APD/GBA (Belgium) - 27/2023

From GDPRhub
Revision as of 10:03, 12 April 2023

APD/GBA - 27/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 34(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 03.03.2020
Decided: 13.03.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 27/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: GBA (in FR)
Initial Contributor: kv33

The Belgian DPA emphasizes that the data controller is responsible for DSARs, regardless of employee circumstances. Sick leave does not excuse compliance with the GDPR rules on DSAR response deadlines.

English Summary

Facts

This decision concerned a landlord (controller) who did not respond to an access request of a tenant (data subject).

On 2 December 2019, the data subject filed an access request with the controller. On 31 December 2019, almost one month later, the controller notified the data subject that it would use the possibility in Article 12(3) GDPR to extend the normal deadline of one month with two additional months. On 3 March 2020, the data subject filed a complaint with the Belgian DPA against the controller because no answer had been provided at that point.

On 2 September 2020, almost 10 months after the data subject had filed the original access request, the controller provided a reply. However, the data subject complained that the controller had not answered all the questions of the data subject. These questions concerned the existence of possible leaks of personal data, the security protocols of the controller and, lastly, the security and organisational measures relating to processing by the controller's employees or contractors. The controller refused to answer these questions, stating that these would not fall within the scope of Article 15(1) GDPR and the controller was therefore not obligated to answer these questions.

On 29 September 2020, the controller clarified its position to the DPA. The controller acknowledged that no timely answer had been provided to the data subject because the controller's employee in charge of the data subject's file had been on long-term sick leave. The access request was then simply forgotten, according to the controller.

Holding

The DPA first reiterated the legal requirements of Article 15 GDPR. In particular, the DPA stressed the importance of the right of access under Article 15 GDPR, since this right allowed data subjects to check the lawfulness of each processing activity and, if necessary, to have the processed personal data rectified or deleted.

Assessing the facts of the case, the DPA confirmed that the controller did not respond to the access request within the provided deadline, not even after the extension. The fact that the responsible employee had been on long-term sick leave and that the access request was then simply forgotten did not exonerate the controller from fulfilling its obligations towards the data subject. This practice constituted a breach of Articles 15(1), 12(3) and 12(4) GDPR. The DPA reprimanded the controller for these violations.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 27/2023 of 13 March 2023

File number: DOS-2020-01123

Subject: Lack of satisfactory response to the exercise of the right of access

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Made the following decision regarding:

The plaintiff: X, hereinafter “the plaintiff”;

The defendant: Y, hereinafter: "the defendant".


I. Facts and procedure


1. On March 3, 2020, the complainant lodged a complaint with the Data Protection Authority against the defendant.

The subject of the complaint concerns the lack of a satisfactory response to the exercise of the complainant's right of access, outside the extended two-month period. On December 2, 2019, the plaintiff exercised his right of access against the defendant, his former landlord. The defendant notified him on December 31, 2019 of the two-month extension of the response period. The defendant did not subsequently respond to the plaintiff's request until September 2, 2020.

2. On March 9, 2020, the complaint was declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.

3. On September 18, 2020, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and article 98 of the LCA, that the case can be dealt with on the merits.

4. On August 18, 2020, the parties concerned are informed by registered letter of the provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their conclusions.

For findings relating to the subject of the complaint, the deadline for receipt of the defendant's submissions in response was set for September 29, 2020, that for the complainant's submissions in reply for October 20, 2020 and finally that for the defendant's submissions in reply for November 10, 2020.

5. On August 19, 2020, the complainant agrees to receive all communications relating to the matter electronically.

6. On August 26, 2020, the defendant agrees to receive all communications relating to the case electronically and expresses its intention to make use of the possibility of being heard, in accordance with article 98 of the LCA.


7. On September 29, 2020, the Litigation Chamber receives the submissions in response from the defendant with regard to the findings relating to the subject-matter of the complaint. The defendant does not contest the lack of response to the exercise of the right of access by the complainant. The defendant would have consulted lawyers in order to provide a satisfactory answer to the complainant. The response would never have been sent due to the absence of one of its employees. The complainant's request was then forgotten, but a response was finally provided on September 2, 2020.

8. On October 9, 2020, the Litigation Chamber received the conclusions in response from the complainant. The complainant emphasizes the lateness of the response. Moreover, the defendant refused to answer some of his questions.

9. On November 10, 2020, the Litigation Chamber receives the submissions in reply from the defendant concerning the findings relating to the subject matter of the complaint. The defendant repeats that forgetting to answer was not voluntary. The defendant did refuse to answer part of the complainant's questions because it would not be legally obliged to respond under Article 15 of the GDPR.

10. On February 8, 2023, the parties are informed that the hearing will take place on 02/24/2023.

11. On February 24, 2023, the parties are heard by the Litigation Chamber.

12. On March 2, 2023, the minutes of the hearing are submitted to the parties. The Litigation Chamber did not receive any remarks from the defendant relating to the minutes that she decides to resume its deliberation.




II. Motivation

II.1. On the violation of the right of access (articles 15.1, 12.3 and 12.4 of the GDPR)

II.1.1. Content and scope of the right of access

13. In its capacity as data controller, the defendant is required to comply with the data protection principles and must be able to demonstrate that these are respected. It must also implement all the necessary measures for this purpose (principle of responsibility – articles 5.2 and 24 of the GDPR).

14. The right of access has three components. First, under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation that personal data concerning him are or are not processed. Secondly, when there is processing of personal data, the data subject has the right to obtain access to said personal data as well as to a series of information listed in Article 15.1 a) - h), such as the purpose of the processing of his data, the possible recipients of his data as well as information relating to the existence of his rights, including the right to request the rectification or erasure of his data or that of filing a complaint with the DPA. Third, under Article 15.3 of the GDPR, the data subject also has the right to obtain a copy of the personal data which is the subject of the processing. Article 15.4 of the GDPR provides that this right to a copy may not infringe the rights and freedoms of others.

15. The Litigation Chamber emphasizes the importance of respecting the right of access of data subjects. This right allows data subjects to control the legality of each processing activity and, where appropriate, to have the processed personal data rectified or erased.

II.1.2. Terms of the right of access

16. Article 12 of the GDPR, relating to the procedures for the exercise of their rights by data subjects, provides that the controller must facilitate the exercise of the data subject's rights (article 12.2 of the GDPR) and provide the data subject with information on the measures taken following the request as soon as possible and at the latest within one month of the request (article 12.3 of the GDPR). For more complex requests, or when the controller receives a large number of requests, this initial period of one month can be extended by two months (article 12.3 of the GDPR). When the data controller does not intend to respond to the request, he must notify his refusal within one month, accompanied by the information that an appeal against this refusal may be lodged with the data protection supervisory authority (12.4 GDPR).


II.1.3. As for the defendant's belated response to the exercise of the right of access by the plaintiff

17. It appears from the documents in the file that the complainant did indeed exercise his right of access against the defendant on December 2, 2019. On December 31, 2019, the defendant notified the complainant of the two-month extension of its deadline for reply. The defendant did not, however, respond within this two-month period: the complainant only received a response in September 2020. The Litigation Chamber also notes that the defendant only followed up on the complainant's request shortly after receiving a letter from the Litigation Chamber informing the parties of a procedure on the merits. Nor does the defendant dispute the absence of a satisfactory response from it.

18. To explain this delay, the defendant indicates that it intended to respond to the plaintiff's request but, the employee responsible for processing the plaintiff's file being then absent due to long-term sick leave, no response was sent to the complainant. The plaintiff's request was then forgotten. This fortuitous circumstance cannot, however, exonerate a data controller from his obligations with regard to data subjects. It is therefore a violation on the part of the defendant of articles 15.1, 12.3 and 12.4 of the GDPR.

19. The Litigation Chamber notes however, on the basis of the evidence provided by the defendant, that the defendant had indeed begun to prepare a response to the plaintiff with the help of lawyers. The defendant also claims to have adopted organizational measures to guarantee access to the personal data of its clients. During the hearing, the defendant explained that it had created a mailbox to which access requests from other data subjects are forwarded. This mailbox is accessible to several employees of the defendant in order to prevent a request of this kind from remaining unanswered. The Litigation Chamber will take these elements into consideration when adopting a sanction.

II.1.4. As for the defendant's incomplete response to the right of access of the plaintiff

20. In his submissions, the complainant raises the fact that the defendant refused to answer some of the complainant's questions. These questions concerned the existence of possible leaks of the complainant's data following security flaws, the information security protocols adopted by the complainant, as well as the security and organizational arrangements relating to the processing of personal data by the employees or contractors of the defendant (respectively questions 7, 8 and 9 of the complainant). The defendant refused to answer these questions because the information requested would not fall within the scope of Article 15.1 of the GDPR.

21. Regarding the refusal to answer questions 8 and 9, a data controller is not required to share information regarding security protocols and organizational measures because this information is not covered by article 15, paragraph 1, items (a) to (h) or by Article 13, paragraphs 1 to 2. The defendant was therefore not required to answer questions relating to this information.

22. With regard to question 7, a data leak is defined by the GDPR as a data security breach [1]. Under Article 34.1 of the GDPR, a data controller is only obliged to notify the data subject when “a breach of personal data is likely to create a high risk for the rights and freedoms of a natural person". It does not appear in any part of the file that such a breach of the complainant's data has occurred. The defendant therefore did not have to answer question 7.

23. The Litigation Chamber thus follows the reasoning of the defendant as it was not obliged to answer questions 7, 8 and 9 of the plaintiff. was therefore late but complete.

[1] Art. 4.12 of the GDPR: “a breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data”.

24. Furthermore, the Litigation Chamber notes that, despite the absence of an obligation to respond to questions 7, 8 and 9, the defendant nevertheless provided the complainant with an answer to these questions from the hearing of February 24, 2023.




III. Sanction



25. The Litigation Chamber notes that it is a question of the violation of Articles 15.1, 12.3 and 12.4 GDPR. Although the defendant responded to the exercise of the right of access of the complainant, it was found that breaches of the GDPR had taken place. of the right of access of data subjects is fundamental in the protection of data.

26. The Litigation Chamber considers that there are sufficient elements to formulate a reprimand, which constitutes a light and sufficient sanction in light of the violations of the GDPR observed in this file. When determining the penalty, the Litigation Chamber takes into account the fact that the defendant has rectified the situation and the efforts of the defendant to guarantee in the future the right of access of data subjects.

IV. Publication of the decision

27. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties are communicated directly.






FOR THESE REASONS,

The Litigation Chamber of the Data Protection Authority decides, after deliberation:

- Pursuant to Article 100, §1, paragraph 5° of the LCA, to issue a reprimand to the defendant as regards the violation of Article 15, paragraph 1, and of Article 12, paragraphs 3 and 4, of the GDPR.




In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code [2]. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. [3], or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

(Sr.) Hielke HIJMANS

President of the Litigation Chamber

[2] The request contains, on penalty of nullity:

  1° the indication of the day, month and year;
  2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number;
  3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
  4° the object and summary statement of the means of the request;
  5° the indication of the judge who is seized of the application;
  6° the signature of the applicant or his lawyer.

[3] The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court office.