APD/GBA (Belgium) - 135/2022: Difference between revisions

From GDPRhub
No edit summary
 
(9 intermediate revisions by one other user not shown)
Line 38: Line 38:
|GDPR_Article_5=Article 26 GDPR
|GDPR_Article_5=Article 26 GDPR
|GDPR_Article_Link_5=Article 26 GDPR
|GDPR_Article_Link_5=Article 26 GDPR
|GDPR_Article_6=
|GDPR_Article_6=Article 56(1) GDPR
|GDPR_Article_Link_6=
|GDPR_Article_Link_6=Article 56 GDPR#1
|GDPR_Article_7=
|GDPR_Article_7=Article 4(23) GDPR
|GDPR_Article_Link_7=
|GDPR_Article_Link_7= Article 4 GDPR#23


|EU_Law_Name_1=
|EU_Law_Name_1=
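Review bot: the new value "GDPR_Article_7=Article 4(23) GDPR" repeats an article that the rendered infobox further down already lists first under Relevant Law, so Article 4(23) GDPR appears there twice; drop slot 7 or use it for an article that is not yet listed. The line "|GDPR_Article_Link_7= Article 4 GDPR#23" also has a leading space before the link target that slot 6 does not have.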
Line 67: Line 67:
}}
}}


The Belgian DPA held that a controller, with companies in both Belgium and the UK, violated articles 15(1), 15(3) and 12(3) GDPR for deleting data instead of providing access to data after an access request by the data subject.   
The Belgian DPA held that a controller, with companies in both Belgium and the UK, violated [[Article 15 GDPR#1|Article 15(1) GDPR]], [[Article 15 GDPR#3|Article 15(3) GDPR]] and [[Article 12 GDPR#3|Article 12(3) GDPR]] GDPR for deleting data instead of providing access to data after an access request by the data subject.   


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject submitted an access request (Article 15 GDPR) for his two accounts to the controller’s customer service department. The controller verified the data subject’s identity and informed him that his request would be followed up with a view to obtaining a copy of his personal data within one month. These initial exchanges of e-mails took place with the controller using a .be (Belgium) e-mail address.  
The data subject submitted an access request [[Article 15 GDPR|Article 15 GDPR]] for his two accounts to the controller’s customer service department. The controller verified the data subject’s identity and informed him that his request would be followed up with a view to obtaining a copy of his personal data within one month. These initial exchanges of e-mails took place with the controller using a .be (Belgium) e-mail address.  


The data subject sent a reminder to the controller on 4 November 2019 after he hadn’t heard back from the controller. The Data subject received an email on 7 November 2019 from the privacy team of the controller using a privacy@[...].uk (United Kingdom) e-mail address. In this e-mail, it was stated that all the personal data of the data subject had been deleted following its request for deletion. On the same day, 7 November 2019, the data subject objected by e-mail that he had not requested the deletion of personal data but access to personal data. According to the data subject, the controller didn't answer this e-mail.   
The data subject sent a reminder to the controller on 4 November 2019 after he hadn’t heard back from the controller. The Data subject received an email on 7 November 2019 from the privacy team of the controller using a privacy@[...].uk (United Kingdom) e-mail address. In this e-mail, it was stated that all the personal data of the data subject had been deleted following its request for deletion. On the same day, 7 November 2019, the data subject objected by e-mail that he had not requested the deletion of personal data but access to personal data. According to the data subject, the controller didn't answer this e-mail.   
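Review bot: the new intro sentence ends its list of links with "[[Article 12 GDPR#3|Article 12(3) GDPR]] GDPR", leaving a stray second "GDPR" after the link; remove it. In the first Facts paragraph, replacing "(Article 15 GDPR)" with a bare wiki link dropped the parentheses, so the sentence now reads "access request Article 15 GDPR for his two accounts"; keep the parentheses around the link. "The Data subject" and "following its request for deletion" in the second Facts paragraph are unchanged by this revision and still need fixing.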
Line 78: Line 78:
After the data subject filed his complaint which was deemed admissible by the Belgian DPA, the DPA ordered an investigation into the matter. In its investigation report, it held the following:   
After the data subject filed his complaint which was deemed admissible by the Belgian DPA, the DPA ordered an investigation into the matter. In its investigation report, it held the following:   


The controller's Belgian company is jointly responsible for the processing with the controllers UK company. This joint responsibility results from the privacy policy, available on the website of the Belgian company of the controller. The investigation unit also held that the controller violated Articles 12(1), 12(2), 15(1) and 15(3) GDPR. The controller had deleted the data of the data subject instead of providing access to the data. The controller stated that this was most likely caused by human error. To prevent the problem from occurring in the future, the controller started putting in place additional training and automated processed to handle requests of data subjects under the GDPR in a better way.   
The controller's Belgian company was jointly responsible for the processing with the controllers UK company. This joint responsibility results from the privacy policy, available on the website of the Belgian company of the controller. The investigation unit also held that the controller violated [[Article 12 GDPR#1|Article 12(1) GDPR]], [[Article 12 GDPR#2|Article 12(2) GDPR]], [[Article 15 GDPR#1|Article 15(1) GDPR]] and [[Article 15 GDPR#3|Article 15(3) GDPR]]. The controller had deleted the data of the data subject instead of providing access to the data. The controller stated that this was most likely caused by human error. To prevent the problem from occurring in the future, the controller started putting in place additional training and automated processed to handle requests of data subjects under the GDPR in a better way.   


The DPA held that the investigations unit didn’t answer the question which DPA was the lead supervisory authority. The controller stated in its privacy-policy that a complaint could be filed at either the DPA in the UK or the Belgium DPA.   
The DPA held that the investigations unit didn’t answer the question which DPA was the lead supervisory authority. The controller stated in its privacy-policy that a complaint could be filed at either the DPA in the UK or the Belgium DPA.   


The DPA reiterated that after Brexit, each Member State in which a new principal place of business was established, would become the DPA including for complaints under examination, after the DPA in the UK had left the cooperation mechanism and the one-stop shop. In the absence of a principal place of business in the EU of the controller (Article 56(1) GDPR), each DPA of the other members states has jurisdiction regarding the controller insofar as the GDPR applies.  
The DPA reiterated that after Brexit, each Member State in which a new principal place of business of the controller was established, would become the DPA including for complaints against the controller, after the DPA in the UK had left the cooperation mechanism and the one-stop shop. In the absence of a principal place of business in the EU of the controller [[Article 56 GDPR#1|(Article 56(1) GDPR]]), every DPA of the other EU members states have jurisdiction regarding the controller insofar as the GDPR applies.  
 
There was no agreement between the controler's companies in Belgium and the UK regarding joint controllership.
 
 


There was no agreement between the controller's companies in Belgium and the UK regarding joint controllership.
=== Holding ===
=== Holding ===
<u>Lead supervisory Authority and compentence of the Belgian DPA</u>   
<u>Lead supervisory Authority and competence of the Belgian DPA</u>   


The DPA held that the fact that the controller had mentioned the possibility of filing a complaint in both countries in privacy policies said nothing about the competence of either the Belgian DPA or the DPA in the UK as lead supervisory authority in this case. The Belgian DPA held that this was merely an expression of the right of the data subject to file complaints in both countries.   
The DPA held that the fact that the controller had mentioned the possibility of filing a complaint in both countries in its privacy policies said nothing about the competence of either the Belgian DPA or the DPA in the UK as lead supervisory authority in this case. The Belgian DPA held that this was merely an expression of the right of the data subject to file complaints in both countries.   


The DPA held that the DPA in the UK should be regarded as the lead supervisory authority in this case of cross-border processing (Article 4(23) GDPR). There was no agreement between the joint controllers (Article 26 GDPR). Therefore, the DPA considered several factors to decide why the company in the UK should be regarded as the principal place of business for the purposes of data processing decisions (controller) and their application. One factor was the fact that in each of the privacy policies of the controller's companies across EU-member states, it was explicitly mentioned that the controller is the company incorporated under English law (UK). It also mentions that the other companies, such as the Belgian one, are joint Controllers. Another factor was that the communication with the data subject was taken over by the privacy team in the United Kingdom from the customer service in Belgium. The controller also produced internal documents which explain the procedure for exercising rights with a system of 'escalation' to the Privacy team in the UK, for example form the customer service in Belgium to the privacy team in the United Kingdom. The controller further specified that the procedure for this decision was also prepared by the parent company in the United Kingdom.  
The DPA held that the DPA in the UK should be regarded as the lead supervisory authority in this case of cross-border processing [[Article 4 GDPR#23|(Article 4(23) GDPR)]]. There was no agreement between the joint controllers [[Article 26 GDPR|(Article 26 GDPR]]). Therefore, the DPA considered several factors to decide why the company in the UK should be regarded as the principal place of business for the purposes of data processing decisions and their application. One factor was the fact that in each of the privacy policies of the controller's companies across EU-member states, it was explicitly mentioned that the controller is the company incorporated under English law (UK). It also mentions that the other companies, such as the Belgian one, are joint Controllers. Another factor was that the communication with the data subject was taken over by the privacy team in the United Kingdom from the customer service in Belgium. The controller also produced internal documents which explain the procedure for exercising rights with a system of 'escalation' to the Privacy team in the UK, for example form the customer service in Belgium to the privacy team in the United Kingdom. The controller further specified that the procedure for this decision was also prepared by the parent company in the United Kingdom.  


Another factor which the DPA considered was the fact that the Italian DPA had also received a complaint against the controller and had considered the DPA in the UK to be the lead supervisory authority. This consideration was accepeted by the DPA in the UK.   
Another factor which the DPA considered was the fact that the Italian DPA had also received a complaint against the controller and had considered the DPA in the UK to be the lead supervisory authority. This consideration was accepted by the DPA in the UK.   


The DPA held that it is competent to deal with this decision, because the controller didn’t establish a new principal place of business in an EU member state after Brexit. As a result, the Belgium DPA was therefore competent to deal with the complaint since a complaint was filed at the Belgian DPA.   
The DPA held that it is competent to deal with this decision, because the controller didn’t establish a new principal place of business in an EU member state after Brexit. As a result, the Belgium DPA was therefore competent to deal with the complaint since a complaint was filed at the Belgian DPA.   


The DPA held that it was not necessary to specify relationship between the joint controllers in the UK and in Belgium.   
The DPA held that it was not necessary to specify the relationship between the joint controllers in the UK and in Belgium.   


<u>Belgian DPA decided to close the case</u>     
<u>Belgian DPA decided to close the case</u>     
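Review bot: in the Brexit paragraph and again in the Holding, the opening parenthesis sits inside the link label and the closing one outside it ("[[Article 56 GDPR#1|(Article 56(1) GDPR]])" and "[[Article 26 GDPR|(Article 26 GDPR]])"), whereas "[[Article 4 GDPR#23|(Article 4(23) GDPR)]]" keeps both inside; pick one form and apply it to all three. The rewritten sentence "every DPA of the other EU members states have jurisdiction" needs "member states" and "has", and "controllers UK company", "automated processed" and "form the customer service" pass through this revision uncorrected.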
Line 105: Line 102:
The DPA decided to close the case because of several reasons. The findings of investigations unit were made at a time when the jurisdiction of the Belgian DPA was not established in UK Law. The DPA therefore held that it couldn't rely on these findings. It also held that the violations of the controller were the result of human error. It also held that GDPR was taken into account with the handling of the complaint. It further considered the concrete circumstances of the case, such as the time elapsed, the subject matter and the absence of high impact for the data subject.   
The DPA decided to close the case because of several reasons. The findings of investigations unit were made at a time when the jurisdiction of the Belgian DPA was not established in UK Law. The DPA therefore held that it couldn't rely on these findings. It also held that the violations of the controller were the result of human error. It also held that GDPR was taken into account with the handling of the complaint. It further considered the concrete circumstances of the case, such as the time elapsed, the subject matter and the absence of high impact for the data subject.   


Nonetheless, the DPA held that the controller had violated Articles 15(1) GDPR (confirmation of the processing of data and information) and 15(3) GDPR (copy of the data). The Controller also violated [[Article 12 GDPR#3|Article 12(3) GDPR]] (the response to a request to exercise a right must be made, with certain exceptions, within one month).   
Nonetheless, the DPA held that the controller had violated [[Article 15 GDPR#1|Article 15(1) GDPR]] (confirmation of the processing of data and information) and [[Article 15 GDPR#3|Article 15(3) GDPR]] (copy of the data). The Controller also violated [[Article 12 GDPR#3|Article 12(3) GDPR]] (the response to a request to exercise a right must be made, with certain exceptions, within one month). All these violations were found because the controller had failed to provide access to the requested data.   


The DPA didn’t sanction the controller but informed the controller how it could comply better with the GDPR in the future by referring to EDPB guidelines 01/2022 regarding the right of access.  
The DPA didn’t sanction the controller but informed the controller how it could comply better with the GDPR in the future by referring to EDPB guidelines 01/2022 regarding the right of access.  

Latest revision as of 08:57, 29 June 2023

APD/GBA - Decision 135/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(23) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 26 GDPR
Article 56(1) GDPR
Article 4(23) GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.09.2019
Decided: 22.09.2022
Published: 02.10.2022
Fine: n/a
Parties: n/a
National Case Number/Name: Decision 135/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: GBA (in FR)
Initial Contributor: n/a

The Belgian DPA held that a controller, with companies in both Belgium and the UK, violated Article 15(1) GDPR, Article 15(3) GDPR and Article 12(3) GDPR by deleting data instead of providing access to it after an access request by the data subject.

English Summary

Facts

The data subject submitted an access request (Article 15 GDPR) for his two accounts to the controller’s customer service department. The controller verified the data subject’s identity and informed him that his request would be followed up with a view to obtaining a copy of his personal data within one month. These initial exchanges of e-mails took place with the controller using a .be (Belgium) e-mail address.

The data subject sent a reminder to the controller on 4 November 2019 after he hadn’t heard back from the controller. The data subject received an e-mail on 7 November 2019 from the privacy team of the controller using a privacy@[...].uk (United Kingdom) e-mail address. In this e-mail, it was stated that all the personal data of the data subject had been deleted following his request for deletion. On the same day, 7 November 2019, the data subject objected by e-mail that he had not requested the deletion of personal data but access to personal data. According to the data subject, the controller didn't answer this e-mail.

After the data subject filed his complaint which was deemed admissible by the Belgian DPA, the DPA ordered an investigation into the matter. In its investigation report, it held the following:

The controller's Belgian company was jointly responsible for the processing with the controller's UK company. This joint responsibility results from the privacy policy, available on the website of the Belgian company of the controller. The investigation unit also held that the controller violated Article 12(1) GDPR, Article 12(2) GDPR, Article 15(1) GDPR and Article 15(3) GDPR. The controller had deleted the data of the data subject instead of providing access to the data. The controller stated that this was most likely caused by human error. To prevent the problem from occurring in the future, the controller started putting in place additional training and automated processes to handle requests of data subjects under the GDPR in a better way.

The DPA held that the investigations unit didn’t answer the question of which DPA was the lead supervisory authority. The controller stated in its privacy policy that a complaint could be filed at either the DPA in the UK or the Belgian DPA.

The DPA reiterated that after Brexit, each Member State in which a new principal place of business of the controller was established would become the DPA, including for complaints against the controller, after the DPA in the UK had left the cooperation mechanism and the one-stop shop. In the absence of a principal place of business in the EU of the controller (Article 56(1) GDPR), every DPA of the other EU member states has jurisdiction regarding the controller insofar as the GDPR applies.

There was no agreement between the controller's companies in Belgium and the UK regarding joint controllership.

Holding

Lead supervisory Authority and competence of the Belgian DPA

The DPA held that the fact that the controller had mentioned the possibility of filing a complaint in both countries in its privacy policies said nothing about the competence of either the Belgian DPA or the DPA in the UK as lead supervisory authority in this case. The Belgian DPA held that this was merely an expression of the right of the data subject to file complaints in both countries.

The DPA held that the DPA in the UK should be regarded as the lead supervisory authority in this case of cross-border processing (Article 4(23) GDPR). There was no agreement between the joint controllers (Article 26 GDPR). Therefore, the DPA considered several factors to decide why the company in the UK should be regarded as the principal place of business for the purposes of data processing decisions and their application. One factor was the fact that in each of the privacy policies of the controller's companies across EU member states, it was explicitly mentioned that the controller is the company incorporated under English law (UK). The policies also mention that the other companies, such as the Belgian one, are joint controllers. Another factor was that the communication with the data subject was taken over by the privacy team in the United Kingdom from the customer service in Belgium. The controller also produced internal documents which explain the procedure for exercising rights with a system of 'escalation' to the privacy team in the UK, for example from the customer service in Belgium to the privacy team in the United Kingdom. The controller further specified that the procedure for this decision was also prepared by the parent company in the United Kingdom.

Another factor which the DPA considered was the fact that the Italian DPA had also received a complaint against the controller and had considered the DPA in the UK to be the lead supervisory authority. This consideration was accepted by the DPA in the UK.

The DPA held that it is competent to deal with this decision, because the controller didn’t establish a new principal place of business in an EU member state after Brexit. As a result, the Belgian DPA was competent to deal with the complaint, since a complaint was filed with the Belgian DPA.

The DPA held that it was not necessary to specify the relationship between the joint controllers in the UK and in Belgium.

Belgian DPA decided to close the case

The DPA decided to close the case for several reasons. The findings of the investigations unit were made at a time when the jurisdiction of the Belgian DPA was not established in UK law. The DPA therefore held that it couldn't rely on these findings. It also held that the violations of the controller were the result of human error. It also held that the GDPR was taken into account in the handling of the complaint. It further considered the concrete circumstances of the case, such as the time elapsed, the subject matter and the absence of high impact for the data subject.

Nonetheless, the DPA held that the controller had violated Article 15(1) GDPR (confirmation of the processing of data and information) and Article 15(3) GDPR (copy of the data). The controller also violated Article 12(3) GDPR (the response to a request to exercise a right must be made, with certain exceptions, within one month). All these violations were found because the controller had failed to provide access to the requested data.

The DPA didn’t sanction the controller but informed the controller how it could comply better with the GDPR in the future by referring to EDPB guidelines 01/2022 regarding the right of access.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision 135/2022 of September 22, 2022

File number: DOS-2019-05983

Subject: Complaint relating to the exercise of a right of access against a company – co-responsibility – classification without follow-up

The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, President, sitting alone;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data (hereinafter LTD);

Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Made the following decision regarding:

The plaintiff: Mr. X, hereinafter “the plaintiff”;

The defendant: […], the defendant's English company,
[….] Belgian company of the defendant
Hereinafter “the defendant”;

I. Facts and procedure

1. On November 25, 2019, the complainant filed a complaint with the Data Protection Authority (APD).

2. His complaint concerns the exercise of his right of access (Article 15 of the GDPR) and the inadequate action taken on this request by the defendant.

3. The complainant thus reports that on September 26, 2019, he sent a request for access to the defendant's customer service, requesting to recover all the data related to both accounts (…) and (…). An exchange of e-mails dated September 28, 2019 followed this request, at the end of which the defendant verified the identity of the complainant and informed him that a follow-up would be given to his request to obtain a copy of his personal data within one month, in accordance with the applicable data protection regulations. These first e-mail exchanges took place with a person using a .be e-mail address and presenting himself as being in charge of customer accounts with the defendant (customer accounts).

4. In the absence of follow-up given to these first exchanges, the complainant sent a reminder to the defendant on November 4, 2019, more than a month after his initial request of September 26, 2019 (point 3 above).

5. In response, the complainant this time received an e-mail dated 7 November 2019 sent from the address privacy@[...].uk, signed by the Privacy team of the defendant, and informing him that, following his request for erasure, all the personal data that the defendant held "and which fall within the scope of your (read "his") right to erasure under data protection regulations had been deleted” (excerpt from the e-mail produced). The defendant further specifies that it advised of this erasure all third parties who processed the complainant's data on his behalf, referring in this respect to its privacy policy. Finally, the defendant indicates that the right to erasure does not necessarily imply that all personal data be erased when, in certain circumstances, exceptions provided for by the GDPR may apply. The defendant refers the complainant in this respect to the information available on the website of the Commission Nationale Informatique et Libertés (CNIL), i.e. the French data protection authority. Should the complainant be dissatisfied with the response received, the defendant finally invites him to file a complaint with the CNIL, again referring to its privacy policy.

6. On the same day, November 7, 2019, the complainant objected by return e-mail that he had not requested the deletion of his data but access to them. In his complaint, the complainant indicates that this last e-mail remained unanswered by the defendant.

7. On December 3, 2019, the Front Line Service (SPL) of the APD declares the complaint admissible on the basis of Articles 58 and 60 of the LCA, and transmits it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.

8. During the session of December 17, 2019, the Litigation Chamber decides to request an investigation from the Inspection Service (SI). On December 20, 2019, the Litigation Chamber seized the Inspector General of a request for an investigation. On the same date, the complainant was informed that the Inspection Service had been seized.

9. According to his investigation report of March 3, 2020, the Inspector General notes the following:

- The Belgian company of the defendant is jointly responsible for the processing with the defendant's English law company established in the United Kingdom (hereinafter together "the defendant"). This co-responsibility results from the privacy policy available on the website of the Belgian company of the defendant;

- The plaintiff received an e-mail from the defendant's Privacy team (see point 5) confirming the deletion of his personal data in response to his request to get a copy. Reference is also made in this e-mail to the CNIL with regard to the filing of any complaint. In this regard, the SI concludes that there is a breach of Articles 12.1, 12.2, 15.1 and 15.3 of the GDPR on the part of the defendant.

- The defendant indicated to the SI that these shortcomings were both due to a human error, the handler of the request having in all likelihood used the wrong French-language template available.

- In order to prevent the problem that has arisen from recurring, the defendant indicates the implementation of additional training and the establishment of an automatic process for managing requests to exercise rights under the GDPR.

- Finally, the SI notes that two other complaints were listed in the cooperation system (one-stop shop - IMI) [1] of the European Union data protection authorities against the defendant. In these complaints the British Information Commissioner (ICO) is identified as the lead authority within the meaning of Article 56.1 GDPR (Lead Supervisory Authority - LSA) due to the location of the principal establishment of the defendant in the United Kingdom (via the defendant's English company - see below).

[1] The Internal Market Information System (IMI) is an online tool that facilitates the exchange of information between public authorities involved in the practical application of EU law. IMI helps authorities fulfill their cross-border administrative cooperation obligations in many single market areas, including the field of data protection (GDPR).

 10. After examining the Inspection report and the investigation documents, the Litigation Chamber

       notes that said report mentions that the defendant's English law company (UK)

       and the defendant's Belgian law company (BE) are joint data controllers without

       however, draw conclusions as to the identification of the LSA and the competence of the

       ODA. The SI report establishes that the defendant's privacy policy

       mentions the possibility for each complainant to file a complaint with the ICO and/or

       DPA. This possibility does not, however, entail the competence of one or the other

       and the other otherwise) data protection authority such as LSA. This double

       possibility is simply the expression of what the complainant has the choice to file his complaint

       with its local control authority which may, according to the criteria of
       determination of the GDPR to be LSA or simple “concerned authority” (CSA) within the meaning of article

       4.22.c) of the GDPR with, in the latter case, the obligation to transfer the complaint to the LSA in the

       framework of the cooperation mechanism between the data protection authorities (one-stop

       single – articles 56 and s. ) implemented by the GDPR.


 11. To determine which is the lead data protection authority (LSA) in the event of

       cross-border processing within the meaning of Article 4.23 of the GDPR as in the present case and co-

       data controllers, the Litigation Chamber refers to the Guidelines of the
                                                                                             2
       European Data Protection Board (EDPB) on LSA identification. These
       guidelines state the following:


               “The General Regulation does not specifically cover the question of the
               determination of a lead authority when several controllers established in the
               Union jointly determine the purposes and means of processing, i.e. in the case of
               joint controllers. Article 26, paragraph 1, and recital 79 make it clear that, in
               this situation, the joint controllers define in a transparent manner their
               respective obligations in order to ensure compliance with regulatory requirements.
               Therefore, in order to benefit from the one-stop-shop principle, the joint
               controllers must designate which of their establishments (among those where
               decisions are taken) will have the power to enforce decisions about processing
               with respect to all joint controllers. This establishment will then be considered
               as the main establishment for processing involving joint controllers. The
               agreement between the joint controllers




2 Article 29 Working Party, Guidelines for the designation of a lead supervisory authority of a
controller or a processor, WP244 of 5 April 2017. The EDPB adopted these guidelines as its own
by decision of 25 May 2018: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-identifying-controller-or-processors-lead_en



                is without prejudice to the rules on liability established by the General
                Regulation, in particular in Article 82, paragraph 4 (point 2.1.3.)”.


 12. In the absence of an agreement within the meaning of Article 26 of the GDPR at its disposal,
       the Litigation Chamber relied on various elements of the complaint to consider that the
       defendant's English law company (UK) was to be considered the main establishment with
       regard to decisions on data processing (controller) and their implementation.

 13. These elements were:

            a. In the various countries of the European Union in which the defendant offers
                its services, each of the privacy policies mentions that the data controller is
                the defendant's English law company (UK) and the local company of the country
                concerned, as joint controllers (the defendant's Belgian law SPRL in Belgium,
                the defendant's SAS in France, etc.);

            b. The defendant's English law company (UK) is therefore “joint” in each case;

            c. In the context of this complaint, after an initial intervention by the “local”
                customer service (Belgian in this case, see point 3), the matter was taken over by
                the Privacy team in the United Kingdom (point 4), which comes under the defendant's
                English law company and supports local services in responding to requests to
                exercise rights under the GDPR;

            d. As part of the investigation conducted by the IS, the defendant produced in this
                regard internal documents that explain the procedure for exercising rights, with
                an “escalation” system to the Privacy team (central support team for personal
                data issues, based in the UK). The defendant further explains that this
                procedure was prepared by the parent company in the UK.

            e. As mentioned in point 9 above, the Italian data protection authority (Garante)
                also received a complaint about the defendant and considered that the ICO was
                LSA, which the ICO accepted.


 14. On the basis of the foregoing, the Litigation Chamber therefore referred to the ICO the
       complaint received from the complainant on November 20, 2020. At the time, notwithstanding the withdrawal



3 As mentioned by the EDPB in the excerpt cited in point 11, Article 26 of the GDPR requires joint controllers
to define transparently, by agreement between them, their respective obligations in order to ensure compliance
with the requirements of the GDPR, in particular with regard to the exercise of the rights of the data subject,
and their respective obligations with regard to the communication of the information referred to in Articles 13
and 14, subject to exceptions.



       of the United Kingdom from the European Union, the ICO was still taking part until 31 December
       2020 in the cooperation mechanism (one-stop shop) set up under Chapter VII of the GDPR. 4


 13. On January 11, 2021, the Litigation Chamber informed the complainant of this.


 14. In the course of 2021, a data protection authority with which a complaint had also
       been filed against the defendant informed its counterparts that it had made a point of
       verifying whether the defendant had designated a new main establishment in the post-Brexit
       European Union, after the exit of the ICO from the cooperation and one-stop-shop
       mechanism. The data protection authority of the EU 27 Member State in which such a new
       main establishment was established would become LSA, including for complaints under
       review (even if this review had not been completed by the ICO) filed with EU data
       protection authorities before the exit of the ICO from the one-stop shop.

 15. The data protection authorities did not establish that the defendant had designated a
       new main establishment in the EU and concluded that, as a result, each of the data
       protection authorities receiving a complaint was now competent to handle it.

 16. The Litigation Chamber agrees with this analysis and bases its jurisdiction on it.
       Indeed, the one-stop-shop mechanism (and therefore the competence of a lead authority,
       LSA) presupposes the existence of cross-border processing within the meaning of Article
       4.23 of the GDPR as well as the existence of a main establishment or a single
       establishment of the controller in the EU (Article 56.1 of the GDPR). In the absence of a
       main establishment of the defendant in the EU following Brexit, each data protection
       authority is competent with respect to it insofar as the GDPR applies.


 17. In the present case, with regard to joint controllers, the DPA currently considers itself
       competent with respect to each of the entities, whether the defendant's English law
       company or the defendant's Belgian law company. Indeed, while the dominant factual
       influence of the defendant's English law company justified, before the exit of the ICO
       from the one-stop-shop mechanism, that the examination of the complaint be entrusted to it
       as LSA (see above), the fact remains that the two entities are joint controllers
       subject to the GDPR, which justifies that the DPA (via its Litigation Chamber),



4 Withdrawal of the United Kingdom from the European Union exclusion from the EU decision making and decision-shaping
as of the withdrawal date and exceptions provided for in the withdrawal agreement. (Appendix). Ref. Ares(2020)469682 - 01/24/2020.

5 In accordance with the Agreement on the European Economic Area (EEA), as of July 20, 2018, the EEA countries, Iceland,
Liechtenstein and Norway are also part of the EDPB and the one-stop-shop system.



       now competent post-Brexit, addresses this decision to them jointly. For the purposes of
       this decision, it is not necessary to specify the relationship between these two entities.



II. Motivation


 15. Based on the facts described in the complaint file as summarized above, and on the
       basis of the powers attributed to it by the legislator under Article 95, § 1 of the LCA,
       the Litigation Chamber decides on the follow-up to be given to the file. In this case, the
       Litigation Chamber decides to dismiss the complaint, in accordance with Article 95, § 1,
       3° of the LCA, for the reasons set out below.

 16. In matters of dismissal, the Litigation Chamber is required to justify its decision
       step by step and:

            - to pronounce a dismissal on technical grounds if the file contains no or
                insufficient elements likely to lead to a sanction or if it includes a
                technical obstacle preventing it from rendering a decision;

            - or to pronounce a dismissal on grounds of opportunity if, despite the presence of
                elements likely to lead to a sanction, the continuation of the examination of the
                file does not seem to it to be appropriate given the priorities of the DPA as
                specified and illustrated in the Litigation Chamber's dismissal policy. 7

 17. In the event of dismissal based on several grounds, the latter (respectively,
       dismissal on technical grounds and dismissal on grounds of opportunity) must be
       addressed in order of importance. 8

 18. In this case, the Litigation Chamber decides to dismiss the complaint on grounds of
       opportunity. The decision of the Litigation Chamber is based more specifically on the
       following reasons why it considers it inappropriate to continue to examine the complaint,
       and therefore decides not to proceed, among other things, with an examination of the case
       on the merits.

 19. The Litigation Chamber notes that the findings of the IS were made (between 20

       December 2019 and 3 March 2020) on a date on which the competence of the DPA was not, at




6 Cour des marchés (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
7 In this respect, the Litigation Chamber refers to its dismissal policy as developed and published on
the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classification-without-continuation-of-the-litigation-chamber.pdf.
8 See Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the
dismissal policy of the Litigation Chamber.



       least vis-à-vis the defendant's English law company, established. The Litigation Chamber
       therefore does not consider that it can reliably rely on the said findings.


 20. The Litigation Chamber is also of the opinion that these breaches could constitute
       human error. The first exchanges of e-mails with the complainant attached to the complaint
       attest that the GDPR was taken into account and that the deadlines for answering him were
       known. The response then provided by the “Privacy team” regarding erasure, while
       certainly inadequate given that the complainant had made a request for access and not for
       erasure, also attests that the GDPR was taken into account. Taking into account all the
       concrete circumstances of the case (elapsed time, subject of the complaint and the absence
       of a high societal or personal impact for the complainant in this case, as these are data
       relating to user accounts with the defendant), the Litigation Chamber concludes that the
       continuation of an examination on the merits would be disproportionate. However, as will
       be specified in point 24, it intends to communicate this decision to the defendant for
       information and awareness.


 21. Indeed, without prejudice to the foregoing considerations, the Litigation Chamber is
       nonetheless, based on the attachments to the complaint alone, able to point out that, prima
       facie, the defendant did not respond adequately to the complainant's request for access,
       deleting the latter's personal data instead of sending him a copy, in breach of Articles
       15.1 (confirmation that data is being processed and elements of information) and 15.3
       (copy of data) of the GDPR. Therefore, the defendant has also, and still prima facie, not
       complied with the requirements of Article 12.3 of the GDPR (the answer to a request to
       exercise a right must be given, with some exceptions, within one month).


 22. Notwithstanding its decision to close without further action, the Litigation Chamber therefore
       recalls the following, a reminder which, without constituting any corrective measure or
       sanction within the meaning of Articles 95 or 100 of the LCA, aims to inform the defendant
       as best as possible:

       - The establishment of effective procedures to follow up on requests to exercise the
           rights of data subjects is part of the obligations of (joint) controllers and of the
           effectiveness of said rights;

       - As the EDPB points out in its Guidelines on the right of access, 9
           “where two or more controllers process data jointly, the arrangement of the joint
           controllers regarding their respective responsibilities with regards to the exercise of
           data subject's rights, especially concerning the answer to access requests, does not



9 European Data Protection Board (EDPB), Guidelines 01/2022 on data subject’s rights – right of access,
version 1.0, dated 18 January 2022. This text is only available in English: https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf
This document has been submitted for public consultation. It is therefore not excluded that an amended
version of these guidelines will be published in the future.



             affect the rights of the data subjects towards the controller to whom they address their
             request (item 34)”. 10

        - Still according to the EDPB, “the controllers should be proactively ready to handle the
             requests for access to personal data. This means that the controller should be prepared
             to receive the request, assess it properly (this assessment is the subject of this section
             of the guidelines) and provide an appropriate reply without undue delay to the requesting
             person. The way the controllers will prepare themselves for the exercise of access
             requests should be adequate and proportionate and depend on the nature, scope,
             context and purposes of processing as well as the risks to the rights and freedoms of
             natural persons, in accordance with Art. 24 GDPR. Depending on the particular
             circumstances, the controllers may for example in some cases be required to implement
             an appropriate procedure, the implementation of which should guarantee the security of
             the data without hindering the exercise of the data subject’s rights (point 42)”. 11

        - Finally, as the EDPB also points out in its Guidelines already mentioned, and
             without calling into question its conclusion that a human error may have occurred
             in this case, the Litigation Chamber recalls that “the controller shall not deliberately
             escape the obligation to provide the requested personal data by erasing or modifying
             personal data in response to a request for access. If, in the course of processing the
             access request, the controller discovers inaccurate data or unlawful processing, the
             controller has to assess the state of the processing and to inform the data subject
             accordingly before complying with its other obligations (point 39)”. 12





10 See the aforementioned Right of Access Guidelines. Free translation: “Where two or more
controllers process data jointly, the arrangement between the joint controllers regarding
their respective responsibilities with regard to the exercise of the rights of data subjects (especially
with regard to the response to be given to a request for access) cannot affect the rights of the data subject
with regard to the data controller to whom the request was addressed (point 34)”.

11 See the EDPB guidelines on the right of access already cited. Free translation: “Controllers
should be proactively prepared to deal with requests for access to personal data. This means that
the controller should be prepared to receive the request, to examine it adequately (this examination is
discussed in this section) and to provide a relevant response as soon as possible to the applicant. The
way controllers prepare for these requests to exercise the right of access should be
adequate, proportionate and dependent on the nature, scope, context and purpose of the processing as well as the
risks to the rights and freedoms of natural persons, in accordance with Article 24 of the GDPR. Depending on the
circumstances, data controllers could for example sometimes be required to put in place a specific
procedure, the implementation of which should guarantee the security of the data without preventing the
exercise of the rights of the data subject (point 42)”.

12 See the EDPB guidelines relating to the right of access already cited. Free translation: “The data controller
cannot deliberately evade its obligation to provide the personal data by erasing or modifying the
data to be provided in response to the access request. If, as part of the process of responding to such a request, the
data controller discovers that the data is inaccurate or that it is being processed unlawfully, the
data controller must examine the processing and inform the person concerned before complying with its
other obligations (item 42)”.



       - With regard to the response given regarding erasure, the Litigation Chamber
           recalls that it is important that the data subject be informed of the data that has
           been erased and that, if exceptions are applicable, they must be formulated in a way
           that is relevant to the particular situation.



III. Publication and communication of the decision


 23. Given the importance of transparency with regard to the decision-making process and
       the decisions of the Litigation Chamber, this decision will be published on the DPA
       website. However, for this purpose it is not necessary for the identification data of the
       parties to be directly mentioned.

 24. In accordance with its dismissal policy, the Litigation Chamber will communicate the
       decision to the defendant. Indeed, the Litigation Chamber has decided to communicate
       dismissal decisions to the defendant by default. However, the Litigation Chamber refrains
       from such communication when the complainant has requested anonymity vis-à-vis the
       defendant and when the communication of the decision to the latter, even pseudonymised,
       nevertheless risks allowing re-identification. This is not the case in the present case.





    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides, after deliberation,

    to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.





In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, with the Market Court (Brussels Court of Appeal),
with the Data Protection Authority (DPA) as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code (C. jud.). The interlocutory request



13 Cf. Title 5 – Will the dismissal be published? Will the opposing party be informed? of the
dismissal policy of the Litigation Chamber.
14 Ibidem.
15 The application contains on pain of nullity:
 1° the indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his capacity and his national register number or
    business number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 4° the object and summary of the grounds of the application;




must be filed with the registry of the Market Court in accordance with article 1034quinquies of the
C. jud., or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

To allow him to consider any other possible course of action, the Litigation Chamber refers
the complainant to the explanations provided in its dismissal policy. 17









(Sé). Hielke HIJMANS


President of the Litigation Chamber

  5° the indication of the judge who is seized of the application;
  6° the signature of the applicant or his lawyer.

16 The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by
registered letter to the court clerk or filed with the court registry.
17 Cf. Title 4 – What can I do if my complaint is dismissed? of the dismissal policy of the
Litigation Chamber.