Three Belgian plaintiffs had lodged a complaint with the Belgian Data Protection Authority against a regional public environmental institution. This institution has the competence to take action in the case of a breach against environmental legislation, for example in the case of littering. The institution could for example fine a citizen when it finds unlawfully placed garbage containing letters with the name of that citizen. Such a fine had been issued to the first plaintiff.
However, in the decision imposing the fine, the institution also referred to the civil partner of the first plaintiff, and the alleged father-in-law of the first plaintiff. The institution found the name of and the link to the civil partner (the second plaintiff) in the National Register of the first plaintiff. The alleged father-in-law (the third plaintiff) had communications with the institution in order to defend the first plaintiff in the environmental procedure initiated by the institution. The institution had concluded in its decision, based on the family name of the second and the third plaintiff, that there was a family connection between the two.
Decision of the Litigation Chamber
The Litigation Chamber of the Belgian DPA upheld, among other things, that:
- the mentioning of the name of the second plaintiff, its link to the first plaintiff, as well as the alleged family link between the second and the third plaintiff, based on information retrieved from the National Register, constitutes unlawful processing (article 6.1 GDPR), as the legal ground for the processing activities in this specific context is deemed to be carrying out a task in the public interest (article 6.1.e. GDPR), and this processing in concreto was not necessary to carry out the task (environmental enforcement in a decision to impose a fine to the first plaintiff) in the public interest;
- the mentioning that there is a family connection between the second and the third plaintiff could be incorrect, and is based on assumptions not necessary to mention in a decision by the institution in this concrete context, which means the personal data of all plaintiffs is not processed in accordance with the principles of accuracy and data minimisation (resp. article 5.1.d. and article 5.1.c. GDPR.), which means the institution breaches these GDPR-provisions.
The Litigation Chamber issued a warning and reprimand to the institution in accordance with article 58.2.a. and 58.2.b GDPR.
To be conclusive, it can be mentioned that the Litigation Chamber of the Belgian DPA cannot impose an administrative fine to a Belgian public institution or any other government body, as this was excluded by the Belgian legislator
You can find the final decision in Dutch here.
For further information, please contact the Belgian DPA: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.