APD/GBA (Belgium) - 135/2022: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 38: | Line 38: | ||
|GDPR_Article_5=Article 26 GDPR | |GDPR_Article_5=Article 26 GDPR | ||
|GDPR_Article_Link_5=Article 26 GDPR | |GDPR_Article_Link_5=Article 26 GDPR | ||
|GDPR_Article_6= | |GDPR_Article_6=Article 56(1) GDPR | ||
|GDPR_Article_Link_6= | |GDPR_Article_Link_6= | ||
|GDPR_Article_7= | |GDPR_Article_7= | ||
Revision as of 14:30, 5 October 2022
| APD/GBA - Decision 135/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(23) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 26 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 26.09.2019 |
| Decided: | 22.09.2022 |
| Published: | 02.10.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Decision 135/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | GBA (in FR) |
| Initial Contributor: | n/a |
The Belgian DPA held that a controller, with companies in both Belgium and the UK, violated articles 15(1), 15(3) and 12(3) GDPR for deleting data instead of providing access to data after an access request by the data subject.
English Summary
Facts
The data subject submitted an access request Article 15 GDPR for his two accounts to the controller’s customer service department. The controller verified the data subject’s identity and informed him that his request would be followed up with a view to obtaining a copy of his personal data within one month. These initial exchanges of e-mails took place with the controller using a .be (Belgium) e-mail address.
The data subject sent a reminder to the controller on 4 November 2019 after he hadn’t heard back from the controller. The Data subject received an email on 7 November 2019 from the privacy team of the controller using a privacy@[...].uk (United Kingdom) e-mail address. In this e-mail, it was stated that all the personal data of the data subject had been deleted following its request for deletion. On the same day, 7 November 2019, the data subject objected by e-mail that he had not requested the deletion of personal data but access to personal data. According to the data subject, the controller didn't answer this e-mail.
After the data subject filed his complaint which was deemed admissible by the Belgian DPA, the DPA ordered an investigation into the matter. In its investigation report, it held the following:
The controller's Belgian company is jointly responsible for the processing with the controllers UK company. This joint responsibility results from the privacy policy, available on the website of the Belgian company of the controller. The investigation unit also held that the controller violated Article 12(1) GDPR, Article 12(2) GDPR, Article 15(1) GDPR and Article 15(3) GDPR. The controller had deleted the data of the data subject instead of providing access to the data. The controller stated that this was most likely caused by human error. To prevent the problem from occurring in the future, the controller started putting in place additional training and automated processed to handle requests of data subjects under the GDPR in a better way.
The DPA held that the investigations unit didn’t answer the question which DPA was the lead supervisory authority. The controller stated in its privacy-policy that a complaint could be filed at either the DPA in the UK or the Belgium DPA.
The DPA reiterated that after Brexit, each Member State in which a new principal place of business was established, would become the DPA including for complaints under examination, after the DPA in the UK had left the cooperation mechanism and the one-stop shop. In the absence of a principal place of business in the EU of the controller Article 56(1) GDPR), each DPA of the other members states has jurisdiction regarding the controller insofar as the GDPR applies.
There was no agreement between the controler's companies in Belgium and the UK regarding joint controllership.
Holding
Lead supervisory Authority and compentence of the Belgian DPA
The DPA held that the fact that the controller had mentioned the possibility of filing a complaint in both countries in privacy policies said nothing about the competence of either the Belgian DPA or the DPA in the UK as lead supervisory authority in this case. The Belgian DPA held that this was merely an expression of the right of the data subject to file complaints in both countries.
The DPA held that the DPA in the UK should be regarded as the lead supervisory authority in this case of cross-border processing (Article 4(23) GDPR). There was no agreement between the joint controllers (Article 26 GDPR). Therefore, the DPA considered several factors to decide why the company in the UK should be regarded as the principal place of business for the purposes of data processing decisions (controller) and their application. One factor was the fact that in each of the privacy policies of the controller's companies across EU-member states, it was explicitly mentioned that the controller is the company incorporated under English law (UK). It also mentions that the other companies, such as the Belgian one, are joint Controllers. Another factor was that the communication with the data subject was taken over by the privacy team in the United Kingdom from the customer service in Belgium. The controller also produced internal documents which explain the procedure for exercising rights with a system of 'escalation' to the Privacy team in the UK, for example form the customer service in Belgium to the privacy team in the United Kingdom. The controller further specified that the procedure for this decision was also prepared by the parent company in the United Kingdom.
Another factor which the DPA considered was the fact that the Italian DPA had also received a complaint against the controller and had considered the DPA in the UK to be the lead supervisory authority. This consideration was accepeted by the DPA in the UK.
The DPA held that it is competent to deal with this decision, because the controller didn’t establish a new principal place of business in an EU member state after Brexit. As a result, the Belgium DPA was therefore competent to deal with the complaint since a complaint was filed at the Belgian DPA.
The DPA held that it was not necessary to specify relationship between the joint controllers in the UK and in Belgium.
Belgian DPA decided to close the case
The DPA decided to close the case because of several reasons. The findings of investigations unit were made at a time when the jurisdiction of the Belgian DPA was not established in UK Law. The DPA therefore held that it couldn't rely on these findings. It also held that the violations of the controller were the result of human error. It also held that GDPR was taken into account with the handling of the complaint. It further considered the concrete circumstances of the case, such as the time elapsed, the subject matter and the absence of high impact for the data subject.
Nonetheless, the DPA held that the controller had violated Articles 15(1) GDPR (confirmation of the processing of data and information) and 15(3) GDPR (copy of the data). The Controller also violated Article 12(3) GDPR (the response to a request to exercise a right must be made, with certain exceptions, within one month).
The DPA didn’t sanction the controller but informed the controller how it could comply better with the GDPR in the future by referring to EDPB guidelines 01/2022 regarding the right of access.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/11
Litigation Chamber
Decision 135/2022 of September 22, 2022
File number: DOS-2019-05983
Subject: Complaint relating to the exercise of a right of access against a company – co-
responsibility – classification without follow-up
The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke
Hijmans, President, sitting alone;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the
data protection), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to
processing of personal data (hereinafter LTD);
Having regard to the Rules of Procedure as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The plaintiff: Mr. X, hereinafter “the plaintiff”;
The defendant: […], the defendant's English company,
[….] Belgian company of the defendant
Hereinafter “the defendant”; Decision 135/2022 - 2/11
I. Facts and procedure
1. On November 25, 2019, the complainant filed a complaint with the Data Protection Authority
data (APD).
2. His complaint concerns the exercise of his right of access (article 15 of the GDPR) and the action taken
inadequate reserved for this request by the defendant.
3. The complainant thus reports that on September 26, 2019, he sent a request for access
with the defendant's customer service, requesting to recover all the related data
on both accounts (…) and (…). An exchange of emails dated September 28, 2019 followed
this request at the end of which the defendant verified the identity of the complainant and
informed that a follow-up would be given to his request to obtain a copy of his
personal data within one month in accordance with the applicable regulations
in terms of data protection. These first e-mail exchanges took place with a
person using a .be email address and presenting himself as being in charge of
customer accounts with the defendant (customer accounts).
4. In the absence of follow-up given to these first exchanges, the complainant sent a reminder to the
defendant on November 4, 2019, more than a month after its initial request of November 26
September 2019 (point 3 above).
5. In response, the complainant this time received an email dated 7 November 2019 sent from
the address privacy@[...].uk , signed by the Privacy team of the defendant, and informing it that at the
following its request for erasure, all the personal data that the defendant
held "and which fall within the scope of your (read "his") right to
erasure under data protection regulations had been
deleted” (excerpt from the email produced). The defendant further specifies that it advised
of this erasure all third parties who processed the complainant's data on his behalf,
referring in this respect to its privacy policy. Finally, the defendant indicates that the
right to erasure does not necessarily imply that all personal data
be erased when, in certain circumstances, exceptions provided for by the
GDPR can play. The defendant refers the complainant in this respect to the information
available on the website of the Commission Nationale Informatique et Libertés (CNIL) either
the French data protection authority. Should the complainant be dissatisfied with
the response received, the defendant finally invites him to file a complaint with the CNIL,
again referring to its privacy policy.
6. On the same day, November 7, 2019, the complainant objected by return email that he had not
not requested the deletion of his data but access to them. Under his
complaint, the complainant indicates that this last email remained unanswered by the
defendant. Decision 135/2022 - 3/11
7. On December 3, 2019, the Front Line Service (SPL) of the APD declares the complaint
admissible on the basis of Articles 58 and 60 of the LCA, and transmits it to the Chamber
Litigation in accordance with Article 62, § 1 of the LCA.
8. During the session of December 17, 2019, the Litigation Chamber decides to request a
investigation at the inspection service (SI). On December 20, 2019, the Litigation Chamber seized
the Inspector General of a request for an investigation. On the same date, the complainant was informed
of what the inspection was seized.
9. According to his investigation report of March 3, 2020, the Inspector General notes what
follows:
- The Belgian company of the defendant is jointly responsible for the processing with the
defendant's English law company established in the United Kingdom (hereinafter together
"the defendant"). This co-responsibility results from the privacy policy
available on the website of the Belgian company of the defendant;
- The plaintiff received an e-mail from the defendant's Privacy team (see point 5)
confirming the deletion of his personal data in response to his request for
get a copy. Reference is also made in this e-mail to the CNIL with regard to
the filing of any complaint. In this regard, the IS concludes that there is a breach of the
sections 12.1., 12.2., 15.1. and 15.3. of the GDPR on the part of the defendant.
- the defendant indicated to SI that these shortcomings were both due to an error
human, the handler of the request having in all likelihood had to use the
poor French-speaking model available.
- In order to prevent the problem that has arisen from recurring, the defendant indicates that
implementation of additional training and the establishment of a process
automatic management of requests to exercise rights under the GDPR.
- Finally, the IS notes that two other complaints were listed in the system of
1
cooperation (one-stop shop - IMI) of EU data protection authorities
European Union against the defendant. In these complaints the Information
British Commissioner (ICO) is identified as a lead authority within the meaning of
section 56.1. GDPR (Lead Supervisory Authority - LSA) due to the implementation of
the principal establishment of the defendant in the United Kingdom (via the company
defendant's English - see. below).
1The Internal Market Information System (IMI) is an online tool that facilitates the exchange of information between
public authorities involved in the practical application of EU law. IMI helps authorities fulfill their
cross-border administrative cooperation obligations in many market areas
unique, including the field of data protection (GDPR). Decision 135/2022 - 4/11
10. After examining the Inspection report and the investigation documents, the Litigation Chamber
notes that said report mentions that the defendant's English law company (UK)
and the defendant's Belgian law company (BE) are joint data controllers without
however, draw conclusions as to the identification of the LSA and the competence of the
ODA. The SI report establishes that the defendant's privacy policy
mentions the possibility for each complainant to file a complaint with the ICO and/or
DPA. This possibility does not, however, entail the competence of one or the other
and the other otherwise) data protection authority such as LSA. This double
possibility is simply the expression of what the complainant has the choice to file his complaint
with its local control authority which may, according to the criteria of
determination of the GDPR to be LSA or simple “concerned authority” (CSA) within the meaning of article
4.22.c) of the GDPR with, in the latter case, the obligation to transfer the complaint to the LSA in the
framework of the cooperation mechanism between the data protection authorities (one-stop
single – articles 56 and s. ) implemented by the GDPR.
11. To determine which is the lead data protection authority (LSA) in the event of
cross-border processing within the meaning of Article 4.23 of the GDPR as in the present case and co-
data controllers, the Litigation Chamber refers to the Guidelines of the
2
European Data Protection Board (EDPB) on LSA identification. These
guidelines state the following:
“The general regulations do not specifically cover the question of the
determination of a lead authority when several persons in charge of the
processing established in the Union jointly determine the purposes and
means of processing, i.e. in the case of joint controllers.
Article 26, paragraph 1, and recital 79 make it clear that, in this
situation, the joint controllers define in a manner
transparency of their respective obligations in order to ensure compliance with
regulatory requirements. Therefore, in order to benefit from the principle of
one-stop-shop, the joint controllers must designate the one-stop-shop
their establishments (among those where decisions are taken) who will have the power to
enforce decisions about processing with respect to all
joint controllers. This establishment will then be considered
as the main establishment for processing involving responsible persons
treatment spouses. The agreement between the joint controllers
2
Working Party Article 29, Guidelines for the designation of a lead supervisory authority of a
responsible for processing or a processor, WP244 of 5 April 2017. The EDP Has adopted these guidelines on its behalf
by decision of 25 May 2018 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-identifying-
controller-or-processors-lead_en Decision 135/2022 - 5/11
is without prejudice to the rules on liability established by the regulation
general, in particular in Article 82, paragraph 4 (point 2.1.3.)”.
12. In the absence of agreement within the meaning of Article 26 of the GDPR at its disposal, the Litigation Chamber
relied on various elements of the complaint to consider that it was the company of
English law of the defendant (UK) which was to be considered as the establishment
principal with regard to data processing decisions (responsible for
treatment) and their application.
13. These elements were:
has. In the various countries of the European Union in which the defendant offers
its services, each of the privacy policies mentions that the
data controller is the defendant's English law company (UK) and
the local company of the country concerned as joint managers (SPRL of
Belgian law of the defendant in Belgium, SAS the defendant in France etc.
);
b. The defendant's company governed by English law (UK) is therefore "joint" in
each case;
vs. In the context of this complaint, after an initial intervention by the service
“local” customer (Belgian in this case – see point 3), the relay was taken over by the Privacy team
in the United Kingdom (point 4) which depends on the English law company of the
defendant, which supports local services in terms of responding to
requests to exercise rights under the GDPR;
d. As part of the investigation conducted by the IS, the defendant produced in this regard
internal documents that explain the procedure for exercising rights with a
“escalation” system to the Privacy team (central support team for
UK-based personal data issues). the defendant
further explains that this procedure was prepared by the parent company in
UK.
e. As mentioned in point 9 above, the data protection authority
Italian data (Garante) also received a complaint about the
defendant and considered that the ICO was LSA, which the ICO accepted.
14. In support of the foregoing, the Litigation Chamber therefore seized the ICO of the
complaint received from the complainant on November 20, 2020. At the time, notwithstanding the release
3As mentioned by the EDPS in the excerpt cited in point 11, Article 26 of the GDPR requires joint controllers
transparently define their respective obligations in order to ensure compliance with the requirements of the GDPR,
in particular with regard to the exercise of the rights of the data subject, and their respective obligations with regard to the
communication of the information referred to in Articles 13 and 14 by agreement between them, subject to exceptions. Decision 135/2022 - 6/11
from the United Kingdom from the European Union, the ICO was still taking part until 31 December
2020 to the cooperation mechanism (one-stop shop) set up under Chapter
VII GDPR .4
13. On January 11, 2021, the Litigation Chamber informed the complainant of this.
14. In the course of 2021, a data protection authority with which
complaint had also been filed against the defendant informed his counterparts
that it had made a point of verifying whether the defendant had designated a new establishment
principal in the post-Brexit European Union, after the exit of the ICO from the mechanism of
cooperationandone-stop-shop.The data protection authority of the Member State of
EU 27 in which this new main establishment would have been established would become LSA, in
including for complaints under review, (even if this review is not completed by the ICO,)
filed before the exit of the ICO from the one-stop shop with data protection authorities
EU data.
15. The data protection authorities have not established that the defendant appointed
new main establishment in the EU and concluded that as a result, each of the
data protection authorities receiving a complaint were now competent to
treat it.
16. The Litigation Division agrees with this analysis and bases its jurisdiction on it. In
Indeed, the single window mechanism (and therefore the competence of a lead authority
- LSA), assumes the existence of cross-border processing within the meaning of Article 4.23 of the GDPR
as well as the existence of a main establishment or a single establishment of the
controller in the EU (article 56.1 of the GDPR). In the absence of an establishment
principal of the defendant in the EU as following Brexit, each authority of
data protection is responsible for it insofar as the GDPR is
application.
17. In the present case, with regard to co-controllers, the DPA currently considers itself
competent with respect to each of the entities, whether it is the English law company of the
defendant or the defendant's company governed by Belgian law. Indeed, if the influence
dominant factual evidence from the English law society of the defendant justified, before the release
of the ICO of the one-stop-shop mechanism, that the examination of the complaint be entrusted to it
of LSA (see above), the fact remains that the two entities are jointly responsible for
processing subject to the GDPR, which justifies that the DPA (via its Litigation Chamber),
4WithdrawaloftheUnitedKingdomfromtheEuropeanUnionexclusionfromtheEUdecisionmakinganddecision-shaping
as of the withdrawal date and exceptions provided for in the withdrawal agreement. (Appendix). Ref. Ares(2020)469682-
01/24/2020.
5In accordance with the Agreement on the European Economic Area (EEA), as of July 20, 2018, the EEA countries, Iceland,
Lichtenstein and Norway are also part of the EDPB and the Single Window system. Decision 135/2022 - 7/11
now competent post Brexit, jointly addresses this decision to them. For
need of this decision, it is not necessary to specify the relationship between these two
entities.
II. Motivation
15. Based on the facts described in the complaint file as summarized above, and on the
basis of the powers attributed to it by the legislator under Article 95, § 1
of the LCA, the Litigation Chamber decides on the follow-up to be given to the file. In this case, the
Litigation Chamber decides to proceed with the dismissal of the complaint,
in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.
16. In matters of dismissal, the Litigation Chamber is required to justify its
step-by-step decision and:
- to pronounce a classification without technical continuation if the file does not contain or not
sufficient elements likely to lead to a sanction or if it includes a
technical obstacle preventing him from rendering a decision;
- or pronounce a classification without further opportunity, if despite the presence
elements likely to lead to a sanction, the continuation of the examination of the
file does not seem to him to be appropriate given the priorities of ODA such as
specified and illustrated in the Chamber's Discontinued Classification Policy
Litigation. 7
17. In the event of dismissal based on several grounds, the latter (respectively,
classification without technical follow-up and classification without opportunity follow-up) must be
addressed in order of importance .8
18. In this case, the Litigation Chamber decides to proceed with a classification without follow-up
the complaint for a reason of opportunity. The decision of the Litigation Chamber is based more
specifically on the following reasons why it considers it inappropriate to
continue to examine the complaint, and therefore decides not to proceed, between
others, to deal with the case on the merits.
19. The Litigation Chamber notes that the findings of the IS were made (between 20
December 2019 and 3 March 2020) on a date on which the competence of the DPA was not, at
6Cour des marchés (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
7
In this respect, the Litigation Chamber refers to its policy of classification without follow-up as developed and published on
the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-
classification-without-continuation-of-the-litigation-chamber.pdf.
8
See Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the
dismissal policy of the Litigation Chamber. Decision 135/2022 - 8/11
at least vis-à-vis English law of the defendant, not established. Bedroom
Contentious therefore does not consider that it can reliably rely on the said findings.
20. The Litigation Division is also of the opinion that these breaches could be
constituting human error. The first exchanges of emails with the complainant attached to
the complaint attest to the fact that the GDPR has been taken into account and knowledge of the deadlines
to answer him. The response then provided by the “Privacy team” regarding the request
erasure, if it is certainly inadequate given the request for access made by
the complainant and not of erasure, also certifies that the GDPR has been taken into account. Account
taking into account all the concrete circumstances of the case (elapsed time, subject of
the complaint and the absence of a high societal or personal impact for the complainant in this case
(these are data relating to user accounts with the defendant), the
Litigation Chamber concludes that the continuation of an examination on the merits would be
disproportionate. However, it intends that it will be specified in point 24 to communicate
this decision to the defendant for information and awareness.
21. Indeed, without prejudice to the foregoing considerations, the Litigation Chamber does not
IS NOT LESS, BASED ON THE ATTACHMENTS TO THE COMPLAINT ALONE, ABLE TO POINT OUT THAT, PRIMA
facie, the defendant did not respond adequately to the complainant's request for access,
deleting the latter's personal data instead of sending him a copy and this, in
breach of Articles 15.1 (confirmation that data is being processed and elements
information) and 15.3. (copy of data) of the GDPR. Therefore, the defendant has not
elsewhere, and always prima facie, not complied with the requirements of article 12.3. of the GDPR (the answer
to a request to exercise a right must be made, with some exceptions, within one month).
22. Notwithstanding its decision to close without further action, the Litigation Chamber therefore recalls this
which follows, a reminder which, without constituting any corrective measure or sanction within the meaning
of Articles 95 or 100 of the LCA, aims to inform the defendant as best as possible:
- The establishment of effective procedures to follow up on exercise requests
of the rights of data subjects is part of the obligations of those responsible for
treatment (spouses) and the effectiveness of said rights;
9
- As the EDPS points out in his Guidelines on the right of access,
“where two or more controllers process data jointly, the arrangement of the joint
controllers regarding their respective responsibilities with regards to the exercise of
data subject's rights, especially concerning the answer to access requests, does not
9
European Data Protection Board (EDPB), Guidelines 01/2022 on data subject’s rights – right of access,
version 1.0. dated 18 January 2022. This text is only available in English: https://edpb.europa.eu/system/files/2022-
01/edpb_guidelines_012022_right-of-access_0.pdf This document has been submitted for public consultation. It is therefore not
excluded that an amended version of these guidelines will be published in the future. Decision 135/2022 - 9/11
affect the rights of the data subjects towards the controller to whom they address their
request (item 34)” 10
- Still according to the EDPS, “the controllers should be proactively ready to handle the
requests for access to personal data. This means that the controller should be prepared
to receive the request, assess it properly (this assessment is the subject of this section
oftheguidelines)andprovideanappropriatereplywithoutunduedelaytotherequesting
person. The way the controllers will prepare themselves for the exercise of access
requests should be adequate and proportionate and depend on the nature, scope,
context and purposes of processing as well as the risks to the rights and freedoms of
natural persons, in accordance with Art. 24 GDPR. Depending on the particular
circumstances,thecontrollersmayfor exampleinsomecasesberequiredtoimplement
anappropriateprocedure,theimplementationofwhichshouldguaranteethesecurityof
the data without hindering the exercise of the data subject’s rights (point 42)”. 11
- Finally, as the EDPS also points out in his Guidelines already mentioned, and
without calling into question its conclusion that human error stops producing
in this case, the Litigation Chamber recalls that “the controller shall not deliberately
escape the obligation to provide the requested personal data by erasing or modifying
personal data in response to a request for access. If, in the course of processing the
access request, the controller discovers inaccurate data or unlawful processing, the
controller has to assess the state of the processing and to inform the data subject
12
accordingly before complying with its other obligations (point 39)”.
10 See. the aforementioned Right of Access Guidelines. Free translation: "When two or more than two
controller process data jointly, the arrangement of the co-controllers relating
their respective responsibilities with regard to the exercise of the rights of data subjects (especially
with regard to the response to be given to a request for access), cannot affect the rights of the person concerned with regard to the
data controller to whom it addressed its request (point 34)”.
11See. the EDPS guidelines on the right of access already cited. Free translation: “Those responsible for
should be proactively prepared to deal with requests for access to personal data. This means that
theprocessorshouldbepreparedtoreceivetherequest,toexamineitadequately (this examination is
discussed in this section) and to provide a relevant response as soon as possible to the applicant. The
how controllers prepare for these requests to exercise the right of access should be
adequate, proportionate and dependent on the nature, scope, context and purpose of the processing as well as the
risks to the rights and freedoms of natural persons in accordance with Article 24 of the GDPR. Depending of
circumstances, data controllers could for example sometimes be required to put in place a procedure
specific, which implementation should guarantee the security of the data without preventing the exercise of the rights of the
data subject (point 42)”.
12 See. the EDPS guidelines relating to the right of access already cited.
cannot deliberately evade its obligation to provide the personal data by erasing or modifying the
data to be provided in response to the access request. If as part of the process of responding to such request, the
data controller discovers that the data is inaccurate or that it is being processed unlawfully, the
data controller must examine the processing and inform the person concerned before complying with its
other obligations (item 42)”. Decision 135/2022 - 10/11
- With regard to the response given regarding erasure, the Litigation Chamber
reminds that it is important that the person know about the data that has been erased
and that if exceptions are applicable, they must be formulated in a way
relevant to the particular situation.
III. Publication and communication of the decision
23. Given the importance of transparency with regard to the process
decision-making and the decisions of the Litigation Chamber, this decision will be published on the
ODA website. However, for this purpose it is not necessary that the data
identification of the parties are directly mentioned.
24. In accordance with its policy of dismissal, the Litigation Chamber
communicate the decision to the defendant. Indeed, the Litigation Chamber decided
to communicate the decisions of classification without follow-up to the defendant party by default.
However, the Litigation Division refrains from such communication when the
plaintiff requested anonymity vis-à-vis the defendant and when the
communication of the decision to the latter, even pseudonymised, nevertheless risks
allow re-identification. This is not the case in the present case.
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation,
to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (Court
d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party
defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code (C. jud) . The interlocutory motion
13Cf. Title 5 – Will the ranking without continuation be published? Will the opposing party be informed? of the policy of
dismissal of the Litigation Chamber.
14Ibidem.
15The application contains on pain of nullity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary of the grounds of the application; Decision 135/2022 - 11/11
must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C.
jud. , or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
To allow him to consider any other possible course of action, the Litigation Chamber sends
the complainant to the explanations provided in its dismissal policy. 17
(Sé). Hielke HIJMANS
President of the Litigation Chamber
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
16The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
17Cf. Title 4 – What can I do if my complaint is dismissed? of the Chamber's policy of classification without follow-up
Litigation.
