Court of Appeal of Brussels - 2020/AR/1333: Difference between revisions

From GDPRhub
 
(6 intermediate revisions by 3 users not shown)
Line 5: Line 5:
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=Cour d'Appel Bruxelles
|Court_Abbrevation=Cour d'Appel Bruxelles
|Court_With_Country=Cour d'Appel Bruxelles (Belgium)
|Court_With_Country=Court of Appeal of Brussels (Belgium)


|Case_Number_Name=2020/AR/1333
|Case_Number_Name=2020/AR/1333
Line 38: Line 38:
|Party_Name_1=X
|Party_Name_1=X
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=L'AUTORITE DE PROTECTION DES DONNEES, BCE
|Party_Name_2=APD/GBA (Belgium)‎
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Name_3=
Line 47: Line 47:
|Party_Link_5=
|Party_Link_5=


|Appeal_From_Body=Décision de l'autorité de protection des données BCE
|Appeal_From_Body=APD/GBA (Belgium)‎
|Appeal_From_Case_Number_Name=n ° 53/2020
|Appeal_From_Case_Number_Name=n ° 53/2020
|Appeal_From_Status=
|Appeal_From_Status=
Line 60: Line 60:
}}
}}


The appellant argues the decision to fine 5000€ for mistakenly sending one email to 150 recipients whose email addresses is wrongfully disclosed is disproportionate. Only one person has complained.
The Court of Appeal overruled the DPA's decision to fine €5,000 for mistakenly sending an email to 150 recipients whose email addresses is wrongfully disclosed, because it considered the decision to be disproportionate.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Appeal against a decision from the BCE 1st September 2020 to fine 5.000 for sending unsolicited emails for electoral message and divulgation of emails by CC following one complaint.  
On 1 September 2020, [[APD/GBA - 53/2020|the Belgium DPA imposed a fine of €5,000 on a controller]] for sending unsolicited emails for electoral message and disclosure of emails (via CC). The controller did not agree with the fine and filed for appeal.


=== Dispute ===
=== Dispute ===
Proportionality of the administrative fie
Proportionality of the administrative fee


=== Holding ===
=== Holding ===
The DPA's decision has been cancelled for lack of justification as required by Article 83 GDPR, and lack of proportionality. Sent back to the authority who is additionally required to pay back legal cost for 1400€. The Cour of Appeal could not itself reform or amend the decision.
The Court of Appeal overruled the DPA's decision for lack of justification as required by [[Article 83 GDPR]], and lack of proportionality. The decision was sent back to the authority who is additionally required to pay back legal cost for €1,400, since the Court could not itself reform, or amend the decision.


== Comment ==
== Comment ==
The Belgian DPA is having serious trouble holding its decisions.


== Further Resources ==
== Further Resources ==

Latest revision as of 11:43, 24 January 2022

Cour d'Appel Bruxelles - 2020/AR/1333
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 32(1) GDPR
Article 32(4) GDPR
Decided: 27.01.2021
Published:
Parties: X
APD/GBA (Belgium)‎
National Case Number/Name: 2020/AR/1333
European Case Law Identifier:
Appeal from: APD/GBA (Belgium)‎
n ° 53/2020
Appeal to:
Original Language(s): French
Original Source: Cour d'Appel des Marchés (in French)
Initial Contributor: TaraTb

The Court of Appeal overruled the DPA's decision to fine €5,000 for mistakenly sending an email to 150 recipients whose email addresses is wrongfully disclosed, because it considered the decision to be disproportionate.

English Summary

Facts

On 1 September 2020, the Belgium DPA imposed a fine of €5,000 on a controller for sending unsolicited emails for electoral message and disclosure of emails (via CC). The controller did not agree with the fine and filed for appeal.

Dispute

Proportionality of the administrative fee

Holding

The Court of Appeal overruled the DPA's decision for lack of justification as required by Article 83 GDPR, and lack of proportionality. The decision was sent back to the authority who is additionally required to pay back legal cost for €1,400, since the Court could not itself reform, or amend the decision.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Court of Appeal Brussels -2020 / AR / 1333 p. 2





X, [...], represented [...],

Requiring partner,

Against Decision No. 53/2020 pronounced by the Contentious Chamber of the Authority for the Protection of
Data as of September 1, 2020 (DOS-2019-02974)


Vs:
THE DATA PROTECTION AUTHORITY, BCE 0694.679.950, with its registered office at

the press35 in 1000 Brussels,
represented by Me CROISANT Guillaume (guillaume.croisant@linklaters.com) and Me SERON Carine
(carine.seron@linklaters.com) lawyer in BRUSSELS,

Defendant,



                                             ****

1.The referral to the Market Court.

                                                                              °
The Markets Court is seized by an appeal from X against decision no.53 / 2020
pronounced by the Contentious Chamber of the Data Protection Authority (ei-after the
C ontentious chamber ”) in September 2020 which imposes a fine of 5,000 € on him
(DOS-2019-02974).
Pursuant to article 108 § 1 of the law of 3 December 2017 establishing the Protection Authority

data (hereinafter “APD law”), the contentious chamber informs the parties of its decision and of
the possibility of appealing to the Procurement Court within thirty days, from the date of
notification of the decision. The appeal brought by a request lodged with the registry of the court of appeal
de Bruxelles dated September 29, 2020 is therefore admissible. The admissibility of the appeal is
not contested.


The case was argued at the hearing on January 13, 2021 in the form of a video conference (Webex).
By email from the registry of January 3, 2021, the parties were invited to participate in a
video conference. By emails of January 11, 2021, counsel for the parties indicated their agreement to
replace the face-to-face public hearing with a virtual public hearing.
On the date of the hearing, the registry is at the disposal of any litigant and any person wishing to

attend the debates, the link and the password allowing him to participate in the videoconference.

2.The Attagged Decision.

The Contested Decision states the following:


       "PARCES REASONS, LACHAMBRE LITIGATION,
       Decides, after deliberation, to impose a fine of 5000EUR on the data controller
       on the basis of articles 100, 13t 101 of the LCA as well as 83 of the GDPR, for / 'all
       breaches identified, namely for breach of Article 5, 1., b) of the GDPR, and




              1 PAGE □ 1- □ valid farfetched 1942078-0002-0025- □ 5- □ 1-i; -J



              L ..J Brussels-2020 Court of Appeal / AR / 1333 p. 3




       breach of articles 5.1.a} and 5.1.b), 6.1, 25.1 and 25.2, 32.1 and 32.4 of the GDPR read
       together.

       This decision may be appealed against within thirty days, from
       notification, to the Procurement Court15 (Article 108, § 1 of the LCA), with the Authority
       data protection as a defendant. "

3. The parties' demands.

In summary conclusions filed on December 15, 2020, X requests:
       "PRINCIPLE / PAL
       Declare the appeal admissible and well founded,
       Reform the decision appealed from,
       In doing so, pronounce the suspension of the pronouncement.
       IN THE ALTERNATIVE

       Dec / arer / 'appelrecevab / eet founded,
       Reform the decision appealed from,
       In doing so, considerably reduce the fine imposed by the contentious chamber of
       the Data Protection Authority.
       INFINITELY SUBSIDIARY
       Declare / 'appelrecevab / eet founded,
       Reform the decision appealed from,

       In doing so, refer the complaint to the Contentious Chamber so that it adopts a
       new decision which would take into account the grounds for annulment retained.
       IN ALL CASES
       Order the respondent to pay the entire costs and expenses of this liquidated procedure
       as follows with regard to X:
              Appeal request fee: 20.00 euros

              procedural indemnity: 1,440.00 euros
              Total: 1,460.00 euros ”

The Data Protection Authority (APD} requests summary conclusions, filed with
Registry of the Brussels Court of Appeal Ie 07/01/2021
       "PLAISEÀ THE COURT DESMARCHES OF THE COURT OF APPEAL OF BRUSSELS

       - As a principal /, to declare the appeal of X unfounded and to condemn it to the entire
       costs of the proceedings, including the procedural indemnity fixed at the basic amount of
       € 1,440;
       -In the alternative, if Your Court were to accept a ground for annulment (quad no), to refer
       the complaint before the Contentious Chamber so that it adopts a new decision

       in accordance with the judgment of Your Court. "

4. The means.
4.1.
X makes the following arguments:
       the means: / 'amended inflicted does not respect /' article 83 of the GDPR
              (a) The nature, gravity and duration of the violation, taking into account the nature, of

              the scope or purpose of the processing concerned, as well as the number of people
              affected and the level of damage they have suffered (article 83.2.4 of the GDPR)




              r PAGE 01-00001942078-0003-0025-05-01-� 



              L _J Brussels-2020 Court of Appeal / AR / 1333 p. 4




              b) The fact that the violation was committed willfully or negligently {article
              83.2.b of the GDPR)

              c) Measures taken by the controller and the processor to
              mitigate the damage suffered by the data subject (art / e83.2.c of the GDPR}
              d) Any violation committed by the controller or processor
              (article 83.2.e of the GDPR}
              e) The degree of cooperation established with the supervisory authority with a view to
              violation and mitigate any negative effects (article / e83.2.f of the GDPR)
              f) Any other aggravating or mitigating circumstance applicable to

              circumstances of the case, you / Ie that the financial advantages obtained or the losses
              avoided, directly or indirectly, as a result of the violation (article 83.2.k of the GDPR)
       2nd plea: / the fine is disproportionate

       SUBSCRIBE: REDUCTION OF THE FINE
       IN AN INFINITE SUBSIDIARY: REFERRAL TO LACHAMBRE LITIGATION

4.2.

The ODA, for its part, raises the following means:

       Means 1: / the fine imposed by the Contested Decision is proportionate and complies with the article
       83 of the GDPR. The Litigation Chamber fully complied with article 83.1 of the GDPR and
       principle of proportionality in its choice to impose an administrative fine on
       X only in determining the amount thereof.
       It has taken into consideration the criteria listed in article 83.2 of the GDPR to assess and

       guarantee the proportionate and dissuasive nature of this fine. On the other hand, she discarded the
       mitigating circumstances alleged by X, because cel / es-ei were either not
       relevant or unfounded.
       In addition, the fine imposed on X is in line with the case law of the
       Litigation Chamber relating to the il / here processing of personal data
       to electoral / ins.
       X's sole plea, having regard to which administrative fine imposed on it by the

       Decision attacked would be disproportionate, must therefore be rejected for lack of
       foundation.

       Means 2: in the alternative, the Court cannot substitute its decision for that of the Chamber
       Litigation. In the alternative, even if the Court were to annul the Contested Decision (quad
       no), it cannot substitute its assessment for that of the Contentious Chamber as the
       solicitX.
       Indeed, when X so / lawful of the Court that it decides in full jurisdiction by reforming the

       Contested Decision and pronouncing the suspension of the pronouncement in place of the Chamber
       Litigation, he asks the Court to decide on an aspect that falls within the power of
       discretionary judgment of / 'APO. A solution cannot be adopted. The courtyard
       should therefore refer the matter back to the contentious chamber for the latter to adopt
       a new decision which would take into account the grounds for annulment retained by the Court.






             r PAGE 01-00 □□ 1942078- □□□ 4- □ 025- □ 5- □ 1-; i



             L _J Brussels Court of Appeal -2020 / AR / 1333p. 5








5. The facts.

The Attacked Decision relates the facts as follows:
       “On 25 May 2019, the complainant submitted a request for information to the Autorité de
       protection of data concerning the use by the defendant of his / her e-mail address

       personal for / 'sending an electoral message received on May 22, 2019, addressed to his / her name by
       his secretary. The complainant emphasizes that he never gave his consent to have his address
       be used for this purpose by the defendant. The complainant also denounces the fact that this
       message was sent to many recipients p / aced in copy, which favored Ja
       diffusiononsol / icitéedesourelectronicaddress tothispeople.

       2. The letter read as follows: “Ladies and Gentlemen, Dear Friends, Dear Friends, I
       am proud to be the [Xth] candidate of the [Y] list for our borough [list of
       communes concerned..J. Allow me to ask for your suffrage. A good result to me
       will allow our team at the College and the Provincial Council to be even more efficient. I
       wishes to do everything in its power to also support our local representatives and their projects.

       3. By letter of July 2, 2019, the Frontline Service of the Protection Authority
       of the data invited the complainant to exercise his rights with the defendant, in this case,
       his right to object to the processing of his personal data. At the same time, by letter
       On July 2, 2019, the Frontline Service contacted the defendant for him
       ask in particular how he / she had obtained the duplicating e-mail address, if he

       had lodged a data breach notification with / 'APO and that / the measures
       been taken so that this type of incident does not happen again.
       4. Responses that the Respondent addressed to the complainant and to the Primary Care Service.
       sign, it appears that the complainant's email address was collected on the occasion of a
       request for information sent in March 2014 by the p / aignant to the secretariat of the

       bourgmestre of the city of X., to sign a public cleanliness problem.
       more particularly an e-mail addressed to "secretariat.bourgmestre@X.be"
       concerning an illegal dump near the old city walls
       which the parent requested cleaning. On July 4, and in fact, in his letter to
       at the front line service, co-signed by the defendant, the defendant's secretary writes
       the following explanation regarding the collection of the e-mail address reads "g

       come from a "hotlines" file organized by the defendant when he was
       »Bourgmestre of the city. The p / aignant therefore appears in this / ui to have, at a time
       or another, had contact with the defendant ”The Litigation Chamber cannot therefore
       follow the defendant in his subsequent explanations (July 2020)
       which / 'disputed email address (and others) would have been collected via emails to him

       being addressed personally and not via an administrative or other service of
       the municipal administration The contentious chamber understands as soon as the
       collected by the burgomaster are not only the result of contacts with citizens
       with the city administration but also, according to the statements of the defendant, emails to him
       having been addressed personally, which was not the case with regard to

       e-mail of the complainant who was indeed collected via the bourgmestre's secretariat.
       5. With regard to the modus operandi for sending the disputed email, the Respondent replied
       to questions from the Data Protection Authority by co-signing the following exp / ication
       provided by the municipal employee who was his secretary when he was mayor:


              IPAGE 01-00001942078-0005-0025-05-01- � 



              L ..J Brussels-2020 Court of Appeal / AR / 1333 p. 8





personal data and the free movement of such data, and repealing Directive 95/46 / EC (regulation
general data protection or GDPR)
        "1. Each supervisory authority shall ensure that the administrative fines imposed in
       under this article for violations of this Regulation referred to in paragraphs 4, 5
       and 6 are, in each case, effective, proportionate and dissuasive.
       2. Based on the characteristics of each case, the administrative fines imposed

       in addition to instead of the measures referred to in Article 58 (2) (a) to (h), and
       j). To decide whether to impose an administrative fine and to decide on the amount
       administrative fine, due account shall be taken, in each individual case, of the
       following items
               a) the nature, severity and duration of the viofation, taking into account the nature, of
               the scope of the purpose of the processing concerned, as well as the number of people

               affected parties and the level of damage they suffered;
               (b) the fact that the violation was committed willfully or negatively;
               c) any action taken by the controller to the processor to
               to mitigate the damage suffered by the persons concerned;
               d) the degree of responsibility of the controller to the processor,
               taking into account the technical and organizational measures they have implemented

               by virtue of Articles 25 and 32;
               e) any relevant violation previously committed by the responsible
               processing to the subcontractor;
               f) the degree of cooperation established with the supervisory authority in order to remedy
               violation and mitigate any negative effects;
               g) the categories of personal data affected by the breach;

               h) the manner in which the supervisory authority became aware of the violation,
               in particular if, and to the extent that the processor is responsible for the processing
               notified the violation;
               i) / where measures referred to in Article 58 (2) have been
               previously ordered against the controller at the
               treating concerned for the same oj and, the respect of these measures;

               } the application of codes of conduct approved in application of / 'article 40 to the
               certification mechanisms approved in application of article / e42; and
               k) any other aggravating or mitigating circumstance applicable to
               circumstances of the case, you / Ie that the financial advantages obtained or the losses
               avoided, directly or indirectly, as a result of the violation ”(underlined by us).


7. Motivation.

        7.1. The infractions.
X does not dispute the infractions. There is therefore no need to examine the merits of the Decision.
Attacked in that it declares the infringements as proven.


        7.2. The scope of the jurisdiction of the Market Court.
The parties disagree on the scope of the jurisdiction / jurisdiction of the Market Court, in
particularly the question of the extent of the full jurisdiction of the Market Court, or more
concretely on the question of whether the Court - after having set aside a decision - can substitute
its own decision to the decision of the APD and can therefore impose a sanction "different" from that



              1 PAGE 01- □ 0 □□ 1942078-0008-0025- □ 5- □ 1-; i



              L _J Brussels Court of Appeal -2020 / AR / 1333 p. 14




decisions, some of which have a scope equivalent to that of the courts and tribunals of the order

judicial process, it is imperative that a judicial remedy be instituted by the legislator in order to guarantee
aujusticiable an appeal before a court forming part of the judicial order.
It follows that the Market Court cannot therefore substitute its decision for that of the authority
administrative only when the Court finds that this decision is illegal or irregular (for
example when any principle of good administration would be violated by the decision
administrative attack).


A manifest error "may" result in the decision being overturned. It follows that it belongs to the
applicant to prove the manifest error of assessment allegedly committed by the board
litigation of the APO, the illegality of the Contested Decision or the disregard of the principles
general matters of good administrative management

The motivation required by the law of July 29, 1991 on the explicit motivation of administrative acts

must include a statement of the legal and factual considerations which form the basis of the
decision. It follows from these provisions that, in the event that a decision is legal
administrative process is based on the taking into account of a certain number of considerations, the respect of
the requirement of motivation which they foresee only leads its author to have to state only those on
which is the basis for the decision he has taken. It follows from this that the plea alleging insufficient
motivation of the Attacked Decision which did not have to rule on all the criteria provided for
in Article 83 of the aforementioned GDPR and the error of law that this insufficient reasoning would reveal,

should be discarded.

                7.4. Does the fine imposed comply with Article 83 of the GDPR?
                          (first plea of the applicant and the APD)

Insofar as the applicant criticizes the content of the answers provided by the Chamber

APO litigation, the plea cannot be accepted.
The applicant claims:
       "4.1.3.
       In this case, the Contentious Chamber of the Data Protection Authority imposed a
       fine in the amount of 5,000.00 euros without taking into account all the elements
       thus invoked by / 'artic / e83 of the GDPR Regulation.
              a) The nature, severity and duration of the viofation, taking into account the nature, of fa

              scope or purpose of the processing concerned, as well as the number of people
              affected and the level of damage the elves suffered (article 83.2.4 of the GDPR)
       4.1.4.
       The Data Protection Authority should have taken into account the nature, the seriousness
       and the duration of the breach as well as the number of affected persons affected and
       The level of damage that the elves suffered (article 83.2 a)
       In this case, X sent a single courrief to the complainant, Z, and immediately

       excused for this handling error so that there was only one person
       affected and the GDPR violation has not lasted.




18Cour des marchés June 12, 2019, 2019 AR 113.


             r PAGE □ 1- □ valid fares 1942 □ 78- □ valid 14-0025-05- □ 1-� 



             L _J Brussels-2020 Court of Appeal / AR / 1333 p. 15





       This handling error did not, moreover, cause significant damage to Z, which
       that the contentious chamber did not take into account in the assessment of / 'fine
       inflicted on X.
      4.1.5.

      In terms of main conclusions, the Data Protection Authority recognizes that a
      only elitigious email but indicates that it is wrong to consider that only one person has
      was affected as soon as the email in question was sent to 150 people.
      This does not mean, however, that these 150 people are "affected people" in the
      meaning of section 83.2. of the GDPR as soon as it is not established that X did not have

      authorization to use the personal data of some of these people.
      Moreover, apart from Z, no one has issued any p / aints, neither to X, nor to the Protection Authority.
      Datas.

             b) The fact that the violation was committed willfully or negligently (article

             83.2.b of the GDPR)
      4.1.6.
      The Data Protection Authority should also have taken into account that the
      violation was not willful and took place, on the contrary, by neg / igence (article 83.2 b).
      As X was able to explain through his secretary, the latter sent

      election advertising from his private mailbox, omitting to hide the list of
      recipients.
      There was therefore no intention to misuse these addresses, nor to harm anyone else.
      either.This is a simple handling error for the excused.
      4.1.7.

      In its decision, the Litigation Chamber recognizes "that no element of the file attests
      that the infringement was committed deliberately, on the instructions of the defendant ”(page
      11 of the decision).
      The Contentious Chamber thus agreed to retain the unintentional nature of the
      under mitigating circumstances.
      However, at the level of the sanction, the Contentious Chamber did not, in reality, take any

      consideration of this attenuating circumstance as soon as, and as will be explained below
      below, the sanction imposed on X is a very severe sanction compared to the sanctions
      usually applied by the contentious chamber.
      4.1.8.
      In terms of main conclusions, the Data Protection Authority alleges that “Ie

      unintentional nature of the infringement which was retained by the Litigation Chamber as
      attenuating circumstance (Contested Decision paragraph 35} concerns only the
      third violation (article 32.1 of the GDPR) ”(page 15 of the main conclusions of
      the Data Protection Authority).
      In other words, the Data Protection Authority estimates, in terms of conclusions

      principa / es, that this mitigating circumstance was not retained for the violations of
      articles 5.1.a, 5.1.b, 6.1 as well as articles 25.1 and 25.2 of the GDPR.
      It is clear that this statement is in total contradiction with the decision
      rendered by the Contentious Chamber of the Data Protection Authority.







            1 PAGE 01-00001942078-0015-0025-05-01-� 


                   � 
            L __J Brussels Court of Appeal -2020 / AR / 1333 p. 16





       The latter admitted, under Title 3 of its 'Corrective Measure' decision, that
       mitigating circumstance without making any distinction and without specifying that it only applied
       either violation.
       Point 35 of the contested decision is, in fact, worded as follows:
              "In its response to the reaction form to I meet a proposed fine, I
              the defendant is mainly going to believe that the sending of this mail results from his point of

              view of a handling error. In this regard, the Litigation Chamber notes / Ie
              that a handling error, I if applicable, constitutes a security breach and
              as such a data breach within the meaning of J'artic / e 4.10 of the GDPR which results in Ja
              responsibility of the defendant with regard to the prior implementation of
              adequate security measures to avoid such errors. Bedroom
              litigation notes, however, that nothing in the file attests that the infringement

              was allegedly committed on the instruction of the defendant. Bedroom
              contentious therefore retains the unintentional nature of the infringement as a
              mitigating circumstance ”(page 11 of the contested decision).
       In addition, to the extent that the Litigation Chamber of the Data Protection Authority
       imposed a global fine for the various violations, the mitigating circumstance
       recognized by the latter had to be taken into consideration with regard to the assessment of Ja

       sanction and this even though this mitigating circumstance has been recognized only
       for rune violations, quad no.
              c) Measures taken by the controller or the processor to mitigate
              Damage suffered by the data subject (article 83.2.c of the GDPR)
       4.1.9.
       In addition, the Data Protection Authority should still have taken into

       consideration of the measures taken by X to mitigate the damage suffered by the
       persons concerned (article 83.2 c).
       In his letter of October 14, 2019, X informed the Contentious Chamber that he
       had "solicited / 'opinion of a specialist in the news / aegis" to help him to supervise
       his team "in order to avoid any new errors of the kind in the future". Protection Authority
       data are refused to take these elements into consideration.


              d) Any violation committed previously by the controller or
              The subcontractor (article 83.2.e of the RGPG)
       4.1.10.
       In estimating the fine imposed on X, the Contentious Chamber also did not judge
       useful to take into account / 'total absence of previous viofation in the head of X and this in
       annoyance with article 83.2. e).

       4.1.11.
       In terms of main conclusions, the Data Protection Authority claims that the
       GDPR considers recidivism to be an aggravating circumstance.
       Se / on el / e, / 'the absence of an aggravating circumstance does not mean the existence of an aggravating circumstance.
       mitigating.
       This does not detract from the fact that in determining the sanction to be imposed on X, the

       Data Protection should have taken into consideration I made that the latter was not
       customary for GDPR violations and that no sanction had ever been applied to it
       previously.




              1 PAGE □ 1-00001942078- □ 016-0025- □ 5- □ 1-� 



             L __J Brussels Court of Appeal -2020 / AR / 1333 p. 17




        If the absence of previous violations does not constitute a mitigating circumstance, quod
        no, this constitutes an objective criterion at all times which must be taken into account in the
        determination of the sanction.
                e) The degree of cooperation established with the supervisory authority in order to remedy

               violation and mitigate any negative effects (article 83.2.f of the GDPR)
        4.1.12.
        Likewise, the Contentious Chamber did not take into consideration the cooperation of X (article
        83.2 f). From October 14, 2019, X indicated to the Litigation Chamber that he was in his
        available to be heard if she so wished.

        This perfectly demonstrates that X wanted to cooperate in this case, which
        the Chmbrecontentieu did not take it into account.

                f) Any other aggravating or mitigating circumstance applicable to the circumstances
               of the species, you / Ie that the financial advantages obtained or the losses avoided,

               directly or indirectly, due to the violation (article 83.2.k of the GDPR}
        4.1.13.
        Finally, the Contentious Chamber did not consider it useful to take into account other
        extenuating circumstances such as the fact that X did not derive any benefit from this violation.
        In terms of main designs, the Data Protection Authority considers that there is no

        no reason to uphold this argument on the grounds that X does not add any element which
        would make it possible to determine whether or not the use of the permanent file influenced
        favorably the result of the elections.
        It is impossible for X to prove this negative fact. Nevertheless, it is
        not unreasonable to admit that the 150 people allegedly targeted by the email

        litigation alone could not influence the final outcome of the elections. In addition, there
        a / ieu to note that the fines imposed by the Data Protection Authority
        constitute penalties of a criminal nature.
        Indeed, since the judgment of the European Court of Rights of Hamme Engel v. Netherlands from 8
        June 1976, it is accepted that the concept of "criminal charge" referred to in Article 6 of

        the Convention is an “autonomous concept”, endowed with a European meaning
        potentially distinct from that attributed to homonymous terms in national
        High Contracting Porties.
        To determine whether an administrative sanction is of a criminal nature, it is necessary that three
        criteria are met: the qualification of the sanction in domestic law, the nature of the

        repressed behavior and, finally, the nature and degree of severity of the sanction concerned.
        The second and third criteria are alternative and not necessarily cumulative. For
        that Article 6 of the ECHR applies, it is sufficient that the offense in question is of a criminal nature
        with regard to the Convention, or has exposed the person concerned to a sanction which, by its nature and
        degree of seriousness, generally pertains to criminal matters.
        In this case, it must be noted that the sanction applied by the Authority for the Protection of

        Data does indeed constitute an administrative sanction of a criminal nature:

                       The fine thus imposed is qualified as an administrative sanction;
               - The GDPR protects / 'general / societal interest and the fines imposed due to
               a violation of the GDPR have both a deterrent and a repressive purpose;

                       The fine imposed is of undeniable severity.




               rPAGE 01-00001942078-0017-0025-05-01-� 



               L _J Brussels-2020 Court of Appeal / AR / 1333 p. 18





      This is all the more true as the European Court of Human Rights has already had the opportunity
      to apply the "Engel criteria" to an administrative fine pronounced by the authority of
      control of the Italian financial markets and to recognize its criminal character.
      The Court of Justice of the European Union, after having endorsed the development of the "criteria
      d'Engel ”, also applied this reasoning to administrative fines.

      The criminal nature of the administrative sanctions provided for by the GDPR must therefore
      clearly recognized, in particular with regard to the content of article 83 of the GDPR
      providing that the administrative fines provided for by the supervisory authorities must be
      effective, proportionate and dissuasive, and setting particularly high thresholds.
      Being of a criminal nature, the administrative fines applied by the Protection Authority
      Data must apply the procedural guarantees specific to the "matter

      criminal law ”that owing to the right to a fair trial, the legality of the incriminations and penalties and
      The principle non bis in idem.
      These procedural guarantees in criminal matters lead, in particular, to a reversal of the
      burden of proof, which means that it is the prosecution, in this case the Authority of
      Data Protection, which must bear the burden of proof.
      Thus, the Data Protection Authority cannot content itself with invoking that X would have

      gained an advantage from the GDPR violation but must prove it, quad no.
      4.1.14.
      Likewise, the Litigation Chamber did not consider it useful to take the situation into account.
      financial situation of X a / ors that the latter had informed the Chamber of this and had
      added that a fine of 5,000.00 euros would result in

      to worsen this already de / icate financial situation.
      Indeed, X has to face important debts which prevent him from assuming a
      fine in the amount of 5,000.00 euros.
      For example, X is being claimed for nearly 16,000.00 euros per administration
      fiscal.
      In addition, the building he owns and in which he resides is having problems.

      stability. X therefore has no choice but to carry out large-scale work to
      that / s his home insurance refuses to intervene, which / 'obliges to assume some alone
      cost.
      Finally, X was the subject of criminal proceedings in the context of the so-called "..." case.
      This procedure, initiated on November 3, 1999, lasted thirteen years and was completed by a

      judgment of the 6th chamber of the Court of Appeal of [...] of [...] in which the Court of Appeal / a
      confirmed in all respects the judgment of the Criminal Court of [...], of [...] by virtue of
      from which X was acquitted of all charges.
      The counsel who assisted X in this procedure have recently returned to him, as
      costs and fees, the total sum of 465,488.82 euros.
      These amounts were the subject of disputes by X, which led to a

      legal proceedings before the Court of First Instance of [...] (Exhibit 13 of the file
      inventoried of the conc / uant).
      This procedure is currently still in progress so that no final judgment has been made.
      could be returned.




             g) Design



            IPAGE 01-00001942078-0018-0025-05-01- � 

                   �� 

            L � ..J Court of Appeal Brussels - 2020 / AR / 1333 p. 19




       4.1.15.

       The Contentious Chamber of the Data Protection Authority did not take into
       consideration / 'all the elements that must be taken into account to determine the
       amount of the penalty prescribed by article 83 of the GDPR Regulation. "

All of these criticisms relate to the factual assessment that the APD's contentious chamber
carried out in this case.

As it is not for the Market Court to "re-examine" the facts of the case, and that the
plea does not claim that there was a manifest error of assessment, it cannot be
welcomed.

       7.5. Is the fine imposed disproportionate?
                   (second plea of the applicant, first plea of the DPA)


Article 83 of the GDPR provides in its first point that each supervisory authority ensures that
administrative fines imposed for breaches of the rules are, in each case,
effective, proportionate and dissuasive.
In its article 100, the law of 3 December 2017 establishing the Authority for the protection of
data (APD law) lists the possible penalties.
The contentious chamber has the power to dismiss the complaint; to order the dismissal; of
pronounce the suspension of the pronouncement; to propose a transaction; to issue warnings

and reprimands; to order compliance with the requests of the data subject to exercise
these rights; to order that the person concerned be informed of the safety problem; to order the freezing,
temporary or permanent limitation or prohibition of processing; to order a setting
compliance of processing; to order the rectification, restriction or erasure of data and the
notification of these to data recipients; order the withdrawal of the accreditation of
certification bodies; to give periodic penalty payments; to issue administrative fines;
order the suspension of transborder data flows to another State or an organization

international; to send the file to the public prosecutor's office in Brussels, who informs them
follow-up given to the case; decide on a case-by-case basis to publish its decisions on the website
of the Data Protection Authority.
The ability to impose an administrative fine is only the thirteenth sanction in the list
legal.
The fundamental aim of European legislation is not to sanction in the form of inflicting

fines for the slightest breach of regulations, the real goal is data protection. The
the aim is therefore to protect data, not to punish the slightest infringement at all costs.
In this case:
       “On May 22, 2019, X sent a letter / on his behalf, through / 'adress
       emails from his secretary, [...], to these terms: "Ladies and Gentlemen, Dear friends,
       Dear friends, I am proud to be the 10th candidate on the list [...] for our
       borough of [...]. May I be allowed to sol / icite your suf / anger. A good result

       will allow me with our team at the College and the Provincial Council to be even more
       effective. I want to do everything in my power to also support our







             1 PAGE □ 1- □ validated 01942078- □□ 19- □regon 25- □ 5- □ 1-; i



             L __J Brussels Court of Appeal -2020 / AR / 1333 p. 20





       local representatives and their projects. My warmest regards ”(Exhibit 1 of the dossier
       inventory of the appellant).
       On May 23, 2019, Z sent an email to X's secretary in order to
       to indicate that he had not given his consent for the use of his personal data
       and that the e-mail mentioned above should not have been sent to him from then on.
       From the next day, that is May 24, 2019, X, through his secretary, presented his

       apologies to Z in these terms: "We know the law on the RGPD: we apologize for
       this mistake. We realized this at the time of / 'sending but it was
       trap late We therefore ask you not to lodge a complaint for a gesture totally
       beyond our control. Our apologies again. Best regards ”(Exhibit 2 of
       appellant's inventory).
       On May 25, 2019, Z submitted a request for information to the Autorité de
       protection of data concerning the use by X of his e-mail address

       personal. He also denounced the fact that this message was sent to many
       addressees placed in copy (Exhibit 3 of the inventoried file of the appellant). "

       "From July 4/2019, the secretary of X, [...] answered this question in these
and: terms: "The addresses come from a" permanence "file organized by X / orsqu'il

       was Mayor of [...]. Z is therefore in this one to have, at one time or another,
       had contact with X ”.
       The secretary added: “In fact, from my private messaging system, I sent a
       election advertising for X, in order to prevent him from using his personal messaging system in his capacity
       of provincial deputy (...). And this email was sent spontaneously, omitting to put
       in CC / the recipients. There is therefore no intention to misuse these addresses, nor
       to harm anyone. It is just a mishandling that we regret.

       We apologized to Z as you may have read it ”.
       On August 6, 2019, the Frontline Service of the Data Protection Authority declared
       Z's complaint admissible and forwarded it to the Litigation Chamber.
       By registered letter of September 25, 2019, the President of the Litigation Chamber
       informed X and Z that the case was ready for treatment on the merits and invited the parties to
       introduce their conclusions according to the fixed timetable.

       By letter of October 14, 2019, X indicated to the Litigation Chamber: “I have received
       your new e-mail concerning the distribution of e-mail addresses to a series of contacts
       during the last election campaign. If you wish, I am at your disposal
       to be heard on this. I already want to confirm or "reconfirm" that
       file to / 'all people was a simple handling error at the time
       of / 'sending of the document which had to be individualized. I myself solicited / 'opinion of a

       specialist in the new legislation to help me supervise my team in order to avoid
       the future any new error of the genre. The question still being analyzed with the
       resource person I have chosen is to know that the health precautions for
       take with e-mail addresses that people did not send spontaneously. For










              r PAGE 01-00001942078-0 □ 20-0025- □ 5- □ 1- � 



                                                                _JBrussels-2020 Court of Appeal / AR / 1333 p. 22





citizen, has the right to be treated individually and according to the elements of his file and without
elements from other files may interfere.
When a decision has to be taken on a case-by-case basis, based on the principle of good faith,
! 'absence of a prior warning, in the absence of any precedent and confronted with
immediate apology (the day after the date on which the applicant was informed of the problem which
he was not aware), the sanction of immediately imposing an administrative fine in addition to the

fact of fixing it from the outset at a large sum of 5,000 euros, is of a
disproportionate.

In addition, the following grounds:
       "34. The defendant did not follow the procedure communicated to him by mail
       recommended and by email. His answer is laced, he would not have been informed of the obstruction

       to send conclusions to the complainant is contrary to the facts. The contentious chamber
       considers that by this omission and erroneous denials of the facts, the Respondent has not provided
       all its cooperation in the procedure, which constitutes an aggravating circumstance "
show a manifest error of assessment in the head of the contentious chamber of the APD.
There is no binding procedure and in any event, a breach of the rules of

procedure may result in the authority disregarding writings or documents which
are used in violation of the rules of procedure, but such a fact - even if it is established quad not in
! the absence of binding rules which are enforceable against litigants - can never constitute
an aggravating circumstance. reason for the litigation chamber mixes form and substance and is
perfectly illegal and invalidates the decision by this fact alone.

The Cour des marchés does not criticize the policy of the contentious chamber of the APD but the fact of

not to consider the possibilities of achieving the goal pursued by European legislation (such as
implemented in Belgian law) by another decision (explicitly provided for in Article 100 points 3 to
12 of the APD Act) while noting a series of elements which show that the applicant did not
in no way expressed his intention to disregard the principles of data protection
personal but on the contrary the violation he committed was the result of negligence
or inadvertently and immediately rectified the situation while apologizing (see

above) cannot be interpreted other than as a misuse of powers, the use
by an administrative authority within its power for a purpose other than that for which it was
granted, in the head of the contentious chamber of the APD.
An attitude, tending to impose fines from the first inadvertent offense,
does not correspond to the principles that govern matter. As far as the room
AD litigation has a complete repressive chain enabling it to carry out

controls, the consequences of which (if the infringement is established) can range from a warning to a sanction
financial or not. In some cases, an advertisement can even be decided based on the severity
cases. The Procurement Court wonders whether in X's case a warning might not have been sufficient. The
disputed chamber fails to take into account the presumption of good faith. By inflicting
immediately an administrative fine - very substantial against an individual who has
sent e-mails mentioning the e-mail address of all the persons to whom the e-mail

was addressed - the litigation chamber disregards the fundamental principles of the
proportionality of the sanction.






             1 PAGE □ 1-00 □□ 1942078- □□ 22- □regon 25- □ 5- □ 1-� 



             L _JCourt of AppealBrussels-2020 AR / 1333p. 23





       7.6. Punishment.
                                (second means of ODA)

The applicant requests the "reformation" of the decision so that the sanction of inflicting a

a fine of € 5,000.00 would be reformed into a stay of proceedings. The APD argues on this subject
       “78. In the alternative, even if Your Court were to set aside the Contested Decision (quod
       no}, it cannot substitute its assessment for that of the contentious Chamber as the
       asks X.
       Indeed, when X asks Your Court to rule in full jurisdiction by reforming

       the Contested Decision and pronouncing the suspension of the pronouncement in place of the Chamber
       Litigation, he asks Your Court to decide on an aspect that falls within the power of
       discretionary judgment of / 'APO. A solution cannot be adopted.
       Your Court should therefore refer the complaint to the Contentious Chamber so that it
       adopt a new decision which would take into account the grounds for cancellation retained by Your

       Court. "


The Markets Court cannot "reform" a decision as an appellate judge could.
The Market Court can only annul or not the contested decision.

To the extent that a decision is quashed, the Markets Court may - on the basis of the full
jurisdiction - make a new decision that will replace the annulled decision. The "reformation
factual ”of the Contested Decision is therefore carried out in two phases, first the annulment of the decision and
then the replacement of the annulled decision by a new decision.
The Markets Court therefore considers that when the applicant requests the "reform" of a

Contested Decision, which he ultimately requests that the Procurement Court annul the Contested Decision and
replaces this decision with a new decision. 19
The Court endorses the following considerations of the judgment of 28 September 2012 Court of
cassation:
       "The judge is bound to settle the dispute in accordance with the rules of law which are applicable to him.

       applicable. He is required to examine the legal nature of the facts and acts referred to by the porties
       and may, whatever the legal qualification given to them by the porties, complete
       ex officio the reasons they invoked on the condition that it does not raise any dispute
       of which the porties have exc / u the existence in their conclusions, that it relies exclusively on
       elements which have been regularly submitted to him, which he does not modify / 'subject of the request

       and that it does not violate the rights of defense of the porties. "

In the present case, the applicant requests that the decision be replaced and the DPA defended himself on this
request (see the extract from the conclusions cited above). When the Market Court interprets the
request of the applicant to "reform" the Contested Decision into a request to annul the decision

and replace it with a new decision on the extent of which the parties have taken
conclusions, the Markets Court does not rule ultra petita.

In the present case, the Impugned Decision must be annulled for misuse of power, the use by the
contentious chamber of the APD of its power to sanction by imposing a fine

administrative without considering that the other sanctions of article 100 of the ODA law may reach

19Cass. September 28, 2012, http://www.cass.be at its date, judgment n C.12.0049.N; J.T. 2013, 497; J.L.M.B. 2013, 1297, note
VAN DROOGHENBROECK, J.


             1 PAGE 01-00001942078-0023-0025-05-01-� 


                    � 
             L �� _J Brussels Court of Appeal -2020 / AR / 1333 p. 24





The result envisaged by the legislator0and on the ground that in this case the contentious chamber did not
taken into account the presumption of good faith, nor the attitude of the applicant as soon as he was informed of
the offense, and that it took into account aggravating circumstances in an unlawful manner, violating

thus the principle of proportionality of the sanction.

Since the applicant does not dispute the infringements and has never done so, it is appropriate to

consider the offenses as established and reconsidering - by virtue of the full jurisdiction of which
provides the Procurement Court - the proportionality of the sanction, the applicant should be imposed
sanction of the suspension of the pronouncement.


8. Decision and costs

The appeal is admissible and well founded.
Decision No. 53/2020 pronounced by the contentious chamber of the Authority for the Protection of
Data Ie September 1, 2020 which imposes a fine of 5,000 € (DOS-2019-02974) on X is

canceled, the sanction is that of the suspension of the pronouncement.
The Data Protection Authority is ordered to pay the costs, liquidated at 1,440 € in compensation
procedure for X.


FOR THESE REASONS,
THE COURTYARD,


Having regard to articles 24 and 43 bis § 3 in fine of the law of June 15, 1935 on the use of languages in

judicial,

Ruling contradictorily,


Holds X's appeal admissible and well founded;
                    °
Annuls Decree no.53 / 2020 pronounced by the contentious chamber of the Authority for the Protection of
Data September 1, 2020 (DOS-2019-02974) in which it imposes a fine of 5,000 euros on
X on the basis of articles 100, 13 and 101 of the law of 3 December 2017 on the creation of
the Data Protection Authority (“LCA”) as well as article 83 of the GDPR;


Deciding with full jurisdiction, pronounces the sanction of suspension of the pronouncement on the basis of
Articles 100 and 101 of the LCA as well as Article 83 of the GDPR;
Orders the Data Protection Authority to pay the costs, liquidate to .... right to roll and

€ 1,440 in procedural compensation for X.

Pursuant to article 2692 of the Code of registration, mortgage and graft rights,
condemns the Data Protection Authority to pay to the Belgian State, SPF Finances, the right to
on the call roll (400 €}.



20 namely to modernize the European regulations on the protection of personal data due to
of the advancement of new technologies and to ensure that personal data is processed in a
new way and that all citizens benefit from high-quality protection when processing their data
of a personal nature.


               rPAGE 01-00 □primer 1942078- □ 024-0025-05- □ 1-i: -i




               L ... J