APD/GBA (Belgium) - 189/2022: Difference between revisions
No edit summary |
No edit summary |
||
Line 72: | Line 72: | ||
=== Facts === | === Facts === | ||
The data subject was contacted on 24 August 2022 by the controller, a human resources provider. The controller stated that it possessed the data subjects file and wanted to provide assistance for job hunting. The data subject filed an access request at the controller after she received this message. | The data subject was contacted on 24 August 2022 by the controller, a human resources provider. The controller stated that it possessed the data subjects file and wanted to provide assistance for job hunting. The data subject filed an access request at the controller after she received this message. She requested information regarding the source of personal data, the purpose of processing, the storage period and the legal basis. | ||
On 25 August 2022, the data subject received a response from the controller | On 25 August 2022, the data subject received a response from the controller. The controller explained how the data subject could exercise her right of erasure. The data subject responded that she did not request erasure, but merely wanted access at this point in time. The controller provided its privacy policy as a response and stated that the data subject could look for an answer in this policy. The data subject replied that the answer was not in the privacy policy and that she was still unable to determine the source of personal data, the purpose of processing, the storage period and the legal bases. On 29 August 2022, the controller did provide some information regarding the source of the data: It received the data subject's data from another service (nature and name of the service not disclosed), which worked together with employers to find suitable jobs for potential employees. | ||
The data subject filed a complaint at the Belgian DPA on 14 December 2022, because the controller did not respond within one month to the access request ([[Article 12 GDPR#3|Article 12(3) GDPR]]) and also did not inform her about any extension of this period ([[Article 12 GDPR#4|Article 12(4) GDPR]]). | The data subject filed a complaint at the Belgian DPA on 14 December 2022, because the controller did not respond within one month to the access request ([[Article 12 GDPR#3|Article 12(3) GDPR]]) and also did not inform her about any extension of this period ([[Article 12 GDPR#4|Article 12(4) GDPR]]). | ||
=== Holding === | === Holding === | ||
The DPA | The DPA deemed the controllers answer to the access request inadequate, because it had only provided the name of the source of personal data while the data subject requested more information described in [[Article 15 GDPR#1|Article 15(1) GDPR]]. Therefore, the controller violated [[Article 12 GDPR#3|Articles 12(3)]], [[Article 12 GDPR#4|12(4)]] and [[Article 15 GDPR#1|15(1) GDPR]]. | ||
The DPA went into further detail regarding information which related to the source of the personal data. The DPA specified that the controller had the obligation to provide certain basic information to the data subject because of the accountability ([[Article 5 GDPR#2|Article 5(2) GDPR]]). The controller had to show that personal data was processed in a GDPR compliant manner. This would also obligate the controller to show | The DPA went into further detail regarding information which related to the source of the personal data. The DPA specified that the controller had the obligation to provide certain basic information to the data subject because of the accountability principle ([[Article 5 GDPR#2|Article 5(2) GDPR]]). The controller had to show that personal data was processed in a GDPR compliant manner. This would also obligate the controller to show it had assessed if a third party was lawfully processing personal data before the receiving personal data from this third party. For this reason, the data subject could expect the controller to provide information about the way the third party had collected the data subject's personal data in the first place, as well as provide information about the legal basis this third party was using for its processing. The controller should also provide the contact details of this third party to the data subject. This would enable the data subject to exercise the right of access by contacting this third party. | ||
The DPA ordered the controller to comply with the access request pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) WOG. This was a preliminary decision prior to the decision on the merits. | The DPA ordered the controller to comply with the access request pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) WOG. This was a preliminary decision prior to the decision on the merits. |
Revision as of 12:14, 10 January 2023
APD/GBA - 189/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(2) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15(1) GDPR Article 58(2)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 14.12.2022 |
Decided: | 22.12.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 189/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | n/a |
The Belgian DPA ordered a human resources provider to comply with an access request pursuant of Article 15 GDPR. The DPA also explained that the accountability principle of Article 5(2) GDPR obligated the controller to provide the data subject certain information regarding the source of personal data.
English Summary
Facts
The data subject was contacted on 24 August 2022 by the controller, a human resources provider. The controller stated that it possessed the data subjects file and wanted to provide assistance for job hunting. The data subject filed an access request at the controller after she received this message. She requested information regarding the source of personal data, the purpose of processing, the storage period and the legal basis.
On 25 August 2022, the data subject received a response from the controller. The controller explained how the data subject could exercise her right of erasure. The data subject responded that she did not request erasure, but merely wanted access at this point in time. The controller provided its privacy policy as a response and stated that the data subject could look for an answer in this policy. The data subject replied that the answer was not in the privacy policy and that she was still unable to determine the source of personal data, the purpose of processing, the storage period and the legal bases. On 29 August 2022, the controller did provide some information regarding the source of the data: It received the data subject's data from another service (nature and name of the service not disclosed), which worked together with employers to find suitable jobs for potential employees.
The data subject filed a complaint at the Belgian DPA on 14 December 2022, because the controller did not respond within one month to the access request (Article 12(3) GDPR) and also did not inform her about any extension of this period (Article 12(4) GDPR).
Holding
The DPA deemed the controllers answer to the access request inadequate, because it had only provided the name of the source of personal data while the data subject requested more information described in Article 15(1) GDPR. Therefore, the controller violated Articles 12(3), 12(4) and 15(1) GDPR.
The DPA went into further detail regarding information which related to the source of the personal data. The DPA specified that the controller had the obligation to provide certain basic information to the data subject because of the accountability principle (Article 5(2) GDPR). The controller had to show that personal data was processed in a GDPR compliant manner. This would also obligate the controller to show it had assessed if a third party was lawfully processing personal data before the receiving personal data from this third party. For this reason, the data subject could expect the controller to provide information about the way the third party had collected the data subject's personal data in the first place, as well as provide information about the legal basis this third party was using for its processing. The controller should also provide the contact details of this third party to the data subject. This would enable the data subject to exercise the right of access by contacting this third party.
The DPA ordered the controller to comply with the access request pursuant of Article 58(2)(c) GDPR and Article 95(1)(5) WOG. This was a preliminary decision prior to the decision on the merits.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7 Litigation room Decision 189/2022 of 22 December 2022 File number : DOS-2022-05088 Subject: Exercise of the right of access without the controller follows it The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mrs X, hereinafter referred to as “the complainant”; . . The controller: Y, hereinafter “the controller” Decision on the substance 189/2022 - 2/7 I. Factual Procedure 1. On 14 December 2022, the complainant lodged a complaint with the Data Protection Authority against the controller. 2. The object of the complaint concerns the exercise of the right of inspection by the complainant without that it has received a substantively satisfactory answer from the controller active in the human resources sector, within the period of one month (article 12.3 GDPR), nor to notify the extension of that period (article 12.4 GDPR). The specific reason for the exercise of the right of access was the fact that the complainant became on August 24, 2022 contacted by the controller who stated that the file of the complainant located in its database, offering the complainant to provide assistance in finding a new professional challenge. The complainant will also be asked to renew the contract. On August 25, 2022, the complainant will receive a response to the effect that the controller explains how the complainant can obtain data erasure. The complainant, in turn, responds that it wishes to erase data and, for the time being, no data the complainant will receive on August 25, 2022 from the controller the privacy statement with the question whether she can find the answer to her questions on August 29, 2022 that this is not the case and that she still did not receive an answer to her ask about the origin, purpose, retention period, and legal basis for the hair regarding data processing. The controller informs the complainant about 30 August 2022 that her personal data was obtained as a result of a registration with the […] that forwards the data to employers who work with them the framework of job placement, with the aim of finding suitable employment. The the complainant subsequently stated on 2 December 2022 that he still had no answer received on her question about the legal basis for the data processing and the retention period of it, nor about the extent to which it was informed about the data processing and how processing fits within the principle of purpose limitation, the principle of minimum data processing and correctness, since she has been employed with her for more than two years current employer and has never lived or worked in (…), nor has any interest in doing so shown. 3. On December 14, 2022, the complaint will be declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint is settled on the basis of art. 62, §1 WOG transferred to the Disputes Chamber. Decision on the substance 189/2022 - 3/7 II. Motivation 4. Based on the documents supporting the complaint, the Litigation Chamber determines that the complainant has its right has exercised access, but the controller has failed to do so to take appropriate action by limiting itself to only mentioning the name of the body whose personal data were obtained, notwithstanding the fact that the complainant also requested other information (including legal basis, retention period) included in Article 15.1 AVG. As a result, the controller has acted in violation of Articles 12.3 and 12.4 1 2 GDPR , as well as Article 15.1 GDPR . 3 5. Specifically with regard to the origin of the personal data about which the controller, the Litigation Chamber states that the accountability 4 (article 5.2 GDPR) of the controller entails basic information is provided to the person concerned, being the complainant, showing that the controller itself processes the data in accordance with the GDPR and prior to the obtaining the personal data checks whether that data is lawfully processed by the authority from which the personal data originates. Thus, the complainant can expect that the 1Article 12 GDPR. […] 3. The controller shall provide the data subject without undue delay and in any event within one month of receipt of the request information on the action taken on the request under Articles 15 to 22. Depending on the complexity of the requests and the number of requests, that period may be extended by a further two months if necessary. The The controller shall inform the data subject of such an extension within one month of receipt of the request. When the data subject submits his request electronically, the information shall be provided electronically if possible, unless the data subject otherwise requests. 4. Where the controller does not comply with the request of the data subject, it shall inform the data subject without undue delay and no later than one month after receipt of the request why the request has not been acted upon, and informs him about this the possibility to lodge a complaint with a supervisory authority and to appeal to the courts. 2Article 15 GDPR 1. The data subject has the right to obtain from the controller a confirmation as to whether or not his or her data are processed concerning personal data and, where that is the case, to obtain access to that personal data and to the following information: a) the processing purposes; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) if possible, the period for which the personal data is expected to be stored, or if not possible, the criteria for determining that period; e) that the data subject has the right to request from the controller that personal data be rectified or erased, or that the processing of personal data concerning him is restricted, as well as the right to object to that processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data is not collected from the data subject, all available information about the source of that data; (h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subject. […] 3See in this regard: Decision 14/2021 February of 09 February 2021; Decision 20/2021 of February 12, 2021 4 Article 5.2 GDPR: The controller is responsible for compliance with paragraph 1 and can demonstrate this (“accountability”). Decision on the substance 189/2022 - 4/7 controller provides information on how that body, in this case […], came into possession of the complainant's personal data, as well as the legal basis on which it is based whose data are processed by that authority in order to demonstrate that the data from the complainant have been lawfully obtained by the controller. In order to the rights of the complainant, the controller must also provide it with the make contact details of that authority available in order to enable the complainant to exercise its right of access vis-à-vis that authority, being the […]. 6. With regard to the other information that the complainant has requested and is entitled to Pursuant to Article 15.1 GDPR, the controller has left nothing there to provide an answer. 7. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be concluded that the controller has committed a breach of the provisions of the GDPR was committed, which justifies taking a decision pursuant to Article 95, §1, 5° WOG, more specifically the controller in orders to follow up on the exercise by the complainant of his right of access (art 15.1 GDPR) and this in particular in view of the document submitted by the complainant showing that the complainant has indeed exercised its right of access, but the controller has not taken appropriate action. 8. The present decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of the 'procedure prior to the decision on the merits' and no decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. 9. The purpose of this decision is to inform the controller of the fact that it may have committed a breach of the provisions of the GDPR and put it in the possibility to still comply with the aforementioned provisions. 10. However, if the controller does not agree with the content of this prima facie decision and considers that it may leave factual and/or legal arguments funds that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the Litigation Chamber and this within the period of 30 days after notification of this decision. The enforcement of this decision will, if necessary, take place during the aforementioned period suspended. 5Section 3, Subsection 2 WOG (Articles 94 to 97 inclusive). Decision on the substance 189/2022 - 5/7 11. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their submit defenses as well as attach any documents they deem useful to the file. The the present decision will, if necessary, be definitively suspended. 12. The Disputes Chamber points out for the sake of completeness so that a hearing on the merits of the case can take place 6 lead to the imposition of the measures referred to in Article 100 WOG. 13. Finally, the Disputes Chamber points out the following: If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), he must turn to the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture. If a copy of the file is requested, the documents will be sent electronically if possible or otherwise delivered by regular mail. 7 III. Publication of the decision 14. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this to include the identification data of the parties are disclosed directly. 61° to dismiss a complaint; 2° to order the exclusion of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° order that the data subject be informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data command; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 7Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision on the substance 189/2022 - 6/7 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the controller for treatment on the merits in accordance with Article 98 et seq. WOG , to: - on the basis of Article 58.2, c) GDPR and Article 95, § 1, 5 ° WOG, the controller order that the data subject's request to exercise his rights be complied with, in particular the right of inspection (article 15.1 AVG), and to proceed to the provision to the complainant of the information it has requested, within the period of 30 days from the notification of this decision; - to order the controller to notify the Data Protection Authority (Dispute Chamber) by e-mail within the same term of the result of this decision via the e-mail address litigationchamber@apd-gba.be; and - in the absence of timely implementation of the above by the controller, to handle the case ex officio on the merits in accordance with articles 98 et seq. WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as defendant. Decision on the substance 189/2022 - 7/7 Such an appeal may be lodged by means of an inter partes petition that the in art 8 1034terofthe Judicial Codemustcontainenumeratedenumerations. contradictions must be submitted to the Registry of the Market Court in accordance with Article 1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of the Ger.W.). (get). Hilke Hijmans Chairman of the Litigation Chamber 8 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 9 The petition with its appendix, in as many copies as there are parties involved, is sent by registered letter to the clerk of the court or deposited with the clerk of the court.