APD/GBA (Belgium) - 145/2022: Difference between revisions
(consistent use of they/them pronouns when referring to data subject; corrected typos, clarified the facts to be in chronological order) |
No edit summary |
(11 intermediate revisions by 3 users not shown) | |||
Line 63: | Line 63: | ||
}} | }} | ||
The Belgian DPA warned a controller for a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID to | The Belgian DPA warned a controller for a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring the data subject to provide the copy of an ID card to exercise their right of erasure under [[Article 17 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The controller | The controller sent out a newsletter as part of its marketing activity. The data subject in this case stated they had never signed up for it in the first place and wished to unsubscribe. The data subject exercised their right of access, which the controller complied with. After this, the data subject wanted to exercise their right of erasure. However, the controller asked for the identification card (ID) of the data subject in order to move on with the request. The controller's privacy policy stated that a written letter with proof of identity was required for exercising rights. The data subject requested information about how the controller received their personal data. The controller stated that the data subject consented to the processing of their personal data by taking part in a campaign. However, the data subject denied this and filed a complaint before the Belgian DPA. | ||
The data subject requested information about how the controller received their personal data. The controller stated that the data subject consented to the processing of their personal data by taking part in a campaign. However, the data subject denied this. | |||
=== Holding === | === Holding === | ||
The DPA recalled that [[Article 12 GDPR#2|Article 12(2) GDPR]] | The DPA recalled that under [[Article 12 GDPR#2|Article 12(2) GDPR]] the controller was not allowed to refuse a data subject the possibility to exercise their rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification. | ||
The DPA held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID for exercising data subject rights, such as the right of access ([[Article 15 GDPR]]) and the right of erasure ([[Article 17 GDPR]]). The controller had to prevent processing too much personal data for the purpose of identifying a data subject, who wanted to exercise their rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing, was sufficient for identification purposes. | The DPA held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID for exercising data subject rights, such as the right of access ([[Article 15 GDPR]]) and the right of erasure ([[Article 17 GDPR]]). The controller had to prevent processing too much personal data for the purpose of identifying a data subject, who wanted to exercise their rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing, was sufficient for identification purposes. | ||
The DPA warned the controller pursuant to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and stated that it expected that the controller would adjust the privacy policy to make it complaint with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. | The DPA stated that the controller should adjust his practises to prevent similar facts and possibly new complaints in the future. Moreover, the DPA warned the controller pursuant to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95, §1, 4° WOG, and stated that it expected that the controller would adjust the privacy policy accordingly to make it complaint with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. | ||
== Comment == | == Comment == | ||
' | The DPA mentions [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] as a provision to warn the controller, also stating that it expected that the controller would adjust the privacy policy to make it complaint with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. However, [[Article 58 GDPR|Article 58(2)(b) GDPR]] contains the authority of the DPA to reprimand a controller. [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] contains the possibility to order the controller to comply with the data subject's requests to exercise his or her rights. | ||
== Further Resources == | == Further Resources == |
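Review bot: The revised Holding paragraph in the right-hand column still reads "make it complaint with Article 5(1)(c) GDPR", and the new Comment paragraph repeats it; both should say "compliant". The edit summary promises consistent they/them pronouns for the data subject, yet the added Comment ends with "his or her rights", and the added sentence "the controller should adjust his practises" uses "his" for a controller that the surrounding text calls "it"; suggest "their rights" and "its practices". The Comment's Article 58(2)(b) link also points at the bare [[Article 58 GDPR]] page, unlike the #2c anchors next to it, so it should get a paragraph anchor in the same pattern.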
Latest revision as of 16:10, 25 October 2022
APD/GBA - 145/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR; Article 12(2) GDPR; Article 58(2)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 30.08.2022 |
Decided: | 12.10.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 145/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | n/a |
The Belgian DPA warned a controller for a violation of Article 5(1)(c) GDPR by requiring the data subject to provide a copy of an ID card to exercise their right of erasure under Article 17 GDPR.
English Summary
Facts
The controller sent out a newsletter as part of its marketing activity. The data subject in this case stated they had never signed up for it in the first place and wished to unsubscribe. The data subject exercised their right of access, which the controller complied with. After this, the data subject wanted to exercise their right of erasure. However, the controller asked for the identification card (ID) of the data subject in order to move on with the request. The controller's privacy policy stated that a written letter with proof of identity was required for exercising rights. The data subject requested information about how the controller received their personal data. The controller stated that the data subject consented to the processing of their personal data by taking part in a campaign. However, the data subject denied this and filed a complaint before the Belgian DPA.
Holding
The DPA recalled that under Article 12(2) GDPR the controller was not allowed to refuse a data subject the possibility to exercise their rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification.
The DPA held that the controller violated Article 5(1)(c) GDPR by requiring an ID for exercising data subject rights, such as the right of access (Article 15 GDPR) and the right of erasure (Article 17 GDPR). The controller had to avoid processing more personal data than necessary to identify a data subject who wanted to exercise their rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing, was sufficient for identification purposes.
The DPA stated that the controller should adjust its practices to prevent similar facts and possibly new complaints in the future. Moreover, the DPA warned the controller pursuant to Article 58(2)(c) GDPR and Article 95, §1, 4° WOG, and stated that it expected the controller to adjust the privacy policy accordingly to make it compliant with Article 5(1)(c) GDPR.
Comment
The DPA mentions Article 58(2)(c) GDPR as a provision to warn the controller, also stating that it expected that the controller would adjust the privacy policy to make it compliant with Article 5(1)(c) GDPR. However, Article 58(2)(b) GDPR contains the authority of the DPA to reprimand a controller. Article 58(2)(c) GDPR contains the possibility to order the controller to comply with the data subject's requests to exercise his or her rights.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute room
Decision 145/2022 of October 12, 2022
File number: DOS-2022-03529
Subject: Provision of identity card as a condition for data erasure
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, single chairperson;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
The complainant: Mr X, hereinafter referred to as “the complainant”;
The controller: Y, hereinafter “the controller”
I. Facts procedure
1. On August 30, 2022, the complainant lodged a complaint with the Data Protection Authority against the controller.
2. The subject of the complaint concerns the privacy statement in which the controller requests the complainant's proof of identity if he/she wishes to deregister from the receipt of newsletters. The complainant has exercised his right of access to which the controller has followed up. Subsequently, the complainant wishes to exercise data erasure, but establishes that in accordance with the privacy statement of the controller must submit his proof of identity to the controller. In addition, the complainant claims to have never registered to receive newsletters from the controller. The complainant has therefore requested the controller to provide information on how the controller has come into possession of his personal data. The controller states that the complainant has given his consent via VIP Response B.V. (Netherlands) by participating in a campaign. However, the complainant denies this.
3. On September 5, 2022, the complaint will be declared admissible by the Frontline Service on the grounds of Articles 58 and 60 of the WOG and the complaint on the basis of art. 62, §1 WOG transferred to the Disputes Chamber.
II. Justification
4. The Disputes Chamber determines on the basis of the documents that support the complaint that the privacy policy of the controller determines that for the exercise of rights a written request and proof of identity via registered letter is required. With regard to the provision of identification data, Article 12.2 of the GDPR provides that the controller may not refuse to comply with the data subject's request for their rights, including to exercise the right of access (Article 15 GDPR) and the right to erasure (Article 17 GDPR), unless the controller demonstrates that it is unable to identify the data subject. However, it does not appear from the factual elements that are the subject of the complaint that the controller cannot identify the complainant. After all, the complainant has exercised the right of access and the controller has complied with this request without the need to provide any proof of identity beforehand was deemed. In practice it has therefore been shown that the complainant can be sufficiently identified by the controller to follow up on the request of the complainant to provide information about the way in which the controller has come into possession of his personal data. From this follows ipso facto that the complainant in the present case is also sufficiently identified as soon as he/she intends to exercise its right to erasure and controller cannot require proof of identity to be provided.
[1] See in that regard 3.1.3. of the guideline 01/2022 on rights of data subjects – right of access: https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf
5. By subjecting the exercise of rights in the privacy statement to the preceding provision of an identity document, the controller disregards the principle of minimum data processing (Article 5.1 c) GDPR). The concrete application of this principle with regard to the processing of identity documents in the context of the exercise of rights by the data subject implies that the controller cannot require that a proof of identity is provided in cases where the data subject can be identified on the basis of the personal data already processed by him in order to be able to follow up indicate the exercise of its rights to prevent processing more data than is necessary for the purpose of identifying the data subject in light of the exercise of rights with regard to direct marketing. In concrete terms, this means that if – as in this case – the controller makes use of the complainant's e-mail address to send these direct marketing messages, it is sufficient that the complainant addresses the controller using the same email address to exercise its rights.
6. The Disputes Chamber is of the opinion that on the basis of the above analysis, concluded that a breach of the provisions of the GDPR was committed, which justifies the taking of a decision on the basis of Article 95, §1, 4° WOG, more specifically to inform the controller warn that the condition included in the privacy statement for the provision of a proof of identity in the context of exercising rights with regard to direct marketing infringes Article 5.1 c) GDPR.
7. The Disputes Chamber is of the opinion that the controllers should be given the opportunity be offered to adjust its course of action as a result of this first complaint, so that in similar facts and possibly new complaints about them in the future avoided. The Disputes Chamber therefore expects the privacy statement to be specific on this point is adapted and brought into line with the principle of minimum data processing.
8. The present decision is a prima facie decision made by the Disputes Chamber in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of [2] the ‘procedure prior to the decision on the merits’ and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG.
[2] Section 3, Subsection 2 WOG (Articles 94 to 97).
9. The purpose of this decision is to notify the controller of the fact that it may have infringed the provisions of the GDPR and that it is in the possibility to still conform to the aforementioned provisions.
10. However, if the controller does not agree with the content of this prima facie decision and considers that it may allow factual and/or legal arguments funds that could lead to a different decision, can be sent to the email address litigationchamber@apd-gba.be address a request for treatment on the merits of the case to the Dispute Chamber and this within the period of 30 days after notification of this decision. The enforcement of this decision will, if necessary, be during the aforementioned period suspended.
11. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their to submit defenses and to attach to the file any documents they deem useful. The If necessary, this decision will be definitively suspended.
12. For the sake of completeness, the Disputes Chamber is informed that a treatment on the merits of the case may be [3] lead to the imposition of the measures referred to in Article 100 WOG.
[3] 1° to dismiss a complaint; 2° order the suspension of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° to formulate warnings and reprimands; 6° order compliance with the data subject's requests to exercise his or her rights; 7° to order that the data subject is informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing is brought into conformity; 10° the rectification, restriction or deletion of data and its notification to the recipients of the data command; 11° order the withdrawal of the recognition of certification bodies; 12° to impose periodic penalty payments; 13° impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° to hand over the file to the public prosecutor's office in Brussels, who will inform it of the consequence that the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
13. Finally, the Disputes Chamber points out the following: If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), this should contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture.
14. If a copy of the file is requested, the documents will be sent electronically if possible or else delivered by regular mail. [4]
[4] Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Dispute room NOT provided. In addition, all communication is in principle electronic.
III. Publication of the decision
15. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary that the identification data of the parties be published directly.
FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the controller for processing on the merits in accordance with Article 98 et seq. WOG, to:
- on the basis of Article 58.2, c) GDPR and Article 95, §1, 4° WOG to the controller warn that with the intended processing similar to that which is the subject of the present complaint infringes Article 5.1 c) GDPR;
- to request the controller from the Data Protection Authority (Dispute Chamber) by e-mail within 30 days of notification of this decision presenting the result of this decision in order to inform the Disputes Chamber about the adjustment of the privacy statement regarding the condition for providing proof of identity in the context of the exercise of rights, this via the e-mail address litigationchamber@apd-gba.be; and
- in the absence of the timely implementation of the above by the controller, to handle the case on the merits ex officio in accordance with Articles 98 et seq. WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as Defendant. Such an appeal may be lodged by means of an adversarial petition that the 1034ter of the Judicial Code, the statements listed should contain. The application on [5] contradiction must be submitted to the registry of the Market Court in accordance with Article [6] 1034quinquies of the Ger.W., or via the Justice Deposit Information System (Article 32ter of the Ger.W.).
(get). Hielke Hijmans
Chairman of the Disputes Chamber
[5] The petition states on pain of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and the brief summary of the grounds of the claim; 5° the court before whom the claim is brought; 6° the signature of the applicant or of his lawyer.
[6] The application with its annex is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or at the registry.