Skip to main content

Two years of GDPR application in Belgium: lessons learned from the decisions of the Litigation Chamber and the Market Court

Share this page

Today, the EU General Data Protection Regulation (the GDPR) celebrates its second anniversary. The GDPR became applicable on 25 May 2018, after a transition period of two years.

As the GDPR became a real buzzword, many data subjects found their way to the Belgian supervisory authority, the Data Protection Authority (the DPA). In recent months, the DPA’s Inspection Service showed its teeth by starting a number of investigations (following complaints filed or on its own initiative). The DPA’s Litigation Chamber (which is an administrative court dealing with data protection matters and imposing the administrative sanctions foreseen in the GDPR) meanwhile pronounced its first decisions. The sanctions imposed are diverse, as are the subject matters involved. Nevertheless, the Litigation Chamber was somewhat tempered in its enthusiasm by the Market Court, which decides on appeals against the Litigation Chamber’s decisions. 

Below you will find some key takeaways from the case law of the Litigation Chamber and the Market Court. 

SURVEILLANCE CAMERAS

Two of the Litigation Chambers’ decisions deal with camera surveillance.
On 2 April 2019, the Litigation Chamber decided that the installation and use of surveillance cameras in the common areas of student rooms is disproportionate to the purpose of combating vandalism, damage and nuisance.[1] Consequently, the Litigation Chamber imposed a ban on such processing activities (see decision here).

On 20 April 2020, the Litigation Chamber issued a new decision regarding the use of a surveillance cameras outside of a shop. The Litigation Chamber considered that the use of such camera was not compliant with the GDPR and the specific legislation on surveillance cameras since the controller had not notified the installation of the surveillance camera to the police and had not mentioned such data processing in the records of processing activities. The controller was sanctioned by a reprimand (see decision here).

Controllers that are planning to use surveillance cameras should (i) carefully consider the purposes of such use, (ii) consider whether the placing of surveillance cameras is proportionate to such purposes, (iii) notify the placement of surveillance cameras to the police and (iv) ensure the related processing is mentioned in their records of processing activities.

[1] Litigation Chamber 2 April 2019, DOS-2018-04764.

PUBLIC MANDATES, ELECTIONS AND GDPR

The very first Belgian GDPR fine (in the amount of EUR 2,000) was imposed on the major of a small village for unlawful use of personal data in the context of the elections.[2] In taking this decision, the Litigation Chamber stressed that matters of data protection should be considered especially important in the context of a governmental mandate (see decision here).

Mayors turned out to be on the radar of the DPA, as another fine (in the amount of EUR 5,000) was later imposed on another mayor for a similar infringement.[3] The Litigation Chamber held that the major improperly used personal data to send political advertising as part of his re-election campaign during the 2018 local elections. The Litigation Chamber stressed again that individuals in public office need to pay attention to compliance with data protection legislation, since this is vital to preserve the citizens’ trust in the democracy (see decision here).

The above decisions clearly illustrate the importance of two essential concepts of the GDPR: purpose limitation and transparency, which the Data Protection Authority and the Litigation Chamber relentlessly enforce. Controllers are advised to revisit their processing activities in order to determine whether both principles are (demonstrably) complied with.


[2] Litigation Chamber 28 May 2019, DOS-2018-05808 and DOS-2018-05815.

[3] Litigation Chamber 25 November 2019, DOS-2018-06068.

DATA SUBJECT RIGHTS

Not less than three of the Litigation Chamber’s decisions concerned the topic of data subject rights, illustrating their importance.

On 9 July 2019, the Litigation Chamber issued a reprimand to the Federal Public Service for Health after it failed to properly respond to the exercise of a data subject’s right to access. More in particular, the decision highlighted the lack of internal procedures enabling the Federal Public Service for Health to meet the GDPR’s requirements (see decision here).[4]

In a decision of 17 December 2019, the Litigation Chamber ruled that a not-for-profit organisation had failed to comply with a data subject’s access and erasure request. The Litigation Chamber imposed a fine of EUR 2,000 and ordered the organisation to comply with the data subject’s rrequest, especially because health data were concerned (see decision here).[5]

In a decision of 28 April 2020, the Litigation Chamber ruled that a bank had failed to comply with the data subject’s right to access because (i) it requested a copy of the identity card of the data subject although there was no reason to doubt the data subject’s identity and because (ii) the bank failed to meet the GDPR’s deadline (one month) for replying to data subject requests. The Litigation Chamber imposed a reprimand (see decision here).

The above decisions illustrate that controllers must have robust internal procedures to comply with data subject requests, ensuring that the GDPR’s deadlines as well as content requirements are met. Controllers are advised to only request proof of identity where (reasonable) doubt exists as to the identity of the person exercising the data subject right. Controllers should also review their fair processing notices, since many of them require the submission of proof of identity by default.


[4] Litigation Chamber 9 July 2019, DOS-2018-04887.

[5] Litigation Chamber 17 December 2019, DOS-2019-04234.

 

COOKIES, TRANSPARENCY AND CONSENT

By decision of 17 December 2019, the Litigation Chamber imposed a fine of EUR 15,000 on a legal news website for lack of transparency in its cookie policy and for obtaining inadequate cookie consent (see decision here).[6]

Several infringements were identified by the Litigation Chamber. The website used pre-ticked boxes and the privacy and cookie policy was not made available in every language of the website. The Litigation Chamber reminded that the prior consent of the data subject is required, except for the use of necessary cookies. Analytical and statistical cookies do not fall within the (narrow) scope of this exception and the consent is thus required. When requesting the data subject’s consent, granularity is required. An ‘all or nothing’ approach is not permitted. In addition, data subjects must be given an easy way to revoke their consent. 

The case also taught us more about the anonymity of the published decisions of the Litigation Chamber. Although the Litigation Chamber always referred to "website Y", the link to the website of Jubel.be was quickly made by the press. As a result, controllers and processors should be aware that, notwithstanding anonymisation, there is a relatively large risk of the parties being identified. The Litigation Chamber already clarified that the non-anonymised publication of the decision constitutes an additional sanction for the party condemned.

Controllers are strongly advised to check their cookie policy, cookie banner and consent mechanisms for cookies. In this respect, we invite you to attend our webinar on 4 June 2020 on “GDPR and Marketing in the New Decade", during which we will discuss this topic in more detail. 


[6] Litigation Chamber 17 December 2019, DOS-2019-01356.

DATA PROTECTION OFFICERS

In its decision of 28 April 2020, the Litigation Chamber zoomed in on the independence of the Data Protection Officer (DPO) and the role of the DPO in the context of data breach management (see decision here).[7]

The Litigation Chamber decided that the function of DPO cannot not be cumulated with a function as head of department, since the independence of the DPO would be compromised thereby. According to the Litigation Chamber, conflicts of interest must always be assessed on a case-by-case basis and are not limited to cases where a person determines the purposes and the means of processing. In the case at hand, the DPO was also found to be the head of the audit, risk and compliance department, which – according to the Litigation Chamber – would make it impossible for the DPO to independently monitor the controller's processing activities.

The decision also contains some useful insights into the role of the DPO in the context of data breach management. The Litigation Chamber stresses that the DPO must be involved in the whole process, but in an advisory role. This means, for example, that it is not up to the DPO but up to the controller (i.e., the higher management) to decide whether to notify the supervisory authority or the data subjects.

Finally, the matter illustrates the risks attached to data breach notifications. Indeed, data breach notifications are often a trigger for the DPA’s Inspection Service to start an investigation into the compliance of the controller with data protection law. During such inspection, the Inspection Service may look at various issues – even unrelated to the breach itself – including the role and status of the DPO, the manner in which the DPO’s recommendations are documented, the data breach severity methodology used by the controller, the relationship with processors (including the processing agreements entered into), etc.

Controllers and processors having appointed an internal DPO are advised to revisit the DPO’s position, possible conflicts of interests and incompatibilities, the role of the DPO within the organisation (job description as well as role within various operating procedures) and the manner in which the DPO documents the exercise of his/her function. Controllers and processors are also invited to read again the recommendation of the Belgian Privacy Commission on DPOs (see here). Furthermore, controllers are to keep in mind that data breach notifications may give rise to in-depth inspections by the DPA’s Inspection Service.


[7] Litigation Chamber 28 April 2020, AH-2019-0013.

VALID LEGAL GROUND

On 14 May 2020, the Litigation Chamber, together with 23 other supervisory authorities, imposed a fine of EUR 50,000 on an international social network.

The fine relates to the collection and use without a valid legal basis of personal data in the context of a service offered by a social network where their members can invite contacts (whether or not they are already members) on the platform (so-called Tell-a-Friend) (see decision here).

For the storage of contact data and the sending of an invitation, the social network was relying upon the member's consent to import these data, but the consent was not given by the data subject (the invitee). Thus, by storing the data of non-members of the network and sending them invitations, the social network was processing personal data without a valid legal basis.[8]

In the case at hand, legitimate interests could not be used as a valid legal ground neither since all conditions were not met (combination of which would transform the message into a ‘personal communication’).

Controllers – whether social networks or other – are advised to be careful with ‘Tell-a-Friend’ mechanisms. Controllers that wish to rely upon their legitimate interests as the legal ground for processing must be able to justify such legal interests and meet the four criteria mentioned in the decision.

[8] Litigation Chamber 14 May 2020, DOS-2019-01156.

THE ROLE OF THE MARKET COURT

Pursuant to the Act establishing the Data Protection Authority, decisions of the DPA’s Litigation Chamber can be appealed before the Market Court, a special section within the Brussels Court of Appeal that is exclusively competent for complex litigation against (market) regulators.

The suspicion arose that the Market Court would transform itself into a kind of Supreme Court (“Hof van Cassatie” / “Cour de cassation”) in which only the legality of the decision could be tested. Nothing could be further from the truth. After a few rulings by the Market Court, it can be concluded that the latter is fully committed to consider the merits of the case.

At first sight, the Market Court’s first judgments do not seem very conspicuous. Nevertheless, the Market Court has always acted as a critical and independent court vis-à-vis the Litigation Chamber. It was striking that the Market Court gradually laid down rules for the DPA, as a result of which the Litigation Chamber changed its processes and practices. 

THE DECISIONS IN APPEAL OF THE MARKET COURT

The first judgement in appeal of the Brussels Market Court was rendered on 12 June 2019.[9] Although the appeal was dismissed, the Market Court expressed its concerns as regards the independence of the Litigation Chamber and its compliance with the rights of defence of the parties (including the presumption of innocence) (see decision here).

The second and third judgment mainly concern the justification of the decisions of the Litigation Chamber. 

On 9 October 2019, although the appeal was dismissed as unfounded, the Market Court expressed its opinion on the limited justification of the Litigation Chamber, which constitutes a violation of the Act of 29 July 1991 concerning the explicit justification of administrative acts.[10] However, the Market Court did not consider itself competent to sanction this ex officio. As a result, the decision of the Litigation Chamber, according to which a bank had to adapt its computer systems in order to allow for the exercise by the data subject of his right of rectification, remained unchanged (see decision here). [11]

In its decision of 23 October 2019, the Market Court decided to overturn a decision of the Litigation Chamber due to a manifest lack of justification and an excess of power.[12] Furthermore, the Market Court held that the publication by the Litigation Chamber of its decision was only intended to unnecessarily harm the defendant in first instance. For this reason, the DPA was required by the Market Court to publish the Market Court’s decision on its website (see decision here).
The latest judgement[13] of the Market Court dates from 19 February 2002 and concerns an appeal against a decision of the Litigation Chamber to impose an administrative fine of EUR 10,000 on a retailer for the use of e-ID cards as ‘loyalty cards’ without valid consent.[14] This decision was without doubt the most interesting one at that point in time (see decision here). The Market Court annulled the Litigation Chamber’s decision.
 

For the creation of loyalty cards, which give discounts to the customer, the retailer relied on the customer's explicit consent. The Market Court did not follow the reasoning of the Litigation Chamber, which stated that the consent was not valid because the customer would suffer undeniable disadvantage (no discounts would be given) if he/she did not give consent. The Market Court emphasised that in the case at hand it is not a disadvantage, but rather a possible additional advantage, which must be distinguished from the disregard of a legal or contractual right. Moreover, according to the Market Court, there was no reason to establish a breach of the principle of data minimisation, since the complainant had refused to provide its e-ID to the retailer, which had resulted in no processing taking place at all.

In addition, the Market Court took a very critical stance and states that the Litigation Chamber cannot establish infringements purely based on assumptions. Infringements must always be substantiated by documents on file. In addition, the Market Court notes that the Litigation Chamber invoked legislation that was not applicable at the time of the facts.

A new twist was given by the Market Court to data relating to the appeal, since it was of the opinion that in addition to confirming or annulling contested decisions of the Litigation Chamber, it also has the possibility of imposing alternative sanctions within the meaning of Art. 100 of the Data Protection Act. In other words, the Market Court does have full jurisdiction and can substitute its decision for the annulled decision. 

Finally, the Market Court examined the power of the Litigation Chamber to impose administrative fines. It clarifies that, in addition to the decision itself, a fine must also be adequately justified. In addition, the infringer must be warned by the Litigation Chamber (in order to avoid unnecessary sanctioning) and must be given the opportunity to defend himself concerning the amounts of the fine proposed by the Litigation Chamber, before the sanction is effectively imposed and executed. This has resulted in the Litigation Chamber adopting a new practice whereby the alleged infringer is warned on beforehand about the Litigation Chamber’s intent to impose an administrative fine and invited to submit its arguments as regards the amount of the administrative fine.


[9] Market Court 12 June 2019, 2019/AR/741.

 [10] Market Court 9 October 2019, 2019/AR/1006.

[11] Market Court 12 June 2020, 2019/AR/741.

[12] Market Court 23 October 2019, 2019/AR/1234.

[13] Market Court 19 February 2020, 2019/AR/1600.

[14] Litigation Chamber 17 September 2019, DOS-2018-04470

Authors

  • Liese Kuyken
    Associate

    Liese Kuyken

    Download VCARD