APD/GBA (Belgium) - 12/2023: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=12/2023 |ECLI= |Ori...") |
mNo edit summary |
||
Line 71: | Line 71: | ||
}} | }} | ||
The Belgian DPA found a violation of Articles 12 and 13 | The Belgian DPA found a violation of [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]] GDPR by a department of the King's office but considered that the King's immunity extended to his office and therefore declared the complaint inadmissible. | ||
== English Summary == | == English Summary == | ||
Line 78: | Line 78: | ||
The controller in this case is a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority (the Government of the German-speaking Community, hereafter the Government) which had only partially responded to his request for information. The data subject wrote several letters to the King. These letters contained personal data: his surname, first name and address. The service of the King's office (controller) received these letters and transferred them to the Government. | The controller in this case is a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority (the Government of the German-speaking Community, hereafter the Government) which had only partially responded to his request for information. The data subject wrote several letters to the King. These letters contained personal data: his surname, first name and address. The service of the King's office (controller) received these letters and transferred them to the Government. | ||
The data subject requested access to his data from the controller in accordance with Article 15 and requested information about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also considered that there was no basis for lawfulness of the processing. He stated in particular that the transfer of his data to the Government was not necessary, since the controller could have simply contacted the Government to remind it to respond to the requests for information. | The data subject requested access to his data from the controller in accordance with [[:Category:Article 15 GDPR|Article 15]] and requested information about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also considered that there was no basis for lawfulness of the processing. He stated in particular that the transfer of his data to the Government was not necessary, since the controller could have simply contacted the Government to remind it to respond to the requests for information. | ||
He therefore filed a complaint with the Belgian DPA. | He therefore filed a complaint with the Belgian DPA. | ||
Line 85: | Line 85: | ||
=== Holding === | === Holding === | ||
Lawfulness | '''Lawfulness''' | ||
The DPA examined the existence of a legal basis on the basis of [[:Category:Article 6(1) GDPR|Article 6(1)(e) GDPR]], which requires that the processing operation is carried out in the public interest and that it is necessary for the performance of that task. | |||
On the subject of the public task, the DPA refers to a report which states that the King has a duty to form an opinion on the cases submitted to him. The Controller is part of the King's services and has the task of dealing with requests for social assistance addressed to the King. The DPA considered that the fact that the person concerned sent his request to the King showed that he was aware of the King's possibility to intervene in citizens' requests. It added that it was foreseeable for the data subject that his data would be transferred to the Government - the old letters he had sent had been transferred without his reacting. | On the subject of the public task, the DPA refers to a report which states that the King has a duty to form an opinion on the cases submitted to him. The Controller is part of the King's services and has the task of dealing with requests for social assistance addressed to the King. The DPA considered that the fact that the person concerned sent his request to the King showed that he was aware of the King's possibility to intervene in citizens' requests. It added that it was foreseeable for the data subject that his data would be transferred to the Government - the old letters he had sent had been transferred without his reacting. | ||
Regarding the necessity criteria, the DPA recalled that Article 6(3) requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred are related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government. | Regarding the necessity criteria, the DPA recalled that [[:Category:Article 6(3) GDPR|Article 6(3)]] requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred are related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government. | ||
On lawfulness, the DPA therefore concluded that there was no breach of [[:Category:Article 5(1)(a) GDPR|Article 5(1)(a)]] and [[:Category:Article 6(1) GDPR|Article 6(1)]]. | |||
'''Rights of the data subject''' | |||
In the absence of any indication from the controller, the DPA considered that it had not provided the information required by [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]]. It therefore considered that these articles were breached. As regards the request for access under [[:Category:Article 15 GDPR|Article 15]], the DPA did not, however, consider that this Article had been violated. It explained that the data subject's request was for the controller to acknowledge his failures to comply with the GDPR and was therefore not valid. | |||
'''Immunity from jurisdiction''' | |||
Immunity from jurisdiction | |||
The DPA explained that the King enjoys immunity on the basis of the Constitution. Whether this immunity extends to his collaborators, however, is controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with Articles 12 and 13. | The DPA explained that the King enjoys immunity on the basis of the Constitution. Whether this immunity extends to his collaborators, however, is controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with [[:Category:Article 12 GDPR|Articles 12]] and [[:Category:Article 13 GDPR|13]]. | ||
== Comment == | == Comment == |
Revision as of 15:56, 17 February 2023
APD/GBA - 12/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 6(3) GDPR Article 12 GDPR Article 13 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 19.11.2020 |
Decided: | 16.02.2023 |
Published: | 17.02.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 12/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | ls |
The Belgian DPA found a violation of Articles 12 and 13 GDPR by a department of the King's office but considered that the King's immunity extended to his office and therefore declared the complaint inadmissible.
English Summary
Facts
The controller in this case is a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority (the Government of the German-speaking Community, hereafter the Government) which had only partially responded to his request for information. The data subject wrote several letters to the King. These letters contained personal data: his surname, first name and address. The service of the King's office (controller) received these letters and transferred them to the Government.
The data subject requested access to his data from the controller in accordance with Article 15 and requested information about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also considered that there was no basis for lawfulness of the processing. He stated in particular that the transfer of his data to the Government was not necessary, since the controller could have simply contacted the Government to remind it to respond to the requests for information.
He therefore filed a complaint with the Belgian DPA.
The Controller found that the King's Office and its services benefit from the immunity from jurisdiction granted to the King under Article 88 of the Belgian Constitution.
Holding
Lawfulness
The DPA examined the existence of a legal basis on the basis of Article 6(1)(e) GDPR, which requires that the processing operation is carried out in the public interest and that it is necessary for the performance of that task.
On the subject of the public task, the DPA refers to a report which states that the King has a duty to form an opinion on the cases submitted to him. The Controller is part of the King's services and has the task of dealing with requests for social assistance addressed to the King. The DPA considered that the fact that the person concerned sent his request to the King showed that he was aware of the King's possibility to intervene in citizens' requests. It added that it was foreseeable for the data subject that his data would be transferred to the Government - the old letters he had sent had been transferred without his reacting.
Regarding the necessity criteria, the DPA recalled that Article 6(3) requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred are related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government.
On lawfulness, the DPA therefore concluded that there was no breach of Article 5(1)(a) and Article 6(1).
Rights of the data subject
In the absence of any indication from the controller, the DPA considered that it had not provided the information required by Articles 12 and 13. It therefore considered that these articles were breached. As regards the request for access under Article 15, the DPA did not, however, consider that this Article had been violated. It explained that the data subject's request was for the controller to acknowledge his failures to comply with the GDPR and was therefore not valid.
Immunity from jurisdiction
The DPA explained that the King enjoys immunity on the basis of the Constitution. Whether this immunity extends to his collaborators, however, is controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with Articles 12 and 13.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.