The Facts
Three Belgian plaintiffs had lodged a complaint with the Belgian Data Protection Authority against a regional public environmental institution. This institution has the competence to take action in the case of a breach against environmental legislation, for example in the case of littering. The institution could for example fine a citizen when it finds unlawfully placed garbage containing letters with the name of that citizen. Such a fine had been issued to the first plaintiff.
However, in the decision imposing the fine, the institution also referred to the civil partner of the first plaintiff, and the alleged father-in-law of the first plaintiff. The institution found the name of and the link to the civil partner (the second plaintiff) in the National Register of the first plaintiff. The alleged father-in-law (the third plaintiff) had communications with the institution in order to defend the first plaintiff in the environmental procedure initiated by the institution. The institution had concluded in its decision, based on the family name of the second and the third plaintiff, that there was a family connection between the two.
Decision of the Litigation Chamber
The Litigation Chamber of the Belgian DPA upheld, among other things, that:
– the mentioning of the name of the second plaintiff, its link to the first plaintiff, as well as the alleged family link between the second and the third plaintiff, based on information retrieved from the National Register, constitutes unlawful processing (article 6.1 GDPR), as the legal ground for the processing activities in this specific context is deemed to be carrying out a task in the public interest (article 6.1.e. GDPR), and this processing in concreto was not necessary to carry out the task (environmental enforcement in a decision to impose a fine to the first plaintiff) in the public interest;
– the mentioning that there is a family connection between the second and the third plaintiff could be incorrect, and is based on assumptions not necessary to mention in a decision by the institution in this concrete context, which means the personal data of all plaintiffs is not processed in accordance with the principles of accuracy and data minimisation (resp. article 5.1.d. and article 5.1.c. GDPR.), which means the institution breaches these GDPR-provisions.
The Litigation Chamber issued a warning and reprimand to the institution in accordance with article 58.2.a. and 58.2.b GDPR.
To be conclusive, it can be mentioned that the Litigation Chamber of the Belgian DPA cannot impose an administrative fine to a Belgian public institution or any other government body, as this was excluded by the Belgian legislator
You can find the final decision in Dutch here.
For further information, please contact the Belgian DPA: contact@apd-gba.be