SA Rossel et Cie – Court Ruling (Belgium, 2023)

This ruling is the result by an appeal of Rossel & Cie, a large media company (controller), which was fined €50.000 by the Belgian DPA after an investigation on their cookies practices (see [https://www.gegevensbeschermingsautoriteit.be/publications/arrest-van-22-februari-2023-van-het-marktenhof-ar-953-beschikbaar-in-het-frans.pdf here] for the DPA decision and here for the GDPRhub summary). The Belgian law empowers the board management of the DPA to issue a referral in order to open an ex officio investigation (Article 63(1) of the Law establishing the Belgian DPA). This referral needs to indicate that there are "serious indications of a practice that could give rise to an infringement of the fundamental principles of personal data protection. In this case, the board management issued a referral on 16 January 2019 without mentioning any reference to serious indications of potential infringements, or any evidence for that matter. The investigation was however considered open on that date. On 7 March 2019, an handwritten note was drawn up by the investigation service (so, not by the management board (!)) containing several reasons for starting the investigation, among others the high amount of visitors of the controller's websites.   On 16 June 2022, the DPA issued decision 103/2022, fining the controller for several GDPR related violations. The controller appealed this decision at the Market Court in Brussels, stating that the DPA's board management referral did not indicate the reasons to investigate. It was thus irregular, and implied that the investigation service was irregularly seized. As a result, the DPA decision was also invalid.   The court confirmed that the management board had issued the referral to investigate the controller on 16 January 2019. The referral constituted the only administrative act leading up to decision 103/2022. The internal note of the investigation service of 7 March 2019 could not be considered as (a part of) the referral,