APD/GBA (Belgium) - 165/2022: Difference between revisions
No edit summary |
|||
(3 intermediate revisions by 2 users not shown) | |||
Line 75: | Line 75: | ||
}} | }} | ||
The Belgian DPA ordered a Covid-19 contact | The Belgian DPA ordered a Covid-19 contact tracking centre to answer an access request, to which the centre did not reply. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 3 February 2022, the data subject was called by Covid-19 contact tracer (controller) after a confirmed Covid-19 infection within the family of the data subject. The data subject asked questions to an employee of the controller on the phone regarding data processing done by the controller. However, this employee was not able to answer the questions regarding this processing. On 4 February 2022, the data subject also filed an access request, to which the controller did not respond either. | |||
The data subject | The data subject filed a complaint at the Belgian DPA on 21 March 2022 regarding two potential violations: a lack of transparency and the failure to address the data subject’s request. The investigation service of the DPA (investigation service) started an investigation into the controller and determined that the data subject did not have a sufficient interest. In her complaint, the data subject did not link the processing operation of the controller to herself. She was not able to prove that the controller was processing personal data at all and if so, what kind of personal data the controller was processing. Therefore, the data subject was acting in public interest, which made the complaint inadmissible according to the investigation service. The data subject disagreed and stated that the controller had asked for several categories of personal data (including medical information) regarding the data subject and her family in a phone call. According to the data subject, it seemed that this personal data was also saved by the controller, since the mother and husband of the data subject were called shortly after the data subject provided their contact details. | ||
=== Holding === | === Holding === | ||
The DPA disagreed with its investigation service, and stated that the complaint was admissible. The DPA stated that Article 58 WOG (Act establishing the DPA) allowed every data subject with a ‘sufficient interest’ to submit a complaint. The DPA confirmed that the controller processed the data subject’s personal data and stated that the data subject could also represent her daughter in this procedure. This meant that there was not just a public interest addressed in this complaint. Despite the complaint being admissible, the DPA emphasised that the procedure would be limited to the processing of the data subject and her daughter, since the data subject could represent her during the procedure. The processing regarding the husband and other family members was not part of this procedure. | |||
The DPA further assessed whether the controller fulfilled its transparency obligations under [[Article 12 GDPR#1|Articles 12(1)]], [[Article 13 GDPR#1|Article 13(1)]] and [[Article 13 GDPR#2|(2)]], and [[Article 14 GDPR#1|Article 14(1)]] and [[Article 14 GDPR#2|(2) GDPR]]. These obligations are concretization of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The DPA held that the controller's privacy policy was clear and transparent, because the controller used clear titles and clear language in the policy. The policy was also easily accessible using the controller’s website, pursuant to [[Article 12 GDPR#1|Article 12(1) GDPR]]. The DPA also determined that all the necessary information was present in the policy, pursuant to [[Article 13 GDPR#1|Article 13(1)]] and [[Article 13 GDPR#2|(2)]], and [[Article 14 GDPR#1|Article 14(1)]] and [[Article 14 GDPR#2|(2) GDPR]]. Therefore, the DPA dismissed this part of the complaint because it was manifestly unfounded ([[Article 57 GDPR#4|Article 57(4) GDPR]]). | |||
However, the DPA held that the controller did not follow up on a data subject’s access request pursuant to [[Article 15 GDPR]]. The controller did not respect the period of 1 month to reply pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]]. The DPA ordered the controller to fulfil the request pursuant to Article 95(1)(5) WOG and [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. | |||
The DPA emphasised that this a preliminary (prima facie) decision, not a decision on the merits. | |||
== Comment == | == Comment == | ||
This a prima facie decision, not a decision on the merits. Both parties still have the possibility to continue with the procedure if they wish so. | This is a prima facie decision, not a decision on the merits. Both parties still have the possibility to continue with the procedure if they wish so. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 13:40, 14 December 2022
APD/GBA - 165/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 12(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 14(1) GDPR Article 14(2) GDPR Article 15 GDPR Article 57(4) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 21.03.2022 |
Decided: | 18.11.2022 |
Published: | |
Fine: | n/a |
Parties: | Zorg & Gezondheid |
National Case Number/Name: | 165/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA ordered a Covid-19 contact tracking centre to answer an access request, to which the centre did not reply.
English Summary
Facts
On 3 February 2022, the data subject was called by Covid-19 contact tracer (controller) after a confirmed Covid-19 infection within the family of the data subject. The data subject asked questions to an employee of the controller on the phone regarding data processing done by the controller. However, this employee was not able to answer the questions regarding this processing. On 4 February 2022, the data subject also filed an access request, to which the controller did not respond either.
The data subject filed a complaint at the Belgian DPA on 21 March 2022 regarding two potential violations: a lack of transparency and the failure to address the data subject’s request. The investigation service of the DPA (investigation service) started an investigation into the controller and determined that the data subject did not have a sufficient interest. In her complaint, the data subject did not link the processing operation of the controller to herself. She was not able to prove that the controller was processing personal data at all and if so, what kind of personal data the controller was processing. Therefore, the data subject was acting in public interest, which made the complaint inadmissible according to the investigation service. The data subject disagreed and stated that the controller had asked for several categories of personal data (including medical information) regarding the data subject and her family in a phone call. According to the data subject, it seemed that this personal data was also saved by the controller, since the mother and husband of the data subject were called shortly after the data subject provided their contact details.
Holding
The DPA disagreed with its investigation service, and stated that the complaint was admissible. The DPA stated that Article 58 WOG (Act establishing the DPA) allowed every data subject with a ‘sufficient interest’ to submit a complaint. The DPA confirmed that the controller processed the data subject’s personal data and stated that the data subject could also represent her daughter in this procedure. This meant that there was not just a public interest addressed in this complaint. Despite the complaint being admissible, the DPA emphasised that the procedure would be limited to the processing of the data subject and her daughter, since the data subject could represent her during the procedure. The processing regarding the husband and other family members was not part of this procedure.
The DPA further assessed whether the controller fulfilled its transparency obligations under Articles 12(1), Article 13(1) and (2), and Article 14(1) and (2) GDPR. These obligations are concretization of Article 5(1)(a) GDPR. The DPA held that the controller's privacy policy was clear and transparent, because the controller used clear titles and clear language in the policy. The policy was also easily accessible using the controller’s website, pursuant to Article 12(1) GDPR. The DPA also determined that all the necessary information was present in the policy, pursuant to Article 13(1) and (2), and Article 14(1) and (2) GDPR. Therefore, the DPA dismissed this part of the complaint because it was manifestly unfounded (Article 57(4) GDPR).
However, the DPA held that the controller did not follow up on a data subject’s access request pursuant to Article 15 GDPR. The controller did not respect the period of 1 month to reply pursuant to Article 12(3) GDPR. The DPA ordered the controller to fulfil the request pursuant to Article 95(1)(5) WOG and Article 58(2)(c) GDPR.
The DPA emphasised that this a preliminary (prima facie) decision, not a decision on the merits.
Comment
This is a prima facie decision, not a decision on the merits. Both parties still have the possibility to continue with the procedure if they wish so.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/9 Litigation room Decision 165/2022 of November 18, 2022 File number : DOS-2022-01504 Subject: Complaint about contact tracing in the context of COVID-19 The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mrs X, hereinafter referred to as “the complainant”; . . The defendant: Y, hereinafter “the controller”. Decision 165/2022 - 2/9 I. Factual Procedure 1. On March 21, 2022, the complainant filed a complaint with the Data Protection Authority against the controller. 2. The object of the complaint is twofold. First, the complaint concerns contact tracing in the framework of COVID-19. The complainant was called by contact tracers of the controller in response to established COVID-19 infection within the family of the complainant, and of third parties that can be linked to the family of the complainant. This one contacts took place on February 3, 2022. The complainant states that the employee of the controller could not answer her questions in connection with the data processing in the context of contact tracing. Based on these contacts the complainant has a request for information from the controller on 4 February 2022 submitted to obtain more information about the processing of its personal data. Ten second, the complaint concerns the failure to respond to the complainant's request for information by the controller. The complainant maintains that this request was submitted in accordance with the procedure as indicated in the privacy statement of the Contact Tracing Service of the controller. The complainant claims not to have received any reply. 3. On April 11, 2022, the complaint will be declared admissible by the First Line Service on the basis of the Articles 58 and 60 WOG and the complaint pursuant to Article 62, §1 WOG is transferred to the Litigation room. 4. On 3 May 2020, in accordance with Article 96, § 1 WOG, the request of the Disputes Chamber for the conducting an investigation submitted to the Inspectorate, together with the complaint and the inventory of the items. 5. On 23 June 2022, in accordance with Article 96, §1 WOG, the request of the Disputes Chamber for the conducting an investigation submitted to the Inspectorate, together with the complaint and the inventory of the items. 6. The report contains findings regarding the subject matter of the complaint and concludes that the Inspectorate that the complainant cannot demonstrate a sufficient interest. Consequently, the Inspectorate that it is unnecessary to examine other elements of this file. 7. On July 19, 2022, in accordance with Article 96, §2, the request of the Litigation Chamber for the conducting an additional investigation submitted to the Inspectorate. 8. The additional investigation by the Inspectorate will be completed on August 8, 2022, the report attached to the file and forwarded by the Inspector General to the President of the Litigation Chamber (Article 91, § 1 and § 2 WOG). The report contains the following findings regarding the object of the complaints decision: Decision 165/2022 - 3/9 - no violation of Article 5 (1) (a) and (2) GDPR, Article 6 (1) GDPR and Article 24 (1) of the GDPR; and - no violation of Article 12 (1) GDPR, Article 13 (1) and (2) GDPR, Article 14 (1) and (1) 2 GDPR, Article 5 (2) GDPR, Article 24 (1) GDPR and Article 25 (1) GDPR. II. Motivation II.1. Interest of the complainant 9. In its Inspection Report, the Inspectorate notes that there are no elements to indicate that the the complainant has a sufficient interest. The Inspectorate concludes that the complainant has a denounces the processing practice of the controller, but that processing practice not specifically linked to itself. After all, the complainant claims that certain personal data concerning herself, her family and others were processed, but cannot prove this therefore, according to the Inspectorate, pursue a public interest. 10. With regard to the interest of the complainant, the Disputes Chamber refers to Article 58 WOG that reads as follows: “Anyone may submit a complaint or request in writing, dated and signed to the Data Protection Authority”. In accordance with Article 60, paragraph 2 of the WOG, a complaint is admissible when she: - is drawn up in one of the national languages; - contains a statement of the facts, as well as the necessary indications for the identification of the processing to which it relates; - it falls within the competence of the Data Protection Authority. 11. Pursuant to Article 4.1 GDPR, the person involved in the processing of personal data is the person to whom the data that are the subject of the processing relate. 12. The Litigation Chamber has considered this issue in previous decisions as follows: “While the GDPR approaches the 'complaint' from the point of view of the data subject, by the imposing obligations on control authorities when a person makes a complaint (see the Articles 57, 1., f) and 77 of the GDPR), the GDPR does not prevent national law from allowing persons other than the gives data subjects the opportunity to lodge a complaint with the national supervisory authority. The possibility of such a lawsuit corresponds, moreover, to the orders that assigned by the GDPR to the supervisory authorities. In that regard and generally speaking, each supervisory authority ensures: the monitoring and enforcement of the application of the GDPR (article 1See, inter alia, decision 106/2022 dd. June 2, 2022, decision 117/2021 dd. October 22, 2021, 80/2020 dd. December 17, 2020 and decision 30/2020 dd. June 8, 2020, available at https://www.dataprotectionauthority.be/burger/publicaties/besluiten Decision 165/2022 - 4/9 57, 1., a) GDPR), and the performance of all other tasks related to the protection of personal data (Article 57, 1., v) GDPR).” In short, the WOG does not exclude that a person other than the data subject or the person authorized by the the person concerned is authorized, as referred to in Article 220 of the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, a can file a complaint with the GBA. More specifically, the Disputes Chamber rules that Article 58 WOG every person the opportunity to submit a complaint, provided that the complainant demonstrates that he is willing to do so 2 has sufficient interest. 13. In the present case, the Disputes Chamber notes that the complainant wrote the following in this regard the Inspection Service: “During the conversations I had with the employees of the Contact Tracing Service, I became asked to provide various personal data of my daughter, myself, other members of the family and third parties with whom she had had contact. That's what I was asked for, among other things to confirm my daughter's national register number, as well as my civil status, my address, the phone number of my husband, of my mother and the medical complaints of each of these persons whether or not shown. In my opinion, these data all concern personal data. It seemed as if this personal data were then at least also registered in the systems of the Contact tracing service since my mother and husband were called shortly afterwards by same service.” 14. This shows that there is not only a public interest, as the Inspectorate concludes in the Inspection Report. 15. The Disputes Chamber notes that various personal data of the complainant were also used processed, such as the address, marital status, telephone number and her relationships with her children and mother. The mother can also act in the interest of her (minor) daughter. For what concerns the personal data of her husband and mother or her daughter herself, the complainant shows does not indicate an interest, nor does it demonstrate any power of representation. In the complaint, the informs the complainant that she is submitting the complaint in her own name. This decision will therefore only concern on the personal data relating to the complainant himself. II.2. Transparency Obligations 16. Based on the elements in the file known to the Litigation Chamber and on the basis of the powers assigned to it by the legislator on the basis of Article 95, §1 WOG, decides the Litigation chamber about the further follow-up of the file; in this case, the Disputes Chamber proceeds to 2 In this sense, see also Marktenhof, 2022/AR/42 dd. June 8, 2022. Decision 165/2022 - 5/9 the dismissal of the grievances with regard to the transparency obligations accordingly article 95, §1, 3° WOG, based on the following motivation. 17. In the event of a dismissal, the Disputes Chamber must gradually investigate and substantiate: 3 - whether there is insufficient prospect of a conviction, after which a technical dismissal follows; - whether a successful conviction would be technically feasible but on grounds, in general importance, a (further) prosecution is undesirable, after which a policy dismissal follows. In the event that more than one ground is dropped, the grounds for dismissal (or technical dismissal) must be 4 and policy dismissal) should be dealt with in order of importance. 18. On the basis of the information currently available to the Dispute Chamber, it considers it up to date impossible to follow up on the grievances regarding the transparency obligations for the reasons which will be explained below. Consequently, it decides to proceed with a technical dismissal. 19. With regard to the grievances regarding the transparency obligations, the Disputes Chamber proceeds to a technical dismissal since the Litigation Chamber, on the basis of the facts, submitted the final complaint legal grievances, and the supplementary Inspection Report cannot conclude that there is 5 of a breach of the GDPR and data protection regulations. 20. Based on Article 12(1) of the GDPR, Article 13(1) and (2) of the GDPR and Article 14(1) and (2) of the GDPR, it is necessary that the VV is concise, transparent and comprehensible to the data subjects provides information about the personal data being processed. The aforementioned transparency obligations constitute a concretization of the general transparency obligation Article 5(1)(a) GDPR. Moreover, the Disputes Chamber has previously emphasized that the information which must be carried out by the controller in accordance with Articles 13 and 14 of the GDPR 6 provided to the data subjects must be complete and clear. The Inspectorate sets its supplementary report that the Privacy Statement on data processing and protection in the context of the COVID-19 contact investigation for those involved: - transparent and accessible through the use of clear titles and language and easy is accessible via the webpage https://www.zorg-en-gezondheid.be/privacy-bij-contactonderzoek (cf. Article 12, paragraph 1 of the GDPR), and; - provides the necessary information about the processed personal data (cf. Article 13, paragraph 1 and paragraph 2 of the GDPR and Article 14(1) and (2) of the GDPR). 3Cf. Brussels Court of Appeal judgment (Marktenhof), 2 September 2020, no. 2020/5460, 18. 4 Ibid. 5Cf. criterion A.2. in the dismissal policy of the Litigation Chamber. 6 Decision on the merits 41/2020 of 29 July 2020 of the Disputes Chamber of the GBA available via the web page https://www.dataprotectionauthority.be/professioneel/publicaties/besluiten. Decision 165/2022 - 6/9 21. Referring to the supplementary Inspection Report, the Litigation Chamber sees no reason for a deviation take a position in this regard. The complaint should therefore be declared manifestly unfounded considered within the meaning of Article 57.4 of the GDPR. II.3. Exercise of the right of access 22. Based on the elements of the file, the Litigation Chamber establishes that the complainant on 4 February 2022 has exercised its right of access agreement Article 15 GDPR, to which the according to the complainant, the controller has not taken sufficient action. Based on documents of the file, the Disputes Chamber determines that the period of one month has not been respected by the controller in accordance with Article 12.3 GDPR. 23. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be concluded that the controller has committed a breach of the provisions of the GDPR was committed, which justifies taking a decision in this case pursuant to Article 95, §1, 5° WOG, in particular to order the controller to to follow up on the exercise by the complainant of his right to (Article 15 GDPR) and this in in particular in view of the documents submitted by the complainant showing that the complainant has exercised its right has exercised access to it, but the controller has not acted upon it given. 24. The present decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 WOG on the basis of the complaint submitted by the complainant, in the context of the 7 'procedure prior to the decision on the merits and no decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. The Disputes Chamber has thus decided on the grounds of Articles 58.2.c) and 95, §1, 5° of the Law of 3 December 2017, the to order the controller to comply with the requests of the data subject to exercise his rights, in particular the right of access as stipulated in Article 15 GDPR. 25. The purpose of this decision is to inform the controller of the fact thattheseahascommittedainfringementoftheprovisionsoftheGDPRandthisopportunity still comply with the aforementioned provisions. 26. However, if the controller does not agree with the contents of this prima facie decisions are of the opinion that they can allow factual and/or legal arguments to apply which could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the Litigation Chamber and this within the period of 30 days after the notification of this decision. 7Section 3, Subsection 2 WOG (Articles 94 through 97). Decision 165/2022 - 7/9 If necessary, the implementation of this decision will be during the aforementioned period suspended. 27. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will decide the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their defenses as well as all documents that are deemed useful to be added to the file. The present decision will be permanently suspended. 28. For the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case is possible lead to the imposition of the measures referred to in Article 100 WOG. 8 29. Finally, the Disputes Chamber points out the following: if one of the parties wishes to use making it possible to consult and copy the file (article 95, §2, 3° WOG), he should contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be in order to make an appointment. If requesting a copy of the file is requested, the documents will be sent electronically if possible or else by regular mail 9 Worried. III. Publication of the decision 30. Given the importance of transparency with regard to the decision-making of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. It is however, it is not necessary for this purpose that the identification data of the parties be made directly announced. 81° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data command; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 9 Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision 165/2022 - 8/9 FOR THESE REASONS, - the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: on the basis of art. 95, §1, 3° WOG the grievances from the complaint regarding the transparency obligations to dismiss. - the Disputes Chamber of the Data Protection Authority also decides, under subject to the submission of a request by the controller to treatment on the merits in accordance with Article 98 et seq. WOG, to: o pursuant to Article 58.2.c) GDPR and Article 95, §1, 5° WOG the to order the controller to comply with the request of the complainant to exercise his rights, more specifically the right of access (Article 15 GDPR). within a period of 30 days from the notification of this decision; o to order the controller to inform the Data Protection Authority (Litigation Chamber) by e-mail within the same period of time result of this decision via the e-mail address litigationchamber@apd-gba.be; and o in the absence of timely implementation of the above by the controller, to deal ex officio with the substance of the matter in accordance with Articles 98 et seq. WOG The Disputes Chamber will send a copy of the present decision to the data controller. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant. Decision 165/2022 - 9/9 Such an appeal may be lodged by means of an inter partes petition that the in art 10 1034ter of the Judicial Code . The petition in contradiction must be submitted to the Registry of the Market Court in accordance with Article 1034quinquies of the Ger.W. , or via the e-Deposit computer system of the Ministry of Justice (article 32ter of the Ger.W.). (get). Hilke Hijmans Chairman of the Litigation Chamber 10 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 11 The petition with its appendix, in as many copies as there are parties involved, is sent by registered letter to the clerk of the court or deposited at the clerk's office.