Introduction:
The Belgian Data Protection Authority (DPA) has concluded that a data processing agreement cannot be applied retroactively. This position was taken to avoid circumventing Article 28(3) of the General Data Protection Regulation (GDPR). Moreover, the supervisory authority clarified that both the controller and processor are jointly responsible for entering into the data processing agreement.
FACTS:
On May 20, 2020, the administrator of a municipality, the individual, received a parking fine for a violation.
On July 6, 2020, the individual requested evidence of the parking violation and received several photos of his vehicle. They also wanted information about the processing of their personal data and wanted to obtain the agreement between the municipality (the controller) and a third party (the processor) used in setting and collecting the fee.
Following the request, the individual noted that no data processing agreement existed at the time of the events.
On Sept. 4, 2020, the data subject filed a complaint against both the controller and the processor for violation of Article 28(3) of the AVG, which requires controllers to implement a data processing agreement.
On Nov. 20, 2020, the Data Protection Authority opened an investigation that was later transferred to the Inspectorate (SI).
On May 11, 2021, the SI’s investigation was closed and the case was referred back to the DPA.
The SI found that the processor agreement between the controller and the processor had not been entered into until July 27, 2020.
The investigation revealed that no agreement existed at the time of data processing of the data subject. Nevertheless, the July 27, 2020 contract contained a retroactive clause.
Defective Data Processing Agreement and Retroactivity in Litigation
The Belgian DPA found violations of Articles 28, 14 and 12 of the AVG. The DPA emphasized that Article 28(1) of the AVG requires a processor to provide adequate safeguards to protect the rights of data subjects.
Article 28(3) of the AVG requires data controllers to implement a data processing agreement. The DPA concluded that adding a retroactive clause to the contract does not correct the lack of the contract at the time of the event.
Recognizing this could circumvent the application of the obligations of Article 28(3) AVG, which aim to safeguard the rights and freedoms of data subjects. The AP concluded that both the controller and processor were responsible for preparing a data processing agreement in a timely manner.
Violations of Transparency Obligation and Data Processing Agreement under GDPR
In addition, the DPA found violations for lack of transparency under Article 12(1) of the AVG and Article 14 of the AVG because the controller had not complied with the information obligations under Article 14 of the AVG.
The municipality argued that the exception of Article 14(5)(c) of the AVG applied to it. She referred to the law of Feb. 22, 1965, which empowers municipalities to levy parking fees on motor vehicles, and the Decree of Jan. 22, 2009, on the enforcement of parking fees.
The DPA rejected this, noting that exceptions should be interpreted restrictively. The legislation cited by the municipality did not contain any exceptions to the reporting requirement. The DPA concluded that the legislation cited by the municipality was insufficiently specific. She added that even if the exemption applied, the controller was still obliged to inform the data subject about the sources and recipients of his personal data, unless prohibited by law.
As a result, both the municipality and the third party were reprimanded for violation of Article 28(3) of the AVG, and the municipality was reprimanded for violation of Article 14 of the AVG and Article 12(1) of the AVG for failing to take appropriate measures to fully inform the data subject
