GDPR as well as the European County of the 22 data protection in its Guidelines 05/2020, that it is not likely that public authorities can rely on consent for the processing of personal data personal character. Indeed, when the controller is a public authority, he there is often a clear imbalance in the balance of power between the controller 22 European Data Protection Committee (EDPS), Guidelines 5/2020 on consent within of Regulation (EU) 2016/679, adopted on May 4, 2020: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf Decision on font 38/2021 - 17/24 and the person concerned who does not meet the condition of freedom of consent. However, without prejudice to these general considerations, the legal framework of the GDPR does not exclude fully the use of consent as a legal basis for data processing by public authorities. 62. In the present case, the Contentious Chamber is of the opinion that consent cannot be the basis for publication of the contentious extract. In accordance with article 7.1. of the GDPR, it is in fact the responsibility of the treatment, or the defendant, to demonstrate that it has obtained from the data subject a valid consent, i.e. consent that meets all the conditions of Article 4.11 of GDPR. The Contentious Chamber is of the opinion that the defendant does not demonstrate that it has obtained a such consent on the part of the complainant. Even assuming that the defendant had obtained a consent valid at the time of publication of February 2019, and to follow, quod not always, the defendant according to which the complainant had withdrawn his consent without consequence on the validity of the February 2019 publication, the Contentious Chamber is of the opinion that the defendant does not have any legal basis for it from the moment this consent has been withdrawn, Articles 6.1.c) and 6.1.e) cannot be invoked. 63. As to the defendant's argument that some wish to publish more than this that is not prescribed by the applicable regulations, the Litigation Chamber is of the opinion that in this case, the publication of such data - accepted and carried out by the defendant as responsible of processing - would be based on a basis other than that of the fulfillment of its legal obligation or the performance of its public interest mission, which could be consent (Article 6.1.a) of the GDPR) (see point 61 above). This must meet all the required qualities (see his definition in Article 4.11 of the GDPR). It is therefore also for the defendant to draw all the consequences in terms of rights for the data subjects and the collection of evidence obtaining consent. 64. In conclusion, it follows from the foregoing that in the present case, no basis of legitimacy is of a nature to found the publication by the defendant of the disputed extract containing the data of a nature personnel relating to the complainant. The Litigation Chamber therefore finds a breach of Article 6 of the GDPR in its turn. This breach is combined with a breach of Article 5.1.c) of the GDPR. Indeed, in the absence of a legal basis on which to rely, the publication of this data also ignored the principle of minimization. 4.2. As regards the breach of the right to erasure of the complainant by the defendant (article 17.1 of the GDPR) Decision on the font 38/2021 - 18/24 65. The Litigation Chamber recalls that Article 17.1 of the GDPR provides that the data subject has the right to obtain from the controller the erasure, as soon as possible, of data of a personal nature concerning him and that the controller has the obligation to erase these personal data as soon as possible, when one of the reasons listed in Article 17.1. of the GDPR applies, the following reason for which: - d) the personal data have been subject to unlawful processing. Complainant's position 66. In support of Article 17.1 d) of the GDPR, the complainant considers that the respondent should have given following his right to erasure on the grounds that the processing of his data under the terms of the passage litigation is unlawful when it has no legal basis (Article 6 of the GDPR) and the publication of said data violates Article 5.1.c) of the GDPR. The complainant considers that by elsewhere, even assuming that the defendant is justified in invoking Article 6.1 e), quod non according to the complainant, it is under the conditions of Article 17.1 c) of the GDPR. Moreover, in refusing to erase said data, the defendant also violates Article 5.1.e) of the GDPR which requires that the retention of personal data be limited to a period not exceeding that necessary for the achievement of the objective pursued. Defendant's position 67. The defendant does not dispute that it did not respond to the complainant's request for erasure. She is of the opinion that no assumption of Article 17.1. of the GDPR does not apply in this case and that it is justified in relying on the exception in Article 17.3. b) of the GDPR taking into account the legal obligation incumbent on it, in particular the aforementioned Royal Decree of 29 April 2019 which provides a rectification procedure excluding any possibility of erasure (article 1-9 § 5). She adds that since the legislator does not empower him to erase the data of an act published in all or in part, no breach of Article 5.1.e) of the GDPR can be attributed to it. Position of the Litigation Chamber 68. The Litigation Chamber is of the opinion that in support of the breach of Article 6 of the GDPR combined with Article 5.1.c) of the GDPR which it found against the defendant (see point 64 above), the complainant is effectively in the conditions of Article 17.1. d) of the GDPR which requires controller to erase personal data unlawfully processed in the as fast as we can. 23 The data subject objects to the processing under Article 21.1. and there is no legitimate reason compelling for the processing or the data subject objects to the processing pursuant to Article 21.2. Decision as to font 38/2021 - 19/24 69. However, the right to erasure enshrined in Article 17.1. of the GDPR being subject to exceptions, it It is up to the Contentious Chamber to verify whether one of the exceptions provided for in Article 17.3. of GDPR is applicable in this case, more specifically Article 17.3. b) of the GDPR invoked by the defendant. 70. The Contentious Chamber considers that for the following reasons, the defendant cannot rely on Article 17.3 b) of the GDPR as an exception to the complainant's right to erasure. 71. This exception provides that the right of the data subject to obtain from the data controller processing the erasure of personal data concerning him does not apply in the to the extent that this data processing is necessary to comply with a legal obligation which requires the processing provided for by Union law or the law of the Member State to which the data controller processing is subject to or to perform a task of public interest or within the exercise of the public authority vested in the controller ". 72. As mentioned above, the defendant relies in this regard on the rectification procedure provided for by the Royal Decree of April 29, 2019 from which, according to her, it must be deduced that it is not authorized by the national legislator to erase data from official publications. In this, the defendant would be authorized to invoke Article 17.3. b) of the GDPR to refuse to respond to any request erasure given its legal obligation which would prohibit any erasure. The treatment of all published data would therefore, here too, be necessary for the legal obligation incumbent on it to respect. The Litigation Chamber is of the opinion that it is not because a royal decree does not provide that a rectification procedure which must necessarily be deduced that any erasure is prohibited. This prohibition, if it were to exist, should be provided for by law in compliance with the conditions of Article 23 of the GDPR and cannot be deduced from an absence of reference to this right in a royal decree. Since the GDPR is directly applicable, it is, failing the exception provided for in the compliance with the conditions it imposes, of application. The Litigation Chamber therefore notes a absence of a legal obligation that would allow the defendant to invoke Article 17.3.b) of the GDPR. 73. It has also been shown above that the legal obligation to publish in the Annexes of Belgian Monitor to which the defendant is admittedly subject, does not require the processing of data contained in the disputed passage and that therefore the processing of this data is not necessary to comply with the legal obligation of the defendant (paragraph 57). This treatment is not more necessary for the performance of its public interest mission (paragraph 58). The conditions of the article 17.3.b) of the GDPR invoked by the defendant are therefore not met in this case. 74. To even follow the reasoning of the defendant which consists in assessing the condition of necessity at different times, either at the time of the initial publication on the one hand and at the time of the request for erasure on the other hand, the conclusion of the Contentious Chamber would not remain Decision as to the case 38/2021 - 20/24 less identical. A fortiori, if we look at the time of the complainant's erasure request, the (practical) inability already mentioned to sort prior to publication between what it is legally required to publish and what results from the will of those concerned falls. In Indeed, the complainant points precisely when requesting erasure to the superfluous data published. 75. The Contentious Chamber also considers that the arguments based on the nature of the Monitor Belgian authorities are not likely to oppose the exercise of the complainant's right to erasure. The in this regard, the defendant emphasizes the immutability of the publications in the Belgian Official Gazette and of its Annexes after their publication and the fact that the legal certainty of official publications would be compromised by the application of a right to erasure exercised with regard to the data they contain. 76. Once again, the Contentious Chamber considers that therefore, in this case, the data would not have never had to be published, their erasure is not likely to compromise legal certainty of the publication, the data whose publicity must be ensured following the reduction of capital remaining intact. There is no such thing as the opinion of the Litigation Chamber, the immutability of principle of official publications. The Contentious Chamber recalls here that in terms of its Manni judgment, the CJEU accepts that the national legislator could introduce a time limit beyond which the data contained in a public database such as the Trade Register (in this was the information that the trader had gone bankrupt) would be 24 erased. In the Huber judgment, cited above, the CJEU stated the principle that public registers should not contain only the data necessary for the purpose they pursue and this, in application of the condition of necessity contained in the basis of lawfulness on which they rely. The CJEU adds 25 that these registers must be updated and superfluous data erased. 77. The Contentious Chamber concludes from the above that Article 17.3. b) RGOD is not applicable in the present case and that no other exemption from erasure can validly be invoked by the defendant. 78. Accordingly, in view of the breaches noted in point 64, the Contentious Chamber finds a breach of Article 17.1. d) of the GDPR on behalf of the defendant. This failure is combined with a breach of Article 5.1.e) of the GDPR since failing to have been erased on the basis of Article 17. 1 d) of the GDPR, the retention of this data did not comply with the principle 24CJUE, judgment of 9 March 2017, Camera di Comercio v. S. Manni, C-398/15, paras 32-35 and 58 et seq. 25 See. points 59 to 60 of the Huber judgment, cited in footnote 15 above. Decision as to font 38/2021 - 21/24 according to which the data cannot be processed for a period longer than that necessary to achieve the purpose of the processing. 4. Regarding corrective measures and sanctions 79. Under Article 100 LCA, the Litigation Chamber has the power to: 1 ° dismiss the complaint; 2 ° order the dismissal; 3 ° pronounce a suspension of the pronouncement; 4 ° propose a transaction; 5 ° issue warnings or reprimands; 6 ° order compliance with the requests of the person concerned to exercise these rights; 7 ° order that the person concerned be informed of the security problem; 8 ° order the freezing, limitation or temporary or definitive prohibition of processing; 9 ° order that the processing be brought into conformity; 10 ° order the rectification, restriction or erasure of the data and the notification thereof data recipients; 11 ° order the withdrawal of accreditation of certification bodies; 12 ° give periodic penalty payments; 13 ° issue administrative fines; 14 ° order the suspension of transborder data flows to another State or an organization international; 15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences data on file; 16 ° decide on a case-by-case basis to publish its decisions on the website of the data. 80. It is important to contextualize the breaches for which the defendant has been held responsible with a view to to identify the most appropriate corrective measures and sanctions. 81. The Litigation Chamber recalls in this regard that it is sovereignly in its capacity independent administrative authority - in compliance with the relevant articles of the GDPR and the LCA - determine the appropriate corrective measure (s) and sanction (s). Decision as to font 38/2021 - 22/24 82. The Litigation Chamber notes that on several occasions already, the APD Knowledge Center has highlighted gaps in the implementation of the GDPR with regard to data processing operated by the Belgian Monitor. For example, in a recent 99/20 opinion, the APD, referring to Article 1250 of the Judicial Code which refers to an obligation of official publication in the Moniteur Belgian, raises the following. "As it has already done in Opinion No. 141/2019, the Authority [read the PDA] here again draws attention to the fact that this publication, as in general publication in the Belgian Official Gazette, is not subject to any data retention period of a personal nature appearing therein. In this regard, the Authority [read the ODA] reiterates that the article 23 of the GDPR allows the legislator to make not only limitations on the rights referred to in Articles 12 to 22 inclusive of the GDPR but also within the scope of Article 5 of the GDPR and therefore, in this including, in Article 5.1.e) of the GDPR. However, such limitations cannot be made without ensuring the compliance with the conditions stipulated by Article 23 § 2 of the GDPR, starting with the fact that such limitation must be provided for by the law of the Member State in question. However, to the knowledge of the Authority [read the DPA], there is still no such standard for publications at Belgian instructor. The Authority [ODA] therefore once again insists that this situation. " 83. The Litigation Chamber is of the opinion that in the present case, given the shortcomings noted, the the most appropriate corrective measure is to issue a reprimand to the defendant (Article 100.1., 5 ° LCA) accompanied by an order to follow up on the complainant's exercise of the right to erasure based on article 100.1., 6 ° LCA and this, as soon as possible but not later than within a 30 days from the notification of this decision to the parties. The costs that the implementation of this erasure order cannot be attributed to the complainant, the exercise of rights of data subjects being, as required by Article 12.5. of the GDPR, free. 84. The Contentious Chamber does not comment on the advisability of a possible fine administrative action against the defendant. Taking into account the quality of "public authority" of the latter within the meaning of Article 5 of the Law of 30 July 2018 on the protection of persons physical with regard to the processing of personal data, read in conjunction with the article 83.7. of the GDPR and 221 § 2 of the aforementioned law of July 30, 2018, the Litigation Chamber is not indeed not authorized to impose such a fine on him. 85. The Litigation Chamber also invites the legislator to work towards bringing the data processing operated by the Belgian Official Gazette with the GDPR, in particular with regard to the identification of the basis of lawfulness of the data processing operations carried out, the implementation of the principle minimization devoted to Article 5.1.c) of the GDPR and the exercise of the right to erase persons concerned. Decision as to the font 38/2021 - 23/24 6. As for transparency 86. In view of the importance of transparency with regard to the decision-making process and decisions of the Litigation Chamber, this decision will be published on the website of the APD by deleting the direct identification data of the complainant and the persons cited, whether physical or legal, with the exception, however, of the Belgian Monitor and the SPF Justice. 87. When it decided to publish its decisions mentioning the identity of the defendants, the Litigation Chamber justified its decision by the fact that this advertisement would guarantee a rapid compliance, would help decrease the risk of repetitions and aim to inform the public taking into account the data controller involved. In addition, any pseudonymization the name of the defendant would have been in these few cases illusory. 26 88. In the present case, the Contentious Chamber is of the opinion that in support of the above reasons, the publication of the identity of the defendant is justified. The deletion of the identification of the FPS Justice / Monitor Belgian is, given the unique nature of the Belgian Monitor, moreover illusory. The maintenance of this identification is also essential for the understanding of the decision and therefore, the objective of transparency pursued by the Litigation Chamber. FOR THESE REASONS THE LITIGATION CHAMBER After having deliberated, - Decides to issue a reprimand to the defendant on the basis of Article 100.1, 5 ° LCA; - Decides, on the basis of Article 100.1., 6 ° LCA to order the defendant to act on the exercise of the right to erasure of the complainant as soon as possible and at the latest within within 30 days of notification of this decision. The defendant will inform the Litigation Chamber, supporting documents, within the same time limit at the address email@example.com. 26 See. decision 37/2020 of the Contentious Chamber (point 183) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf Decision on the font 38/2021 - 24/24 Under Article 108.1 LCA, this decision can be appealed to the Court of contracts (Brussels Court of Appeal) within 30 days of notification, with the Data Protection Authority as respondent. (se.) Hielke Hijmans President of the Litigation Chamber