GDPRhub - User contributions [en] (feed of user Fra-data67, generated 2024-03-29T06:30:28Z, MediaWiki 1.39.6; https://gdprhub.eu/api.php?action=feedcontributions&user=Fra-data67&feedformat=atom)<br />
APD/GBA (Belgium) - 54/2021, revision of 2021-05-04T18:20:38Z (https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_54/2021&diff=15590)<p>Fra-data67: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=54/2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Autorité de la protection des données<br />
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-54-2021.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=22.04.2021<br />
|Date_Published=<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 24 GDPR<br />
|GDPR_Article_Link_4=Article 24 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The Belgian Data Protection Authority reprimanded an entity in charge of paying family allowances to its affiliates for failure to comply with Articles 4, 5, 6 and 24 GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In July 2019, an entity in charge of paying family allowances to its affiliates who have children (a voluntary intervener in the proceedings, hereinafter "the voluntary intervener") consulted the data of the complainant's son in the National Register, in particular the "household composition" data and its history. This consultation took place in order to manage the family allowance file of the complainant's son, one of its affiliates, and to determine the amount of family allowance that he would be entitled to receive. It was carried out via the TRIVIA application, developed by the BCSS and made available to the family allowance funds, on the basis of the National Register number of the affiliated person, the complainant's son. <br />
<br />
It is this consultation of the history of the composition of the complainant's son's household that is the subject of the complaint. During this consultation, the voluntary intervener was given access to the information that the complainant had been part of his son's household at one time in his life. The complainant argues that this consultation of personal data concerning him had no valid legal basis within the meaning of Article 6 GDPR. <br />
<br />
On 24 September 2019, the Supervisory Authority of the family allowance funds for the Brussels-Capital Region (IRISCARE/FAMIFED) received a request for information from the complainant via the contact form on its website. With this request for information, the complainant asked the Supervisory Authority about the consultation of his data on 9 and 17 July 2019. <br />
<br />
Following several unsuccessful exchanges, and in the absence of a satisfactory response, the dispute was brought before the Belgian Data Protection Authority’s dispute chamber. <br />
<br />
In this case, the defendant is the shared service center of the voluntary intervening entity. In this respect, the defendant was responsible for monitoring the personal data protection of all the family allowance funds in the group. <br />
<br />
When he submitted his conclusions on 9 June 2020, the complainant underlined that a new consultation of his data, still without any legitimate basis according to him, had taken place on 21 April 2020. When questioned in this respect, the defendant answered the complainant that this consultation was part of the management of the present case pending before the dispute chamber. <br />
<br />
=== Dispute ===<br />
<br />
* Is access to the information that the complainant had been a member of his son's household at one time in his life considered processing of personal data within the meaning of Article 4 GDPR and is it justified on the basis of Article 6 GDPR?<br />
* Can the controller raise the argument that the application it uses, which is imposed by a third party, does not allow it to comply with the provisions of the GDPR?<br />
<br />
=== Holding ===<br />
The Belgian data protection authority found a violation of the GDPR, and gave the following reasons for its decision: <br />
<br />
==== The notion of processing of personal data within the meaning of Article 4 GDPR ====<br />
Very briefly, the dispute chamber begins by recalling that the fact of having accessed this information constitutes processing of personal data within the meaning of Article 4(2) GDPR irrespective of whether this processing is lawful within the meaning of the Regulation. <br />
<br />
Furthermore, the dispute chamber holds that in this case the voluntary intervening entity must be considered as a controller, and the defendant as a processor of the voluntary intervener.<br />
<br />
==== Legal basis of processing under Article 6 of the GDPR ====<br />
The dispute chamber of the Belgian data protection authority points out that the defendant and the voluntary intervener base the processing on Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation). Recalling that 'necessity' is an autonomous concept of EU law, the dispute chamber emphasises that the principle of necessity requires the authority adopting a measure that infringes a fundamental right of the individual, in order to achieve a justified objective, to demonstrate that this measure is the least restrictive means of achieving that objective. Further, recalling the case law of the European Court of Human Rights, it notes that necessity implies the existence of a compelling social need. <br />
<br />
Furthermore, the Belgian authority relies on Opinion 03/2019 of 23 January 2019 of the European Data Protection Committee (EDPS), which sets out the conditions under which this basis for lawfulness can be applied: <br />
<br />
* The obligation must be imposed by legislation; <br />
* The legislation must meet all the conditions required to make the obligation valid and binding; <br />
* The legislation must comply with applicable data protection law, including the principles of necessity, proportionality and purpose limitation; <br />
* The legal obligation itself must be sufficiently clear about the processing of personal data it requires; and <br />
* The controller should not have an unjustified margin of discretion as to how to comply with the legal obligation. <br />
<br />
In the present case, the Belgian DPA notes the following points in this respect: <br />
<br />
* Under the provisions of the General Law on Family Allowances of 19 December 1939, the family allowance bodies and the ministerial departments responsible for the implementation of that law are obliged to consult the national register of natural persons in order to obtain the information required by the law, which includes, inter alia, data relating to the composition of the household and its successive changes (the history). <br />
* In addition, the Order of 25 April 2019 of the Brussels-Capital Region and the Order of 4 April 2019 lay down the conditions for the granting of social supplements (these supplements being conditioned by the household income). <br />
<br />
The dispute chamber concludes that, in other words, prior to the granting of the family allowance and supplement, it was the responsibility of the family allowance funds (of which the voluntary intervener was one) to identify, in application of the various aforementioned texts, the beneficiaries and their household income. This verification of the household income requirement (and therefore of who was part of it) was, in this case, done by identifying the composition of the complainant's son's household by consulting the National Register. <br />
<br />
However, the dispute chamber notes that the legal texts do not make clear the date at which the composition of the household is to be taken into consideration. This precision would have been valuable, in keeping with the principle of clarity and foreseeability of the law derived from the case law of the Court of Justice of the European Union and the European Court of Human Rights.<br />
<br />
The dispute chamber considered that this history of the complainant's son's "household composition" data could have been consulted back to the date on which entitlement to the benefits and the social supplements to those benefits began, and that the consultation of the complainant's son's entire history without any time limit was, in any event, disproportionate and unnecessary for the voluntary intervener to comply with its legal obligation. Access to this complete history was therefore disproportionate, and the data consulted were not relevant to the purpose pursued, i.e. determining the composition of the household at the given point in time that must be taken into account when granting family allowances and the social supplement. <br />
<br />
Consequently, the dispute chamber held that there had been a breach of Article 6 GDPR, in that the processing was not necessary for its legal obligation. In addition, the chamber found a breach of Article 5 GDPR, in that the data collected could not be considered relevant to the purpose.<br />
<br />
The complainant also raised a second consultation, dated 21 April 2020, in the course of the proceedings. In this respect, the DPA notes that the defendant and the voluntary intervener rely on their legitimate interest (Article 6(1)(f) GDPR), the consultation being justified, according to them, by the needs of the present proceedings. The DPA recalls that it has already held that legal defence is a legitimate interest that controllers may validly invoke, provided that the cumulative conditions are met: the processing must be necessary to achieve the legitimate interest pursued, and it must be proportionate (i.e. the fundamental rights and freedoms of the data subjects must not prevail over the interest pursued). As those conditions were not met here, the chamber rejected this argument and considered that the processing was not justified.<br />
<br />
==== Accountability within the meaning of Article 24 GDPR ====<br />
The Belgian data protection authority also concluded that the voluntary intervener failed to comply with Articles 24 and 5(2) GDPR, since it was not able to put in place the technical measures needed to implement the GDPR. The controller cannot escape this conclusion by arguing that the application used, even if its use is imposed by a third party, does not allow it to comply with the GDPR. <br />
<br />
Consequently, in application of its obligation of accountability and documentation, the voluntary intervener should at least have alerted the relevant authorities to the situation in which the forced use of the TRIVIA application placed it in relation to its obligations under the GDPR. <br />
<br />
==== Sanctions ====<br />
In view of these failings, the dispute chamber reprimanded the voluntary intervener and ordered the publication of the decision on the Belgian data protection authority's website with the deletion of the parties' direct identification data. <br />
<br />
In addition, the dispute chamber stresses that it is important that an appropriate response be found quickly to the problem raised by the complaint, in order to allow limited consultation, in compliance with the GDPR, of the history of the "household composition" data (as well as the history of other data in the National Register, if applicable).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Decision on the merits 54 / 2021-1 / 23<br />
<br />
Litigation Chamber<br />
<br />
Decision on the merits 54/2021 of 22 April 2021<br />
<br />
File No.: DOS-2019-06237<br />
<br />
Subject: Complaint relating to an illicit consultation of the National Register in the context of the allocation of family allowances<br />
<br />
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection), hereinafter GDPR;<br />
<br />
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);<br />
<br />
Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Having regard to the documents in the file;<br />
<br />
Took the following decision regarding:<br />
<br />
The complainant: Mr X1, (hereinafter "the complainant");<br />
<br />
The defendant: Y1, (hereinafter "the defendant");<br />
<br />
In the presence of: Y2 ASBL, (hereinafter "the voluntary intervener");<br />
<br />
Both advised by Maître Paul Van den Bulck and Maître Andrine Like, lawyers at the Bar of Brussels, whose office is established at Rue des Colonies 56 box 3 in 1000 Brussels.<br />
<br />
<br />
<br />
<br />
<br />
1. Background to the procedure<br />
<br />
In view of the mediation request filed on December 8, 2019 by the complainant with the Data Protection Authority (DPA);<br />
<br />
Given the failure of the mediation attempt communicated to the complainant on February 20, 2020 by the First Line Service (SPL) of the DPA;<br />
<br />
Considering the agreement given by the complainant on February 20, 2020 for his request to be transformed into a complaint in application of Article 62.2 LCA;<br />
<br />
Considering the decision of March 9, 2020 of the SPL declaring the complaint admissible and its transmission to the Litigation Chamber;<br />
<br />
Having regard to the letter of April 8, 2020 from the Litigation Chamber informing the parties of its decision to consider the case ready for treatment on the merits on the basis of Article 98 LCA and providing them with a timetable for the exchange of conclusions. In this letter, the Litigation Chamber in particular specified the following to the parties:<br />
<br />
Without prejudice to any arguments you may wish to develop, you will ensure that you shed light for the Litigation Chamber on the data processing involved, on the role of the various possible stakeholders and their capacity with regard to the data protection regulations, as well as on the precise legal basis of the disputed consultation of the complainant's data. You will also ensure that you explain the measures put in place to guarantee access only to data justified by the processing of files and the traceability of such access. You will also inform the Litigation Chamber of what is concretely understood by the terms "induced and involuntary consultation" used in the attachments to the complaint, in the light of the specific facts.<br />
<br />
Having regard to the main conclusions filed on May 22, 2020 by the defendant as well as by Y2 (the voluntary intervener), which intervenes voluntarily in the case by this means (see below point 30 and following);<br />
<br />
Having regard to the arguments of the complainant of June 9, 2020;<br />
<br />
Having regard to the additional and summary conclusions of the defendant and the voluntary intervener of 3 July 2020;<br />
<br />
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on December 10, 2020;<br />
<br />
Having regard to the hearing during the session of the Litigation Chamber of January 19, 2021 in the presence of the complainant and Mr. A. Like, representing both the defendant and the voluntary intervener;<br />
<br />
Having regard to the letter sent by counsel for the defendant and the voluntary intervener on January 26, 2021;<br />
<br />
Having regard to the minutes of the hearing and the observations made thereon by the parties, which have been attached to these minutes.<br />
<br />
<br />
<br />
<br />
2. The facts and the subject of the request<br />
<br />
2.1. Preliminary remarks<br />
<br />
1. For a good understanding of its decision and of all the actors to whom the procedural documents and the files of the parties refer, the Litigation Chamber specifies the following:<br />
<br />
- FAMIFED is the federal agency for family allowances. FAMIFED was to ensure until December 31, 2019 the management of family allowances, including in the Brussels-Capital Region.<br />
<br />
- IRISCARE has, under the 6th state reform, become, in place of FAMIFED, the supervisory authority for family allowance funds for the Brussels-Capital Region. IRISCARE is responsible for setting up and managing the family allowances system of the Brussels-Capital Region.<br />
<br />
- During a period of transition, the two structures coexisted so that the legal mission could be handed over from FAMIFED to the new regional authorities, including, as mentioned, for the Brussels-Capital Region, IRISCARE. In the context of this decision, IRISCARE and FAMIFED are referred to as the "Supervisory Authority".<br />
<br />
- The complainant includes the Crossroads Bank for Social Security (BCSS) among the "stakeholders" revolving around the disputed data processing, indicating that it was the BCSS which, at the time of the facts, developed the TRIVIA application. The TRIVIA application allows family allowance funds to consult the available files of integrated actors, to integrate themselves as actors and create files, and to obtain, through the intervention of the BCSS, access to the various sources of the social security network.<br />
<br />
2. The defendant is the shared service center of group Y. It provides administrative services to the various entities of Group Y. In this regard, it notably monitors the protection of personal data of all family allowance funds in the group. It has a Data Protection Officer (DPO) as well as a "Corporate Compliance Officer"[1] and "Information Security Officer".<br />
<br />
3. Y2, here a voluntary intervening party, aims in particular to pay family allowances to its affiliates who have children.<br />
<br />
4. Mr. X2 is the son of the complainant, affiliated with Y2, which intervened voluntarily in the case (see below points 30 et seq.).<br />
<br />
2.2. The facts at the origin of the dispute<br />
<br />
5. In July 2019, the voluntary intervener consulted the data of the complainant's son in the National Register, in particular the "household composition" data and its history. This consultation took place in order to manage the family allowances file for the complainant's son, one of its affiliates, and to determine the amount of family allowances - including any supplement - that he would be entitled to receive from January 1, 2020. This consultation was done via the TRIVIA application, developed by the BCSS, made available to family allowance funds, including the voluntary intervener, by the supervisory authority. This consultation was made on the basis of the national register number of the affiliate, Mr. X2.<br />
<br />
6. It is this consultation of the history of the household composition of Mr. X2 that is the subject of the complainant's complaint. Indeed, during this consultation, the voluntary intervener had access to the information that the complainant had been part of his son's household at some time in his life. The complainant complains that this consultation of personal data concerning him was not based on any valid basis of legitimacy within the meaning of Article 6 of the GDPR (see title 2.3; point 23 et seq.).<br />
<br />
[1] Deliberation 18/008 of 9 January 2018 on the communication of personal data by the federal Agency for family allowances (Famifed) and various other social security institutions to the Ministry of the German-speaking Community, in the context of the transfer of powers following the sixth state reform - use of the TRIVIA application.<br />
<br />
<br />
7. This search of the history of the composition of the household is called by the supervisory authority "search P028". It is carried out via the TRIVIA application already mentioned. During this search, the history of the household composition of Mr. X2 showed the complainant as having been part of his household in the past, and this as head of household.<br />
<br />
8. On September 24, 2019, the Supervisory Authority received a request for information from the complainant via the contact form on its website. By this request for information, the complainant asked the Supervisory Authority about the consultation of his data on July 9 and 17, 2019.<br />
<br />
9. There followed an exchange of e-mails between the complainant and the Supervisory Authority. The latter informed the complainant of the nature of the P028 search which had led to access to certain data concerning him and invited him, if necessary, to approach the family allowance fund (i.e. the voluntary intervener), in order to inquire further about the reason for the access to his data as they appeared in his son's household composition history.<br />
<br />
10. On 7 October 2019, the complainant sent his request for information concerning his data to the voluntary intervener via the address "[...]".<br />
<br />
11. On 10 October 2019, the defendant, which ensures, as mentioned above in point 2, the follow-up on the protection of personal data of all family allowance funds of the group, acknowledged receipt and responded a first time to the request for information from the complainant.<br />
<br />
12. On October 14, 2019, the defendant replied to the complainant a second time. This answer followed a request from the complainant for an acknowledgment of receipt of his request for information, which acknowledgment of receipt had been sent by the defendant on 10 October 2019 (see point 11 above).<br />
<br />
13. On November 6, 2019, the complainant wrote again to the defendant. On the same day, the defendant replied a third time to the complainant and confirmed having responded promptly, on October 10 and 14, 2019, to his request of October 7, 2019.<br />
<br />
14. On November 7, 2019, the complainant, still addressing the defendant, developed his fears and raised the following question:<br />
<br />
"That one checks his tax flow [read: the tax flow of Mr. X2] does not pose me personally any problem and that seems normal to me since his household is the beneficiary of family allowances. BUT, what are the legal bases that allow you to consult my own private data and tax flow?"<br />
<br />
15. On November 7, 2019, the defendant replied a fourth time to the complainant and confirmed that the tax flow of the complainant had not been examined and that only the identification data of the complainant had appeared while viewing his son's household history.<br />
<br />
16. On 12 November 2019, the complainant confirmed receipt of the registered letter from the defendant by which the latter provided proof of the sending of its emails of 10 and 14 October 2019.<br />
<br />
17. On 20 November 2019, the defendant informed the complainant that a request for clarification had again been made to the Supervisory Authority regarding the consultation of his data. The defendant's DPO returned the same day (i.e. a fifth time) with said clarification from the Supervisory Authority. In the response that the defendant sent to the complainant, the Supervisory Authority confirms that it appeared that there had been access to the complainant's identification data, the latter being mentioned as having been part of the household of his son, and that it was necessary to understand that this consultation was "induced and not voluntary" (in other words, that it was an incidental access via the history of the household composition of the complainant's son).<br />
<br />
18. The same day, after receiving this response (see point 17 above), the complainant gave the defendant formal notice to justify the legal grounds for the consultation of his data.<br />
<br />
19. On November 27, 2019, the defendant returned to the complainant for a sixth time, specifying that the provisions of the General Law on Family Allowances (hereinafter "LGAF") justified the consultation of the history of the household composition of Mr. X2 (the complainant's son) in the National Register (i.e. Articles 51 and 54 LGAF). Literally, it indicated, for the good understanding of the complainant, that the mission of the family allowance funds included verification of entitlement to allowances, including verification of "the history of the family composition for which the funds have the right to query the National Register".<br />
<br />
20. On December 8, 2019, the complainant lodged an application with the DPA in the following terms:<br />
<br />
"I noticed that (Y2 - Brussels) [read: the voluntary intervener] had consulted my personal data without any valid reason in my eyes since I am a pensioner, without dependants for more than 10 years, and I live in Wallonia. After questions to those in charge, I received an answer that does not satisfy me in any way, given that the family composition history of one of my sons' household - which household apparently benefits from family allowances in Wallonia - does not have to lead in an induced and involuntary manner (regardless, because the legal references, unless I am mistaken, do not allude to it) to queries of my private data which are not at all concerned. In my view, this is not a normal procedure but a malfunction (or a pirate query) which I cannot accept."<br />
<br />
<br />
<br />
21. On February 3, 2020, the defendant replied to the SPL's questions in connection with the attempt<br />
<br />
mediation conducted by this service of the ODA. In essence, the defendant responded to the DPA which<br />
<br />
had already been answered to the complainant by the Supervisory Authority, i.e. a P028 search had been<br />
<br />
carried out and that the consultation was non-voluntary but resulted from the consultation<br />
<br />
- necessary in the exercise of its legal missions - consultation of the history of the<br />
<br />
<br />
household composition of the complainant's son.<br />
<br />
<br />
<br />
22. When communicating his conclusions on 9 June 2020, the complainant complained that a new<br />
<br />
consultation of his data, still without a legitimate basis according to him, had taken place on April 21<br />
<br />
2020. Interested on June 3 in this regard, the defendant on June 15, 2020, indicated to the complainant that<br />
<br />
this consultation was part of the management of this case pending before the DPA.<br />
<br />
The Litigation Chamber specifies from the outset that it will also rule on this second<br />
<br />
consultation, the legality of which is called into question by the complainant in terms of its conclusions as soon as<br />
<br />
when it is closely linked to the facts denounced by the complainant under the terms of his form<br />
<br />
complaint.2<br />
<br />
<br />
<br />
2.3. The subject of the complaint<br />
<br />
23. In these same conclusions of 9 June 2020, the complainant specifies the subject of his complaint and states that his son, Mr X2, has not resided with him since 2006. In his view, consultation of the history of the latter's household composition - even where necessary for the granting of allowances - must be limited in time, taking as its starting point either (1) the date from which the person whose "history of household composition" data is consulted is potentially a beneficiary of allowances or of the supplement, or (2) the date of birth of the beneficiary child. Access to the "household composition" history going back to the birth of the person whose history is consulted - as happened in this case - is irrelevant and disproportionate in relation to the purpose pursued (the granting of family allowances).<br />
<br />
[2] See, to that effect, points 18 et seq. of Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
Decision on the merits 54/2021 - 8/23<br />
<br />
According to the complainant, this access constitutes a security flaw that is all the more unacceptable:<br />
<br />
- in that it emanates from public bodies;<br />
<br />
- in that it potentially affects millions of people (beyond himself, his wife and all the people with whom his son has, at some point in his life, lived under the same roof);<br />
<br />
- in that the useful data (i.e. the date or dates opening the right to family benefits, from which consultation of the history of household composition could be relevant) are available in the Family Allowances Cadastre;<br />
<br />
- in that the "P028" search replaced an earlier system which allowed relevant and targeted searches. The complainant quotes in this regard the following passage from the "Specific functional description of message P028" sheet:<br />
<br />
1.2.1.1. P028 Historical consultation of household composition<br />
<br />
Principle<br />
<br />
The P028 message is used to request data relating to the history of the household composition in the National Register on the basis of a national register number. This flow may subsequently be extended with data from the BCSS register.<br />
<br />
This consultation flow combines the old consultation messages P036 and P038 into a single message. Unlike consultation message P036, this flow displays the complete history, whether or not the person sought is the head of household. It is therefore no longer necessary to carry out several consultations for this purpose. (…)<br />
<br />
24. Finally, still in his conclusions of 9 June 2020, the complainant makes a series of requests to the Litigation Chamber, namely (page 11 of his conclusions):<br />
<br />
- to condemn jointly and severally the defendant, the voluntary intervener, the Supervisory Authority, the FPS Interior (National Register), the Crossroads Bank for Social Security (BCSS), and any dishonest perpetrators responsible for the access to and processing of his data, in accordance with Articles 221 to 230 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;<br />
<br />
- to inform the Public Prosecutor (Procureur du Roi) of any breaches noted and to inform the complainant of these steps;<br />
<br />
- to ensure that the necessary corrections are made to remedy the shortcomings denounced, under penalty of a periodic penalty payment;<br />
<br />
- to obtain proof that his tax data were not processed in the context of the consultation denounced;<br />
<br />
- to obtain the necessary explanations regarding the consultations of 9 July 2019 and 21 April 2020 by FAMIFED in the National Register;<br />
<br />
- to obtain the identification and full contact details of all persons who have had access to his personal data and, failing that, to condemn the defendant, the voluntary intervener and the other contributors to periodic penalty payments;<br />
<br />
- to invite those responsible in the broad sense for the unlawful processing, or even the possible dishonest perpetrators, to compensate him for the material and moral damage suffered.<br />
<br />
2.4. Position of the defendant and the voluntary intervener<br />
<br />
25. The defendant and the voluntary intervener request, in their conclusions, that the Litigation Chamber declare the complaint, if admissible, unfounded, the consultation of the household composition of Mr X2, son of the complainant, being in their view perfectly lawful and legitimate. They therefore request that the complaint be dismissed without further action. The defendant and the voluntary intervener add that if, contrary to their expectations, the APD were to consider that in the circumstances of the case access to the history of the household composition is unlawful, this should be attributed to both the National Register and the Supervisory Authority, insofar as they are the ones who determine the data accessible during a P028 search (page 11 of the additional and summary conclusions of the defendant and the voluntary intervener).<br />
<br />
3. The hearing of 19 January 2021<br />
<br />
26. At the hearing of 19 January 2021 - of which minutes were drawn up - the parties restated the arguments they had developed in their respective conclusions.<br />
<br />
27. The following elements were particularly highlighted by the parties:<br />
<br />
- the status of controller of the voluntary intervener;<br />
<br />
- the deliberate choice, according to the complainant, to set up a search that entails the consultation of potentially irrelevant data, and the seriousness of the problem in view of the number of people who may be affected by this structural failure;<br />
<br />
- the absence of any legal bearing of the "induced" and "non-voluntary" nature of the access to irrelevant data on the qualification as processing within the meaning of Article 4.2 of the GDPR;<br />
<br />
- the demonstration by the defendant and the voluntary intervener of the obligation to use the TRIVIA application and of the impossibility for them to modify its parameters so as to consult only the historical data relating to a targeted period of time.<br />
<br />
IN LAW<br />
<br />
As a preliminary<br />
<br />
✓ As to the capacity of the parties<br />
<br />
28. Both in its conclusions and at the hearing (see section 3 above), the voluntary intervener declares itself controller within the meaning of Article 4.7 of the GDPR with regard to the disputed consultation, a consultation which it moreover qualifies as an incident. The defendant is for its part qualified as processor of the voluntary intervener (page 10 of the conclusions and page 11 of the additional and summary conclusions of the defendant and the voluntary intervener).<br />
<br />
29. The Litigation Chamber takes note of this and, in its own analysis of the factual elements submitted to it and having regard to the applicable legal provisions, sees no reason not to recognise these respective capacities of the voluntary intervener and the defendant. With regard more particularly to the voluntary intervener, it does in fact define, on the basis of its own mission, the purposes and means of the data processing it carries out, within the meaning of Article 4.7 of the GDPR, which defines the controller.<br />
<br />
✓ As to the voluntary intervention<br />
<br />
30. The Litigation Chamber takes note of Y2's voluntary intervention in this procedure. This intervention results from the decision of Y2 which, voluntarily and for the purposes of the case, intervened in the proceedings by way of pleadings (see title 1).<br />
<br />
31. The Litigation Chamber specifies that neither the LCA nor the Internal Rules of the APD explicitly provide for a mechanism of (voluntary) intervention by a party that has not been put in the case by the complainant.<br />
<br />
32. Nevertheless, in the exercise of its competences, it is incumbent on the APD, and therefore on the Litigation Chamber in the exercise of the powers devolved to it, to facilitate the exercise of the rights which the GDPR recognises to data subjects, including the right to lodge a complaint (Article 77 of the GDPR, also recognised in Article 8.3 of the Charter of Fundamental Rights as part of the essence of the right to data protection). In this perspective, lodging a complaint should remain an easy process for data subjects whose personal data are processed and who believe that this processing has breached data protection rules.<br />
<br />
33. As it has already had the opportunity to develop in its Decision 17/2020,[3] data protection authorities must therefore play an active role through the missions and powers assigned to them under Articles 57 and 58 of the GDPR.<br />
<br />
34. In the same way that the complainant cannot be expected to identify straight away, in the terms of his complaint, all the legal grievances relevant to the facts denounced,[4] he cannot be expected to identify with certainty the controller concerned. To assert the contrary would seriously jeopardise the complainant's right to lodge a complaint. Indeed, the identification of the controller, even with the support of the definition in Article 4.7 of the GDPR, is a process that can be particularly complex. Admittedly, detailed guidelines on this point have been published several times by the European Data Protection Board (EDPB) and its predecessor, the Article 29 Working Party.[5] Nevertheless, this identification often remains thorny. In the most difficult cases it sometimes even requires recourse to the Inspection Service.<br />
<br />
35. In support of the foregoing considerations, in order to give effect to the right to lodge a complaint and, through it, to contribute to the effective application of the GDPR, the Litigation Chamber therefore naturally accepts this voluntary intervention. It specifies that the adversarial debate has, of course, also taken place with the voluntary intervener. In these circumstances, the Litigation Chamber is in a position to impose sanctions on the voluntary intervener, if necessary.<br />
<br />
✓ As to the competence of the APD and the Litigation Chamber<br />
<br />
36. The Litigation Chamber specifies at the outset, with regard to the measures requested by the complainant (see point 24), that it is in any event not competent to grant any compensation, even where shortcomings are found. Such a power is not among the corrective measures and sanctions which it may adopt pursuant to Article 58.2 of the GDPR and Articles 95 and 100 of the LCA.<br />
<br />
[3] Decision 17/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf. See also Decision 80/2020 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf<br />
<br />
[4] Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
[5] See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, on edpb.europa.eu.<br />
<br />
4. As to the breaches of the GDPR<br />
<br />
37. The Litigation Chamber notes that it emerges from the above statement of facts that the complainant criticises the voluntary intervener for having accessed personal data concerning him and this, in his terms, without a valid legal basis.<br />
<br />
38. The Litigation Chamber notes that the parties do not dispute that, during the consultation of the history of the household composition (National Register) of Mr X2 in July 2019, the voluntary intervener did have access to the information that the complainant had, at one time, been part of his son's household as head of household.<br />
<br />
39. Having access to this information constitutes processing of personal data within the meaning of Article 4.2 of the GDPR,[6] regardless of whether the controller that accessed it - in this case the voluntary intervener - intended to seek this information or whether the access occurred incidentally, fortuitously, during the search for data relating to a separate person, in this case the complainant's son. Whether or not the voluntary intervener intended to process these personal data, and whether or not it then used them to take its decision, has no bearing on the qualification as "processing" within the meaning of Article 4.2 of the GDPR.<br />
<br />
40. The Litigation Chamber recalls that any processing of personal data must rely on one of the legal bases provided for in Article 6 of the GDPR.<br />
<br />
41. Article 3, paragraph 1, 9° of the Law of 8 August 1983 organising a National Register of natural persons (hereinafter the RN Law) provides that, for each person registered in the National Register, the "household composition" data are recorded and kept, as well as the successive modifications made to this information and their effective dates; this constitutes the history (Article 3, paragraph 2 of the RN Law). The Royal Decree of 8 January 2006 determining the types of information associated with the information referred to in Article 3, paragraph 1 of the Law of 8 August 1983 organising a National Register of natural persons specifies in its Article 1, 9° that the "household composition" information is associated with the following data: "household reference person" on the one hand and "household member" on the other.<br />
<br />
[6] See Article 4.2 of the GDPR: "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<br />
<br />
42. Consequently, consultation of the "household composition" data of the complainant's son in the National Register may, de facto, involve taking cognisance of personal data of persons other than the son himself, such as the members of his household. The personal data appearing in the household composition and its history are both personal data relating to the person whose National Register record is consulted AND personal data relating to the persons included in the composition and history of that person's household. There is therefore processing of personal data of third parties (distinct from the person whose "household composition" data are consulted, in this case the complainant's son) where those third parties are or have been part of the household of the person whose "household composition" data are consulted (as is the case here for the complainant). This does not, however, necessarily mean that there is no legal basis for the processing of the personal data of those third parties, such as the complainant in this case.<br />
<br />
43. Provided it is validly invoked, the legal basis for consulting the "household composition" data (and its history) of the data subject (in this case the complainant's son) covers the consultation of the data included under this information, and therefore also of the members of his household, including the complainant. In this case, the legal basis on which the consultation of the history of the household composition of the complainant's son is founded potentially also legitimises the access - even "induced", as described by the defendant and the voluntary intervener - to the data relating to the complainant according to which he was part of his son's household.<br />
<br />
44. The Litigation Chamber recalls that, in addition to the required legal basis (Article 6 of the GDPR), personal data must, in accordance with the principle of data minimisation expressed in Article 5.1.c) of the GDPR, be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
<br />
45. Finally, pursuant to Article 24 of the GDPR, it is the responsibility of the controller to implement appropriate technical and organisational measures to ensure, and be able to demonstrate (as also required by Article 5.2 of the GDPR), that the processing it carries out complies with the GDPR.<br />
<br />
46. It follows from the foregoing that it is for the Litigation Chamber to verify whether the consultation - whose lawfulness is contested by the complainant - by the voluntary intervener, in its capacity as controller, of the "household composition" data of the complainant's son, including the complete history thereof, met in this case the processing conditions imposed by the GDPR.<br />
<br />
4.1. As to the legal basis and respect for the principle of minimisation<br />
<br />
47. The Litigation Chamber notes that the defendant and the voluntary intervener rely on Article 6.1.c) of the GDPR to legitimise the contested data processing. Article 6.1.c) authorises processing that is necessary for compliance with a legal obligation to which the controller is subject.[7]<br />
<br />
48. The Litigation Chamber recalls, as it did in its recent Decisions 37/2021 and 38/2021, that in its Huber judgment the Court of Justice of the European Union (CJEU), with regard to this condition of necessity, specified that it is an autonomous concept of Community law which must be interpreted in a manner that fully meets the objective of Directive 95/46/EC, applicable at the time of that judgment.[8]<br />
<br />
49. In the Opinion he delivered in that case, the Advocate General[9] explains in this regard that "the concept of necessity has a long history in Community law and is well established as part of the proportionality test. It means that the authority which adopts a measure that interferes with a fundamental right in order to achieve a legitimate objective must demonstrate that this measure is the least restrictive one enabling that objective to be achieved. Moreover, where the processing of personal data is liable to infringe the fundamental right to respect for private life, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), which guarantees respect for private and family life, also becomes relevant. As the Court held in Österreichischer Rundfunk and Others, if a national measure is incompatible with Article 8 of the ECHR, that measure cannot satisfy the requirement of Article 7(e) of the Directive. Article 8, paragraph 2, of the ECHR provides that an interference with private life may be justified if it pursues one of the objectives listed there and is 'necessary in a democratic society' for any of those purposes. The European Court of Human Rights has held that the notion of 'necessity' implies that a 'pressing social need' is at issue."<br />
<br />
[7] See Decisions 37/2021 and 38/2021 of the Litigation Chamber, which explain what is meant by necessary for compliance with a legal obligation: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2021.pdf and https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
[8] CJEU, 16 December 2008, Heinz Huber v Bundesrepublik Deutschland, C-524/06, ECLI:EU:C:2008:724, para. 52.<br />
<br />
[9] Opinion of Advocate General Poiares Maduro delivered on 3 April 2008 in the proceedings before the CJEU resulting in the judgment cited in the preceding footnote (C-524/06).<br />
<br />
50. This case-law, formulated admittedly in the light of Article 7(e) of Directive 95/46/EC, applies to all the legal bases which retain this condition of necessity. It remains relevant today even though Directive 95/46 has been repealed, since this condition of necessity is maintained under Article 6.1 b) to f) of the GDPR and therefore in Article 6.1.c), invoked in the present case. Article 6.1 of the GDPR in fact reproduces the terms of Article 7 of Directive 95/46/EC, of which it is the equivalent.[10]<br />
<br />
51. The Article 29 Working Party also referred to the case-law of the European Court of Human Rights (ECtHR) to define the requirement of necessity[11] and concluded that the adjective "necessary" therefore does not have the flexibility of terms such as "admissible", "ordinary", "useful", "reasonable" or "desirable".[12]<br />
<br />
52. More precisely, with regard to the legal basis resting on a legal obligation to which the controller is subject, the European Data Protection Board (EDPB) has set out the conditions under which this legal basis can apply:[13]<br />
<br />
- the obligation must be imposed by law;<br />
<br />
- the legislation must meet all the conditions required to make the obligation valid and binding;<br />
<br />
- the legislation must comply with applicable data protection law, in particular the principles of necessity, proportionality and purpose limitation;<br />
<br />
- the legal obligation itself must be sufficiently clear as to the processing of personal data it requires;<br />
<br />
- and the controller should not have an unjustified margin of discretion as to how to comply with the legal obligation.<br />
<br />
[10] Note that the only differences to be noted are the addition, in Article 6.1.d) of the GDPR, of the vital interest of a natural person other than the data subject, as well as the deletion, in Article 6.1.e) of the GDPR, of the "third party to whom the data are disclosed", the task carried out in the public interest or in the exercise of official authority now having to be that of the controller alone. In addition, a slight difference in wording exists between Article 7.1.f) of Directive 95/46/EC and Article 6.1.f) of the GDPR without modifying the scope of this provision. None of these modifications affects the condition of necessity.<br />
<br />
[11] Article 29 Working Party, Opinion 06/2014 of 9 April 2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217.<br />
<br />
[12] ECtHR, 25 March 1983, Silver and Others v. United Kingdom, para. 97.<br />
<br />
[13] European Data Protection Board (EDPB), Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation (GDPR) (Article 70.1.b)) of 23 January 2019 (point 11): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinionctrq_a_final_fr.pdf<br />
<br />
53. In the present case, the defendant and the voluntary intervener put forward several provisions which, from their point of view, required them to carry out the disputed processing.<br />
<br />
54. The Litigation Chamber notes the following in this regard:<br />
<br />
- The granting of the social supplement in addition to the ordinary allowances is governed by the General Law on Family Allowances (LGAF) of 19 December 1939, in particular Articles 51, 54 and 173quater. Article 173quater explicitly provides that the family allowance organisations and the ministerial services responsible for the execution of this law are required to consult the National Register of natural persons to obtain the information referred to in Article 3, paragraphs 1 and 2, of the Law of 8 August 1983 organising a National Register of natural persons. These data include the household composition and its successive modifications (i.e. the history). Recourse to another source is permitted only insofar as the necessary information cannot be obtained from the National Register.<br />
<br />
- Competence for the granting of family allowances and the social supplement is regionalised, and the complainant's son was registered as residing in the Brussels-Capital Region at the time of the National Register consultation denounced.[14] In this regard, the Litigation Chamber notes that Article 9 of the Ordinance of 25 April 2019 of the Brussels-Capital Region regulating the granting of family benefits[15] specifies that the basic family allowance is increased by a social supplement under certain conditions, in particular when the annual household income does not reach a certain threshold. In other words, the granting of the supplement is conditional on the household's income.<br />
<br />
- Regarding the granting of this social supplement, Article 10 of the same Ordinance provides that "the United College sets the conditions under which the payment of social supplements is carried out provisionally, pending the tax data establishing the annual household income that allow a final decision to be taken". Accordingly, the United College of the Common Community Commission set the conditions for granting the social supplements and certain supplements provided for in the General Law on Family Allowances in a Decree of 24 October 2019.<br />
<br />
[14] The complainant states in this regard that his son has been living in Wallonia since a date well before that of this consultation (i.e. since July 2018). The voluntary intervener and the defendant indicate that this change of domicile had not been notified to them on the date of the P028 consultation and that the voluntary intervener no longer manages the family allowances file of the complainant's son. The Litigation Chamber takes note of this.<br />
<br />
[15] M.B., 8 May 2019. https://bruxelles.famifed.be/sites/default/files/uploads/20190509_ordranteiegezinsbijslag_NLFR.pdf<br />
<br />
- In accordance with the aforementioned Decree of 24 October 2019, the preparatory measures that the family allowance funds were to take from 2019 in order to be able to establish, for each household residing in Brussels, the correct amount of family allowances to which it would be entitled from 1 January 2020, as well as the procedure to be followed for the granting of social supplements from 2020, were laid down in Circular CO PF2 of 5 July 2019 on the procedure for the provisional granting of social supplements in the Brussels-Capital Region from 1 January 2020.<br />
<br />
- The defendant and the voluntary intervener rely on this Circular of 5 July 2019 on the procedure for the provisional granting of social supplements in the Brussels-Capital Region from 1 January 2020, in particular on its Articles 2.2 and 7, to legitimise their consultation of the history of the household composition of the complainant's son.<br />
<br />
- This Circular provides that the establishment of the right to a supplement in the Brussels-Capital Region takes place in two phases, namely:<br />
<br />
Phase 1: A decision on the provisional payment of the supplement is taken in "real time": in other words, it is automatically granted on a provisional basis if the conditions are met. The supplement may also be granted on a provisional basis following a request from the household accompanied by supporting documents relating to the household's current gross income.<br />
<br />
Phase 2: Two years later, the taxable income of all households is verified by means of the tax data flow, and the right to the social supplement is definitively established on the basis of the tax data made available by the authentic source.<br />
<br />
- As for the concept of household retained, the Circular specifies that "this identification is made according to the notion of household as described in Article 2 of the Decree of 24 October 2019". That Decree provides in Article 1 that the following is to be understood by:<br />
<br />
"1° member of the cohabiting household: any person who is neither a relative nor a relative by marriage up to the third degree inclusive, with whom the beneficiary cohabits and forms a de facto household;<br />
<br />
2° household members: the beneficiary and, where applicable, the spouse with whom he cohabits and/or any other member of the cohabiting household".<br />
<br />
55. The Litigation Chamber concludes that, in other words, prior to the granting of the adequate social supplement from 1 January 2020, it was for the family allowance funds (including the voluntary worker) to identify, in application of the various aforementioned texts, from July 2019, the beneficiaries and their income, more particularly that of their household as this concept is defined in article 2 of the decree of 24 October 2019.<br />
<br />
Decision on the merits 54 / 2021-18 / 23<br />
<br />
<br />
56. This verification of the income condition of the household (and therefore of who was part of it) was carried out, in this case, through an identification of the household composition of the complainant's son via the consultation of the National Register. It is also not disputed that the family allowance funds, including the voluntary worker, were duly authorized to consult the National Register.<br />
<br />
<br />
<br />
57. The Litigation Chamber notes that it is not clear from the legal texts invoked which income should be taken into account and hence, depending on the phase in which the consultation took place, what was the date of the household composition to be taken into consideration (current calendar year, or backtracking by 2 years by analogy with the final calculation which will take place two years later, as mentioned by the defendants and the voluntary intervener during the hearing (see Articles 2.1. and 2.2. of the circular of 5 July 2019)?). This precision would have been invaluable; it is also required by the principle of clarity and predictability of the "law", a principle long required by the case law of the European Court of Human Rights [16], as well as the CJEU.<br />
<br />
<br />
<br />
58. The Litigation Chamber considers that, at most, this history of the "household composition" data of the complainant's son could have been consulted by going back to the opening date of the right to allowances / social supplement to these allowances and that, in any event, the consultation of the entire history of the complainant's son without a time limit was disproportionate and not necessary for the voluntary worker to comply with its legal obligation.<br />
<br />
<br />
<br />
59. However, as the complainant denounces, the "P028 search" which was carried out provides for systematically consulting the history of household composition in its entirety, i.e. since the birth of the person whose National Register record is consulted. Access to this history of the complainant's son was therefore disproportionate and the data consulted were not relevant with regard to the objective pursued, namely the determination of the composition of the household at a time T which must be taken into account in the granting of family allowances and the social supplement.<br />
<br />
<br />
<br />
60. Accordingly, the Contentious Chamber concludes that, even if it invokes that the TRIVIA application which it had to use did not allow consultation of a time-limited history (see point 63), the voluntary worker did not carry out the processing necessary for its legal obligation and therefore cannot invoke Article 6.1.c) as a basis of lawfulness. The Litigation Chamber therefore finds a breach of Article 6 of the GDPR on its part, in the absence of any other valid basis of lawfulness and without prejudice to the obligation of the controller to identify one basis of legality [17] and not several depending on the circumstances. The Litigation Chamber also concludes to a breach of Article 5.1.c) of the GDPR, the data of which the intervener became acquainted on the occasion of its illegal consultation (in the absence of a legal basis to legitimize it) therefore also being irrelevant with regard to the aim pursued.<br />
<br />
[16] Court eur. D.H., May 4, 2000, Rotaru v. Romania; CJEU, Joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, ECLI:EU:C:2020:791, para 121.<br />
<br />
<br />
<br />
61. As for the consultation held on April 21, 2020, the Litigation Chamber notes that the defendant and the voluntary intervener rely on their legitimate interest (article 6.1.f) of the GDPR), the consultation being justified according to them by the needs of the present procedure. The Litigation Chamber recalls in this regard that it has, in the past already, considered that the defense in court is a legitimate interest that can validly be invoked by data controllers [18], insofar as the cumulative conditions of necessity of the processing for the realization of the legitimate interest pursued and of proportionality (i.e. that the fundamental rights and freedoms of the persons concerned do not prevail over the interest pursued) are met.<br />
<br />
<br />
<br />
62. Without calling into question the fact that legal defense may indeed constitute a legitimate interest within the meaning of Article 6.1.f) of the GDPR, the Litigation Chamber concludes no less, for the same reasons as those underlying its conclusion regarding the initial consultation (see points 57-60), that this consultation during the proceedings pending before the DPA was also illegal.<br />
<br />
<br />
<br />
<br />
4.2. As for the principle of accountability<br />
<br />
<br />
63. The Litigation Chamber takes note of what the voluntary intervener declares, on the one hand that it is required to use the TRIVIA application and on the other hand that it is impossible for it to target in time its request to consult the history of the "household composition" data in the National Register. The Litigation Chamber is not insensitive to this and refers on this point to the corrective measures that it decides to take, as detailed in points 69 et seq. (title 5).<br />
<br />
<br />
<br />
64. Notwithstanding this last point, the fact remains that, in its capacity as data controller, the voluntary worker could not rely on Article 6.1.c) of the GDPR and, as was concluded in points 60 and 62 above, had no valid basis of lawfulness to access the complainant's data via the consultation of the complete history of the household composition of his son.<br />
<br />
[17] See Decision 38/2021 of the Contentious Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
[18] See Decision 03/2020 of the Contentious Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-03-2020.pdf<br />
<br />
<br />
65. The Contentious Chamber also finds a breach of Articles 24 and 5.2. of the GDPR on the part of the voluntary worker, in that it has not been able to put in place the technical measures intended to implement the GDPR. Here again, the Litigation Chamber is not unaware of the lack of control of the application by the voluntary worker. This circumstance is not, however, such as to eliminate any breach on its part given its capacity as data controller.<br />
<br />
<br />
<br />
66. Indeed, the objective of the principle of accountability, or "principle of responsibility" in its French translation (Article 5.2. of the GDPR), is to make data controllers accountable - whether they are private companies or public authorities or bodies - and to allow data protection supervisory authorities such as the APD to verify the effectiveness of the measures taken in applying it. Risks must be identified by setting up action plans and control procedures, and these organizations must be able to prove without difficulty that they have carried out an identification, an assessment and a framing of the risks in terms of protection of personal data with regard to the processing they carry out. This principle would be broadly undermined, or even emptied of all substance, if it were enough for a data controller to invoke, once faced with a complaint lodged with the supervisory authority, the fact that the computer application used - even if its use is imposed by a third party - does not allow it to comply with the GDPR.<br />
<br />
<br />
<br />
67. In accordance with its obligation of accountability and documentation, the voluntary worker should therefore, at a minimum, have alerted the relevant authorities to the situation in which the constrained use of the TRIVIA application placed it in relation to its obligations arising from the GDPR.<br />
<br />
<br />
<br />
68. The Litigation Chamber is also aware of the care taken by the defendant to respond to the complainant's questions and to make contact with the supervisory authority in order to explain the situation better to the latter. But here again, these circumstances are not such as to allow the Litigation Chamber to conclude that there was no breach. The Litigation Chamber also notes that the intervener has now undertaken to contact the Supervisory Authority.<br />
<br />
<br />
<br />
<br />
5. Regarding corrective measures and sanctions<br />
<br />
<br />
69. Under article 100 LCA, the Litigation Chamber has the power to:<br />
<br />
1° dismiss the complaint;<br />
2° order the dismissal;<br />
3° pronounce a suspension of the pronouncement;<br />
4° propose a transaction;<br />
5° issue warnings or reprimands;<br />
6° order compliance with the requests of the person concerned to exercise their rights;<br />
7° order that the person concerned be informed of the security problem;<br />
8° order the freezing, limitation or temporary or definitive prohibition of processing;<br />
9° order that the processing be brought into conformity;<br />
10° order the rectification, restriction or erasure of the data and the notification thereof to the data recipients;<br />
11° order the withdrawal of accreditation of certification bodies;<br />
12° impose periodic penalty payments; [19]<br />
13° issue administrative fines; [20]<br />
14° order the suspension of transborder data flows to another State or an international organization;<br />
15° send the file to the public prosecutor's office in Brussels, which informs it of the action taken on the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.<br />
<br />
<br />
<br />
70. It is important to contextualize the shortcomings noted by the Litigation Chamber with a view to identifying the most appropriate corrective measures and sanctions.<br />
<br />
<br />
<br />
71. In this context, the Litigation Chamber will take into account all the circumstances of the case and the explanations provided by the parties. In this regard, the Litigation Chamber wishes to specify that it is for it alone, as an independent administrative authority - in compliance with the relevant articles of the GDPR and the LCA - to determine the appropriate corrective measure(s) and sanction(s). [21]<br />
<br />
72. Thus, it is not for the complainant to ask the Litigation Chamber to order such or such corrective measure or sanction. If, notwithstanding the above, the complainant should nevertheless ask the Litigation Chamber to pronounce one or the other measure and/or sanction, it is not up to the latter to justify why it would not retain one or the other request made by the complainant. These considerations leave intact the obligation for the Litigation Chamber to justify the choice of corrective measure(s) and/or sanction(s) which it judges (among the list of measures and sanctions made available to it by articles 58 of the GDPR and 95.1 and 100.1 of the LCA recalled above) appropriate to condemn the party in question. The Contentious Chamber recalls here, as it mentioned in point 36 above, that it is not competent to grant any compensation.<br />
<br />
[19] https://www.autoriteprotectiondonnees.be/publications/politique-en-matiere-d-astreinte.pdf<br />
<br />
[20] The Contentious Chamber does not comment on the advisability of a possible administrative fine against the defendant. Given the latter's "public authority" status within the meaning of Article 5 of the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, read in conjunction with Articles 83.7. of the GDPR and 221 § 2 of the law of July 30, 2018 cited above, the Litigation Chamber is in fact not authorized to impose such a fine on it.<br />
<br />
[21] Litigation Chamber, Decision on the merits 81/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf<br />
<br />
<br />
<br />
73. The Litigation Chamber found a breach of Articles 6 and 5.1.c) as well as of Articles 24 and 5.2. of the GDPR on the part of the voluntary worker (points 60, 62 and 65).<br />
<br />
<br />
<br />
74. In view of these shortcomings, the Litigation Chamber sends the voluntary intervener a reprimand [22] on the basis of Article 100.1, 5° LCA, which constitutes, in view of the facts and breaches noted, the effective, proportionate and dissuasive sanction as required by the applicable article 83 of the GDPR. In this regard, the Litigation Chamber wishes to stress that it is not in a position to issue a warning to the voluntary worker, since this measure cannot be applied when a breach has been found. The warning applies only when the planned processing operations are likely to violate the provisions of the GDPR.<br />
<br />
<br />
<br />
<br />
75. The Litigation Chamber is of the opinion that, beyond the reprimand addressed to the voluntary intervener, it is important that an adequate response be quickly found to the problem raised by the complaint, in order to allow a limited consultation, respectful of the GDPR, of the history of the "household composition" data (as well as the history of other data from the National Register if applicable). The Contentious Chamber refers in this regard to the deliberations of the Sectoral Committee of the National Register (CSRN) of the former Commission for the Protection of Privacy (OPC) under which the NISA grants access to historical data limited over time, in accordance with Article 4 § 1, 3° of the Privacy Law which then set out the principle of proportionality (now the principle of minimization worded in Article 5.1, c) of the GDPR). [23] The Litigation Chamber is also challenged by the document entitled "File - Description of the specific function of the P028 message" (in particular point 1.2.1.1.) highlighted by the complainant, according to which it would have been waived to use an application more respectful of the principle of minimization (see point 23).<br />
<br />
[22] See Article 58.2 b) of the GDPR which provides for sending a reprimand to the controller when "the processing operations have resulted in a violation of the provisions of this Regulation".<br />
<br />
[23] See for example the deliberation of the sectoral committee of the National Register RN No. 20 of March 25, 2009.<br />
<br />
<br />
76. For all these reasons, the Litigation Chamber will draw the attention of the APD Steering Committee to this issue. Where appropriate, the APD bodies could, in accordance with the respective competences assigned to them by the LCA, decide to enter into a dialogue with all of the bodies concerned and/or conduct an in-depth investigation of the issue which arose during the complaint leading to this decision.<br />
<br />
<br />
<br />
77. The Contentious Chamber also decides to send a copy of this decision to the services of the National Registry as well as to Famifed, Iriscare and the Crossroads Bank for Social Security (BCSS) mentioned by the complainant in the terms of his complaint.<br />
<br />
<br />
<br />
<br />
6. Transparency<br />
<br />
<br />
78. In view of the importance of transparency with regard to the decision-making process and decisions of the Litigation Chamber, this decision will be published on the website of the APD by deleting the direct identification data of the parties (namely the defendant, the voluntary worker and the complainant) and of the natural persons mentioned. On the other hand, the Litigation Chamber believes that it has no other possibility, for the proper understanding of this decision, but to mention Famifed, Iriscare, the Banque-Carrefour de la sécurité sociale (BCSS) and the National Registry services.<br />
<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
<br />
THE LITIGATION CHAMBER<br />
<br />
Decided<br />
<br />
<br />
- To issue a reprimand against the voluntary intervener on the basis of article 100.1, 5° LCA.<br />
<br />
<br />
Under Article 108.1 LCA, this decision can be appealed to the Market Court (Brussels Court of Appeal) within 30 days of notification, with the Data Protection Authority as respondent.<br />
<br />
<br />
<br />
<br />
<br />
(Sé) Hielke Hijmans<br />
<br />
President of the Litigation Chamber<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_54/2021&diff=15588APD/GBA (Belgium) - 54/20212021-05-04T18:05:00Z<p>Fra-data67: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=54/2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Autorité de la protection des données<br />
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-54-2021.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=22.04.2021<br />
|Date_Published=<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 24 GDPR<br />
|GDPR_Article_Link_4=Article 24 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The Belgian Data Protection Authority reprimands entity in charge of paying family allowances to its members for failure to comply with Articles 4, 5, 6 and 24 GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In July 2019, an entity (voluntary intervener in the proceedings, hereinafter "the voluntary intervener") in charge of paying family allowances to its affiliates who have children consulted the data of the complainant's son in the National Register, in particular the "household composition" data and its history. This consultation took place in order to manage the family allowance file of the complainant's son, one of its affiliates, and to determine the amount of family allowance that he would be entitled to receive. This consultation was carried out via the TRIVIA application, developed by the BCSS, made available to the family allowance funds. This consultation was done on the basis of the National Register number of the affiliated person, son of the complainant. <br />
<br />
It is this consultation of the history of the composition of the complainant's son's household that is the subject of the complaint. During this consultation, the volunteer intervener was given access to the information that the complainant had been part of her son's household at one time in his life. The complainant complains that this consultation of personal data concerning him had no basis of valid legitimacý within the meaning of Article 6 of the GDPR. <br />
<br />
On 24 September 2019, the Supervisory Authority of the family allowance funds for the Brussels-Capital Region (IRISCARE/FAMIFED) received a request for information from the complainant via the contact form on its website. With this request for information, the complainant asked the Supervisory Authority about the consultation of his data on 9 and 17 July 2019. <br />
<br />
Following several unsuccessful exchanges, and in the absence of a satisfactory response, the dispute was brought before the Belgian Data Protection Authority’s dispute chamber. <br />
<br />
In this case, the defendant is the shared service center of the voluntary intervening entity. In this respect, the defendant was responsible for monitoring the personal data protection of all the family allowance funds in the group. <br />
<br />
When he submitted his conclusions on 9 June 2020, the complainant underlined that a new consultation of his data, still without any legitimate basis according to him, had taken place on 21 April 2020. When questioned in this respect, the defendant answered to the complainant that this consultation was part of the management of the present case pending before the dispute chamber. <br />
=== Dispute ===<br />
Is access to the information that the complainant had been a member of his son's household at one time in his life considered processing of personal data within the meaning of Article 4 GDPR and is it justified on the basis of Article 6 GDPR?<br />
<br />
=== Holding ===<br />
The Belgian data protection authority found a violation of the GDPR, and gave the following reasons for its decision: <br />
<br />
==== The notion of processing of personal data within the meaning of Article 4 GDPR ====<br />
Very briefly, the dispute chamber begins by recalling that the fact of having accessed this information constitutes processing of personal data within the meaning of Article 4(2) GDPR irrespective of whether this processing is lawful within the meaning of the Regulation. <br />
<br />
Furthermore, the dispute chamber holds that in this case the voluntary intervening entity must be considered as a controller, and the defendant as a processor of the voluntary intervener.<br />
<br />
2. XXX<br />
<br />
XXX<br />
<br />
===== Accountability within the meaning of Article 24 GDPR =====<br />
The Belgian data protection authority also concludes that the voluntary intervener failed to comply with Articles 24 and 5.2 of the GDPR when it was not able to put in place the technical measures intended to implement the GDPR. Indeed, the controller cannot therefore raise the argument that the application used - even if its use is imposed by a third party - does not allow it to comply with the GDPR. <br />
<br />
Consequently, in application of its obligation of accountability and documentation, the voluntary intervener should at least have alerted the relevant authorities to the situation in which the forced use of the TRIVIA application placed it in relation to its obligations under the GDPR. <br />
<br />
===== Sanctions =====<br />
In view of these failings, the dispute chamber reprimanded the voluntary intervener and ordered the publication of the decision on the Belgian data protection authority's website with the deletion of the parties' direct identification data. <br />
<br />
In addition, the dispute chamber stresses that it is important that an appropriate response be found quickly to the problem raised by the complaint, in order to allow limited consultation, in compliance with the GDPR, of the history of the "household composition" data (as well as the history of other data in the National Register, if applicable).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Decision on the merits 54 / 2021-1 / 23<br />
<br />
<br />
<br />
<br />
<br />
<br />
Litigation Chamber<br />
<br />
<br />
<br />
<br />
Decision on the merits 54/2021 of 22 April 2021<br />
<br />
<br />
<br />
<br />
<br />
File No .: DOS-2019-06237<br />
<br />
<br />
<br />
Subject: Complaint relating to an illicit consultation of the National Register in the context of the allocation of family allowances<br />
<br />
<br />
<br />
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition;<br />
<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;<br />
<br />
<br />
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);<br />
<br />
<br />
Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
<br />
Having regard to the documents in the file;<br />
<br />
<br />
<br />
<br />
Took the following decision regarding:<br />
<br />
<br />
<br />
<br />
The complainant: Mr X1, (hereinafter "the complainant");<br />
<br />
<br />
<br />
The defendant: Y1, (hereinafter “the defendant”);<br />
<br />
<br />
In the presence of: Y2 ASBL, (hereinafter "the voluntary worker");<br />
<br />
<br />
<br />
<br />
<br />
Both advised by Maître Paul Van den Bulck and Maître Andrine Like, lawyers at the Bar of Brussels, whose office is established at Rue des Colonies 56 box 3 in 1000 Brussels.<br />
<br />
<br />
<br />
<br />
<br />
1. Feedback from the procedure<br />
<br />
<br />
In view of the mediation request filed on December 8, 2019 by the complainant with the Data Protection Authority (DPA);<br />
<br />
<br />
<br />
Given the failure of the mediation attempt communicated to the complainant on February 20, 2020 by the First Line Service (SPL) of the APD;<br />
<br />
<br />
<br />
Considering the agreement given by the complainant on February 20, 2020 for his request to be transformed into a complaint in application of Article 62.2. LCA;<br />
<br />
<br />
<br />
Considering the decision of March 9, 2020 of the SPL declaring the complaint admissible and transmitting it to the Litigation Chamber;<br />
<br />
<br />
<br />
Having regard to the letter of April 8, 2020 from the Litigation Chamber informing the parties of its decision to consider the case ready for treatment on the merits on the basis of Article 98 LCA and providing them with a timetable for the exchange of conclusions. In this letter, the Litigation Chamber in particular specified the following to the parties:<br />
<br />
Without prejudice to any arguments you may wish to develop, you will ensure that you enlighten the Litigation Chamber on the data processing involved, on the role of the various possible stakeholders and their capacity with regard to the data protection regulations, as well as on the precise legal basis of the disputed consultation of the complainant's data. You will also ensure that you explain the measures put in place to guarantee access only to data justified by the processing of files and the traceability of such access. You will also inform the Litigation Chamber of what is concretely understood by the terms "induced and involuntary consultation" used in the attachments to the complaint, in the light of the specific facts.<br />
<br />
<br />
Having regard to the main conclusions filed on May 22, 2020 by the defendant as well as by Y2 (the voluntary intervenor) who intervenes voluntarily in the cause by this means (see below, point 30 and following);<br />
<br />
Having regard to the arguments of the complainant of June 9, 2020;<br />
<br />
<br />
<br />
<br />
<br />
<br />
Having regard to the additional and summary conclusions of the defendant and the voluntary intervener of 3 July 2020;<br />
<br />
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on December 10, 2020;<br />
<br />
Having regard to the hearing during the session of the Litigation Chamber of January 19, 2021 in the presence of the complainant and Mr. A. Like, representing both the Respondent and the Volunteer Intervenor;<br />
<br />
Having regard to the letter sent by counsel for the defendant and the voluntary worker on January 26, 2021;<br />
<br />
Having regard to the minutes of the hearing and the observations made thereon by the parties, which have been attached to these minutes.<br />
<br />
<br />
<br />
<br />
2. The facts and the subject of the request<br />
<br />
<br />
2.1. Preliminary remarks<br />
<br />
<br />
<br />
1. For a good understanding of its decision and of all the actors to whom the procedural documents and the files of the parties refer, the Litigation Chamber specifies the following:<br />
<br />
<br />
<br />
<br />
- FAMIFED is the federal agency for family allowances. FAMIFED was to ensure until December 31, 2019 the management of family allowances, including in the Brussels-Capital Region.<br />
<br />
- IRISCARE has, under the 6th state reform, become, in place of FAMIFED, the supervisory authority for family allowance funds for the Brussels-Capital Region. IRISCARE is responsible for setting up and managing the family allowances system of the Brussels-Capital Region.<br />
<br />
- During a period of transition, the two structures coexisted so that the relay of the legal mission could switch from FAMIFED to the new regional authorities, including, as mentioned, for the Brussels-Capital Region, IRISCARE. In the context of this decision, IRISCARE and FAMIFED are referred to as the "Supervisory Authority".<br />
<br />
- The complainant includes the Crossroads Bank for Social Security (BCSS) among the "stakeholders" revolving around the disputed data processing, indicating that it was the BCSS which, at the time of the facts, developed the TRIVIA application. The TRIVIA application allows family allowance funds to consult the available files of integrated actors, to integrate themselves as actors and create files, and to obtain, through the intervention of the BCSS, access to the various sources of the social security network.<br />
<br />
<br />
<br />
2. The defendant is the shared service center of group Y. It provides administrative services to the various entities of Group Y. In this regard, it notably monitors the protection of personal data of all family allowance funds in the group. It has a Data Protection Officer (DPO) as well as a "Corporate Compliance Officer" and an "Information Security Officer".[1]<br />
<br />
3. Y2, here a voluntary intervening party, aims in particular to pay family allowances to its affiliates who have children.<br />
<br />
4. Mr. X2 is the son of the complainant, affiliated with Y2, which has voluntarily intervened in the case (see below, points 30 et seq.).<br />
<br />
<br />
<br />
2.2. The facts at the origin of the dispute<br />
<br />
<br />
<br />
5. In July 2019, the voluntary intervener consulted the data of the complainant's son in the National Register, in particular the "household composition" data and its history. This consultation took place in order to manage the family allowances file of the complainant's son, one of its affiliates, and to determine the amount of family allowances - including any supplement - that he would be entitled to receive from January 1, 2020. This consultation was done via the TRIVIA application, developed by the BCSS and made available to family allowance funds, including the voluntary intervener, by the Supervisory Authority. This consultation was made on the basis of the National Register number of the affiliate, Mr. X2.<br />
<br />
6. It is this consultation of the history of the household composition of Mr. X2 that is the subject of the complainant's complaint. Indeed, during this consultation, the voluntary intervener had access to the information that the complainant had been part of his son's household at some point in his life. The complainant complains that this consultation of personal data concerning him was not based on any valid basis of lawfulness within the meaning of Article 6 of the GDPR (see title 2.3; point 23 et seq.).<br />
<br />
<br />
<br />
<br />
<br />
[1] Deliberation 18/008 of 9 January 2018 on the communication of personal data by the Federal Agency for Family Allowances (Famifed) and various other social security institutions to the Ministry of the German-speaking Community, in the context of the transfer of powers following the sixth state reform - use of the TRIVIA application.<br />
<br />
<br />
7. This search of the history of the household composition is called "search P028" by the Supervisory Authority. It is carried out via the TRIVIA application already mentioned. During this search, the history of the household composition of Mr. X2 showed the complainant as having been part of his household in the past, and this as head of household.<br />
<br />
<br />
<br />
8. On September 24, 2019, the Supervisory Authority received a request for information from the complainant via the contact form on its website. By this request for information, the complainant asked the Supervisory Authority about the consultation of his data on July 9 and 17, 2019.<br />
<br />
<br />
<br />
9. There followed an exchange of e-mails between the complainant and the Supervisory Authority. The latter informed the complainant of the nature of the P028 search which had led to access to certain data concerning him and invited him, if necessary, to approach the family allowance fund (i.e. the voluntary intervener) in order to inquire further about the reason for the access to his data as they appeared in his son's household composition history.<br />
<br />
<br />
<br />
10. On 7 October 2019, the complainant sent his request for information regarding his data to the voluntary intervener via the address "[...]".<br />
<br />
<br />
<br />
11. On 10 October 2019, the defendant, which, as mentioned above in point 2, ensures the follow-up on the protection of personal data of all family allowance funds of the group, acknowledged receipt and responded a first time to the complainant's request for information.<br />
<br />
<br />
<br />
12. On October 14, 2019, the defendant replied to the complainant a second time. This answer followed a request from the complainant for an acknowledgment of receipt of his request for information, which acknowledgment of receipt had already been sent by the defendant on 10 October 2019 (see point 11 above).<br />
<br />
<br />
<br />
13. On November 6, 2019, the complainant wrote again to the defendant. On the same day, the defendant replied a third time to the complainant and confirmed having responded promptly, on October 10 and 14, 2019, to his request of October 7, 2019.<br />
<br />
<br />
<br />
14. On November 7, 2019, the complainant, still addressing the defendant, developed his fears and raised the following question:<br />
<br />
"That one checks his tax flow [read: the tax flow of Mr. X2] does not pose me personally any problem and that seems normal to me since his household is a beneficiary of family allowances. BUT, what are the legal bases that allow you to consult my own private data and tax flow?"<br />
<br />
<br />
<br />
15. On November 7, 2019, the defendant replied a fourth time to the complainant and confirmed that the complainant's tax flow had not been examined and that only the complainant's identification data had appeared while viewing his son's household history.<br />
<br />
<br />
<br />
16. On 12 November 2019, the complainant confirmed receipt of the registered letter from the defendant by which the latter provided proof of the sending of its emails of 10 and 14 October 2019.<br />
<br />
<br />
<br />
17. On 20 November 2019, the defendant informed the complainant that a request for clarification had been made to the Supervisory Authority regarding the consultation of his data. The defendant's DPO returned the same day (i.e. a fifth time) with the said clarification from the Supervisory Authority. In the response that the defendant sent to the complainant, the Supervisory Authority confirms that it appeared that there had been access to the complainant's identification data, the latter being mentioned as having been part of his son's household, and that it was to be understood that this consultation was "induced and not voluntary" (in other words, that it was incidental access via the history of the household composition of the complainant's son).<br />
<br />
<br />
<br />
18. The same day, after receiving this response (see point 17 above), the complainant gave the defendant formal notice to justify the legal grounds for the consultation of his data.<br />
<br />
<br />
<br />
19. On November 27, 2019, the defendant returned to the complainant for a sixth time, specifying that the provisions of the General Law on Family Allowances (hereinafter "LGAF") justified the consultation of the history of the household composition of Mr. X2 (the complainant's son) in the National Register (i.e. Articles 51 and 54 LGAF). Literally, it indicated, for the complainant's good understanding, that the mission of the family allowance funds included verification of entitlement to allowances, including verification of "the history of the family composition for which the funds have the right to query the National Register".<br />
<br />
<br />
<br />
20. On December 8, 2019, the complainant lodged a complaint with the APD in the following terms:<br />
<br />
"I noticed that (Y2 - Brussels) [read: the voluntary intervener] had consulted my personal data without any valid reason in my eyes, since I am a pensioner, with no one dependent on me for more than 10 years, and I live in Wallonia.<br />
<br />
After questions to those in charge, I received an answer that does not satisfy me in any way, given that the family composition history of the household of one of my sons - which household apparently benefits from family allowances in Wallonia - does not have to lead, in an induced and involuntary manner (regardless, because the legal references, unless I am mistaken, do not allude to it), to queries of my private data which are not at all concerned.<br />
<br />
In my view, this is not a normal procedure but a malfunction (or a pirate query) which I cannot accept."<br />
<br />
<br />
<br />
21. On February 3, 2020, the defendant replied to the questions of the Front Line Service (SPL) in connection with the mediation attempt conducted by this service of the APD. In essence, the defendant gave the APD the answer that had already been given to the complainant by the Supervisory Authority, i.e. that a P028 search had been carried out and that the consultation was not voluntary but resulted from the consultation - necessary in the exercise of its legal missions - of the history of the household composition of the complainant's son.<br />
<br />
<br />
<br />
22. When communicating his conclusions on 9 June 2020, the complainant complained that a new consultation of his data, still without a legitimate basis according to him, had taken place on April 21, 2020. Questioned on June 3 in this regard, the defendant indicated to the complainant on June 15, 2020 that this consultation was part of the management of this case pending before the APD. The Litigation Chamber specifies from the outset that it will also rule on this second consultation, the legality of which is called into question by the complainant in his conclusions, since it is closely linked to the facts denounced by the complainant in his complaint form.[2]<br />
<br />
<br />
<br />
2.3. The subject of the complaint<br />
<br />
<br />
<br />
23. In these same conclusions of June 9, 2020, the complainant specifies the subject of his complaint and states that his son, Mr. X2, has not resided with him since 2006. Consultation of the history of the household composition of the latter - even if necessary for the granting of allowances - must, according to him, be subject to a time limit taking into account (1) either the day on which the person whose "history of household composition" data is consulted is potentially a beneficiary of allowances / supplement, (2) or the day of the birth of the beneficiary child. Access to the history of "household composition" since the birth of the one whose history is consulted - as happened in this case - is irrelevant and disproportionate in relation to the purpose pursued (the granting of family allowances).<br />
<br />
<br />
<br />
<br />
<br />
[2] See, in this sense, points 18 et seq. of Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
<br />
According to the complainant, this access constitutes a security breach that is all the more unacceptable:<br />
<br />
- in that it emanates from public bodies;<br />
<br />
- in that it potentially affects millions of people (beyond himself, his wife and all the people with whom his son has, at some point in his life, lived under the same roof);<br />
<br />
- in that the useful data (i.e. the date(s) opening the right to family benefits and from which the consultation of the history of household composition could be relevant) is/are available in the Family Allowances Cadastre;<br />
<br />
- in that the "P028" search system replaced an earlier system which allowed relevant and targeted searches. The complainant quotes in this regard the following passage from the "Specific functional description of message P028" sheet:<br />
<br />
1.2.1.1. P028 Historical consultation of household composition<br />
<br />
Principle<br />
<br />
The P028 message is used to request data relating to the history of the household composition in the National Register on the basis of a national register number. This flow can subsequently be extended with data from the BCSS register.<br />
<br />
This consultation flow combines the old consultation messages P036 and P038 in a single message. Unlike consultation message P036, this flow displays the complete history, whether or not the person sought is the head of the household. It is therefore no longer necessary to carry out several consultations for this purpose. (…)<br />
<br />
<br />
<br />
24. Finally, still in his conclusions of 9 June 2020, the complainant makes a series of requests to the Litigation Chamber, namely (page 11 of his conclusions):<br />
<br />
- to jointly and indivisibly condemn the defendant, the voluntary intervener, the Supervisory Authority, the FPS Interior (National Register), the Crossroads Bank for Social Security (BCSS), or even any dishonest perpetrators responsible for the access to and processing of his data, in accordance with articles 221 to 230 of the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data;<br />
<br />
- to inform the King's Prosecutor of any breaches noted and to inform the complainant of these steps;<br />
<br />
- to ensure that the necessary corrections have been made to remedy the shortcomings denounced, under penalty of a periodic penalty payment;<br />
<br />
- to obtain proof that his tax data has not been processed within the framework of the consultation denounced;<br />
<br />
- to obtain the necessary explanations regarding the consultations of July 9, 2019 and April 21, 2020 by FAMIFED in the National Register;<br />
<br />
- to obtain the identification and full contact details of all persons who have had access to his personal data and, failing that, to condemn the defendant, the voluntary intervener and other contributors to periodic penalty payments;<br />
<br />
- to invite those responsible in the broad sense for the illegal processing, or even the possible dishonest perpetrators, to compensate him for the material and moral damage suffered.<br />
<br />
<br />
<br />
2.4. Position of the defendant and the voluntary intervener<br />
<br />
<br />
<br />
25. The defendant and the voluntary intervener request, in support of their conclusions, that the Litigation Chamber declare the complainant's complaint, if admissible, unfounded, the consultation of the household composition of Mr. X2, son of the complainant, being from their point of view perfectly legal and legitimate. They therefore request that the complainant's complaint be dismissed without follow-up. The defendant and the voluntary intervener add that if, against all odds, the APD were to consider that in the circumstances of the case access to the history of the household composition is illegal, this should be attributed to both the National Register and the Supervisory Authority insofar as they are the ones who determine the data accessible during a P028 search (page 11 of the additional and summary conclusions of the defendant and the voluntary intervener).<br />
<br />
<br />
<br />
3. The hearing of January 19, 2021<br />
<br />
<br />
<br />
26. During the hearing on January 19, 2021 - of which minutes were drawn up - the parties restated the arguments they had developed in their respective conclusions.<br />
<br />
27. The following elements were particularly highlighted by the parties:<br />
<br />
- the status of the voluntary intervener as data controller;<br />
<br />
- the deliberate choice, according to the complainant, to set up a search which leads to the consultation of potentially irrelevant data, and the seriousness of the problem with regard to the number of people who may be affected by this structural failure;<br />
<br />
- the absence of any legal impact of the "induced" and "non-voluntary" nature of the access to irrelevant data on the qualification as processing within the meaning of Article 4.2. of the GDPR;<br />
<br />
- the demonstration by the defendant and the voluntary intervener of the obligation to use the TRIVIA application and the impossibility for them to modify the parameters so as to consult only the historical data relating to a targeted period of time.<br />
<br />
<br />
<br />
IN LAW<br />
<br />
As a preliminary point<br />
<br />
✓ As to the capacity of the parties<br />
<br />
<br />
28. Both in its conclusions and at the hearing (see section 3 above), the voluntary intervener declares itself controller within the meaning of Article 4.7. of the GDPR with regard to the disputed consultation, a consultation which it furthermore qualifies as incidental. The defendant, for its part, is qualified as a processor of the voluntary intervener (page 10 of the conclusions and page 11 of the additional and summary conclusions of the defendant and the voluntary intervener).<br />
<br />
29. The Litigation Chamber takes note of this and does not see, in the context of its own analysis with regard to the factual elements submitted to it and having regard to the applicable legal elements, any reason for not recognizing these respective capacities of the voluntary intervener and the defendant. With regard to the voluntary intervener more particularly, it in fact defines, within the framework of its own mission, the purposes and means of the data processing it carries out, within the meaning of Article 4.7 of the GDPR, which defines the controller.<br />
<br />
<br />
<br />
✓ As for voluntary intervention<br />
<br />
<br />
30. The Litigation Chamber takes note of Y2's voluntary intervention in this procedure. This intervention is the result of the decision of Y2 which, voluntarily and for the needs of the case, intervened in the proceedings by way of pleadings (see title 1).<br />
<br />
31. The Litigation Chamber specifies that neither the LCA nor the Internal Rules of the APD explicitly provide for the mechanism of (voluntary) intervention by a party that has not been put in issue by the complainant.<br />
<br />
<br />
<br />
32. Nevertheless, in the exercise of its competences, it is incumbent on the APD, and therefore on the Litigation Chamber in the exercise of the powers devolved to it, to facilitate the exercise of the rights recognized to data subjects by the GDPR, including the right to lodge a complaint (Article 77 of the GDPR - also recognized in Article 8.3. of the Charter of Fundamental Rights as part of the essence of the right to data protection). In this perspective, filing a complaint should remain an easy process for data subjects whose personal data are processed and who believe that the processing breaches data protection rules.<br />
<br />
<br />
<br />
33. As it has already had the opportunity to develop in its Decision 17/2020,[3] data protection authorities must therefore play an active role through the missions and powers assigned to them under Articles 57 and 58 of the GDPR.<br />
<br />
34. In the same way that the complainant cannot be expected to identify straight away, from the terms of his complaint, all the legal grievances relevant to the facts denounced,[4] neither can he be expected to identify with certainty the controller concerned. To assert the contrary would be to seriously jeopardize the complainant's right to lodge a complaint. Indeed, the identification of the controller, even with the support of the definition provided for in Article 4.7. GDPR, is a process that can be particularly complex. Certainly, detailed guidelines on this subject have already been published several times by the European Data Protection Board (EDPB) and its predecessor, the Article 29 Working Party.[5] Nevertheless, it is clear that this identification often remains thorny. It sometimes even requires recourse to the Inspection Service in the most difficult cases.<br />
<br />
<br />
<br />
<br />
35. In support of the foregoing considerations, in order to give effective effect to the right to lodge a complaint and, through it, to contribute to the effective application of the GDPR, the Litigation Chamber therefore naturally accepts this voluntary intervention. It specifies that, of course, the adversarial debate has also taken place with the latter. In these circumstances, the Litigation Chamber is able to impose sanctions on the voluntary intervener, if necessary.<br />
<br />
<br />
<br />
✓ As to the competence of the APD and the Litigation Chamber<br />
<br />
<br />
36. The Litigation Chamber specifies here at the outset, with regard to the measures requested by the complainant (see point 24), that it is in any case not competent to grant any compensation, even in the event of shortcomings noted. Indeed, this competence is not listed among the corrective measures and sanctions that it may decide on in application of Articles 58.2. of the GDPR and 95 and 100 LCA.<br />
<br />
[3] Decision 17/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf See also Decision 80/2020 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf<br />
<br />
[4] Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
[5] See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, on edpb.europa.eu.<br />
<br />
<br />
<br />
<br />
4. As for breaches of the GDPR<br />
<br />
<br />
<br />
37. The Litigation Chamber notes that it emerges from the above statement of facts that the complainant criticizes the voluntary intervener for having accessed personal data concerning him, and this, in his terms, without a valid legal basis.<br />
<br />
<br />
<br />
38. The Litigation Chamber notes that the parties do not dispute that during the consultation of the history of the household composition (National Register) of Mr. X2 in July 2019, the voluntary intervener did have access to the information that the complainant had, at one time, been part of his son's household as head of household.<br />
<br />
<br />
<br />
39. Having access to this information constitutes processing of personal data within the meaning of Article 4.2 of the GDPR,[6] regardless of whether the controller that accessed it - in this case the voluntary intervener - intended to seek this information or whether the access occurred incidentally, fortuitously, during the search for data relating to a separate person, in this case the complainant's son. Whether or not the voluntary intervener intended to process this personal data, and whether or not it then used it to make its decision, are all irrelevant to the qualification as "processing" within the meaning of Article 4.2. of the GDPR.<br />
<br />
40. The Litigation Chamber recalls that any processing of personal data must rely on one of the bases of lawfulness provided for in Article 6 of the GDPR.<br />
<br />
<br />
<br />
41. Article 3, paragraph 1, 9° of the Law of 8 August 1983 organizing a National Register of Natural Persons (hereinafter the RN Law) provides that for each person registered in the National Register, the "household composition" data is recorded and kept, as well as the successive modifications made to this information and their effective date; this is the history (Article 3, paragraph 2 of the RN Law). The Royal Decree of January 8, 2006 determining the types of information associated with the information referred to in Article 3, paragraph 1, of the Law of August 8, 1983 organizing a National Register of Natural Persons specifies in its Article 1, 9° that the information "household composition" is associated with the following data: "household reference person" on the one hand and "household member" on the other.<br />
<br />
[6] See Article 4.2 of the GDPR: "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<br />
<br />
<br />
<br />
42. Consequently, consultation of the "household composition" data from the National Register of the complainant's son may, de facto, involve taking cognizance of personal data of people other than the son himself, such as members of his household. Personal data that appear in the household composition and its history are both personal data relating to the person whose National Register entry is consulted AND personal data relating to the persons who are included in the composition and history of his household. There will therefore be processing of personal data of third parties (separate from the one for which the "household composition" data is consulted, in this case the complainant's son) when they are or have been part of the household of the person for whom the "household composition" data is consulted (as here the complainant). The result, however, is not necessarily an absence of a basis of lawfulness for the processing of the personal data of these third parties, such as the complainant in this case.<br />
<br />
<br />
<br />
43. Provided it is validly invoked, the legal basis for consulting the "household composition" data (and its history) of the data subject (in this case the complainant's son) covers the consultation of the data included under this information, including therefore the members of his household, including the complainant. In this case, the basis of lawfulness in support of which the consultation of the history of the household composition of the complainant's son is legitimate potentially also covers the access - even induced, as described by the defendant and the voluntary intervener - to the data relating to the complainant according to which he was part of his son's household.<br />
<br />
<br />
<br />
44. The Litigation Chamber recalls that in addition to the required legal basis (Article 6 of the GDPR), personal data must, in accordance with the principle of minimization expressed in Article 5.1.c) of the GDPR, be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
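The time-bounded consultation that the complainant proposes at point 23, set against the complete-history behaviour he quotes for the P028 message, as an added illustration of the minimization principle recalled here (example code written for this summary, not the decision's text nor the BCSS/TRIVIA software; the record layout, identifiers and dates are constructed):<br />

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class HouseholdEntry:
    """One line of a household-composition history (constructed layout, loosely
    following the 'reference person' / 'member' distinction of the Royal Decree
    of 8 January 2006, Article 1, 9)."""
    member_id: str         # placeholder for a National Register number
    role: str              # "reference person" or "member"
    start: date            # effective date of the entry
    end: Optional[date]    # None while the person is still in the household


# Constructed history for the subject "SON": the complainant was reference
# person of the subject's household until 2006; the subject then set up his own
# household, which a child joined in 2018. Nothing here is taken from the case file.
SUBJECT = "SON"
SAMPLE_HISTORY: List[HouseholdEntry] = [
    HouseholdEntry("COMPLAINANT", "reference person", date(1990, 1, 1), date(2006, 6, 30)),
    HouseholdEntry("SON", "member", date(1990, 1, 1), date(2006, 6, 30)),
    HouseholdEntry("SON", "reference person", date(2006, 7, 1), None),
    HouseholdEntry("CHILD", "member", date(2018, 3, 1), None),
]

# Option (2) of point 23: the window opens on the birth of the beneficiary
# child (constructed date).
WINDOW_FROM_CHILD_BIRTH = date(2018, 3, 1)


def full_history(history: List[HouseholdEntry]) -> List[HouseholdEntry]:
    """Behaviour the complainant quotes for the P028 message: the complete
    history is returned, whatever period the fund actually needs."""
    return list(history)


def time_limited_history(history: List[HouseholdEntry], window_start: date,
                         window_end: Optional[date] = None) -> List[HouseholdEntry]:
    """Keep only entries whose membership period overlaps [window_start, window_end].
    window_end=None means the window runs up to the present."""
    kept = []
    for entry in history:
        starts_in_time = window_end is None or entry.start <= window_end
        ends_in_time = entry.end is None or entry.end >= window_start
        if starts_in_time and ends_in_time:
            kept.append(entry)
    return kept


def third_parties_exposed(entries: List[HouseholdEntry], subject: str) -> List[str]:
    """Identifiers of persons other than the subject whose data the consultation reveals."""
    return sorted({e.member_id for e in entries if e.member_id != subject})


if __name__ == "__main__":
    complete = full_history(SAMPLE_HISTORY)
    limited = time_limited_history(SAMPLE_HISTORY, WINDOW_FROM_CHILD_BIRTH)
    print("complete history exposes:", third_parties_exposed(complete, SUBJECT))
    print("time-limited history exposes:", third_parties_exposed(limited, SUBJECT))
```

With the constructed data, the complete history reveals the complainant's identifier while the time-limited one reveals only the beneficiary child's, which is the difference the complainant's minimization argument turns on.<br />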
<br />
<br />
<br />
45. Finally, pursuant to Article 24 of the GDPR, it is the responsibility of the controller to implement the appropriate technical and organizational measures to ensure, and be able to demonstrate (as required by Article 5.2. of the GDPR), that the processing it carries out complies with the GDPR.<br />
<br />
<br />
<br />
46. It follows from the foregoing that it is for the Litigation Chamber to verify whether the consultation (whose legality is contested by the complainant) - by the voluntary intervener in its capacity as controller - of the "household composition" data of the complainant's son, including the complete history thereof, met in this case the conditions of processing imposed by the GDPR.<br />
<br />
<br />
<br />
4.1. As to the basis of legality and respect for the principle of minimization<br />
<br />
<br />
<br />
<br />
47. The Litigation Chamber notes that the defendant and the voluntary intervener rely on Article 6.1.c) of the GDPR to legitimize the contested data processing. Article 6.1.c) authorizes processing that is necessary for compliance with a legal obligation to which the controller is subject.[7]<br />
<br />
48. The Litigation Chamber recalls, as it did in its recent decisions 37/2021 and 38/2021, that in its Huber judgment the Court of Justice of the European Union (CJEU), with regard to this condition of necessity, specified that it is an autonomous concept of Community law which must be interpreted in a manner that fully meets the objective of Directive 95/46/EC, applicable at the time of that judgment.[8]<br />
<br />
49. In the Opinion he delivered in that case, the Advocate General explains in this regard that "the concept of necessity has a long history in Community law and is established as part of the proportionality test. It means that the authority which adopts a measure which interferes with a fundamental right in order to achieve a justified objective must demonstrate that this measure is the least restrictive means of achieving that objective. Moreover, where the processing of personal data is likely to infringe the fundamental right to respect for private life, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), which guarantees respect for private and family life, also becomes relevant. As the Court stated in Österreichischer Rundfunk and Others, if a national measure is incompatible with Article 8 of the ECHR, that measure cannot meet the requirement of Article 7(e) of the Directive. Article 8(2) of the ECHR provides that an interference with privacy may be justified if it pursues one of the objectives listed therein and is "necessary in a democratic society" for any of those purposes. The European Court of Human Rights has held that the notion of "necessity" implies that a "pressing social need" is involved."[9]<br />
<br />
[7] See decisions 37/2021 and 38/2021 of the Litigation Chamber, which explain what is meant by "necessary for compliance with a legal obligation": https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2021.pdf and https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
[8] CJEU, 16 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, ECLI:EU:C:2008:724, para. 52.<br />
<br />
[9] Opinion of Advocate General Poiares Maduro delivered on 3 April 2008 in the proceedings before the CJEU resulting in the judgment cited in footnote 15 above (C-524/06).<br />
<br />
<br />
<br />
50. This case law, formulated admittedly in the light of Article 7(e) of Directive 95/46/EC, applies to all the bases of lawfulness which retain this condition of necessity. It remains relevant today even though Directive 95/46 has been repealed, since this condition of necessity is maintained in Article 6.1 b) to f) of the GDPR, and therefore in Article 6.1.c) invoked in the present case. Article 6.1 of the GDPR in fact reproduces the terms of Article 7 of Directive 95/46/EC, of which it is the equivalent.[10]<br />
<br />
51. The Article 29 Working Party also referred to the case law of the European Court of Human Rights (ECtHR) to define the requirement of necessity[11] and concluded that the adjective "necessary" therefore does not have the flexibility of terms such as "admissible", "normal", "useful", "reasonable" or "expedient".[12]<br />
<br />
52. More specifically with regard to the basis of lawfulness resting on a legal obligation to which the controller is allegedly subject, the European Data Protection Board (EDPB)[13] has set out the conditions under which this basis of lawfulness can be applied:<br />
<br />
- the obligation must be imposed by law;<br />
<br />
- the legislation must meet all the conditions required to make the obligation valid and binding;<br />
<br />
- the legislation must comply with the applicable data protection law, in particular the principles of necessity, proportionality and purpose limitation;<br />
<br />
- the legal obligation itself must be sufficiently clear as to the processing of personal data it requires;<br />
<br />
- and the controller must not have an unjustified margin of discretion as to how to comply with the legal obligation.<br />
<br />
[10] Note that the only differences to be noted are the addition, in Article 6.1.d) of the GDPR, of the vital interests of a natural person other than the data subject, and the deletion, in Article 6.1.e) of the GDPR, of the "third party to whom the data are disclosed", the task carried out in the public interest or in the exercise of official authority now having to be that of the controller alone. In addition, a slight difference in wording exists between Article 7.1.f) of Directive 95/46/EC and Article 6.1.f) of the GDPR, without modifying the scope of this provision. None of these modifications affect the condition of necessity.<br />
<br />
[11] Article 29 Working Party, Opinion 06/2014 of 9 April 2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217.<br />
<br />
[12] ECtHR, 25 March 1983, Silver and Others v. United Kingdom, para. 97.<br />
<br />
[13] European Data Protection Board (EDPB), Opinion 03/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation (GDPR) (Article 70.1.b)) of 23 January 2019 (point 11): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinionctrq_a_final_fr.pdf<br />
<br />
<br />
<br />
<br />
<br />
53. In the present case, the defendant and the voluntary intervener put forward several provisions which, in their view, required them to carry out the disputed processing.<br />
<br />
54. The Litigation Chamber notes the following in this regard:<br />
<br />
- The granting of the social supplement in addition to the ordinary allowances is governed by the General Law on Family Allowances (LGAF) of 19 December 1939, in particular Articles 51, 54 and 173quater. Article 173quater explicitly provides that the family allowance organizations and the ministerial services responsible for implementing this law are required to consult the National Register of natural persons to obtain the information referred to in Article 3, paragraphs 1 and 2, of the Law of 8 August 1983 organizing a National Register of natural persons. These data include the household composition and its successive modifications (i.e. its history). Recourse to another source is permitted only insofar as the necessary information cannot be obtained from the National Register.<br />
<br />
- Jurisdiction over the granting of family allowances and the social supplement has been regionalized, and the complainant's son was listed as residing in the Brussels-Capital Region at the time of the contested consultation of the National Register.[14] In this regard, the Litigation Chamber notes that Article 9 of the Ordinance of 25 April 2019 of the Brussels-Capital Region regulating the granting of family benefits[15] specifies that the basic family allowance is increased by a social supplement under certain conditions, in particular when the annual household income does not reach a certain threshold. In other words, the granting of the supplement is conditional on the household's income.<br />
<br />
- Regarding the granting of this social supplement, Article 10 of the Ordinance of 4 April 2019 provides that "the assembled College sets the conditions under which the payment of social supplements is carried out provisionally, pending the tax data establishing the annual income of the household that allow a final decision to be taken". Accordingly, the assembled College of the Common Community Commission set the conditions for granting social supplements and certain supplements provided for in the General Law on Family Allowances in a Decree of 24 October 2019.<br />
<br />
[14] The complainant states in this regard that his son has been living in Wallonia since a date well before that of this consultation (i.e. since July 2018). The voluntary intervener and the defendant indicate that this change of domicile had not been notified to them on the date of the P028 consultation and that the voluntary intervener no longer manages the family allowance file of the complainant's son. The Litigation Chamber takes note of this.<br />
<br />
[15] M.B., 8 May 2019: https://bruxelles.famifed.be/sites/default/files/uploads/20190509_ordranteiegezinsbijslag_NLFR.pdf<br />
<br />
<br />
<br />
- In accordance with the aforementioned Decree of 24 October 2019, the preparatory measures that the family allowance funds were to take from 2019 in order to be able to establish, for each household resident in Brussels, the correct amount of family allowances to which it would be entitled from 1 January 2020, as well as the procedure to be followed for granting social supplements from 2020, were laid down in Circular CO PF2 of 5 July 2019 on the procedure for provisionally granting social supplements in the Brussels-Capital Region from 1 January 2020.<br />
<br />
- The defendant and the voluntary intervener rely on this Circular of 5 July 2019 on the procedure for provisionally granting social supplements in the Brussels-Capital Region from 1 January 2020, in particular on its Articles 2.2 and 7, to legitimize their consultation of the history of the household composition of the complainant's son.<br />
<br />
- This Circular provides that the establishment of the right to a supplement in the Brussels-Capital Region takes place in two phases, namely:<br />
<br />
Phase 1: A decision on the provisional payment of the supplement is taken in "real time": in other words, it is automatically granted on a provisional basis if the conditions are met. The supplement can also be granted on a provisional basis following a request from the household accompanied by supporting documents relating to the household's current gross income.<br />
<br />
Phase 2: Two years later, the taxable income of all households is verified by means of the tax flow, and the definitive establishment of the right to the social supplement is carried out on the basis of the tax data made available by the authentic source.<br />
<br />
- As for the concept of household used, the Circular specifies that "this identification is made according to the notion of household as described in Article 2 of the Decree of 24 October 2019". That Decree provides in Article 1 that the following is to be understood by:<br />
<br />
"1° member of the cohabiting household: any person who is neither a relative nor a relative by marriage up to the third degree inclusive, with whom the beneficiary cohabits and forms a de facto household;<br />
<br />
2° household members: the beneficiary and, where applicable, the spouse with whom he or she cohabits and/or any other member of the cohabiting household".<br />
<br />
55. In other words, the Litigation Chamber concludes that, prior to the granting of the appropriate social supplement from 1 January 2020, it was for the family allowance funds (including the voluntary intervener) to identify, in application of the various aforementioned texts and from July 2019, the beneficiaries and their income, more particularly that of their household as this concept is defined in Article 2 of the Decree of 24 October 2019.<br />
<br />
<br />
56. This verification of the household income condition (and therefore of who was part of the household) took place, in this case, through an identification of the household composition of the complainant's son via consultation of the National Register. It is also not disputed that the family allowance funds, including the voluntary intervener, were duly authorized to consult the National Register.<br />
<br />
57. The Litigation Chamber notes that it is not clear from the legal texts invoked which income should be taken into account and hence, depending on the phase in which the consultation took place, which date of the household composition was to be taken into consideration (the current calendar year, or going back 2 years by analogy with the final calculation that takes place two years later, as mentioned by the defendant and the voluntary intervener during the hearing (see Articles 2.1 and 2.2 of the Circular of 5 July 2019)?). This precision would have been invaluable; it is moreover required by the principle of clarity and predictability of the "law", a principle long required by the case law of the European Court of Human Rights as well as of the CJEU.[16]<br />
<br />
58. The Litigation Chamber considers that, at most, this history of the "household composition" data of the complainant's son could have been consulted going back to the date on which the right to the allowances / to the social supplement to those allowances was opened, and that in any event the consultation of the entire history of the complainant's son, without any time limit, was disproportionate and not necessary for the voluntary intervener to comply with its legal obligation.<br />
<br />
59. However, as the complainant points out, the "P028 search" which was carried out provides for the systematic consultation of the history of household composition in its entirety, that is, since the birth of the person whose National Register entry is consulted. Access to this history of the complainant's son was therefore disproportionate and the data consulted were not relevant in relation to the objective pursued, namely the determination of the household composition at a given time T which must be taken into account in granting family allowances and the social supplement.<br />
<br />
60. Accordingly, the Litigation Chamber concludes that, even if it argues that the TRIVIA application which it was required to use did not allow consultation of a time-limited history (see point 63), the voluntary intervener did not carry out the processing necessary for its legal obligation and therefore cannot invoke Article 6.1.c) as a basis of lawfulness. The Litigation Chamber therefore finds a breach of Article 6 of the GDPR on its part, in the absence of any other valid basis of lawfulness and without prejudice to the controller's obligation to identify one basis of lawfulness and not several depending on the circumstances.[17] The Litigation Chamber also concludes that there was a breach of Article 5.1.c) of the GDPR, the data of which the intervener took cognizance on the occasion of its unlawful consultation (in the absence of a legal basis to legitimize it) therefore also being irrelevant in relation to the aim pursued.<br />
<br />
61. As for the consultation carried out on 21 April 2020, the Litigation Chamber notes that the defendant and the voluntary intervener rely on their legitimate interest (Article 6.1.f) of the GDPR), the consultation being justified, according to them, by the needs of the present proceedings. The Litigation Chamber recalls in this regard that it has already considered in the past that defense in legal proceedings is a legitimate interest that can validly be invoked by controllers,[18] provided that the cumulative conditions of necessity of the processing for the pursuit of the legitimate interest and of proportionality (i.e. that the fundamental rights and freedoms of the data subjects do not prevail over the interest pursued) are met.<br />
<br />
62. Without calling into question the fact that legal defense may indeed constitute a legitimate interest within the meaning of Article 6.1.f) of the GDPR, the Litigation Chamber nonetheless concludes, for the same reasons as those underlying its conclusion regarding the initial consultation (see points 57-60), that this consultation during the proceedings pending before the DPA was also unlawful.<br />
<br />
[16] ECtHR, 4 May 2000, Rotaru v. Romania; CJEU, Joined Cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and Others, ECLI:EU:C:2020:791, para. 121.<br />
<br />
<br />
<br />
<br />
4.2. As for the principle of accountability<br />
<br />
<br />
63. The Litigation Chamber takes note of the voluntary intervener's statement that, on the one hand, it is required to use the TRIVIA application and, on the other hand, it is impossible for it to limit in time its request to consult the history of the "household composition" data in the National Register. The Litigation Chamber is not insensitive to this and refers on this point to the corrective measures it decides to take, as detailed in points 69 et seq. (title 5).<br />
<br />
64. Notwithstanding this last point, the fact remains that, in its capacity as controller, the voluntary intervener could not rely on Article 6.1.c) of the GDPR and, as concluded in points 60 and 62 above, had no valid basis of lawfulness to access the complainant's data via consultation of the complete history of the household composition of his son.<br />
<br />
65. The Litigation Chamber also finds a breach of Articles 24 and 5.2 of the GDPR on the part of the voluntary intervener, in that it was unable to put in place the technical measures intended to implement the GDPR. Here again, the Litigation Chamber is not unaware of the voluntary intervener's lack of control over the application. This circumstance is not, however, such as to remove any breach on its part, given its capacity as controller.<br />
<br />
66. Indeed, the objective of the principle of accountability, or "principe de responsabilité" in its French translation (Article 5.2 of the GDPR), is to make controllers accountable, whether they are private companies or public authorities or bodies, and to allow the data protection supervisory authorities, such as the DPA, to verify the effectiveness of the measures taken in applying it. Risks must be identified by setting up action plans and control procedures, and these organizations must be able to prove without difficulty that they have carried out an identification, an assessment and a management of the risks to the protection of personal data in relation to the processing they carry out. This principle would be largely undermined, or even emptied of all substance, if it were enough for a controller to invoke, once faced with a complaint lodged with the supervisory authority, the fact that the computer application used (even where its use is imposed by a third party) does not allow it to comply with the GDPR.<br />
<br />
67. In accordance with its accountability and documentation obligation, the voluntary intervener should therefore, at a minimum, have alerted the relevant authorities to the untenable position in which the compulsory use of the TRIVIA application placed it in relation to its obligations under the GDPR.<br />
<br />
68. The Litigation Chamber is also aware of the care taken by the defendant to respond to the complainant's questions and to make contact with the supervisory authority in order to better explain the situation to the latter. But here again, these circumstances are not such as to allow the Litigation Chamber to conclude that there was no breach. The Litigation Chamber also notes that the intervener has now undertaken to contact the supervisory authority.<br />
<br />
[17] See Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
[18] See Decision 03/2020 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-03-2020.pdf<br />
<br />
<br />
<br />
<br />
5. Regarding corrective measures and sanctions<br />
<br />
<br />
69. Under Article 100 LCA, the Litigation Chamber has the power to:<br />
<br />
1° dismiss the complaint;<br />
2° order a dismissal;<br />
3° pronounce a suspension of the ruling;<br />
4° propose a settlement;<br />
5° issue warnings or reprimands;<br />
6° order compliance with the data subject's requests to exercise his or her rights;<br />
7° order that the data subject be informed of the security problem;<br />
8° order the freezing, limitation or temporary or definitive prohibition of processing;<br />
9° order that the processing be brought into conformity;<br />
10° order the rectification, restriction or erasure of the data and the notification thereof to the data recipients;<br />
11° order the withdrawal of accreditation of certification bodies;<br />
12° impose periodic penalty payments;[19]<br />
13° impose administrative fines;[20]<br />
14° order the suspension of cross-border data flows to another State or an international organization;<br />
15° forward the file to the Brussels public prosecutor's office, which informs it of the follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.<br />
<br />
70. It is important to put the breaches found by the Litigation Chamber in context with a view to identifying the most appropriate corrective measures and sanctions.<br />
<br />
71. In this context, the Litigation Chamber will take into account all the circumstances of the case and the explanations provided by the parties. In this regard, the Litigation Chamber wishes to specify that it is for it alone, as an independent administrative authority (in compliance with the relevant articles of the GDPR and the LCA), to determine the appropriate corrective measure(s) and sanction(s).[21]<br />
<br />
72. Thus, it is not for the complainant to ask the Litigation Chamber to order this or that corrective measure or sanction. If, notwithstanding the above, the complainant should nevertheless ask the Litigation Chamber to pronounce one or other measure and/or sanction, it is not for the latter to justify why it would not uphold one or other request made by the complainant. These considerations leave intact the Litigation Chamber's obligation to justify its choice of the corrective measure(s) and/or sanction(s) which it judges appropriate (among the list of measures and sanctions made available to it by Article 58 of the GDPR and Articles 95.1 and 100.1 of the LCA recalled above) to impose on the party in question. The Litigation Chamber recalls here, as mentioned in point 36 above, that it is not competent to award any compensation.<br />
<br />
[19] https://www.autoriteprotectiondonnees.be/publications/politique-en-matiere-d-astreinte.pdf<br />
<br />
[20] The Litigation Chamber does not comment on the advisability of a possible administrative fine against the defendant. Given the latter's status as a "public authority" within the meaning of Article 5 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, read in conjunction with Article 83.7 of the GDPR and Article 221 § 2 of the aforementioned Law of 30 July 2018, the Litigation Chamber is in fact not authorized to impose such a fine on it.<br />
<br />
[21] Litigation Chamber, Decision on the merits 81/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf<br />
<br />
<br />
<br />
73. The Litigation Chamber has found a breach of Articles 6 and 5.1.c) as well as of Articles 24 and 5.2 of the GDPR on the part of the voluntary intervener (points 60, 62 and 65).<br />
<br />
74. In view of these breaches, the Litigation Chamber issues a reprimand to the voluntary intervener on the basis of Article 100.1, 5° LCA,[22] which constitutes, in view of the facts and breaches found, the effective, proportionate and dissuasive sanction required by the applicable Article 83 of the GDPR. In this regard, the Litigation Chamber wishes to stress that it is not in a position to issue a warning to the voluntary intervener, since that measure cannot be applied once a breach has been found. A warning applies only when the planned processing operations are likely to infringe the provisions of the GDPR.<br />
<br />
75. The Litigation Chamber is of the opinion that, beyond the reprimand addressed to the voluntary intervener, it is important that an adequate response be found quickly to the problem raised by the complaint, in order to allow a limited consultation, respectful of the GDPR, of the history of the "household composition" data (as well as the history of other National Register data, where applicable). The Litigation Chamber refers in this regard to the deliberations of the Sectoral Committee of the National Register (CSRN) of the former Commission for the Protection of Privacy (CPVP), under which the CSRN grants access to historical data limited in time, in accordance with Article 4 § 1, 3° of the Privacy Law, which at the time set out the principle of proportionality (now the principle of minimization worded in Article 5.1.c) of the GDPR).[23] The Litigation Chamber is also struck by the document entitled "File - Description of the specific function of the P028 message" (in particular point 1.2.1.1) highlighted by the complainant, according to which the use of an application more respectful of the principle of minimization was waived (see point 23).<br />
<br />
[22] See Article 58.2.b) of the GDPR, which provides for a reprimand to be issued to the controller where "processing operations have infringed provisions of this Regulation".<br />
<br />
[23] See, for example, the deliberation of the Sectoral Committee of the National Register RN No. 20 of 25 March 2009.<br />
<br />
<br />
76. For all these reasons, the Litigation Chamber will draw the attention of the DPA Steering Committee to this issue. Where appropriate, the DPA bodies could, in accordance with the respective competences assigned to them by the LCA, decide to enter into a dialogue with all the bodies concerned and/or conduct an in-depth investigation of the issue which arose in the complaint leading to this decision.<br />
<br />
77. The Litigation Chamber also decides to send a copy of this decision to the services of the National Register as well as to Famifed, Iriscare and the Crossroads Bank for Social Security (BCSS) mentioned by the complainant in his complaint.<br />
<br />
<br />
<br />
<br />
6. Transparency<br />
<br />
<br />
78. In view of the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the DPA's website with the direct identification data of the parties (namely the defendant, the voluntary intervener and the complainant) and of the natural persons mentioned removed. On the other hand, the Litigation Chamber considers that it has no other option, for the proper understanding of this decision, than to mention Famifed, Iriscare, the Banque-Carrefour de la sécurité sociale (BCSS) and the National Register services.<br />
<br />
FOR THESE REASONS,<br />
<br />
THE LITIGATION CHAMBER<br />
<br />
decides:<br />
<br />
- to issue a reprimand to the voluntary intervener on the basis of Article 100.1, 5° LCA.<br />
<br />
Under Article 108.1 LCA, this decision may be appealed to the Market Court (Brussels Court of Appeal) within 30 days of its notification, with the Data Protection Authority as respondent.<br />
<br />
(Sé) Hielke Hijmans<br />
<br />
President of the Litigation Chamber<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_54/2021&diff=15582APD/GBA (Belgium) - 54/20212021-05-04T17:10:10Z<p>Fra-data67: Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=54/2021 |ECLI= |Ori..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=54/2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Autorité de la protection des données<br />
|Original_Source_Link_1=https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-54-2021.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=22.04.2021<br />
|Date_Published=<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 24 GDPR<br />
|GDPR_Article_Link_4=Article 24 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The Belgian Data Protection Authority reprimands an entity in charge of paying family allowances to its members for failure to comply with Articles 4, 5, 6 and 24 GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In July 2019, an entity (voluntary intervener in the proceedings, hereinafter "the voluntary intervener") in charge of paying family allowances to its affiliates who have children consulted the data of the complainant's son in the National Register, in particular the "household composition" data and its history. This consultation took place in order to manage the family allowance file of the complainant's son, one of its affiliates, and to determine the amount of family allowance - including a possible supplement - that he would be entitled to receive as of 1 January 2020. This consultation was carried out via the TRIVIA application, developed by the BCSS, made available to the family allowance funds. This consultation was done on the basis of the National Register number of the affiliated person, son of the complainant. <br />
<br />
It is this consultation of the history of the composition of the complainant's son's household that is the subject of the complainant's complaint. During this consultation, the voluntary intervener was given access to the information that the complainant had been part of his son's household at one time in his life. The complainant complains that this consultation of personal data concerning him had no valid legitimate basis within the meaning of Article 6 GDPR. <br />
<br />
On 24 September 2019, the Supervisory Authority of the family allowance funds for the Brussels-Capital Region (IRISCARE/FAMIFED) received a request for information from the complainant via the contact form on its website. With this request for information, the complainant asked the Supervisory Authority about the consultation of his data on 9 and 17 July 2019. <br />
<br />
Following several unsuccessful exchanges, and in the absence of a satisfactory response, the dispute was brought before the Belgian Data Protection Authority’s litigation division. <br />
<br />
In this case, the defendant is the shared service center of the voluntary intervening entity. In this respect, it is responsible for monitoring the personal data protection of all the family allowance funds in the group. <br />
<br />
When he submitted his conclusions on 9 June 2020, the complainant complained that a new consultation of his data, still without any legitimate basis according to him, had taken place on 21 April 2020. When questioned on 3 June in this respect, the defendant informed the complainant on 15 June 2020 that this consultation was part of the management of the present case pending before the DPA. <br />
<br />
In substance, the complainant complains that the family allowance fund (voluntary intervener) accessed personal data concerning him without a valid legal basis.<br />
<br />
=== Dispute ===<br />
Is access to the information that the complainant had been a member of his son's household at one time in his life considered processing of personal data within the meaning of Article 4 GDPR and is it justified on the basis of Article 6 GDPR?<br />
<br />
=== Holding ===<br />
The Belgian Authority found a violation of the GDPR, and gave the following reasons for its decision: <br />
<br />
1. The notion of processing of personal data within the meaning of Article 4 GDPR<br />
<br />
Very briefly, the Litigation Chamber begins by recalling that the fact of having accessed this information constitutes processing of personal data within the meaning of Article 4(2) GDPR, irrespective of whether this processing is lawful within the meaning of the Regulation. <br />
<br />
Furthermore, the Litigation Chamber holds that in this case the voluntary intervening entity must be considered as a controller, and the defendant as a processor of the voluntary intervener.<br />
<br />
2. XXX<br />
<br />
XXX<br />
<br />
3. Accountability within the meaning of Article 24 GDPR<br />
<br />
The Contentious Chamber also concludes that the voluntary intervener failed to comply with Articles 24 and 5.2 GDPR when it was not able to put in place the technical measures intended to implement the GDPR. The controller therefore cannot raise the argument that the computer application used, even if its use is imposed by a third party, does not allow it to comply with the GDPR. <br />
<br />
Consequently, in application of its obligation of accountability and documentation, the voluntary intervener should at least have alerted the relevant authorities to the situation in which the forced use of the TRIVIA application placed it in relation to its obligations under the GDPR. <br />
<br />
<br />
4. Sanctions <br />
<br />
In view of these failings, the Contentious Division reprimanded the voluntary intervener and ordered the publication of the decision on the APD website with the deletion of the parties' direct identification data. <br />
<br />
In addition, the Chamber stresses that it is important that an appropriate response be found quickly to the problem raised by the complaint, in order to allow limited consultation, in compliance with the GDPR, of the history of the "household composition" data (as well as the history of other data in the National Register, if applicable).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Decision on the merits 54 / 2021-1 / 23<br />
<br />
Litigation Chamber<br />
<br />
Decision on the merits 54/2021 of 22 April 2021<br />
<br />
File No .: DOS-2019-06237<br />
<br />
Subject: Complaint relating to an illicit consultation of the National Register in the context of the allocation of family allowances<br />
<br />
The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and of Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection data), hereinafter GDPR;<br />
<br />
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);<br />
<br />
Having regard to the Rules of Procedure as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
Having regard to the documents in the file;<br />
<br />
Took the following decision regarding:<br />
<br />
The complainant: Mr X1, (hereinafter "the complainant");<br />
<br />
The defendant: Y1, (hereinafter “the defendant”);<br />
<br />
In the presence of: Y2 ASBL, (hereinafter "the voluntary worker");<br />
<br />
Both advising Maître Paul Van den Bulck and Maître Andrine Like, lawyers at the Bar of Brussels, whose office is established at Rue des Colonies 56 box 3 in 1000 Brussels.<br />
<br />
1. Feedback from the procedure<br />
<br />
In view of the mediation request filed on December 8, 2019 by the complainant with the Data Protection Authority (DPA);<br />
<br />
Given the failure of the mediation attempt communicated to the complainant on February 20, 2020 by the First Line (SPL) of ODA;<br />
<br />
Considering the agreement given by the complainant on February 20, 2020 for his request to be transformed into a complaint in application of Article 62.2. LCA;<br />
<br />
Considering the decision of March 9, 2020 of the SPL declaring the complaint admissible and the transmission of it to the Litigation Chamber;<br />
<br />
Having regard to the letter of April 8, 2020 from the Litigation Chamber informing the parties of its decision to consider the case to be ready for treatment on the merits on the basis of Article 98 LCA and their providing a timetable for the exchange of conclusions. In this letter, the Litigation Chamber in particular specified the following to the parties:<br />
<br />
Without prejudice to any arguments you may wish to develop, you will ensure that you shed light on the Litigation Chamber on the data processing involved, on the role of the various possible stakeholders and their quality with regard to the regulations for the protection of data as well as on the precise legal basis of the disputed consultation of the data of the complainant. You will also ensure that you explain the measures put in place to guarantee access only to data justified by the processing of files and the traceability of such access. You will also inform the Litigation Chamber of what is concretely understood by the terms "induced and involuntary consultation" used in the attachments to the complaint in the light of the specific facts.<br />
<br />
Having regard to the main conclusions filed on May 22, 2020 by the defendant as well as by Y2 (the voluntary intervenor) who intervenes voluntarily to the cause by this means (see below point 30 and following);<br />
<br />
Having regard to the arguments of the complainant of June 9, 2020;<br />
<br />
Having regard to the additional and summary conclusions of the defendant and the voluntary intervener of 3 July 2020;<br />
<br />
Having regard to the invitation to the hearing sent by the Litigation Chamber to the parties on December 10, 2020;<br />
<br />
Having regard to the hearing during the session of the Litigation Chamber of January 19, 2021 in the presence of the complainant and Mr. A. Like, representing both the Respondent and the Volunteer Intervenor;<br />
<br />
Having regard to the letter sent by counsel for the defendant and the voluntary worker on January 26, 2021;<br />
<br />
Having regard to the minutes of the hearing and the observations made thereon by the parties who have been attached to these minutes.<br />
<br />
2. The facts and the subject of the request<br />
<br />
2.1. Preliminary remarks<br />
<br />
1. For a good understanding of its decision and of all the actors to whom the parts procedure and the files of the parties refer, the Litigation Chamber specifies the following:<br />
<br />
- FAMIFED is the federal agency for family allowances. FAMIFED was to insure until December 31, 2019 the management of family allowances, including in the Region of Brussels-Capital.<br />
<br />
- IRISCARE has, under the 6th state reform, become, in place of FAMIFED, the supervisory authority for family allowance funds for the Brussels-Capital Region. IRISCARE is responsible for setting up and managing the family allowances system of the Brussels-Capital Region.<br />
<br />
- During a period of transition, the two structures coexisted so that the relay of the mission legal process can switch from FAMIFED to the new regional authorities, including, as mentioned, for the Brussels-Capital Region, IRISCARE. In the context of this decision, IRISCARE and FAMIFED are referred to as the "Supervisory Authority".<br />
<br />
- The complainant includes the Crossroads Bank for Social Security (BCSS) among the “stakeholders” revolving around the disputed data processing indicating that it was the BCSS which, at the time facts, develops the TRIVIA application. The TRIVIA application allows family benefit funds to consult the available files of integrated actors, to integrate themselves actors and create files and obtain, through the intervention of the BCSS, access to the various sources of the social security network.<br />
<br />
2. The defendant is the shared service center of group Y. It provides administrative services to the various entities of Group Y. In this regard, it notably monitors the protection personal data of all family allowance funds in the group. It has a Data Protection Officer (DPO) as well as a "Corporate Compliance Officer" [1] and "Information Security Officer".<br />
<br />
3. Y2, here a voluntary intervening party, aims in particular to pay family allowances to its affiliates who have children.<br />
<br />
4. Mr. X2 is the son of the complainant, affiliated with Y2, voluntarily intervened in the cause (see below points 30 et seq.).<br />
<br />
2.2. The facts at the origin of the dispute<br />
<br />
5. In July 2019, the voluntary worker consulted the data of the complainant's son in the National Register, in particular the "household composition" data and its history. This consultation took place in order to manage the family allowances file for the complainant's son, one of his affiliates, and determine the amount of family allowances - including any supplement - that it would be entitled to receive from January 1, 2020. This consultation was done via the TRIVIA application, developed by the BCSS, made available to family allowance funds, including the voluntary worker, by the supervisory authority. This consultation was made on the basis of the affiliate's national register number, Mr. X2.<br />
<br />
6. It is this consultation of the history of the household composition of Mr. X2 that is the subject of the complainant's complaint. Indeed, during this consultation, the volunteer worker had access to the information that the complainant had been part of his son's household at some time of his life. The complainant complains that this consultation of personal data concerning him was not based on any valid basis of legitimacy within the meaning of Article 6 of the GDPR (see title 2.3; point 23 et seq.).<br />
<br />
[1] Deliberation 18/008 of 9 January 2018 on the communication of personal data by the federal Agency for family allowances (Famifed) and various other social security institutions to the Ministry of the German-speaking Community, in the context of the transfer of powers to follow up on the sixth state reform - use of the TRIVIA application.<br />
<br />
7. This research of the history of the composition of the household is called by the supervisory authority "search P028". It is carried out via the TRIVIA application already mentioned. During this research, the history of the household composition of Mr. X2 showed the complainant as having been part of his household in the past and this, as head of household.<br />
<br />
8. On September 24, 2019, the Supervisory Authority received a request for information from the complainant via the contact form on its website. By this request for information, the complainant asked the Supervisory Authority about the consultation of its data on July 9 and 17, 2019.<br />
<br />
9. There followed an exchange of e-mails between the complainant and the Supervisory Authority. The latter informed the complainant of the nature of the research P028 which had led to access to certain data concerning him and invited him, if necessary, to approach the family allowance fund (either the voluntary worker), in order to inquire more about the reason for the access to his data as they appeared in his son's household composition history.<br />
<br />
10. On 7 October 2019, the complainant sent his request for information to the data of the volunteer worker via the address "[...]".<br />
<br />
11. On 10 October 2019, the defendant, which ensures, as mentioned above in point 2, the follow-up on the protection of personal data of all family allowance funds of the group, acknowledged receipt and responded a first time to the request for information from the complainant.<br />
<br />
12. On October 14, 2019, the defendant replied to the complainant a second time. This answer was following a request for acknowledgment of receipt from the complainant regarding his request for information, which acknowledgment of receipt had been sent by the defendant on 10 October 2019 (see point 11 above).<br />
<br />
13. On November 6, 2019, the Complainant wrote again to the Respondent. On the same day, the defendant replied a third time to the complainant and confirmed having responded promptly on October 10 and 14, 2019 to his request of October 7, 2019.<br />
<br />
14. On November 7, 2019, the complainant, still addressing the respondent, developed his fears and raised the following question:<br />
<br />
"That one checks his tax flow [read the tax flow of Mr. X2] does not pose me personally any problem and that seems normal to me since his household is beneficiary / beneficiary of Family Allowances.<br />
<br />
BUT, what are the legal bases that allow you to consult my own private data and tax flow? "<br />
<br />
15. On November 7, 2019, the defendant replied a fourth time to the complainant and confirmed that the tax flow of the complainant had not been examined and that only the identification data of the complainant had appeared while viewing his son's household history.<br />
<br />
16. On 12 November 2019, the complainant confirmed receipt of the registered letter from the defendant by which the latter provided proof of the sending of her emails of the 10th and 14th October 2019.<br />
<br />
17. On 20 November 2019, the Respondent informed the Complainant that a request for clarification had been requested from the Supervisory Authority regarding the consultation of its data. The Defendant's DPO returned the same day (i.e. a fifth time) with said clarification of the supervisory authority. In the response that the defendant sent to the complainant, the Supervisory Authority confirms that it appeared that there had been access to the complainant's identification data, this one being mentioned as having been part of the household of his son and that it was necessary to understand that this consultation was "induced and not voluntary" (in other words, that it was an incidental access via the history of the household composition of the complainant's son).<br />
<br />
18. The same day, after receiving this response (see point 17 above), the complainant placed the defendant in default to justify the legal grounds for the consultation of its data.<br />
<br />
19. On November 27, 2019, the defendant returned to the complainant for a sixth time, specifying that the provisions of the General Law on Family Allowances (hereinafter "LGAF") justified the consultation of the history of the household composition of Mr. X2 (complainant's son) with the National Register (i.e. Articles 51 and 54 LGAF). Literally, she indicated, for the good understanding of the complainant, that the mission of the family allowance funds included verification of entitlement to allowances including verification of "the history of the family composition for which the funds have the right to query the National Register ”.<br />
<br />
20. On December 8, 2019, the complainant lodged an application with the APD in the following terms:<br />
<br />
"I noticed that (Y2- Brussels) [read the volunteer worker] had consulted my personal data without any valid reason in my eyes since I am a pensioner, without responsible for more than 10 years and that I live in Wallonia.<br />
<br />
After questions from those in charge, I received an answer that does not satisfy me in any way, given that the family composition history of one of my sons' household - including household apparently benefits from family allowances in Wallonia - does not have to lead to an induced and involuntary manner regardless because the legal references, unless I am mistaken part, do not allude to it) on queries of my private data which are not at all concerned.<br />
<br />
In my view, this is not a normal procedure but a malfunction (or a pirate query) which I cannot accept. "<br />
<br />
21. On February 3, 2020, the defendant replied to the SPL's questions in connection with the mediation attempt conducted by this service of the ODA. In essence, the defendant responded to the DPA what had already been answered to the complainant by the Supervisory Authority, i.e. a P028 search had been carried out and that the consultation was non-voluntary but resulted from the consultation - necessary in the exercise of its legal missions - consultation of the history of the household composition of the complainant's son.<br />
<br />
22. When communicating his conclusions on 9 June 2020, the complainant complained that a new consultation of his data, still without a legitimate basis according to him, had taken place on April 21, 2020. Interested on June 3 in this regard, the defendant on June 15, 2020, indicated to the complainant that this consultation was part of the management of this case pending before the DPA. The Litigation Chamber specifies from the outset that it will also rule on this second consultation, the legality of which is called into question by the complainant in terms of its conclusions as soon as when it is closely linked to the facts denounced by the complainant under the terms of his complaint form. [2]<br />
<br />
2.3. The subject of the complaint<br />
<br />
23. In these same conclusions of June 9, 2020, the complainant specifies the subject of his complaint and expresses which his son, Mr. X2, has not resided with him since 2006. Consultation of the history of the household composition of the latter - even necessary for the granting of allowances - must according to him be subject to a time limit taking into account (1) either the day on which the person whose "history of household composition" data is consulted is potentially beneficiary / beneficiary of allowances / supplement, (2) either from the day of the birth of the child beneficiary. Access to the history of "household composition" since the birth of the one whose history is consulted - as happened in this case - is irrelevant and disproportionate in relation to the purpose pursued (the granting of family allowances).<br />
<br />
[2] See, in this sense, points 18 et seq. of Decision 38/2021 of the Contentious Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
According to the complainant, this access constitutes an all the more unacceptable security breach:<br />
<br />
- that it emanates from public bodies;<br />
<br />
- that it potentially affects millions of people (beyond himself, his wife and all the people with whom his son has, at some point in his life, lived under the same roof);<br />
<br />
- that the useful data (i.e. the date / dates opening (s) the right to family benefits and from which the consultation of the history of household composition could be relevant) is / are available in the Cadastre of family allowances;<br />
<br />
- that the research system "P028" replaced an earlier system which allowed relevant and targeted research. The complainant quotes in this regard the following passage extracted from the “Specific functional description of message P028” sheet:<br />
<br />
1.2.1.1. P028 Historical consultation of household composition<br />
<br />
Principle<br />
<br />
The P028 message is used to request data relating to the history of the household composition in the National Register on the basis of a national register number. This flow can be subsequently extended with data from the registry of the BCSS.<br />
<br />
This consultation flow combines the old consultation messages P036 and P038 in a single message. Unlike consultation message P036, this flow displays the complete history, whether or not the person sought is the head of the household. It is therefore no longer necessary to carry out several consultations for this purpose. (…)<br />
<br />
24. Finally, still in his conclusions of 9 June 2020, the complainant makes a series of requests to the Litigation Chamber, namely (page 11 of its conclusions):<br />
<br />
- To jointly and indivisibly condemn the defendant, the voluntary intervener, the Supervisory Authority, the FPS Interior (National Register), the Crossroads Security Bank social (BCSS), or even any dishonest perpetrators responsible for access and processing of its data, in accordance with articles 221 to 230 of the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data;<br />
<br />
- Inform the King's Prosecutor of any breaches noted and inform the complainant of these steps;<br />
<br />
- To ensure that the necessary corrections have been made to remedy the shortcomings denounced and this under penalty of penalty;<br />
<br />
- Obtain proof that their tax data has not been processed within the framework of the consultation denounced;<br />
<br />
- Obtain the necessary explanations regarding the consultations of July 9, 2019 and April 21, 2020 by FAMIFED in the National Register;<br />
<br />
- Obtain the identification and full contact details of all persons who have had access to his personal data and failing that condemn the defendant, the voluntary intervener and other contributors to periodic penalty payments;<br />
<br />
- To invite those responsible in the broad sense of the illegal processing, or even the possible indelicate perpetrators, to compensate him for the material and moral damage suffered.<br />
<br />
2.4. Position of the defendant and the voluntary worker<br />
<br />
<br />
<br />
25. The defendant and the voluntary intervener request, in support of their conclusions,<br />
<br />
that the Litigation Chamber declare the complainant's complaint, if admissible, unfounded, the<br />
<br />
consultation of the household composition of Mr X2, son of the complainant, being from their point of<br />
<br />
perfectly legal and legitimate view. They therefore request that the complaint of the<br />
<br />
Complainant without follow-up. The defendant and the voluntary intervener add that if by impossible,<br />
<br />
the ODA had to consider that in the circumstances of the case, access to the history of the<br />
<br />
composition is illegal, it should be the cause of both the National Register and the Authority<br />
<br />
supervision insofar as they are the ones who determine the data accessible during a<br />
<br />
search P028 (page 11 of the additional and summary conclusions of the defendant and<br />
<br />
the volunteer worker).<br />
<br />
<br />
<br />
3. The hearing of January 19, 2021<br />
<br />
<br />
<br />
26. During the hearing on January 19, 2021 - of which the minutes were drawn up - the parties stated<br />
<br />
the arguments they had developed by their respective conclusions.<br />
<br />
<br />
<br />
27. The following elements were particularly highlighted by the parties:<br />
<br />
- the status of controller of the voluntary intervener;<br />
<br />
- the deliberate choice, according to the complainant, to set up a search which entails the consultation of potentially irrelevant data, and the seriousness of the problem with regard to the number of people who may be affected by this structural failure;<br />
<br />
Decision on the merits 54 / 2021-10 / 23<br />
<br />
- the absence of any legal impact of the "induced" and "non-voluntary" nature of the access to irrelevant data on the qualification as processing within the meaning of Article 4.2 of the GDPR;<br />
<br />
- the demonstration by the defendant and the voluntary intervener of the obligation to use the TRIVIA application and the impossibility for them to modify the parameters in order to consult only the historical data relating to a targeted period of time.<br />
<br />
<br />
<br />
PLACE<br />
<br />
<br />
As a preliminary<br />
<br />
✓ As to the capacity of the parties<br />
<br />
<br />
28. Both in its submissions and at the hearing (see section 3 above), the voluntary intervener declares itself to be the controller within the meaning of Article 4.7 of the GDPR with regard to the disputed consultation, a consultation which it furthermore qualifies as an incident. The defendant is for its part qualified as a processor of the voluntary intervener (page 10 of the submissions and page 11 of the additional and summary submissions of the defendant and the voluntary intervener).<br />
<br />
<br />
<br />
<br />
29. The Litigation Chamber takes note of this and, in the context of its own analysis of the factual elements submitted to it and having regard to the applicable legal elements, sees no reason not to recognise these respective capacities of the voluntary intervener and the defendant. With regard to the voluntary intervener more particularly, it does in fact determine, in the context of its own mission, the purposes and means of the data processing it carries out, within the meaning of Article 4.7 of the GDPR, which defines the controller.<br />
<br />
<br />
<br />
✓ As to the voluntary intervention<br />
<br />
30. The Litigation Chamber takes note of Y2's voluntary intervention in these proceedings. This intervention results from the decision of Y2 which, voluntarily and for the needs of the case, intervened in the proceedings by way of submissions (see title 1).<br />
<br />
<br />
<br />
31. The Litigation Chamber specifies that neither the LCA nor the Internal Rules of the APD explicitly provide for the mechanism of (voluntary) intervention by a party that has not been implicated by the complainant.<br />
<br />
<br />
<br />
32. Nevertheless, in the exercise of its competences, it is incumbent on the APD, and therefore on the Litigation Chamber in the exercise of the powers devolved to it, to facilitate the exercise of the rights recognised to data subjects by the GDPR, including the right to lodge a complaint (Article 77 of the GDPR, also recognised in Article 8.3 of the Charter of Fundamental Rights as part of the essence of the right to data protection). In this perspective, filing a complaint should remain an easy process for data subjects whose personal data are processed and who believe that the processing in question breaches data protection rules.<br />
<br />
<br />
<br />
33. As it has already had the opportunity to develop in its Decision 17/2020 [3], data protection authorities must therefore play an active role through the missions and powers assigned to them under Articles 57 and 58 of the GDPR.<br />
<br />
<br />
<br />
<br />
34. In the same way that the complainant cannot be expected to identify straight away, from the terms of his complaint, all the legal grievances relevant to the facts denounced [4], he likewise cannot be expected to identify with certainty the controller concerned. To assert the contrary would be to seriously jeopardise the complainant's right to lodge a complaint. Indeed, the identification of the controller, even with the support of the definition provided for in Article 4.7 GDPR, is a process that can be particularly complex. Admittedly, detailed guidelines on this subject have already been published several times by the European Data Protection Board (EDPB) and its predecessor, the Article 29 Working Party [5]. Nevertheless, it is clear that this identification often remains thorny. It sometimes even requires recourse to the Inspection Service in the most difficult cases.<br />
<br />
<br />
<br />
<br />
35. In support of the foregoing considerations, in order to give full effect to the right to lodge a complaint and, through it, to contribute to the effective application of the GDPR, the Litigation Chamber therefore naturally accepts this voluntary intervention. It specifies that, of course, the adversarial debate has also taken place with the latter. In these circumstances, the Litigation Chamber is able to impose sanctions on the voluntary intervener, if necessary.<br />
<br />
<br />
<br />
✓ As to the competence of the APD and the Litigation Chamber<br />
<br />
<br />
36. The Litigation Chamber specifies here at the outset, with regard to the measures requested by the complainant (see point 24), that it is in any case not competent to grant any compensation, even where shortcomings are found. Indeed, this power is not listed among the corrective measures and sanctions that it may decide on pursuant to Article 58.2 of the GDPR and Articles 95 and 100 LCA.<br />
<br />
[3] Decision 17/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-17-2020.pdf. See also Decision 80/2020 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-80-2020.pdf<br />
[4] Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
[5] See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, on edpb.europa.eu.<br />
<br />
<br />
<br />
<br />
4. As for breaches of the GDPR<br />
<br />
<br />
<br />
37. The Litigation Chamber notes that it emerges from the above statement of facts that the complainant criticises the voluntary intervener for having accessed personal data concerning him, and this, in his terms, without a valid legal basis.<br />
<br />
<br />
<br />
38. The Litigation Chamber notes that the parties do not dispute that, during the consultation of the history of the household composition (National Register) of Mr X2 in July 2019, the voluntary intervener did have access to the information that the complainant had, at one time, been part of his son's household as head of household.<br />
<br />
<br />
<br />
39. Having access to this information constitutes processing of personal data within the meaning of Article 4.2 of the GDPR [6], regardless of whether the controller that accessed it, in this case the voluntary intervener, intended to seek this information or whether access occurred incidentally, fortuitously, during the search for data relating to a separate person, in this case the complainant's son. Whether or not the voluntary intervener intended to process this personal data, and whether or not it then used it to make its decision, are all irrelevant to the qualification as "processing" within the meaning of Article 4.2 of the GDPR.<br />
<br />
<br />
<br />
40. The Litigation Chamber recalls that any processing of personal data must rely on one of the bases of lawfulness provided for in Article 6 of the GDPR.<br />
<br />
<br />
<br />
41. Article 3, paragraph 1, 9° of the Law of 8 August 1983 organising a National Register of Natural Persons (hereinafter the RN Law) provides that, for each person registered in the National Register, the "household composition" data is recorded and kept, as well as the successive modifications made to this information and their effective date; this is the history (Article 3, paragraph 2 of the RN Law). The Royal Decree of 8 January 2006 determining the types of information associated with the information referred to in Article 3, paragraph 1, of the Law of 8 August 1983 organising a National Register of Natural Persons specifies in its Article 1, 9° that the "household composition" information is associated with the following data: "household reference person" on the one hand and "household member" on the other.<br />
<br />
[6] See Article 4.2 of the GDPR: "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<br />
<br />
<br />
<br />
42. Consequently, consulting the "household composition" data in the National Register of the complainant's son may, de facto, give access to personal data of persons other than the son himself, such as members of his household. The personal data that appear in the household composition and its history are both personal data relating to the person whose National Register entry is consulted AND personal data relating to the persons who are included in the composition and history of his household. There will therefore be processing of personal data of third parties (separate from the person for whom the "household composition" data is consulted, in this case the complainant's son) when they are or have been part of the household of the person for whom the "household composition" data is consulted (as here the complainant). This does not, however, necessarily result in an absence of a basis of lawfulness for the processing of the personal data of these third parties, such as the complainant in this case.<br />
<br />
<br />
<br />
43. Provided it is validly invoked, the legal basis for consulting the "household composition" data (and its history) of the data subject (in this case the complainant's son) covers the consultation of the data included under this information, and therefore also that of the members of his household, including the complainant. In this case, the basis of lawfulness on which the consultation of the history of the household composition of the complainant's son relies potentially also legitimises the access, even "induced" as described by the defendant and the voluntary intervener, to the data relating to the complainant indicating that he was part of his son's household.<br />
<br />
<br />
<br />
44. The Litigation Chamber recalls that, in addition to the required legal basis (Article 6 of the GDPR), personal data must, in accordance with the principle of data minimisation expressed in Article 5.1.c) of the GDPR, be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
<br />
<br />
<br />
45. Finally, pursuant to Article 24 of the GDPR, it is the responsibility of the controller to implement appropriate technical and organisational measures to ensure, and be able to demonstrate (as required by Article 5.2 of the GDPR), that the processing it carries out complies with the GDPR.<br />
<br />
<br />
<br />
46. It follows from the foregoing that it is for the Litigation Chamber to verify whether the consultation (whose lawfulness is contested by the complainant) by the voluntary intervener, in its capacity as controller, of the "household composition" data of the complainant's son, including the complete history thereof, met in this case the conditions for processing imposed by the GDPR.<br />
<br />
<br />
<br />
4.1. As to the basis of lawfulness and respect for the principle of minimisation<br />
<br />
<br />
<br />
<br />
47. The Litigation Chamber notes that the defendant and the voluntary intervener rely on Article 6.1.c) of the GDPR to legitimise the contested data processing. Article 6.1.c) authorises data processing necessary for compliance with a legal obligation to which the controller is subject [7].<br />
<br />
<br />
<br />
48. The Litigation Chamber recalls, as it did in its recent Decisions 37/2021 and 38/2021, that in its Huber judgment the Court of Justice of the European Union (CJEU) has, with regard to this condition of necessity, specified that it is an autonomous concept of Community law which must be interpreted in a manner that fully meets the objective of Directive 95/46/EC, applicable at the time of that judgment [8].<br />
<br />
<br />
49. According to the Opinion he delivered in this case [9], the Advocate General explains in this regard that "the concept of necessity has a long history in Community law and is well established as part of the proportionality test. It means that the authority adopting a measure which interferes with a fundamental right in order to achieve a justified objective must demonstrate that this measure is the least restrictive one allowing that objective to be achieved. Moreover, where the processing of personal data is likely to infringe the fundamental right to respect for private life, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), which guarantees respect for private and family life, also becomes relevant. As the Court stated in the Österreichischer Rundfunk and Others judgment, if a national measure is incompatible with Article 8 of the ECHR, that measure cannot meet the requirement of Article 7(e) of the Directive. Article 8(2) of the ECHR provides that an interference with private life may be justified if it pursues one of the aims listed therein and "is necessary in a democratic society" for any of those purposes. The European Court of Human Rights has held that the notion of "necessity" implies that a "pressing social need" is in question".<br />
<br />
[7] See Decisions 37/2021 and 38/2021 of the Litigation Chamber, which explain what is meant by necessary for compliance with a legal obligation: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2021.pdf and https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
[8] CJEU, 16 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, ECLI:EU:C:2008:724, para. 52.<br />
[9] Opinion of Advocate General Poiares Maduro delivered on 3 April 2008 in the proceedings before the CJEU resulting in the judgment cited in footnote 15 above (C-524/06).<br />
<br />
<br />
<br />
50. This case law, admittedly formulated in the light of Article 7(e) of Directive 95/46/EC, applies to all the bases of lawfulness which retain this condition of necessity. It remains relevant today even though Directive 95/46 has been repealed, since this condition of necessity is maintained under Article 6.1 b) to f) of the GDPR and therefore in Article 6.1.c), invoked in the present case. Article 6.1 of the GDPR in fact reproduces the terms of Article 7 of Directive 95/46/EC, of which it is the equivalent [10].<br />
<br />
<br />
<br />
51. The Article 29 Working Party also referred to the case law of the European Court of Human Rights (ECtHR) to define the requirement of necessity [11] and concluded that the adjective "necessary" therefore does not have the flexibility of terms such as "admissible", "normal", "useful", "reasonable" or "expedient" [12].<br />
<br />
<br />
<br />
<br />
52. More precisely, with regard to the basis of lawfulness resting on a legal obligation to which the controller is subject, the European Data Protection Board (EDPB) has set out the conditions under which this basis of lawfulness can be applied [13]:<br />
<br />
- the obligation must be imposed by law;<br />
<br />
- the legislation must meet all the conditions required to make the obligation valid and binding;<br />
<br />
- the legislation must comply with the applicable data protection law, in particular the principles of necessity, proportionality and purpose limitation;<br />
<br />
- the legal obligation itself must be sufficiently clear about the processing of personal data that it requires;<br />
<br />
- and the controller must not have an unjustified margin of discretion as to how to comply with the legal obligation.<br />
<br />
[10] Note that the only differences to be noted are the addition to Article 6.1.d) of the GDPR of the vital interest of a natural person other than the data subject, as well as the deletion in Article 6.1.e) of the GDPR of the "third party to whom the data are disclosed", the task carried out in the public interest or in the exercise of official authority henceforth being that of the controller alone. In addition, a slight difference in wording exists between Article 7.1.f) of Directive 95/46/EC and Article 6.1.f) of the GDPR without modifying the scope of this provision. None of these modifications affect the condition of necessity.<br />
[11] Article 29 Working Party, Opinion 06/2014 of 9 April 2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217.<br />
[12] ECtHR, 25 March 1983, Silver and Others v. United Kingdom, para. 97.<br />
[13] European Data Protection Board (EDPB), Opinion 03/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation (GDPR) [Article 70.1.b)] of 23 January 2019 (point 11): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinionctrq_a_final_fr.pdf<br />
<br />
<br />
<br />
<br />
<br />
53. In the present case, the defendant and the voluntary intervener put forward several provisions which, from their point of view, required them to carry out the disputed processing.<br />
<br />
<br />
<br />
54. The Litigation Chamber notes in this regard the following:<br />
<br />
- The granting of the social supplement in addition to the ordinary allowances is governed by the General Law on Family Allowances (LGAF) of 19 December 1939, in particular Articles 51, 54 and 173quater. Article 173quater explicitly provides that the family allowance organisations and the ministerial services responsible for implementing this law are required to apply to the National Register of Natural Persons to obtain the information referred to in Article 3, paragraphs 1 and 2, of the Law of 8 August 1983 organising a National Register of Natural Persons. This data includes the household composition and its successive modifications (i.e. the history). Recourse to another source is only permitted insofar as the necessary information cannot be obtained from the National Register.<br />
<br />
- Competence for the granting of family allowances and the social supplement is regionalised, and the complainant's son was listed as residing in the Brussels-Capital Region at the time of the denounced National Register consultation [14]. In this regard, the Litigation Chamber notes that Article 9 of the Ordinance of 25 April 2019 of the Brussels-Capital Region regulating the granting of family benefits [15] specifies that the basic family allowance is increased by a social supplement under certain conditions, in particular when the annual household income does not reach a certain threshold. In other words, the granting of the supplement is conditional on the income of the household.<br />
<br />
- Regarding the granting of this social supplement, Article 10 of the Ordinance of April 4, 2019 provides that "the United College sets the conditions under which the payment of social supplements is carried out provisionally, pending the tax data establishing the annual income of the household, allowing a final decision to be taken". As a result, the United College of the Common Community Commission set the conditions for granting the social supplements and certain supplements provided for in the General Law on Family Allowances in a Decree of 24 October 2019.<br />
<br />
[14] The complainant states in this regard that his son has been living in Wallonia since a date much earlier than that of this consultation (i.e. since July 2018). The voluntary intervener and the defendant indicate that this change of domicile had not been notified to them on the date of the P028 consultation and that the voluntary intervener now no longer manages the family allowances file of the complainant's son. The Litigation Chamber takes note of this.<br />
[15] M.B., 8 May 2019. https://bruxelles.famifed.be/sites/default/files/uploads/20190509_ordranteiegezinsbijslag_NLFR.pdf<br />
<br />
<br />
<br />
- In accordance with the aforementioned Decree of 24 October 2019, the preparatory measures that the family allowance funds had to take from 2019 in order to be able to establish, for each household resident in Brussels, the correct amount of family allowances to which it would be entitled from 1 January 2020, as well as the procedure to be followed for granting social supplements from 2020, were set out in Circular CO PF2 of 5 July 2019 on the procedure for the provisional granting of social supplements in the Brussels-Capital Region from 1 January 2020.<br />
<br />
- The defendant and the voluntary intervener rely on this Circular of 5 July 2019 on the procedure for the provisional granting of social supplements in the Brussels-Capital Region from 1 January 2020, in particular on its Articles 2.2 and 7, to legitimise their consultation of the history of the household composition of the complainant's son.<br />
<br />
- This Circular provides that the establishment of the right to a supplement in the Brussels-Capital Region is done in two phases, namely:<br />
<br />
Phase 1: A decision on the provisional payment of the supplement is taken in "real time": in other words, it is automatically granted on a provisional basis if the conditions are met. The supplement can also be granted on a provisional basis following a request from the household accompanied by supporting documents relating to the household's current gross income.<br />
<br />
Phase 2: Two years later, the taxable income of all households is verified by means of the tax data flow, and the right to the social supplement is definitively established on the basis of the tax data made available by the authentic source.<br />
<br />
- As for the concept of household retained, the Circular specifies that "this identification is made according to the notion of household as described in Article 2 of the Decree of 24 October 2019". This Decree provides in Article 1 that the following is to be understood by:<br />
<br />
"1° member of the cohabiting household: any person who is neither a relative nor a relative by marriage up to the third degree inclusive, with whom the beneficiary cohabits and forms a de facto household;<br />
<br />
2° household members: the beneficiary and, where applicable, the spouse with whom he cohabits and/or any other member of the cohabiting household".<br />
<br />
<br />
<br />
55. The Litigation Chamber concludes that, in other words, prior to granting the appropriate social supplement from 1 January 2020, it was for the family allowance funds (including the voluntary intervener), in application of the various aforementioned texts, to identify from July 2019 the beneficiaries and their income, more particularly that of their household as this concept is defined in Article 2 of the Decree of 24 October 2019.<br />
<br />
<br />
56. This verification of the household income condition (and therefore of who was part of the household) took place, in this case, through an identification of the household composition of the complainant's son via the consultation of the National Register. Nor is it disputed that the family allowance funds, including the voluntary intervener, were duly authorised to consult the National Register.<br />
<br />
<br />
<br />
57. The Litigation Chamber notes that it is not clear from the legal texts invoked which income should be taken into account and hence, depending on the phase in which the consultation took place, what date of the household composition was to be taken into consideration (the current calendar year, or going back two years by analogy with the final calculation which takes place two years later, as mentioned by the defendant and the voluntary intervener during the hearing (see Articles 2.1 and 2.2 of the Circular of 5 July 2019)?). This precision would have been invaluable; it is moreover required by the principle of clarity and foreseeability of the "law", a principle long required by the case law of the European Court of Human Rights as well as of the CJEU [16].<br />
<br />
<br />
<br />
58. The Litigation Chamber considers that, at most, this history of the "household composition" data of the complainant's son could have been consulted going back to the date on which the right to allowances / the social supplement to these allowances was opened, and that, in any event, the consultation of the entire history of the complainant's son without a time limit was disproportionate and not necessary for the voluntary intervener to comply with its legal obligation.<br />
<br />
<br />
<br />
59. However, as the complainant denounces, the "P028 search" which was carried out entails systematically consulting the history of the household composition in its entirety, i.e. since the birth of the person whose National Register entry is consulted. Access to this history of the complainant's son was therefore disproportionate, and the data consulted was not relevant with regard to the objective pursued, namely the determination of the household composition at a given time T which must be taken into account in the granting of family allowances and the social supplement.<br />
<br />
<br />
<br />
60. Accordingly, the Litigation Chamber concludes that, even if it invokes that the TRIVIA application which it had to use did not allow consultation of a time-limited history (see point 63), the voluntary intervener did not carry out the processing necessary for its legal obligation and therefore cannot invoke Article 6.1.c) as a basis of lawfulness. The Litigation Chamber therefore finds a breach of Article 6 of the GDPR on its part, in the absence of any other valid basis of lawfulness and without prejudice to the obligation of the controller to identify one basis of lawfulness and not several depending on the circumstances [17]. The Litigation Chamber also finds a breach of Article 5.1.c) of the GDPR, the data which the intervener became acquainted with on the occasion of its unlawful consultation (in the absence of a legal basis to legitimise it) therefore also being irrelevant with regard to the aim pursued.<br />
<br />
[16] ECtHR, 4 May 2000, Rotaru v. Romania; CJEU, Joined Cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and Others, ECLI:EU:C:2020:791, para. 121.<br />
<br />
<br />
<br />
61. As for the consultation of April 21, 2020, the Litigation Chamber notes that the defendant and the voluntary intervener rely on their legitimate interest (Article 6.1.f) of the GDPR), the consultation being justified, according to them, by the needs of the present proceedings. The Litigation Chamber recalls in this regard that it has already considered in the past that defence in legal proceedings is a legitimate interest that can validly be invoked by controllers [18], insofar as the cumulative conditions of necessity of the processing for the pursuit of the legitimate interest and of proportionality (i.e. that the fundamental rights and freedoms of the data subjects do not override the interest pursued) are met.<br />
<br />
<br />
<br />
62. Without calling into question the fact that legal defence may indeed constitute a legitimate interest within the meaning of Article 6.1.f) of the GDPR, the Litigation Chamber nonetheless concludes, for the same reasons as those underlying its conclusion regarding the initial consultation (see points 57-60), that this consultation during the proceedings pending before the DPA was also unlawful.<br />
<br />
<br />
<br />
<br />
4.2. As for the principle of accountability<br />
<br />
<br />
63. The Litigation Chamber takes note of the voluntary intervener's declaration, on the one hand, that it is required to use the TRIVIA application and, on the other hand, that it is impossible for it to limit in time its request to consult the history of the "household composition" data in the National Register. The Litigation Chamber is not insensitive to this and refers on this point to the corrective measures that it decides to take, as detailed in points 69 et seq. (title 5).<br />
<br />
64. Notwithstanding this last point, the fact remains that, in its capacity as data controller, the voluntary intervener could not rely on Article 6.1.c) of the GDPR and, as was concluded in points 60 and 62 above, had no valid basis of lawfulness to access the complainant's data via the consultation of the complete history of the household composition of his son.<br />
<br />
<br />
<br />
<br />
<br />
17 See Decision 38/2021 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-38-2021.pdf<br />
<br />
18 See Decision 03/2020 of the Litigation Chamber: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-03-2020.pdf<br />
<br />
<br />
65. The Litigation Chamber also finds a breach of Articles 24 and 5.2. of the GDPR on the part of the voluntary intervener, in that it has not been able to put in place the technical measures intended to implement the GDPR. Here again, the Litigation Chamber is not unaware of the voluntary intervener's lack of control over the application. This circumstance is not, however, such as to eliminate any breach on its part, given its capacity as data controller.<br />
<br />
66. Indeed, the objective of the principle of accountability, or "principe de responsabilité" in its French translation (Article 5.2. of the GDPR), is to make data controllers accountable - whether they are private companies or public authorities or bodies - and to allow data protection supervisory authorities such as the APD to verify the effectiveness of the measures taken in applying it. Risks must be identified by setting up action plans and control procedures, and these organizations must be able to prove without difficulty that they have carried out an identification, an assessment and a framing of the risks to the protection of personal data with regard to the processing they carry out. This principle would be broadly undermined, or even emptied of all substance, if it were enough for a data controller to invoke, once faced with a complaint lodged with the supervisory authority, the fact that the computer application used - even where its use is imposed by a third party - does not allow it to comply with the GDPR.<br />
<br />
67. In accordance with its obligation of accountability and documentation, the voluntary intervener should therefore, at a minimum, have alerted the relevant authorities to the untenable position in which the constrained use of the TRIVIA application placed it in relation to its obligations arising from the GDPR.<br />
<br />
68. The Litigation Chamber is also aware of the care taken by the defendant to respond to the complainant's questions and to make contact with the supervisory authority in order to better explain the situation to the latter. But here again, these circumstances are not such as to allow the Litigation Chamber to conclude that there was no breach. The Litigation Chamber also notes that the intervener has now undertaken to contact the Supervisory Authority.<br />
<br />
<br />
<br />
<br />
5. Regarding corrective measures and sanctions<br />
<br />
<br />
69. Under Article 100 LCA, the Litigation Chamber has the power to:<br />
<br />
1° dismiss the complaint;<br />
2° order the dismissal;<br />
3° pronounce a suspension of the pronouncement;<br />
4° propose a transaction;<br />
5° issue warnings or reprimands;<br />
6° order compliance with the requests of the data subject to exercise his or her rights;<br />
7° order that the data subject be informed of the security problem;<br />
8° order the freezing, limitation or temporary or definitive prohibition of processing;<br />
9° order that the processing be brought into conformity;<br />
10° order the rectification, restriction or erasure of the data and the notification thereof to the data recipients;<br />
11° order the withdrawal of accreditation of certification bodies;<br />
12° impose periodic penalty payments;[19]<br />
13° impose administrative fines;[20]<br />
14° order the suspension of transborder data flows to another State or an international organization;<br />
15° send the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.<br />
<br />
<br />
<br />
70. It is important to contextualize the shortcomings noted by the Litigation Chamber with a view to identifying the most appropriate corrective measures and sanctions.<br />
<br />
71. In this context, the Litigation Chamber will take into account all the circumstances of the case and the explanations provided by the parties. In this regard, the Litigation Chamber wishes to specify that it is for it alone, as an independent administrative authority - in compliance with the relevant articles of the GDPR and the LCA - to determine the appropriate corrective measure(s) and sanction(s).[21]<br />
<br />
<br />
<br />
<br />
72. Thus, it is not for the complainant to ask the Litigation Chamber to order one or another corrective measure or sanction. If, notwithstanding the above, the complainant should nevertheless ask the Litigation Chamber to pronounce one or the other measure and/or sanction, it is not up to the latter to justify why it would not retain one or the other request made by the complainant. These considerations leave intact the obligation for the Litigation Chamber to justify the choice of corrective measure(s) and/or sanction(s) which it judges appropriate (among the list of measures and sanctions made available to it by Articles 58 of the GDPR and 95.1 and 100.1 of the LCA recalled above) to sanction the party in question. The Litigation Chamber recalls here, as it mentioned in point 36 above, that it is not competent to grant any compensation.<br />
<br />
19 https://www.autoriteprotectiondonnees.be/publications/politique-en-matiere-d-astreinte.pdf<br />
<br />
20 The Litigation Chamber does not comment on the advisability of a possible administrative fine against the defendant. Given the latter's "public authority" status within the meaning of Article 5 of the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, read in conjunction with Articles 83.7. of the GDPR and 221 § 2 of the Law of 30 July 2018 cited above, the Litigation Chamber is in fact not authorized to impose such a fine on it.<br />
<br />
21 Litigation Chamber, Decision on the merits 81/2020: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-81-2020.pdf<br />
<br />
<br />
<br />
73. The Litigation Chamber found a breach of Articles 6 and 5.1.c) as well as of Articles 24 and 5.2. of the GDPR on the part of the voluntary intervener (points 60, 62 and 65).<br />
<br />
74. In view of these shortcomings, the Litigation Chamber addresses to the voluntary intervener a reprimand[22] on the basis of Article 100.1, 5° LCA, which constitutes, in view of the facts and breaches noted, the effective, proportionate and dissuasive sanction required by the applicable Article 83 of the GDPR. In this regard, the Litigation Chamber wishes to stress that it is not in a position to issue a warning to the voluntary intervener, since this measure cannot be applied when a breach has been found. A warning applies only when the planned processing operations are likely to violate the provisions of the GDPR.<br />
<br />
<br />
<br />
<br />
75. The Litigation Chamber is of the opinion that, beyond the reprimand addressed to the voluntary intervener, it is important that an adequate response be quickly found to the problem raised by the complaint, in order to allow a limited consultation, respectful of the GDPR, of the history of the "household composition" data (as well as the history of other data from the National Register, if applicable). The Litigation Chamber refers in this regard to the deliberations of the Sectoral Committee of the National Register (CSRN) of the former Commission for the Protection of Privacy (OPC), under which the NISA grants access to historical data limited in time, in accordance with Article 4 § 1, 3° of the Privacy Law, which then set out the principle of proportionality (now the principle of minimization worded in Article 5.1, c) of the GDPR).[23] The Litigation Chamber is also struck by the document entitled "File - Description of the specific function of the P028 message" (in particular point 1.2.1.1.) highlighted by the complainant, according to which the use of an application more respectful of the principle of minimization would have been waived (see point 23).<br />
<br />
22 See Article 58.2 b) of the GDPR, which provides for a reprimand to be addressed to the controller when "the processing operations have resulted in a violation of the provisions of this Regulation".<br />
<br />
23 See for example the deliberation of the Sectoral Committee of the National Register RN No. 20 of March 25, 2009.<br />
<br />
<br />
76. For all these reasons, the Litigation Chamber will draw the attention of the APD Steering Committee to this issue. Where appropriate, the APD bodies could, in accordance with the respective competences assigned to them by the LCA, decide to enter into a dialogue with all of the bodies concerned and/or conduct an in-depth investigation of the issue which arose during the complaint leading to this decision.<br />
<br />
77. The Litigation Chamber also decides to send a copy of this decision to the services of the National Register as well as to Famifed, Iriscare and the Crossroads Bank for Social Security (BCSS) mentioned by the complainant in the terms of his complaint.<br />
<br />
<br />
<br />
<br />
6. Transparency<br />
<br />
<br />
78. In view of the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the APD with the direct identification data of the parties (namely the defendant, the voluntary intervener and the complainant) and of the natural persons mentioned deleted. On the other hand, the Litigation Chamber believes that it has no other possibility, for the proper understanding of this decision, than to mention Famifed, Iriscare, the Banque-Carrefour de la sécurité sociale (BCSS) and the National Register services.<br />
<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
THE LITIGATION CHAMBER<br />
<br />
Decided<br />
<br />
- To issue a reprimand against the voluntary intervener on the basis of Article 100.1, 5° LCA.<br />
<br />
Under Article 108.1 LCA, this decision can be appealed to the Market Court (Brussels Court of Appeal) within 30 days of notification, with the Data Protection Authority as respondent.<br />
<br />
(Sé) Hielke Hijmans<br />
<br />
President of the Litigation Chamber<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-016&diff=13222CNIL (France) - SAN-2020-0162021-01-11T18:11:57Z<p>Fra-data67: /* On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-016<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042774286?isSuggest=true<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=07.12.2020<br />
|Date_Published=31.12.2020<br />
|Year=2020<br />
|Fine=7300<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 2(2) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#2<br />
|GDPR_Article_2=Article 3(1) GDPR<br />
|GDPR_Article_Link_2=Article 3 GDPR#1<br />
|GDPR_Article_3=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1e<br />
|GDPR_Article_4=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1c<br />
|GDPR_Article_5=Article 12(2) GDPR<br />
|GDPR_Article_Link_5=Article 12 GDPR#2<br />
|GDPR_Article_6=Article 14 GDPR<br />
|GDPR_Article_Link_6=Article 14 GDPR<br />
|GDPR_Article_7=Article 21(2) GDPR<br />
|GDPR_Article_Link_7=Article 21 GDPR#2<br />
<br />
<br />
|National_Law_Name_1=Code des postes et des communications électroniques<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006070987/<br />
|National_Law_Name_2=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-11/<br />
<br />
|Party_Name_1=PERFORMECLIC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
On 7 December 2020, the CNIL's restricted committee sanctioned the company PERFORMECLIC for having sent commercial prospecting e-mails without proof of prior consent and without providing satisfactory information to the recipients.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The PERFORMECLIC Company's activity is the sending of commercial prospecting by e-mail on behalf of advertisers. As such, the company holds a database of 20 million e-mail addresses of prospects that it has purchased from a third party company. <br />
<br />
Following the report made by the SIGNAL SPAM association, the French DPA carried out an on-site inspection at the company's premises on 18 September 2019. <br />
<br />
===Dispute===<br />
<br />
*Insofar as the operational activities of the company were implemented from Morocco, is the GDPR applicable and is the CNIL competent in this case?<br />
*How is the notion of "consent" to be understood in the context of email prospecting operations?<br />
*Is the processing of the telephone number, in the context of prospection operations carried out solely by e-mail, contrary to the principle of data minimisation provided for in [https://gdprhub.eu/index.php?title=Article_5_GDPR Article 5(1)(c) GDPR]?<br />
*Is the simple opening of a prospecting e-mail sufficient to characterise the prospect's interest in the products and services of the sender of the message, and thus to extend the retention period of this data?<br />
*Is the apposition of a standard mention at the bottom of a prospecting e-mail sufficient regarding the information standards provided for in [https://gdprhub.eu/index.php?title=Article_14_GDPR Article 14 GDPR]?<br />
<br />
===Holding===<br />
The CNIL ordered PERFORMECLIC to pay an administrative fine of EUR 7,300. It also issued an injunction to bring the processing into compliance with the provisions of the French Post and Electronic Communications Code and the GDPR, accompanied by a penalty payment of EUR 1,000 per day of delay after a two-month period following notification of the decision. Finally, the French DPA made its decision public.<br />
<br />
The CNIL based its decision on the following grievances:<br />
<br />
====On the competence of the French DPA====<br />
At the time of the audit, the manager of the company indicated to the CNIL that the operational activities of the company were carried out from Morocco and that, in the near future, he intended to end the company's activities in France and carry them out in their entirety from Morocco, so that the GDPR did not apply in this case.<br />
<br />
With regard to [https://gdprhub.eu/index.php?title=Article_3_GDPR Article 3 GDPR] and Article 8 of the French Data Protection Act, the CNIL retains its jurisdiction and confirms the application of the GDPR, insofar as the company is established in France and addresses its prospecting messages to the French public only.<br />
<br />
====On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail====<br />
According to article L. 34-5(1) of the French Post and Electronic Communications Code, "direct prospecting by means of an automated electronic communications system, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited". With regard to this article, the notion of consent should be understood as any expression of free, specific and informed will by which a person agrees to the use of personal data concerning him/her for the purpose of direct prospecting. Thus, the consent of individuals must be obtained before any prospection by e-mail.<br />
<br />
In this case, the absence of elements attesting to the effective existence of valid consent of the persons concerned, set against the number of reports received by the SIGNAL SPAM association concerning the company (163,126 reports over the period from 1 January 2019 to 11 June 2019, making it the issuer of e-mails most reported by French Internet users to SIGNAL SPAM over this period), leads the CNIL's restricted committee to retain a breach of Article L. 34-5 of the French Post and Electronic Communications Code.<br />
<br />
====On the failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company====<br />
The CNIL recalls the provisions of Article 5(1)(c) GDPR, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation).<br />
<br />
In the present case, the CNIL notes that the prospecting files contained the telephone number of the prospects. However, it emerges from the monitoring operations that this information is not used by the company, which only addresses marketing by e-mail.<br />
<br />
Consequently, the French DPA considers that the telephone number should not have been collected and processed by the company and should have been deleted from the databases. In these circumstances, the restricted committee considers that the company has failed to comply with the obligation provided for in Article 5(1)(c) GDPR to process only adequate and relevant personal data, limited to what is necessary for the purposes for which they are processed.<br />
<br />
====On the failure to comply with the obligation to process personal data for no longer than is necessary for the purposes for which they are processed====<br />
Article 5(1)(e) GDPR provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.<br />
<br />
According to the findings of the CNIL, it appears that the company kept prospect data for more than three years, with the contact details of approximately 5 million prospects having only opened the prospecting e-mails sent by the company, without any further action on their part, in particular without having clicked on one of the links contained in the said prospecting e-mails.<br />
<br />
The CNIL finds that the provisions of Article 5(1)(e) GDPR have been breached, emphasising in particular that the starting point set by the company to calculate the retention period for prospect data cannot be the simple opening of an email, insofar as the opening of an email does not necessarily reflect the prospect's interest in the products or services of the sender of the message, as the prospect may have opened the email by mistake or automatically, in particular due to the operation of his email software. By proceeding in this way, the company has not ensured the effective interest of the subjects in the commercial prospecting messages that it sends.<br />
<br />
====On the failure to comply with the obligation to inform the data subjects====<br />
Article 14 GDPR requires the controller to provide the data subject with several pieces of information, such as the identity and contact details of the controller, the purposes of the processing operation, its legal basis, the categories of personal data concerned, the recipients of these data, the storage period, or the terms and conditions of the rights granted to the data subjects. In addition, this information must be provided at the latest at the time of the first communication with the individual. <br />
<br />
In this case, the CNIL notes that in emails sent to prospects, information is provided by a standard mention at the bottom of the email. However, the CNIL points out that the company must provide individuals with complete information, whether it be from this first level of information given in the e-mails or by allowing them easy access to additional information, within a second level of information.<br />
<br />
However, the mention provided at the end of e-mails sent to prospects does not include all the elements provided for by Article 14 GDPR. The CNIL also notes that no hypertext link refers to more complete information than that standard mention in the e-mail. Consequently, the CNIL retains the failure to comply with the information obligation referred to in Article 14 GDPR.<br />
<br />
====On the failure to respect the right to object of data subjects====<br />
In this case, the CNIL holds that the company carries out its commercial prospection activity in silos: the personal data of prospects contained in the database is replicated within nine different accounts, and each account is associated with two different domain names. Thus, when a person clicks on an unsubscribe link to exercise their right to object, they are unsubscribed from the account used to send the prospecting campaign in question but not from the other accounts used by the company for other campaigns.<br />
<br />
[https://gdprhub.eu/index.php?title=Article_21_GDPR Article 21(2) GDPR] provides that where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him for such marketing purposes, including profiling insofar as it relates to such direct marketing.<br />
<br />
With regard to this article, the CNIL notes that the management of marketing campaigns by silos by the company makes it ineffective for individuals to oppose the processing of their data by the company for the purposes of prospection by e-mail when this right is exercised by means of the unsubscribe link at the bottom of the e-mail messages. Indeed, when a person clicks on an unsubscribe link to exercise his or her right to object, that person is unsubscribed only from the account used to send the prospecting campaign concerned but not from the other accounts used by the company for other campaigns.<br />
<br />
In order to defend itself, the company has indicated to the delegation of control that, in order to be unsubscribed from all accounts used for sending prospecting emails by the company, the person concerned must either make this request by replying by return message to the prospecting emails received, or fill in an online form available from the PERFORMECLIC.FR domain.<br />
<br />
In this respect, the CNIL recalls that Article 12(2) GDPR requires the data controller to facilitate the exercise of the rights conferred on the data subject under Articles 15 to 22 GDPR, which the company has in any event failed to do by not offering the data subjects a satisfactory means of exercising their rights and by not informing them of the existence of channels enabling them to unsubscribe from all accounts and inviting them to use them to exercise their right of opposition.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-016&diff=13220CNIL (France) - SAN-2020-0162021-01-11T18:02:44Z<p>Fra-data67: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-016<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042774286?isSuggest=true<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=07.12.2020<br />
|Date_Published=31.12.2020<br />
|Year=2020<br />
|Fine=7300<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 2(2) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#2<br />
|GDPR_Article_2=Article 3(1) GDPR<br />
|GDPR_Article_Link_2=Article 3 GDPR#1<br />
|GDPR_Article_3=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1e<br />
|GDPR_Article_4=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1c<br />
|GDPR_Article_5=Article 12(2) GDPR<br />
|GDPR_Article_Link_5=Article 12 GDPR#2<br />
|GDPR_Article_6=Article 14 GDPR<br />
|GDPR_Article_Link_6=Article 14 GDPR<br />
|GDPR_Article_7=Article 21(2) GDPR<br />
|GDPR_Article_Link_7=Article 21 GDPR#2<br />
<br />
<br />
|National_Law_Name_1=Code des postes et des communications électroniques<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006070987/<br />
|National_Law_Name_2=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-11/<br />
<br />
|Party_Name_1=PERFORMECLIC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
On 7 December 2020, the CNIL's restricted committee sanctioned the company PERFORMECLIC for having sent commercial prospecting e-mails without proof of prior consent and without providing satisfactory information to the recipients.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The PERFORMECLIC Company's activity is the sending of commercial prospecting by e-mail on behalf of advertisers. As such, the company holds a database of 20 million e-mail addresses of prospects that it has purchased from a third party company. <br />
<br />
Following the report made by the SIGNAL SPAM association, the French DPA carried out an on-site inspection at the company's premises on 18 September 2019. <br />
<br />
===Dispute===<br />
<br />
*Insofar as the operational activities of the company were implemented from Morocco, is the GDPR applicable and is the CNIL competent in this case?<br />
*How is the notion of "consent" to be understood in the context of email prospecting operations?<br />
*Is the processing of the telephone number, in the context of prospection operations carried out solely by e-mail, contrary to the principle of data minimisation provided for in [https://gdprhub.eu/index.php?title=Article_5_GDPR Article 5(1)(c) GDPR]?<br />
*Is the simple opening of a prospecting e-mail sufficient to characterise the prospect's interest in the products and services of the sender of the message, and thus to extend the retention period of this data?<br />
*Is the apposition of a standard mention at the bottom of a prospecting e-mail sufficient regarding the information standards provided for in [https://gdprhub.eu/index.php?title=Article_14_GDPR Article 14 GDPR]?<br />
<br />
===Holding===<br />
The CNIL ordered PERFORMECLIC to pay an administrative fine of EUR 7,300. It also issued an injunction to bring the processing into compliance with the provisions of the French Post and Electronic Communications Code and the GDPR, accompanied by a penalty payment of EUR 1,000 per day of delay after a two-month period following notification of the decision. Finally, the French DPA made its decision public.<br />
<br />
The CNIL based its decision on the following grievances:<br />
<br />
====On the competence of the French DPA====<br />
At the time of the audit, the manager of the company indicated to the CNIL that the operational activities of the company were carried out from Morocco and that, in the near future, he intended to end the company's activities in France and carry them out in their entirety from Morocco, so that the GDPR did not apply in this case.<br />
<br />
With regard to [https://gdprhub.eu/index.php?title=Article_3_GDPR Article 3 GDPR] and Article 8 of the French Data Protection Act, the CNIL retains its jurisdiction and confirms the application of the GDPR, insofar as the company is established in France and addresses its prospecting messages to the French public only.<br />
<br />
====On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail====<br />
According to article L. 34-5(1) of the French Post and Electronic Communications Code, "direct prospecting by means of an automated electronic communications system, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited". With regard to this article, the notion of consent should be understood as any expression of free, specific and informed will by which a person agrees to the use of personal data concerning him/her for the purpose of direct prospecting. Thus, the consent of individuals must be obtained before any prospection by e-mail.<br />
<br />
In this case, the absence of any evidence, apart from the invoices produced by the company, attesting to the existence of valid consent from the persons concerned, combined with the number of reports received by the SIGNAL SPAM association about the company, i.e. 163,126 reports between 1 January 2019 and 11 June 2019, making it the sender of e-mails most reported by French Internet users to SIGNAL SPAM over this period, led the restricted formation to consider that the elements constituting a breach of Article L. 34-5 of the French Post and Electronic Communications Code were established.<br />
<br />
====On the failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company====<br />
The CNIL recalls the provisions of Article 5(1)(c) GDPR, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation).<br />
<br />
In the present case, the CNIL notes that the prospecting files contained the prospects' telephone numbers. However, the inspection showed that this information is not used by the company, which only carries out prospecting by e-mail.<br />
<br />
Consequently, the French DPA considers that the telephone number should not have been collected and processed by the company and should have been deleted from the databases. In these circumstances, the restricted formation considers that the company has failed to comply with the obligation provided for in Article 5(1)(c) GDPR to process only adequate, relevant personal data limited to what is necessary for the purposes for which they are processed.<br />
<br />
====On the failure to comply with the obligation to process personal data for no longer than is necessary for the purposes for which they are processed====<br />
Article 5(1)(e) GDPR provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.<br />
<br />
According to the CNIL's findings, the company kept prospect data for more than three years, including the contact details of approximately 5 million prospects who had only opened the prospecting e-mails sent by the company, without taking any further action, in particular without clicking on any of the links contained in those e-mails.<br />
<br />
The CNIL finds that the provisions of Article 5(1)(e) GDPR have been breached, emphasising in particular that the starting point set by the company to calculate the retention period for prospect data cannot be the simple opening of an email, insofar as the opening of an email does not necessarily reflect the prospect's interest in the products or services of the sender of the message, as the prospect may have opened the email by mistake or automatically, in particular due to the operation of his email software. By proceeding in this way, the company has not ensured the effective interest of the persons concerned by the commercial prospecting messages that it sends, although this is necessary to consider that there has indeed been contact with the prospect, such as to extend the retention period of his personal data.<br />
<br />
====On the failure to comply with the obligation to inform the data subjects====<br />
Article 14 GDPR requires the controller to provide the data subject with several pieces of information, such as the identity and contact details of the controller, the purposes of the processing, its legal basis, the categories of personal data concerned, the recipients of the data, the retention period, and the modalities for exercising the rights granted to data subjects. This information must be provided at the latest at the time of the first communication with the individual. <br />
<br />
In this case, the CNIL notes that in emails sent to prospects, information is provided by a standard mention at the bottom of the email. However, the CNIL points out that the company must provide individuals with complete information, whether it be from this first level of information given in the e-mails or by allowing them easy access to additional information, within a second level of information.<br />
<br />
However, the mention at the end of the e-mails sent to prospects does not include all the elements required by Article 14 GDPR. The CNIL also notes that no hypertext link leads to information more complete than that mention. Consequently, the CNIL finds a breach of the information obligation under Article 14 GDPR.<br />
<br />
====On the failure to respect the right to object of data subjects====<br />
In this case, the CNIL holds that the company carries out its commercial prospecting activity in silos: the personal data of prospects contained in the database is replicated across nine different accounts, and each account is associated with two different domain names. Thus, when a person clicks on an unsubscribe link to exercise their right to object, they are unsubscribed only from the account used to send the prospecting campaign in question, but not from the other accounts used by the company for other campaigns. <br />
<br />
[https://gdprhub.eu/index.php?title=Article_21_GDPR Article 21(2) GDPR] provides that where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him for such marketing purposes, including profiling insofar as it relates to such direct marketing.<br />
<br />
With regard to this article, the CNIL notes that the company's management of marketing campaigns in silos makes it ineffective for individuals to object to the processing of their data by the company for e-mail prospecting purposes when this right is exercised via the unsubscribe link at the bottom of the e-mails, since the unsubscription applies only to the account that sent the campaign concerned and not to the other accounts used by the company for other campaigns.<br />
<br />
In its defence, the company told the inspection team that, in order to be unsubscribed from all the accounts it uses to send prospecting e-mails, the person concerned must either make this request by replying to the prospecting e-mails received, or fill in an online form available on the PERFORMECLIC.FR domain.<br />
<br />
In this respect, the CNIL recalls that Article 12(2) GDPR requires the controller to facilitate the exercise of the rights conferred on data subjects by Articles 15 to 22 GDPR, which the company has in any event failed to do, by not offering data subjects a satisfactory means of exercising their rights and by not informing them of the channels enabling them to unsubscribe from all accounts, nor inviting them to use those channels to exercise their right to object.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-016&diff=13219CNIL (France) - SAN-2020-0162021-01-11T18:01:29Z<p>Fra-data67: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-016<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042774286?isSuggest=true<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=07.12.2020<br />
|Date_Published=31.12.2020<br />
|Year=2020<br />
|Fine=7300<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 2(2) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#2<br />
|GDPR_Article_2=Article 3(1) GDPR<br />
|GDPR_Article_Link_2=Article 3 GDPR#1<br />
|GDPR_Article_3=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1e<br />
|GDPR_Article_4=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1c<br />
|GDPR_Article_5=Article 12(2) GDPR<br />
|GDPR_Article_Link_5=Article 12 GDPR#2<br />
|GDPR_Article_6=Article 14 GDPR<br />
|GDPR_Article_Link_6=Article 14 GDPR<br />
|GDPR_Article_7=Article 21(2) GDPR<br />
|GDPR_Article_Link_7=Article 21 GDPR#2<br />
<br />
<br />
|National_Law_Name_1=Code des postes et des communications électroniques<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006070987/<br />
|National_Law_Name_2=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-11/<br />
<br />
|Party_Name_1=PERFORMECLIC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
On 7 December 2020, the CNIL's restricted formation sanctioned the company PERFORMECLIC for having sent commercial prospecting e-mails without proof of prior consent and without satisfactory information.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The PERFORMECLIC Company's activity is the sending of commercial prospecting by e-mail on behalf of advertisers. As such, the company holds a database of 20 million e-mail addresses of prospects that it has purchased from a third party company. <br />
<br />
Following the report made by the SIGNAL SPAM association, the French DPA carried out an on-site inspection at the company's premises on 18 September 2019. <br />
<br />
===Dispute===<br />
<br />
* Insofar as the operational activities of the company were implemented from Morocco, is the GDPR applicable and is the CNIL competent in this case? <br />
* How is the notion of "consent" to be understood in the context of email prospecting operations? <br />
* Is the processing of the telephone number in the context of canvassing operations carried out solely by e-mail contrary to the principle of data minimisation provided for in [https://gdprhub.eu/index.php?title=Article_5_GDPR Article 5(1)(e) GDPR]? <br />
* Is the simple opening of a prospecting e-mail sufficient to characterise the prospect's interest in the products and services of the sender of the message, and thus to extend the retention period of this data? <br />
* Is the apposition of a standard mention at the bottom of a prospecting e-mail sufficient regarding the information standards provided for in [https://gdprhub.eu/index.php?title=Article_14_GDPR Article 14 GDPR]? <br />
<br />
===Holding===<br />
The CNIL ordered PERFORMECLIC to pay an administrative fine of 7,300 euros. It also issued an injunction to bring the processing into compliance with the French Post and Electronic Communications Code and the GDPR, subject to a penalty payment of 1,000 euros per day of delay after a two-month period following notification of the decision. Finally, the CNIL made its decision public. <br />
<br />
The CNIL based its decision on the following grievances:<br />
<br />
==== On the competence of the French DPA ====<br />
At the time of the inspection, the company's manager told the CNIL that the company's operational activities were carried out from Morocco and that he intended, in the near future, to end the company's activities in France and carry them out entirely from Morocco, arguing that the GDPR therefore did not apply in this case.<br />
<br />
With regard to [https://gdprhub.eu/index.php?title=Article_3_GDPR Article 3 GDPR] and Article 8 of the French Data Protection Act, the CNIL retains its jurisdiction and confirms that the GDPR applies, since the company is established in France and addresses its prospecting messages to the French public only.<br />
<br />
==== On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail ====<br />
According to article L. 34-5(1) of the French Post and Electronic Communications Code, "direct prospecting by means of an automated electronic communications system, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited". With regard to this article, the notion of consent should be understood as any expression of free, specific and informed will by which a person agrees to the use of personal data concerning him/her for the purpose of direct prospecting. Thus, the consent of individuals must be obtained before any canvassing by e-mail.<br />
<br />
In this case, the absence of any evidence, apart from the invoices produced by the company, attesting to the existence of valid consent from the persons concerned, combined with the number of reports received by the SIGNAL SPAM association about the company, i.e. 163,126 reports between 1 January 2019 and 11 June 2019, making it the sender of e-mails most reported by French Internet users to SIGNAL SPAM over this period, led the restricted formation to consider that the elements constituting a breach of Article L. 34-5 of the French Post and Electronic Communications Code were established.<br />
<br />
==== On the failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company ====<br />
The CNIL recalls the provisions of Article 5(1)(c) GDPR, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation).<br />
<br />
In the present case, the CNIL notes that the prospecting files contained the prospects' telephone numbers. However, the inspection showed that this information is not used by the company, which only carries out canvassing by e-mail.<br />
<br />
Consequently, the French DPA considers that the telephone number should not have been collected and processed by the company and should have been deleted from the databases. In these circumstances, the restricted formation considers that the company has failed to comply with the obligation provided for in Article 5(1)(c) GDPR to process only adequate, relevant personal data limited to what is necessary for the purposes for which they are processed.<br />
<br />
==== On the failure to comply with the obligation to process personal data for no longer than is necessary for the purposes for which they are processed ====<br />
Article 5(1)(e) GDPR provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.<br />
<br />
According to the CNIL's findings, the company kept prospect data for more than three years, including the contact details of approximately 5 million prospects who had only opened the prospecting e-mails sent by the company, without taking any further action, in particular without clicking on any of the links contained in those e-mails.<br />
<br />
The CNIL finds that the provisions of Article 5(1)(e) GDPR have been breached, emphasising in particular that the starting point set by the company to calculate the retention period for prospect data cannot be the simple opening of an email, insofar as the opening of an email does not necessarily reflect the prospect's interest in the products or services of the sender of the message, as the prospect may have opened the email by mistake or automatically, in particular due to the operation of his email software. By proceeding in this way, the company has not ensured the effective interest of the persons concerned by the commercial prospecting messages that it sends, although this is necessary to consider that there has indeed been contact with the prospect, such as to extend the retention period of his personal data.<br />
<br />
==== On the failure to comply with the obligation to inform the data subjects ====<br />
Article 14 GDPR requires the controller to provide the data subject with several pieces of information, such as the identity and contact details of the controller, the purposes of the processing, its legal basis, the categories of personal data concerned, the recipients of the data, the retention period, and the modalities for exercising the rights granted to data subjects. This information must be provided at the latest at the time of the first communication with the individual. <br />
<br />
In this case, the CNIL notes that in emails sent to prospects, information is provided by a standard mention at the bottom of the email. However, the CNIL points out that the company must provide individuals with complete information, whether it be from this first level of information given in the e-mails or by allowing them easy access to additional information, within a second level of information.<br />
<br />
However, the mention at the end of the e-mails sent to prospects does not include all the elements required by Article 14 GDPR. The CNIL also notes that no hypertext link leads to information more complete than that mention. Consequently, the CNIL finds a breach of the information obligation under Article 14 GDPR.<br />
<br />
==== On the failure to respect the right to object of data subjects ====<br />
In this case, the CNIL holds that the company carries out its commercial prospecting activity in silos: the personal data of prospects contained in the database is replicated across nine different accounts, and each account is associated with two different domain names. Thus, when a person clicks on an unsubscribe link to exercise their right to object, they are unsubscribed only from the account used to send the prospecting campaign in question, but not from the other accounts used by the company for other campaigns. <br />
<br />
[https://gdprhub.eu/index.php?title=Article_21_GDPR Article 21(2) GDPR] provides that where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him for such marketing purposes, including profiling insofar as it relates to such direct marketing.<br />
<br />
With regard to this article, the CNIL notes that the company's management of marketing campaigns in silos makes it ineffective for individuals to object to the processing of their data by the company for e-mail prospecting purposes when this right is exercised via the unsubscribe link at the bottom of the e-mails, since the unsubscription applies only to the account that sent the campaign concerned and not to the other accounts used by the company for other campaigns.<br />
<br />
In its defence, the company told the inspection team that, in order to be unsubscribed from all the accounts it uses to send prospecting e-mails, the person concerned must either make this request by replying to the prospecting e-mails received, or fill in an online form available on the PERFORMECLIC.FR domain.<br />
<br />
In this respect, the CNIL recalls that Article 12(2) GDPR requires the controller to facilitate the exercise of the rights conferred on data subjects by Articles 15 to 22 GDPR, which the company has in any event failed to do, by not offering data subjects a satisfactory means of exercising their rights and by not informing them of the channels enabling them to unsubscribe from all accounts, nor inviting them to use those channels to exercise their right to object.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-016&diff=13215CNIL (France) - SAN-2020-0162021-01-11T17:49:50Z<p>Fra-data67: Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2020-016 |ECLI= |Origin..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-016<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042774286?isSuggest=true<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=07.12.2020<br />
|Date_Published=31.12.2020<br />
|Year=2020<br />
|Fine=7300<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 2(2) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#2<br />
|GDPR_Article_2=Article 3(1) GDPR<br />
|GDPR_Article_Link_2=Article 3 GDPR#1<br />
|GDPR_Article_3=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1e<br />
|GDPR_Article_4=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1c<br />
|GDPR_Article_5=Article 12(2) GDPR<br />
|GDPR_Article_Link_5=Article 12 GDPR#2<br />
|GDPR_Article_6=Article 14 GDPR<br />
|GDPR_Article_Link_6=Article 14 GDPR<br />
|GDPR_Article_7=Article 21(2) GDPR<br />
|GDPR_Article_Link_7=Article 21 GDPR#2<br />
<br />
<br />
|National_Law_Name_1=Code des postes et des communications électroniques<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000006070987/<br />
|National_Law_Name_2=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-11/<br />
<br />
|Party_Name_1=PERFORMECLIC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
On 7 December 2020, the CNIL's restricted formation sanctioned the company PERFORMECLIC for having sent commercial prospecting e-mails without proof of prior consent and without satisfactory information.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The PERFORMECLIC Company's activity is the sending of commercial prospecting by e-mail on behalf of advertisers. As such, the company holds a database of 20 million e-mail addresses of prospects that it has purchased from a third party company. <br />
<br />
Following the report made by the SIGNAL SPAM association, the French DPA carried out an on-site inspection at the company's premises on 18 September 2019. <br />
<br />
=== Dispute ===<br />
* Insofar as the operational activities of the company were implemented from Morocco, is the GDPR applicable and is the CNIL competent in this case? <br />
* How is the notion of "consent" to be understood in the context of email prospecting operations? <br />
* Is the processing of the telephone number in the context of canvassing operations carried out solely by e-mail contrary to the principle of data minimisation provided for in Article 5(1)(e) GDPR? <br />
* Is the simple opening of a prospecting e-mail sufficient to characterise the prospect's interest in the products and services of the sender of the message, and thus to extend the retention period of this data? <br />
* Is the apposition of a standard mention at the bottom of a prospecting e-mail sufficient regarding the information standards provided for in Article 14 GDPR? <br />
<br />
=== Holding ===<br />
The CNIL ordered PERFORMECLIC to pay an administrative fine of 7,300 euros. It also issued an injunction to bring the processing into compliance with the French Post and Electronic Communications Code and the GDPR, subject to a penalty payment of 1,000 euros per day of delay after a two-month period following notification of the decision. Finally, the CNIL made its decision public. <br />
<br />
The CNIL based its decision on the following grievances: <br />
<br />
==== On the competence of the French DPA ====<br />
At the time of the inspection, the company's manager told the CNIL that the company's operational activities were carried out from Morocco and that he intended, in the near future, to end the company's activities in France and carry them out entirely from Morocco, arguing that the GDPR therefore did not apply in this case. <br />
<br />
With regard to Article 3 GDPR and Article 8 of the French Data Protection Act, the CNIL retains its jurisdiction and confirms that the GDPR applies, since the company is established in France and addresses its prospecting messages to the French public only. <br />
<br />
==== On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail ====<br />
According to article L. 34-5(1) of the French Post and Electronic Communications Code, "direct prospecting by means of an automated electronic communications system, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited". With regard to this article, the notion of consent should be understood as any expression of free, specific and informed will by which a person agrees to the use of personal data concerning him/her for the purpose of direct prospecting. Thus, the consent of individuals must be obtained before any canvassing by e-mail. <br />
<br />
In this case, the absence of any evidence, apart from the invoices produced by the company, attesting to the existence of valid consent from the persons concerned, combined with the number of reports received by the SIGNAL SPAM association about the company, i.e. 163,126 reports between 1 January 2019 and 11 June 2019, making it the sender of e-mails most reported by French Internet users to SIGNAL SPAM over this period, led the restricted formation to consider that the elements constituting a breach of Article L. 34-5 of the French Post and Electronic Communications Code were established. <br />
<br />
==== On the failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company ====<br />
The CNIL recalls the provisions of Article 5(1)(c) GDPR, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation). <br />
<br />
In the present case, the CNIL notes that the prospecting files contained the prospects' telephone numbers. However, the inspection showed that this information is not used by the company, which only carries out canvassing by e-mail. <br />
<br />
Consequently, the French DPA considers that the telephone number should not have been collected and processed by the company and should have been deleted from the databases. In these circumstances, the restricted formation considers that the company has failed to comply with the obligation provided for in Article 5(1)(c) GDPR to process only adequate, relevant personal data limited to what is necessary for the purposes for which they are processed. <br />
<br />
==== On the failure to comply with the obligation to process personal data for no longer than is necessary for the purposes for which they are processed ====<br />
Article 5(1)(e) GDPR provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. <br />
<br />
According to the CNIL's findings, the company kept prospect data for more than three years, including the contact details of approximately 5 million prospects who had only opened the prospecting e-mails sent by the company, without taking any further action, in particular without clicking on any of the links contained in those e-mails. <br />
<br />
The CNIL finds that the provisions of Article 5(1)(e) GDPR have been breached, emphasising in particular that the starting point set by the company to calculate the retention period for prospect data cannot be the simple opening of an email, insofar as the opening of an email does not necessarily reflect the prospect's interest in the products or services of the sender of the message, as the prospect may have opened the email by mistake or automatically, in particular due to the operation of his email software. By proceeding in this way, the company has not ensured the effective interest of the persons concerned by the commercial prospecting messages that it sends, although this is necessary to consider that there has indeed been contact with the prospect, such as to extend the retention period of his personal data. <br />
<br />
<br />
<br />
<br />
<br />
ON THE FAILURE TO COMPLY WITH THE OBLIGATION TO INFORM THE DATA SUBJECTS: <br />
<br />
<br />
<br />
Article 14 GDPR requires the controller to provide the data subject with several pieces of information, such as the identity and contact details of the controller, the purposes of the processing operation, its legal basis, the categories of personal data concerned, the recipients of these data, the storage period, or the terms and conditions of the rights granted to the data subjects. In addition, this information must be provided at the latest at the time of the first communication with the individual. <br />
<br />
<br />
<br />
In this case, the CNIL notes that in the e-mails sent to prospects the information is provided by a standard notice at the bottom of the message. The CNIL points out that the company must give individuals complete information, either in this first layer of information contained in the e-mails or by giving them easy access to the additional information in a second layer. <br />
<br />
<br />
<br />
However, the notice at the end of the e-mails sent to prospects does not contain all the elements required by Article 14 GDPR, and the CNIL notes that no hyperlink leads to information more complete than the notice itself. The CNIL therefore finds a breach of the information obligation laid down in Article 14 GDPR. <br />
<br />
<br />
<br />
ON THE FAILURE TO RESPECT THE DATA SUBJECTS' RIGHT TO OBJECT: <br />
<br />
<br />
<br />
In this case, the CNIL finds that the company runs its commercial prospecting activity in silos: the personal data of prospects held in the database are replicated across nine separate accounts, each associated with two different domain names. As a result, when a person clicks an unsubscribe link to exercise the right to object, he or she is unsubscribed only from the account used to send that particular campaign, not from the other accounts the company uses for other campaigns. <br />
<br />
<br />
<br />
Article 21(2) GDPR provides that where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. <br />
<br />
<br />
<br />
With regard to this provision, the CNIL notes that the company's management of campaigns in silos renders ineffective any objection, made through the unsubscribe link at the bottom of the e-mails, to the processing of the person's data for e-mail prospecting: the person is unsubscribed only from the account used for that campaign and continues to be prospected from the other accounts. <br />
<br />
<br />
<br />
In its defence, the company told the inspection team that, to be unsubscribed from all the accounts it uses to send prospecting e-mails, the person concerned must either reply to a prospecting e-mail with that request or fill in an online form available on the PERFORMECLIC.FR domain. <br />
<br />
<br />
<br />
In this respect, the CNIL recalls that Article 12(2) GDPR requires the controller to facilitate the exercise of the rights conferred on the data subject by Articles 15 to 22 GDPR. The company in any event failed to do so: it neither offered data subjects a satisfactory means of exercising their rights nor informed them that channels existed for unsubscribing from all accounts and invited them to use those channels to exercise their right to object. <br />
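Both failings above are engineering choices as much as legal ones: the retention clock was keyed on an event (an open) that the prospect may never have caused, and the opt-out was written to one of nine per-account copies of the database. The following Go program, added here as an illustration and not part of the decision or of any system the company operates, models the corrected design: only deliberate actions (click, reply) move the retention clock, and every sending account consults one shared suppression list before it sends. The event names, the sample addresses and the account names are assumptions made for the example; the three-year period is the one the decision refers to.<br />
<br />
```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
	"time"
)

// EventKind distinguishes the interactions a prospect can have with a message.
type EventKind int

const (
	EventOpen  EventKind = iota // tracking-image load; may be automatic, so never a "contact"
	EventClick                  // deliberate action on a link in the message
	EventReply                  // deliberate reply to the message
)

// RetentionPeriod is how long a prospect record may be kept after the last
// deliberate interaction (three years, the period the decision refers to).
const RetentionPeriod = 3 * 365 * 24 * time.Hour

// Prospect is one record in the marketing database (constructed for the example).
type Prospect struct {
	Email       string
	LastContact time.Time // last deliberate interaction; an open never updates it
}

// Record applies an event to the prospect. Only deliberate actions move the
// retention clock; an open is ignored because the mail client may have
// triggered it without any interest on the prospect's part.
func (p *Prospect) Record(kind EventKind, at time.Time) {
	switch kind {
	case EventClick, EventReply:
		if at.After(p.LastContact) {
			p.LastContact = at
		}
	case EventOpen:
		// intentionally a no-op
	}
}

// Expired reports whether the record has outlived the retention period and
// must be deleted or anonymised.
func (p *Prospect) Expired(now time.Time) bool {
	return now.Sub(p.LastContact) > RetentionPeriod
}

// SuppressionList is one opt-out store shared by every sending account, so
// that a single unsubscribe click is honoured everywhere, not in one silo.
type SuppressionList struct {
	mu     sync.Mutex
	hashes map[string]struct{}
}

func NewSuppressionList() *SuppressionList {
	return &SuppressionList{hashes: make(map[string]struct{})}
}

// suppressionKey normalises the address and hashes it, so the shared list
// does not itself become another clear-text copy of the mailing database.
func suppressionKey(email string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(sum[:])
}

// Unsubscribe records the objection regardless of which account's link was clicked.
func (s *SuppressionList) Unsubscribe(email string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.hashes[suppressionKey(email)] = struct{}{}
}

// Suppressed is what every account's send path must consult before a message goes out.
func (s *SuppressionList) Suppressed(email string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, blocked := s.hashes[suppressionKey(email)]
	return blocked
}

// SendingAccount models one of the separate accounts used for campaigns.
type SendingAccount struct {
	Name        string
	Suppression *SuppressionList // the same pointer for every account
}

// MaySend returns false once the address has objected through any account.
func (a *SendingAccount) MaySend(email string) bool {
	return !a.Suppression.Suppressed(email)
}

func main() {
	shared := NewSuppressionList()
	accounts := []*SendingAccount{{Name: "account-1", Suppression: shared}, {Name: "account-2", Suppression: shared}}
	shared.Unsubscribe("prospect@example.test") // clicked in account-1's campaign
	for _, a := range accounts {
		fmt.Printf("%s may send: %v\n", a.Name, a.MaySend("prospect@example.test"))
	}
	p := &Prospect{Email: "prospect@example.test", LastContact: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)}
	p.Record(EventOpen, time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)) // does not count as contact
	fmt.Println("expired in June 2020:", p.Expired(time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)))
}
```
<br />
Run as written, it reports that neither account may send to the unsubscribed address, and that a record last clicked in 2017 is expired by mid-2020 even though an open was logged in 2019.<br />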
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-014&diff=13040CNIL (France) - SAN-2020-0142020-12-21T04:49:27Z<p>Fra-data67: /* English Summary */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-014<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042675720?tab_selection=cnil&searchField=ALL&query=&page=1&init=true&timeInterval=<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=07.12.2020<br />
|Date_Published=17.12.2020<br />
|Year=2020<br />
|Fine=3000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 9 GDPR<br />
|GDPR_Article_Link_1=Article 9 GDPR<br />
|GDPR_Article_2=Article 32 GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR<br />
|GDPR_Article_3=Article 33 GDPR<br />
|GDPR_Article_Link_3=Article 33 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The French DPA (CNIL) imposes a €3,000 fine on a doctor for failing to comply with the security obligation, because his patients' health data were freely accessible on the web.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Following a report from a website, the CNIL carried out an online inspection in September 2019 and found that thousands of medical images hosted on servers belonging to a private doctor were freely accessible on the Internet.<br />
<br />
===Dispute===<br />
<br />
* Does opening all the ports of his internet box in order to access his patients' health data remotely constitute a breach of the security obligation of [https://gdprhub.eu/index.php?title=Article_32_GDPR Article 32 GDPR]?<br />
* Does the fact that these health data were not encrypted constitute a breach of the security obligation under Article 32 GDPR? <br />
* Does the fact that the data breach was brought to the doctor's attention by the CNIL's control department relieve the doctor of his obligation to notify a breach, as required by [https://gdprhub.eu/index.php?title=Article_33_GDPR Article 33 GDPR]?<br />
<br />
===Holding===<br />
During the hearing, the doctor explained that, in order to access remotely the medical images stored on the hard drive of his home computer, he had opened the ports of his home internet box by placing that computer in the box's DMZ (which forwards every inbound connection from the Internet to it) so that the VPN would work.<br />
<br />
'''The CNIL imposed an administrative fine of €3,000 on a doctor whose patients' health data were freely accessible on the web, and made the decision public. The French DPA based its decision on two breaches: failure to comply with the security obligation, and failure to notify the breach to the CNIL.'''<br />
<br />
==== On the failure to comply with the security obligation ====<br />
After recalling the provisions of Article 32 GDPR, the CNIL makes several findings:<br />
<br />
* The doctor had not taken care to restrict network exposure to what was strictly necessary for the processing to function; exposing every port of the home computer to the Internet went well beyond what remote access through a VPN required.<br />
* Relying on its Personal Data Security guide, the CNIL recommends providing encryption for mobile workstations and removable storage media, for example by encrypting the whole disk where the operating system offers it, encrypting file by file, or creating encrypted containers (a single file that can hold several files). Similarly, the Practical Guide for Physicians encourages doctors to encrypt their patients' data with suitable software. In this case, the French DPA stresses that none of the data freely accessible on the Internet was encrypted.<br />
* The CNIL recalls that the data concerned are sensitive data within the meaning of [https://gdprhub.eu/index.php?title=Article_9_GDPR Article 9 GDPR]. The CNIL's sub-commission notes that the data affected by the breach included, in addition to the medical images, the patient's surname, first names and date of birth, the date of the examination, the names of the referring practitioner and of the practitioner who carried out the examination, and the name of the establishment where it took place. The data were exposed for approximately four months.<br />
<br />
Based on the evidence, the CNIL therefore concludes that there has been a breach of the obligation of security, as provided for in Article 32 GDPR.<br />
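What "encrypting file by file" looks like in practice, as an added example that is not part of the decision or of the CNIL guides it cites: each image is sealed with AES-256-GCM under a key generated separately from the data, and the file name is bound as associated data, so a copy that leaks the way this doctor's did is unreadable without the key, and any modification or renaming of a sealed file is detected on decryption rather than silently yielding garbage. The file name and the stand-in content are constructed for the example; where the key is kept afterwards (wrapped by a passphrase or in the operating system's key store, away from the images) is outside its scope.<br />
<br />
```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS random source. Where the
// key lives afterwards (passphrase-wrapped, OS key store) is a separate
// decision; it must never sit in the same folder as the encrypted images.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptFile seals one file's contents with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. The file name is passed as associated data, so
// the blob is also bound to the name it was written under.
func EncryptFile(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per file; with a fresh key per installation the
	// nonce-collision bound is not a concern at the scale of one practice's archive.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFile reverses EncryptFile. Any change to the blob, the key or the
// name makes the authentication tag fail and returns an error instead of data.
func DecryptFile(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the bytes of one medical image.
	image := []byte("constructed stand-in for the bytes of one medical image")
	blob, err := EncryptFile(key, image, "scan-0001.dcm")
	if err != nil {
		panic(err)
	}
	back, err := DecryptFile(key, blob, "scan-0001.dcm")
	fmt.Printf("round trip ok: %v (err=%v)\n", string(back) == string(image), err)

	// A leaked copy that someone edits, or renames, is rejected outright.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptFile(key, blob, "scan-0001.dcm")
	fmt.Println("tampered blob rejected:", err != nil)
}
```
<br />
Full-disk encryption, the first option the guide mentions, protects a stolen laptop but not a file that is served over an open port by a running system; per-file authenticated encryption protects the data in both cases, which is why the two are complementary rather than alternatives.<br />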
<br />
==== On the failure to comply with the obligation to notify breaches to the DPA ====<br />
In the present case, the doctor is accused of not having notified the data breach to the CNIL, which he disputes by stating that the need to notify the CNIL was never pointed out to him.<br />
<br />
Recalling the provisions of Article 33 GDPR, the CNIL stressed that the fact that the data breach was brought to the doctor's attention by the CNIL's inspection department did not relieve him of the obligation to notify it. Moreover, the Commission notes that the existence and nature of the notification obligation were set out in the e-mail of 8 October 2019 informing the doctor of the breach. It therefore concludes that Article 33 GDPR has been breached.<br />
<br />
==Comment==<br />
This decision is linked to [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042676787?init=true&page=1&query=&searchField=ALL&tab_selection=cnil&timeInterval= decision SAN-2020-015], by which the French DPA fined another private doctor €6,000 for having insufficiently protected patients' personal data and for not having notified a data breach to the CNIL.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-012&diff=12980CNIL (France) - SAN-2020-0122020-12-15T18:34:12Z<p>Fra-data67: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-012<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=07.12.2020<br />
|Date_Published=10.12.2020<br />
|Year=2020<br />
|Fine=100000000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 26(1) GDPR<br />
|GDPR_Article_Link_2=Article 26 GDPR#1<br />
|GDPR_Article_3=Article 56 GDPR<br />
|GDPR_Article_Link_3=Article 56 GDPR<br />
|GDPR_Article_4=Article 60 GDPR<br />
|GDPR_Article_Link_4=Article 60 GDPR<br />
<br />
|EU_Law_Name_1=Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communication sector <br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058<br />
<br />
|National_Law_Name_1=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-12-15/<br />
<br />
|Party_Name_1=Google Ireland Ltd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The French DPA (Commission Nationale de l'Informatique et des Libertés, CNIL) imposed fines totalling 100 million euros on Google LLC and Google Ireland Ltd for placing cookies on users' devices without prior consent or information.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Google LLC is a company headquartered in California (USA). Since its creation in 1998 it has developed numerous services for individuals and businesses, such as the Google Search engine, the Gmail e-mail service, the Google Maps mapping service and the YouTube video platform. It has more than 70 offices in some 50 countries and employed more than 110,000 people worldwide in 2019. Since August 2015 it has been a wholly owned subsidiary of Alphabet Inc., the parent company of the Google group. <br />
<br />
Google Ireland Ltd, based in Dublin (Ireland), is the headquarters of the Google Group for its activities in the European Economic Area and Switzerland. Google France SARL is the French branch of the Google Group. <br />
<br />
On 16 March 2020, the French DPA (CNIL) carried out an online check on the google.fr website. The CNIL then found several violations of the rules relating to cookies, contained in [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the French Data Protection Act] (Loi Informatique et Libertés), as transposed from the e-Privacy Directive. <br />
<br />
===Dispute===<br />
<br />
*Is the French DPA materially and territorially competent to control and sanction cookies deposited by companies on users' computers? More specifically, is the lead authority mechanism as detailed in [https://gdprhub.eu/index.php?title=Article_56_GDPR Articles 56] and [https://gdprhub.eu/index.php?title=Article_60_GDPR 60 GDPR] applicable in this case?<br />
*Are Google LLC and Google Ireland LTD to be considered as joint controllers within the meaning of [https://gdprhub.eu/index.php?title=Article_26_GDPR article 26 GDPR]?<br />
*Does an information banner at the bottom of the page referring to the privacy policy constitute information in compliance with Article 82 of the French Data Protection Act (prior, clear and complete information on the purposes and rights of the persons concerned)?<br />
*Does the deposit of a cookie for advertising purposes require the prior consent of the persons concerned under Article 82 of the French Data Protection Act?<br />
*Is it consistent with the opt-out mechanism that several advertising cookies remained stored on the user's terminal and continued to send information to the server to which they were attached at each new interaction with the domain concerned, even though the person had deactivated ad personalisation on Google Search?<br />
<br />
===Holding===<br />
The French DPA fined Google LLC €60 million and Google Ireland Limited €40 million and made the decision public. Given that the companies' practices affected nearly 50 million users, and the considerable profits the companies derive from advertising revenue generated indirectly from the data collected through these advertising cookies, the CNIL also issued an injunction requiring the companies to inform users in accordance with Article 82 of the French Data Protection Act within three months of notification, failing which they will be liable to a penalty payment of €100,000 per day of delay. <br />
<br />
In order to justify its decision, the French DPA has identified several failings in terms of cookie management, with regard to the provisions of article 82 of the French Data Protection Act. <br />
<br />
====On the material and territorial competence of the French DPA====<br />
In its decision, '''the CNIL's sub-commission recalls that the French DPA is <u>materially</u> competent to control and sanction cookies deposited by companies on the computers of users residing in France'''. When a processing operation falls within the material scope of both the ePrivacy Directive and the GDPR, the CNIL notes, reference should be made to the provisions of the two texts that govern how they interact: recital 173 GDPR explicitly provides that the Regulation does not apply to processing of personal data that is subject to the specific obligations laid down in the ePrivacy Directive. <br />
<br />
The CNIL also stresses that this articulation was confirmed by the Court of Justice of the European Union in its Planet49 judgment of 1 October 2019 ([http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=18824560 C-613/17]). Accordingly, the French DPA concludes that the lead-authority mechanism provided for by the GDPR does not apply in this procedure, since operations related to the use of cookies fall within the scope of the ePrivacy Directive as transposed in Article 82 of the French Data Protection Act. <br />
<br />
'''The CNIL's sub-commission further considered that it is also <u>territorially</u> competent under Article 3 of the French Data Protection Act''', because the cookies are used in the context of the activities of Google France, which is the establishment on French territory of Google LLC and Google Ireland Ltd and promotes their products and services. <br />
<br />
====On the determination of responsibilities====<br />
The CNIL’s sub-commission notes that Articles 4(7) and 26(1) GDPR are applicable to the present proceedings because of the use of the concept of controller in Article 82 of French Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR. <br />
<br />
According to Article 4(7) GDPR, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. According to Article 26(1) GDPR, where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. <br />
<br />
'''The CNIL considers that Google Ireland Ltd and Google LLC should be considered as joint controllers for the processing in question, since the companies both determine the purposes and means of the processing consisting of operations to access or deposit cookies in the terminal of Google Search users residing in France.''' <br />
<br />
Indeed, Google Ireland Ltd is involved in developing and supervising the internal policies that guide the products and their design, in setting parameters, in determining privacy rules and in all checks carried out before products are launched, applying the principle of privacy by design. <br />
<br />
With regard to Google LLC, the CNIL considers that, although the contract concluded with Google Ireland Ltd presents Google LLC as a processor of Google Ireland Ltd, Google LLC's actual involvement in the processing goes far beyond that of a processor which merely carries out processing operations on behalf of Google Ireland Ltd and on its sole instructions. Google LLC also determines the means of the processing since, as noted above, it is Google LLC that designs and builds the cookie technology placed on the terminals of European users. The CNIL therefore concludes that Google LLC must also be regarded as a controller. <br />
<br />
====On the violation of provisions on cookies====<br />
During the online check carried out on 16 March 2020, the CNIL noted that, when users reached the google.fr website, seven cookies were placed on their terminal equipment, before any action. In its letter dated 30 April 2020, Google Ireland Ltd indicated that four of these seven cookies were used for advertising purposes.<br />
<br />
In this context, the CNIL's sub-commission recalls the provisions of Article 82 of the French Data Protection Act, under which any deposit of cookies or trackers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service at the express request of the user. <br />
<br />
'''As a result, the CNIL found several violations of these provisions: the lack of prior information to users, the failure to obtain the consent of individuals before depositing cookies on their terminal, and the impossibility for individuals to refuse the deposit of all cookies.''' <br />
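The first finding rests on a simple observable fact: which cookies a site sets before the user has done anything. An auditor can reproduce that check offline from a captured first response, as in this Go program, added here as an example and not part of the decision or of any CNIL tooling. The raw HTTP response, the cookie names and the allow-list of strictly necessary cookies are all constructed for the example (they are not a capture of google.fr); in a real check the response would be recorded with a fresh browser profile so that no earlier consent state exists.<br />
<br />
```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// constructedFirstLoad is a hypothetical first response from a site, written
// here as sample input; it is not a capture from google.fr or any real site.
const constructedFirstLoad = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html; charset=utf-8\r\n" +
	"Set-Cookie: session_pref=fr; Path=/; HttpOnly\r\n" +
	"Set-Cookie: ad_id=c0ffee; Domain=.example.test; Path=/; Max-Age=15552000; Secure\r\n" +
	"Set-Cookie: ad_pref=1; Domain=.example.test; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT\r\n" +
	"Set-Cookie: csrf_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n" +
	"Content-Length: 0\r\n\r\n"

// strictlyNecessary is the allow-list of cookie names the operator can justify
// under the exemption (communication, or a service the user expressly asked for).
// The entry is an assumption for this example; a real list comes from the
// site's own cookie inventory.
var strictlyNecessary = map[string]bool{"csrf_token": true}

// Finding describes one cookie set on first load.
type Finding struct {
	Name       string
	Persistent bool          // survives the browser session (Max-Age or Expires set)
	Lifetime   time.Duration // remaining lifetime; 0 for session cookies
	Exempt     bool          // on the strictly-necessary allow-list
}

// AuditFirstLoad parses the raw response and reports every cookie it sets
// before the user has interacted with the page at all.
func AuditFirstLoad(raw string, exempt map[string]bool, now time.Time) ([]Finding, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	var out []Finding
	for _, c := range resp.Cookies() { // parses each Set-Cookie header in order
		f := Finding{Name: c.Name, Exempt: exempt[c.Name]}
		switch {
		case c.MaxAge > 0: // Max-Age takes precedence over Expires per RFC 6265
			f.Persistent = true
			f.Lifetime = time.Duration(c.MaxAge) * time.Second
		case !c.Expires.IsZero():
			f.Persistent = true
			f.Lifetime = c.Expires.Sub(now)
		}
		out = append(out, f)
	}
	return out, nil
}

// NeedsPriorConsent returns the names of cookies that may not be deposited
// before the user has opted in: everything that is not strictly necessary,
// whatever its lifetime.
func NeedsPriorConsent(findings []Finding) []string {
	var names []string
	for _, f := range findings {
		if !f.Exempt {
			names = append(names, f.Name)
		}
	}
	return names
}

func main() {
	findings, err := AuditFirstLoad(constructedFirstLoad, strictlyNecessary, time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-13s persistent=%-5v lifetime=%-10v exempt=%v\n", f.Name, f.Persistent, f.Lifetime, f.Exempt)
	}
	fmt.Println("set before any consent:", NeedsPriorConsent(findings))
}
```
<br />
Everything not on the allow-list is reported as requiring prior consent; the persistence and lifetime columns show which of those also outlive the session, which is the usual profile of an advertising cookie and the kind of detail a consent banner has to explain.<br />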
<br />
=====''The lack of information to users''=====<br />
The CNIL notes that the information provided to users residing in France relating to operations to access or deposit information in their terminal when using the Google Search engine was insufficient and unclear, and therefore violated the provisions of Article 82 of the French Data Protection Act. More specifically, the CNIL emphasized that: <br />
<br />
*'''Cookies may be accessed or deposited only if the user has consented after receiving clear and complete information on the purposes of the cookies and on the means available to object to them'''. First, the CNIL observed that when a user arrived on google.fr, an information banner at the bottom of the page displayed the notice "Reminder regarding Google's privacy policy" next to two buttons, "Remind me later" and "Consult now". A mere reference to the privacy policy, the CNIL stresses, is not explicit enough to give individuals the information required by Article 82 of the French Data Protection Act. Second, the CNIL noted during its online checks that the privacy rules opened in a pop-up window when users clicked "Consult now" still contained no section devoted to the use of cookies and other trackers, only general information on the personal data processed by Google services, and that at this stage users were still not told that they could refuse cookies on their terminal equipment. Consequently, '''the CNIL concluded that the information provided by the companies, both in the banner and in the pop-up window, did not allow users residing in France who use the Google Search engine to be informed clearly and in advance of the existence of operations accessing or depositing information on their terminal, nor therefore of the purposes of those operations and of the means available to refuse them'''.<br />
<br />
*The CNIL notes that since the sanction proceedings were initiated, the companies have made a series of changes to the way they use cookies. Since 20 September 2020, every user visiting google.fr sees, in the middle of the screen and before being able to access the search engine, a pop-up window entitled "Before continuing" which contains prior information on cookies. '''Although the French DPA acknowledges a clear improvement over the previous banners, it considers that the information provided is still not clear and complete within the meaning of Article 82 of the French Data Protection Act, because it does not tell the user all the purposes of the cookies deposited nor the means available to object to them'''. The presentation of the purposes in this banner remains too general for users to understand easily and clearly why cookies are placed on their terminal, and the information is incomplete because users are still not told of their right to object to these cookies or of the means provided for that purpose (the labels "Options" and "More information" are not explicit enough for users to grasp directly the extent of their rights).<br />
<br />
=====''The failure to obtain the consent of individuals before depositing cookies on their terminal''=====<br />
In this respect, after recalling the provisions of Article 82 of the French Data Protection Act, the CNIL concludes that since these four cookies neither have the sole purpose of enabling or facilitating communication by electronic means nor are strictly necessary for the provision of an online communication service at the express request of the user, '''the sub-commission considers that the companies should have obtained the users' prior consent before depositing them on the user's terminal.''' <br />
<br />
=====''The Google’s partially flawed opposition mechanism''=====<br />
First of all, the CNIL underlines that the use of the expression "withdraw consent" is particularly abusive, insofar as the cookies were deposited on the user's terminal even before their consent was obtained (absence of opt-in). <br />
<br />
Also, the DPA's sub-commission holds that, after the user had nevertheless deactivated the personalisation of ads on Google Search and continued browsing the site, several of these advertising cookies remained stored on the user's computer and continued to be read by the server to which they were attached (for example google.com or google.fr) on each new interaction with the domain concerned. <br />
<br />
Consequently, '''the CNIL concluded that the system put in place by the companies to oppose cookies for advertising purposes placed on the user's terminal was partially defective, in violation of the requirements of Article 82 of the French Data Protection Act'''. <br />
<br />
==Comment==<br />
This decision is highly interesting, as it clarifies the articulation between two instruments for the protection of personal data in the context of the deposit of cookies: on the one hand, the GDPR, which provides a general framework, and on the other hand, the national provisions resulting from the transposition of the ePrivacy Directive. The decision recalls the complementary nature of the two instruments, and underlines in particular the special nature of the scope of the ePrivacy Directive, which provides specific obligations in the electronic communications sector. <br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-012&diff=12979CNIL (France) - SAN-2020-0122020-12-15T18:33:17Z<p>Fra-data67: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-012<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=07.12.2020<br />
|Date_Published=10.12.2020<br />
|Year=2020<br />
|Fine=100000000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 26(1) GDPR<br />
|GDPR_Article_Link_2=Article 26 GDPR#1<br />
|GDPR_Article_3=Article 56 GDPR<br />
|GDPR_Article_Link_3=Article 56 GDPR<br />
|GDPR_Article_4=Article 60 GDPR<br />
|GDPR_Article_Link_4=Article 60 GDPR<br />
<br />
|EU_Law_Name_1=Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communication sector <br />
|EU_Law_Link_1=https://eur-lex.europa.eu/TodayOJ/<br />
<br />
|National_Law_Name_1=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-12-15/<br />
<br />
|Party_Name_1=Google Ireland Ltd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) imposed a sanction on Google LLC and Google Ireland Ltd for a total amount of 100 million euros for depositing cookies on users’ devices without prior consent or information.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Google LLC is a company headquartered in California, USA. Since its creation in 1998, it has developed numerous services for individuals and businesses, such as the Google Search engine, the Gmail email service, the Google Maps mapping service, and the YouTube video platform. It has more than 70 offices in some 50 countries and employed more than 110,000 people worldwide in 2019. Since August 2015, it has been a wholly owned subsidiary of Alphabet Inc, the parent company of the Google group. <br />
<br />
Google Ireland Ltd, based in Dublin (Ireland), is the headquarters of the Google Group for its activities in the European Economic Area and Switzerland. Google France SARL is the French branch of the Google Group. <br />
<br />
On 16 March 2020, the French DPA (CNIL) carried out an online check on the google.fr website. The CNIL then found several violations of the rules relating to cookies, contained in [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the French Data Protection Act] (Loi Informatique et Libertés), as transposed from the e-Privacy Directive. <br />
<br />
===Dispute===<br />
<br />
* Is the French DPA materially and territorially competent to control and sanction cookies deposited by companies on users' computers? More specifically, is the lead authority mechanism as detailed in [https://gdprhub.eu/index.php?title=Article_56_GDPR Articles 56] and [https://gdprhub.eu/index.php?title=Article_60_GDPR 60 GDPR] applicable in this case? <br />
* Are Google LLC and Google Ireland LTD to be considered as joint controllers within the meaning of [https://gdprhub.eu/index.php?title=Article_26_GDPR article 26 GDPR]? <br />
* Does an information banner at the bottom of the page referring to the privacy policy constitute information in compliance with Article 82 of the French Data Protection Act (prior, clear and complete information on the purposes and rights of the persons concerned)? <br />
* Does the deposit of a cookie for advertising purposes require the prior consent of the persons concerned under Article 82 of the French Data Protection Act? <br />
* Is the fact that several cookies for advertising purposes remained stored on the user's terminal and continued to be read by the server to which these cookies were attached during each new interaction with the domain concerned, even though the person concerned had deactivated the personalisation of ads on Google Search, consistent with the opt-out mechanism? <br />
<br />
===Holding===<br />
The French DPA fined GOOGLE LLC 60 million euros and GOOGLE IRELAND LIMITED 40 million euros, both of which were made public. Insofar as the practices of these companies have affected nearly 50 million users, and given the considerable profits that the companies derive from the advertising revenues indirectly generated from the data collected by these advertising cookies, the CNIL has issued an injunction under penalty so that the companies proceed to inform people in accordance with Article 82 of the French Data Protection Act within 3 months of notification. Otherwise, the companies will be liable to a penalty payment of 100 000 euros per day of delay. <br />
<br />
In order to justify its decision, the French DPA has identified several failings in terms of cookie management, with regard to the provisions of article 82 of the French Data Protection Act. <br />
<br />
==== On the material and territorial competence of the French DPA ====<br />
In its decision, '''the CNIL’s sub-commission recalls that the French DPA is <u>materially</u> competent to control and sanction cookies deposited by companies on the computers of users residing in France'''. Indeed, the CNIL notes that when a processing operation falls within the material scope of both the ePrivacy Directive and the GDPR, reference should be made to the relevant provisions of the two texts that provide for their articulation. Thus, recital 173 of the Regulation explicitly provides that it is not applicable to processing of personal data which is subject to specific obligations set out in the ePrivacy Directive. <br />
<br />
The CNIL also stresses that this articulation was confirmed by the Court of Justice of the European Union in its PLANET49 decision of 1 October 2019 ([http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=18824560 C-613/17]). In doing so, the French DPA concludes that the lead authority mechanism provided for by the GDPR was not intended to apply in this procedure since operations related to the use of cookies fall within the scope of the ePrivacy Directive, as transposed in Article 82 of the French Data Protection Act. <br />
<br />
Also, '''the CNIL’s sub-commission considered that it is also <u>territorially</u> competent in application of article 3 of the French Data Protection Act''' because the use of cookies is carried out within the framework of the activities of the company Google France which constitutes the establishment on French territory of the companies Google LLC and Google Ireland Ltd and ensures the promotion of their products and services. <br />
<br />
==== On the determination of responsibilities ====<br />
The CNIL’s sub-commission notes that Articles 4(7) and 26(1) GDPR are applicable to the present proceedings because of the use of the concept of controller in Article 82 of French Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR. <br />
<br />
According to Article 4(7) GDPR, the controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. According to Article 26(1) GDPR, when two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. <br />
<br />
'''The CNIL considers that Google Ireland Ltd and Google LLC should be considered as joint controllers for the processing in question, since the companies both determine the purposes and means of the processing consisting of operations to access or deposit cookies in the terminal of Google Search users residing in France.''' <br />
<br />
Indeed, Google Ireland Ltd is involved in the development and supervision of the internal policies that guide the products and their design, the setting of parameters, the determination of privacy rules and all checks carried out prior to the launch of the products, in application of the principle of privacy by design. <br />
<br />
With regard to Google LLC, the CNIL considers that although it appears from the contract concluded with Google Ireland Ltd that Google LLC acts as a processor of Google Ireland Ltd, it appears that the actual involvement of Google LLC in the processing in question goes far beyond that of a processor that merely carries out processing operations on behalf of Google Ireland Ltd and on its sole instructions. Thus, Google LLC also determines the means of processing since, as mentioned above, it is Google LLC that designs and builds the technology of cookies placed on the terminals of European users. The CNIL therefore concludes that Google LLC must also be granted the status of data controller. <br />
<br />
==== On the violation of provisions on cookies ====<br />
During the online check carried out on 16 March 2020, the CNIL noted that, when users reached the google.fr website, seven cookies were placed on their terminal equipment, before any action. In its letter dated 30 April 2020, Google Ireland Ltd indicated that four of these seven cookies were used for advertising purposes.<br />
<br />
In this context, the CNIL’s sub-commission recalls the provisions of Article 82 of the French Data Protection Act, according to which any deposit of cookies or tracers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user. <br />
<br />
'''As a result, the CNIL found several violations of these provisions: the lack of prior information to users, the failure to obtain the consent of individuals before depositing cookies on their terminal, and the impossibility for individuals to refuse the deposit of all cookies.''' <br />
<br />
===== ''The lack of information to users'' =====<br />
The CNIL notes that the information provided to users residing in France relating to operations to access or deposit information in their terminal when using the Google Search engine was insufficient and unclear, and therefore violated the provisions of Article 82 of the French Data Protection Act. More specifically, the CNIL emphasized that: <br />
<br />
* '''Access to or deposit of a cookie can only take place on the condition that the user has consented to it after having received clear and complete information relating to the purposes of the cookies deposited and the means at his disposal to object to them'''. Firstly, the CNIL noticed that when a user reached the google.fr website, an information banner was displayed at the bottom of the page, containing the following notice "Reminder regarding Google's privacy policy", opposite which were two buttons entitled "Remind me later" and "Consult now". The CNIL highlights that the simple reference to the privacy policy is not explicit enough to enable individuals to obtain information in accordance with the provisions of Article 82 of the French Data Protection Act. Then, the CNIL noted during the online checks that the privacy rules that opened in pop-up windows when people clicked on the “View Now” button still did not contain any section dedicated to the use of cookies and other tracers, despite general information about the personal data processed by Google services. In addition, the data subjects were still not informed at this stage of their ability to refuse cookies on their terminal equipment. Consequently, '''the CNIL concluded that the information provided by the companies, both in the banner and in the pop-up window, did not allow users residing in France, when using the Google Search engine, to be clearly informed in advance of the existence of operations allowing access to and deposit of information in their terminal and, consequently, to be clearly informed in advance of the purpose of such operations and the means made available to them for refusing them'''. <br />
<br />
* The CNIL underlines that since the initiation of the sanction proceedings, the companies have undertaken a series of changes in the way they use cookies. Thus, since 20 September 2020, all users visiting the google.fr website now see, in the middle of their screen, before being able to access the search engine, a pop-up window entitled "Before continuing" which contains prior information relating to cookies. '''However, although the French DPA highlights a definite change compared to previous information banners, the CNIL considers that the information provided is still not clear and complete within the meaning of Article 82 of the French Data Protection Act, insofar as this information does not inform the user of all the purposes of the cookies deposited and the means at his disposal to oppose them'''. Indeed, the presentation of the different purposes mentioned in this banner remains too general for users to easily and clearly understand why cookies are deposited on their terminal. Furthermore, the information provided is incomplete as users are still not informed about their right to object to these cookies, nor about the means made available to them for this purpose (the terms "Options" or "More information" are not explicit enough to enable users to directly understand the extent of their rights). <br />
<br />
===== ''The failure to obtain the consent of individuals before depositing cookies on their terminal'' =====<br />
In this respect, after recalling the provisions of Article 82 of the French Data Protection Act, the CNIL concludes that since these four cookies do not have the sole purpose of enabling or facilitating communication by electronic means nor are they strictly necessary for the provision of an online communication service at the express request of the user, '''the sub-commission considers that the companies should have obtained the prior consent of the users, before depositing cookies on the user's terminal.''' <br />
<br />
===== ''Google’s partially flawed opposition mechanism'' =====<br />
First of all, the CNIL underlines that the use of the expression "withdraw consent" is particularly abusive, insofar as the cookies were deposited on the user's terminal even before their consent was obtained (absence of opt-in). <br />
<br />
Also, the DPA's sub-commission holds that, after the user had nevertheless deactivated the personalisation of ads on Google Search and continued browsing the site, several of these advertising cookies remained stored on the user's computer and continued to be read by the server to which they were attached (for example google.com or google.fr) on each new interaction with the domain concerned. <br />
<br />
Consequently, '''the CNIL concluded that the system put in place by the companies to oppose cookies for advertising purposes placed on the user's terminal was partially defective, in violation of the requirements of Article 82 of the French Data Protection Act'''. <br />
<br />
==Comment==<br />
This decision is highly interesting, as it clarifies the articulation between two instruments for the protection of personal data in the context of the deposit of cookies: on the one hand, the GDPR, which provides a general framework, and on the other hand, the national provisions resulting from the transposition of the ePrivacy Directive. The decision recalls the complementary nature of the two instruments, and underlines in particular the special nature of the scope of the ePrivacy Directive, which provides specific obligations in the electronic communications sector. <br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-012&diff=12976CNIL (France) - SAN-2020-0122020-12-15T18:20:53Z<p>Fra-data67: Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2020-012 |ECLI= |Origin..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-012<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=07.12.2020<br />
|Date_Published=10.12.2020<br />
|Year=2020<br />
|Fine=100000000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 26(1) GDPR<br />
|GDPR_Article_Link_2=Article 26 GDPR#1<br />
|GDPR_Article_3=Article 56 GDPR<br />
|GDPR_Article_Link_3=Article 56 GDPR<br />
|GDPR_Article_4=Article 60 GDPR<br />
|GDPR_Article_Link_4=Article 60 GDPR<br />
<br />
|EU_Law_Name_1=Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communication sector <br />
|EU_Law_Link_1=https://eur-lex.europa.eu/TodayOJ/<br />
<br />
|National_Law_Name_1=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-12-15/<br />
<br />
|Party_Name_1=Google Ireland Ltd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) imposed a sanction on Google LLC and Google Ireland Ltd for a total amount of 100 million euros for depositing cookies on users’ devices without prior consent or information.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Google LLC is a company headquartered in California, USA. Since its creation in 1998, it has developed numerous services for individuals and businesses, such as the Google Search engine, the Gmail email service, the Google Maps mapping service, and the YouTube video platform. It has more than 70 offices in some 50 countries and employed more than 110,000 people worldwide in 2019. Since August 2015, it has been a wholly owned subsidiary of Alphabet Inc, the parent company of the Google group. <br />
<br />
Google Ireland Ltd, based in Dublin (Ireland), is the headquarters of the Google Group for its activities in the European Economic Area and Switzerland. Google France SARL is the French branch of the Google Group. <br />
<br />
On 16 March 2020, the French DPA (CNIL) carried out an online check on the google.fr website. The CNIL then found several violations of the rules relating to cookies, contained in Article 82 of the French Data Protection Act (Loi Informatique et Libertés), as transposed from the e-Privacy Directive. <br />
<br />
=== Dispute ===<br />
Is the French DPA materially and territorially competent to control and sanction cookies deposited by companies on users' computers? More specifically, is the lead authority mechanism as detailed in Articles 56 and 60 GDPR applicable in this case? <br />
Are Google LLC and Google Ireland LTD to be considered as joint controllers within the meaning of Article 26 GDPR? <br />
Does an information banner at the bottom of the page referring to the privacy policy constitute information in compliance with Article 82 of the French Data Protection Act (prior, clear and complete information on the purposes and rights of the persons concerned)? <br />
Does the deposit of a cookie for advertising purposes require the prior consent of the persons concerned under Article 82 of the French Data Protection Act? <br />
Is the fact that several cookies for advertising purposes remained stored on the user's terminal and continued to be read by the server to which these cookies were attached during each new interaction with the domain concerned, even though the person concerned had deactivated the personalisation of ads on Google Search, consistent with the opt-out mechanism? <br />
<br />
=== Holding ===<br />
The French DPA fined GOOGLE LLC 60 million euros and GOOGLE IRELAND LIMITED 40 million euros, both of which were made public. Insofar as the practices of these companies have affected nearly 50 million users, and the considerable profits that the companies derive from the advertising revenues indirectly generated from the data collected by these advertising cookies, the CNIL has issued an injunction under penalty so that the companies proceed to inform people in accordance with Article 82 of the French Data Protection Act within 3 months of notification. Otherwise, the companies will be liable to a penalty payment of 100 000 euros per day of delay. <br />
<br />
In order to justify its decision, the French DPA has identified several failings in terms of cookie management, with regard to the provisions of article 82 of the French Data Protection Act. <br />
<br />
On the material and territorial competence of the French DPA: <br />
<br />
In its decision, the CNIL’s sub-commission recalls that the French DPA is materially competent to control and sanction cookies deposited by companies on the computers of users residing in France. Indeed, the CNIL notes that when a processing operation falls within the material scope of both the ePrivacy Directive and the GDPR, reference should be made to the relevant provisions of the two texts that provide for their articulation. Thus, recital 173 of the Regulation explicitly provides that it is not applicable to processing of personal data which is subject to specific obligations set out in the ePrivacy Directive. <br />
<br />
The CNIL also stresses that this articulation was confirmed by the Court of Justice of the European Union in its PLANET49 decision of 1 October 2019 (C-613/17). In doing so, the French DPA concludes that the lead authority mechanism provided for by the GDPR was not intended to apply in this procedure since operations related to the use of cookies fall within the scope of the ePrivacy Directive, as transposed in Article 82 of the French Data Protection Act. <br />
<br />
Also, the CNIL’s sub-commission considered that it is also territorially competent in application of article 3 of the French Data Protection Act because the use of cookies is carried out within the framework of the activities of the company Google France which constitutes the establishment on French territory of the companies Google LLC and Google Ireland Ltd and ensures the promotion of their products and services. <br />
<br />
On the determination of responsibilities <br />
The CNIL’s sub-commission notes that Articles 4(7) and 26(1) GDPR are applicable to the present proceedings because of the use of the concept of controller in Article 82 of French Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR. <br />
<br />
According to Article 4(7) GDPR, the controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. According to Article 26(1) GDPR, when two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. <br />
<br />
The CNIL considers that Google Ireland Ltd and Google LLC should be considered as joint controllers for the processing in question, since the companies both determine the purposes and means of the processing consisting of operations to access or deposit cookies in the terminal of Google Search users residing in France. <br />
<br />
Indeed, Google Ireland Ltd is involved in the development and supervision of the internal policies that guide the products and their design, the setting of parameters, the determination of privacy rules and all checks carried out prior to the launch of the products, in application of the principle of privacy by design. <br />
<br />
With regard to Google LLC, the CNIL considers that although it appears from the contract concluded with Google Ireland Ltd that Google LLC acts as a processor of Google Ireland Ltd, it appears that the actual involvement of Google LLC in the processing in question goes far beyond that of a processor that merely carries out processing operations on behalf of Google Ireland Ltd and on its sole instructions. Thus, Google LLC also determines the means of processing since, as mentioned above, it is Google LLC that designs and builds the technology of cookies placed on the terminals of European users. The CNIL therefore concludes that Google LLC must also be granted the status of data controller. <br />
<br />
On the violation of provisions on cookies <br />
During the online check carried out on 16 March 2020, the CNIL noted that, when users reached the google.fr website, seven cookies were placed on their terminal equipment, before any action. In its letter dated 30 April 2020, Google Ireland Ltd indicated that four of these seven cookies were used for advertising purposes. <br />
<br />
In this context, the CNIL’s sub-commission recalls the provisions of Article 82 of the French Data Protection Act, according to which any deposit of cookies or tracers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user. <br />
<br />
As a result, the CNIL found several violations of these provisions: the lack of prior information to users, the failure to obtain the consent of individuals before depositing cookies on their terminal, and the impossibility for individuals to refuse the deposit of all cookies. <br />
<br />
The lack of information to users: <br />
<br />
The CNIL notes that the information provided to users residing in France relating to operations to access or deposit information in their terminal when using the Google Search engine was insufficient and unclear, and therefore violated the provisions of Article 82 of the French Data Protection Act. More specifically, the CNIL emphasized that: <br />
<br />
Access to or deposit of a cookie can only take place on the condition that the user has consented to it after having received clear and complete information relating to the purposes of the cookies deposited and the means at his disposal to object to them. <br />
Firstly, the CNIL noticed that when a user reached the google.fr website, an information banner was displayed at the bottom of the page, containing the following notice "Reminder regarding Google's privacy policy", opposite which were two buttons entitled "Remind me later" or "Consult now". The CNIL highlights that the simple reference to the privacy policy is not explicit enough to enable the individuals to obtain information in accordance with the provisions of Article 82 of the French Data Protection Act. <br />
Then, the CNIL noted during the online checks that the privacy rules that opened in pop-up windows when people clicked on the “View Now” button still did not contain any developments dedicated to the use of cookies and other tracers, despite general information about the personal data processed by Google services. In addition, the data subjects were still not informed at this stage of their ability to refuse cookies on their terminal equipment. <br />
Consequently, the CNIL concluded that the information provided by the companies, both in the banner and in the pop-up window, did not allow users residing in France, when using the Google Search engine, to be clearly informed in advance of the existence of operations allowing access to and deposit of information in their terminal and, consequently, to be clearly informed in advance of the purpose of such operations and the means made available to them for refusing them. <br />
<br />
The CNIL underlines that since the initiation of the sanction proceedings, the companies have undertaken a series of changes in the way they use cookies. Thus, since 20 September 2020, all users visiting the google.fr website now see, in the middle of their screen, before being able to access the search engine, a pop-up window entitled "Before continuing" which contains prior information relating to cookies. However, although the French DPA highlights a definite change compared to previous information banners, the CNIL considers that the information provided is still not clear and complete within the meaning of Article 82 of the French Data Protection Act, insofar as this information does not inform the user of all the purposes of the cookies deposited and the means at his disposal to oppose them. Indeed, the presentation of the different purposes mentioned in this banner remains too general for users to easily and clearly understand why cookies are deposited on their terminal. Furthermore, the information provided is incomplete as users are still not informed about their right to object to these cookies, nor about the means made available to them for this purpose (the terms "Options" or "More information" are not explicit enough to enable users to directly understand the extent of their rights). <br />
<br />
The failure to obtain the consent of individuals before depositing cookies on their terminal: <br />
<br />
In this respect, after recalling the provisions of Article 82 of the French Data Protection Act, the CNIL's sub-commission concluded that, since these four cookies neither have the sole purpose of enabling or facilitating communication by electronic means nor are strictly necessary for the provision of an online communication service at the express request of the user, the companies should have obtained the prior consent of users before depositing cookies on their terminal. <br />
<br />
Google's partially flawed opposition mechanism: <br />
<br />
First of all, the CNIL underlines that the use of the expression "withdraw consent" is particularly abusive, insofar as the cookies were deposited on the user's terminal even before their consent was obtained (absence of opt-in). <br />
<br />
Also, the DPA's sub-commission held that, even after a user had deactivated ad personalisation on Google Search and continued browsing the site, several of these advertising cookies remained stored on the user's computer and continued to be read, on every new interaction with the domain concerned, by the server to which each cookie was attached (for example google.com or google.fr). <br />
<br />
Consequently, the CNIL concluded that the system put in place by the companies to oppose cookies for advertising purposes placed on the user's terminal was partially defective, in violation of the requirements of Article 82 of the French Data Protection Act. <br />
<br />
== Comment ==<br />
This decision is highly interesting, as it clarifies the relationship between two instruments for the protection of personal data in the context of the deposit of cookies: on the one hand, the GDPR, which provides a general framework, and on the other hand, the national provisions resulting from the transposition of the ePrivacy Directive. The decision recalls the complementary nature of the two instruments and underlines in particular the special nature of the scope of the ePrivacy Directive, which lays down specific obligations for the electronic communications sector. <br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CE_-_N%C2%B0_428451&diff=12800CE - N° 4284512020-12-08T05:03:01Z<p>Fra-data67: /* English Summary */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=428451<br />
|ECLI=ECLI:FR:CECHR:2020:428451.20201125<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Date_Decided=25.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6 GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR<br />
|GDPR_Article_2=Article 9(3) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#3<br />
|GDPR_Article_3=Article 25 GDPR<br />
|GDPR_Article_Link_3=Article 25 GDPR<br />
|GDPR_Article_4=Article 28 GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article L. 6113-7 Code de la santé publique<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304<br />
|National_Law_Name_2=Article R. 6113-7 Code de la santé publique<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/codes/section_lc/LEGITEXT000006072665/LEGISCTA000006190793/#LEGISCTA000006190793<br />
|National_Law_Name_3=Loi informatique et libertés (version au 26/12/2018)<br />
|National_Law_Link_3=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2018-12-26/<br />
|National_Law_Name_4=Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale<br />
|National_Law_Link_4=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547?tab_selection=all&searchField=ALL&query=-%09D%C3%A9cret+n%C2%B02018-1254+du+26+d%C3%A9cembre+2018+&page=1&init=true<br />
<br />
|Party_Name_1=Conseil national de l'ordre des médecins<br />
|Party_Link_1=https://www.conseil-national.medecin.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
The French Supreme Administrative Court (Conseil d’Etat) annulled the decree of 26/12/2018 because it does not provide for technical and organisational protection measures ensuring that only the data strictly necessary for the analysis of a health establishment's activities are collected.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
[https://gdprhub.eu/index.php?title=Article_9_GDPR Article 9(3) GDPR] provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.<br />
<br />
Under the terms of [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304/ Article L. 6113-7 of the French Public Health Code], health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.<br />
<br />
The [https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547/2020-12-08/ decree of 26 December 2018] clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.<br />
<br />
In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) sought the annulment of this decree before the French Supreme Administrative Court (Conseil d’Etat).<br />
<br />
===Dispute===<br />
In the present case, the dispute concerns the following points: <br />
<br />
*Did the publication of this decree require prior consultation of the National Council of Physicians with regard to [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000041721097/ Articles L. 1112-1] and [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304/ L. 6113-7 of the French Public Health Code]?<br />
*Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree?<br />
*Does the processing carried out in accordance with [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304/ Article L. 6113-7 of the French Public Health Code] and the [https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547/2020-12-08/ decree of 26 December 2018] comply with [https://gdprhub.eu/index.php?title=Article_6_GDPR Articles 6], [https://gdprhub.eu/index.php?title=Article_9_GDPR 9(3)] and [https://gdprhub.eu/index.php?title=Article_25_GDPR 25 GDPR]?<br />
<br />
===Holding===<br />
In annulling the decree, the Supreme Administrative Court relied on the following points.<br />
<br />
====On prior consultation====<br />
Contrary to what was argued by the National Council of Physicians, the Supreme Administrative Court emphasises that neither the provisions of the Public Health Code nor those of the French Data Protection law required prior consultation of the National Council of Physicians or of the DPA on the contested decree. <br />
<br />
====On the conditions laid down by the contested decree for the processing of data by auditors====<br />
The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Because statutory auditors are charged with this legal certification task, the law grants them a right of access to the personal health data collected by the doctor responsible for medical information for the establishment as part of the analysis of its activity. In this respect, the Supreme Administrative Court emphasises that access to all health data from patients' medical files is necessary for the accomplishment of this task, for a sample of files that allows the reliability and traceability of the data used to calculate the institution's revenue to be verified on a random basis, from patient admission to invoicing.<br />
<br />
In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of the statutory auditors' mission (consultation without modification of the data, appropriate information for patients, conservation limited to the duration strictly necessary for this mission, limited access to data only necessary for the mission, reminder of the obligation of medical secrecy).<br />
<br />
However, recalling the provisions of [https://gdprhub.eu/index.php?title=Article_6_GDPR Articles 6] and [https://gdprhub.eu/index.php?title=Article_25_GDPR 25 GDPR], the French Supreme Administrative Court stresses that the statutory auditors' task could have been carried out on the basis of data subject to appropriate technical and organisational protection measures (such as pseudonymisation) to ensure the protection of the data subject's right to medical confidentiality. The Court therefore concludes that the contested decree is unlawful. <br />
<br />
====On the conditions laid down by the contested decree for the processing of data by external service providers====<br />
Recalling the rule laid down in [https://gdprhub.eu/index.php?title=Article_28_GDPR Article 28 GDPR], the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.<br />
<br />
The French Supreme Administrative Court outlines that the decree provides certain guarantees governing the work of external service providers (they are placed under the responsibility of the doctor responsible for medical information, are subject to the obligation of medical confidentiality, may only access the data necessary for their task, and may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract). However, the Court emphasises that the decree does not provide for technical and organisational measures ensuring, with sufficient guarantees, that only the data necessary for the purposes of the processing are processed. Additionally, the Court stresses that the decree contains no provisions ensuring that these service providers actually carry out their activities under the authority of the practitioner responsible for medical information. The Court therefore concludes that the decree is unlawful, owing to the absence of sufficient guarantees that access to the data does not exceed what is strictly necessary for the exercise of the task recognised by law.<br />
<br />
==Comment==<br />
This decision concerns the derogation from the prohibition on processing special categories of personal data, including health data. More specifically, this decision addresses a specific issue relating to the link between the protection of so-called sensitive data (health data) and the administrative requirements for the proper administration of healthcare systems.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
FRENCH REPUBLIC<br />
IN THE NAME OF THE FRENCH PEOPLE<br />
<br />
Considering the following procedure:<br />
<br />
By a summary request, an additional brief, a reply and a new brief, registered on February 27 and April 24, 2019 and on January 28 and September 9, 2020 at the litigation secretariat of the Council of State, the National Council of order of doctors asks the Council of State:<br />
<br />
1 °) to cancel for excess of power the decree n ° 2018-1254 of December 26, 2018 relating to the medical information departments;<br />
<br />
2 °) to charge the State the sum of 3,000 euros under article L. 761-1 of the code of administrative justice.<br />
<br />
<br />
Having regard to the other documents in the file;<br />
<br />
Seen:<br />
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;<br />
- the commercial code;<br />
- the Penal Code ;<br />
- the public health code;<br />
- Law n ° 78-17 of January 6, 1978;<br />
- the code of administrative justice;<br />
<br />
After hearing in public session:<br />
<br />
- the report by Mr Damien Pons, master of requests for extraordinary service,<br />
<br />
- the conclusions of Mrs. Marie Sirinelli, public rapporteur;<br />
<br />
The floor having been given, before and after the conclusions, to SCP Matuchansky, Poupot, Valdelièvre, lawyer of the National Council of the Order of Physicians;<br />
<br />
<br />
<br />
<br />
Considering the following:<br />
<br />
1. Under the terms of Article L. 6113-7 of the Public Health Code: "Health establishments, public or private, analyze their activity. / In compliance with medical confidentiality and the rights of patients, they implement information systems that take account in particular of pathologies and treatment methods in order to improve knowledge and assessment of activity and costs and to promote optimization of the care. / Practitioners working in public and private health establishments transmit the nominative medical data necessary for the analysis of the activity and the invoicing of this one to the doctor responsible for the medical information for the establishment under conditions determined by regulation after consultation with the National Council of the Order of Physicians. / (...) The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or ' deliberative body of a private health establishment if it exists, after consulting the medical commission or the medical conference. The conditions for this designation and the organizational methods of the medical information function, in particular the conditions under which staff placed under the authority of the responsible practitioner or of the auditors acting under the legal mission of certifying accounts mentioned in article L. 6145-16 can contribute to the processing of data, are fixed by decree (...) ".<br />
<br />
2. For the application of these provisions, the decree of December 26, 2018 relating to medical information departments authorizes and regulates access to patient medical data for the purposes of analyzing the activity, billing and the control of this invoicing, on the one hand, by external service providers and, on the other hand, by auditors. The National Council of the Order of Physicians requests the cancellation for excess of power of this decree.<br />
<br />
On external legality:<br />
<br />
3. Firstly, neither III of Article L. 1112-1 of the Public Health Code, which provides for consultation of the National Council of the Order of Physicians on the regulatory provisions which lay down procedures according to which individuals treated as well as certain doctors have access to the information held by health establishments on the people they receive, nor that of article L. 6113-7 of the same code, cited in point 1, required consultation of the National Council on the contested decree. The fact that this decree would include modifications made after the Council had delivered its opinion on the project is therefore irrelevant to its legality. The plea alleging that the contested decree does not mention this consultation in its visas is also ineffective.<br />
<br />
4. Secondly, if, under the terms of a) of 4 ° of I of article 11 of the law of 6 January 1978 relating to data processing, files and freedoms, in the version applicable on the date of the decree attacked, the National Commission for Informatics and Freedoms "is consulted on any bill or decree or any provision of a bill or decree relating to the protection of personal data or the processing of such data", it is only in the cases provided for in articles 26 and 27 of the law and "when a law provides that a decree or an order is taken after the opinion of the commission" that the same provisions require that this notice be published with the decree or order. In addition, when the publication of the opinion of the National Commission for Informatics and Freedoms must take place at the same time as that of the decree or order, failure to observe this obligation can in any event have no effect on the legality of the latter. Consequently, the Council of the Order of Physicians cannot usefully maintain that the failure to publish the opinion delivered by the National Commission for Informatics and Freedoms, whose consultation was not necessary in this case by virtue of a legislative provision other than that of article 11 of the law of January 6, 1978 cited above, would vitiate the contested decree with illegality.<br />
<br />
On internal legality:<br />
<br />
With regard to the applicable legal framework:<br />
<br />
5. It follows from the provisions of Article L. 6113-7 of the Public Health Code cited in point 1 that the implementation, by health establishments, of information systems for the analysis of their activity must be carried out in accordance with medical confidentiality and the rights of patients. By virtue of I of article L. 1110-4 of this code: "Any person taken care of by a health professional, an establishment or service, a professional or an organization contributing to prevention or treatment for which the conditions of exercise or activities are governed by this code (...) has the right to respect for his private life and the secrecy of information concerning him. / Except in cases of exemption expressly provided for by law, this secrecy covers the whole information concerning the person that has come to the attention of the professional, of any member of the staff of these establishments, services or organizations, and of any other person in relation, through his activities, with these establishments or organizations. professionals involved in the health system ". The following provisions of this same article specify the conditions under which the information thus protected can be shared between professionals of the same care team or exchanged between the professionals mentioned in I for the care of the same person.<br />
<br />
6. It also results from the provisions of Article L. 6113-7 of the Public Health Code that the practitioner responsible for medical information is the sole recipient of the nominative medical data necessary for the analysis of the activity and the invoicing sent to it for this purpose by the practitioners working in the establishment. These data are listed in Article R. 6113-1 of the Code, which provides that: "For the analysis of their medical activity, health establishments, public and private, proceed, under the conditions set by this section, to the synthesis and computer processing of data appearing in the medical file mentioned in Article L. 1112-1 which is collected, for each patient, by the practitioner responsible for the medical or medico-technical structure or by the practitioner who provided care for the patient and which is sent to the doctor responsible for medical information for the establishment, mentioned in article L. 6113-7. / These data can only concern: / 1 ° The patient's identity and his place of residence; / 2 ° The modalities according to which the care was provided, such as hospitalization with or without accommodation, part-time hospitalization, home hospitalization, outpatient; / 3 ° The patient's family or social environment in so far as it influences the modalities of its processing; / 4 ° The methods and dates of entry and exit; / 5 ° The medical units taking care of the patient; / 6 ° Pathologies and other medical characteristics of the person treated; / 7 ° The diagnostic and care procedures performed for the benefit of the patient during his stay in the establishment. / The data mentioned in 1 ° is not collected when a person can legally be admitted to a health establishment or receive treatment there while remaining anonymous ".<br />
<br />
7. Finally, it follows from the provisions of L. 6113-7 of the Public Health Code that personnel placed under the authority of the responsible practitioner as well as auditors acting under the legal mission of certifying the accounts of public establishments can contribute to the processing of nominative medical data, under conditions which it is for the regulatory power to set under the supervision of the judge. In this regard, Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of this data, or General Data Protection Regulation, defines "processing" as "any operation or set of operations carried out or not using automated processes and applied to data or sets of personal data, such as the collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, limitation, erasure or destruction" and "data concerning health" as "personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person's state of health". The 3 of article 9 of this regulation authorizes the processing of data relating to health necessary for the management of health care or social protection systems and services only by a health professional subject to an obligation of professional secrecy or under his responsibility or by another person also subject to an obligation of secrecy, allowing Member States to maintain or introduce additional conditions or limitations. 6 ° of II of article 8 of the law of January 6, 1978, in the wording applicable on the date of the decree, requires that such treatment be implemented by a member of a health profession or by another person to whom the obligation of professional secrecy provided for by article 226-13 of the penal code is imposed by reason of his or her duties. Article 6 of this law, in the wording then applicable, further provides that: "Processing can only relate to personal data that meet the following conditions: / (...) 3 ° They are adequate, relevant and not excessive with regard to the purposes for which they are collected and their subsequent processing (...)".<br />
<br />
With regard to the conditions set by the decree under appeal for the processing of data by auditors or by external service providers:<br />
<br />
8. The contested decree inserts in Article R. 6113-5 of the Public Health Code provisions providing that: "Are subject to the obligation of secrecy, the disregard of which is punished in accordance with Articles 226-13 and 226-14 of the penal code: / (...) 3 ° The statutory auditors who have access, for consultation only and without the possibility of creation or modification, to personal data mentioned in article R. 6113-1, within the framework of their legal mission of certifying the accounts of health establishments mentioned in article L. 6145-16; / 4 ° External service providers who contribute under the responsibility of the doctor responsible for medical information to the processing of personal data mentioned in article R. 6113-1 as part of their subcontracting contract" and that: "The auditors and the external service providers mentioned in the two preceding paragraphs can only access the necessary personal data mentioned in article R. 6113-1 within the strict limit of what is necessary for their missions". It recalls that if the external service provider also provides hosting for health data, it must do so in accordance with the conditions specific to this activity, provided for by article L. 1111-8 of the same code. It also specifies, by inserting an article R. 6113-9-1 in the code, that interested parties cannot keep the data made available by the establishment beyond the period strictly necessary for their mission and, by that of an article R. 6113-9-2, that: "The traces of any access, consultation, creation and modification of data relating to patients are kept for a period of six rolling months by the health establishment". Finally, it provides, in article R. 6113-7 of the code, that the people treated in the establishment are informed by the reception booklet or another written document that the data concerning them are transmitted to the doctor responsible for medical information for the hospital and to persons intervening under his authority and may, when they give rise to invoicing, "be the subject of a random consultation of traceability by the auditor in his function of certifying the annual accounts of the establishment".<br />
<br />
With regard to the statutory auditors:<br />
<br />
9. Article L. 6145-16 of the public health code provides that: "The accounts of public health establishments defined by decree are certified. / The certification procedures, by an auditor or by the Court of Auditors, are fixed by regulation". It follows from what was said in points 5 to 7 that the legislator intended that the auditors may, when they intervene under this legal certification mission, access personal health data collected by the doctor responsible for medical information for the establishment for the analysis of the activity. However, it did not intend to allow restrictions to be made to respect for medical confidentiality, recalled by the provisions cited above in Article L. 1110-4 of the Public Health Code, which would not necessarily be involved by their legal certification mission. It is therefore incumbent on the regulatory power, when it sets the conditions under which the statutory auditors can contribute to the processing of this personal data, to provide the necessary guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of this mission.<br />
<br />
10. It follows from the provisions of Article L. 823-9 of the Commercial Code that auditors must only, for the performance of their legal mission of certifying the accounts of public health establishments, be able to justify that the annual accounts of these establishments are regular and fair and give a true picture of the results of operations for the past financial year as well as of their financial situation and their assets. It emerges from the documents in the file, in particular the observations of a general nature presented by the High Council of the statutory auditors in application of article R. 625-3 of the code of administrative justice, that access to all the health data, taken from patients' medical files, mentioned in article R. 6113-1 of the public health code cited in point 6, is necessary for the accomplishment of this mission, for a sample of files allowing verification by sampling the reliability and traceability of the data used to calculate the establishment's revenue, from patient admission to billing. On the other hand, it does not appear that this mission cannot be accomplished on the basis of data subject to adequate technical and organizational protection measures, such as - failing the use, as an expert, of a doctor responsible for medical information in another establishment - the pseudonymization of data, which Article 25 of the General Data Protection Regulation provides for the implementation to protect the rights of the data subject and to ensure, to this end, that the persons whose data are processed cannot be identified. Consequently, if the contested decree was able, without disregarding the scope of Article L. 6113-7 of the Public Health Code, to regulate the conditions under which the auditors have access to these data, limiting itself, on the one hand, to providing that they can only consult them, within the framework of their legal mission, without creating or modifying data, with appropriate information for patients, by limiting their retention to the period strictly necessary for this mission and by recalling the obligation of secrecy to which they are subject and, on the other hand, to limiting their access to only data "necessary (...) within the strict limit of what is necessary for their missions", without excluding in principle their access to any of these data, it is, on the other hand, tainted with illegality in that it does not provide for technical and organizational measures capable of guaranteeing the protection of the right of the person concerned to respect for medical confidentiality recalled by the provisions cited above in Article L. 1110-4 of the Public Health Code.<br />
<br />
Regarding external service providers:<br />
<br />
11. Pursuant to Article 28 of the General Data Protection Regulation: "1. When processing must be carried out on behalf of a controller, the latter only calls on processors who provide sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject. / (...) 3. Processing by a processor is governed by a contract or other legal act under Union law or the law of a Member State, which binds the processor with regard to the controller, defines the object and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. This contract or other legal act provides, in particular, that the processor: / a) processes personal data only on the documented instruction of the controller (...); / b) ensures that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality; / (...) h) makes available to the controller all the information necessary to demonstrate compliance with the obligations provided for in this article and to allow audits, including inspections, to be carried out by the controller or another auditor appointed by him, and contributes to these audits (...)".<br />
<br />
12. It follows from what has been said in points 5 to 7 that the legislator intended that the personnel placed under the authority of the practitioner responsible for medical information for the establishment could contribute to the processing of the personal health data collected by this doctor for the analysis of the activity and invoicing, derogating from the respect of medical confidentiality recalled by the provisions of Article L. 1110-4 of the Public Health Code cited above only to the extent that the exercise of the mission recognized to them by Article L. 6113-7 of the same code necessarily implies it. Contrary to what the National Council of the Order of Physicians maintains, it does not follow from these provisions that the legislator intended to exclude these personnel from being service providers outside the establishment, having where appropriate the status of subcontractor within the meaning of the provisions of the General Data Protection Regulation cited in the previous point. However, it is the responsibility of the regulatory power, when it sets the conditions under which these service providers may contribute to the processing of this personal data, to provide the necessary guarantees to ensure that access to this data does not exceed that which is strictly necessary for the exercise of the mission recognized by law.<br />
<br />
13. By limiting itself to providing that the external service providers who contribute to the processing of the personal data mentioned in Article R. 6113-1 of the Public Health Code are placed under the responsibility of the doctor responsible for medical information, that they intervene within the framework of their subcontracting contract, that they are subject to the obligation of secrecy, the disregard of which is punished in accordance with Articles 226-13 and 226-14 of the Penal Code, that they may access "only the necessary personal data (...) within the strict limit of what is necessary for their missions" and that they may not keep the data made available by the establishment beyond the period strictly necessary for the activities entrusted to them by contract, without providing for technical and organizational measures to ensure that only the identifying data necessary with regard to the purposes of the processing are processed, or for provisions intended to guarantee that they effectively carry out these activities under the authority of the practitioner responsible for medical information, regardless of the location, the decree under appeal did not provide sufficient guarantees to ensure that access to the data does not exceed that which is strictly necessary for the exercise of the mission recognized by law.<br />
<br />
14. It follows from all of the foregoing that the National Council of the Order of Physicians is justified in requesting the annulment of the decree which it attacks only inasmuch as it does not provide for, when the auditors have access to personal health data collected during the analysis of the activity, technical and organizational protection measures to ensure the absence of processing of identifying data and, when external service providers access this data, technical and organizational measures designed to ensure that only the identifying data necessary for the purposes of the processing are processed, with sufficient guarantees, or provisions intended to guarantee that they effectively carry out their activities under the authority of the practitioner responsible for medical information.<br />
<br />
15. Pending the enactment of the additional regulations necessarily implied by the execution of the annulment thus pronounced, that annulment necessarily has the effect, in order to avoid an unjustified infringement of the right to respect for medical confidentiality of the persons whose personal health data the contested decree organizes the processing of, on the one hand, that the auditors, if they do not use the services of an expert doctor under the conditions mentioned in point 10, receive only pseudonymized data and, on the other hand, that each health establishment ensures that the work entrusted to any external service providers is organized in such a way that the practitioner responsible for medical information in each health establishment is able to organize and control the work of the service providers under his responsibility, as required by Article L. 6113-7 of the Public Health Code, which implies that the composition of the teams, the place where the activity is carried out and the details of the services provided are known to him, and that he can ensure that they access identifying data only within the strict limit of what is necessary for their missions.<br />
<br />
On the costs of the proceedings:<br />
<br />
16. In the circumstances of the case, it is appropriate to order the State to pay a sum of 2,000 euros to the National Council of the Order of Physicians under Article L. 761-1 of the Code of Administrative Justice for the costs it has incurred.<br />
<br />
<br />
<br />
DECIDES:<br />
--------------<br />
Article 1: Decree no. 2018-1254 of December 26, 2018 relating to medical information departments is annulled insofar as it does not provide, when the auditors access personal health data collected during the analysis of the activity, technical and organizational protection measures suitable for guaranteeing the absence of processing of identifying data and, when external service providers access this data, technical and organizational measures suitable for ensuring that only the identifying data necessary for the purposes of the processing are processed, with sufficient guarantees, and provisions intended to ensure that they effectively carry out their activities under the authority of the practitioner responsible for medical information. This annulment entails the obligations set out in point 15 of this decision.<br />
Article 2: The State will pay a sum of 2,000 euros to the National Council of the Order of Physicians under Article L. 761-1 of the Code of Administrative Justice.<br />
Article 3: The surplus of the conclusions of the request is rejected.<br />
Article 4: This decision will be notified to the National Council of the Order of Physicians and to the Minister of Solidarity and Health.<br />
A copy will be sent to the Prime Minister and to the High Council of the Auditors. <br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CE_-_N%C2%B0_428451&diff=12725CE - N° 4284512020-12-07T06:39:55Z<p>Fra-data67: /* On the conditions laid down by the contested decree for the processing of data by external service providers */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=428451<br />
|ECLI=ECLI:FR:CECHR:2020:428451.20201125<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Date_Decided=25.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6 GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR<br />
|GDPR_Article_2=Article 9(3) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#3<br />
|GDPR_Article_3=Article 25 GDPR<br />
|GDPR_Article_Link_3=Article 25 GDPR<br />
|GDPR_Article_4=Article 28 GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article L. 6113-7 Code de la santé publique<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304<br />
|National_Law_Name_2=Article R. 6113-7 Code de la santé publique<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/codes/section_lc/LEGITEXT000006072665/LEGISCTA000006190793/#LEGISCTA000006190793<br />
|National_Law_Name_3=Loi informatique et libertés (version au 26/12/2018)<br />
|National_Law_Link_3=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2018-12-26/<br />
|National_Law_Name_4=Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale<br />
|National_Law_Link_4=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547?tab_selection=all&searchField=ALL&query=-%09D%C3%A9cret+n%C2%B02018-1254+du+26+d%C3%A9cembre+2018+&page=1&init=true<br />
<br />
|Party_Name_1=Conseil national de l'ordre des médecins<br />
|Party_Link_1=https://www.conseil-national.medecin.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
In its decision of 25/11/2020, the French supreme administrative court (Conseil d’Etat) annulled the decree of 26/12/2018 because it does not organise technical and organisational protection measures to ensure that only the data strictly necessary for the analysis of the activity of a health establishment are collected.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Article 9(3) GDPR provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.<br />
<br />
Under the terms of Article L. 6113-7 of the French Public Health Code, health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.<br />
<br />
The decree of 26 December 2018 clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.<br />
<br />
In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) is seeking the annulment of this decree by the French supreme administrative Court (Conseil d’Etat).<br />
<br />
===Dispute===<br />
In the present case, the debate concerns the following points: <br />
<br />
*Did the publication of this decree require prior consultation of the National Council of Physicians with regard to Articles L. 1112-1 and L. 6113-7 of the Public Health Code?<br />
*Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree?<br />
*Does the processing carried out in accordance with Article L. 6113-7 of the Public Health Code and the decree of 26 December 2018 comply with Articles 6, 9(3) and 25 GDPR?<br />
<br />
===Holding===<br />
In annulling the decree, the supreme administrative Court relied on the following points.<br />
<br />
====On prior consultation====<br />
Contrary to what has been argued by the National Council of Physicians, the supreme administrative Court emphasises that the provisions of the Public Health Code and the French Data Protection law did not require prior consultation of either the National Council of Physicians or the DPA on the contested decree. <br />
<br />
====On the conditions laid down by the contested decree for the processing of data by auditors====<br />
The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Since statutory auditors are charged with this legal obligation of certification, the law grants them a right of access to the personal health data collected by the doctor in charge of medical information for the establishment as part of the analysis of the activity. In this respect, the supreme administrative Court emphasises that access to all health data from patients' medical files is necessary for the accomplishment of this mission, for a sample of files enabling the reliability and traceability of the data used to calculate the institution's revenue to be verified on a random basis, from patient admission to invoicing.<br />
<br />
In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of the statutory auditors' mission (consultation without modification of the data, appropriate information for patients, conservation limited to the duration strictly necessary for this mission, limited access to data only necessary for the mission, reminder of the obligation of medical secrecy).<br />
<br />
However, recalling the provisions of Articles 6 and 25 GDPR, the French supreme administrative Court stresses that the mission of the statutory auditors could have been carried out on the basis of data subject to appropriate technical and organisational protection measures (such as pseudonymisation of data) to ensure the protection of the data subject's right to medical confidentiality. Accordingly, the Court concludes that the contested decree is unlawful. <br />
<br />
====On the conditions laid down by the contested decree for the processing of data by external service providers====<br />
Recalling the rule laid down in Article 28 GDPR, the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.<br />
<br />
The French supreme administrative Court emphasises that although the decree provides certain guarantees governing the mission of external service providers (they are placed under the responsibility of the doctor responsible for medical information, are subject to the obligation of medical confidentiality, may only access the data necessary for their mission, and may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract), the decree has not provided for technical and organisational measures to ensure that only those identifying data are processed, with sufficient guarantees, which are necessary for the purposes of the processing, nor has it provided for provisions to ensure that they actually carry out these activities under the authority of the practitioner responsible for the medical information. The Court therefore concludes that the decree is unlawful, due to the absence of sufficient guarantees to ensure that access to the data does not exceed that which is strictly necessary for the exercise of the mission recognised by law.<br />
==Comment==<br />
This decision concerns the derogation from the prohibition on processing special categories of personal data, including health data. More specifically, this decision addresses a specific issue relating to the link between the protection of so-called sensitive data (health data) and the administrative requirements for the proper administration of healthcare systems.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CE_-_N%C2%B0_428451&diff=12724CE - N° 4284512020-12-07T06:25:32Z<p>Fra-data67: /* On prior consultation */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=428451<br />
|ECLI=ECLI:FR:CECHR:2020:428451.20201125<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Date_Decided=25.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6 GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR<br />
|GDPR_Article_2=Article 9(3) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#3<br />
|GDPR_Article_3=Article 25 GDPR<br />
|GDPR_Article_Link_3=Article 25 GDPR<br />
|GDPR_Article_4=Article 28 GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article L. 6113-7 Code de la santé publique<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304<br />
|National_Law_Name_2=Article R. 6113-7 Code de la santé publique<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/codes/section_lc/LEGITEXT000006072665/LEGISCTA000006190793/#LEGISCTA000006190793<br />
|National_Law_Name_3=Loi informatique et libertés (version au 26/12/2018)<br />
|National_Law_Link_3=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2018-12-26/<br />
|National_Law_Name_4=Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale<br />
|National_Law_Link_4=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547?tab_selection=all&searchField=ALL&query=-%09D%C3%A9cret+n%C2%B02018-1254+du+26+d%C3%A9cembre+2018+&page=1&init=true<br />
<br />
|Party_Name_1=Conseil national de l'ordre des médecins<br />
|Party_Link_1=https://www.conseil-national.medecin.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
In its decision of 25/11/2020, the French supreme administrative court (Conseil d’Etat) annulled the decree of 26/12/2018 because it does not organise technical and organisational protection measures to ensure that only the data strictly necessary for the analysis of the activity of a health establishment are collected.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Article 9(3) GDPR provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.<br />
<br />
Under the terms of Article L. 6113-7 of the French Public Health Code, health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.<br />
<br />
The decree of 26 December 2018 clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.<br />
<br />
In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) is seeking the annulment of this decree by the French supreme administrative Court (Conseil d’Etat).<br />
<br />
===Dispute===<br />
In the present case, the debate concerns the following points: <br />
<br />
*Did the publication of this decree require prior consultation of the National Council of Physicians with regard to Articles L. 1112-1 and L. 6113-7 of the Public Health Code?<br />
*Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree?<br />
*Does the processing carried out in accordance with Article L. 6113-7 of the Public Health Code and the decree of 26 December 2018 comply with Articles 6, 9(3) and 25 GDPR?<br />
<br />
===Holding===<br />
In annulling the decree, the supreme administrative Court relied on the following points.<br />
<br />
====On prior consultation====<br />
Contrary to what has been argued by the National Council of Physicians, the supreme administrative Court emphasises that the provisions of the Public Health Code and the French Data Protection law did not require prior consultation of either the National Council of Physicians or the DPA on the contested decree. <br />
<br />
==== On the conditions laid down by the contested decree for the processing of data by auditors ====<br />
The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Since statutory auditors are charged with this legal obligation of certification, the law grants them a right of access to the personal health data collected by the doctor in charge of medical information for the establishment as part of the analysis of the activity. In this respect, the supreme administrative Court emphasises that access to all health data from patients' medical files is necessary for the accomplishment of this mission, for a sample of files enabling the reliability and traceability of the data used to calculate the institution's revenue to be verified on a random basis, from patient admission to invoicing.<br />
<br />
In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of the statutory auditors' mission (consultation without modification of the data, appropriate information for patients, conservation limited to the duration strictly necessary for this mission, limited access to data only necessary for the mission, reminder of the obligation of medical secrecy).<br />
<br />
However, recalling the provisions of Articles 6 and 25 GDPR, the French supreme administrative Court stresses that the mission of the statutory auditors could have been carried out on the basis of data subject to appropriate technical and organisational protection measures (such as pseudonymisation of data) to ensure the protection of the data subject's right to medical confidentiality. Accordingly, the Court concludes that the contested decree is unlawful. <br />
<br />
==== On the conditions laid down by the contested decree for the processing of data by external service providers ====<br />
Recalling the rule laid down in Article 28 GDPR, the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.<br />
<br />
By merely providing that external service providers who contribute to the processing of personal data are placed under the responsibility of the doctor responsible for medical information, that they act within the framework of their subcontracting contract, that they are subject to the obligation of secrecy, that they may access "only the personal data necessary within the strict limits of what is necessary for their missions" and that they may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract, without providing for technical and organisational measures capable of ensuring that only those identifying data are processed which are necessary for the purposes of the processing, with sufficient guarantees, nor provisions intended to ensure that they actually carry out those activities under the authority of the practitioner responsible for medical information, whatever the place, the contested decree has not provided sufficient guarantees to ensure that access to the data does not exceed that which is strictly necessary for the exercise of the mission recognised by law.<br />
<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CE_-_N%C2%B0_428451&diff=12723CE - N° 4284512020-12-07T06:24:20Z<p>Fra-data67: /* Dispute */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=428451<br />
|ECLI=ECLI:FR:CECHR:2020:428451.20201125<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Date_Decided=25.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6 GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR<br />
|GDPR_Article_2=Article 9(3) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#3<br />
|GDPR_Article_3=Article 25 GDPR<br />
|GDPR_Article_Link_3=Article 25 GDPR<br />
|GDPR_Article_4=Article 28 GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article L. 6113-7 Code de la santé publique<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304<br />
|National_Law_Name_2=Article R. 6113-7 Code de la santé publique<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/codes/section_lc/LEGITEXT000006072665/LEGISCTA000006190793/#LEGISCTA000006190793<br />
|National_Law_Name_3=Loi informatique et libertés (version au 26/12/2018)<br />
|National_Law_Link_3=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2018-12-26/<br />
|National_Law_Name_4=Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale<br />
|National_Law_Link_4=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547?tab_selection=all&searchField=ALL&query=-%09D%C3%A9cret+n%C2%B02018-1254+du+26+d%C3%A9cembre+2018+&page=1&init=true<br />
<br />
|Party_Name_1=Conseil national de l'ordre des médecins<br />
|Party_Link_1=https://www.conseil-national.medecin.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
In its decision of 25/11/2020, the French supreme administrative court (Conseil d’Etat) annulled the decree of 26/12/2018 because it does not organise technical and organisational protection measures to ensure that only the data strictly necessary for the analysis of the activity of a health establishment are collected.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Article 9(3) GDPR provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.<br />
<br />
Under the terms of Article L. 6113-7 of the French Public Health Code, health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.<br />
<br />
The decree of 26 December 2018 clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.<br />
<br />
In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) is seeking the annulment of this decree by the French supreme administrative Court (Conseil d’Etat).<br />
<br />
===Dispute===<br />
In the present case, the debate concerns the following points: <br />
<br />
* Did the publication of this decree require prior consultation of the National Council of Physicians with regard to Articles L. 1112-1 and L. 6113-7 of the Public Health Code? <br />
* Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree? <br />
* Does the processing carried out in accordance with Article L. 6113-7 of the Public Health Code and the decree of 26 December 2018 comply with Articles 6, 9(3) and 25 GDPR?<br />
<br />
===Holding===<br />
In annulling the decree, the supreme administrative Court relied on the following points.<br />
<br />
==== On prior consultation ====<br />
Contrary to what has been argued by the National Council of Physicians, the supreme administrative Court emphasizes that the provisions of the Public Health Code and the French Data Protection law did not require prior consultation of the National Council of Physicians and the DPA on the contested decree. <br />
<br />
==== On the conditions laid down by the contested decree for the processing of data by auditors ====<br />
<br />
The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Because statutory auditors are charged with this legal obligation of certification, the law grants them a right of access to the personal health data collected by the doctor in charge of medical information for the establishment as part of the analysis of the activity. In this respect, the supreme administrative Court emphasises that access to all health data from patients' medical files is necessary for the accomplishment of this mission: on a random sample of files, it allows the reliability and traceability of the data used to calculate the institution's revenue to be verified, from patient admission to invoicing.<br />
<br />
In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of the statutory auditors' mission (consultation without modification of the data, appropriate information for patients, conservation limited to the duration strictly necessary for this mission, limited access to data only necessary for the mission, reminder of the obligation of medical secrecy).<br />
<br />
However, recalling the provisions of Articles 6 and 25 GDPR, the French supreme administrative Court stresses that the mission of the statutory auditors could have been carried out on data subject to appropriate technical and organisational protection measures (such as pseudonymisation) that ensure the protection of the data subject's right to medical confidentiality. The Court therefore concludes that the contested decree is unlawful.<br />
<br />
==== On the conditions laid down by the contested decree for the processing of data by external service providers ====<br />
<br />
Recalling the rule laid down in Article 28 GDPR, the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.<br />
<br />
The decree merely provides that external service providers who contribute to the processing of personal data are placed under the responsibility of the doctor responsible for medical information, that they act within the framework of their subcontracting contract, that they are subject to the obligation of secrecy, that they may access "only the personal data necessary within the strict limits of what is necessary for their missions" and that they may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract. It does not provide for technical and organisational measures capable of ensuring, with sufficient guarantees, that only the identifying data necessary for the purposes of the processing are processed, nor for provisions ensuring that the providers actually carry out those activities under the authority of the practitioner responsible for medical information, wherever they are performed. Accordingly, the contested decree has not provided sufficient guarantees to ensure that access to the data does not exceed what is strictly necessary for the exercise of the mission recognised by law.<br />
<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CE_-_N%C2%B0_428451&diff=12722CE - N° 4284512020-12-07T06:22:43Z<p>Fra-data67: Created page with "{{COURTdecisionBOX |Jurisdiction=France |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=CE |Court_With_Country=CE (France) |Case_Number_Name=428451 |ECLI=ECL..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=428451<br />
|ECLI=ECLI:FR:CECHR:2020:428451.20201125<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042570046?tab_selection=cetat&searchField=ALL&query=428451&searchType=ALL&juridiction=TRIBUNAL_CONFLIT&juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&juridiction=TRIBUNAL_ADMINISTATIF&sortValue=DATE_DESC&pageSize=10&page=1&tab_selection=cetat#cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Date_Decided=25.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6 GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR<br />
|GDPR_Article_2=Article 9(3) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#3<br />
|GDPR_Article_3=Article 25 GDPR<br />
|GDPR_Article_Link_3=Article 25 GDPR<br />
|GDPR_Article_4=Article 28 GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article L. 6113-7 Code de la santé publique<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037090304<br />
|National_Law_Name_2=Article R. 6113-7 Code de la santé publique<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/codes/section_lc/LEGITEXT000006072665/LEGISCTA000006190793/#LEGISCTA000006190793<br />
|National_Law_Name_3=Loi informatique et libertés (version au 26/12/2018)<br />
|National_Law_Link_3=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2018-12-26/<br />
|National_Law_Name_4=Décret n°2018-1254 du 26 décembre 2018 relatif aux départements d'information médicale<br />
|National_Law_Link_4=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000037864547?tab_selection=all&searchField=ALL&query=-%09D%C3%A9cret+n%C2%B02018-1254+du+26+d%C3%A9cembre+2018+&page=1&init=true<br />
<br />
|Party_Name_1=Conseil national de l'ordre des médecins<br />
|Party_Link_1=https://www.conseil-national.medecin.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
<br />
In its decision of 25/11/2020, the French supreme administrative court (Conseil d’Etat) annulled the decree of 26/12/2018 because it does not provide for technical and organisational protection measures ensuring that only the data strictly necessary for the analysis of the activity of a health establishment are collected.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Article 9(3) GDPR provides that health data may be processed for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.<br />
<br />
Under the terms of Article L. 6113-7 of the French Public Health Code, health establishments, whether public or private, shall analyse their activity. In compliance with medical confidentiality and patients' rights, they implement information systems that take into account pathologies and treatment methods in order to improve knowledge and evaluation of their activity and costs and to promote the optimisation of the range of care offered. Practitioners practising in public and private healthcare institutions transmit the personal medical data required to analyse the activity and bill for it to the doctor responsible for medical information for the institution under conditions determined by regulation after consultation with the National Council of Physicians (Conseil national de l'ordre des Médecins). The practitioner responsible for medical information is a doctor appointed by the director of a public health establishment or the deliberative body of a private health establishment if there is one, following the opinion of the medical commission or medical conference. The conditions of this designation and the methods of organisation of the medical information function, in particular the conditions under which staff placed under the authority of the practitioner in charge or the statutory auditors acting in the context of the legal mission of certification of the accounts mentioned in Article L. 6145-16 may contribute to the processing of data, are set by decree.<br />
<br />
The decree of 26 December 2018 clarifies these provisions. It authorises and regulates access to patients' data for the purposes of analysing the activity, its invoicing and the control of this invoicing by the statutory auditors and external service providers.<br />
<br />
In this context, the National Council of Physicians (Conseil national de l'ordre des Médecins) is seeking the annulment of this decree by the French supreme administrative Court (Conseil d’Etat).<br />
<br />
=== Dispute ===<br />
In the present case, the debate concerns the following points: <br />
* Did the publication of this decree require prior consultation of the National Council of Physicians with regard to Articles L. 1112-1 and L. 6113-7 of the Public Health Code?<br />
* Did the publication of this decree require prior consultation of the data protection authority (Commission nationale de l’informatique et des libertés – CNIL) with regard to Article 11 of the French Data Protection law, as in force at the date of the contested decree?<br />
* Does the processing carried out in accordance with Article L. 6113-7 of the Public Health Code and the decree of 26 December 2018 comply with Articles 6, 9(3) and 25 GDPR?<br />
<br />
<br />
=== Holding ===<br />
In annulling the decree, the supreme administrative Court relied on the following points.<br />
<br />
On prior consultation:<br />
<br />
Contrary to what has been argued by the National Council of Physicians, the supreme administrative Court emphasizes that the provisions of the Public Health Code and the French Data Protection law did not require prior consultation of the National Council of Physicians and the DPA on the contested decree.<br />
<br />
On the conditions laid down by the contested decree for the processing of data by auditors:<br />
<br />
The Public Health Code requires the accounts of public health establishments to be certified by an auditor. Because statutory auditors are charged with this legal obligation of certification, the law grants them a right of access to the personal health data collected by the doctor in charge of medical information for the establishment as part of the analysis of the activity. In this respect, the supreme administrative Court emphasises that access to all health data from patients' medical files is necessary for the accomplishment of this mission: on a random sample of files, it allows the reliability and traceability of the data used to calculate the institution's revenue to be verified, from patient admission to invoicing.<br />
<br />
In the present case, the Court notes that the decree provides a number of guarantees to ensure that access to this data does not exceed that which is strictly necessary for the performance of the statutory auditors' mission (consultation without modification of the data, appropriate information for patients, conservation limited to the duration strictly necessary for this mission, limited access to data only necessary for the mission, reminder of the obligation of medical secrecy).<br />
<br />
However, recalling the provisions of Articles 6 and 25 GDPR, the French supreme administrative Court stresses that the mission of the statutory auditors could have been carried out on data subject to appropriate technical and organisational protection measures (such as pseudonymisation) that ensure the protection of the data subject's right to medical confidentiality. The Court therefore concludes that the contested decree is unlawful.<br />
<br />
On the conditions laid down by the contested decree for the processing of data by external service providers:<br />
<br />
Recalling the rule laid down in Article 28 GDPR, the Court stresses that the external service providers cited by the decree must be considered as processors within the meaning of the Regulation.<br />
<br />
The decree merely provides that external service providers who contribute to the processing of personal data are placed under the responsibility of the doctor responsible for medical information, that they act within the framework of their subcontracting contract, that they are subject to the obligation of secrecy, that they may access "only the personal data necessary within the strict limits of what is necessary for their missions" and that they may not keep the data made available by the establishment beyond the duration strictly necessary for the activities entrusted to them by contract. It does not provide for technical and organisational measures capable of ensuring, with sufficient guarantees, that only the identifying data necessary for the purposes of the processing are processed, nor for provisions ensuring that the providers actually carry out those activities under the authority of the practitioner responsible for medical information, wherever they are performed. Accordingly, the contested decree has not provided sufficient guarantees to ensure that access to the data does not exceed what is strictly necessary for the exercise of the mission recognised by law.<br />
<br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-009&diff=12508CNIL (France) - SAN-2020-0092020-11-30T08:11:32Z<p>Fra-data67: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-009<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Legifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=18.11.2020<br />
|Date_Published=26.11.2020<br />
|Year=2020<br />
|Fine=800000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|National_Law_Name_1=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-11-30/<br />
|Party_Name_1=Carrefour Banque<br />
|Party_Link_1=https://www.carrefour-banque.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}<br />
After several inspections between May and July 2019, the French data protection authority (CNIL) imposed a fine of €800,000 on CARREFOUR BANQUE for several violations of the GDPR and the French data protection law (Loi informatique et libertés): fairness and transparency of data processing, accessibility and content of information concerning data processing, and unlawful use of cookies.<br />
==English Summary==<br />
===Facts===<br />
CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.<br />
<br />
As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.<br />
<br />
Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.<br />
<br />
Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and the French Data Protection law.<br />
<br />
===Dispute===<br />
In this case, the French data protection authority investigated several issues:<br />
<br />
*Does the transmission of data by CARREFOUR BANQUE to CARREFOUR France when joining the loyalty programme comply with the principle of fair and transparent processing contained in [https://gdprhub.eu/Article_5_GDPR#.28a.29_Lawfulness.2C_fairness_and_transparency Article 5(1)(a) GDPR]?<br />
*Is the information relating to personal data processing operations easily accessible within the meaning of [https://gdprhub.eu/index.php?title=Article_12_GDPR articles 12] and [https://gdprhub.eu/index.php?title=Article_13_GDPR 13 GDPR]?<br />
*Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR?<br />
*Does placing 39 cookies on the data subject's computer before any act of consent or refusal on their part violate [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82] of the French data protection law?<br />
<br />
===Holding===<br />
The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Insofar as the company took the necessary measures to put an end to the breaches of which it was accused before the end of the proceedings, the CNIL did not issue an injunction against it. <br />
<br />
However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted formation pronounced an additional publication sanction for a period of two years. <br />
<br />
====On the violation of the obligation to fairly process personal data====<br />
In this case, when the subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, he had to tick a box which read: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA noticed that CARREFOUR BANQUE also transmits other information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.<br />
<br />
The French DPA found a violation of Article 5(1)(a) GDPR, as the information given to data subjects is imprecise and misleading. More specifically, the CNIL highlights that:<br />
<br />
*CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription.<br />
*CARREFOUR BANQUE names CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention.<br />
<br />
====On the lack of accessibility to information on processing of personal data====<br />
Quoting Articles 12 and 13 GDPR, the French DPA distinguishes between:<br />
<br />
*'''Access to information relating to personal data protection''': In this case, the user could access the information relating to the processing of his or her data either by clicking directly on the Banking Data Protection tab at the bottom of the page, or by accessing the Legal Notice, which referred to the privacy policy and thus required several actions by the user. On this point, the CNIL recalls the [https://www.cnil.fr/sites/default/files/atoms/files/wp260_enpdf_transparency.pdf WP29 guidelines on transparency], according to which data subjects should not have to search for information but should have immediate access to it. The French DPA therefore finds that the information on personal data protection was not easily accessible. On the one hand, the vagueness of the title Protection of banking data does not make it clear to data subjects that this tab concerns personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL notes that users must first undertake several actions before being able to access this tab.<br />
<br />
*'''The information provided to data subjects throughout the online subscription process''': According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible to data subjects. Although CARREFOUR BANQUE did provide the expected first-level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights recognised to data subjects), the CNIL nevertheless emphasises that CARREFOUR BANQUE failed to supplement these mentions with a link allowing people to read the complete information.<br />
<br />
====On the vagueness of data retention periods====<br />
Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL notes that CARREFOUR BANQUE’s privacy policy is imprecise and vague about data retention.<br />
<br />
Indeed, the privacy policy contains vague and undefined formulations that confuse data subjects as to the extent and nature of the data collected. Furthermore, the privacy policy did not specify the retention periods for all data, nor the criteria used to determine these periods.<br />
<br />
====On the use of cookies on the website====<br />
The French DPA recalls the provisions of Article 82 of the French data protection law (loi informatique et libertés), which requires that any placement of cookies or trackers be preceded by informing users and obtaining their consent. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service at the express request of the user.<br />
<br />
In this case, the CNIL notes that 31 cookies were automatically placed on users’ devices upon arrival on the site’s home page and before any action by the user. More specifically, two of them were intended to track the user and three of them were intended for advertising targeting.<br />
<br />
Concluding that these five cookies do not fall within the exceptions set out in Article 82 of the French Data Protection law, the CNIL found a breach of Article 82 and underlines that the placement of these five cookies required the company to obtain the user's prior consent.<br />
<br />
==Comment==<br />
The issue of information to data subjects has an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards relating to the quality of the information delivered by controllers to data subjects.<br />
<br />
This sanction was adopted jointly with [https://gdprhub.eu/index.php?title=CNIL_-_SAN-2020-008 CNIL - SAN-2020-008], which imposed a €2,250,000 fine on Carrefour France.<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.</div>Fra-data67https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-009&diff=12507CNIL (France) - SAN-2020-0092020-11-30T08:10:02Z<p>Fra-data67: Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2020-009 |ECLI= |Origin..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFR.png<br />
|DPA_Abbrevation=CNIL<br />
|DPA_With_Country=CNIL (France)<br />
<br />
|Case_Number_Name=SAN-2020-009<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Legifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=18.11.2020<br />
|Date_Published=26.11.2020<br />
|Year=2020<br />
|Fine=800000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|National_Law_Name_1=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-11-30/<br />
|Party_Name_1=Carrefour Banque<br />
|Party_Link_1=https://www.carrefour-banque.fr/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Fra-data67<br />
|<br />
}}After several inspections between May and July 2019, the French data protection authority (CNIL) imposed a fine of €800,000 on CARREFOUR BANQUE for several violations of the GDPR and the French data protection law (Loi informatique et libertés): fairness and transparency of data processing, accessibility and content of information concerning data processing, and unlawful use of cookies.<br />
==English Summary==<br />
===Facts===<br />
CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.<br />
<br />
As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.<br />
<br />
Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.<br />
<br />
Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and the French Data Protection law.<br />
<br />
===Dispute===<br />
In this case, the French data protection authority investigated several issues:<br />
<br />
* Does the transmission of data by CARREFOUR BANQUE to CARREFOUR France when joining the loyalty programme comply with the principle of fair and transparent processing contained in [https://gdprhub.eu/Article_5_GDPR#.28a.29_Lawfulness.2C_fairness_and_transparency Article 5(1)(a) GDPR]? <br />
* Is the information relating to personal data processing operations easily accessible within the meaning of [https://gdprhub.eu/index.php?title=Article_12_GDPR articles 12] and [https://gdprhub.eu/index.php?title=Article_13_GDPR 13 GDPR]? <br />
* Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR? <br />
* Does placing 39 cookies on the data subject's computer before any act of consent or refusal on their part violate [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82] of the French data protection law?<br />
<br />
===Holding===<br />
The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Insofar as the company took the necessary measures to put an end to the breaches of which it was accused before the end of the proceedings, the CNIL did not issue an injunction against it. <br />
<br />
However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted formation pronounced an additional publication sanction for a period of two years. <br />
<br />
====1° On the violation of the obligation to fairly process personal data====<br />
In this case, when the subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, he had to tick a box which read: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA noticed that CARREFOUR BANQUE also transmits other information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.<br />
<br />
The French DPA concluded that Article 5(1)(a) GDPR had been violated, as the information given to data subjects was imprecise and misleading. More specifically, the CNIL highlights that: <br />
<br />
* CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription. <br />
* CARREFOUR BANQUE mentions CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention. <br />
<br />
====2° On the lack of accessibility to information on processing of personal data====<br />
Quoting Articles 12 and 13 GDPR, the French DPA distinguishes between: <br />
<br />
* '''Access to information relating to personal data protection''': In this case, the user could access the information relating to the processing of his or her data either by clicking directly on the "Banking Data Protection" tab at the bottom of the page, or by accessing the Legal Notice, which referred to the privacy policy and thus required several actions by the user. On this point, the CNIL recalls the [https://www.cnil.fr/sites/default/files/atoms/files/wp260_enpdf_transparency.pdf WP29 guidelines on transparency], according to which data subjects should not have to search for information but should have immediate access to it. The French DPA therefore found a violation regarding access to information on personal data protection. On the one hand, the vagueness of the title "Protection of banking data" does not make it clear to data subjects that this tab refers to personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL notes that users must first undertake several actions before being able to reach this tab.<br />
<br />
* '''The information provided to data subjects throughout the online subscription process''': According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible to data subjects. Although CARREFOUR BANQUE did provide the expected first-level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights recognised to data subjects), the CNIL nevertheless emphasises that CARREFOUR BANQUE failed to complement these mentions with a link allowing people to read the complete information. <br />
<br />
====3° On the vagueness of data retention periods====<br />
Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL notes that CARREFOUR BANQUE’s privacy policy is imprecise and vague about data retention information. <br />
<br />
Indeed, the privacy policy contains vague and undefined formulations that confuse data subjects as to the extent and nature of the data collected. Furthermore, the privacy policy did not specify the retention periods for all data and did not specify the criteria used to determine these periods.<br />
<br />
====4° On the use of cookies on the website====<br />
The French DPA recalls the provisions of Article 82 of the French data protection law (loi informatique et libertés), which requires that any placing of cookies or trackers be preceded by informing users and obtaining their consent. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service at the express request of the user.<br />
<br />
In this case, the CNIL noted that 31 cookies were automatically deposited on users’ devices upon arrival on the site’s home page and before any action by the user. More specifically, two of them were intended to track the user and three of them were intended for advertising targeting.<br />
<br />
Concluding that these five cookies do not fall within the scope of the exceptions set out in Article 82 of the French data protection law, the CNIL found a breach of Article 82 and underlined that the deposit of these five cookies required the company to obtain the user's prior consent.<br />
<br />
==Comment==<br />
The issue of information to data subjects has an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards relating to the quality of the information delivered by the controller to data subjects. <br />
<br />
This sanction was issued jointly with [https://gdprhub.eu/index.php?title=CNIL_-_SAN-2020-008 CNIL - SAN-2020-008], which imposed a €2,250,000 fine on Carrefour France.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.</div>Fra-data67