Court of Appeal of Brussels - 2021/AR/163: Difference between revisions
From GDPRhub
Tag: Undo |
No edit summary |
||
| Line 46: | Line 46: | ||
|Initial_Contributor=n/a | |Initial_Contributor=n/a | ||
| | | | ||
}} | }} | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A bailiff’s office dealing with debt recovery requested the debtor to fill in a form with personal data. The Belgian Data Protection Authority considered that the form did not comply with the GDPR, and therefore issued a decision in which it reprimanded the bailiff’s office, ordered it to change its processes to comply with the GDPR and ordered it to pay a fine. | |||
The bailiff’s office, disagreeing with the decision, appealed it before the Court of Appeal. | |||
=== Holding === | === Holding === | ||
The Court of Appeal found the Litigation Chamber guilty of a misuse of power, as it had inflicted an administrative fine as from the first offence. The Court of Appeal held that no fine should have been issued and therefore decided to partially annull the Belgian DPA’s decision. | |||
Inflicting an administrative fine as from the first offence was deemed contrary to the proportionality principle, which implies that the sanction must be proportionate to the infringement. | |||
The Data Protection Authority should consider the full range of sanctions at its disposal before issuing a fine, and only impose a fine on organisations/people who do not comply with its injunctions. | |||
== Comment == | == Comment == | ||
Revision as of 12:17, 7 July 2021
| CA - 2021/AR/163 | |
|---|---|
 | |
| Court: | CA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 83 GDPR |
| Decided: | 26.05.2021 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 2021/AR/163 |
| European Case Law Identifier: | |
| Appeal from: | Data Protection Authority 81/2020 |
| Appeal to: | Unknown |
| Original Language(s): | French |
| Original Source: | autoriteprotectiondonnees.be (in French) |
| Initial Contributor: | n/a |
English Summary
Facts
A bailiff’s office dealing with debt recovery requested the debtor to fill in a form with personal data. The Belgian Data Protection Authority considered that the form did not comply with the GDPR, and therefore issued a decision in which it reprimanded the bailiff’s office, ordered it to change its processes to comply with the GDPR and ordered it to pay a fine.
The bailiff’s office, disagreeing with the decision, appealed it before the Court of Appeal.
Holding
The Court of Appeal found the Litigation Chamber guilty of a misuse of power, as it had inflicted an administrative fine as from the first offence. The Court of Appeal held that no fine should have been issued and therefore decided to partially annull the Belgian DPA’s decision.
Inflicting an administrative fine as from the first offence was deemed contrary to the proportionality principle, which implies that the sanction must be proportionate to the infringement.
The Data Protection Authority should consider the full range of sanctions at its disposal before issuing a fine, and only impose a fine on organisations/people who do not comply with its injunctions.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Court of Appeal Brussels - 2021 / AR / 163 p. 2
BECAUSE OF
X1
Requesting Party,
Having for advice Master Benjamin Docquir (benjamin.docguir@osborneclarke.com) and
Maitre ChloePonsart (chloe.ponsart@osborneclarke.com), lawyers, with an established firm
a 1050 B ruxelles, Place du Champ de Mars 5.
Cantre:
THE DATA PROTECTION AUTHORITY, a public body endowed with the
legal, created by the law of 3 December 2017, and whose head office is established at 1000
Brussels, Rue de la Presse 35, and registered the Banque-Carrefour des Entreprises under the
number 0694.679.950 (hereinafter, the "lntimee", the Data Protection Authority "or
the "APD"),
Defendant,
Advised by Maitre Etienne Kairis (e.kairis@liedekerke.com), and Maitre Francesca
Biebuyck (f.biebuyck@liedekerke.com), lawyers, whose firm is established in 1000 Brussels,
Boulevard de l'Empereur 3.
******
Having regard to the procedural documents and in particular
the decision 81/2020 rendered by the Contentious Chamber of the Protection Authority
data on December 23, 2020 (DOS-2019-02751);
the appeal brought by X1 against decision 81/2020 dated 20
January 2021;
- the timetable for conclusions taken on the basis of article 747, §1 of the Judicial Code;
the summary conclusions of X1 of April 8, 2021;
the additional conclusions and summary of the APD of April 29, 2021;
the files of exhibits filed by the parties, Court of Appeal Brussels-2021 / AR / 163 p. 3
Heard the advice of the parties at the public hearing of May 5, 2021, held in
videoconference of the parties agreement. At the date of the hearing, the registry has my disposal
of any litigant and any person wishing to attend the debates, the link and the word of
pass allowing to participate in the videoconference.
I. The DecisionAttaguee
X1 is a study by bailiffs established in [...]. She is notably in charge of
recovery of parking fees entrusted by the City of [...] the company X2S.A.
X2S.A. and X was the subject of a complaint lodged on May 15, 2019 with the ODA introduced
through [...]. (hereinafter "the person concerned").
The APD Litigation Chamber rendered the Attacked Decision on December 23, 2020, at
end of which, it has decided, with regard to X1 to:
Issue (...) a reprimand on the basis of article 100.1, 5 LCA;
Issue an order of compliance in terms of information (policy of
confidentiality and information clauses) and basic pleasure of the form attached to the
°
formal notice of payment on the basis of article 100.1, 9 LCA. He is at
this effect requires the second defendant [X1] to communicate to the APD
both its confidentiality policy applicable to the processing operations covered by this
decision that its information clause (s) as well as the manner in which it intends
respond to breaches related to the above form. The
communication of these
documents must be received within 3 months from the notification of the
present decision via the address litigationchamber@apd-gba.be;
Impose (...) an administrative fine in the amount of 15,000 euros in
application of articles 100.1, 13 and 101 LCA.
II.
According to the APD, the facts relevant to the examination of the present case can be summarized
as follows:
1.
X1 is a study of judicial officers located in Brussels who deals, within the framework of its
legal prerogatives defined in article 519 of the Judicial Code, in particular of
amicable and judicial recovery of debts from its customers.
3 Brussels Court of Appeal -2021 / AR / 163 p. 4
2.
The S .A. X2 (hereinafter "X2"} is a company specializing in parking for
street, and as such it controls parking in the municipalities in which it is
concessionaire of public interest missions. It is part of the Group [...].
X2 is one of X1's clients: the latter takes care of the management of the
amicable, and if necessary, judicial recovery of unpaid debts such as
parking fees.
3.
X2 indicates to have place, dated January 2, 2019, an invitation to pay [...] on the barrier
breeze from a vehicle parked in [...] a blue zone without a blue disc affixed or
parking authorization. This amount corresponds to the amount of the "Tariff °
[..] "of the Municipal Regulations of [...] of [...] relating to parking in the blue zone n [...]
(hereinafter the “Municipal Regulations”}.
X2 indicates that it then sent a payment reminder to the person concerned on 24
January 2019, increasing the initial debt by 5 €, in accordance with article [...] of the Regulation
Communal.
The person concerned denies having found on January 2, 2019 any invitation to
pay this fee on their windshield, as well as having received a payment reminder from
by X2
4.
This payment has not been paid within 15 days of the call of January 24, 2019, X2
transmitted the file of the person concerned to his judicial officer X1, so that he
collects the amount claimed.
5.
On February 25, 2019, X1 therefore sent the person concerned a formal notice in order to
recover the amount claimed (i.e. the amount of the initial fee, plus the
delay and bailiff fees, a total of € [..]). The person concerned indicates
have received this formal notice on March 1, 2019.
This remittance resumes as an annex a form entitled "Form anusreturn
"Which specifies in particular" (...) "(Exhibit 1 of the APO file}.
4Brussels-2021 / AR / 163 Court of Appeal p. 5
The form contains fields to be completed with their contact details (surname / first name, date of
birth, address, postal code and town, telephone number, mobile phone number, e-mail address
mail) and includes three "payment proposals" with, for each of them, a box
to hide.
6.
The person concerned wrote several times to X2 and X1 to obtain more
explanations, indicating never having received an invitation to pay, nor a reminder, and
opposing the payment of the royalty. In these writings, she also questioned X1
as to the legal bases allowing him to access the Management of
Vehicle registration (the “DIV”) from the SPF Mobilite and the National Register, as well as
requests to be able to exercise their right of access to their personal data,
in accordance with article 15 of the General Data Protection Regulation (the "GDPR
))
7.
on the one hand, and X1, on the other hand, for various breaches of the GDPR (Pieces 1 and 2 last from X2,
APD file). On June 6, 2019, she made an addendum to her complaint (Exhibit 3 of the
APD).
More precisely, under the terms of these complaints, she blamed X1 for being guilty
of
A breach of his right to information (articles 12 and 14 of the GDPR);
A breach of his right of access (article 15 of the GDPR);
A breach of Article 28 of the GDPR with regard to its status as a sub
treating;
A breach of the principles of proportionality and reuse
illegal data communicated to it by X2 even though it
would not be validly based there (Articles 5 and 6 of the GDPR); and
- A breach of the principles of data minimization and the use of
enforced consent with regard to the form attached to the formal notice of
payment (Articles 5 and 6 of the GDPR).
The person concerned also asked the APD that X2 and X1 be condemned to
sanction proportionate to the gravity of the facts, taking into account the object and the extent of their
professional activity which affects a large number of citizens. She begged in
Litigation in order to inform the public of illegal practices in matters of management of
parking fees against which he can claim the respect of his rights by
data protection matter.
5 Court of Appeal Bruxelles-2021 / AR / 163 p. 6
8.
On June 18, 2019, the complaints were declared admissible by the APO and forwarded to the Chamber.
APO litigation (Exhibit 4 of the APD file).
On July 12, 2019, the Litigation Chamber decided to join the two complaints and to
forward to the Inspection Service so that an investigation can be carried out {Exhibit 5 of the
ODA).
9.
On January 6, 2020, an investigation report is filed by the Inspection Service with the
Litigation Chamber (Exhibit 6 of the APD file).
The parties were each given the opportunity to submit their observations following the report of the
Inspection service.
10.
On January 21, 2020, the APD informs the parties of the fact that following the complaint lodged and the
findings made by the Inspection Service, it decides to carry out a review of the
complaint on the merits (Exhibits 7, 8 and 9 of the APD file).
11.
On July 13, 2020, the Litigation Chamber organized a hearing in the presence of the parties,
a report was drawn up (Exhibits 10 and 11 of the APD file).
12.
Endated on December 23, 2020, the APD issued a decision on the merits (81/2020) against
of X1 and X2 (hereinafter the "decision"), in which
-
it concludes, in the head of X1, has:
(i) a breach of its information obligation (Articles 12 and 14 of the GDPR),
(ii) a defect in the legal basis with regard to the collection of data under the terms of the
form accompanying the formal notice of payment (article 6 of the RGPO) and a
breach of the principle of minimization (article 5.1, c) of the GDPR), and
(iii) on the basis of the previous breaches ((i) and (ii)), a breach of the obligation to
implementation of appropriate technical and organizational measures for the
data processing (articles 5.2 and 24.1-2 of the GDPR),
- and pronounces the sanctions mentioned above with regard to X1.
13.
6 Brussels Court of Appeal -2021 / AR / 163 p. 7
On January 20, 2021, X1 brought an action before the Marches Court against the
decision Attacked.
Ill. The legal framework
1.
The Attacked Decision of the APD pronounces the sanction of the reprimand with regard to X1 in
based on the provisions of Article 100 § 1, 5 LCA, and attaches this claim to a
order of settlement in accordance with the form attached to the final payments, and this
on the basis of Article 100 § 1, 9 LCA within a period of 3 months from the notification of the
decision and an administrative fine in the amount of 15,000.00 euros in application of the
Articles 100§1,13 and 101 LCA.
2.
Article 100 § 1 LCA is drafted as follows
"§1 The contentious chamber has the power to:
1 ° dismiss the complaint;
2 order the dismissal;
°
3 pronounce the suspension of the pronouncement;
°
4 offer a transaction;
5 issue warnings and reprimands;
°
6 order compliance with the requests of the person concerned to exercise these rights;
7 order that the person concerned be informed of the security problem;
°
8 order the freezing, limitation or temporary or definitive prohibition of processing;
7 Brussels Court of Appeal -2021 / AR / 163 p. 8
°
9 order that the processing be brought into conformity;
°
10 order the rectification, restriction or / 'erasure of data and the notification of
these to the data recipients;
11 ° order the withdrawal of accreditation of certification bodies;
12 give on-call penalties;
°
13 issue administrative fines;
°
14 order the suspension of cross-border data flows to another State or to a
international body;
15 ° transmit the case to the public prosecutor's office of the Roide Bruxelles, which informs it of the
data on file;
16 ° to decide in the event of publication of its decisions on the Internet site of the Protection Authority
Datas
°
§2. When, after the application of §, 15, the public ministry renounces the initiation of legal proceedings
penal, to propose an amicable resolution or penal mediation within the meaning of article
216ter of the Code of Criminal Instruction, or / when the public prosecutor has not taken a decision
for a period of six months from the day on which the file is received, the Protection Authority
of the data determines whether the administrative procedure should be resumed ”.
Article 101 LCA is written as follows: "The contentious chamber may decide
to impose an administrative fine on the parties prosecuted in accordance with the general principles referred to
a / 'article 83 of Regulation 2016/679 ”.
3.
Article 83 of the GDPR is read as follows:
"1. Each supervisory authority shall ensure that its administrative fines imposed
of this article for violations of these regulations referred to in paragraphs 4, 5 and 6
be, given each cos, effective, proportionate and dissuasive.
2. Based on the specific characteristics of each cos, administrative fines are imposed
in addition to or instead of the measures referred to in Article 58 (2) (a) to (h), and
j). To decide whether to impose an administrative fine and to decide on the amount
8 Court of Appeal Bruxelles-2021 / AR / 163 p. 9
of / 'administrative amendment, it is taken into account, in each case, of the elements
following:
a) the nature, gravity and duration of the breach, taking into account the nature, extent to
the purpose of the treatment concerned, as well as the number of affected persons and
the level of damage they suffered;
(b) the fact that the violation was committed willfully or negligently;
c) any measure taken by the controller to the processor to mitigate the
damage suffered by the persons concerned;
d) the degree of responsibility of those responsible for the processing of the subcontractor,
technical and organizational measures that i / s implemented pursuant to Articles25
and 32;
e) any relevant breach previously committed by the controller on
subcontractor;
f) the degree of cooperation established with the control authority with a view to remedying the breach and
to mitigate any negative effects;
(g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the violation, including whether, and
to what extent the data controller has notified the breach;
(i) where measures referred to in Article 58 (2) have previously been ordered to
/ 'against the controller or the processor concerns for the same purpose, the
compliance with these measures;
j) the application of codes of conduct approved in accordance with article 40 of the mechanisms
decertification approved in application of article 42; and
k) any other circumstantial aggravating factor applicable to the circumstances of the case,
such as the financial benefits obtained at the losses avoided, directly at the
indirectly, as a result of the violation. "
4.
X1 claims other avers of its various means than the Decision Attackeviole
•! Article 14 §5 c) of the GDPR on the concept of exemption from the obligation to inform the
controller (first method),
• the concept of the free nature of the consent of the person concerned within the meaning of
! 'Article 4 (11) of the GDPR (second means),
• the rules for applying the principle of data minimization established by Article 5
§ 1, c) of the GDPR (3rd means),
• Articles 5 §2 and 24 §§ 1- 2 of the GDPR insofar as they aim at the implementation of measures
appropriate technical and organizational principles and the principle of formal motivation
(4 medium),
9Brussels-2021 / AR / 163 Court of Appeal p. 10
• Article 83 of the GDPR relating to the justification and proportion of the fine and the
principle of formal motivation obligation (average seme).
IV. The subject of the appeal
1.
At the end of its summary conclusions, X1 asks the Marches Court to:
"- Declare the appeal of X1 admissible and found;
- Therefore;
Mainly,
- Annul decision 81/2020 rendered by the Data Protection Authority on 23
December 2020 (decision a quo) against the APE / ante, in that it notes a
breach of the obligation to inform, a basic defect that concerns
the collection of data under the form accompanying the formal notice
payment and a breach of the minimization principle, as well as a breach
Articles 5.2. and 24.1-2 of the GDPR;
- Order the Data Protection Authority to reimburse the fine
administration of an amount of € 15,000.00 paid by X1; and Brussels Court of Appeal - 2021 / AR / 163 p. 11
-
Confirm the decision a quo for the rest.
In the alternative,
-
If the Court were to consider that the complaint filed on May 15, 2019 by the
person concerned with the Data Protection Authority was founded in
part with regard to X1, in any case pronounce a simple
reprimand and not a fine.
In any case,
- Order the lntimee to pay the full costs, including procedural compensation,
liquids a1.860,00 € as follows:
o Role rights € 400.00
o Contribution to the budget fund € 20.00
o procedural indemnity (basic amount) € 1,440.00 ”.
2.
At the end of its summary conclusions, the APD asks the Marches Court to
"- Declare X1's requests to annul the decision rendered in that it finds
a legal base defect for data collection and a breach of the principle of
minimization (2nd and 3rd grievances) inadmissible or in the alternative, unfounded;
Declare / s requests by X1 to quash the decision rendered in so far as he / she finds a
breach of the information obligation, a breach of Articles 5em and 2 of
RGPD, and in that it imposes an administrative fine on X1 {1st, 4th and 5th grievances)
unfounded;
- Order X1 to pay the full costs of the proceedings, including the procedural indemnity
fixed at the basic amount (€ 1,440.00) ”.
V. Means invoked by X1
11 Brussels Court of Appeal -2021 / AR / 163 p. 12
X1 develops an introductory argument relating to the jurisdiction of the Marches Court and
the admissibility of his complaints and five pleas.
They are worded as follows:
A. AT A GLANCE: AS REGARDS THE JURISDICTION OF THE COURT OF MARKETS AND
GRIEVANCES FROM X1
B. FIRST MEANS: X1 HAS NOT FAILED IN ITS OBLIGATION
INFORMATION FOR THE PERSONS CONCERNED
C. SECOND MEANS: USE OF THE PAYMENT REQUEST FORM BY
X1 STANDS ON A LEGAL BASIS AND ALLOWS A FREE CONSENT FROM THE
CONCERNED PERSON
D. THIRD SUBMISSION: X1 DID NOT BREACH ARTICLE 5 (1) (() OF THE
RGPD (PRINCIPLE OF "DATA MINIMIZATION") IN THE CONTEXT OF
USE OF THE PAYMENT REQUEST FORM
E. FOURTH SUBMISSION: X1 DID NO BREACH OF ITEMS
5 (2) AND 24 (1) - (2) GDPR
F. FIFTH SUBMISSION: THE ADMINISTRATIVE FINE IMPOSED ON THE APPELLANT IS
INJUSTIFIED AND DISPROPORTED
VI. Means invoked in support of the defense
The APD arguments are titled as follows:
CLIMINALLY: AS TO THE JURISDICTION OF THE LITIGATION CHAMBER OF THE APO AND
OF THE COUR DES MARCHES
FIRST SUBMISSION: AS REGARDS THE BREACH OF THE OBLIGATION TO INFORM
DATA SUBJECT (ARTICLES 12 AND 14 OF THE GDPR)
SECOND MEAN: AS TO OBTAINING A FORCE PERSON'S CONSENT
CONCERNED AND THE VIOLATION OF THE PRINCIPLE OF DATA MINIMIZATION IN THE FRAMEWORK
THE USE OF THE PAYMENT REQUEST FORM (ARTICLES 6.1, A) AND 5.1, C)
GDPR)
THIRD SUBMISSION: AS REGARDS COMPLIANCE WITH ARTICLES 5.2 AND 24 OF THE GDPR
FOURTH SUBMISSION: AS TO THE ADMINISTRATIVE FINE IMPOSED BY ODA
12 Brussels Court of Appeal - 2021 / AR / 163 p. 13
VII. Admissibility
The Attacked Decision was taken by the ODA on December 23, 2020 and was notified by
e-mail to X1 the same day.
It is not disputed that the petition was filed with the court registry within 30 days.
er
referred to in article 108 § 1 of the law of 3 December 2017 establishing the Authority
Data protection.
The appeal is admissible.
VIII. Discussion
A. As to the scope of the jurisdiction of the Marches Court and the admissibility of
certain grievances of the requesting party
1.
The parties develop in terms of conclusions of theses in disagreement on the scope of the
jurisdiction / jurisdiction of the Marches Court, in particular the question of the scope of
full jurisdiction of the Marches Court and its impact on the admissibility of complaints
of the requesting party.
2.
However, in certain laws which confer jurisdiction on the Marches Court, it is
explicitly indicates that the Court will rule in full jurisdiction, this delimitation of
jurisdiction is not explicitly mentioned in this case. Article 108 § 1 of the APD law
only provides that an appeal against the decisions of the contentious chamber may be
form in front of the Marches Court.
An appeal to the Marches Court differs from an "ordinary" appeal such as one that can
be brought before a court of appeal 1.
Article 6 § 1 of the ECHR provides that “Everyone has the right to have his cause heard
fairly, publicly and within a reasonable timeframe, by an independent tribunal and
impartial, established by the Joi, which will decide, either of the disputes on its rights and obligations of
civil character, [... »]
With regard to the right to an effective remedy and to a fair trial, article 47 of the charter
of the fundamental rights of the European Union provides that "everyone whose rights are
and freedoms guaranteed by Union law have been violated has the right to an effective remedy before a
court in compliance with the conditions provided for in this article. Everyone has the right to
that its cause be heard fairly, publicly and within a reasonable timeframe by a
independent and impartial tribunal, established previously by the Joi. [...] "
1Comp. Cour des marches February 19, 2020, 2019 AR 1600.
13 Brussels-2021 / AR / 163 Court of Appeal p. 17
judicial order, he considers it imperative that a legal remedy be instituted by the legislator in order to
to guarantee the litigant a remedy before a court forming part of the judicial order.
It follows that the Marches Court cannot therefore substitute its decision for that of the
administrative only when the Court finds that this decision is illegal or irregular (for
example when any principle of good administration would be violated by the decision
administrative attack).
A manifest error "may" lead to the annulment of the decision. It follows that it belongs
the applicant to prove the manifest error of assessment which would have been committed by the
contentious chamber of the APD, the illegality of the Attacked Decision or the disregard of the
general principles of good administrative management 9 •
The motivation required by the law of July 29, 1991 on the explicit motivation of acts
administrative matters must include the statement of the legal and factual considerations which constitute the
basis of the decision. It follows from these provisions that, in the hypothesis or legality
of an administrative decision is based on the taking into account of a certain number of
considerations, compliance with the motivation requirement that they provide for
to only have to state those on which the decision he has taken is based.
7.
This being recalled, the APD is wrong to conclude that certain grievances developed by the
claimant party would not be admissible on the ground that the latter would not report
proof of a manifest irregularity or illegality but would be content to invoke a
error of appreciation on the part of the APD.
Article 108 § 1 of the APD law does not contain any provision relating to the admissibility of
complaints raised by the complainant. The only admissibility test to which the Court of
markets should engage in that of the course introduced. The fact that certain grievances raised by
the requesting party are possibly lacking in law or in fact will only lead to
on an appreciation of their (non-) foundation.
B. As to the first plea of the reguerante party
9Cour des marchesJune 12, 2019, 2019 AR113.
17 Court of Appeal Bruxelles-2021 / AR / 163 p. 18
a) Return of the reguerante party
The appellant's thesis can be summarized as follows:
"The Data Protection Authority made a first error of law when it
decides that X1 could not avail itself of the exception to the information obligation provided for
a / 'article 14, §5, (c) of the GDPR. (...)
Pursuant to article 14, §5, (c) of the GDPR, the responsibility for processing is exempt from
/ 'obligation to inform the persons concerned about the processing of their data
personal / s when and in the measurement or obtaining or communication of information
are expressly provided for by Union law or the law of the Member State to which the
controller is subject to and provides for appropriate measures to protect
The legitimate interests of the person concerned "(...)
Recital 62 of the GDPR leaves no doubt as to the intention of the legislator of the Union of
make an exception to / 'information obligation' when recording or communicating
data of a personal nature is expressly provided for by the Law "(...)
(...) the exemption from information provided for / 'article 14, § 5, (c), of the GDPR, does not create
controller a kind of obligation of result with regard to the existence of
appropriate guarantees: the definition of the nature, content and extent of these guarantees
is left to the national legislator, which necessarily implies that there is a margin
of appreciation in the headingsponsab / treatment, quiditsandquedersilecadrelegal
is sufficient to justify the exemption.
It follows that the Data Protection Authority had to assess quite differently
/ 'existence of the exemption from information with regard to the applicable legal framework. She had to be
ask whether, in the light of the concrete circumstances, it was or was not reasonable for the
controller to consider that he could benefit from the exemption of information referred
a / 'article 14, 5, (c), of the GDPR. However, she did not make such an assessment, without
will in no way justify this regard ”.
b) These ODA
18 Court of Appeal Bruxelles-2021 / AR / 163 p. 19
1.
The APD mainly concludes that the complaint formulated by the requesting party is
inadmissible on the ground that it does not demonstrate the existence of an irregularity or illegality
committed by APD.
2.
In the alternative, the APD concludes that the exception invoked by the applicant
had to be interpreted restrictively and was not applicable in the present case, his complaint
being unfounded.
c) Decision of the Court
1.
The Court refers to the foregoing considerations relating to the extent of its jurisdiction
APD accepted the complaints in order to set aside the argument of inadmissibility of the complaint raised by
2.
The Court further notes that, in the Attacked Decision, at the end of a statement of reasons
consequente {see. points 97 to 104 of the decision), the APD came to the conclusion
that the exception to the information obligation invoked by X1 was not applicable in
the species.
The APD indicated the reasons which led it to conclude that X1 could not avail itself of this
exemption: the municipal regulations do not include information on the
data processing {"obtaining or communicating information is
expressly provided for "), and not providing for" appropriate measures to protect
legitimate interests of the person concerned ”, it does not meet, according to the DPA, the criteria
provided for by the GDPR for the application of this exception.
3.
It is correct that the municipal regulations do not provide information on the processing of data operated
in execution of it.
X1 does not dispute, moreover, the fact that the municipal regulations concerned do not contain
not "appropriate measures to protect the legitimate interests of the person
concerned ”, but invokes the fact that these would be implemented by the“ numerous
reg / es Jega / es and deontologies framing the profession of bailiff ”which she quotes on pages 18
and 19 of its synthesis conclusions.
4.
The interpretation adopted by the APD is based on the fact that in the presence of an exception to a
obligation provided for by the RGPD (in this case! the information obligation), it is necessary to interpret
this exemption in a restrictive manner. The purpose of the text is to grant a dispensation
when the person concerned already has, through national law, the information
in question.
In the present case, the APD noted that the legal rules invoked by X1 were not, for the most part,
by relevant because they had no connection with the processing of the data
personal character.
19Brussels-2021 / AR / 163 Court of Appeal p. 20
The APD retained only two laws cited by the applicant as being a priori
relevant (! Article 519 of the Judicial Code and Articles 71 and 72 of the Code of Ethics of
bailiffs), because they prescribe the necessary guarantees in terms of information to
with regard to the litigant in their text, but she then noted that X1 did not demonstrate
not have applied in concreto what these texts provide.
5.
As has already been recalled, the principle of full jurisdiction should not be interpreted as
whether the Cour des Marches offered "a second chance" for the party or parties concerned and
as if that the Marches Court could "reexamine the file by making a clean sweep of the
departure and reassess the file ”.
The Marches Court notes that in this case it has not been demonstrated that by basing its decision
on the foregoing analysis, the Litigation Chamber of the APD committed an illegality or error
of right or of manifest fact.
The appellant's first plea is unfounded.
C. As to the second maven of the complainant
a) These by the requesting party
The appellant's thesis can be summarized as follows:
"The Data Protection Authority has a second legal error when it analyzes
the free character of consent of the persons concerned about the treatment of gamers given by
X1 in the context of / 'use of the form accompanying the formal notice sent
to debtors.
The formal notice {Exhibit n 3}, of which this form constitutes an annex, puts c / airement in
evidence the objective and the optional nature of the latter, indicating that any consultation
of the file or request for an audit plan can be made via the study site or by e-mail
and that if the person liable for payment wishes to obtain additional information, he can
use the form in question.
The Data Protection Authority, for its part, considered that this mention does not allow
not to overturn its conclusion. However, it should be remembered that the main part (namely the
concerned person at the origin of the complaint against X1 before the Authority
data protection) had not completed this form 35 We can therefore
•
reasonably consider that she understood the optional nature of the form and had
decides not to complete it despite the wording used on the form and the fact that it emanates
of a judicial officer study.
20 Brussels Court of Appeal -2021 / AR / 163 p. 21
The GDPR does not define what is meant by a "manifestation of will fiber" in the sense
of its article4 (11). The European legislator has only specified that for the purpose of determining whether
consent is given freely, the utmost account should be taken of
to know, among other things, whether the execution of a contract, including the provision of a service, is
subject to consent to the processing of personal data which is not
necessary for the execution of the said contract ".
In accordance with the 5/2020 guidelines of the European Committee for data protection
on consent, the adjective "fiber" implies that the person concerned has the choice of
to consent or not to the processing of their data. Consent will therefore not be considered
as freely given if the person concerned is not in a position to refuse or
withdraw consent without being prejudiced.
The decision of the Data Protection Authority to consider that X1 could not be
prevailing consent as the legal basis for processing is therefore based on a
incorrect legal qualification of the facts. In other words, the Data Protection Authority,
based on the factual evidence in the file, could not infer that
debtors were not in a position to freely consent to the processing of data
staff / es by X1 ”.-
b) These ODA
1.
The APD mainly concludes that the complaint formulated by the requesting party is
inadmissible on the grounds that it does not demonstrate the existence of an irregularity or unequal equality
committed by APD.
2.
In the alternative, the APD concludes that the use of the
payment by X1 is not based on a legal basis and does not allow obtaining a
free consent of the person concerned.
c) Decision of the Court
1.
The Court refers to the foregoing considerations relating to the extent of its jurisdiction
and to the admissibility of the complaints to set aside the argument of inadmissibility of the complaint raised by
ODA.
2.
As regards the basis of the applicant's complaint, the Cour des marches raised
that Article 4.11 of the GDPR defines consent as "any manifestation of will,
free, specific, enlightened and unambiguous by which the person concerned accepts, by a
declaration or by a positive act c / air, that personal data concerning him
/ assent subject to processing ”.
21 Court of Appeal Bruxelles-2021 / AR / 163 p. 22
3.
According to APD, “The adjective 'fiber' implies real choice and control over people.
concerned. Now in this case, as underlined by the APO in its decision, the combination of
following items
! the terms used on the form header ("only the form", "duly
complete ”) in bold, underlined;
the title of the form (“Return form”);
the fact that it emanates from a study of judicial officers;
the fact that the form is attached to a formal notice; and
the fact that the formal notice specifies that payment default in the de / ai,
an increase in the amount to be paid will be applied;
suggest that there is no alternative to the debtor's supplying the information
requested on / edit form. Consent cannot therefore be qualified as "fiber" and is
therefore not in accordance with the requirements of article 4.11 of the RGPO. Commesoulignepar / 'APO,
It is also necessary to take into account, when determining whether consent is given
freely, of the existence of a balance of power relations between the person concerned and
the data controller3 4 •
The fact that the formal notice sent to the person concerned specifies, at the end of the letter and
in smaller type than those shown on the form, "if you wish to obtain
additional information, we invite you to use the attached form »ne
Obviously not sufficient to characterize the consent of "fiber", in view of the elements mentioned above.
before ”.
4.
It is not demonstrated by the requesting party that the Attacked Decision, in that it accepts
of t these considerations would be based on an illegality, an irregularity or an error
manifest.
The fact that the person concerned by the decision is a lawyer and that he has not completed
and return the said form is irrelevant in this regard, as long as it is not disputed
that the disputed form is the one used by X1 in the context of its activities of
Debt recovery.
Once again, it is not up to the Court of Marches to give to the justiciable, as in a
“classic” call, a “second chance” to present one's basic arguments.
22 Brussels Court of Appeal -2021 / AR / 163 p. 23
The appellant's second plea is unfounded.
D. As to the third plea of the reguerante part
a} These of the reguerante part
The argument of the requesting party can be summarized as follows:
"The Data Protection Authority has made a third deciding legal error
the collection of data through the payment request form, under "Your
coordinates ", constitutes a breach of the principle of data minimization (art. 5, §1,
(c) of the GDPR) on the sole ground that no asterisk or other mention indicated that the person
concerned was free to choose one of the modes of communication proposed by the form and
that the provision of certain data was therefore optional.
The Data Protection Authority has thus focused all its analysis on / 'the absence
asterisks or another statement explicitly indicating the optional nature of
some data.
However, it is all the specific circumstances which must be assessed in order to
determine whether the use of this form ultimately results in excessive data collection
personnel by X1 with regard to the purposes of the processing ”.
b) These from the APO
1.
The APD mainly concludes that the complaint formulated by the requesting party is
inadmissible on the ground that it does not demonstrate the existence of an irregularity or illegality
committed by APD.
2.
In the alternative, the APD concludes that the use of the
payment by X1 suggests that all the details of the person being prosecuted
should be communicated when not all are necessary.
c) Decision of the Court
1.
23 Court of Appeal Bruxelles-2021 / AR / 163 p. 24
The Court refers to the foregoing considerations relating to the extent of its jurisdiction
and to the admissibility of the complaints to set aside the argument of inadmissibility of the complaint raised by
ODA.
2.
As regards the basis of the complainant's complaint, the principle of minimization
data is defined in article 5.1 (c) of the GDPR:
"1. Data of a personal nature must be:
(...)
c) adequate, relevant and limited to what is necessary for the purposes of
[inalities for which they are processed (data minimization) ”.
3.
The Contentious Chamber considered the results of its analysis of the form that the presentation
of the data requested under the "coordinates" and the wording used in the
form suggest that all the headings must be completed and that there is no
no alternative to collecting all the information requested in the table, while
considering that all the data included on this form is not necessary for
the purpose pursued by X1.
According to the APD, it would be enough to provide the postal address, the telephone number, the GSM number
or the e-mail address, "all of this cumulative contact data is not required".
4.
Once again, it does not appear that this analysis of the contentious chamber would constitute
illegality, irregularity or manifest error.
The appellant's third plea is unfounded.
E. As to the fourth plea of the partiereguerante
a) These of the reguerante part
The appellant's thesis can be summarized as follows:
"The Data Protection Authority has failed in its obligation to formally motivate
contenting himself with referring "to the shortcomings retained above {8.2.1. and 8.2.4.}" for
24 Brussels Court of Appeal -2021 / AR / 163 p. 25
conclude that X1 was in default "of having implemented the technical measures and
appropriate organizational structure to ensure and be able to demonstrate that
data processing which it operates are, in particular taking into account their nature,
the context and the purposes I / s pursue, carried out in accordance with the RGPO ".
The simple reference to the breaches referred to in sections 8.2.1. and 8.2.4. of the decision
Attack does not allow X1 to understand the reasons on which the Protection Authority
data was based in order to conc! uure that other infringements (in this case, a
breach of Articles 5, §2, and 24, §§1-2 of the RGPO} would have been committed by X1.
The Data Protection Authority even contradicted itself since it indicated, given the
same decision, that "from May 25, 2018, the second defendant [X1] had a
clear and detailed privacy policy and has endeavored to comply with all
its obligations under the RGPO, in particular the designation of a
OPO "(emphasis added).
These two conclusions are for the most part contradictory and required more reasoning.
detail from the Data Protection Authority so that X1 can
understand! the reasons behind this change of position ”.
b) These ODA
The APD concludes by the fact that it "made it clear in its decision that it was in support of the
arguments provided in this very decision ("donations / 'act"), for / es relative breaches (i)
a / the obligation to inform the persons concerned, and (ii) concerning the
request for payment and the consent of the person concerned, that they have entered into a
breacha / 'article 14.1-2 combined' article 12.3, article 6, article 5.1, c) and articles 5.2
and 24.1-2 of the RGPO. It is therefore not a question of an autonomous failure, but of the consequence
other breaches identified by / 'APO.
The motivation developed by / 'APO in this regard is based on information and
developments already known from X1, to which express reference is made in the text.
It certainly allows X1 to understand the factual and legal reasons which led to
a / 'adoption of such a decision'.
c) Decision of the Court
1.
The requirement to state reasons for the administrative act in dispute requires (see article 3 of the law of 29
July 1991 on the explicit motivation of administrative acts) than the motivation as it
25 Court of Appeal Bruxelles-2021 / AR / 163 p. 27
The sufficiency of the motivation means that the motivation must be relevant, i.e.
say that it must be clearly linked to the decision, and that it must be substantial, that is to say
that the reasons must be sufficient to support the decision. The reasoning must be based
on clear and concrete elements these elements must be all the more concrete and precise
that the decision deviates from a proposal or an opinion, even if it is not binding. In
in such a case, the administrative authority should not limit itself to contradicting the proposition or
opinion, but should instead explain why it considers that it cannot follow the
arguments on which the body which proposes or advises is based. 17.
4.
The main reason for the obligation to state reasons is that the person concerned must
be able to find, in the decision concerning itself, the reasons on the basis of which
it has been taken in such a way that it appears or at least can be verified whether the authority
was based on information which is factually correct, if it has correctly
evaluations given and whether it was reasonable to make a decision on the basis of them,
so that the person concerned can determine with full knowledge of the cause whether there is
place to challenge the decision by appealing for annulment 18
.
5.
In application of these principles, it appears that the Attacked Decision is adequately
motivated, the requesting party not showing how the motivation should have been
"Strengthened" in this case.
Indeed, it is the title that the APD concludes with the fact that "in its conclusions, X1 invokes, ace
subject, situations like this l / e of a change in attitude of authority. She leans
also on a judgment of the Marches Court in which the decision deviated from a
proposal or opinion ".
However, none of these cases is encountered in this case: it has not been shown that ODA
would have made a "turnaround" or "would have departed from a proposal or opinion".
Secondly, the Applicant is also wrong to raise an alleged
contradiction on the part of the APD, which mentioned in the decision the efforts made
by X1 to comply with the obligations arising from the GDPR which it
incumbent, while having concluded a breach of Articles 5.2 and 24 of the GDPR.
The finding that X1 has complied with the GDPR during the procedure
logically follows from the finding of a prior situation of non-compliance.
The ODA did not contradict itself by taking into account these efforts, in a second step,
in order to assess the height of the sanction which it was incumbent on him to retain against X1.
It has not been demonstrated by the applicant that the considerations adopted by the APD
would constitute an illegality, an irregularity or a manifest error.
The appellant's fourth plea is unfounded.
17
18Conseil d'Et ° t (9th c188.152, November 24, 2008, CDPK 2009, 535; http://www.raadvst-consetat.be.
Council of State n 153.326, January 9, 2006, CDPK 2006, 183 and 207; http://www.raadvst-consetat.be.
27 Court of Appeal Bruxelles-2021 / AR / 163 p. 28
F. As to the average fifth of the reguerante part
a) These of the reguerante part
The appellant's thesis can be summarized as follows:
"The Data Protection Authority has failed in its obligation to formally motivate
not indicating, in a transparent and substantiated manner, in the Attacked Decision, why a
simple reprimand or, at the very least, a fine of less than 15,000 euros would not have
sufficient to put an end to the shortcomings observed.
The Data Protection Authority has certainly detailed the various elements it has taken into account.
account in its decision to impose an administrative fine but has not given reasons
why a less / hateful sanction, such as a simple reprimand or, at the very least, a
a fine of less than 15,000 euros, would not have been such as to put an end to the offenses.
This motivation was all the more necessary as the discounted deterrent effect of the fine
no longer had a reason to be. X1 had in fact already committed to providing
modifications to its official documents (such as the formal notice or the life policy
privee) in order to meet the criticisms addressed by the Data Protection Authority.
In addition, the Marches Court has already had the opportunity to point out that it was not bound by the
decision of the Data Protection Authority regarding the fine or its amount
may substitute its power of appreciation to that of the Data Protection Authority in this
which concerns the appropriateness of the sanction a / 'infringement.
In the present case, in addition to being inadequately reasoned, it should be noted that the fine
imposed by the Data Protection Authority is a / disproportionate in relation to:
at. The seriousness of the offense with regard to the non-sensitive nature of the data
col / ected through the contested form, reg / es (lega / es et
deontological) surrounding the profession of bailiff and the processing of
data that they can and / or must achieve in the context of their activities and
of the many steps taken by X1 in order to
compliance with / 'all the obligations arising from the RGPD Jui incumbent
(as / are, and as / 'has re / eve the Data Protection Authority, the update
provision of a "clear and detailed confidentiality policy");
b. To the purely theoretical damage because the complainant did not replace
contested form;
vs. To the financial situation of X1 strongly impacted by the health crisis
current.
For the foregoing reasons, if the Court were not to set aside the decision under appeal, ii
at the very least, to substitute for the financial sanction the simple pronouncement of a
reprimanded for / 'all the breaches established judges'.
b) These ODA
28 Brussels Court of Appeal -2021 / AR / 163 p. 29
The analysis of ODA can be synthesized as follows:
"X1 reproached the APO for having, as for the imposition of a fine, breached his obligation to
formal motivation.
This means is devoid of any foundation.
It should be remembered that article 58.2, i) of the RGPO stipulates that any supervisory authority,
such as the APO, has the power to impose an administrative fine under
/ 'Article 83, "in addition to or instead of the measures referred to in this paragraph, in
depending on the characteristics specific to each case ”.
Article 83.1 of the RGPO provides that each supervisory authority ensures that fines
administrative measures imposed for violations of the RGPO are "effective, proportionate and
dissuasive (...).
It is indisputable that APO in this case properly gave the reasons for its decision as to
/ 'Imposition of an administrative fine. It is in effect at the end of long developments (i.e.
more than three pages), offering a clear and detailed account of the
the Contentious Chamber came to the conclusion that an administrative fine was, in view of
of / all the circumstances of the cause, justified in the completion of the reprimand and the order
compliance, in accordance with the criteria retained by article 83.2 of the RGPO (see Jes
points 167a 181 of the decision).
It may also be emphasized that in that it indicates that "if the Court were not to annul in
all its provisions the decision undertaken, it is appropriate for all hands to substitute the
financial sanction the simple pronouncement of a reprimand for / 'all the breaches
judges etab / is ", X1 visibly ignored the scope of the mission and the powers conferred on the
Court. Failing to note that the decision would be illegal or irregular, quad not in
In this case, the Court is in fact unable to modify the sanction retained ”.
c) Decision of the Court
1.
The Cour des Marches is referring to what has been set out above as to the requirement of motivation
formal.
2.
The Court notes that the sanctions imposed on X1 are reasoned as follows in the
DecisionAttacke:
“165. The Litigation Chamber noted a breach of article 14.1-2 combined with
/ 'article 12.3a /'article6,a/'article5.1 c) and articles 5.2. and24. 1-2 of the RGPOin the head of
the second-defendant [X1] (point 137 above).
166. In view of these shortcomings, the Contentious Chamber addresses ° to the second
defendant [X1] a reprimand on the basis of / 'article 100. 1, 5 LCA.
167. The Contentious Chamber also takes action that the second defendant [X1]
has, in the terms of its conclusions and / ors / 'hearing, proposed to provide certain
modifications 29 Court of Appeal Brussels-2021 / AR / 163 p. 30
in his practice. The Litigation Chamber is in fact of the opinion that a certain number of
modifications and measures must in fact be introduced as quickly as possible.
the second defendant [X1] to comply with its obligations under the
GDPR. P artantly, the Jui Litigation Chamber imposes an order of compliance
details to the device in application of article 100. 1, 9 LCA (see in this respect the precision in
point 141 above).
168. In addition to this reprimand25 and this order of compliance, the Litigation Chamber
is of the opinion that in addition, an administrative fine is justified in this case for
reasons below.
169. As to the nature of the violation, the Contentious Chamber finds that with regard to the
breach of article 6 of the GDPR (absence of a legal basis) and of article
5.1 c) of the GDPR, ifs constitute breaches of the founding principles of the GDPR (and of the
data protection law in general}, or to the principles of / iceity and minimization
devoted to Chapter II "Principles" of the GDPR. Certainly the data collected at the end of the
form are primarily identification data and do not constitute data
sensitive within the meaning of Articles 9 and 10 of the GDPR. Their treatment intervenes, however, as ii
will be mentioned in point 176 below, in an “infringement” context.
Contentious will take this double consideration into account.
170. As for the infringement of article 14.1-2 combined with article 12.3 of the GDPR, it constitutes
a violation of the rights of the persons concerned - notwithstanding the existence of a
confidentiality, moreover, which the Litigation Chamber is aware of and of which it holds
account (point 179}. The right to / "information has been strengthened under the terms of the GDPR, which
testifies to its particular importance. The Data Protection Authority has, in
this perspective, inscribes respect for the rights of the persons concerned with the priority authority in
its strategic plan 2020-202526. Appropriate corrective action / sanction is not
hands determined on a case-by-case basis.
171. Finally, as regards the breach of article 5.2. and 24. 1-2 of the GDPR, it is also constitutive
a breach of the key principle of accountability, introduced by the GDPR.
172. Pursuant to article 83.5 a) of the GDPR, violations of all these provisions may
up to 20,000,000 euros or in the case of a company, up to 4% of the turnover
total worldwide annual business of the previous year. The maximum fine amounts
that may be applicable in the event of violation of these provisions are greater than those provided for
for other types of breaches listed in article 83.4. of the GDPR. is about
breach of a fundamental right, enshrined in Article 8 of the Charter of Rights
fundamentals of the European Union, / 'appreciation of their severity will be, such as the
Litigation Chamber has already had the opportunity to submit it, in support of Article 83.2.a) of
GDPR, autonomously.
173. According to the reaction that she / he sent to the Contentious Chamber in response to the
form of the envisaged fine, the second defendant [X1] states that the crisis
health related to the covid-19 virus pandemic hit extremely hard the
profession of judicial officer. The forced suspension of the p / upart of the activities of
bailiffs (whose execution measures) led the second defendant [X1] to have
put some of its staff on technical unemployment. The second defendant [X1]
estimates that its future turnover for 2020 and 2021 will, moreover, be disproportionate
with that of the past years.
30 Court of Appeal Brussels 2021 / AR / 163p. 31
174. As to the number of affected persons affected by the violations, the Chamber
Litigation re / eve that the breaches noted concern, beyond
complainant, a large number of people. the second defendant [X1] is not assuredly
a multinational company but a beige SME. the second defendant [X1] is not
not hands a study of benchmark bailiffs in Belgium, with strong experience [...]
years and which has [...] deco / laborers.
175. In view of the fact that / these shortcomings are part of the practice of the second
defendant [X1], the number of people potentially concerned is at the height of
number
of persons whose second defendant [X1] processes data within the framework of the exercise of
its amicable collection missions, i.e. a large number, even if the
Amicable debt collection does not constitute, which the Litigation Chamber is aware of,
part of the activities of the second defendant.
176. As to the quality of the second defendant [X1], the Litigation Chamber recalls that
in previous decisions, it has retained the status of public representative of the responsible
treatment as an aggravating factor within the meaning of Article 83.2. k) of the GDPR28. the
second defendant [X1] is in particular a ministerial official with a
public authority, which can exercise so-called "monopolistic" powers, which are
conferred by the Joi. As a liberal profession, the judicial officer exercises a number of
extrajudicial activities including amicable debt collection. the function is regulated
and the bailiffs are appointed by the King. their number is limited. With regard to this status,
the second defendant [X1] must adopt an exemplary attitude whatever the
cap with / with which she carries out her missions. the "infringement" context within the framework
of which the data processing that it operates also requires, having regard to
for their purpose, a particularly rigorous respect for the rights of individuals
concerned. data processing is a substantial part of the business
of the second defendant.
177. As to the criterion of duration, the Non-Competent Chamber notes that these
shortcomings last as long as they are part of the practices
of the second defendant
(article 83. 1 a} of the RGPD) at all hands since January 2019 ”.
2.
Article 83 of the GDPR provides in its first point that each supervisory authority ensures that
that the administrative fines imposed for breaches of the rules are, within
each case, effective, proportionate and dissuasive.
In its article 100, the law of 3 December 2017 establishing the Authority for the protection of
data (APD law) lists the possible sanctions.
The contentious chamber has the power to classify the complaint without further action; to order the non-place;
to pronounce the suspension of the pronouncement; to propose a transaction; to formulate
warnings and reprimands; to order to comply with the person's requests
concerns exercising these rights; to order that the interested party be informed of the
security; order the freezing, limitation or temporary or definitive prohibition of
treatment; to order that the processing be brought into conformity; to order the rectification,
restriction or erasure of data and notification thereof to recipients of
data; order the withdrawal of accreditation of certification bodies; to give
31 Brussels Court of Appeal 21 / AR / 163 p. 32
has streinte; to issue administrative fines; order the suspension of flows
data transborder to another or an international organization; to transmit
the file to the public prosecutor's office of Brussels, who informs them of the follow-up given to the
folder; decide on a case-by-case basis to publish its decisions on the website of the Authority
Data protection.
The faculty to impose an administrative fine is only the thirteenth sanction in
! 'legal enumeration.
The fundamental aim of European legislation is not to sanction in the form in
imposing fines for the breach of the prescribed, the goal is protection
Datas. The aim is therefore to protect data, not to punish at all costs.
the least offense.
3.
The fact that the shortcomings observed concern fundamental principles for which
higher fines are not an argument to adjust the proportionality.
The nature of the activities of the requesting party is certainly an element which it can be held
account to appreciate the height of the action, but do so in previous decisions
the Litigation Chamber took into account the status of "public representative" of the
responsible for treatment as an "aggravating factor" cannot be
that it cannot be admitted that this "case law" apparently relating to elected officials is
applied in parallel to the holder of a judicial officer charge.
The contentious chamber is an organ of an administrative authority which is not based on
establish some binding "case law", but must take its Caucasian decisions by
case, the publication of the decisions on the APO website should be sufficient to ensure
informing "public officials" of the need to comply with the provisions
legal data protection. It is not admissible that a "tariff" of
sanctions are applicable to certain professions, each litigant having the right to
personalize elements specific to his file, without any elements of appreciation drawn
other files interfere in the treatment of his case.
The argument drawn by the Litigation Chamber from the "duration of the breaches observed"
also lack of relevance to justify the amount of the fine retained.
The Court recalls that the complaint against the complaining party concerns a single fact, circumscribed
in time. The failure noted in the processing of the data is also
theoretical since it is not contested that any person concerned has not returned the form
contentious is referred to by its complaint. It cannot be argued in this context of considerations
general linked to the fact that the requesting party has been active for many years and
employs a large number of employees to justify the proportionality of the fine.
4.
The Court further raises the following points from the Attacked Decision, again with regard to the
motivation for the chosen action (La Coursouligne and accentuates)
"178. As to the question of knowing whether the breaches were committed deliberately or by
negligence (art. 83.2.b} of the GDPR), the Contentious Chamber considers that they have not been released.
It also accepts the fact that from May 25, 2018, the second defendant [X1
a 32Court of Appeal Brussels -2021 / AR / 163p. 33
c / ary and detailed privacy policy and has endeavored to comply with all
its obligations under the GDPR, in particular the appointment of a DPO.
She contacted specialized consultants for this purpose, notwithstanding the announcements.
made by the National Chamber of Judicial Officers which indicated that he / she has put in
in place of concrete measures to accompany and help studies which, in fine, was not the
case.
179. Finally, the second defendant [X1] was cooperative and concerned with
modify his
practices during the proceedings (in terms of its conclusions and / or the hearing). The
Litigation Chamber in taking note. (see in this respect the precision in point 141 above) ”.
5.
The Cour des Marches does not criticize the policy of the ODA contentious chamber, but the
the fact that it did not consider the possibilities of achieving the aim pursued by the legislation
European (as implemented in beige law) by another decision (provided for
explicitly in article 100 points 3 to 12 of the APD law and especially points 5 and 9 of which
it also applied in this case) when it had observed a series of elements which
demonstrate that the applicant has in no way manifested its intention to ignore the
principles of protection of personal data but that, on the contrary, the violation
that it committed is the result of negligence or rather a simple inadvertence,
when the requesting party had made arrangements in 2018, noted by the Chamber
contentious, hoping to comply with the legislation, and that it quickly rectified the
situation during the procedure.
6.
The foregoing observation cannot be interpreted otherwise than as a misappropriation of
power, that is to say, the use by an administrative authority of its power for another purpose
than that for which it was granted, in the head of the contentious chamber of the APD.
An attitude tending to impose a fine on the first offense committed by
inadvertently, does not correspond to the principles that govern the matter, insofar as
the litigation chamber of the APD has a complete repressive chain allowing it
to carry out checks, the consequences of which (if the infringement is established) may
the warning has the financial penalty or not. Violations should be punished
gradually and according to their gravity. For exemple:
• Step 1: Warning or formal notice from the offending company with a reminder of the
duty to ensure compliance of processing of sensitive data with the GDPR
• Step 2: injunction to cease the violation
• Step 3 (in certain cases): Limitation or temporary suspension of treatment
data
• Step 4: Administrative sanctions in the event of non-compliance with the rules of the GDPR.
33 Brussels Court of Appeal -2021 / AR / 163 p. 34
The penalties provided for in the GDPR should therefore in fact only be the ultimate
to which those prosecuted are exposed if they do not follow the instructions of the ODA.
The DPA must also ensure that the administrative sanctions provided for in the event of
GDPR breaches are effective, proportional and dissuasive. inflict
first offense, an administrative fine violated the principle of proportionality
of the sanction in relation to the infringement. The contentious chamber, while it is in its
motivation! the absence of deliberate character of the breaches observed and the real concern of
requesting party to modify its practices to bring them into compliance with the GDPR, omits
obviously to take into account the need for proportionality which includes in particular the
taking into account the presumption of good faith which must be enjoyed by the requesting party.
7.
In this case, it is by no means demonstrated that the reprimand and the order of compliance
inflicted elsewhere on X1 would not have been sufficient to ensure the finality of the proceedings. By inflicting
immediately, in this case, an administrative fine - the amount of
15,000.00 euros is in itself very consistent in the head of an SME - in addition to the two
measures already cited, the Contentious Chamber disregarded the fundamental principles of
proportionality of the sanction.
8.
The object of the appeal brought by the applicant is, in the alternative, to:
"If the Court were to consider that the complaint filed on May 15, 2019 by the person
concerned was founded in part with regard to X1, pronounce in any case a
simple reprimand and not a fine ”.
Taking into account the foregoing reasons, the Attacked Decision will be annulled, but only
in that it imposes a fine of 15,000.00 euros on X1.
IX. The costs
In accordance with article 1017, paragraph 1, of the Judicial Code, the APD is ordered to pay the costs,
liquid at 1,440 € (compensation for procedure-case not assessable in money).
34 Brussels Court of Appeal -2021 / AR / 163 p. 35
FOR THESE REASONS,
THE COURTYARD,
Having regard to the provisions of the law of June 15, 1935 on the use of languages in judicial matters,
Ruling contradictorily,
Receives the appeal, and says it grounds to the following extent:
Annuls Decision n ° 81/2020 pronounced by the Contentious Chamber of the Authority of
Data Protection on December 23, 2020 (DOS-2019-02751) insofar as it imposes a
fine of 15,000.00 euros at X1 on the basis of articles 100, 13 and 101 of the law of 3
December 2 017 establishing the Data Protection Authority ("LCA") as well
that! 'article 83 of the GDPR.
Orders the Data Protection Authority to pay the costs, including compensation for
procedure of 1.440 euros.
Orders the Data Protection Authority to pay the filing fee before
the court of appeal (€ 400.00) to the FPS FINANCES, in accordance with article 269 2 § 1, of the French
registration, mortgage and graft fees.
*****
35
