Supreme Court - C.20.0323.N
From GDPRhub
| Supreme Court - C.20.0323.N | |
|---|---|
 | |
| Court: | Supreme Court (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(11) GDPR Article 5(1)(c) GDPR Article 6(1)(a) GDPR Article 57(1)(f) GDPR |
| Decided: | 07.10.2021 |
| Published: | 07.10.2021 |
| Parties: | Gegevensbeschermingsautoriteit (Data Protection Authority) Verreydt BV |
| National Case Number/Name: | C.20.0323.N |
| European Case Law Identifier: | BE:CASS:2021:ARR.20211007.1N.4 |
| Appeal from: | Court of Appeal of Brussels (Belgium) 2019/AR/1600 |
| Appeal to: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Hof van Cassatie (Nr. C.20.0323.N) (in Dutch) |
| Initial Contributor: | Matthias Smet |
The Belgian Supreme Court ruled that the lawfulness of a processing activity should have been assessed by the trial judge on the basis of Article 6 GDPR even if no personal data was processed. The case related to a customer's refusal to provide his electronic ID card to a shop owner to become part of a loyalty program.
English Summary
Facts
A shop owner tied admission to a loyalty scheme to the presentation of an eID (i.e. a Belgian electronic identity card). A data subject refused to provide his eID, considering that such data processing was excessive and not proportionate when taking into account the purpose of the processing. The data subject further filed a complaint before the Belgian DPA (APD/GBA) for being deprived of the advantages conferred by the loyalty scheme.
On 17 September 2019, the Belgian DPA fined the shop owner for requiring customers to present their eID in order to obtain a loyalty card and imposed a fine of €10,000. The shop owner appealed that decision.
The imposed fine of €10,000 was later annulled by the Court of Appeal of Brussels, because (i) the new eID legislation could not be applied retroactively ; (ii) the fine was not sufficiently justified and (iii) the data linked to the eID of the Complainant had actually not been processed by the shop owner, since the data subject had refused to provide such eID. The Belgian DPA contested the legality of such a decision before the Supreme Court of Belgium.
Holding
The Supreme Court annulled the decision of the Court of Appeal of Brussels because it considered that the Court of Appeal did not correctly apply the law.
The Supreme Court considered in particular that the Court of Appeal of Brussels erred in law by not properly considering whether the compulsory reading of an identity card as the only mean of creating a customer loyalty card is contrary to the principle of data minimisation under Article 5(1)(c) GDPR, and contrary to the obligation to obtain the freely given consent of the data subject under Article 6(1)(a) GDPR, when refusal to provide such data results into a disadvantage for the data subject (such as not being able to obtain discounts).
The Supreme Court stated that the Court of Appeal should have considered the loss of an advantage in assessing whether consent is freely given under GDPR. It also confirmed that the Belgian DPA can handle and act on a complaint of a data subject, regardless of whether personal data of that data subject have actually been processed (in this case, the customer who filed the complaint with the Belgian DPA refused to give the eID card and thus no data was processed).
For these reasons, the Supreme Court annulled the contested decision and referred the case back to the Court of Appeal of Brussels.
N.B. The Supreme Court can only annul a decision based on its legality ; by contrast, the Supreme Court cannot rule on the merits of a case. Hence, the Court of Appeal of Brussels will have to adopt a new decision in line with the ruling of the Supreme Court.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
OCTOBER 7, 2021 C.20.0323N/1
Court of Cassation of Belgium
Judgment
No. C.20.0323.N
DATA PROTECTION AUTHORITY, with registered office at 1000 Brussels,
Drukpersstraat 35, registered with the KBO under number 0694.679.950,
plaintiff,
represented by mr. Johan Verbist, lawyer at the Court of Cassation, with
office in 2000 Antwerp, Amerikalei 187/302, where the plaintiff is domiciled
chooses,
in return for
VERREYDT bv, with registered office at 2200 Herentals, Ring 99, registered with the KBO
under the number 0428.824.132,
defendant,
represented by mr. Bruno Maes, lawyer at the Court of Cassation, with
office at 1170 Brussels, Terhulpensesteenweg 177/7, where the defendant lives
chooses place. OCTOBER 7, 2021 C .20.0323N/2
I. JURISDICTION BEFORE THE COURT
The appeal in cassation is directed against the judgment of the Brussels Court of Appeal,
Marktenhof section, from 19 February 2020.
Attorney General Els Herregodts has issued a written statement on September 22, 2021
conclusion laid down.
Councilor Bart Wylleman has reported.
Attorney General Els Herregodts has concluded.
II. REMEDIES
In its application attached to this judgment, the plaintiff puts forward two pleas:
at.
III. DECISION OF THE COURT
Judgement
First remedy
Second part
1. Pursuant to Article 2(1) of Regulation (EU) 2016/679 of 27 April 2016,
concerning the protection of natural persons with regard to processing
of personal data and on the free movement of such data and
drawing of Directive 95/46/EC (General Data Protection Regulation,
hereinafter GDPR), this regulation applies to all or part of
automated processing, as well as to the processing of personal data that
are included in a file or are intended to be included therein
man.
Under Article 4, 2) GDPR, “processing” means an operation
or a set of operations relating to personal data or a
whole of personal data, whether or not carried out by automated means, 7OCTOBER 2021 C .20.0323N 3
such as collecting, recording, organizing, structuring, storing, updating or
modify, retrieve, consult, use, provide by means of forwarding
thing, distribute or otherwise make available, align or combine
creating, blocking, deleting or destroying data.
Article 5(1)(c) GDPR provides that personal data must be adequate, in order to
relevant and limited to what is necessary for the purposes for which it is
processed (“minimum data protection”).
Pursuant to Article 57 GDPR, each supervisory authority on its
territory the following tasks: (a) monitor and enforce the application of
this regulation; (…) f) handles complaints from data subjects, or from bodies,
organizations or associations in accordance with Article 80, examine the content of
the complaint to the extent that it is appropriate and the complainant will inform the complainant within a reasonable
period of notice of the progress and outcome of the investigation, in particular
if further investigation or coordination with another supervisory authority
is necessary; (…) (h) conduct investigations into the application of these
classification, including on the basis of information received from another supervisory
receiving authority or other government agency.
Point 141 of the preamble to this regulation provides that "any data subject"
should have the right to lodge a complaint with a single supervisory authority
authority, in particular in the Member State where he or she usually resides, and a
effective remedy in accordance with Article 47 of the
Charter of Fundamental Rights of the European Union if he believes that
infringement of his rights under this Regulation (…).”
2. Pursuant to Article 4, § 1, first paragraph, of the Law of 3 December 2017 until
towards the Data Protection Authority, this authority is responsible
body for monitoring compliance with the basic principles of protection
of the personal data, within the framework of this law and of the laws that stipulate
ments on the protection of the processing of personal data.
Pursuant to Article 63 of the aforementioned law, the referral to the inspectorate may be
service: 1° when the management committee establishes serious indications
of the existence of a practice which may give rise to an infringement of the
basic principles of the protection of personal data, in the context of 7OCTOBER 2021 C.20.0323.N/4
this Act and the laws containing provisions for the protection of
processing of personal data; 2° when the litigation chamber, at the
of a complaint has decided that an investigation by the inspectorate is necessary
is; (…) 6° of its own accord when it finds serious indications of the
existence of a practice which may give rise to an infringement of the land
principles of the protection of personal data, within the framework of this law
and of the laws containing provisions for the protection of the processing
king of personal data.
The legislative history clarifies with regard to the aforementioned Article 63, 2°, that the
inspection service is understood as “when a data subject is of the opinion that
violation of his rights under the GDPR and a complaint about this
submits to the Data Protection Authority and which, in accordance with Article 62, §
1, is transferred to the litigation chamber. The litigation chamber may
decide that an investigation should be conducted.”
Pursuant to Article 72 of the aforementioned law, the Inspector General and the
inspectors, without prejudice to the provisions of this chapter, proceed to any
search, any check and any interrogation, as well as obtain all the information they need
deem to ensure that the basic principles of protection
of the personal data, within the framework of this law and of the laws that stipulate
contain information on the protection of the processing of personal data,
which they supervise are actually complied with.
Pursuant to Article 100, § 1, of this law, the litigation chamber has the power
to take corrective action, including: (…) 9° to order that the
processing is brought into conformity, or to (…) 13° administrative
to impose fines.
3. It undeniably follows from all the aforementioned legal provisions that a
data subject has the right to lodge a complaint with the Data Protection
authority against a processing practice that it believes is infringing
invokes his rights under the GDPR, such as the right to have his personal
to have data processed as a minimum, pursuant to Article 5(1)(c) GDPR, so that
he can enjoy a benefit or service. This is also the case when the
personal data of the data subject themselves were not processed, but these were processed before 7OCTOBER 2021 C.20.0323.N/5
has not obtained part or the service, because, precisely for the sake of existence, he
of the allegedly infringing practice, his consent to the processing
has refused.
When the Data Protection Authority, after investigating such
complaint, determines that the practice actually gives rise to an infringement of
the basic principles of the protection of personal data, such as the
ginsel of minimum data processing contained in Article 5(1)(c) GDPR, it is
authorized to take corrective measures and, if necessary, an administrative
to impose a fine, even if the complainant's personal data was
not processed itself. After all, the rights of the
complainant under the GDPR, when he is obliged to disclose his personal data
process data in accordance with that infringing practice so that he is of a
benefit or service.
4. From the findings of the appellate courts and the documents on which the Court
able to take heed, it appears that:
- a customer of the defendant has lodged a complaint with the plaintiff because
she, to obtain a loyalty card and receive discounts on her purchases
was obliged to show her electronic identity card
read into the defendant's computer system and, as a result of a
refusal of this and in the absence of an alternative, such as providing the
strictly necessary personal data on paper, not of the benefit of the
could enjoy discounts;
- it appears from the plaintiff's inspection report that the customer data provided by
are stored by means of reading the electronic identity card, the
the following are: name, first names, address, date of birth, gender, from when
if the person concerned is a customer and the amount of the purchases, and that the barcode
of the electronic identity card containing the national register number,
is linked by the defendant to the customer's data;
- the claimant has ruled in the contested decision of 17 September 2019
that an infringement of Article 5(1)(c) of the GDPR has been proven, because the processing
of customer data does not follow the principle of data minimum processing
because it implies the use of the national register number that is OCTOBER 7, 2021 C.20.0323.N/6
included in the barcode of the electronic identity card, which is not
relevant, and it involves the retention of data on gender and
date of birth, which are also irrelevant.
5. The appeal judges ruled that "the complainant in this case did not have an eID card"
was offered and therefore no processing of its data was carried out.
fair. Therefore, [plaintiff] shows no actual infringement in connection with
personal data.”
6. By holding on that ground that an infringement of Article 5(1)(c) GDPR
has not been proved and set aside the contested decision of the plaintiff, while
it is not required that the complainant's personal data have actually been processed
to ensure that the claimant takes corrective action or
may impose an administrative fine, after it has been established that a practice exists
giving rise to a breach of the principle of minimum data
effect, the appeal judges do not justify their decision legally.
The part is valid.
7. There is no reason to refer the question to the Court for a preliminary ruling
of Justice of the European Union.
Fourth part
8. Article 288(2) TFEU provides that a regulation has general application
king has. It is binding in its entirety and directly applicable
in each Member State.
Pursuant to Article 6(1) of the GDPR, the processing is lawful only if and for
provided that at least one of the following conditions is met: (a) the
the person concerned has given permission for the processing of his personal data
vens for one or more specific purposes.
Pursuant to Article 4, 11) GDPR, with the “consent” of the data subject,
stand: any free, specific, informed and unambiguous expression of will that
inform the data subject by means of a statement or an unambiguous active
accepts an act concerning him/her concerning the processing of personal data. OCTOBER 7, 2021 C.20.0323.N/7
Point 42 of the preamble to this regulation states that “consent may not”
shall be deemed to have been freely granted if the person concerned has no real or free
has a choice or cannot refuse or withdraw its consent without detriment
effects."
9. It follows from all the above provisions that also the loss of a
benefit or service in the event of refusal of consent the possibility of a genuine
free choice and can constitute an adverse consequence in the sense of
point 42 of the preamble, as a result of which consent is not considered
to be freely granted within the meaning of Article 4, 11) GDPR.
10. The appellate courts find that the plaintiff in the contested decision of 17
September 2019 ruled that an infringement of Article 6(1)(a) GDPR
essential, as consent is not deemed to have been freely given if
the data subject cannot refuse or withdraw it without adverse consequences and there
in the present case there is no question of such free consent, because the
ger, and by extension all customers, can only enjoy discounts by
their electronic identity card and the defendant has no alternative
natively for the creation of a loyalty card in order to take advantage of this
can enjoy.
11. They then rule that:
- the claimant, regarding the lack of an alternative, refers to a still
non-applicable legislation, namely Article 6, § 4, of the Law of 19 July
1991 on the population registers, identity cards, aliens
gen cards and the residence documents, as amended by the law of 25 November
ber 2018, which was not yet applicable at the time of the facts
underlying the current dispute;
- the plaintiff further erroneously assumes the unproven assumption that the
the complainant would suffer an indisputable disadvantage because of the fact that she
don't miss out on a loyalty card, discounts would go wrong. This constitutes
no disadvantage because only a possible extra advantage is lost.
12. By thus failing to verify whether the plaintiff's decision on the free
permission to read in the electronic identity card to receive discounts
was correct pursuant to Articles 6.1, a) and 4, 11), GDPR, in particular- 7OCTOBER 2021 C .20.0323N/8
or pursuant to those directly applicable provisions an alternative had to be
are offered for the purpose of obtaining discounts where, specifically under
those provisions, the loss of the benefit of those discounts in the event of refusal of
consent may also have an adverse effect, and to judge on that basis
that an infringement of Article 6(1)(a) GDPR has not been proven, the appeal
judges the aforementioned provisions.
The part is valid.
(…)
dictum
The Council,
Set aside the judgment under appeal, in so far as it finds that an infringement of Articles
5(1)(c) and 6(1)(a) GDPR is not proven and the contested decision of the
plaintiff on that ground.
Orders that this judgment be reported on the side of the
partially quashed judgment.
Keep the costs and leave the decision to the factual judge.
Refers the case thus limited to the Court of Appeal in Brussels, Section
Marktenhof, composed differently.
This judgment was delivered in Brussels by the Court of Cassation, First Chamber, together
composed of section chairman Eric Dirix, as chairman, section chairman Koen
Mestdagh, and the counselors Bart Wylleman, Ilse Couwenberg and Sven
Mosselmans, and pronounced in a public court hearing on 7 October 2021 by
Section Chair Eric Dirix, in the presence of Advocate General Els
Herregodts, assisted by Clerk Vanity Vanden Hende. OCTOBER 7, 2021 C.20.0323N9
V. Vanden Hende S. Mosselmans I. Couwenberg
B. Wylleman K. Mestdagh E. Dirix APPLICATION/1
EXTRACT FROM THE PROVISION IN CASSATION
FOR: the DATA PROTECTION AUTHORITY, independent
public institution with legal personality, with social
registered office at 1000 Brussels, Drukpersstraat 35, registered
in the Crossroads Bank for Enterprises under the number
0694,679,950,
plaintiff in cassation,
assisted and represented by the undersigned lawyer at
the Court of Cassation Johan Verbist, with office in 2000
ANTWERP 1, Amerikalei 187/302, where choice of residence
is being done,
AGAINST: the NV VERREYDT, with registered office in 2200 Herentals,
Ring (NDW) 99, registered in the Crossroads Bank for Enterprises
ming under the number 0428.824.132,
defendant in cassation,
*
** APPLICATION /2
Plaintiff has the honor to submit to your assessment a judgment that was issued on 19
February 2020 contradiction between the parties was pointed out by the Section
e
Marktenhof (19 Chamber A) of the Court of Appeal in Brussels (2019/AR/1600). APPLICATION 3
FIRST SUBMISSION OF CASSATION
Violated legal provisions
Articles 4 § 1, 63, 72 and 100 § 1 of the Law of December 3, 2017
establishing the Data Protection Authority;
Articles 1319, 1320 and 1322 of the Civil Code;
Preamble 42 and Articles 2.1, 4 2), 4.11, 5.1 c), 5.2, 6.1 and 57.1 a),
f) and h) of Regulation (EU) 2016/679 of the European Parliament
ment and the Council of 27 April 2016 on the protection of
natural persons in connection with the processing of personal data
data and on the free movement of such data and until revocation
of Directive 95/46/EC (General Data Protection Regulation
screening) (hereinafter: GDPR);
Article 288, paragraph 2 of the Convention on the Functioning of the
European Union (TFEU), as coordinated by the Treaty of
Lisbon of December 13, 2007, approved by Law of June 19
2008 (BS 19 February 2009), by Decree of the Flemish Community
board/the Flemish Region of October 10, 2008 (BS 5 November
2008), by Decree of the French Community of May 23, 2008 (BS
July 15, 2008), by Decree of the German-speaking Community of May 19
2008 (BS 15 July 2008), by Decree of the Walloon Region of 22 May
2008 (BS 29 May 2008), by Decree of the Walloon Region of 22
May 2008 (BS 30 May 2008), by Ordinance of the Brussels Capital
Municipal Region of 10 July 2008 (BS 6 August 2008), by Ordonnan-
tie of the Joint Community Commission of 10 July
2008 (BS 6 August 2008) and by Decree of the French Commu-
committee of 17 July 2008 (BS 26 August 2008).
Article 149 of the Constitution.
Challenged decision
The appeal judges ruled that the decision of 17 September 2019 on
has been taken lawfully with regard to the detected infringements of Article 5.1 c) GDPR
and 6.1 GDPR, and they annul the decision for the following reasons: APPLICATION /4
“8. Discussion – the grounds for destruction
8.1. Infringement of Article 5.1. c) GDPR
[Defendant] asserts:
[…]
[Plaintiff] argues in this regard:
[…]
The contested decision considers:
The Inspectorate thus confirms the complaint in the sense that no alternative
is offered to customers who want a loyalty card, but do not
wish to have their electronic identity card used by the
again for the creation of such a loyalty card, while it is
obtaining the permission and offering an alternative
required by the Inspectorate.
The Inspectorate also refers to art. 6, 54 of the law of 19
July 1991 on the population registers, identity cards, de
aliens cards and residence documents, as applicable
as of December 23, 2018, and which provides that the electronic
identity card may only be read or used with the free,
specific and informed consent of its holder. When
a benefit or service is offered to a citizen through his electronic
national identity card in the context of an IT application, must
an alternative is also proposed that the use of the elec-
tronic ID card not required. Furthermore, the Inspectorate refers
in this regard also to Recommendation No. 03/2011 in order to
ing requirement and support the offer of an alternative.
The Act of 19 July 1991 on the population registers, the identity
cards, the aliens cards and the residence documents
now in article 6 5 4 second and third paragraph:
The National Register Number and the holder's photo may only be used
if authorized to do so by. or pursuant to a law, a de-
creet or ordinance. The electronic identity card may only be delivered
sent or used with the free, specific and informed consent
of the holder of the electronic identity card. When a
benefit or service is offered to a citizen through his electronic
identity card in the context of an IT application, must also
an alternative that does not allow the use of the electronic identity card
required, be presented to the person concerned.
This text was added by the law of November 25, 2018 and took effect
effective on December 23, 2018. This law is therefore not applicable to the actual
on the basis of the current dispute, since the complaint dates from
from August 28, 2018.
At the time of the complaint, this text read as follows:
"§ 4. Any automated check of the card by optical or other
reading procedures must be the subject of a royal decree, after
advice of the sectoral committee of the National Register referred to in Article 15
of the Act of 8 August 1983 regulating a National Register of the
natural persons. "
The motives of the inspection service - which [plaintiff] argues that as
serve as the basis for the decision - are illegal. A law that absolutely
was not applicable at the time of the complaint and a "recommendation"
which does not have legal force cannot serve as a basis for the
assessing conduct as being contrary to applicable law
caught.
It has not been demonstrated, and consequently not conclusively proven, that at the time
of the complaint an alternative had to be offered.
The contested decision further considers:
"The Disputes Chamber also notes that the processing of
the customer data (surname, first names, address, date of birth, gender,
from when the data subject is a customer and the amount of the purchases) the
does not respect the principle of minimum data processing, since it
given 'gender and date of birth' are also irrelevant.
The Disputes Chamber assumes that the customer card will not be REQUEST /6
used to check the minimum age for alcohol consumption
buy.
Since the defendant's conduct with regard to the production of
loyalty cards do not comply with the principle of data minimum processing,
the Disputes Chamber is therefore of the opinion that the infringement of art. 5.1. c)
A VG is proven."
No EID card was presented by the complainant in this case and there is
so no processing of her data happened. Therefore shows
[plaintiff] no actual infringement in connection with personal data
at.
There was no legal alternative (yet) offered to the complainant at the time
turn into. This has changed since December 23, 2018, but those regulations can
cannot be applied retroactively by [plaintiff].
Moreover, the Disputes Chamber erroneously assumes a number of
essence assumptions:
• that a liquor store loyalty card would not be used for
monitoring the prohibition of the sale of alcohol to minors;
• that the complainant would suffer an undeniable disadvantage by the fact that she
by missing out on the creation of a loyalty card, discounts would
pen. This does not constitute a disadvantage because only a possible additional advantage
is lost (the Court emphasizes). It is different when the EID card
is asked for a legal or contractual right (for example, the
to obtain or retain the right to warranty).
An infringement of art. 5.1. c) GDPR is therefore not applicable in this specific case
proven.
The [defendant]'s sixth plea is well founded on this point.
8.2. Infringement of art. 6.1. GDPR: APPLICATION /7
[Plaintiff] further bases its decision on an infringement of Article 6.1. GDPR,
to know that the lawfulness of the processing depends on the
consent of the data subject for the processing of his personal data
data for one or more specific purposes or the processing is necessary
is for the protection of the legitimate interests of the public
operations manager or a third party, except when the interested
or the fundamental rights and freedoms of the data subject
that require the protection of personal data outweigh those
interests, in particular where the data subject is a child.
[Plaintiff] states:
[…]
To the extent that [plaintiff] refers again to the lack of an alternative
native, it refers again (see point 8.1 above) to a not yet applicable
sane legislation.
The Marktenhof refers to what was stated under point 8.1 above.
suggested.
The infringement of article 6.1. AVG is therefore not proven. the seventh
[defendant]'s plea is well founded on this point.
8.3. Conclusion of points 8.1 and 8.2:
To the extent that the contested decision is not sufficiently motivated to
that certain motives of the contested decision are incompatible
with the documents from the file and with the current legal provisions on
the moment of the complaint and the Marktenhof cannot determine which motive
or which motives, according to them, were de facto decisive for the
to justify the contested decision, the Market Court must determine
that the motives cited by [plaintiff] explain the proven fact of the
infringements (and, as a consequence, likewise the imposition of sanctions for the sake of
of these alleged infringements). The decision is to
that reason was taken unlawfully and must therefore be declared null and void.
to be cleared” (judgment challenged p. 24-29) P ENDING 8
Grievances
(…)
Second part
Under Article 288(2) TFEU, a regulation has a general
my meaning. It is binding in its entirety and directly applicable
seldom in every Member State.
Pursuant to Article 2.1 of the GDPR, this Regulation applies to the
wholly or partly automated processing, as well as to the processing of
personal data that are included in a file or that are intended to
to be included therein.
Pursuant to Article 4 2) GDPR, "processing" should be understood,
an operation or set of operations relating to personal data
data or a set of personal data, whether or not carried out via automated
processes, such as collecting, recording, organizing, structuring, storing,
update or change, request, consult, use, provide by means of
transmission, distribution or otherwise making available, alignment
or combine, block, erase or destroy data.
Pursuant to Article 5.1 c) GDPR, personal data must be adequate,
relevant and limited to what is necessary for the purposes for which
they are processed (“minimal data processing”).
Pursuant to Article 57.1 a), f) and h) GDPR, each and every
supervisory authority in its territory the application of this Regulation;
it handles complaints from data subjects, or from bodies, organizations or associations
in accordance with Article 80, investigate the content of the complaint to the extent
appropriate and inform the complainant within a reasonable time of
the progress and outcome of the investigation, in particular if further
find out whether coordination with another supervisory authority is necessary; and
it shall conduct investigations into the application of this Regulation, including to
based on information received from another supervisory authority or other
received by the government agency. APPLICATION /9
Pursuant to Article 4 § 1 of the Law of 3 December 2017 establishing
the Data Protection Authority, the Data Protection Authority is
responsible for monitoring compliance with the fundamental principles of the
protection of personal data, in the context of this law and of the laws
containing provisions on the protection of the processing of personal
data. Without prejudice to the competences of the Community or Regional
minorities, of the Community or Regional Parliaments, of the United
ge or of the United Assembly referred to in Article 60 of the Special Law
of January 12, 1989 with regard to the Brussels institutions, the Gege-
protection authority carries out this mission throughout the territory of the
Kingdom, regardless of which national law on the processing of personal data concerned
pass.
Pursuant to Article 63 of the same law, the application may be brought before the
inspection service, including when the management committee has serious indications
singing establishes the existence of a practice that may give rise to a
breach of the basic principles of the protection of personal data, in
within the framework of this law and of the laws containing provisions on the
protection of the processing of personal data; when the litigation chamber
has decided in response to a complaint that an investigation by the Inspectorate
service is needed; or of her own accord when she finds serious indications
of the existence of a practice which may give rise to an infringement of the
basic principles of the protection of personal data, in the context of
this Act and the laws containing provisions for the protection of
processing of personal data.
Under Article 72 of the same law, the Inspector General and the
inspectors, without prejudice to the provisions of this chapter, proceed to any
inquiry, inspection and interrogation, as well as any information they obtain
deem it necessary to satisfy themselves that the basic principles of the
protection of personal data, in the context of this law and of the laws
containing provisions on the protection of the processing of personal
data, which they monitor, are actually complied with.
Article 100, § 1 of the same law lists the measures that the disputed
room can impose. APPLICATION /10
It follows from these provisions, read in conjunction with each other, that the
Data protection authority can act investigating and sanctioning against
with regard to a practice which may give rise to an infringement of the land
principles of the protection of personal data, and that they are more particularly
can act without investigating and sanctioning a practice
which may give rise to a breach of the principle of data minimum
processing.
It is therefore in no way required that a complainant first has actually provided his data.
unlawfully processed before the claimant could act.
This would go against both the spirit and the text of the Law of December 3, 2017.
If the claimant, whether or not on the basis of a complaint, establishes a practice that
may lead to a breach of the fundamental principles of the protection of
the personal data, it can investigate and impose sanctions against this practice.
action, even if the complainant's own data has not been processed.
be.
The contested decision dated September 17, 2019 of the Plaintiff refers to the
manner of the defendant with regard to the production of loyalty cards. "From
the inspection report also shows that the customer data being processed is
gender are: name, first name, address, date of birth, gender, from when the
the person concerned is a customer and the amount of the purchases. The barcode of the electronic
national identity card containing the national register number is issued by the
defendant linked to the customer's data […] Because the course of action
of the defendant with regard to the production of loyalty cards, the principle of
does not comply with minimum data processing, the Disputes Chamber is therefore of
considers that the infringement of art. 5.1. c) GDPR is proven” (p. 6)
This concerns a processing established by the claimant with regard to per-
personal data within the meaning of the GDPR, and in any case a practice that gives rise to
indicates or at least may constitute an infringement of the fundamental principles of the
protection of personal data within the meaning of the Act of 3 December 2017.
The appellate judges consider that “the complainant in this case did not have an EID
card [has] been presented and no processing of its data has therefore taken place.
fair. Therefore, [plaintiff] shows no actual infringement in connection with per-
personal data”. APPLICATION /11
By ruling on this ground that a breach of Article 5.1 c) GDPR is not
proven and to set aside the contested decision, where an actual
The processing of the complainant's data is not a necessary requirement in order for
the Data Protection Authority can take an investigative and sanctioning action,
and it is sufficient that a practice is identified which may give rise to a
violation of the principle of data minimum processing, the appeal
judges Articles 2.1, 4 2), 5.1 c) and 57.1 a), f) and h) GDPR, to the extent necessary
read in conjunction with Article 288(2) TFEU and Articles 4 §
1, 63, 72 and 100 § 1 of the Law of 3 December 2017 establishing the Gege-
protection authority.
In a subordinate order, Plaintiff requests the Court for the following preliminary ruling:
cial question to the Court of Justice of the European Union:
“Is Article 57.1, in particular the provisions a), f) and h), of the Regulation
deing (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons in relation
connection with the processing of personal data and with regard to the freedom of
movement of such data and repealing Directive 95/46/EC, thus
be understood that the supervisory authority receiving a complaint
who, after investigating the complaint, determines that there is a
practice giving rise to a breach of fundamental principles of the
protection of personal data, although there are specific
until the complainant is not actual processing of personal data
happened now that he had not given his consent, not sanctioned
can take action with regard to the established practice?”
(…)
Fourth part
Under Article 288(2) TFEU, a regulation has a general
my meaning. It is binding in its entirety and directly applicable
seldom in every Member State. APPLICATION /12
Pursuant to Article 6.1 of the GDPR, the processing is only lawful if and
provided that at least one of the following conditions is met:
a) the data subject has consented to the processing of
are personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract
arrival to which the data subject is a party, or at the request of the
the party to take measures before the conclusion of a contract
to take;
c) the processing is necessary for compliance with a legal
obligation on the controller;
d) the processing is necessary to protect the vital interests of the data subject
to protect the traveler or another natural person;
e) the processing is necessary for the performance of a task of
public interest or of a task in the course of the performance
of the public authority vested in the controller
dedicated;
f) the processing is necessary for the representation of judicial
legitimate interests of the controller or of
a third party, except where the interests or fundamental rights and
fundamental freedoms of the data subject for the protection of
require personal data, outweigh those interests, with
especially when the person concerned is a child.
Pursuant to Article 4.11 of the GDPR, subject to the 'consent' of the data subject,
understood, any free, specific, informed and unambiguous expression of will
with which the data subject by means of a statement or an unambiguous
accepts active action regarding the processing of personal data.
Preamble 42 also stipulates that permission may not be
considers to be freely granted if the data subject has no real or free choice
or cannot refuse or withdraw its consent without detriment.
The decision of the claimant dated September 17, 2019 states the following:
next one:
According to the Dispute Chamber, contrary to what the defendant
submits, there is no question of consent as a legal basis for the APPLICATION /13
effect, since the consent within the current working method of the
defendant can in no way be regarded as a free consent in
the meaning of art. 4.11 GDPR, in the absence of an alternative system that allows
allows to create a loyalty card without using the electronic
identity card, which makes it possible for the data subject also in that case
to benefit from discounts […] As a general rule, the GDPR
that if a data subject has no real choice, he is forced to
feels to give permission or it will negatively affect him
if he or she does not consent, the consent is not valid […] By-
that in the present case the complainant, and by extension all customers, only
can enjoy discounts through their electronic identification
identification card, and no alternative is offered by the defendant
for the creation of a loyalty card, in order to take advantage of this advantage
enjoy, it is clear that there is no question of free consent
[…] The Disputes Chamber decides that the infringement of art. 6.1. GDPR is moving
zen” (p. 7)
The appellate judges judge, partly through a reference to their previous
considers that the motives of the contested decision are illegal, now that this
tens are once again based on the lack of an alternative and thus on a
law that was not applicable at the time of the complaint (in particular the Act
of July 19, 1991 as amended by the Law of November 25, 2018).
In doing so, however, the appeal judges interpret the decision
which is incompatible with its wording. From the motives of the disputed
After all, this decision, as cited above, shows that the legal basis
battle is indeed located in Article 6.1 AVG and Article 4.11 AVG. It's from the-
they provisions, read in conjunction with Preamble 42 . to the extent necessary
GDPR, that the requirement of a “free consent” is derived and made concrete
sed as being a consent that must involve a free choice
without adverse effects.
In so far as the appellate judges consider the motives of the contested decision
sing an interpretation inconsistent with its wording, with
in particular by reading therein that to find the legal basis of the decision
is in the Law of 19 July 1991 as amended by the Law of 25 November 2018,
where it appears from the wording that the legal basis is indeed
can be found in Article 6.1 AVG and Article 4.11 AVG, the appeal judges are violating the
evidential value of these motives (violation of articles 1319, 1320 and 1322
of the Civil Code). APPLICATION /14
To the extent that the appellate courts fail to verify whether the
legal analysis taken with regard to Article 6.1 AVG and Article 4.11 AVG correct
is, in particular with regard to the interpretation of the required 'free consent',
they also misunderstand the judicial obligation to state reasons (violation of Article 149
of the Constitution) as well as Articles 6.1 and 4.11 GDPR, to the extent necessary in
read in conjunction with Preamble 42 GDPR and Article 288(2) TFEU.
(…)
