The Litigation Chamber of the Belgian Data Protection Authority (BDPA) has published a decision of 15 April 2020 in relation to a municipality that required landlords to provide information on tenants for tax reasons.
Despite the context of the case, the decision is relevant for all organisations in relation to the scope of an investigation by the BDPA, transparency (information, but also joint controllership aspects), the register of data processing activities and even the role of the DPO.
1. For public authorities only: BDPA versus other public watchdogs
In its decision, the Litigation Chamber was led to examine the BDPA's authority over municipalities and the interaction between the BDPA and regional (non-federal) privacy watchdogs (in particular: the Vlaamse Toezichtcommissie, a watchdog at the level of Flanders).
The Litigation Chamber concluded that it did have jurisdiction over this case.
In a similar vein, the Litigation Chamber stated that the municipality had to modify its privacy statement (see below) because it only referred to the possibility of filing a complaint before the Flemish watchdog and not the BDPA.
2. Complaint versus inspection: how far can an investigation go?
The Litigation Chamber had tasked the BDPA's inspection service (the Inspection Service) with investigating the matter, and in the course of its investigation the Inspection Service made certain observations "outside of the scope of the complaint" ("buiten de scope van de klacht" in Dutch). While the complaint came down to claims of non-compliance with Articles 5, 6 and 14 of the GDPR, the Inspection Service made additional observations as regards:
- the municipality's privacy statement (Articles 12 & 13 GDPR);
- the register of processing activities (Art. 30 GDPR); and
- the data protection officer (DPO) and his/her position (Articles 37 & 38 GDPR).
Despite the number of "out of scope" observations, the municipality does not appear to have questioned these observations or the Litigation Chamber's authority to take them into consideration. As a result, the Litigation Chamber has not issued any guidance as to whether these "out of scope" observations were (in)admissible. It is possible, though, that other cases will lead to an examination of the limits of the Inspection Service's powers.
In the meantime, this decision illustrates the broad power the Inspection Service appears to hold at this time. If the Inspection Service is brought in, the information it requests might also be examined separately for non-compliance. In other words: if you are not confident that your own documentation is accurate and compliant, maybe now is the time to review both that documentation and related processes – it might be too late when the inspection service comes knocking.
3. Transparency
In this case, various considerations – both in scope and out of scope in relation to the initial complaint – relate to transparency, and in particular compliance with Articles 12, 13 and 14 of the GDPR.
First, on Art. 14 GDPR, the municipality did not collect the personal data from the data subject themselves (the tenants) but from a third party (the landlord). The Litigation Chamber found that the municipality did not provide any information to the tenants and that it did not instruct landlords to provide any information either, such that the tenants were not informed of the processing. The municipality tried to turn this around, claiming that it was a landlord's choice to claim a tax benefit that led to providing his tenant's personal data – and thus that it would have been up to the landlord to inform the tenant. The Litigation Chamber rejected the argument, considering that it was up to the municipality as controller to comply with Art. 14 GDPR.
In practice, therefore, if you rely on a third party to collect data for you, ensure there are clear instructions for it to provide the necessary information to data subjects.
Next, on Articles 12 and 13 GDPR, the Inspection Service stated that the municipality's privacy statement was "not always transparent and understandable for data subjects", for instance mentioning the use of Facebook, Twitter, Mailchimp and Google Analytics "without transparently informing data subjects on how these platforms process their personal data".
The Litigation Chamber agreed that the mere mention of such platforms was "insufficiently transparent, clear and intelligible", referring to the CJEU's Wirtschaftsakademie Schleswig-Holstein and Fashion ID judgments to stress that the municipality would be deemed joint controller if it uses these platforms for the processing of personal data "on the basis of a purpose it had determined (e.g. marketing or provision of a service) and with means it had determined (e.g. own personnel writing texts and communicating via a user account or fan page they had created)". As a result, the municipality had to provide transparent information to data subjects in relation to e.g. processing in the context of its fan pages. In practice, if you use third-party platforms, include in your privacy statement information at least on how you use them and what is shared with the platform.
In relation to updates to a privacy statement, the Inspection Service criticised the indication in the privacy statement that it could be modified at any time. The Litigation Chamber agreed that modifications must be communicated, but not necessarily by e-mail to all of the municipality's inhabitants. In practice, when you change your privacy statement, draw users' attention to the fact that there has been a modification.
Other considerations in relation to privacy statements were more limited.
4. Data minimisation and purpose limitation
In the relevant tax declaration, the municipality required an "emergency phone number" linked to the tenant, should the tenant be involved in any accident. The municipality claimed that this was for public safety reasons.
This position was criticised on the basis of the principle of purpose limitation (Art. 5(1)(b) GDPR), as information requested for tax purposes would be reused for public safety purposes.
Moreover, the necessity of this emergency phone number was brought into question on the basis of the principle of data minimisation (Art. 5(1)(c) GDPR). In response, the municipality claimed that the Litigation Chamber was not permitted to decide in the municipality's stead which personal data could be requested. This argument was set aside, with the Litigation Chamber stating that it was authorised to verify compliance with the principle of data minimisation, which could not be disassociated from the question of whether those data were necessary for the purposes determined by the municipality
In practice, ensure your processing activities meet the fundamental principles of data minimisation and purpose limitation, or the BDPA will limit your processing for you.
5. Register of data processing activities
The decision of the Litigation Chamber does not provide actionable guidance in relation to the register of data processing activities required under Art. 30 GDPR, other than the requirement for it to feature all information listed under that article. More generally, though, it stated that the register must be filled in with sufficient precision so that one can gain a precise and clear view of the processing activities.
In practice, review your register of data processing activities and check that (i) it is up to date and (ii) it contains all the information required by Art. 30 GDPR.
6. DPO
In the course of its investigation, the Inspection Service brought into question the manner in which the municipality had appointed a DPO, from several perspectives.
- First, the municipality had called upon a third-party recruiter for a search for an "information security consultant – DPO", and the DPO appointed in the end was the most suitable candidate. The Litigation Chamber considered that just because a candidate comes out of a recruitment process as the "most suitable" one, "this does not ipso facto demonstrate that the person is sufficiently suitable". The DPO job description did not play in the municipality's favour, as it stated "(extensive) knowledge of the GDPR is a plus". The Litigation Chamber also criticised the absence of evidence that the candidates were tested in relation to their professional qualities.
- Next, as regards the position of the DPO, the Inspection Service noted that it was unclear what exactly fell within the remit of the DPO's role and whether he could report directly to the highest level, in this particular case the municipal council (presided by the Mayor), outside of a yearly report.
On this basis, the Litigation Chamber concluded that the municipality was in breach of Articles 37 and 38 of the GDPR.
In practice, check that you have taken all necessary measures to prove that your DPO – if you need one under the GDPR – was appointed in accordance with the requirements of the GDPR and has e.g. the necessary expertise and access to the highest level.
7. No fine?
The Litigation Chamber did not impose a fine after all of these findings of non-compliance, but this was purely because public authorities such as a municipality cannot in this case be fined under the Belgian rules.
It did, however, require the municipality to stop its processing in the context of the relevant tax until the necessary measures could be taken to ensure compliance, and it required additional steps in relation to information to data subjects. As far as the DPO was concerned, the municipality got away with a warning to comply better in the future.
It is unclear, though, whether a private organisation in the same circumstances would have avoided a fine.
With that in mind, if you are unsure of what the BDPA might find if it comes knocking at your door, it isn't too late to get in touch.