APD/GBA (Belgium) - 38/2021: Difference between revisions
From GDPRhub
No edit summary |
|||
| Line 70: | Line 70: | ||
==Comment== | ==Comment== | ||
I wonder what will happen if the SPF (Federal Public Service) does not take any action to the order of the Belgian DPA keeping in mind that the Belgian Data Protection Act does not allow to fine a public authority like the SPF. In other words what are the options for the Belgian DPA to enforce a public service to act? | |||
==Further Resources== | ==Further Resources== | ||
Revision as of 06:50, 2 April 2021
| APD/GBA - Decision 38/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5 GDPR Article 6 GDPR Article 17 GDPR Belgian corporate law Belgian law establishing the national data protection authority (LCA) |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 23.03.2021 |
| Published: | 25.03.2021 |
| Fine: | None |
| Parties: | A company associate (plaintiff) The federal public service of Belgium "SPF Belgique" (defendant) |
| National Case Number/Name: | Decision 38/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Official website of the Belgian data protection authority (in FR) |
| Initial Contributor: | Maïlys Lemaître |
The Belgian DPA reaffirmed the standard conditions for minimization of data (Article 5(1)(c) GDPR) in relation with the lawfulness of the data processing (Article 6 GDPR) and underlines that a data subject's request for erasure of their personal data pursuant to Article 17 GPDR must be granted if the data processing is not lawful to begin with.
English Summary
Facts
The plaintiff, an associate in a limited company, had decided with their co-associate to reduce their company's capital, for which a publication in the Belgian State Journal (Moniteur belge) is an obligation under the Belgian corporate law. The notary mandated by the associates to do the publication in their name not only informed about the reduction of capital but also mistakenly indicated the amount reimbursed to the associates as well as their personal bank account number. The plaintiff asked the notary to proceed to the erasure of these complementary and in their eyes unnecessary information. Following this, the notary requested that the Belgian federal public service (SPF, the defendant), responsible for the journal, erased the plaintiff's data of whom he acted on behalf of. The request was met with a refusal, the SPF mostly arguing that whatever the data published, since they were linked to publication required by the law, they could not be erased. After further exchanges and with the SPF still refusing to erase the concerned data, the plaintiff lodged a complaint with the Belgian DPA, mainly claiming that the SPF had no actual legal basis pursuant to Article 6 GDPR for processing the litigious data.
Dispute
Can a legal obligation under national law justify the processing of data that may be unnecessary for the intended purposes of the processing?
Holding
Before giving its decision on the question in dispute, the Belgian DPA reminded the defendant that the plaintiff's notary's mistake of publishing unnecessary data, was no reason for justifying that the defendant should not be held liable for a possible unlawful processing, as the SPF argued. A data controller always being accountable for the data they process, no matter in what way obtained, the liability of the defendant could indeed also be sought in this case.
Thereupon, the DPA states that even if the publication was an obligation under the applicable corporate law and the data processing herewith found its legal basis in Article 6(1)(c) GDPR, the principle of minimization of data pursuant to Article 5(1)(c) could not be undermined as it had been by the defendant. It is not because a data processing is justified by the law, that its controller can process data within its framework as pleases them. Saying otherwise would mean questioning the very essence of the principle of minimization. Thus, the plaintiff was right in claiming that the processing of the data linked with the publication had no legal basis as per Article 6 GPDR, since the data was not necessary for the defined purposes, and that it meant that the defendant had not been within their right to refuse an erasure of the plaintiff's data pursuant to Article 17 GPDR. The DPA therefore issued a reprimand towards the defendant according to their powers resulting from the Belgian law establishing the national data protection authority and ordered them to grant the plaintiff's request and erase the litigious data.
Comment
I wonder what will happen if the SPF (Federal Public Service) does not take any action to the order of the Belgian DPA keeping in mind that the Belgian Data Protection Act does not allow to fine a public authority like the SPF. In other words what are the options for the Belgian DPA to enforce a public service to act?
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision as to font 38/2021 - 1/24
Litigation Chamber
Decision on the merits 38/2021 of 23 March 2021
File No .: DOS-2020-00404
Subject: Complaint against the Belgian Monitor for basic lack of legality and refusal of erasure
of personal data published in the Annexes to the Belgian Official Gazette
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this
composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of individuals with regard to the processing of personal data and the
free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection
data), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20
2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
Took the following decision regarding:
The complainant: Mr X., represented by his counsel Maître Sari Depreeuw, lawyer, whose law firm
is established at 1050 Brussels, avenue Louise, 81 (hereinafter the complainant)
The defendant: The FPS Justice established at 1000 Brussels, Boulevard de Waterloo 115, represented
by Mr. Jean-Paul Janssens, Chairman of the Management Committee
(hereinafter the defendant) Decision on the font 38/2021 - 2/24
1. Feedback from the procedure
Having regard to the complaint lodged on January 21, 2020 by the complainant with the Data Protection Authority
(APD);
Considering the decision of February 20, 2020 of the Front Line Service (SPL) of the APD declaring the complaint
admissible and its transmission to the Litigation Chamber;
Having regard to the letter of March 5, 2020 from the Litigation Chamber informing the parties of its decision to
consider the case to be ready for treatment on the merits on the basis of Article 98 LCA and their
providing a timetable for the exchange of conclusions;
Having regard to the main conclusions of 6 April 2020 from the defendant;
Having regard to the conclusions of the complainant of April 21, 2020;
Having regard to the respondent's submissions of May 6, 2020;
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on August 20, 2020;
Having regard to the hearing during the session of the Litigation Chamber of October 9, 2020 in the presence of Masters
S. Depreeuw and O. Belflamme, representing the complainant and Mr. A. Hoefmans, director of
the Data Protection Unit of the FPS Justice and Mr. W. Verrezen, Director of the Belgian Monitor
both representing the defendant;
Having regard to the minutes of the hearing and the observations made thereon by the parties who have
been attached to these minutes. The Litigation Chamber notes that in terms of its comments, the
defendant announces that she realized during the hearing that the royal decree of 30
January 2001 repeatedly cited in terms of submissions in support of its defense had been replaced
by a new royal decree of April 29, 2019, (M.B., April 30, 2019) adopted after the entry into force
of the GDPR. The defendant specifies that this new royal decree has not changed the content of Article 11.5
1
invoked, now replaced by Article 1-9 § 5.
1Article 1-9 § 5: Correction of an error made in an act, an extract of an act, a decision or a document
published in the Annexes to the Belgian Official Gazette is filed and published in accordance with the preceding paragraphs. The
rectification of an error made in a document the filing of which was published by mention in the Annexes of
Belgian Monitor is operated by filing at the registry in accordance with the preceding paragraphs, one or more pages
corrected or additional, bearing the words "rectification", attached to a page with the details provided
in paragraph 2, subparagraph 4 and indicating the document to which the rectification relates. Corrected pages or
additional documents are entered in the file. The submission of corrected or additional pages gives rise to publication by
extracted from the Annexes of the Belgian Official Gazette. Decision as to font 38/2021 - 3/24
2. Facts and subject of the claim 2
1. The complainant is a shareholder of SPRL Bureau X. The complainant holds the vast majority of
shares of the SPRL, its partner by holding a very small minority.
2. The shareholders of the company - including the complainant - decided to reduce the capital by
the company whose articles of association have, following this operation, been amended by a decision of
the extraordinary general meeting in early 2019 (article 316 of the Companies Code).
3. In February 2019, an extract from this decision was published in the Annexes to the Belgian Monitor, available
both in hard copy and in electronic version available on the Internet.
4. The extract published in the Belgian Official Gazette contains the decision to reduce the capital of the company, the amount
initial capital, the amount of the reduction with mention of the new amount of the share capital and
of the new text of the statutes. These are in fact the elements required by Article 69 combined with
Article 74 of the Companies Code.
5. In addition, the extract mentions, among other things, the names of the two partners (including the complainant), the amounts
that were reimbursed to them as well as their bank account numbers.
6. This part of the extract published in Dutch (point 5 above) is reproduced below:
(…)
- aan de heer X, voornoemd, door uitbetaling op de rekening met nummer (..) op zijn
naam van het bedrag van (..);
- aan de heer Z, voornoemd, door uitbetaling op de rekening met nummer (..) op zijn
naam, van het bedrag van (..)
Free translation
- to Mr X, mentioned above, by payment to account number (..) to his
name in the amount of (..);
- to Mr. Z, mentioned above, by payment to account number (..) to his
name, in the amount of (..)
(Hereinafter the disputed passage)
2
Since the capital reduction took place before the entry into force of the new Companies and Companies Code
associations, the Companies Code of May 7, 1999 is applicable to the facts of the case. Decision as to font 38/2021 - 4/24
7. This extract was prepared by the complainant's notary in application of the Companies Code (article 74
paragraph 1, 1 ° juncto article 69, paragraph 1, 5 °) and then transmitted by the latter to the registry of the court
of the company within the territorial jurisdiction of the company to be published in the Annexes of the Belgian Monitor. 4
8. Considering that his notary had committed an error by including the disputed passage in the
request for publication of the extract from the capital reduction decision, the complainant has, by
the intermediary of his notary and his data protection officer (DPO), initiated
steps aimed at obtaining the deletion of this contentious passage from the defendant.
9. On March 28, 2019, the DPO of the plaintiff's notary sent an email to the defendant's DPO
inviting the latter to delete the two paragraphs cited above in execution of the right to
the erasure of the complainant (art. 17 GDPR). Concretely, the DPO of the complainant's notary has, for
the account of the latter, requested (a) the deletion of the publication of the extract containing the
contentious passage and (b) its replacement by the publication of an extract without this contentious passage.
10. On April 10, 2019, the Respondent replied in the negative to the Complainant's request. His refusal
was based on the exception provided for in Article 17.3 of the GDPR (right to erasure) and its article
5
86. The defendant's DPO, instead of the requested erasure, suggested that a
new publication of the extract - without the disputed passage - be made, the initial publication remaining
as for it intact.
11. On April 11, 2019, the DPO of the complainant's notary replied to the respondent that his position was
irrelevant and insisted on deleting the publication of the excerpt containing the passage
contentious.
12. In an e-mail of April 30, 2019, the defendant's DPO made arguments
additional to justify its refusal to erase the disputed passage.
3 Article 74: The following are filed and published in accordance with the preceding articles: 1 ° acts bringing about changes
the provisions of which this code prescribes publication.
Article 69 paragraph 1, 5 °: The extract from the deed of incorporation of companies, with the exception of interest groups
economic, contains: 5 ° where applicable the amount of the share capital; the amount of the part released; the amount
authorized capital; for limited partnerships, the amount of securities released or to be released in limited partnership
and for cooperative societies, the amount of the fixed part of the capital.
4The formalities for publication by the Belgian Official Gazette were provided for in the Royal Decree of 30 January 2001 relating to
execution of the Companies and Associations Code, in particular in Article 11, which has replaced it as well as
was specified in the retroacts of the procedure, the Royal Decree of April 29, 2019 implementing the Code of
companies and associations.
5 Article 86 of the GDPR: Processing and public access to official documents:
Personal data contained in official documents held by a public authority or by
a public body or a private body for the performance of a mission of public interest may be
communicated by that authority or body in accordance with Union or Member State law
to which the public authority or public body is subject, in order to reconcile the public's right of access to documents
officials and the right to the protection of personal data under this Regulation. Decision as to font 38/2021 - 5/24
13. On April 30, 2019, the DPO of the complainant's notary requested an opinion from the APD. On July 5, 2019, the SPL
of the APD thus recalled in particular (1) that a royal decree (i.e. the royal decree of 30 January 2001
invoked by the defendant in support of its refusal to erase) cannot take precedence over a
European regulation (i.e. on the GDPR) as well as (2) the conditions of the right to erasure.
14. Several requests were subsequently made by the complainant's notary on July 8.
2019, October 25, 2019, November 19, 2019, and January 8, 2020 without success. The disputed extract does not have
been withdrawn from the Belgian Official Gazette.
15. On January 21, 2020, the complainant filed a complaint with the APD.
16. Pursuant to his complaint, the complainant denounces the following:
(1) a breach of Article 6 of the GDPR on the part of the defendant for publication of its
personal data on the Internet without a basis for lawfulness.
(2) A breach of Article 17 of the GDPR on the part of the defendant for not having
deleted their personal data following the exercise of their right to erasure.
17. Pursuant to his conclusions of April 21, 2020, the complainant asks the Litigation Chamber
to say as a right that his complaint is founded and that the legal conditions of the right to erasure
are met in accordance with Article 17.1. of the GDPR. The complainant requests that it be ordered to
the defendant to comply with the exercise of its right to erasure and to erase the data to
personal character concerning him (in particular names, bank account numbers and
amounts paid both to himself and to his partner) within 10 working days after the
notification of the DPA's decision under penalty of a fine for each day of delay, the amount of which
er
is to be determined by the DPA under Article 100 § 1, 6, 10 and 12 of the LCA. The complainant y
also denounces a breach of Article 5.1. c) and Article 5.1. e) of the GDPR.
18. The Litigation Chamber would like to point out from the outset that within the framework of the
compliance with the GDPR entrusted to the APD (for which it is the administrative litigation body) both by the
European legislator (article 58 of the GDPR) that by the Belgian legislator (article 4 LCA), it will examine
the facts reported by the complainant both under the articles of the GDPR referred to in the form
complaint that he lodged on January 21, 2020 under one of the articles of the GDPR that he referred to in a
second step by way of its conclusions of April 21, 2020.
19. Indeed, the Contentious Chamber decides here, as it had already done in its Decision 19/2020,
that the complainant cannot be required to identify clearly, precisely and exhaustively the
legal provisions in support of which he files his complaint. This work of qualification of the facts - Decision as to the font 38/2021 - 6/24
constituting breaches of current data protection regulations
if necessary - returns to the Inspection and the Litigation Chamber. 6
20. After nearly two years of operation, the Litigation Chamber notes that the
complainants who file a complaint with the DPA are not necessarily familiar with the provisions
of the GDPR or other specific legislation that would apply to the facts they
report and which they believe are contrary to the applicable regulations on
protection of personal data. The Litigation Chamber is of the opinion in this regard that it
cannot be required of them to have this knowledge in order to make a complaint.
21. If the Contentious Chamber were to refuse to examine grievances brought by the complainant in
during the proceedings relating to the facts denounced in his complaint, it would considerably reduce, or even
would seriously jeopardize the effectiveness of the exercise of the right to lodge a complaint recognized in Article
77 of the GDPR. To assert the contrary would amount to requiring the complainant to identify, under its
complaint, all grievances relating to the facts he denounces. This would erode, the Litigation Chamber holds
to underline it, in an unacceptable way the right to lodge a complaint and more generally, the right
fundamental to data protection which, in order to be effective, must be able to be controlled by
supervisory authorities, in particular through the complaints it receives. Control of the law
fundamental to the protection of data by an independent authority participates in
the essence of this right and is enshrined in Article 8.3. of the Charter of Fundamental Rights. Once
again, to affirm the contrary would also come back, de facto (and starting from the observations that can
make the Litigation Chamber over its almost two years of operation), to be required of the complainant
whether he is assisted by a lawyer or any other legal advisor (as soon as he lodges his complaint),
which cannot condition the exercise of a fundamental right with the authority for the protection of
data. The Litigation Chamber is also of the opinion that as far as possible, the right to bring
complaint must, like the exercise of other rights recognized by the GDPR (Chapter III), be free
(article 12.5 of the GDPR). Finally, the supervisory authorities must also facilitate the exercise by
data subjects of their rights, including the right to lodge a complaint (article 57.2. of
GDPR).
22. In the present case, the facts not being in dispute and not requiring clarification
complementary, the Litigation Chamber has not, as permitted by Article 94.3 ° LCA,
recourse to the Inspection. The lack of recourse to the Inspection once the facts are clearly
established cannot have the consequence of depriving the Litigation Chamber of examining the facts
denounced by the complaint with regard to all the relevant complaints as far as they are
6 See. in this regard, the note on the role of the complainant available on the APD website:
https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-position-du-plaignant-dans-la-
procedure-within-the-litigation-chamber.pdf Decision as to the case 38/2021 - 7/24
legal arguments related to the facts reported in the complaint and respecting the debate
contradictory as it pointed out in its Decision 17/2020 (points 20-28).
23. In the present case, the complaints alleging non-compliance with Article 5.1. c) (principle of minimization) and article
5.1.e) (principle of limited retention) of the GDPR brought by the complainant by way of conclusions
are, moreover, without prejudice to the foregoing, intrinsically linked to the question of the existence
or not on a basis of legitimacy (Article 6 of the GDPR) raised from the outset by the terms of the complaint.
Indeed, in the absence of a basis of legitimacy (article 6 of the GDPR) authorizing the processing of data, the
controller does not respect the principle of minimization either, which requires that only
adequate, relevant and limited data to what is necessary for the achievement of the purpose
pursued are processed. By refraining from following the complainant's right to erasure
(raised from the outset by the complaint), the data controller (potentially) infringes
also to the principle of the limited retention period of the processed data.
24. Accordingly, any argument according to which the defendant was not, in this case, warned as soon as
the initiation of the proceedings for what was alleged against him must be ruled out here.
25. The defendant asks the Litigation Chamber to dismiss the complainant's complaint,
according to her, no breach of the GDPR can be noted.
3. The hearing of October 16, 2020
26. At the hearing on October 16, 2020, the parties had the opportunity to present their point of view,
referring very broadly to their previously communicated conclusions.
27. More specifically, the following elements emerged from that hearing:
- The complainant's counsel clarified that personal data directly
relating to his partner should also be considered as personal data.
personal character concerning him and that therefore his request for erasure involved
also on these (see point 17 above).
- The parties have indicated that they agree that the publication of the data
personal data of the complainant appearing in the disputed passage were not covered by
the disclosure obligation provided for in the Companies Code.
- The defendant confirmed its status as data controller.
- The defendant indicated that it was not authorized to sort between the data whose
publication is required by the Companies Code and those whose publication is
regularly desired. Indeed, it is not uncommon for natural persons or Decision to make 38/2021 - 8/24
legal entities wish to add data to the publication, data whose publication
is not legally required by the Companies Code for example. The defendant has
added that in practice, this sorting is also impossible to carry out given the number
extracts of documents to be marginally checked daily (only the presence of
certain mentions and format are verified). 7
- Via a request for rectification, the rectified publication necessarily refers to the
publication that it corrects (and in this case, the one looking for the publication can
find via the date mentioned on the rectification notice).
28. Full minutes of this hearing were drawn up and communicated to the parties as
specified in the retroacts of the procedure.
PLACE
4. As to the breaches on the part of the defendant
As a preliminary
29. The Contentious Chamber notes that the defendant qualifies itself as data controller. In
8
within the framework of its own discretion with regard to this qualification, the Chamber
Litigation also retains this qualification considering that in view of the disputed passage from
the extract published, the defendant did indeed act in that capacity, by defining both the purpose
than the means (article 4.2 of the GDPR).
30. The Contentious Chamber notes that the defendant repeatedly emphasizes that the error
generator of all the procedure leading to this decision was committed by the notary
of the complainant when sending the document to be published in the Annexes to the Belgian Monitor.
7 Extract from the hearing report:
The file is processed by the Company Court before being sent for publication in the Moniteur. By "treat", it is necessary
here hear that the company court registry scans the document, adds the necessary references
(number,…) and operates a purely formal check of the document submitted (is it dated?, signed? etc.). Circular
specifies that the registry must limit itself to this formal control without being able to modify the content of the document. This content
is the responsibility of the notary who made the deposit. The registry processes 800 to 900 acts per day. He has 24 hours
to accept the file and 48 hours to send it to the Belgian Monitor.
8
See. in this regard, European Data Protection Board (EDPS), Guidelines 07/2020 on the concepts of
controller and processor in the GDPR, version 1.0. September 2, 2020.
These guidelines have been submitted for public consultation and are subject to change
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf. Voy
also decision 81/2020 of the Contentious Chamber (point 46). Decision as to font 38/2021 - 9/24
31. The defendant admittedly intervened following the complainant's notary, who prepared the deed for
publish which contains the disputed passage and forwarded it to him. There was no less intervention
successive of two separate data controllers, the notary first, the defendant
then, operating a separate process. 9
32. Even if the initial error was made by the complainant's notary, compliance with the GDPR is required
for each treatment operated. Therefore, the error made by a first controller
does not cover a breach of the GDPR for which the "subsequent" data controller (for
to use the words invoked by the defendant) would be guilty. This notion of
responsible for "subsequent" processing is also not enshrined in the GDPR. In this case
Litigation Chamber simply notes a successive intervention by two officials of
treatment. It is true that the defendant was initially the recipient of the data within the meaning of Article 4.9.
of the GDPR, but this quality does not exclude that in turn, it has intervened in the capacity of
treatment.
4.1. As regards the breach of article 6 of the GDPR (lawfulness of the processing) and article 5.1. c) (principle
minimization)
33. The Litigation Chamber recalls that pursuant to Article 6 of the GDPR, the processing of data
of a personal nature is only lawful if, and to the extent that, it is based on one of the bases of
lawfulness listed in Article 6 of the GDPR.
34. It is not disputed that the extract published in the Annexes to the Belgian Monitor includes data from
personal character relating to the complainant within the meaning of Article 4.1. of the GDPR and therefore this
publication must be based on one of the lawful bases of Article 6 of the GDPR. Bedroom
Litigation specifies in this regard that, as the complainant alleges, the personal data
personnel relating to the latter include both their identity, account number and
the amount paid to him as the same information relating to his partner. All
this information should be considered as personal data relating to
to the complainant.
Defendant's position
35. The defendant states that the complainant does not specify when he considers that he has observed a
breach of Article 6 of the GDPR. The defendant argues for its part that both
concerns the publication in the Annexes of the Belgian Official Gazette in February 2019 that with regard to the
9
See. also decision 81/2020 of the Contentious Chamber (point 46). Decision as to font 38/2021 - 10/24
period following the complainant's subsequent erasure request, it is the basis for processing
data of the latter on a valid legal basis in compliance with Article 6 of the GDPR.
36. Regarding the publication in February 2019, the defendant declares, in terms of its first
conclusions at the very least, be able to rely on three bases of lawfulness: (1) the consent of the
10
complainant (article 6.1 a) of the GDPR combined with article 7 of the GDPR), (2) article 6.1 c) of the GDPR in
that the publication results on the part of the defendant from the necessary execution of a
legal obligation arising from article 73 paragraph 2 of the Companies Code and the Royal Decree of April 29
2019 implementing the Companies and Associations Code and finally, (3) Article 6.1 e) of
11
GDPR in that the publication of information transmitted by the complainant's notary falls under
the public interest mission of official documentary source carried out by the Belgian Official Gazette in
application of the Law of February 28, 1845 prescribing a new method of sanction and promulgation
of the laws and of the Law of May 18, 1873 containing Title IX, Book I, of the Commercial Code relating to
companies. The defendant also specifies that the exercise of this public interest mission falls within
in the context of the aforementioned article 86 of the GDPR relating to public access to official documents.
37. It was recalled in Title 3 above, that during the hearing, the representatives of the Respondent
explained that the defendant was, according to instructions received by way of circular, not
authorized to sort the data required by the Companies Code on the one hand
or any other text whose publication is requested and on the other hand, those, additional, that
some would like to see it published despite the fact that their publication is not legally
required. They also indicated that in addition, in practice, this sorting is not possible given the
number of excerpts from deeds to be published daily.
38. Regarding the maintenance of the publication after the request for erasure of the complainant, the
the defendant considers that it can continue to rely on Article 6.1 c) of the GDPR. She invokes the article
1-9 § 5 of the Royal Decree of April 29, 2019 implementing the Companies and Associations Code
which provides for a rectification procedure in the event of an error made in a document published in
Annexes to the Belgian Official Gazette, excluding any possibility of outright erasure of an act
published. The absence of any legal prescription obliging (even authorizing) the Belgian Monitor, in its capacity as
controller, to erase the document or the data relating to the complainant contained therein, do not
therefore does not compromise, again according to the defendant, the legality of the continued publication of
data of the disputed extract after the erasure request.
10 Article 6 § 1 c) of the GDPR: Processing is only lawful if, and insofar as, at least one of the conditions
following is fulfilled: (…) c) the processing is necessary for compliance with a legal obligation to which the
controller is submitted.
11 Article 6 § 1 e) of the GDPR: Processing is only lawful if, and insofar as, at least one of the conditions
following is fulfilled: (...) e) the processing is necessary for the performance of a task of public interest or relevant
the exercise of public authority vested in the controller. Decision as to font 38/2021 - 11/24
39. As to the principle of minimization (article 5.1.c) of the GDPR), the defendant emphasizes that this
violation relates to the processing carried out by the notary and not to that which he carried out in application
of its legal obligation recalled above (point 35) which does not allow it to modify the content
of what is transmitted to him by the notary.
Complainant's position
40. The complainant, for his part, considers that the publication of the disputed passage in the Annexes to the Monitor
Belgian contravenes Article 6 of the GDPR in that no basis of lawfulness can validly be
invoked by the defendant to justify the publication of the personal data of the passage
litigation that appear therein, regardless of the moment at which one places oneself to establish the existence of
this basis of legality.
41. The Complainant argues in this regard that, contrary to what the Respondent argues, there is no
of his consent to the publication of the disputed data (article 6.1 a) of the GDPR),
this publication resulting from an error. The defendant cannot either, always according to the
complainant, rely on Article 6.1 c) of the GDPR which authorizes the processing of data only
necessary to comply with a legal obligation, whereas in this case, the publication of data
litigation goes beyond what is required by the relevant articles of the Companies Code following
a capital reduction. In this regard, the defendant highlights the ratio legis of the
publication in the Belgian Official Gazette. This serves a dual purpose of informing and protecting
third parties in relation to the company with which they interact on the one hand and to protect the company
itself, which can thus make its internal decisions enforceable against third parties on the other hand. The goal
protection of third parties is particularly important in the event of a capital reduction when the
society is impoverished and creditors' guarantees weakened. The publication of the reduction in
capital, marks in this regard the starting point of a period of 2 months from which the creditors
may, under certain conditions, require security for their previous claims. The
publication of data relating to shareholders, such as the complainant, which reveals how the
repayment of the principal amount has been made and to which bank accounts the amounts
have been paid is irrelevant with regard to this advertising objective (not required by the Code
companies). The complainant also disputes that the defendant can, like the latter
invokes it, rely on Article 6.1 e) of the GDPR, the condition of "necessity" for the execution of
its mission of public interest not being met in this case.
42. Finally, the complainant considers that since the personal data contained in the passage
disputed were neither relevant nor necessary for the advertising purpose required by the Code of
companies, (i.e., as stated above, informing third parties and protecting creditors), there is a Decision as to font 38/2021 - 12/24
breach of the principle of minimization enshrined in Article 5.1.c) of the GDPR in the area of
defendant.
Position of the Litigation Chamber
43. The Contentious Chamber recalls, as already mentioned in points 33 and 34 above, that all
data processing must be based on one of the lawful bases provided for in Article 6 of the GDPR and
12
that a basis of lawfulness must exist as long as the processing lasts.
44. The Litigation Chamber also recalls that it is the responsibility of the controller to identify
a single legal basis on which it bases its processing. This requirement is also part of the
principles of loyalty and transparency which it is responsible for implementing (Article 5.1.a) of
13
GDPR - explained in recital 39 of the GDPR). Different consequences arising from one
or the other basis of lawfulness, in particular in terms of rights for the persons concerned, it is not
not allowed that the controller invokes one or the other depending on the circumstances. AT
by way of illustration, the controller cannot, as in this case, both consider
that it bases the processing on the consent of the data subject (Article 6.1.a) of the GDPR) and
on its legal obligation (article 6.1.c) of the GDPR). Consent can in fact be withdrawn at any
time and if it does not have the effect of compromising the validity of the processing carried out before the withdrawal
consent (article 7.3. of the GDPR), it no longer allows, a priori, the person responsible for
processing to continue processing for the future (Article 17.1.b) of the GDPR). By declaring to found
processing based on its legal obligation (article 6.1.c) of the GDPR), the person responsible for
processing excludes in principle any possibility of opposition to processing, withdrawal of consent
cannot be invoked nor the right of opposition reserved for the cases of Article 21.1. of the GDPR
either to the processing of personal data based on Article 6 (1), point
e) or f) and not on Article 6.1.c) of the GDPR. By also invoking Article 6.1.e) of the GDPR as
possible basis - which in turn precisely allows the exercise of a right of opposition to the
data subject -, alongside article 6.1.c) of the GDPR which does not allow it, the person responsible
treatment is causing great confusion. In general, by invoking grounds of lawfulness
distinct, the controller who acts in this way creates a certain vagueness in terms of exercise
the rights of data subjects.
45. Without prejudice to the foregoing, since the Respondent considers that it can rely on no
less than 3 bases of lawfulness on which to base the data processing at the time of publication in February
12
If a data controller should be required to modify its basis of legitimacy during the processing, it does not
could do so only on the condition of respecting all the conditions of application of this base and should also
inform the data subject and comply with all other applicable GDPR provisions as if, in
sort of starting from scratch with regard to that treatment.
13
See. in this regard, articles 13.1.c) of the RGPD and 14.1.c) of the RGPD. Decision as to font 38/2021 - 13/24
2019, the Contentious Chamber will examine below whether one of them can actually validly
found the publication of the disputed passage.
46. As to article 6.1.c) of the GDPR also invoked by the defendant, the Litigation Chamber
recalls that it can only be used when it grounds "a processing (of personal data)
necessary to comply with a legal obligation ", each word of this assumption being important.
47. In the course of its defense, the defendant drew the attention of the Litigation Chamber to the
makes no mistake about the application of Article 6.1.c) of the GDPR in this case.
The legal obligation to be taken into account is that of publication to which the Belgian Official Gazette is bound
pursuant to Article 73 paragraph 2 of the Companies Code and the Royal Decree of April 29, 2019 already
cited and which, specifies the defendant, required him to publish as is what the notary had transmitted to him
without the services of the Belgian Official Gazette being authorized to sort out what is
actually required to publish in application of the Companies Code and what would go beyond (see.
points 27 and 37 above). This is, according to the defendant, the legal obligation to which it is
outfit. Therefore, the fact that the published data is not required by the Companies Code is
according to the defendant indifferent: their publication in the Annexes of the Belgian Monitor is the result of
the legal obligation of the defendant.
48. The Litigation Chamber cannot subscribe to this reasoning which it considers contrary to the condition
of necessity set out in Article 6.1.c) of the GDPR and which, according to it, also amounts to denying any
implementation of the principle of data minimization in violation of Article 5.1 c) of the GDPR which
requires that only adequate, relevant and limited to what is
necessary for the purposes pursued.
49. This condition of necessity of the processing is found again formulated in all the bases of lawfulness (to
except that of consent), from littera b) to littera f) of article 6 of the GDPR.
50. In its Huber judgment, the Court of Justice of the European Union (CJEU) has, in view of this
condition of necessity, specified:
that "having regard to the objective of ensuring an equivalent level of protection in all
14
Member States, the concept of necessity as it results from Article 7 (e) of Directive
95/46, which aims to delimit precisely one of the hypotheses in which the processing of
personal data is lawful, cannot have a variable content depending on the
Member States. Therefore, it is an autonomous concept of Community law which must
14 Member States provide that the processing of personal data can only be carried out if:
(...) e) it is necessary for the performance of a mission of public interest or falling within the exercise of public authority
with which the data controller or the third party to whom the data is communicated is invested. Decision as to font 38/2021 - 14/24
receive an interpretation that fully responds to the purpose of this directive, such as
st 15
defined in Article 1, paragraph 1, thereof "(Emphasis is placed on the Litigation Chamber).
16
51. According to the conclusions he filed in this case, the Advocate General explains to this
considering that "the concept of necessity has a long history in Community law and it is
established as part of the proportionality test. It means that the authority which adopts
a measure which infringes a fundamental right in order to achieve a justified objective must
demonstrate that this measure is the least restrictive allowing this objective to be achieved. Otherwise,
whether the processing of personal data may be likely to infringe the fundamental right to
respect for private life, Article 8 of the European Convention for the Protection of Human Rights
and fundamental freedoms (ECHR) which guarantees respect for private and family life, becomes
also relevant. As the Court stated in Österreichischer Rundfunk and others, if a
national measure is incompatible with Article 8 of the ECHR, this measure cannot satisfy
the requirement of Article 7 (e) of the Directive. Article 8 (2) of the ECHR provides
that an interference with privacy can be justified if it pursues one of the objectives therein
listed and "in a democratic society, is necessary" for any of these purposes. The courtyard
European Human Rights Council has ruled that the notion of "necessity" implies that a "need
imperative social "is in question".
52. This case-law, formulated admittedly in the light of Article 7 (e) of Directive 95/46 / EC, applies to
all the bases of lawfulness which retain this condition of necessity. She remains today
relevant even though Directive 95/46 was repealed since this condition of necessity
is maintained under Article 6.1 b) to f) of the GDPR. Article 6.1 of the GDPR in fact reiterates
the terms of Article 7 of Directive 95/46 / EC, of which it is the equivalent. 17
53. The Article 29 Group also referred to the case law of the European Court of
18
human rights (Eur. D.H. Court) to identify the requirement of necessity and concludes that the adjective
15
CJEU, December 16, 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, para. 52.
16
Opinion of Advocate General Poiares Maduro delivered on 3 April 2008 in the proceedings before
the CJU resulting in the judgment cited in footnote 15 above (C-524/06).
17
Note that the only differences to be noted are the addition to Article 6.1.d) of the GDPR of the vital interest of another
natural person as the data subject as well as the deletion in Article 6.1.e) of the GDPR of the "third party to which
the data is communicated ", the mission of public interest or falling within the exercise of public authority before
be that of the sole controller. In addition, a slight wording difference exists between the article
7.1. f) e Directive 95/46 / EC and Article 6.1. f) of the GDPR without modifying the scope of this provision.
All these modifications do not affect the condition of necessity.
18 Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the person responsible
of data processing within the meaning of Article 7 of Directive 95/46 / EC, WP 217. Decision on policy 38/2021 - 15/24
"Necessary" therefore does not have the flexibility of terms such as "admissible", "normal", "useful",
"Reasonable" or "expedient". 19
54. In support of the foregoing, the Contentious Chamber concludes that the assessment by the defendant
of what is "necessary for the performance of its legal obligation" cannot be disembodied from the
20
purpose pursued by the publicity required by the Companies Code. In its Manni judgment, the CJEU
specifies in this sense that in order to determine whether Member States are required to provide for
data subjects the right to request from the authority responsible for maintaining an official register
(Commercial register - mention of bankruptcies in this case), to erase or lock the data
entered in this register or to restrict access to it, the purpose of
registration in the said register.
55. To assert the contrary, as the defendant defends, would amount to agreeing to exempt it from
any examination of the relevance of the data it publishes even though, on the contrary, the setting
implementation of this founding principle of data protection provided for in Article 5.1.c) of the GDPR
returns to him in his capacity as data controller.
56. Abundantly, the Contentious Chamber draws attention to the fact that in this case, the data
published have a relatively direct link with the operation to reduce the capital (which
could give their publication an "appearance of legitimacy" or at the very least induce a
some understanding for the defendant's position). However, the Litigation Chamber
wishes to alert its readers to the fact that the Respondent's conception of what it is
should be understood by "processing necessary for a legal obligation", could, to follow the
defendant, to be invoked with regard to the publication of any superfluous data, also harmless,
delicate or sensitive (including within the meaning of Articles 9 and 10 of the GDPR) whatever it is.
57. In conclusion on this point of Article 6.1.c) of the GDPR, the Litigation Chamber is of the opinion that the
only useful interpretation capable of giving full effect to the notion of necessity such as
imposed by the CJEU case law is that which consists in qualifying as "necessary for the obligation
of the defendant "the only data necessary for the purpose of the publicity measure
pursued by the Companies Code (articles 69 and 74) which requires publication in the Belgian Official Gazette
19Court eur. D.H., March 25, 1983, Silver and others v. United Kingdom, para 97.
20 See. also Opinion 06/2014 of the Article 29 Group on the notion of legitimate interest pursued by the person responsible
data processing within the meaning of Article 7 of Directive 95/46 / EC, WP 217 of April 9, 2014 (page 21):
"For Article 7 (c) to apply, the obligation must be imposed by law (and not, for example, by
a contractual cause). The law must fulfill all the conditions required to make the obligation valid and
binding, and must also comply with applicable data protection law, in particular
to the principles of necessity, proportionality and delimitation of finality ”.
21
CJEU, March 9, 2017, Camera di Comercio v. S. Manni, C-398/15, para 48. Decision on the font 38/2021 - 16/24
by the defendant. Amounts paid to partners and their account number not being
part of the data listed in these articles and not likely to participate in the advertising objective
prosecuted, they are not necessary to comply with the legal obligation of the defendant. Leaving,
the Contentious Chamber concludes that the defendant cannot rely on Article 6.1. c) under
basis of lawfulness for their treatment in this case.
58. As to article 6.1.e) of the GDPR also invoked by the defendant, the Litigation Chamber
considers that it cannot be accepted in this case either. As in the case of Article 6 .1.c),
the necessity test must be met. It must certainly be appreciated here in the light of the mission of
source of official documentation of the defendant. In this regard, the defendant relies on two
legal texts, i.e. the Law of February 28, 1845 prescribing a new method of sanction and
promulgation of the laws and the Law of 18 May 1873 containing Title IX, Book I, of the Code of
trade relating to companies. The Litigation Chamber does not dispute that the mission of
publication continued by the defendant through the publications (in the Annexes) of the Monitor
Belgian law constitutes a public interest mission within the meaning of Article 6.1.e) of the GDPR. However, as
this has just been recalled with regard to Article 6.1.c) of the GDPR above, only the processing of
data necessary for the realization of this public interest can be qualified as lawful in support of
Article 6.1.e) of the GDPR. In this case, the publication of the personal data of the complainant contained
in the disputed passage is no more necessary for this interest than for the fulfillment of the obligation
of the defendant and this for the reasons already set out (see point 56 in particular).
59. As to article 86 of the GDPR, also invoked by the defendant in support of its mission of interest
public, the Litigation Chamber shares the complainant's analysis that the relevance of this
reference is not obvious. Likewise, it is of the opinion that, given this access, it is all the more
more essential that the defendant ensure that only the necessary personal data are
published.
60. The application of Articles 6.1. c) and 6.1.e) being excluded, it remains for the Litigation Chamber to
examine whether the processing of personal data relating to the complainant could, as defended
the defendant, to rely in this case on the consent of the complainant.
61. It is certain, as pointed out in recital 43 of the GDPR as well as the European County of the
22
data protection in its Guidelines 05/2020, that it is not likely that
public authorities can rely on consent for the processing of personal data
personal character. Indeed, when the controller is a public authority, he
there is often a clear imbalance in the balance of power between the controller
22 European Data Protection Committee (EDPS), Guidelines 5/2020 on consent within
of Regulation (EU) 2016/679, adopted on May 4, 2020:
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_fr.pdf Decision on font 38/2021 - 17/24
and the person concerned who does not meet the condition of freedom of consent.
However, without prejudice to these general considerations, the legal framework of the GDPR does not exclude
fully the use of consent as a legal basis for data processing by
public authorities.
62. In the present case, the Contentious Chamber is of the opinion that consent cannot be the basis for publication
of the contentious extract. In accordance with article 7.1. of the GDPR, it is in fact the responsibility of the
treatment, or the defendant, to demonstrate that it has obtained from the data subject a
valid consent, i.e. consent that meets all the conditions of Article 4.11 of
GDPR. The Contentious Chamber is of the opinion that the defendant does not demonstrate that it has obtained a
such consent on the part of the complainant. Even assuming that the defendant had obtained a
consent valid at the time of publication of February 2019, and to follow, quod not always,
the defendant according to which the complainant had withdrawn his consent without consequence on the
validity of the February 2019 publication, the Contentious Chamber is of the opinion that the defendant
does not have any legal basis for it from the moment this consent has been withdrawn,
Articles 6.1.c) and 6.1.e) cannot be invoked.
63. As to the defendant's argument that some wish to publish more than this
that is not prescribed by the applicable regulations, the Litigation Chamber is of the opinion that in this case,
the publication of such data - accepted and carried out by the defendant as responsible
of processing - would be based on a basis other than that of the fulfillment of its legal obligation
or the performance of its public interest mission, which could be consent (Article 6.1.a)
of the GDPR) (see point 61 above). This must meet all the required qualities (see his
definition in Article 4.11 of the GDPR). It is therefore also for the defendant to draw
all the consequences in terms of rights for the data subjects and the collection of evidence
obtaining consent.
64. In conclusion, it follows from the foregoing that in the present case, no basis of legitimacy is of a nature
to found the publication by the defendant of the disputed extract containing the data of a nature
personnel relating to the complainant. The Litigation Chamber therefore finds a breach of
Article 6 of the GDPR in its turn. This breach is combined with a breach of Article 5.1.c)
of the GDPR. Indeed, in the absence of a legal basis on which to rely, the publication of this data
also ignored the principle of minimization.
4.2. As regards the breach of the right to erasure of the complainant by the defendant (article 17.1
of the GDPR) Decision on the font 38/2021 - 18/24
65. The Litigation Chamber recalls that Article 17.1 of the GDPR provides that the data subject has
the right to obtain from the controller the erasure, as soon as possible, of data
of a personal nature concerning him and that the controller has the obligation to erase these
personal data as soon as possible, when one of the reasons listed in Article 17.1.
of the GDPR applies, the following reason for which:
- d) the personal data have been subject to unlawful processing.
Complainant's position
66. In support of Article 17.1 d) of the GDPR, the complainant considers that the respondent should have given
following his right to erasure on the grounds that the processing of his data under the terms of the passage
litigation is unlawful when it has no legal basis (Article 6 of the GDPR) and the
publication of said data violates Article 5.1.c) of the GDPR. The complainant considers that by
elsewhere, even assuming that the defendant is justified in invoking Article 6.1 e), quod non
according to the complainant, it is under the conditions of Article 17.1 c) of the GDPR. Moreover, in
refusing to erase said data, the defendant also violates Article 5.1.e) of the GDPR which
requires that the retention of personal data be limited to a period not exceeding that
necessary for the achievement of the objective pursued.
Defendant's position
67. The defendant does not dispute that it did not respond to the complainant's request for erasure.
She is of the opinion that no assumption of Article 17.1. of the GDPR does not apply in this case and
that it is justified in relying on the exception in Article 17.3. b) of the GDPR taking into account
the legal obligation incumbent on it, in particular the aforementioned Royal Decree of 29 April 2019 which provides
a rectification procedure excluding any possibility of erasure (article 1-9 § 5). She
adds that since the legislator does not empower him to erase the data of an act published in all
or in part, no breach of Article 5.1.e) of the GDPR can be attributed to it.
Position of the Litigation Chamber
68. The Litigation Chamber is of the opinion that in support of the breach of Article 6 of the GDPR combined with
Article 5.1.c) of the GDPR which it found against the defendant (see point 64 above),
the complainant is effectively in the conditions of Article 17.1. d) of the GDPR which requires
controller to erase personal data unlawfully processed in the
as fast as we can.
23
The data subject objects to the processing under Article 21.1. and there is no legitimate reason
compelling for the processing or the data subject objects to the processing pursuant to Article 21.2. Decision as to font 38/2021 - 19/24
69. However, the right to erasure enshrined in Article 17.1. of the GDPR being subject to exceptions, it
It is up to the Contentious Chamber to verify whether one of the exceptions provided for in Article 17.3. of
GDPR is applicable in this case, more specifically Article 17.3. b) of the GDPR invoked by the
defendant.
70. The Contentious Chamber considers that for the following reasons, the defendant cannot
rely on Article 17.3 b) of the GDPR as an exception to the complainant's right to erasure.
71. This exception provides that the right of the data subject to obtain from the data controller
processing the erasure of personal data concerning him does not apply in the
to the extent that this data processing is necessary to comply with a legal obligation which requires
the processing provided for by Union law or the law of the Member State to which the data controller
processing is subject to or to perform a task of public interest or within the exercise of
the public authority vested in the controller ".
72. As mentioned above, the defendant relies in this regard on the rectification procedure provided for
by the Royal Decree of April 29, 2019 from which, according to her, it must be deduced that it is not authorized by the
national legislator to erase data from official publications. In this, the defendant would be
authorized to invoke Article 17.3. b) of the GDPR to refuse to respond to any request
erasure given its legal obligation which would prohibit any erasure. The treatment
of all published data would therefore, here too, be necessary for the legal obligation incumbent on it to
respect. The Litigation Chamber is of the opinion that it is not because a royal decree does not provide
that a rectification procedure which must necessarily be deduced that any erasure is
prohibited. This prohibition, if it were to exist, should be provided for by law in compliance with the
conditions of Article 23 of the GDPR and cannot be deduced from an absence of reference to this right in
a royal decree. Since the GDPR is directly applicable, it is, failing the exception provided for in the
compliance with the conditions it imposes, of application. The Litigation Chamber therefore notes a
absence of a legal obligation that would allow the defendant to invoke Article 17.3.b) of the GDPR.
73. It has also been shown above that the legal obligation to publish in the Annexes of
Belgian Monitor to which the defendant is admittedly subject, does not require the processing of
data contained in the disputed passage and that therefore the processing of this data is not
necessary to comply with the legal obligation of the defendant (paragraph 57). This treatment is not
more necessary for the performance of its public interest mission (paragraph 58). The conditions of the article
17.3.b) of the GDPR invoked by the defendant are therefore not met in this case.
74. To even follow the reasoning of the defendant which consists in assessing the condition of necessity
at different times, either at the time of the initial publication on the one hand and at the time of the
request for erasure on the other hand, the conclusion of the Contentious Chamber would not remain Decision as to the case 38/2021 - 20/24
less identical. A fortiori, if we look at the time of the complainant's erasure request,
the (practical) inability already mentioned to sort prior to publication between what it is
legally required to publish and what results from the will of those concerned falls. In
Indeed, the complainant points precisely when requesting erasure to the superfluous data
published.
75. The Contentious Chamber also considers that the arguments based on the nature of the Monitor
Belgian authorities are not likely to oppose the exercise of the complainant's right to erasure. The
in this regard, the defendant emphasizes the immutability of the publications in the Belgian Official Gazette and of its
Annexes after their publication and the fact that the legal certainty of official publications would be
compromised by the application of a right to erasure exercised with regard to the data they
contain.
76. Once again, the Contentious Chamber considers that therefore, in this case, the data would not have
never had to be published, their erasure is not likely to compromise legal certainty
of the publication, the data whose publicity must be ensured following the reduction of
capital remaining intact. There is no such thing as the opinion of the Litigation Chamber, the immutability of
principle of official publications. The Contentious Chamber recalls here that in terms of its
Manni judgment, the CJEU accepts that the national legislator could introduce a time limit beyond which
the data contained in a public database such as the Trade Register (in
this was the information that the trader had gone bankrupt) would be
24
erased. In the Huber judgment, cited above, the CJEU stated the principle that public registers should not
contain only the data necessary for the purpose they pursue and this, in application of the
condition of necessity contained in the basis of lawfulness on which they rely. The CJEU adds
25
that these registers must be updated and superfluous data erased.
77. The Contentious Chamber concludes from the above that Article 17.3. b) RGOD is not
applicable in the present case and that no other exemption from erasure can validly be invoked
by the defendant.
78. Accordingly, in view of the breaches noted in point 64, the Contentious Chamber finds
a breach of Article 17.1. d) of the GDPR on behalf of the defendant. This failure is
combined with a breach of Article 5.1.e) of the GDPR since failing to have been erased on
the basis of Article 17. 1 d) of the GDPR, the retention of this data did not comply with the principle
24CJUE, judgment of 9 March 2017, Camera di Comercio v. S. Manni, C-398/15, paras 32-35 and 58 et seq.
25 See. points 59 to 60 of the Huber judgment, cited in footnote 15 above. Decision as to font 38/2021 - 21/24
according to which the data cannot be processed for a period longer than that necessary
to achieve the purpose of the processing.
4. Regarding corrective measures and sanctions
79. Under Article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of the data and the notification thereof
data recipients;
11 ° order the withdrawal of accreditation of certification bodies;
12 ° give periodic penalty payments;
13 ° issue administrative fines;
14 ° order the suspension of transborder data flows to another State or an organization
international;
15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequences
data on file;
16 ° decide on a case-by-case basis to publish its decisions on the website of the
data.
80. It is important to contextualize the breaches for which the defendant has been held responsible with a view to
to identify the most appropriate corrective measures and sanctions.
81. The Litigation Chamber recalls in this regard that it is sovereignly in its capacity
independent administrative authority - in compliance with the relevant articles of the GDPR and the
LCA - determine the appropriate corrective measure (s) and sanction (s). Decision as to font 38/2021 - 22/24
82. The Litigation Chamber notes that on several occasions already, the APD Knowledge Center has
highlighted gaps in the implementation of the GDPR with regard to data processing
operated by the Belgian Monitor. For example, in a recent 99/20 opinion, the APD, referring to
Article 1250 of the Judicial Code which refers to an obligation of official publication in the Moniteur
Belgian, raises the following. "As it has already done in Opinion No. 141/2019, the Authority [read the PDA]
here again draws attention to the fact that this publication, as in general
publication in the Belgian Official Gazette, is not subject to any data retention period
of a personal nature appearing therein. In this regard, the Authority [read the ODA] reiterates that the article
23 of the GDPR allows the legislator to make not only limitations on the rights referred to in
Articles 12 to 22 inclusive of the GDPR but also within the scope of Article 5 of the GDPR and therefore, in this
including, in Article 5.1.e) of the GDPR. However, such limitations cannot be made without ensuring the
compliance with the conditions stipulated by Article 23 § 2 of the GDPR, starting with the fact that such
limitation must be provided for by the law of the Member State in question. However, to the knowledge of
the Authority [read the DPA], there is still no such standard for publications at
Belgian instructor. The Authority [ODA] therefore once again insists that this
situation. "
83. The Litigation Chamber is of the opinion that in the present case, given the shortcomings noted, the
the most appropriate corrective measure is to issue a reprimand to the defendant (Article
100.1., 5 ° LCA) accompanied by an order to follow up on the complainant's exercise of the right to erasure
based on article 100.1., 6 ° LCA and this, as soon as possible but not later than within a
30 days from the notification of this decision to the parties. The costs that
the implementation of this erasure order cannot be attributed to the complainant, the exercise of
rights of data subjects being, as required by Article 12.5. of the GDPR, free.
84. The Contentious Chamber does not comment on the advisability of a possible fine
administrative action against the defendant. Taking into account the quality of "public authority" of
the latter within the meaning of Article 5 of the Law of 30 July 2018 on the protection of persons
physical with regard to the processing of personal data, read in conjunction with the
article 83.7. of the GDPR and 221 § 2 of the aforementioned law of July 30, 2018, the Litigation Chamber is not
indeed not authorized to impose such a fine on him.
85. The Litigation Chamber also invites the legislator to work towards bringing the
data processing operated by the Belgian Official Gazette with the GDPR, in particular with regard to
the identification of the basis of lawfulness of the data processing operations carried out, the implementation of the principle
minimization devoted to Article 5.1.c) of the GDPR and the exercise of the right to erase
persons concerned. Decision as to the font 38/2021 - 23/24
6. As for transparency
86. In view of the importance of transparency with regard to the decision-making process and
decisions of the Litigation Chamber, this decision will be published on the website of the APD
by deleting the direct identification data of the complainant and the persons cited,
whether physical or legal, with the exception, however, of the Belgian Monitor and the SPF Justice.
87. When it decided to publish its decisions mentioning the identity of the defendants, the
Litigation Chamber justified its decision by the fact that this advertisement would guarantee a
rapid compliance, would help decrease the risk of repetitions and aim to inform the
public taking into account the data controller involved. In addition, any pseudonymization
the name of the defendant would have been in these few cases illusory. 26
88. In the present case, the Contentious Chamber is of the opinion that in support of the above reasons, the publication of
the identity of the defendant is justified. The deletion of the identification of the FPS Justice / Monitor
Belgian is, given the unique nature of the Belgian Monitor, moreover illusory. The maintenance of
this identification is also essential for the understanding of the decision and therefore,
the objective of transparency pursued by the Litigation Chamber.
FOR THESE REASONS
THE LITIGATION CHAMBER
After having deliberated,
- Decides to issue a reprimand to the defendant on the basis of Article 100.1, 5 ° LCA;
- Decides, on the basis of Article 100.1., 6 ° LCA to order the defendant to act on
the exercise of the right to erasure of the complainant as soon as possible and at the latest within
within 30 days of notification of this decision. The defendant will inform the
Litigation Chamber, supporting documents, within the same time limit at the address
litigationchamber@apd-gba.be.
26
See. decision 37/2020 of the Contentious Chamber (point
183) https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf Decision on the font 38/2021 - 24/24
Under Article 108.1 LCA, this decision can be appealed to the Court of
contracts (Brussels Court of Appeal) within 30 days of notification, with
the Data Protection Authority as respondent.
(se.) Hielke Hijmans
President of the Litigation Chamber
