Two years of GDPR application in Belgium: lessons learned from the decisions of the Litigation Chamber and the Market Court
Today, the EU General Data Protection Regulation (the GDPR) celebrates its second anniversary. The GDPR became applicable on 25 May 2018, after a transition period of two years.
As the GDPR became a real buzzword, many data subjects found their way to the Belgian supervisory authority, the Data Protection Authority (the DPA). In recent months, the DPA’s Inspection Service showed its teeth by starting a number of investigations (following complaints filed or on its own initiative). The DPA’s Litigation Chamber (which is an administrative court dealing with data protection matters and imposing the administrative sanctions foreseen in the GDPR) meanwhile pronounced its first decisions. The sanctions imposed are diverse, as are the subject matters involved. Nevertheless, the Litigation Chamber was somewhat tempered in its enthusiasm by the Market Court, which decides on appeals against the Litigation Chamber’s decisions.
Below you will find some key takeaways from the case law of the Litigation Chamber and the Market Court.
Two of the Litigation Chambers’ decisions deal with camera surveillance.
On 2 April 2019, the Litigation Chamber decided that the installation and use of surveillance cameras in the common areas of student rooms is disproportionate to the purpose of combating vandalism, damage and nuisance. Consequently, the Litigation Chamber imposed a ban on such processing activities (see decision here).
On 20 April 2020, the Litigation Chamber issued a new decision regarding the use of a surveillance cameras outside of a shop. The Litigation Chamber considered that the use of such camera was not compliant with the GDPR and the specific legislation on surveillance cameras since the controller had not notified the installation of the surveillance camera to the police and had not mentioned such data processing in the records of processing activities. The controller was sanctioned by a reprimand (see decision here).
Controllers that are planning to use surveillance cameras should (i) carefully consider the purposes of such use, (ii) consider whether the placing of surveillance cameras is proportionate to such purposes, (iii) notify the placement of surveillance cameras to the police and (iv) ensure the related processing is mentioned in their records of processing activities.
 Litigation Chamber 2 April 2019, DOS-2018-04764.
PUBLIC MANDATES, ELECTIONS AND GDPR
The very first Belgian GDPR fine (in the amount of EUR 2,000) was imposed on the major of a small village for unlawful use of personal data in the context of the elections. In taking this decision, the Litigation Chamber stressed that matters of data protection should be considered especially important in the context of a governmental mandate (see decision here).
Mayors turned out to be on the radar of the DPA, as another fine (in the amount of EUR 5,000) was later imposed on another mayor for a similar infringement. The Litigation Chamber held that the major improperly used personal data to send political advertising as part of his re-election campaign during the 2018 local elections. The Litigation Chamber stressed again that individuals in public office need to pay attention to compliance with data protection legislation, since this is vital to preserve the citizens’ trust in the democracy (see decision here).
The above decisions clearly illustrate the importance of two essential concepts of the GDPR: purpose limitation and transparency, which the Data Protection Authority and the Litigation Chamber relentlessly enforce. Controllers are advised to revisit their processing activities in order to determine whether both principles are (demonstrably) complied with.
DATA SUBJECT RIGHTS
Not less than three of the Litigation Chamber’s decisions concerned the topic of data subject rights, illustrating their importance.
On 9 July 2019, the Litigation Chamber issued a reprimand to the Federal Public Service for Health after it failed to properly respond to the exercise of a data subject’s right to access. More in particular, the decision highlighted the lack of internal procedures enabling the Federal Public Service for Health to meet the GDPR’s requirements (see decision here).
In a decision of 17 December 2019, the Litigation Chamber ruled that a not-for-profit organisation had failed to comply with a data subject’s access and erasure request. The Litigation Chamber imposed a fine of EUR 2,000 and ordered the organisation to comply with the data subject’s rrequest, especially because health data were concerned (see decision here).
In a decision of 28 April 2020, the Litigation Chamber ruled that a bank had failed to comply with the data subject’s right to access because (i) it requested a copy of the identity card of the data subject although there was no reason to doubt the data subject’s identity and because (ii) the bank failed to meet the GDPR’s deadline (one month) for replying to data subject requests. The Litigation Chamber imposed a reprimand (see decision here).
The above decisions illustrate that controllers must have robust internal procedures to comply with data subject requests, ensuring that the GDPR’s deadlines as well as content requirements are met. Controllers are advised to only request proof of identity where (reasonable) doubt exists as to the identity of the person exercising the data subject right. Controllers should also review their fair processing notices, since many of them require the submission of proof of identity by default.
COOKIES, TRANSPARENCY AND CONSENT
The case also taught us more about the anonymity of the published decisions of the Litigation Chamber. Although the Litigation Chamber always referred to "website Y", the link to the website of Jubel.be was quickly made by the press. As a result, controllers and processors should be aware that, notwithstanding anonymisation, there is a relatively large risk of the parties being identified. The Litigation Chamber already clarified that the non-anonymised publication of the decision constitutes an additional sanction for the party condemned.
 Litigation Chamber 17 December 2019, DOS-2019-01356.
DATA PROTECTION OFFICERS
In its decision of 28 April 2020, the Litigation Chamber zoomed in on the independence of the Data Protection Officer (DPO) and the role of the DPO in the context of data breach management (see decision here).
The Litigation Chamber decided that the function of DPO cannot not be cumulated with a function as head of department, since the independence of the DPO would be compromised thereby. According to the Litigation Chamber, conflicts of interest must always be assessed on a case-by-case basis and are not limited to cases where a person determines the purposes and the means of processing. In the case at hand, the DPO was also found to be the head of the audit, risk and compliance department, which – according to the Litigation Chamber – would make it impossible for the DPO to independently monitor the controller's processing activities.
The decision also contains some useful insights into the role of the DPO in the context of data breach management. The Litigation Chamber stresses that the DPO must be involved in the whole process, but in an advisory role. This means, for example, that it is not up to the DPO but up to the controller (i.e., the higher management) to decide whether to notify the supervisory authority or the data subjects.
Finally, the matter illustrates the risks attached to data breach notifications. Indeed, data breach notifications are often a trigger for the DPA’s Inspection Service to start an investigation into the compliance of the controller with data protection law. During such inspection, the Inspection Service may look at various issues – even unrelated to the breach itself – including the role and status of the DPO, the manner in which the DPO’s recommendations are documented, the data breach severity methodology used by the controller, the relationship with processors (including the processing agreements entered into), etc.
Controllers and processors having appointed an internal DPO are advised to revisit the DPO’s position, possible conflicts of interests and incompatibilities, the role of the DPO within the organisation (job description as well as role within various operating procedures) and the manner in which the DPO documents the exercise of his/her function. Controllers and processors are also invited to read again the recommendation of the Belgian Privacy Commission on DPOs (see here). Furthermore, controllers are to keep in mind that data breach notifications may give rise to in-depth inspections by the DPA’s Inspection Service.
 Litigation Chamber 28 April 2020, AH-2019-0013.
VALID LEGAL GROUND
On 14 May 2020, the Litigation Chamber, together with 23 other supervisory authorities, imposed a fine of EUR 50,000 on an international social network.
The fine relates to the collection and use without a valid legal basis of personal data in the context of a service offered by a social network where their members can invite contacts (whether or not they are already members) on the platform (so-called Tell-a-Friend) (see decision here).
For the storage of contact data and the sending of an invitation, the social network was relying upon the member's consent to import these data, but the consent was not given by the data subject (the invitee). Thus, by storing the data of non-members of the network and sending them invitations, the social network was processing personal data without a valid legal basis.
In the case at hand, legitimate interests could not be used as a valid legal ground neither since all conditions were not met (combination of which would transform the message into a ‘personal communication’).
Controllers – whether social networks or other – are advised to be careful with ‘Tell-a-Friend’ mechanisms. Controllers that wish to rely upon their legitimate interests as the legal ground for processing must be able to justify such legal interests and meet the four criteria mentioned in the decision.
 Litigation Chamber 14 May 2020, DOS-2019-01156.
THE ROLE OF THE MARKET COURT
Pursuant to the Act establishing the Data Protection Authority, decisions of the DPA’s Litigation Chamber can be appealed before the Market Court, a special section within the Brussels Court of Appeal that is exclusively competent for complex litigation against (market) regulators.
The suspicion arose that the Market Court would transform itself into a kind of Supreme Court (“Hof van Cassatie” / “Cour de cassation”) in which only the legality of the decision could be tested. Nothing could be further from the truth. After a few rulings by the Market Court, it can be concluded that the latter is fully committed to consider the merits of the case.
At first sight, the Market Court’s first judgments do not seem very conspicuous. Nevertheless, the Market Court has always acted as a critical and independent court vis-à-vis the Litigation Chamber. It was striking that the Market Court gradually laid down rules for the DPA, as a result of which the Litigation Chamber changed its processes and practices.
THE DECISIONS IN APPEAL OF THE MARKET COURT
The first judgement in appeal of the Brussels Market Court was rendered on 12 June 2019. Although the appeal was dismissed, the Market Court expressed its concerns as regards the independence of the Litigation Chamber and its compliance with the rights of defence of the parties (including the presumption of innocence) (see decision here).
The second and third judgment mainly concern the justification of the decisions of the Litigation Chamber.
On 9 October 2019, although the appeal was dismissed as unfounded, the Market Court expressed its opinion on the limited justification of the Litigation Chamber, which constitutes a violation of the Act of 29 July 1991 concerning the explicit justification of administrative acts. However, the Market Court did not consider itself competent to sanction this ex officio. As a result, the decision of the Litigation Chamber, according to which a bank had to adapt its computer systems in order to allow for the exercise by the data subject of his right of rectification, remained unchanged (see decision here). 
For the creation of loyalty cards, which give discounts to the customer, the retailer relied on the customer's explicit consent. The Market Court did not follow the reasoning of the Litigation Chamber, which stated that the consent was not valid because the customer would suffer undeniable disadvantage (no discounts would be given) if he/she did not give consent. The Market Court emphasised that in the case at hand it is not a disadvantage, but rather a possible additional advantage, which must be distinguished from the disregard of a legal or contractual right. Moreover, according to the Market Court, there was no reason to establish a breach of the principle of data minimisation, since the complainant had refused to provide its e-ID to the retailer, which had resulted in no processing taking place at all.
In addition, the Market Court took a very critical stance and states that the Litigation Chamber cannot establish infringements purely based on assumptions. Infringements must always be substantiated by documents on file. In addition, the Market Court notes that the Litigation Chamber invoked legislation that was not applicable at the time of the facts.
A new twist was given by the Market Court to data relating to the appeal, since it was of the opinion that in addition to confirming or annulling contested decisions of the Litigation Chamber, it also has the possibility of imposing alternative sanctions within the meaning of Art. 100 of the Data Protection Act. In other words, the Market Court does have full jurisdiction and can substitute its decision for the annulled decision.
Finally, the Market Court examined the power of the Litigation Chamber to impose administrative fines. It clarifies that, in addition to the decision itself, a fine must also be adequately justified. In addition, the infringer must be warned by the Litigation Chamber (in order to avoid unnecessary sanctioning) and must be given the opportunity to defend himself concerning the amounts of the fine proposed by the Litigation Chamber, before the sanction is effectively imposed and executed. This has resulted in the Litigation Chamber adopting a new practice whereby the alleged infringer is warned on beforehand about the Litigation Chamber’s intent to impose an administrative fine and invited to submit its arguments as regards the amount of the administrative fine.
 Market Court 12 June 2019, 2019/AR/741.
 Market Court 9 October 2019, 2019/AR/1006.
 Market Court 12 June 2020, 2019/AR/741.
 Market Court 23 October 2019, 2019/AR/1234.
 Market Court 19 February 2020, 2019/AR/1600.
 Litigation Chamber 17 September 2019, DOS-2018-04470