APD/GBA (Belgium) - 136/2022: Difference between revisions
No edit summary |
m (Mg moved page APD/GBA (Belgium) - Decision 136-2022 to APD/GBA (Belgium) - 136/2022: consistency) |
||
(7 intermediate revisions by one other user not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
When the controller refused to provide access to the freeze frame data of a vehicle (a type of component reading) to the data subject, the Belgian DPA held that the controller had to provide an answer to the request within 14 days. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject made an access request for a full diagnosis report with freeze frame data regarding his vehicle to the car company (controller). Freeze frame data | The data subject made an access request for a full diagnosis report with freeze frame data regarding his vehicle to the car company (controller). Freeze frame data is information which can be extracted from a vehicle, usually in addition with an error code. This data can be used to diagnose issues. It can provide additional insight from build-in sensors when an error occurs. | ||
The data subject stated that he had requested | The data subject stated that he had requested access to the diagnosis report to conduct an expertise (not specified). The controller answered this request within the term of one month ([[Article 12 GDPR#3|Article 12(3) GDPR)]], but stated that the requested data could not be transferred to the data subject. This was because of the ban on sharing internal documents with third parties outside the car brand network. This ban was internal company policy. | ||
=== Holding === | === Holding === | ||
The DPA stated that it is possible for a controller to reject an access request but that it must provide a reason why it didn’t comply with the request to the extent that there is a legal ground for restricting the right of access (Article 12(4) GDPR). | The DPA stated that it is possible for a controller to reject an access request but that it must provide a reason why it didn’t comply with the request to the extent that there is a legal ground for restricting the right of access ([[Article 12 GDPR#4|Article 12(4) GDPR]]). | ||
The DPA held that data concerning the vehicle of the complainant is personal data (Article 4(1) GDPR), since the | The DPA held that data concerning the vehicle of the complainant is personal data [[Article 4 GDPR#1|(Article 4(1) GDPR]]), since the data subject can be identified on the basis of his vehicle. | ||
The DPA held that solely on the basis of the internal company policy, the controller cannot deny the right of access of a data subject to its personal data. The data subject is a customer of the controller and has the right to a copy of the personal data being processed, if necessary in electronic form (Article 15(3) GDPR). The internal company policy wasn’t sufficient enough justification for the controller to deny the data subject the information it requested. The DPA held that | The DPA held that solely on the basis of the internal company policy, the controller cannot deny the right of access of a data subject to its personal data. The data subject is a customer of the controller and has the right to a copy of the personal data being processed, if necessary in electronic form [[Article 15 GDPR#3|(Article 15(3) GDPR)]]. The internal company policy wasn’t sufficient enough justification for the controller to deny the data subject the information it requested. The DPA held that the controller unilaterally limited the data subjects right to access his own personal data. | ||
The DPA held that the controller violated | The DPA held that the controller violated [[Article 15 GDPR#1|Article 15(1) GDPR]] and [[Article 15 GDPR#3|Article 15(3) GDPR]] and held that the controller had to make a decision regarding the access request within 14 days. | ||
Latest revision as of 08:49, 29 June 2023
APD/GBA - Decision 136-2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15(1) GDPR Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 21.06.2022 |
Decided: | 26.09.2022 |
Published: | 02.10.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Decision 136-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | n/a |
When the controller refused to provide access to the freeze frame data of a vehicle (a type of component reading) to the data subject, the Belgian DPA held that the controller had to provide an answer to the request within 14 days.
English Summary
Facts
The data subject made an access request for a full diagnosis report with freeze frame data regarding his vehicle to the car company (controller). Freeze frame data is information which can be extracted from a vehicle, usually in addition with an error code. This data can be used to diagnose issues. It can provide additional insight from build-in sensors when an error occurs.
The data subject stated that he had requested access to the diagnosis report to conduct an expertise (not specified). The controller answered this request within the term of one month (Article 12(3) GDPR), but stated that the requested data could not be transferred to the data subject. This was because of the ban on sharing internal documents with third parties outside the car brand network. This ban was internal company policy.
Holding
The DPA stated that it is possible for a controller to reject an access request but that it must provide a reason why it didn’t comply with the request to the extent that there is a legal ground for restricting the right of access (Article 12(4) GDPR).
The DPA held that data concerning the vehicle of the complainant is personal data (Article 4(1) GDPR), since the data subject can be identified on the basis of his vehicle. The DPA held that solely on the basis of the internal company policy, the controller cannot deny the right of access of a data subject to its personal data. The data subject is a customer of the controller and has the right to a copy of the personal data being processed, if necessary in electronic form (Article 15(3) GDPR). The internal company policy wasn’t sufficient enough justification for the controller to deny the data subject the information it requested. The DPA held that the controller unilaterally limited the data subjects right to access his own personal data. The DPA held that the controller violated Article 15(1) GDPR and Article 15(3) GDPR and held that the controller had to make a decision regarding the access request within 14 days.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6 Dispute room Decision 136/2022 of 26 September 2022 File number : DOS-2022-02599 Subject : Exercise of the right of access without the controller results in it The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, single chairperson; Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: . The complainant: Mr X, hereinafter referred to as “the complainant”; . . The controller: Y, hereinafter “the controller” Decision 136/2022 - 2/6 I. Facts procedure 1. On 21 June 2022, the complainant submitted a request for mediation to the Data Protection Authority, handled by the Frontline Service. Since the mediation procedure did not lead to a favorable outcome given the lack of response on behalf of the controller, pursuant to that determination, with the consent of the the complainant converted the request for mediation on 8 August 2022 into a complaint against the controller. 2. The subject of the complaint concerns the exercise of the right of access by the complainant who data controller has requested to send him the complete diagnosis report with freeze want to transfer frame data concerning his vehicle in the context of the execution of a expertise. The controller has replied to this request within the legal term of one month (Article 12.3 GDPR), but stated that the requested data cannot be be transferred to the complainant in view of the prohibition to share internal documents with third parties outside the car brand network . 3. On August 9, 2022, the complaint will be declared admissible by the Frontline Service on the basis of Articles 58 and 60 WOG and the complaint on the basis of art. 62, §1 WOG transferred to the Dispute room. II. Justification 4. First of all, the Disputes Chamber clarifies that the data concerning the vehicle of the complainant must be regarded as personal data, since the complainant on the basis of his vehicle data can be identified within the meaning of Article 4. 1) GDPR . 5. Although the controller has responded to the complainant's request within the legal period of one month (Article 12.3 GDPR), it has refused to grant the complainant the to provide requested data due to the ban on sharing internal documents with third parties outside the car brand network . It is possible for the controller to not to comply with the request for access provided that it is stated why the request is made without 1Article 4 GDPR. For the purposes of this Regulation: 1) 'personal data' means any information relating to an identified or identifiable natural person ('the data subject'); if identifiable is a natural person who can be identified, directly or indirectly, in particular by reference to a identifier such as a name, an identification number, location data, an online identifier or of one or more elements that characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person; Decision 136/2022 - 3/6 2 has remained effective (Article 12.4 GDPR) to the extent that there is a legal ground for limiting the right of access. 6. The Disputes Chamber rules that solely on the basis of the internal company policy, the right cannot the complainant will be denied access to the complainant pursuant to Article 15.1 of the GDPR concerning data. The complainant is a customer of the controller and has right to a copy of the personal data being processed, if necessary in electronic form form (article 15.3 GDPR). That the internal company policy would prevent data concerning customer vehicles – which identify these customers so that these data are in fact personal data – to be provided does not constitute sufficient motivation to refuse the complainant the information requested by him. The internal ban on which the controller invokes to share data with third parties, cannot be invoked against the customers as such, as this will result in the controller unilaterally prejudices the complainant's right to access his own data. This would mean that the rights of the complainant are set aside in function of a internal prohibition, which cannot be accepted. Consequently, the Disputes Chamber deems demotivation on which the controller invokes the provision of the data to the to refuse the complainant is not admissible and the complainant is in this case entitled to the data of the complainant concerning vehicle. 7. The Disputes Chamber determines on the basis of the documents that support the complaint that the complainant is entitled to exercised access to, but the controller wrongly refused to follow up on it. As a result, the controller has acted in violation of article 15.1. and 15.3 GDPR. 3 2See also Recital 59 GDPR. […] The controller should be obliged without undue delay and at the latest within one month to respond to a request from the data subject, and to state the reasons for any intended refusal to comply with such requests to comply. 3Article 15 GDPR 1. The data subject has the right to obtain confirmation from the controller as to whether or not he/she is being processed concerning personal data and, where that is the case, to obtain access to that personal data and the following information: a) the processing purposes; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) if possible, the period for which the personal data is expected to be stored, or if not possible, the criteria for determining that term; e) that the data subject has the right to request the controller to rectify or erase personal data, or that the processing of personal data concerning him is restricted, as well as the right to object to such processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information about the source of that data; (h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the person concerned. […] Decision 136/2022 - 4/6 8. The Disputes Chamber is of the opinion that on the basis of the above analysis, concluded that a breach of the provisions of the GDPR was committed, which justifies the taking of a decision on the basis of Article 95, §1, 5° WOG, more specifically to inform the controller Orders to comply with the complainant's exercise of his right of access (Article 15.1 and 15.3 AVG) and this in particular in view of the documents that the complainant has provided from which it appears that the complainant has indeed exercised his right of access, but the controller has refused to comply with this. 9. The present decision is a prima facie decision made by the Disputes Chamber in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of the ‘procedure prior to the decision on the merits’ and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 WOG. 10. The purpose of this decision is to notify the controller of the fact that it may have infringed the provisions of the GDPR and that it is in the possibility to still conform to the aforementioned provisions. 11. However, if the controller does not agree with the contents of this prima facie decision and considers that it may allow factual and/or legal arguments funds that could lead to a different decision, can be sent to the email address litigationchamber@apd-gba.be address a request for treatment on the merits of the case to the Disputes Chamber and this within the period of 14 days after notification of this decision. The enforcement of this decision will, if necessary, be during the aforementioned period suspended. 12. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their to submit defenses and to attach to the file any documents they deem useful. The If necessary, this decision will be definitively suspended. 13. For the sake of completeness, the Disputes Chamber points out that a hearing of the merits of the case can be lead to the imposition of the measures referred to in Article 100 WOG. 5 4 Section 3, Subsection 2 WOG (Articles 94 to 97). 51° to dismiss a complaint; 2° order the suspension of prosecution; 3° order the suspension of the judgment; 4° propose a settlement; 5° to formulate warnings and reprimands; 6° order compliance with the data subject's requests to exercise his or her rights; 7° to order that the data subject is informed of the security problem; 8° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing is brought into conformity; 10° rectification, restriction or deletion of data and its notification to data recipients in Decision 136/2022 - 5/6 14. Finally, the Disputes Chamber points out the following: If one of the parties wishes to make use of the possibility to consult and copying the file (art. 95, §2, 3° WOG), this should contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment to capture. If a copy of the file is requested, the documents will be sent electronically if possible or else delivered by regular mail. 6 III. Publication of the decision 15. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary that the identification data of the parties be published directly. command; 11° order the withdrawal of the recognition of certification bodies; 12° to impose periodic penalty payments; 13° impose administrative fines; 14° order the suspension of cross-border data flows to another State or an international institution; 15° to hand over the file to the public prosecutor's office in Brussels, who will inform it of the consequence that the file is given; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 6Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the Dispute room NOT provided. In addition, all communication is in principle electronic. Decision 136/2022 - 6/6 FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the controller for processing on the merits in accordance with article 98 et seq. WOG, to: - on the basis of article 58.2, c) AVG and article 95, 1.5° WOG to the controller order compliance with the data subject's request to exercise their rights, in particular the right of access (Article 15.1 and 15.3 GDPR), and to proceed with the provision to the complainant of the information requested by him, within the period of 14 days count from the notification of this decision; - order the controller to the Data Protection Authority (Dispute Chamber) by e-mail within the same period of the result of this decision via the e-mail address litigationchamber@apd-gba.be; and - in the absence of the timely execution of the above by the controller, to handle the case on the merits ex officio in accordance with Articles 98 et seq. WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the Data Protection Authority as Defendant. Such an appeal may be lodged by means of an adversarial petition that the 1034terof the Judicial Code, the statements listed should contain .The application to contradiction must be submitted to the registry of the Market Court in accordance with Article 1034quinquiesof the Ger.W. , or via the Justice Deposit Information System (Article 32ter of the Ger.W.). (get). Hielke Hijmans Chairman of the Disputes Chamber 7The petition states on pain of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and the brief summary of the grounds of the claim; 5° the court before whom the claim is brought; 6° the signature of the applicant or of his lawyer. 8The application with its annex is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or at the registry.