City Of Kortrijk – Complaint Upheld (Belgium, 2023)

This decision concerns two controllers, the Belgian City of Kortrijk (controller 1) and the Belgian FOD Mobiliteit en Vervoer, the federal service of mobility and transport (controller 2). On 28 May 2020, the data subject was given a parking fine by controller 1. Specifically, the fine was issued by a public company acting on behalf of Controller 1 - AGB Parko. In order to perform its tasks, AGB Parko could use DIV ([https://www.belgium.be/nl/mobiliteit/Voertuigen/inschrijving dienst inschrijving voor voertuigen]), a database provided by controller 2 containing information concerning the identities of vehicles' owners. On 1 January 2020, the City of Kortrijk internalised AGB Parko's services. The data subject was not informed about this change. By doing so, however, controller 1 could no longer rely on the same legal basis used by AGB Parko, namely deliberation FO No. 02/2016. Such a deliberation originally enabled AGB Parko to use FOD Mobiliteit en Vervoer's database to identify owners who owed fees on their vehicles and issue fines. On 5 November 2020, the data subject filed a complaint at the Belgian DPA against both controllers. The main claim was that both controllers did not have a valid legal basis for the sharing of his personal data. During the investigation, the attention of the Belgian DPA focused on the lack of legal basis connected with the data above-mentioned data sharing. However, on 4 March 2022, the Belgian DPA issued a decision against both controllers by which it did not only found a violation of Article 6(1), but also of Articles 5(1)(a), 12(1) and 14(1)(a) GDPR (lack of adequate information concerning the identity of the controller). Worth mentioning is that, during the decision process, one of the three members of the DPA had stepped down due to a conflict of interest. Therefore, the chair decided to issue the decision alone, since it was not allowed to issue a decision with only two members. On 4 April 2022, an appeal was filed at the