APD/GBA (Belgium) - 115/2023: Difference between revisions
Latest revision as of 06:45, 14 September 2023
APD/GBA - 115/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 35 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 04.07.2023 |
Decided: | 16.08.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 115/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA dismissed a complaint, despite the existence of GDPR violations. The DPA was of the opinion that the breaches did not result in a "major social and/or personal impact," thus the resources required to investigate the complaint would be disproportionate.
English Summary
Facts
The complaint concerned an alleged data breach. The data subject tried to submit a document to his personal profile on the controller's platform twice but it was submitted to his employer's company account instead. The data subject argued that the information incorrectly registered included payment details and the data subject's power of attorney.
On 4 July 2023, the data subject submitted a complaint to the Belgian DPA.
Holding
The Belgian DPA dismissed the case on "policy grounds", mainly on the basis that no personal or social impact was caused as a result of the GDPR violations. The DPA notes that "in order to evaluate the foregoing [complaint] ... the [DPA] ... takes into account the criteria that European Data Protection Authorities handle processing operations with a 'high risk' within the meaning of Article 35 GDPR."
Firstly, the Belgian DPA created a test of "major social and/or personal impact" as a criterion for evaluating complaints. Moreover, the DPA takes the concept of high-risk processing from Article 35 GDPR, an article directed at controllers, and uses it as a basis for evaluating the admissibility of complaints. Article 35 GDPR imposes an obligation upon controllers to conduct a risk assessment of their processing activities where the processing is likely to result in a high risk to the rights and freedoms of natural persons (data protection impact assessment or DPIA). The Belgian DPA has taken the concept of high-risk processing and extended it to the criteria it uses in evaluating complaints.
Secondly, the Belgian DPA read Article 35 GDPR in line with Article 77 GDPR. The DPA interpreted the right to lodge a complaint with a supervisory authority under Article 77 GDPR, concluding that the right to lodge a complaint is not absolute. On this point, the Belgian DPA stated that:
"However, this objective right of complaint does not imply that every complaint can and will be thoroughly investigated by the competent authority, given its intrinsic nature and lack of resources. The Belgian legislator has in this regard explicitly recognised 'the need for the Data protection authority to be able to act selectively with a view to an effective and efficient enforcement policy.'"
The Belgian DPA dismissed the complaint as it found a lack of "major social and/or personal impact," a test which the DPA has drawn from Article 35 GDPR. It argued that as a result, there was no reason to further investigate the complaint, despite having acknowledged the existence of prima facie violations of the GDPR.
Comment
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
(General criteria "Your complaint is not detailed enough or is not supported by evidence that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your complaint has no major social and/or personal impact.")
Article 57 GDPR sets out the tasks afforded to supervisory authorities under the Regulation. A primary task of supervisory authorities is to "monitor and enforce the application of this Regulation" (Article 57(1)(a) GDPR); there is therefore an obligation upon supervisory authorities to enforce against breaches of the GDPR. Commentators recognise that, due to the limited resources afforded to DPAs, DPAs often need to prioritise the complaints brought to them. Hijmans contends that "the need for effectiveness and accountability justifies the conclusion that strategic approaches are not just optional for DPAs but required by the GDPR."[1][2] Therefore, the evaluation and prioritisation of complaints by the Belgian DPA is not contrary to the GDPR. However, its reliance on Article 35 GDPR to do so is questionable.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation room
Decision 115/2023 of 16 August 2023
File number: DOS-2023-02893
Subject: Complaint due to the repeated occurrence of a data breach

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The complainant: Mr. X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant”

I. Factual Procedure

1. The object of the complaint concerns the repeated occurrence of a data breach. The complainant wanted to have a document registered on his personal […] user profile, but the payment request and the actual power of attorney were both initially (incorrectly) registered on the account of the company […] instead of the personal […] user profile of the complainant as an individual citizen. The personal data that was available through the […] user profile is at least the names of the relevant principals and holders of [the document]. On the basis of the documents attached to the complaint, it is unclear whether the contents of [the document] are also available wash (see below). If this was the case, then the national register number and the addresses of those involved can be consulted.

2. On July 4, 2023, the complainant submits a complaint to the Data Protection Authority against defendant.

3. On August 14, 2023, the complaint will be declared admissible by the First Line Service on pursuant to Articles 58 and 60 of the WOG and the complaint is settled pursuant to Art. 62, § 1 WOG submitted to the Disputes Chamber.

II. Motivation

4. On the basis of the elements in the file known to the Litigation Chamber, and on the basis of the powers conferred on it by the legislator pursuant to Article 95, § 1 WOG assigned, the Litigation Chamber decides on the further follow-up of the file; in this case the Disputes Chamber will proceed to dismiss the complaint in accordance with Article 95, § 1, 3° WOG, on the basis of the following motivation.

5. When a complaint is dismissed, the Disputes Chamber makes its decision step-by-step motivation and:
- declare a technical dismissal if the file is not sufficient or not sufficient contains elements that could lead to a conviction, or if there are not enough there is a prospect of a conviction for a technical impediment, as a result of which it cannot reach a decision;
- or pronounce a policy dismissal, if despite the presence of elements which may lead to a sanction, the continuation of the investigation of the dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Litigation Chamber. [fn. 2]

6. In the present file, the Disputes Chamber proceeds to dismiss the complaint, based on policy grounds for dismissal. What follows is the basis of the decision of the Disputes Chamber why it considers it undesirable to take further action to the file and therefore decides not to proceed, inter alia, with a treatment ground.

7. First of all, the Disputes Chamber checks, in accordance with its dismissal policy, whether the submitted complaint contains grievances with a major social and/or personal impact. [fn. 4] In order to evaluate the foregoing, the Litigation Chamber takes into account the criteria that European data protection authorities handle processing operations with a “high risk” within the meaning of Article 35 GDPR. In this case, the Disputes Chamber establishes that the processing in question is subject to the complaint The allegations filed by the complainant prima facie cannot be accommodated one of the cases listed in Article 35.3 GDPR. [fn. 5]

8. The Disputes Chamber also takes into account that the principal of [the document] (Z) does not submit a complaint himself and that the email address used by the complainant refers to the relevant company (…) which may explain the cause of the error/mistake. Although such an error (particularly if it occurs twice) is regrettable, the Disputes Chamber is of the opinion that the complaint does not fall under one of the criteria taken into account to identify major data processing operations societal and/or personal impact, such as through the Data Protection Authority described in its dismissal policy. The Dispute Room weighs the personal consequences of the circumstances of the complaint for the fundamental rights and freedoms of the complainant against the effectiveness of her action when it decides whether it considers it appropriate to deal with the complaint further.

9. This does not mean that the Dispute Chamber lawfully determines that there has been no violation occurred, but that the resources required to deal with the complaint are provided be (possibly) excessive, as the complaint does not involve any major social and/or [fn. 6] has a personal impact.

10. In addition, the Disputes Chamber is of the opinion that ground for dismissal B.5 applies. Since it has already been shown that there does not seem to be a large social and/or personal impact, the Disputes Chamber only checks whether there is case, there is sufficient detailed evidence to support a decision of the Litigation room possible.

11. The complainant informs the Disputes Chamber that access is via the […] user profile would have been possible until [the] completed [document], but this does not appear as such from the documents – here only a blank [document] is linked to the […] user profile. The Disputes Chamber also learns that the complainant is in contact recorded with the defendant via the online complaint form of […], but none here further heeded. However, the complainant has not attached a copy of this complaint and it is therefore unclear to the Litigation Chamber whether the complainant has rights in this complaint under the GDPR is merely mentioning the alleged data seems ancillary measures (the dismissal of the employee in question), independent of the GDPR.

12. Despite the fact that the Disputes Chamber can establish prima facie that there are indeed breaches of the GDPR have occurred, the Litigation Chamber must take into account the lack of documentary evidence and the lack of a high existence personal/social impact conclude that the complaint in this case has not been dealt with fundamentally required. The Disputes Chamber decides not to act for reasons of expediency give to the file. Under Article 77 GDPR, every data subject whose personal data is processed within the territorial scope of the GDPR, of a complaint law. However, this objective right of complaint does not imply that every complaint is also can and will be thoroughly investigated by the competent authority, given its intrinsic nature lack of resources. [fn. 7] The Belgian legislator has in this regard “the need for the Data protection authority to be able to act selectively with a view to a effective and efficient enforcement policy” explicitly recognized.

13. However, the Litigation Chamber points out that, in the event of the receipt of repeated similar complaints concerning the same practices/or controller, a targeted investigation into the data controller concerned is possible be requested from the Inspection Service of the Data Protection Authority. It itself after all, the repeated occurrence of such an incident may point to an earlier one systemic violation of Articles 25 and/or 32 GDPR, due to the lack of appropriate technical and organizational measures to ensure confidentiality and to ensure the security of personal data.

14. In addition, the Disputes Chamber points to the general obligation, cf. Article 33 GDPR, of Y to report data leaks to the Data Protection Authority via the appropriate channel provided in the event that the incident poses risks to the fundamental rights and freedoms of those involved, although the Disputes Chamber cannot immediately determine that such risks exist in the present case. Every incident serves on the other hand, to be included in the incident register provided for this purpose, in accordance with Article 33.5 GDPR.

III. Publication and communication of the decision

15. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. This will include the personal data of the complainant anonymized.

16. In accordance with its filing policy, the Litigation Chamber will give the decision to the defendant [fn. 9] to transfer. After all, the Disputes Chamber has decided to dismiss its decisions ex officio notification to the defendants. However, the Disputes Chamber waives it such notification when the complainant has requested anonymity with respect to it of the defendant (and the notification of the decision to the defendant, even if it is pseudonymised, nevertheless makes it possible to inform the complainant (re)identify. However, that is not the case in the present case.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to dismiss the present complaint pursuant to Article 95, § 1, 3° of the WOG.

Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification against this decision may be appealed to the Marktenhof (court of Brussels appeal), with the Data Protection Authority as defendant.

Such an appeal may be made by means of an inter partes petition must contain the information listed in Article 1034ter of the Judicial Code. It [fn. 11] a contradictory petition must be submitted to the Registry of the Market Court [fn. 12] in accordance with article 1034quinquies of the Ger.W., or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.).

To enable the complainant to consider other possible remedies, the Litigation Chamber the complainant to the explanation in its dismissal policy. [fn. 13]

(signed) Hielke HIJMANS
Chairman of the Litigation Chamber

[fn. 1] Court of Appeal Brussels, Section Marktenhof, 19 Chamber A, Chamber for Market Affairs, Judgment 2020/AR/329, 2 September 2020, p. 18.
[fn. 2] In this regard, the Litigation Chamber refers to its dismissal policy as set out in detail on the website of the GBA: https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
[fn. 3] It concerns 3.2.1 (General criteria for gr “Your complaint is not detailed enough or is not supported by evidence that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your complaint has no major social and/or personal impact.”
[fn. 4] Ibid, Section 3.2.1. p. 9.
[fn. 5] a) A systematic and comprehensive assessment of personal aspects of natural persons, which is based on automated processing, including profiling, and on which decisions are based on which the natural person have legal consequences or which similarly significantly affect the natural person; b) Large-scale processing of special categories of personal data as referred to in Article 9(1) or of data in relation to criminal convictions and offenses referred to in Article 10; or c) Systematic and large-scale monitoring of publicly accessible spaces.
[fn. 6] https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf, section 3.2.2, point B.5., p. 15.
[fn. 7] cf. Court of Justice EU, Judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112.
[fn. 8] Own emphasis in quote, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available from: https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&legislat=54&dossierID=2648, 51.
[fn. 9] Cf. Title 5 – Will the dismissal of my complaint be published? Will the counterparty be notified? of the dismissal policy of the Litigation Chamber.
[fn. 10] Ibid.
[fn. 11] The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer.
[fn. 12] The application with its annex is sent by registered letter, in as many copies as there are parties involved deposited with the clerk of the court or at the clerk's office.
[fn. 13] Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Litigation Chamber.
- ↑ Hijmans, Hielke, 'Article 57 Tasks', in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (New York, 2020; online edn, Oxford Academic), https://doi.org/10.1093/oso/9780198826491.003.0099, accessed 6 Sept. 2023.
- ↑ To note, Prof Dr Hielke Hijmans is President of the Belgian Data Protection Authority.