Dt: Created page with “{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=11/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-nr.-11-2026.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour…”
|Jurisdiction=Belgium
|DPA-BG-Color=
|DPAlogo=LogoBE.png
|DPA_Abbrevation=APD/GBA
|DPA_With_Country=APD/GBA (Belgium)
|Case_Number_Name=11/2026
|ECLI=
|Original_Source_Name_1=APD
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-nr.-11-2026.pdf
|Original_Source_Language_1=Dutch
|Original_Source_Language__Code_1=NL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=27.01.2026
|Date_Published=
|Year=2026
|Fine=
|Currency=
|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 6(1)(c) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1c
|GDPR_Article_3=Article 6(1)(e) GDPR
|GDPR_Article_Link_3=Article 6 GDPR#1e
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=Article 10 §1, 4° of the Belgian Law on Safety at Football Matches of December 21, 1998
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}
The DPA warned a football club to ensure that it only processed relevant and necessary personal data for tickets cancellation. Furthermore, the DPA warned the club to ensure it only processed personal data with a valid legal basis for security measures for matches.
== English Summary ==
=== Facts ===
The data subject is an employee of an entity that sponsors a second division football club (the controller). The data subject obtained tickets via his employer to attend a football match. However, the data subject’s ticket was cancelled due to him being registered as a supporter of the rival football club according to the information communicated by the controller’s ticket and security manager.
Following an inquiry from the data subject, the controller specified that it obtained the information from the police.
The controller argued that the football match was considered high-risk and, thus, it had to submit the ticket list to the local police in order to check that no supporters of the rival football club would be seated among the home supporters for safety reasons.
The controller forwarded the data subject’s name and date of birth to the local police for verification.
The controller claimed that it relied on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] and [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] as legal bases for the transmission of personal data. The controller invoked Article 10 §1, 4° of the Belgian Law on Safety at Football Matches of December 21, 1998.
The data subject filed a complaint with the DPA regarding the transfer of his personal data to the police and from the controller to his employer.
=== Holding ===
Firstly, the DPA noted that the information provided by the controller to the data subject’s employer went beyond what was necessary for informing them of the cancellation of the ticket. Therefore, the DPA found that the controller was at risk of violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
Secondly, the DPA pointed out that the controller must designate a single legal basis prior to the processing activity. Moreover, the DPA found that the article of the Football Act invoked as a legal obligation by the controller did not require a specific processing of personal data and cannot form a legal basis under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].
Alternatively, regarding the potential legal basis under [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], among other aspects, the controller failed to specify the nature, scope and concrete modalities of the purposes of the security measures taken under the Football Act article invoked.
Specifically, the DPA considered that the controller must examine whether the transfer of the personal data to the local police was a necessary and proportionate measure to separate rival supporters in order to ensure the safety of spectators and the emergency and police services.
The DPA pointed out that the measures are aimed at separating groups of rival supporters rather than excluding individual supporters who are not a part of such groups but are registered as supporters of the rival team.
Taking these arguments in consideration, the DPA found that Article 10 §1, 4° of the Football Act did not provide a sufficient legal basis in conjunction with [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]].
Therefore, the DPA issued a warning to the controller to ensure future compliance with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] (i.e. the data minimisation principle) when cancelling tickets. Furthermore, the DPA warned the controller to ensure compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]] in the sense that in the future it only carried out processing of personal data in the context of security measures at football matches with a valid legal basis.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
<pre>
1/13
Dispute Resolution Chamber
Decision 11/2026 of 27 January 2026
File number: DOS-2024-02593
Subject: Complaint concerning the transfer of personal data to the local police for the purpose of
excluding rival supporters from the home sections
The Dispute Resolution Chamber of the Data Protection Authority,
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
Considering the internal rules of procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 1
15 January 2019;
Considering the documents in the dossier;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”
Defendant: Y, with registered office and establishment in […], with company number
[…], hereinafter “the defendant”
1The new Internal Rules (“IR”), following the amendments made by the law of 25 December 2023
amending the law of 3 December 2017 establishing the Data Protection Authority (DPA), entered into force
on 1 June 2016.
In accordance with Article 56 of the law of 25 December 2023, the new IR applies only to complaints,
mediations, inspections, and proceedings before the Dispute Resolution Chamber initiated on or after that date:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-
gegevensbeschermingsautoriteit.pdf
Cases initiated before 1 June 2024, as in The present case is subject to the provisions of the Data Protection Act (WOG) as amended
by the law of 25 December 2023 and the RIO as it existed before that date:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf Decision 11/2026 — 2/13
I. Facts and procedure
1. On 30 May 2024, the complainant filed a complaint with the Data Protection Authority against
the defendant.
2. The defendant is a professional football club playing in the Belgian second division.
The complainant is an employee of one of the defendant’s main sponsors. The complainant was to attend a
football match as part of an activity organized by his
employer, who, as the main sponsor, was able to obtain tickets from the defendant. On April 11, 2024,
the complainant learned from his employer that his ticket had been canceled and that he would be unable to attend the match
due to his registered support of the rival football club. This information was communicated to the complainant’s employer
by the respondent’s ticket and security officer. When the complainant
contacted the respondent to inquire about how they obtained the
data, the respondent stated that it was obtained as a result of
a police check. The complainant doubted whether the transfer of his personal data to the
police was lawful and suspected that the transfer of his personal data
by the respondent to his employer violated the GDPR.
3. On June 25, 2024, the complaint was declared admissible by the First Line Service on the basis
of Articles 58 and 60 of the WOG (Commission for the Judicial Process), and the complaint was transferred to the Dispute Resolution Chamber pursuant to Article 62, § 1 of
the WOG.
4. On January 20, 2025, the parties were informed, in accordance with Article 95, § 2 of the WOG, that
a file had been opened in response to this complaint, as well as about the content of the
complaint. With this letter, the Dispute Resolution Chamber gave the defendant the opportunity
to submit its comments on the complaint.
5. On January 23, 2025, the Dispute Resolution Chamber received the defendant’s comments on
this notification, as well as the evidence it used to support its comments.
The defendant explains that the football match in question was a high-risk match. For that reason, the defendant had to hand over the ticket lists to the local police so that they could check whether supporters of the rival football club would be seated among the home supporters. The defendant explains that, for safety reasons, away supporters must always be seated in the visitors’ section. The documents show that the defendant forwarded the plaintiff’s surname, first name, and date of birth to the local police for verification.
6. On March 6, 2025, the Dispute Resolution Chamber, in accordance with Article 94, §1, 1° of the Dispute Resolution Act (WOG), decided to request information from the defendant to determine the scope of the dispute.
2 In accordance with Article 61 of the WOG, the Dispute Resolution Chamber hereby informs the parties that the complaint has been declared admissible. Decision 11/2026 — 3/13
to determine. In this letter, the Dispute Resolution Chamber explains that it remains unclear which
legal basis as referred to in Article 6.1 of the GDPR the respondent relies on to
forward personal data of supporters to the local police for the purpose of
a screening by the latter.
7. On March 7, 2025, the Dispute Resolution Chamber received the respondent’s response to this
information request. The respondent argues that the legal basis for the aforementioned
data processing is Article 6.1. c) and e) of the GDPR. In particular, the defendant relies
on Article 10, §1, 4° of the Law on Security at Football Matches of 21
December 1998.
8. Pursuant to Article 95, §2, 3° of the WOG (Social Security Act) and Article 47 of the Internal Rules of the GBA, the parties may request a copy of the file. If either
party wishes to consult and
copy the file, they should contact the registry of the Litigation Chamber,
preferably via litigationchamber@apd-gba.be.
II. Reasons
II.1. Regarding the transfer of personal data to the complainant’s employer
9. Regarding the transfer of information to the complainant’s employer, the
Litigation Chamber points out that the principle of data minimization, laid down in
Article 5.1. c) of the GDPR stipulates that personal data must be adequate, relevant,
and limited to what is necessary for the purposes for which they are
processed. Recital 39 of the GDPR adds that personal data may only
be processed if the purpose of the processing cannot reasonably be
achieved by other means.
10. In the present case, it can be argued that the transfer of the complainant’s personal data
was intended to inform his employer that his employee would not be able
to participate in the activity organized by him, and that the reserved
ticket was therefore canceled. The Litigation Chamber considers that the information
provided by the defendant, including the notification that the complainant is registered
as a supporter of the rival football club, exceeds this purpose. In particular,
information about the specific reason why the complainant could not participate, namely
his supporter registration, was not necessary to allow the employer to take note
of or act on the cancellation of the ticket. The defendant, for example,
could also have simply informed the complainant itself. Consequently, the Dispute Resolution Chamber
prima facie finds that the processing was not limited to what is relevant and necessary, as required by Article 5.1. c) of the GDPR, so that there may be a
infringement of the principle of data minimization.
11. In accordance with Article 95, § 1, 4° of the WOG and Article 58.2.a) of the GDPR, the
Dispute Resolution Chamber has the authority to warn a controller or processor
that the intended processing activities may violate the provisions
of the GDPR.
12. Based on the above facts, the Dispute Resolution Chamber finds that the defendant
is in danger of violating Article 5.1.c) of the GDPR by disclosing personal data of the complainant to the complainant’s
employer that exceeds the purpose of the processing. This
justifies issuing a warning so that the defendant ensures in the future
that it respects the principle of data minimization, as laid down in Article
5.1.c) of the GDPR, when canceling tickets.
13. This warning decision is intended to remind the defendant, who is presumably
responsible for the processing, of its obligation to comply with the
above provisions of the GDPR, so that it can comply with these
provisions in the future in the context of the processing activities at issue in this case.
II.2. Regarding the lawfulness of the transfer of personal data to the local police
The applicable legal basis
14. The Litigation Chamber recalls that, pursuant to Article 5.1. a) GDPR, any processing of
personal data must be based on a lawful basis (the
principle of lawfulness). This specifically means that a controller may not
initiate or continue processing without relying on one of the legal grounds listed in
Article 6.1 GDPR.
15. The Litigation Chamber notes that the respondent explicitly relies on Articles 6.1. c)
and e) GDPR to justify the transfer of the complainant’s personal data to the local police.
The respondent argues that the seats in the home sections are intended
for its own supporters and for neutral supporters, while away supporters must be seated in the visitors’ section for
security reasons. Given that the match
in this case was a high-risk match, the defendant argues that it was obligated to pass on the
ticket lists for the home sections to the local police. This allows them to
check whether supporters of the rival football club will be seated among the home fans.
If this were to occur, the defendant would be obligated to cancel the
tickets in question, which is what happened in this case with regard to the complainant. Decision 11/2026 — 5/13
3
16. The Litigation Chamber has already pointed out in its previous decisions that the
controller must, prior to processing, designate a single lawful
ground on which it wishes to process personal data.
The different lawful grounds have different
consequences, particularly with regard to the rights of data subjects. For
the aforementioned reason, a controller is not permitted to rely on multiple legal grounds for the same
processing,
depending on the circumstances. Furthermore, the Litigation Chamber points out that the choice of the appropriate
legal ground must be made before the start of the processing activity and
must be included in the controller’s privacy statement. It follows from
the foregoing that, in this case, the defendant cannot simultaneously rely on Articles 6.1.
c) and 6.1. e) of the GDPR for the transfer of personal data to the local police.
17. In view of the defendant’s response of 7 March 2025, the Litigation Chamber finds
that it relies on Article 10, §1, 4° of the Law on
security at football matches of 21 December 1998 for the transfer. That article reads as follows:
Art. 10. § 1. The organizers of a national or international football match or of a
football match in which at least one team from the third national division participates,
shall take at least the following measures:
[…]
4° the implementation of active and passive security measures aimed at the safety of the
public and the emergency and police services by controlling the movement of
spectators, separating rival spectators, and the concrete
implementation of the internal rules.
[…]
18. In view of this wording, the Litigation Chamber is prima facie of the opinion that the contested
processing of personal data cannot be based on Article 6.1.c) GDPR. A standard that imposes a
legal obligation must, on the one hand, specify the specific purpose for which the
mandatory data processing must be carried out, and, on the other hand, must be clear and
precise, so that the controller, in principle, has no
margin of discretion regarding the manner in which the processing of
personal data necessary to comply with its legal obligation is carried out.
3 Substantive Decision 55/2021 of 22 April 2021 of the Litigation Chamber; Substantive Decision 138/2021 of 8 December
2021 of the Litigation Chamber.
4 Art. 13.1, c) and 14.1 c) of the GDPR.
5 Law of 21 December 1998 on security at football matches, Belgian Official Gazette 3 February 1999, p. 3042 (hereinafter ‘the
Football Law’). Decision 11/2026 — 6/13
6
executed. The Litigation Chamber establishes prima facie that the aforementioned article of the
Football Act does not oblige a specific processing of personal data and
therefore cannot constitute a legal basis for the processing at issue under 6.1. c)
GDPR.
19. It is, of course, beyond doubt that the safety of spectators and emergency and
police services is, however, a task of general interest, which in principle allows
processing based on Article 6.1 e) GDPR. However, the application of Article 6.1 e)
GDPR presupposes the fulfillment of certain conditions listed in the GDPR,
which the Litigation Chamber will verify.
20. First, the Litigation Chamber notes that Article 10, §1, 4° of the Football Act
obliges organizers of national football matches, among other things, to separate rival
spectators from each other, in order to guarantee the safety of the public and the emergency
and police services. The Litigation Chamber notes that Article 2, 1° of that Act
defines a “national football match” as “a football match in which at least one
club from one of the top two national divisions participates.” Article 2, 4° of the
Football Act defines “organizer” as “the natural person or legal entity that organizes or commissions the organization of a
national football match or an international football match, in whole or in part,
on its own initiative or on the initiative of a third party.” Given that the
defendant is a professional football club playing in the Belgian second division,
the Litigation Chamber concludes that the defendant is an organizer of a national
football match within the meaning of the Football Act, which, in accordance with Article 10, 4°,
is obliged to implement active security measures, including the separation of
rival spectators, with the aim of fulfilling the aforementioned task of public interest.
21. The Litigation Chamber points out that when data processing is carried out because
it is necessary for the performance of a task of public interest (Article 6.1 e) GDPR),
7
the processing must have a legal basis in Union or national law. In this regard, the
Litigation Chamber points out that, in accordance with Article 6.3. GDPR, read in
conjunction with Article 22 of the Constitution and in light of Articles 7 and 8 of the
EU Charter of Fundamental Rights, a legislative standard must specify the essential characteristics of
data processing necessary for the performance of a task
of public interest or in the exercise of official authority entrusted to the controller.
8
The Litigation Chamber emphasizes that the
processing in question must be framed by a standard that is sufficiently clear and
6GBA, Standard Opinion 65/2024 of 24 March 2023 Updated version – session of 29 September 2023 concerning ‘the drafting of normative texts’, p. 5, https://www.gegevensbeschermingsautoriteit.be/publications/advies-nr.-65-2023.pdf
7
Art. 6.3 GDPR in conjunction with recital 45 GDPR
8See also the recommendations of the GBA Knowledge Center 36/2020, 42/2020, 44/2020, 46/2020, 52/2020, and 64/2020. Decision 11/2026 — 7/13
is accurate and the application of which is foreseeable for the persons concerned. Specifically, the GDPR requires that Union or national law on which the processing is based must at least determine the purpose of the processing. The applicable law may also further specify the general conditions of the GDPR that data processing must meet to be lawful, such as: the identity of the controller, the categories of personal data processed, the categories of data subjects whose personal data will be processed, the recipients or categories of recipients to whom the personal data may be disclosed, the retention period of the data, the circumstances and reasons for the disclosure, as well as any limitations on the obligations and/or rights referred to in Articles 5, 12 to 22, and 34 of the GDPR. 22. The Litigation Chamber notes in this regard, however, that the tasks of general interest or
public authority entrusted to data controllers are often
based on legislative provisions that do not meet the requirements set out in paragraph 21,
in particular because the purpose and/or essential characteristics
of the data processing in question were not specified in sufficient detail.
Rather, processing takes place on the basis of a more general
authorization to act, as is necessary for the performance of the task. This means
that in practice, the relevant legal basis often does not contain concrete
definitive provisions regarding the necessary data processing. The
controller who wishes to rely
on Article 6.1.e) GDPR based on such a legal basis must then independently assess whether the processing they
envision is necessary for the performance of their task in the public interest.10
23. In the present case, the Dispute Resolution Chamber recognizes that the legislature has defined the task in the public
interest as referred to in Article 10, § 1, 4° of the Football Act in broad and general
terms. It is important that the purpose, mentioned in point 19 above,
is sufficiently clearly defined, as required by Article 6.3 GDPR. The article in question
further limits itself to stipulating that the organizer of a football match
is obliged to take “active and passive security measures” to
ensure the safety of the public and of the emergency services and police, including
among other things, the separation of rival supporters. Although the Dispute Resolution Chamber is perfectly
9 GBA, Brochure on the advisory practice of the Authorization and Advisory Service, September 1, 2024, p. 21,
https://www.gegevensbeschermingsautoriteit.be/publications/brochure-publieke-sector-en-wettelijke-bepalingen.pdf, “The
principles of legality and foreseeability are not only mandatory, but also general in the sense that they apply
in both cases referred to in Article 6, paragraph 1, c) and e), GDPR. In other words, the aforementioned principles must be
respected regardless of whether the processing concerns a task carried out in the public interest by the public authority concerned or a
legal obligation of the latter.”
10See also decision on the merits 124/2021 of the Dispute Resolution Chamber dated 10 November 2021; decision on the merits 138/2021 of the Dispute Resolution Chamber dated 8 December 2021; decision on the merits 150/2024 of the Dispute Resolution Chamber dated 4 December 2024;
decision on the merits 171/2024 of the Dispute Resolution Chamber dated 19 December 2024; decision 11/2026 — 8/13
considers that the purpose of these measures is sufficiently clear, the
legislator has failed to further specify their nature, scope, and specific modalities. In particular, Article 10, § 1, 4° of the Football Act contains no explicit
reference to the processing of personal data, nor any indication from which
it can be inferred whether and to what extent such processing is intended within the context of these
security measures. Therefore, the Litigation Chamber finds that it is up to the
defendant to determine for itself whether the processing in this case was necessary and
proportionate for the performance of its public interest task, taking
into account the degree of interference with the rights and freedoms of the data subjects.
Necessity for the public interest task
24. Essentially, it must be examined whether the transfer of personal data to the local
police was a necessary and proportionate measure to separate rival supporters from
each other, in order to guarantee the safety of spectators and emergency and police services. Pursuant to the “Schecke” judgment of the Court of Justice, processing cannot be considered necessary if alternative measures are conceivable that entail a less intrusive interference with the rights and freedoms
of the data subjects and at the same time effectively contribute to the performance
of the task in the public interest. 11
25. To this end, the Litigation Chamber notes that the manner in which Article 10, §1, 4° of the Football Act, and in particular “the separation of
rival spectators”, should be implemented is further clarified by related implementing regulations. Summer Act
The Dispute Chamber notes that Article 7, 2° of the Royal Decree of 5 July 2005 containing rules for
ticket management at football matches obliges the organizer of
a football match to take all necessary precautions
when allocating seats to spectators in order to separate rival
supporters, consistent with the stadium infrastructure and the
existing barriers in the stands. In view of the Ministerial Circular regulating the
implementation of the aforementioned Royal Decree, the Dispute Chamber finds that this
is a best efforts obligation imposed on the organizer of a football match, which
must be assessed on a case-by-case basis based on the specific facts. This
obligation implies that the organizer must take all necessary precautions
to separate rival supporters, which means that no
1 ECJ Judgment of 9 November 2010, Schecke, joined cases C-92/09 and C-93/09, §86
12 Royal Decree of 2 July 2005 containing the rules for ticket management at football matches, B.S. 4
August 2005, p. 34213
1 Circular OOP34 of 21 February 2006 containing specifications for the implementation of the Royal Decree of 20 July 2005
containing the rules for ticket management at football matches, B.S. 1 March 2006, p. 12398 Decision 11/2026 — 9/13
Tickets can be allocated for the compartments of one team,
to spectators who were known or should have been known to be supporters of the other
team. The Ministerial Circular also lists examples of measures
that an organizer could take to meet the aforementioned
obligation of means: “The organizer may base this on certain external
characteristics, certain behavior of supporters, or, in case of doubt, by asking
the supporters’ choice. Discrimination regarding admission prices for home supporters
and visiting supporters can also result in a mix of supporters, and
could therefore also be a factor in determining whether the organizer has
not fulfilled its obligation of means.”
26. The Dispute Resolution Chamber notes that, although the Ministerial Circular does not list the possible
measures exhaustively, it does provide a useful indication of the nature and
extent of the measures an organizer can take to
separate rival supporters. Again, the Dispute Resolution Chamber notes that no mention is made
of the fact that separating rival supporters could
involve the processing of personal data. Furthermore, the Dispute Resolution Chamber notes
that the measures mentioned are aimed more at separating groups of rival
supporters from each other and not at excluding individual supporters who,
without being part of such groups, are (coincidentally) registered as
supporters of the rival team. Conversely, it can be noted that the Ministerial
Circular does implicitly refer to the processing of personal data regarding the monitoring of stadium bans:
“With regard to the distribution of
advance tickets and season tickets, a check must be carried out on
those who must identify themselves against the list of stadium bans. Furthermore, the season tickets
of persons with a stadium ban must be revoked.”
27. In light of the foregoing, the Dispute Resolution Chamber is prima facie of the opinion that Article 10,
§ 1, 4° of the Football Act, read in conjunction with Articles 6.1, e) and 6.3 of the GDPR,
does not constitute a sufficient legal basis for collecting and sharing personal data
of the complainant with the local police for the purpose of guaranteeing the safety of the
public and that of the emergency and police services during a football match. More specifically,
the Litigation Chamber rules that such a transfer of personal data constitutes, a priori,
processing that is not strictly necessary for the performance of the aforementioned task
of public interest. The defendant does not argue in this regard that without this
transfer, the desired task of public interest could not be achieved.
On the contrary, the cited implementing decrees show that several alternative
1 Ibid, p. 12400
1 The Litigation Chamber infers this from the wording “all necessary precautions” preceding the list. Decision 11/2026 — 10/13
and less drastic measures are available that are sufficient to separate rival
supporters from each other in order to guarantee safety as required
by Article 10, §1, 4° of the Football Act. These findings justify the
Dispute Chamber’s decision pursuant to Article 95, § 1,
4° of the WOG (Dutch Football Act), and more specifically, the issuance of a warning
to the defendant. For the sake of completeness, the Dispute Chamber notes that in this
prima facie decision, it exclusively addresses the legal basis invoked
by the defendant, specifically Article 10, § 1, 4° of the Football Act. It does not rule out that the
collection and provision of personal data to the local police, for the purpose of a prior check,
could possibly be based on another legal basis. However, such an investigation falls outside the scope of this decision.
28. In accordance with Article 95, § 1, 4° of the Dutch Football Act (WOG) and Article 58.2.a) of the GDPR, the
Dispute Resolution Chamber has the authority to warn a controller or processor
that the intended processing activities may violate the
provisions of the GDPR.
29. Based on the above facts, the Dispute Resolution Chamber is prima facie of the opinion that the
defendant runs the risk of violating Article 6.1(e) in conjunction with Article 6.3 of the GDPR if it
continues to rely on Article 10, § 1, 4° of the Football Act in the future for the transfer
of supporters’ personal data to the local police, in the absence of further
implementing decrees that make such transfer necessary for the performance of
the aforementioned task of public interest. The foregoing justifies issuing a warning to the defendant, in order to encourage it to ensure in the future that any processing of personal data in the context of
security measures at football matches is carried out solely on the basis of
a valid legal basis within the meaning of the GDPR, or, failing that, to refrain from such
processing.
30. This warning decision is intended to remind the defendant, who is presumably
responsible for the processing, of its obligation to comply with the
above provisions of the GDPR, so that it can comply with these
provisions in the future in the context of the processing activities at issue in this case.
31. This decision is a prima facie decision taken by the Dispute Resolution Chamber
in accordance with Article 95 of the Dutch Data Protection Act (WOG) on the basis of the complaint submitted by the complainant,
in the context of the “procedure prior to the decision on the merits”16 and not a
decision on the merits by the Dispute Resolution Chamber within the meaning of Article 100 of the WOG.
16
Section 3, Subsection 2 of the WOG (Articles 94 through 97). Decision 11/2026 — 11/13
32. This decision is intended to inform the defendant that it has
probably committed a breach of the provisions of the GDPR and to enable it
to comply with the aforementioned provisions, or
to prevent such breaches in the future.
33. If the defendant disagrees with the contents of this prima facie
decision and believes that they can present factual and/or legal arguments that
could lead to a new decision, they may submit a request for reconsideration
to the Litigation Chamber according to the procedure established in Articles 98 in conjunction
with 99 of the WOG, known as a “trial on the merits.” This request must be
sent to the email address litigationchamber@apd-gba.be within 30
days of notification of this prima facie decision. If applicable, the implementation
of this decision will be suspended for the aforementioned period.
34. In the event of a continuation of the hearing of the case on the merits, the
Dispute Chamber will, pursuant to Articles 98, paragraphs 2 and 3, in conjunction with Article 99 of the
WOG, invite the parties to submit their defenses and to add any documents they deem useful
to the file. In that case, this decision will be definitively
suspended.
35. Finally, for the sake of completeness, the Dispute Chamber points out that a hearing on the merits
of the case may lead to the imposition of the measures referred to in Article 100 of the
17
WOG.
III. Publication of the decision
36. Given the importance of transparency regarding the decision-making of the
Dispute Chamber, this decision will be published on the website of the
17Article 100. § 1. The Dispute Chamber has the authority to:
1° dismiss a complaint; 2° to order the dismissal of the prosecution;
3° to order the suspension of the judgment;
4° to propose a settlement;
5° to issue warnings and reprimands;
6° to order that the data subject’s requests to exercise their rights be complied with;
7° to order that the data subject be informed of the security problem;
8° to order that the processing be temporarily or definitively frozen, restricted, or prohibited;
9° to order that the processing be brought into compliance;
10° to order the rectification, restriction, or erasure of data and its notification to the recipients of the
data;
11° to order the withdrawal of the recognition of certification bodies;
12° to impose periodic penalty payments;
13° to impose administrative fines;
14° to order the suspension of cross-border data flows to another State or an international institution;
15° to transfer the file to the Public Prosecutor’s Office in Brussels, who will inform it of the
action taken on the file;
16° to decide, on a case-by-case basis, to publish its decisions on the website of the
Data Protection Authority. Decision 11/2026 — 13/13
Applications for intervention must be submitted to the registry of the Market Court
19
in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system
of the Ministry of Justice (Article 32ter of the Judicial Code).
(Gov.). Hielke H IJMANS
Director of the Litigation Chamber
6° the signature of the applicant or their lawyer.
19The petition and its attachment shall be sent by registered mail, in as many copies as there are parties involved, to the clerk of the court or deposited at the registry.
</pre>