APD/GBA (Belgium) - 39/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA (Belgium) |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=39/2022 |E...") |
No edit summary |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 53: | Line 53: | ||
}} | }} | ||
The Belgian DPA reprimanded a controller for | The Belgian DPA reprimanded a controller for failing to delete a former client's personal data in violation of [[Article 17 GDPR#1|Article 17(1) GDPR]], and for not handling the erasure request within the one-month period under [[Article 12 GDPR#3|Article 12(3) GDPR]]. | ||
== English Summary == | == English Summary == | ||
Line 60: | Line 60: | ||
The data subject is a former client of the controller. | The data subject is a former client of the controller. | ||
In June 2019, the data subject requested the deletion of | In June 2019, the data subject requested the deletion of their customer account and their personal data from the controller. They sent their request from their current email address [email address 2] and mentioned their old email address [email address 1] in the request. The controller acknowledged the receipt of the request and sent the data subject several messages assuring them that a follow-up was in progress. | ||
However, in September 2019, the data subject received a new advertising email to email address 1, and subsequently sent a new request for deletion of | However, in September 2019, the data subject received a new advertising email to email address 1, and subsequently sent a new request for deletion of their data to the controller. The controller's customer service department acknowledged the receipt of the request and announced a response within seven working days. | ||
In October 2019, the data subject lodged a complaint with the DPA because | In October 2019, the data subject lodged a complaint with the DPA because they had not received any follow-up after their latest request. They claimed that their right to erasure (Article 17(1) GDPR) and their right to access (Article 15(1)(b) GDPR and [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]]) had been violated. | ||
In February 2020, following several hearings of the parties, the controller sent a letter to the data subject, informed | In February 2020, following several hearings of the parties, the controller sent a letter to the data subject, informed them about the deletion of the account linked to email address 1 and the date of deletion. Furthermore, the controller told the data subject that their request for deletion of the data related to email address 2 had been taken into account. The email addresses were stored in two seperate databases of the controller as "prospect" and "client". | ||
The controller claimed that the data subject's request did not concern a request for access under [[Article 15 GDPR#1b|Article 15(1)(b) GDPR]] and [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]], but a request for information on the erasure of data by the controller. | The controller claimed that the data subject's request did not concern a request for access under [[Article 15 GDPR#1b|Article 15(1)(b) GDPR]] and [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]], but a request for information on the erasure of data by the controller. | ||
Line 74: | Line 74: | ||
The DPA reprimanded the controller for several violations of the GDPR. | The DPA reprimanded the controller for several violations of the GDPR. | ||
First, the DPA found that the controller had violated [[Article 17 GDPR#1|Article 17(1) GDPR]]. Due to the superficial examination of the data subject's claim, the controller had not deleted both email addresses even though that would have been its responsibility. The fact that the two email addresses were recorded in separate databases and were not subject to the same processing was not sufficient justification to rule out a violation of [[Article 17 GDPR#1|Article 17(1) GDPR]], especially since the data subject provided in | First, the DPA found that the controller had violated [[Article 17 GDPR#1|Article 17(1) GDPR]]. Due to the superficial examination of the data subject's claim, the controller had not deleted both email addresses even though that would have been its responsibility. The fact that the two email addresses were recorded in separate databases and were not subject to the same processing was not sufficient justification to rule out a violation of [[Article 17 GDPR#1|Article 17(1) GDPR]], especially since the data subject provided in their initial request the old email address 1. | ||
The DPA noted that the controllers procedure for managing requests has been reviewed and adapted in a way that such errors should not happen again. | The DPA noted that the controllers procedure for managing requests has been reviewed and adapted in a way that such errors should not happen again. | ||
Second, the DPA agreed with the controller that the data subject had not made a request for access under [[Article 15 GDPR#1b|Article 15(1)(b) GDPR]] and [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]], but a request for information on the erasure of data by the controller. It noted that, while the incomplete or inaccurate formulation of a request to exercise a right, in this case, the right of access, cannot be a reason not to act on it, the data subjects request objectively related to the deletion of the data and not their access. Therefore, the DPA dealt with this issue in accordance with [[Article 12 GDPR#3|Article 12(3) GDPR]] and not [[Article 15 GDPR#1|Article 15(1) GDPR]]. | Second, the DPA agreed with the controller that the data subject had not made a request for access under [[Article 15 GDPR#1b|Article 15(1)(b) GDPR]] and [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]], but a request for information on the erasure of data by the controller. It noted that, while the incomplete or inaccurate formulation of a request to exercise a right, in this case, the right of access, cannot be a reason not to act on it, the data subjects request objectively related to the deletion of the data and not their access. Therefore, the DPA dealt with this issue in accordance with [[Article 12 GDPR#3|Article 12(3) GDPR]] and not [[Article 15 GDPR#1|Article 15(1) GDPR]]. | ||
Since the controller had not provided the data subject with the information on the measures taken following | Since the controller had not provided the data subject with the information on the measures taken following their request, the DPA found a violation of [[Article 12 GDPR#3|Article 12(3) GDPR]]. This provision sets a maximum period of one month to respont to such a request. | ||
Lastly, the DPA briefly discussed the issue of the legal basis of data processing relating to direct marketing purposes, but did not reopen the proceedings at this stage in this regard. | Lastly, the DPA briefly discussed the issue of the legal basis of data processing relating to direct marketing purposes, but did not reopen the proceedings at this stage in this regard. |
Latest revision as of 15:58, 23 March 2022
APD/GBA (Belgium) - 39/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 17(1) GDPR Article 13 ePrivacy Directive |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 17.03.2022 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 39/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | kc |
The Belgian DPA reprimanded a controller for failing to delete a former client's personal data in violation of Article 17(1) GDPR, and for not handling the erasure request within the one-month period under Article 12(3) GDPR.
English Summary
Facts
The data subject is a former client of the controller.
In June 2019, the data subject requested the deletion of their customer account and their personal data from the controller. They sent their request from their current email address [email address 2] and mentioned their old email address [email address 1] in the request. The controller acknowledged the receipt of the request and sent the data subject several messages assuring them that a follow-up was in progress.
However, in September 2019, the data subject received a new advertising email to email address 1, and subsequently sent a new request for deletion of their data to the controller. The controller's customer service department acknowledged the receipt of the request and announced a response within seven working days.
In October 2019, the data subject lodged a complaint with the DPA because they had not received any follow-up after their latest request. They claimed that their right to erasure (Article 17(1) GDPR) and their right to access (Article 15(1)(b) GDPR and Article 15(1)(d) GDPR) had been violated.
In February 2020, following several hearings of the parties, the controller sent a letter to the data subject, informed them about the deletion of the account linked to email address 1 and the date of deletion. Furthermore, the controller told the data subject that their request for deletion of the data related to email address 2 had been taken into account. The email addresses were stored in two seperate databases of the controller as "prospect" and "client".
The controller claimed that the data subject's request did not concern a request for access under Article 15(1)(b) GDPR and Article 15(1)(d) GDPR, but a request for information on the erasure of data by the controller.
Holding
The DPA reprimanded the controller for several violations of the GDPR.
First, the DPA found that the controller had violated Article 17(1) GDPR. Due to the superficial examination of the data subject's claim, the controller had not deleted both email addresses even though that would have been its responsibility. The fact that the two email addresses were recorded in separate databases and were not subject to the same processing was not sufficient justification to rule out a violation of Article 17(1) GDPR, especially since the data subject provided in their initial request the old email address 1. The DPA noted that the controllers procedure for managing requests has been reviewed and adapted in a way that such errors should not happen again.
Second, the DPA agreed with the controller that the data subject had not made a request for access under Article 15(1)(b) GDPR and Article 15(1)(d) GDPR, but a request for information on the erasure of data by the controller. It noted that, while the incomplete or inaccurate formulation of a request to exercise a right, in this case, the right of access, cannot be a reason not to act on it, the data subjects request objectively related to the deletion of the data and not their access. Therefore, the DPA dealt with this issue in accordance with Article 12(3) GDPR and not Article 15(1) GDPR.
Since the controller had not provided the data subject with the information on the measures taken following their request, the DPA found a violation of Article 12(3) GDPR. This provision sets a maximum period of one month to respont to such a request.
Lastly, the DPA briefly discussed the issue of the legal basis of data processing relating to direct marketing purposes, but did not reopen the proceedings at this stage in this regard.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/10 Litigation Chamber Decision on the merits 39/2022 of 17 March 2022 File number: DOS-2019-04973 Subject: Complaint against a commercial company concerning a request for erasure of data and a request for access to this data The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, Chairman, and Messrs. Romain Robert and Christophe Boeraeve; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of this data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Having regard to the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; made the following decision regarding: . The plaintiff: Mr. X, hereinafter “the plaintiff”; . . The defendant: Y, represented by Me Olivier Proust lawyer, hereinafter: "the defendant", Decision on the merits 39/2022 - 2/10 I. Facts and procedure 1. The Complainant is a former client of the Respondent. Following a move on June 10, 2019, it requests the deletion of his customer account and his personal data from the defendant. The complainant is using his current email address [email address 2] to send this request, and also mentions his old email address [email address 1]. 2. The defendant acknowledges receipt of the request and sends the complainant several messages assuring him that a follow-up is in progress (11/07/2019; 22/07/2019 and 05/08/2019). 3. On September 13, 2019, however, the complainant received a new advertising email to the address old [email address 1] , and sends a new request for deletion of his data to the defendant. The defendant's customer service department acknowledges receipt of the request at this same date and announces a response within 7 working days. 4. On October 1, 2019, the complainant lodged a complaint with the Data Protection Authority given against the defendant due to the fact that no follow-up was given to its last demand. 5. On October 31, 2019, the complaint was declared admissible by the Front Line Service on the basis articles 58 and 60 of the LCA and this same complaint is transmitted to the Litigation Chamber in er pursuant to Article 62, § 1 of the LCA. 6. On December 9, 2019, the Litigation Division decides, pursuant to Article 95, § 1, 1° and Article 98 of the ACL, that the case can be dealt with on the merits. 7. The subject of the complaint, according to the facts as understood and qualified by the Litigation Chamber in its invitation to conclude concerns: at. the exercise of the right to erasure (article 17.1 of the GDPR) of the personal data of the plaintiff in the databases of the defendant and b. the complainant's right of access to the categories of personal data held about him or her in the defendant's database (articles 15.1.b GDPR) and the right of access to information regarding the retention period of personal data held about it by the defendant (15.1.d GDPR). 8. Indeed, the request is worded in the complaint as follows: “Statement of facts: dated 06/10/2019, I asked company Y, under the legal provisions on GDPR, to delete my account, to delete all my personal data and to follow up positive to my request for the "right to be forgotten". The complainant attaches to his complaint the initial request addressed to the defendant on June 10, 2019, in which he also requests the communication, by the defendant, of the “legal deadlines that you will use and the nature of the information that you delete (with the precise indication of the different dates of deletion)", Decision on the merits 39/2022 - 3/10 9. On December 10, 2019, the parties concerned are informed by registered letter of the provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their conclusions. 10. The deadline for receipt of the defendant's submissions in response is 17 January 2020, that for the complainant's reply submissions dated February 14, 2020 and that for the Defendant's reply submissions dated February 28, 2020. 11. On February 4, 2020, the Respondent requests a new procedural calendar, having not received the first invitation to conclude due to the closure of the company's head office during the Christmas period, and requests a full copy of the file electronically (art. 95, §2, 3° ACL). The defendant also manifests its intention to have recourse to the possibility of being heard, in accordance with Article 98 of the LCA. 12. On February 19, 2020, the Litigation Division sends the parties a copy of the file and grants a new deadline to conclude. The new deadline for receipt of conclusions in respondent's response is set for March 11, 2020, that for the submissions in reply of the complainant on March 25, 2020 and that for the defendant's reply submissions on April 8 2020. 13. On February 26, 2020, the defendant sent a letter to the complainant to inform him of the taking into account of his request for deletion vis-à-vis the e-mail address [email address 2] and with regard to concerns the “prospect” account linked to his old email address [email address 1]. The 1 defendant informs the complainant of the nature of the information deleted and the date deletion of this data. Regarding the request to delete the new e-mail address of the plaintiff, the defendant indicates in this letter that "the request made on June 10 was indeed taken into account with regard to your customer account”. 14. On March 10, 2020, the Litigation Chamber receives the submissions in response from the defendant. They can be summarized as follows: - The defendant promptly granted the request to erase the data for the address email linked to the “customer” account [email address 2], but the deletion did not take place immediately with regard to the data linked to the former email address of the complainant [email address 1], this address being itself linked to a "prospect" account kept by the defendant in a separate database. Therefore, the violation of article 17.1 of the GDPR and was only partial. Once confirmed that the 2 email address also belonged to the complainant and that it was not a homonym, this address has also been removed definitively from the defendant's "prospects" database. 1Respondent's Exhibit 5., Decision on the Merits 39/2022 - 4/10 - The plaintiff's request relating to the "legal deadlines you will use and the nature of the information that you will delete with the precise indication of the different dates erasure” must be attached to his erasure request, and must not be interpreted as a request for access within the meaning of Article 15.1 d) of the GDPR. His complaint states that he wished to obtain confirmation that his data had indeed been erased. the GDPR does not impose on the controller an obligation to communicate the date erasure of the data as such, but rather an obligation to confirm to the data subject what measures have been taken to respond to his or her request (Art. 12.3 GDPR). The defendant also voluntarily provided the complainant with an explanation detailed information on the retention period of the data and the date of erasure of the data. 15. Following these conclusions in response, the Litigation Chamber did not receive any other document from the part of the parties (no conclusion from the complainant and no new conclusion - in reply - from the defendant). 16. On January 28, 2022, the parties are informed that the hearing will take place on February 17, 2022. By this same letter, the Litigation Chamber informs the parties of the fact that the plaintiff marked his wish not to participate in the hearing. 17. On February 17, 2022, the defendant was heard by the Litigation Chamber. er 18. On March 1, 2022, the minutes of the hearing are submitted to the defendant, with the possibility of attach within one week any comments without this implying reopening of the debates. The Litigation Chamber did not receive any remarks relating to the trial- verbal. II. Motivation On the violation of Article 17.1 of the GDPR 19. Article 17.1 of the GDPR states that “the data subject has the right to obtain from the data controller processing the erasure, as soon as possible, of personal data concerning him and the controller has an obligation to erase such personal data within the as soon as possible, when one of the following reasons applies: a) The personal data are no longer necessary for the purposes for which it was collected or otherwise processed; b) The person withdraws the consent on which the processing is based, in accordance with article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing”, Decision on the merits 39/2022 - 5/10 20. In the present case, based on the aforementioned elements and the conclusions of the defendant, the latter actually infringes Article 17.1 of the GDPR because the circumstance that the two email addresses were recorded in separate databases and were not subject to the same processing, is not sufficient justification to rule out a violation of Article 17.1 of the GDPR, especially since the complainant provided in his initial request of June 10, 2019 the former address email to be deleted. 21. Therefore, given the partial deletion of the complainant's data, the Litigation Chamber must find a partial violation of Article 17.1 of the GDPR. The Litigation Chamber notes that this violation results from a superficial examination of the claim of the plaintiff by the defendant to whom he responsibility to seek clarification in case of doubt about the scope of the deletion request. The defendant seems to believe that it could legitimately believe that the email address indicated as old was no longer used by the defendant and was not the subject of the deletion request. However, the Litigation Chamber considers that the defendant should have check whether it was not also his responsibility to remove the old email address from his system of mailing. The Litigation Division further notes that, according to the defendant, the service customer care also had access to the prospect database, and could have searched for this old email address to remove any doubt. Moreover, this misunderstanding could have been avoided if the defendant had informed the complainant of the concrete follow-up given to his request for erasure concerning the first email address (see below, on the violation of Article 12.3 of the GDPR). 22. The Litigation Division also notes that the procedure for managing requests has been reviewed in its new access request management policy (“GDPR department – data subject rights – procedure”) and that these requests will henceforth be directed to the service of the Delegate to data protection (DPO), which should prevent this type of error from happening again. 23. The Litigation Division also notes that the data for the second address were deleted by the defendant after clarification by the complainant of the addresses for which he was requesting suppression. 24. The Litigation Chamber understands, however, that failing to qualify the plaintiff's request as a request for access to all the data concerning him, the defendant abstained to search for all the data she had about him, and presumably lost a chance to make the link between the “customer” database and the “prospects” database containing different email details for the same customer. The latter, however, had departure provided his two addresses in his deletion request, one in the body of his message to the defendant (my old email is [email address 1]), the other via the address [address email 2] from which his request itself was sent to the defendant. It's this last address that was deleted and not the address entered as old. It was incumbent on elsewhere to the defendant, as data controller, to ensure that it had a view clear on the data to be deleted in order to respond to the wish of the complainant namely, in fine, au-, Decision on the merits 39/2022 - 6/10 beyond the request to erase the data, no longer receive advertising emails from the defendant. On the violation of Article 15.1 of the GDPR 25. Article 15.1 of the GDPR states that “the data subject has the right to obtain from the data controller processing the confirmation that personal data concerning him are or are not not processed and, when they are, access to said personal data as well as the following information: a) The purposes of the processing; b) The categories of personal data concerned; vs) […] d) Where possible, the envisaged retention period for personal data or, where this is not possible, the criteria used to determine this duration; […]”. 26. In its conclusions, the defendant argues that the plaintiff's request did not concern a request for access under Article 15.1.b and Article 15.1.d of the GDPR, but a request information on the erasure of data by the controller. 27. In this regard, the Litigation Chamber wishes to recall that the incomplete or inaccurate formulation of a request to exercise a right, in this case, the right of access, cannot be a pretext 2 not to act on it (useful). 28. In order to give useful effect to the complainant's request, the controller must proactively identify the will of the latter. In this case, and given the different exchanges between the parties, the Litigation Chamber considers that the main object of the plaintiff's request, as formulated (request to communicate the “nature of the information that you will delete (with precise indication of the different erasure dates”) did not mainly relate to access to these data but on their deletion. 29. Therefore, the Litigation Chamber follows the defendant's reasoning and admits that the request of the complainant, including with regard to the nature of the data deleted, is related to exercise of the right to be forgotten. The request for information must therefore be dealt with in accordance with Article 12.3 of the GDPR (right to information on the measures taken following a request to exercise right), and not on the basis of article 15.1 of the GDPR (right of access). 2See decision of the Litigation Chamber no. 41/2020 of 29 July 2020 and decision of the Litigation Chamber no. 44/2020 of 5 August 2020., Decision on the merits 39/2022 - 7/10 On the violation of Article 12.3 of the GDPR 30. Article 12.3 provides that “the controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22, as soon as possible and in any case within one month from the receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests related to the exercise of a GDPR right. The person in charge of processing is then required to inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request”. 31. Article 12.3 sets a maximum period of one month to respond to such a request, and it appears from the defendant's exhibit file that the information on the follow-up given to the request deletion of the second email address was only provided on February 26, 2020, i.e. more eight months after the initial request for erasure, which exceeds the legal period including a period reasonable grace due to possible technical or organizational contingencies. 32. Pursuant to Article 12.3 of the GDPR, the onus was on the defendant to inform the complainant of the measures taken to respond to the request to delete the two email addresses concerned, within the legal period of one month. This information was not provided for the first email address removed. As a result, the defendant deprived itself of the possibility of clarifying directly with the complainant the scope of the deletion request, relating to two addresses email and not on one. 33. Moreover, if the defendant believed that it had responded to its initial request after erasing a first e-mail address, this confusion does not justify the new lack of response on the action undertaken by the defendant following the complainant's last request dated September 13 2019. The Litigation Chamber considers in this respect particularly regrettable that the defendant undertook to respond "within 7 days" to the complainant's last reminder and er either then abstained from follow-up within the self-imposed time limit so that on the 1 October, the complainant had not yet received any news in this regard. 34. Therefore, the Litigation Chamber must find a violation of Article 12.3 of the GDPR in respect of of the defendant due to the absence of information provided by the defendant within the legal period one month on the measures taken to respond to the request to erase data from the complainant, with regard to the “customer” email address [email address 2] and the “prospect” address and with regard to the email address [email address 1]. This one-month response time had to be taken taken into account from the complainant's initial request made on June 10, 2019. None extension or grace period was in this case justified by possible contingencies technical or organizational, which the defendant does not demonstrate. The defendant, in fact, did not make any justified request for an extension with regard to the complainant deadline under the conditions permitted by Article 12.3 of the GDPR., Decision on the merits 39/2022 - 8/10 35. However, the Litigation Chamber takes note of the defendant's explanations in the hearing concerning the management policy for access requests introduced after this incident: it is provided that access requests receive by default a response in the month by means of concise, transparent, intelligible and easily accessible information (article 5.1 of the document “GDPR Data subject rights – procedure”, provided to the Litigation Chamber”). The repetition of the incident should also be avoided by the new procedure for handling complaint which provides for a transfer mechanism to the DPO for requests to exercise rights more complex such as the request at the origin of the complaint (concerning several email addresses and requiring investigation in the databases). 36. In addition, the Litigation Chamber emphasizes that the processing of personal data is only lawful if carried out in accordance with Article 6.1 of the GDPR. In the present case, the Litigation Chamber expresses all reservations as to the existence of a legal basis that allowed the defendant to send emails to prospects at the time, but does not reopen the proceedings on this point at this stage insofar as the inclusion of personal data “prospects” had place, either on the legal basis of consent, or on the legal basis of legitimate interest in view of to send prospecting emails for products or services similar to those purchased or previously subscribed by the person concerned, according to the explanations provided by the defendant in court. 37. The Litigation Division recalls the applicable principles set out in the recommendation of the Data Protection Authority nr 01/2020 of January 17, 2020 relating to the processing of personal data for direct marketing purposes. “Before looking at how the legal basis of legitimate interests works, you should examine whether or not you fall under the application of one or other special law that applies to you would prevent its use. As a reminder, when you send unsolicited communications direct marketing by electronic means, including via automated calling systems and communication without human intervention (automatic calls), fax machines or mail electronically, for commercial purposes, you must have the prior consent of the subscribers or users to do so (article 13.1 of the e-Privacy Directive). However, Article 13.2 of this Directive provides for a so-called “soft opt-in” exception for emails (defined as: any message in the form of text, voice, sound or image sent over a public communications network which may be stored on the network or in the terminal equipment of the recipient until the latter retrieves it) of marketing direct, addressed to existing customers or subscribers from whom an organization has obtained the electronic contact details in the context of the sale of a product or service of its own making. In this context, this organization is authorized to send an e-mail to these categories of persons for the purpose of direct prospecting for similar products or services itself provides provided that said customers are clearly and expressly given, Decision on the merits 39/2022 - 9/10 the ability to object, free of charge and in a simple manner, to such use of contact details electronics at the time they are collected and during each message, in case they would not have immediately refused such exploitation. These rules apply only in this specific context and only in this one. If you wish to make use of this exception, you must comply with all of its terms application.The principles adopted therein are also useful for examining the legal basis legitimate interests for data controllers who wish to use it without entering in data processing situations covered by the scope of e-Privacy Directive. » On the address of the data controller and the implementation of article 13.1 of the GDPR 38. Given that the defendant wished to be contacted at an address different from that informed by the plaintiff in his complaint, the Litigation Chamber asked the parties to enlighten him on the contact address of the controller and the way in which the defendant fulfills its information obligations under Article 13.1.a of the GDPR regarding the identity and contact details of the controller (letter of invitation to conclude of February 19, 2020). 39. In its submissions, the Defendant informed the Litigation Chamber of its address as mentioned in its Privacy Policy, and which corresponds to its registered office. Requirement made to the APD to correspond with another address, namely the address of the operating site principal of the defendant in Belgium and of its Managing Director, is not contrary to Article 13.1.a of the GDPR, the Director General wishing to be heard during the hearing by the Chamber Litigation. 40. Consequently, the Litigation Chamber, which had initially not considered it necessary to seek the intervention of the Inspection Service on this point, concludes that there is ultimately no dispute on the identity of the data controller and his contact address. On the sanction to be adopted by the Litigation Chamber 41. Based on the above elements, the Litigation Division finds the violation of Articles 12.3 and 17.1 of the GDPR, due to (i) the absence of information as to the deletion of the first address email [email address 2] and (ii) failure to follow up on the complainant's request for erasure concerning his 2nd email address [email address 1] within the prescribed legal period of one month. 42. The Litigation Chamber nevertheless takes into account the partial fulfillment of the request of the complainant as a mitigating circumstance. The absence of a link between the database "prospect" and the defendant's "client" database does not constitute a circumstance mitigating because it was incumbent on the defendant to carry out with sufficient care a, Decision on the merits 39/2022 - 10/10 searches for personal data held about the customer in databases in order to delete them according to his request, taking into account the basic data provided by the customer who did mention his old email address in his initial request. Bedroom Litigation therefore considers that a reprimand is the most appropriate sanction for breaches observed and that the facts are not of such gravity that it is necessary to impose a fine, in particular insofar as the Litigation Chamber did not observe that the shortcomings observed would impact a large group of citizens. III. Publication of the decision 43. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Authority for the protection of data. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation: er - Pursuant to Article 100, §1, 5° of the LCA, to impose a reprimand for violation of Articles 12.3 and 17.1 of the GDPR by the defendant; er Under Article 108, § 1 of the LCA, this decision may be appealed to the Court of Markets within thirty days of its notification, with the Authority of data protection as defendant. (Sr.) Hielke Hijmans President of the Litigation Chamber