Authors: Heidi Waem, Muhammed Demircan, Nicolas Becker
On 29 September 2023, the Belgian Data Protection Authority (Belgian DPA) issued a decision imposing a reprimand on a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement between the public authority – who is a controller within the meaning of Article 4 GDPR – and its processor. Additionally, the public authority fell short in providing adequate information to data subjects regarding the personal data processing activities it conducts.
This case stands out as a powerful reminder of the paramount importance of GDPR compliance, particularly in the context of data processing agreements between data controllers and processors. These agreements should be in place before any personal data processing activities commence, as confirmed by the Belgian DPA. The case also clarifies the exemption from the obligation to inform data subjects about the processing of their personal data, as set out in Article 14(5)c GDPR, which applies when member state or European Union law expressly lays down the collection and disclosure of the personal data from those data subjects.
In this blogpost, we will briefly delve into the facts of the case, the findings of the Inspection Service and the subsequent determinations made by the Litigation Chamber, and present the key takeaways from this case.
The case was initiated on 4 September 2020, with a complaint to the Belgian DPA. The complainant received a parking fine on 20 May 2020, and the communication about the fine was sent to his home address and contained the complainant’s name, address and license plate number. After consulting with the public authority who issued the parking fine, the complainant learned that a third-party service provider was processing the personal data of the complainant, both for the establishment and the collection of the fine. The public authority informed the complainant that there was no data processing agreement in place between the public authority and the third-party service provider at the date when the fine was issued to him.
The public authority signed a “Personal Data Processing Agreement” at a later stage, i.e. on 27 July 2020 and included a clause confirming the retroactive application of the agreement as of the application date of the GDPR on 25 May 2018. In other words, this data processing agreement was deemed effective by the parties as of the GDPR’s application date.
The Findings of the Inspection Service
On 11 May 2021, the Inspection Service of the Belgian DPA issued its report and established the following key findings:
- The fact that there was no data processing agreement in place between the public authority and the third-party service provider on the date when the personal data of the complainant was processed by the third-party service provider constitutes a breach of Article 28.3 GDPR.
- The retroactivity clause shall not prejudice the rights of third parties, in particular those of the plaintiff.
- The public authority could not benefit from the exemption to the transparency obligation foreseen in Article 14(5)c GDPR (“obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests”). Indeed, the legal framework for imposing a parking fee was considered insufficient to qualify for the exemption provided in Article 14(5)c GDPR, as it neither mandated the public authority to process the personal data of the complainant for fine collection nor specified measures to protect the legitimate interests of the data subject.
The Findings of the Litigation Chamber
On 9 July 2021, the case was referred to the Litigation Chamber of the Belgian DPA. The Litigation Chamber rendered its decision on 29 September 2023 and came to the following conclusions:
- With regard to the breach of Article 28.3 GDPR (requirement to enter into a data processing agreement), the Litigation Chamber agreed with the Inspection Service and indicated that i) both controllers and processors are responsible for ensuring that a legally binding agreement governs the processing activities, ii) in the absence of such an agreement, both controllers and processors can be fined by the competent supervisory authority, iii) a retroactive clause in a data processing agreement to cover past processing activities does not compensate for the absence of the data processing agreement at the time of the processing activities and accepting such retroactive clauses would de facto allow a circumvention of Article 28.3 GDPR, iv) retroactive clauses cannot guarantee the rights and freedoms of the data subjects as processing activities were not governed by a legally binding agreement at the time of past processing activities. Therefore, both the controller and the processor were found to be in breach of Article 28.3 GDPR.
- With regard to the breach of Article 12.1 and 14(5)c GDPR (transparency obligation), the Litigation Chamber first analysed the conditions of the exemption foreseen in Article 14(5)c GDPR and noted a significant difference between the French version of the GDPR and the Dutch/English versions. Basically, the Litigation Chamber agreed with the Dutch/English versions of the text and indicated that the exemption applies when collection and disclosure of data is provided by member state or European Union law.
- The Litigation Chamber additionally indicated that this exemption in Article 14(5)c GDPR shall be interpreted restrictively since it constitutes an exception to the data subject’s right to information. The Litigation Chamber correctly emphasizes that this exemption could prevent data subjects from being informed about the existence of their other data subject rights in general, while those other rights are not subject to a similar exception. Additionally, the Litigation Chamber explained that the laws providing for such an exemption should be particularly clear and shall cover all the data processed by data controllers.
Consequently, the Litigation Chamber found that (i) the scope of the national legislation that the public authority referred to as the basis for the exemption in Article 14(5)c did not cover all the data that had been processed by the public authority and the third-party service provider, and (ii) the abovementioned national legislation did not provide any appropriate measure to protect the interests of the data subjects. In conclusion, the public authority was found in breach of Articles 14 and 12.1 GDPR.
The decision at hand again stresses the importance of prioritising data processing agreements when controllers engage with processors and vice versa. Due to the urgencies of business needs, data processing agreements may sometimes be perceived as a lower priority that can be handled after vendors start delivering services. However, this decision reminds us of the importance of consistent and timely compliance with the GDPR, especially in the framework of controller to processor engagements.
Furthermore, the decision also reminds us that exemptions to the GDPR obligations must be interpreted restrictively, and controllers must carefully analyse whether all specific conditions of exemptions – that may not be expressly stated in the GDPR – are fulfilled.
The full decision can be consulted here (in French).