APD/GBA (Belgium) - 55/2021: Difference between revisions

From GDPRhub
No edit summary
 
(4 intermediate revisions by 3 users not shown)
Line 58: Line 58:
}}
}}


Belgian DPA held that a father alone cannot submit an access request to a controller on behalf of a child, where the mother shares parental authority. The Belgian DPA also found several other violations of the GDPR by the controller in the case, which is a public administration in charge of childcare.  
The Belgian DPA held that in this specific case, concerning a father and mother sharing parental authority, the request to have data about the child erased, introduced by the father alone, had not been submitted in a way that could be accepted. The Belgian DPA also found several other violations of the GDPR by the controller.  


== English Summary ==
== English Summary ==
Line 68: Line 68:


=== Dispute ===
=== Dispute ===
- Can a father alone (without the mother) submit an access request to the controller on behalf of a minor ?
- Can a father alone (without the mother, being the other guardian) submit an request for erasure to the controller on behalf of a minor ?
- How precise should the applicable legislation be on which the administration relies to process the data on the basis of Article 6.1.e GDPR ?
- How precise should the applicable legislation be on which the administration relies to process the data on the basis of Article 6.1.e GDPR ?
- Did the administration sharing confidential data with a third party violates article 25 GDPR ?   
- Did the administration sharing confidential data with a third party violates article 25 GDPR ?   
Line 79: Line 79:
- The lack of information on the identity of the controller and the DPO amounts to a violation of Article 13(1)(a) and (b) GDPR
- The lack of information on the identity of the controller and the DPO amounts to a violation of Article 13(1)(a) and (b) GDPR
- The communication of  personal data about the child to the mother without reminding that the data should be kept confidential and should not be used in another procedure is a violation of Article 25 GDPR (lack of organisational measures)
- The communication of  personal data about the child to the mother without reminding that the data should be kept confidential and should not be used in another procedure is a violation of Article 25 GDPR (lack of organisational measures)
- The request to access the data about the child cannot be lodged by the father only, considering that he is not the sole guardian of the child
- The request to delete the data about the child cannot be lodged by the father only, considering that he is not the sole guardian of the child and other elements in this specific case
- Since the access request was not sent to the appropriate organ of the administration, the Belgian DPA did not consider that the answer to the access request was communicated too late
- Since the access request was not sent to the appropriate organ of the administration, the Belgian DPA did not consider that the answer to the access request was communicated too late




== Comment ==
== Comment ==
One should note that the Belgian DPA concluded to a violation of Article 6(1)(e) and 6(GDPR but did not hold the administration responsible for the lack of clarity of the law
One should note that the Belgian DPA concluded to a violation of Article 6(1)(e) and 6(3) GDPR but did not hold the administration responsible for the lack of clarity of the law


== Further Resources ==
== Further Resources ==

Latest revision as of 16:59, 12 December 2023

APD/GBA - 55/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(1)(e) GDPR
Article 6(3) GDPR
Article 13(1)(a) GDPR
Article 13(1)(b) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 22.04.2021
Published: 22.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 55/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian DPA website (in FR)
Initial Contributor: n/a

The Belgian DPA held that in this specific case, concerning a father and mother sharing parental authority, the request to have data about the child erased, introduced by the father alone, had not been submitted in a way that could be accepted. The Belgian DPA also found several other violations of the GDPR by the controller.

English Summary

Facts

The Belgian DPA issued a reprimand against a public administration in charge of child care for the violation of article 13(1) GDPR (lack of information on the processing) and 25 GDPR (lack of technical, organisational measures).

The DPA also concluded to the lack of appropriate legal basis to continue the processing of personal data under the new legislation in place (article 6(1)(e) and 6(3)), but decided to not suspend the processing at stake in order to let the administration perform its tasks relating to child care. The DPA will instead contact the legislator to further clarify the legal basis on which the administration relies.

Dispute

- Can a father alone (without the mother, being the other guardian) submit an request for erasure to the controller on behalf of a minor ? - How precise should the applicable legislation be on which the administration relies to process the data on the basis of Article 6.1.e GDPR ? - Did the administration sharing confidential data with a third party violates article 25 GDPR ? - Should the administration have informed the data subjects on the aspects of the processing which was based on Article 6.1.e ?


Holding

- The lack of foreseeability of the law upon which the processing takes place under Article 6(1)(e) GDPR amounts to a violation of Article 6(1)(e) and 6(1) GDPR - The lack of information on the identity of the controller and the DPO amounts to a violation of Article 13(1)(a) and (b) GDPR - The communication of personal data about the child to the mother without reminding that the data should be kept confidential and should not be used in another procedure is a violation of Article 25 GDPR (lack of organisational measures) - The request to delete the data about the child cannot be lodged by the father only, considering that he is not the sole guardian of the child and other elements in this specific case - Since the access request was not sent to the appropriate organ of the administration, the Belgian DPA did not consider that the answer to the access request was communicated too late


Comment

One should note that the Belgian DPA concluded to a violation of Article 6(1)(e) and 6(3) GDPR but did not hold the administration responsible for the lack of clarity of the law

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Page 1
1/34Litigation ChamberDecision on the merits 55/2021 of 22 April 2021File No .: DOS-2019-05270Subject: Complaint against a public institution for refusal of erasure and infringement ofprinciple of confidentiality in the processing of a fileThe Contentious Chamber of the Data Protection Authority (hereinafter APD), made up ofMr. Hielke Hijmans, president, and Messrs. Ch. Boeraeve and Y. Poullet, members.Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to theprotection of individuals with regard to the processing of personal data and thefree movement of these data, and repealing Directive 95/46 / EC (General Regulation on theData Protection), hereinafter GDPR;Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA ) ;Given the internal regulations of the Data Protection Authority as approved by theChamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;Having regard to the documents in the file;Took the following decision regarding:- The complainant: Mr X,- The data controller (defendant): Y (Y1), with advice from Maîtres MarcUyttendaele (m. Uyttendaele@ugka.be ) and Patricia Minsier ( p.minsier@ugka.be ).
Page 2
Decision 55/2021 - 2/34I.Facts and retroacts1) History1. The complainant lodges a complaint with the DPA about a request for erasure ofpersonal data processed by Y1 (hereinafter Y1). In his complaint, he indicates to requestthe erasure of his data as well as that of his son. The complainant sent, bythrough his lawyer, two letters within three months, without these havingled to a response.2. It appears from the documents in the file that the complainant and Mrs Z (hereafter: the mother of the child)were in the process of divorce at the material time. They participated in an aid programof Y1 concerning their son, for whom specialized help seemed necessary. The firstaid program was dated September 18, 2017 and valid for a period of one year (here-afterwards, the first aid program). According to the defendant, it would have been followed by a secondaid program which would have ended in February 2019 (hereafter, the second aid program).The existence of this second aid program is disputed by the complainant.3. During an email communication between the mother of the child and a Y1 delegate, the motherof the child asks the delegate if she was able to speak with the father of the child (i.e.say the complainant), or with the child's teacher. The mother says she is worried about the situationof her son who would become increasingly agitated and aggressive (email of January 9, 2019).4. On January 10, 2019, the Y1 delegate responded to this email, writing in particular the paragraphreproduced below:“I was able to talk to Mr. X before the holidays as agreed. When I confrontMonsieur to the difficulties he would seem to encounter with his son at home, Monsieur denies and says thateverything is fine. It contradicts everything you have told me or observed and minimizes the consequencesthat overly violent action movies might have on her son. "5. On May 9, 2019, the complainant sent an email to the Secretariat of the Ethics Committee 1(hereafter: the Commission). On June 14, 2019, the complainant's lawyer sent a letter to theCommission, in which he complains that the child's mother allegedly usedconfidential information of the Y1 in the civil proceedings between them in courtof the family. The complainant identifies this information as "information1 Ethics Committee, letter of January 8, 2020 and Opinion 219, p.1. This email is not provided to the Litigation Chamber.
Page 3
Decision 55/2021 - 3/34confidential and reports issued by your service ”. He considers it an offenseto the Code of Ethics, as a result of which he declares that he wishes to terminatethe intervention of Y1 This letter follows a first email which would have been sent on May 92019, but which was not added to the file.He also requests that the file containing his personal data and those of his sonbe erased in accordance with Article 17 of the GDPR.6. On July 5, 2019, the Ethics Committee replied to this letter by email. She declares therein essence that the practice denounced is not the work of a Y1 employee, but ofthe opposing party (the mother of the child) in the civil proceedings. The Commission does not consider itselfnot competent to give an opinion on this subject and decides to close the examination of therequest. It adds that it is not competent to examine a request for erasure ofpersonal data contained in ongoing files 2 .7. In response, the complainant sent a second letter dated 22 July 2019 in which he specifiedthat this is how the Y1 would have transmitted confidential information to the motherof the child involved. It specifically refers to the content of the 10January 2019 (see point 4) and to the text of the agreement relating to the first aid program, datedof September 18, 2017 (see point 2). He reiterates his intention to end the intervention of theY1 and requests a response to its erasure request.2) Procedure before the contentious chamber8. On October 8, 2019, the complainant lodged his complaint with the DPA. This concerns therequest for erasure. The complaint is declared admissible by the frontline service onOctober 29, 2019 and sent to the Litigation Chamber.9. On December 3, 2019, the Litigation Chamber decides to deal with the case on the merits. Thisdecision is communicated to the parties the same day by registered mail. The partdefendant is identified as the General Administration of Y1. he is alsoasked the complainant to provide the email from the Ethics Commission of July 5, 2019, whichhad not hitherto been brought to the attention of the Litigation Chamber.2 A first email sent at 2:55 p.m. is sent to the complainant and does not mention the request for erasure. Asecond email sent at 3:30 p.m. the same day, addressed to the plaintiff's lawyers, contains a sentence indicating that theCommission considers itself incompetent with regard to the request for erasure.
Page 4
Decision 55/2021 - 4/3410. On December 16, 2019, the complainant sends the requested email to the Contentious Chamber andrequests a copy of the documents in the file as well as confirmation of the schedule for exchangingconclusions. The Litigation Chamber responds to the complainant's requests on December 172019.11. On December 31, 2019, the counsel for the defendant, identified by them as beingY, ask for a copy of the documents in the file. This is sent by the Chamberlitigation on January 7, 2020. Counsel for the defendant send theirconclusions on January 14, 2020.12. They indicate first of all that the lack of response to the complainant's request for erasureis explained by the fact that it was addressed to the Ethics Commission, a bodyindependent, dealing exclusively with ethical issues in this area. Theyadd that the Ethics Committee is lagging far behind in the processing ofrequests, which explains why it has not yet issued an opinion on the ethical questioncontained in the complainant's request.13. Next, the defendant considers that it cannot grant the request for erasureof the complainant, given that the processing is necessary to comply with a legal obligationor to perform a task of public interest (article 17.3 of the GDPR). Clear this datawould prevent the defendant from carrying out its legal missions, which continue even afterclosing the file.14. Furthermore, the defendant adds that the complainant does not have the sole authorityparentage on his son, and that the request should therefore in principle come from both parents,who together have parental authority. She adds that the data processingcontained in the file is also necessary from an accounting point of view. Those dataare in fact used as proof of payment of certain costs ( in casu , costsinterpretation), the retention of which is necessary within the framework of the financial control exercised,in particular, by the Court of Auditors.15. The respondent also sets out a new policy that it has put in place in order tomake its practices compliant with the GDPR.16. Finally, it expresses in the alternative its arguments concerning a possible sanction andthe proportionality of it.
Page 5
Decision 55/2021 - 5/3417. It is also clear from the defendant's submissions that it sent a letter to theEthics Commission on December 23, 2019, asking it to rule urgentlyon the complaint. The response of the Ethics Commission dated January 8 is appendedto conclusions. It indicates in substance that it is not competent for the questionsrelating to the request for erasure and having informed the plaintiff's lawyers of this byemail July 5, 2019. She adds that the ethical aspects of the complaint will be in orderof the day of the meeting of January 15, 2020.18. On January 15, 2020, the Ethics Committee delivers an opinion on the complainant's request 3 .It declares that it is not competent with regard to the request for erasure orthe use by one of the parties of a document from the Y1 file in a procedure separate fromthe one responsible for the case. However, the Ethics Commission notes twoethical breaches on the part of the Y1 delegate in the way in whichinformation concerning the complainant (contained in the email of January 10) was transmittedto the mother of the child.19. In his reply submissions sent on January 28, 2020, the complainant invokes thefirst time a series of other GDPR violations (Articles 5.1.a, 5.1.f, 5.2, 6.1.a, 6.1.f, 12,13, 17 and 25). In particular, it raises the question of the basis for lawfulness of this processing, of thesecuring data, information and transparency of processing, non-compliancethe one-month period for responding to his request and the lack of precautions in thedata processing.20. On February 11, 2020, the defendant sends its summary conclusions. Beyondelements already invoked in its conclusions, it denies a violation of Articles 5 and6 and 17. In particular, it details the regulations regarding the aid program. Itfurther concedes that it did not correctly inform the complainant as to the identity of thedata controller and data protection officer. The defendantalso details the measures that are underway to improve its compliance with the GDPR.21. Subsequently, the complainant repeatedly requested a hearing before the Chamber.contentious. He wishes to present new documents at the hearing or by mailelectronic. The contentious chamber replied that his case was being processed.3 Ethics Commission, Opinion 216, January 15, 2019.
Page 6
Decision 55/2021 - 6/3422. A hearing is organized on December 14, 2020 to which both parties are invited. Theyare informed that they can submit new documents until 7December 2020.23. On December 7, 2020, the complainant sent a new document to the Chamberlitigation, as well as to the defendant. These are extracts from summary conclusionspresented by the mother of the child to the family court on March 18, 2019 in aprocedure opposing him to the complainant. The excerpts presented are largely censored andhighlighted by the complainant. There appear several references to Y1 as well as to findings orremarks that the latter would have made.24. The complainant also asks to be able to speak English during the hearing. Thisrequest is refused by the opposing party given that several of these representativesnot master this language.25. The hearing takes place on December 14 in the presence of both parties. The complainant expresses himself inEnglish. An interpreter translates into French.3) hearing26. At the hearing, apart from the arguments already put forward by the parties in their submissions,several elements were brought to the attention of the contentious chamber. These aresummaries below:- The two parties agree on the fact that the use of data from the file of theY1 by the mother of the child in the family court proceedings constitutes aviolation of the confidentiality obligation.- A first agreement on the aid program has indeed been signed between the complainant, the mother ofchild, and Y1 in September 2017. This agreement ended in September 2018.- According to the defendant, a second agreement was subsequently concluded until February 2019.This is contested by the complainant who indicates that this agreement was never concluded and that thedefendant cannot provide proof of the existence of this agreement. According to the complainant,the Y1 intervention should therefore have ended in September 2018.- According to the defendant, the file was consulted by the mother of the child.For the complainant, it is actually her lawyer.
Page 7
Decision 55/2021 - 7/34- The defendant explains the measures implemented to guarantee confidentialityfile information. Each sheet of the file contains the legislation in force on theconfidentiality. The people who consult the file are accompanied by a delegate from theY1. This information was not on the January 10, 2019 email, however, sothan it should normally be. Staff have since been reminded of this ruleof Y1.- Counsel for the defendant considers that there may be a problem ofethics in sending email. Perhaps he should have been better detailed and made areminder of the confidentiality obligation. It is therefore a problem of ethics in thecommunication, but not a GDPR issue. The delegate for the protection ofdata speaks of a "quack" and believes that there were small flaws in the mode ofoperation of the Y1, but that these faults have since been corrected. She adds thatmajor measures have been put in place to improve compliance with the GDPR and that this workcontinues, in particular on the basis of emerging problems.- Having regard to the complainant's request, the defendant closed the case after havingmet with the complainant and the mother of the child February 2019 4 .PLACEII.On the grounds for the decision1) As regards the processing of personal data in dispute and the alleged violations.27. The complaint lodged with the Data Protection Authority relates only to therequest for erasure. However, during the exchange of conclusions between the parties, thecomplainant raised possible violations of Articles 5.1.a, 5.1.f, 5.2, 6.1.a, 6.1.f, 12, 13,17 and 25 of the GDPR. The defendant had the opportunity to defend itself against theseallegations. Some of his violations were also discussed during the hearing.28. According to the terms of the complaint, the request for erasure relates to all dataof the complainant, as well as those of his son, which are contained in the databasesdata and other Y1 archives. The Contentious Chamber considers that the data onwhich make the complaint and the request for erasure are clearly identified.4 The precise contentious House that the defendant's summary conclusions indicate the 1 st April as dateclosure of the file.
Page 8
Decision 55/2021 - 8/3429. With regard to the processing of data the legality of which has been called into question by thecomplainant during the exchange of conclusions, these relate to the data contained inthe Y1 file which concerns the complainant, his son and the mother of the child. Based ondocuments in the file, the Litigation Chamber considers that this file contains in particular thetext of the agreement relating to the first aid program of September 18, 2017; email fromJanuary 10, 2019; and other information from Y1 mentioned in the extracts fromconclusions of the mother of the child of March 18, 2019 before the family court. It's aboutdocuments that have been brought to the attention of the contentious chamber, includingthe existence is proven and the treatment of which is contested on the basis of specific complaints.30. With regard to the first aid program, the Litigation Chamber notes that itsexistence is recognized by both parties. The document states that "this agreement collectsthe approval of all those concerned and is established between Ms. Z, Mr. Xand the Advisor ”. The copy of the document, provided to the contentious chamber, is signed byan Advisor. Places are provided for the signature of the mother of the child and thecomplainant. A copy of this document had been provided by the complainant to the DPA when filingof his complaint. This first aid program started on September 15, 2017 and endedno later than September 15, 2018.31. The Contentious Chamber notes that the argument relating to the existence of a second programaid closed in February 2019 is advanced by the defendant, but contested by the complainant.In the absence of any document confirming the existence and signature of this second aid program,the contentious Chamber considers that its existence has not been proven.32. The Contentious Chamber notes a certain confusion during the hearing as to the periodduring which the defendant would have continued its mission after the finalization of the firstaid program. Indeed, on this occasion, the complainant indicated on several occasions thatthe processing of his data would have continued for a year and a half after the end ofthe intervention of the defendant. However, the complainant does recognize the existence of the firstassistance program that was in effect from September 15, 2017 to September 15, 2018.activities of the defendant which are denounced by the plaintiff (in particular the meetingwhich he participated and the contact with the mother of the child by email) therefore took place four timesat most months after the end of the first aid program and not a year and a half.33. As it has had the opportunity to indicate in the past, in particular in its decision 3/2020of February 21, 2020, the Litigation Chamber recalls that the communication of data tooral personal character does not constitute data processing within the meaning of
Page 9
Decision 55/2021 - 9/34Article 4.2 of the GDPR 5 . Any transmission of information by this channel cannot therefore bebe considered by the House.34. In addition, the subsequent processing of his data by the mother of the child ( in casu , thereuse of file data to integrate them into its conclusions in the court offamily) will not be examined by the Litigation Chamber. Indeed, the complainant did notdirected his complaint against the mother of the child, but against Y1. The mother ofthe child is therefore not a party to the case. The contentious chamber cannot thereforenot to comment on this point, even if it notes that the two parties agree tosay that the use of these data by the mother of the child in her conclusions before thefamily court is contrary to the confidentiality obligation to which the documents of thedossier are submitted.35. The contentious chamber will first examine the legality of the processing ofdata. It will first look at the lawfulness of the processing (section 2). Then shewill analyze the question of the duty of information and transparency and of the transfer to third parties(section 3). Finally, it will study the issue of security and confidentiality of processing.(section 4).Secondly, it will examine the complainant's request for erasure (section 5).2) The lawfulness of the processing36. As regards the basis for lawfulness of the processing, the complainant alleges a violation ofArticles 6.1.a) and 6.1.f) and a lack of consent. The defendant justifies thelawfulness of the processing on the basis of Articles 6.1.b), c) and e). Article 6 is partially reproducedbelow :"Article 6Lawfulness of processing5 Decision on the merits 3/2020 of February 21, 2020, p. 8. ( https://www.autoriteprotectiondonnees.be/publications/decision-as to the background-n-03-2020.pdf )
Page 10
Decision 55/2021 - 10/341. Processing is only lawful if, and insofar as, at least one of the following conditions isfulfilled:a) the data subject has consented to the processing of their personal data forone or more specific purposes;b) the processing is necessary for the performance of a contract to which the data subject isparty or the execution of pre-contractual measures taken at the request of the latter;c) the processing is necessary for compliance with a legal obligation to which the controllertreatment is submitted;d) the processing is necessary to protect the vital interests of the data subjector another natural person;e) the processing is necessary for the performance of a task of public interest or falling withinthe exercise of public authority vested in the controller;f) the processing is necessary for the purposes of the legitimate interests pursued by the controllerprocessing or by a third party, unless the interests or freedoms and rightsfundamental data of the data subject which require protection of personal datapersonal, especially when the data subject is a child.Point f) of the first subparagraph does not apply to processing carried out by public authorities inthe execution of their missions.2. Member States may maintain or introduce more specific provisions to adaptthe application of the rules of this Regulation with regard to the processing with the aim of respectingpoint (c) and (e) of paragraph 1, determining more precisely the specific requirements applicableprocessing as well as other measures to ensure lawful and fair processing, including inother special processing situations as provided for in Chapter IX.3. The basis for the processing referred to in paragraph 1 (c) and (e) shall be defined by:(a) Union law; orb) the law of the Member State to which the controller is subject.
Page 11
Decision 55/2021 - 11/34The purposes of the processing are defined in this legal basis or, with regard to the processingreferred to in point (e) of paragraph 1 are necessary for the performance of a task in the public interest or falling within thethe exercise of public authority vested in the controller. This legal basismay contain specific provisions to adapt the application of the rules of this Regulation,among others: the general conditions governing the lawfulness of the processing by the controllertreatment; the types of data that are processed; the people concerned; the entitiesto which personal data may be communicated and the purposes forwhich they can be; limitation of purposes; retention periods; and operationsand processing procedures, including measures to ensure lawful and fair processing, such asthan those provided for in other specific processing situations as provided for in chapterIX. Union law or the law of the Member States meets an objective of public interest and isproportionate to the legitimate objective pursued. "37. As it has already done in other decisions, the Litigation Chamber first of all recallsthat it is the responsibility of the controller to identify a single legal basis on whichhe bases his treatment. This requirement of a basis of legality is one of the three main principles- with those of loyalty and transparency - which it is up to him to implement (article5.1.a) of the GDPR - explained in recital 39 of the GDPR). Different consequencesarising from one or the other basis of lawfulness, in particular in terms of rights fordata subjects, it is not accepted that the controller invokes one or morethe other depending on the circumstances. 638. For the Litigation Chamber, it is obvious that a public institution which, in the context ofits legal mission, intervenes at the request of the parties or of a judge, in situationsfamily in order to provide specialized assistance exercises a mission of public interest. Theconstitution of a file containing personal information on the parties involved(parents and child) constitutes data processing directly related to this missionof public interest. The respondent therefore rightly argues that the processing maybased on article 6.1.e) of the GDPR. The complainant's consent is therefore not required.for this processing to be lawful, especially since this basis of lawfulness is not claimedby the defendant.39. As regards the basis of legality of Article 6.1.b, the respondent does not explain thecontract to which it refers which would justify the disputed treatment. Bedroomlitigation may consider that the contract in question is the first aid program signed betweenthe parents of the child and the defendant. It does, however, refer to the developments in6 Decision 28/2021 of 23 March 2021, § 44.
Page 12
Decision 55/2021 - 12/34points 30 and 31 of this decision, which demonstrate that the processing continued afterthe expiration of the first program. The legal basis of Article 6.1.b is therefore notapplicable in this case.40. For that of Article 6.1.c, the defendant does not make explicit the legal obligation to whichit would be required and from which the processing in question would derive. The contentious chambertherefore cannot examine it in more detail.41. On the basis of the above elements, it appears that the data processing at issue is foundedon the basis of lawfulness provided for in Article 6.1.e). However, it is necessary to verify that theconditions provided for by this article are indeed fulfilled in the present case. Under Article 6.3.b) andof recital 45 of the GDPR, processing based on Article 6.1.e) must fulfill twoconditions:- The data controller must be entrusted with the performance of a public interest mission orwithin the exercise of public authority by virtue of a legal basis, whether in the law ofthe European Union or under the law of the Member State;- The purposes of the processing must be necessary for the performance of the public interest missionor the exercise of public authority.A legal basis42. Recital 41 clarifies the quality of this legal basis. It isreproduced below:'Where this Regulation refers to a legal basis or a legislative measure, thisdoes not necessarily mean that the adoption of a legislative act by a parliament is required, withoutprejudice to the obligations provided for under the constitutional order of the Member State concerned.However, this legal basis or legislative measure should be clear and precise and itsapplication should be predictable for litigants, in accordance with the case law of the Court ofJustice of the European Union (hereinafter referred to as the "Court of Justice") and the European Court ofhuman rights ".43. It is therefore necessary to verify that the legal basis meets the criteria imposed. This standardmust be legally binding in domestic law. It must meet the conditions defined bythe European Court of Human Rights (hereinafter ECHR) on the basis of Article 8 of theEuropean Convention on Human Rights and Fundamental Freedoms. The treatment is
Page 13
Decision 55/2021 - 13/34falling within the scope of European Union law, the legal basis mustalso comply with Articles 7 and 8 of the Charter of Fundamental Rights of the UnionEuropean Union, as interpreted by the Court of Justice of the European Union. In accordanceto this case law, the standard must be clear and precise and its application must be predictablefor litigants.44. It appears from the defendant's conclusions that it was based on two legislative textssuccessive for the exercise of its mission. The first being Decree 1 and the second being Decree2 which replaced Order before since 1 st January 2019. Both texts frame thepublic interest mission of the defendant. It is within the framework of these two decrees thatthe interactions between the complainant and the defendant take place.45. In its conclusions, the defendant develops in particular the legal framework of Decree 2,and how a royal decree and circular regulate its work. It is in particularquestion of "first contact report", of "social investigation report" whichpart of the file of the persons concerned. The defendant also details howthe right of access to this file is regulated. This legislation and entered into force on 1 st January2019, i.e. after the expiration of the first aid program. This program was thereforeregulated by Decree 1 about which the defendant has shown much lesstalkative. However, it reproduced an article of this decree, which regulates the right of access tofolder.46. 2 The decree currently being in force and that since 1 st January 2019, it is thelegislation which was applicable during the disputed actions of the defendant, andin particular the sending of the email of January 10, 2019. For these reasons the Contentious Chamberwill only review this legislation.47. For the Contentious Chamber, it therefore appears that the public interest mission hasa legal basis in national law. The contentious chamber will therefore examine whether this basislegal fulfills the requirements of the GDPR.A clear, precise and predictable legal basis48. In accordance with recital 41, this legal basis or legislative measure should beclear and precise and its application should be predictable for litigants, in accordance withto the case law of the Court of Justice of the European Union and the ECHR.
Page 14
Decision 55/2021 - 14/3449. The ECHR has in several judgments established this notion of foreseeability of the legal basis,in particular in its Rotaru 7 judgment . This judgment relating to surveillance systemsthe security apparatus of a state, its context differs somewhat from the present case. Inother cases, the ECHR has indeed indicated that it could draw inspiration from these principles, butit considers that these relatively strict criteria, established and followed in the specific contextof telecommunications surveillance are not applicable as such to allbusiness 8 .50. The Court of Justice explains in its recent judgment of 20 December 2020 “that it emerges fromArticle 52, paragraph 1, of the Charter, which allows limitations on the exercise of these rights,provided that these limitations are provided for by law, that they respect the contentessential of those rights and that, while respecting the principle of proportionality, they arenecessary and effectively meet objectives of general interest recognized by the Unionor the need to protect the rights and freedoms of others ”. 9 The Court specifies that, “formeet the proportionality requirement, regulations must provide clear rulesand precise rules governing the scope and application of the measure at issue and imposing requirementsminimum, so that the persons whose personal data areconcerned have sufficient guarantees to effectively protect thesedata against the risk of abuse. This regulation must be legally bindingin domestic law and, in particular, indicate under what circumstances and under what conditionsa measure providing for the processing of such data may be taken, thereby ensuring thatthe interference is limited to what is strictly necessary. " 1051. In its Fernandez-Martinez judgment , the ECHR recalled that the criterion of foreseeability of the lawconsists in that "the internal legislation must use terms clear enough to indicate to allsufficiently in what circumstances and under what conditions it authorizes thepublic authorities to resort to measures affecting their rights protected by the Convention". 1152. This criterion of foreseeability implies that certain elements constituting the processingregistered in the legal basis, including in particular the processing purpose. For the Chambercontentious, the central question in the present case is whether this basislegal is foreseeable with regard to its purpose. This is indeed one of the main grievances7 Eur Court. HR, May 4, 2000, Rotaru v. Romania.8 Eur. HR, September 2, 2010, Uzun v. Germany, § 66.9 Joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, ECLI: EU: C: 2020: 791, § 121.10 Ibidem, § 132.11 Eur Court. HR, June 12, 2014, Fernández Martínez v. Spain, § 117.
Page 15
Decision 55/2021 - 15/34brought by the complainant, namely that the processing of his data continued without his knowledgeand against the original purpose.53. The legal basis in question only rarely makes direct reference to the principlesof data protection law. Many essential elements of treatment do notremain nonetheless directly identifiable in the legislation. An article of decree 2 byexample defines the competent administration as "administration Y1", whichmakes it possible to identify the data controller.54. The purposes of the processing, although numerous, are developed either in the “Thefundamental principles and rights ”of the decree, or as regards the presentdossier, in Book 3. Decree 2 covers several types of activities, which constitutes apublic interest mission with a wide field of action. It necessarily follows that theprocessing carried out in this context may be numerous and pursue purposesrelatively wide. The GDPR does not preclude this type of broad normative anchoring, since it“Does not require a specific legal provision for each individual treatment. Alegal provision may be sufficient to found several processing operations based on alegal obligation to which the controller is subject or when the processingis necessary for the performance of a mission of public interest or relating to the exercise ofpublic authority. " 1255. Moreover, in its conclusions, the defendant emphasizes that the data processed in theframework of the file are for several purposes. Indeed, the defendant indicates that “thedata have been collected so that the Y1 can carry out its missions, namely not onlyimplementing assistance programs but also keeping documents relating to this assistanceprovision, in the first place, of the children concerned. " 13 . The Litigation Chamber includesof this formulation that the defendant refers to the measures provided for in Book 3 of the Decree2. The defendant adds subsequently that “the collection and processing of data in theservice information program triggers certain mechanisms, in particularaccountants. The data collected then becomes proof of payment, to whichthe Court of Auditors must have regard in the exercise of its missions ” 14 .56. It therefore appears that the processing pursues several distinct purposes. The first andmain purpose relates to the implementation of aid programs, which is one of themissions of the defendant assigned to it by decree. A second purpose that follows12 GDPR, recital 45.13 Conclusions of the defendant, p. 5.14 Ibidem, p. 7.
Page 16
Decision 55/2021 - 16/34directly from the latter, is to keep the documents relating to this assistance available tochildren concerned. Finally, a third purpose relates to the processing of data in aaccounting or archiving purposes.57. The Contentious Chamber recalls that by virtue of the documents presented to its knowledge (seepoint 30), the first aid program ended in September 2018 and the processingthe complainant's data continued after that date. The defendant says to baseon the existence, of which it cannot provide proof, of a second aid program forjustify the continuation of this treatment.58. However, it appears that the defendant continued to process personal datacontained in the file, in particular by a meeting with the complainant which gave rise tothe transmission by email of certain personal data concerning him to the mother ofchild, beyond the end of the first aid program, on September 15, 2018 (see point4). This continued processing cannot be explained by the achievement of the two purposeswhat are the keeping of documents available to the children concerned or the treatment inan accounting or archiving purpose, since the actions carried out seem to be unrelated tothese.59. The Contentious Chamber specifies that it is not competent to exercise control over thelegality in the broad sense of the actions of the defendant. In this case, it does not know if thedefendant was legally entitled, from the point of view of the law of its field of action, tocontinue its mission after the expiration of this agreement, or in the absence of conclusion of anew agreement.60. It must nevertheless be noted that the processing which continued after the finalization of thefirst program, was under the empire of decree 2, without it being able to enterin one of the three identified purposes. It follows that the legal basis constituted by the decree2 cannot be characterized as "foreseeable" since it does not allow the personconcerned, upon reading it, to know all the circumstances and conditions underwhich the defending party is authorized to process their data.61. Due to this lack of predictability, the legal basis cannot be considered as avalid legal basis within the meaning of Article 6.3 of the GDPR. The defendant cannot thereforerely on Article 6.1.e to justify the processing and it is therefore unlawful. Surebased on these elements, the Litigation Chamber finds a violation of the articles6.1.e) juncto 6.3.
Page 17
Decision 55/2021 - 17/3462. Moreover, the defendant, having communicated both in its conclusions and in itsthe hearing that the case had been closed, the contentious chamber considers thatthe data it contains can no longer be processed in relation to the main purpose.Their processing is limited to keeping documents relating to this assistance available tochildren concerned or processing for accounting or archiving purposes. In other words,the data processing is, since the date of the discontinuance of the complainant's fileby the defendant, strictly limited to the achievement of these last two purposes.3) Obligations of transparency and information63. The complainant alleges breaches of the principles of information and transparencyin several ways. On the basis of Articles 5,1a and 13,1, e), it raises a violation of the principletransparency due to the fact that he was unaware that the information contained in the Y1 filewould be transmitted to the mother of the child and her lawyer (point a). Without referring tospecific articles of the GDPR, the complainant repeatedly stressed that he believed that thefile with Y1 was closed and there was no more data processing in progress(point b). The complainant also considers that he was not informed of the identity of the person responsibleprocessing and the elements contained in Article 13.2 (point c).64. In its conclusions, the defendant describes in detail the legal provisions organizing theright of access of the persons concerned to their file within the framework of its intervention. Thisright of access is provided for in Decree 1 and Decree 2. It also indicates thatcontest the fact of not having given sufficiently clear information as to the identity of thedata controller and the Data Protection Officer. She developsat length in point 3.4 of its conclusions, the measures that have been put in place since2017 in order to adopt a digital policy and to comply with theGDPR.a) The transmission of information to the mother of the child or to her lawyer65. In his pleadings in reply, the complainant considers that he was not properly informedbecause a lot of information and personal data concerning him would betransmitted to the mother of the child, who would then have used them in her conclusions beforefamily court. The defendant considers that its data has beencollected by the mother of the child during the exercise of her right of access, which is provided for, bothin decree 1 than in decree 2.
Page 18
Decision 55/2021 - 18/3466. For the Contentious Chamber, the existence of a right of access to the documents in the file is clear.This right of access is explicitly provided for and regulated in the two aforementioned decrees.Even if this is not mentioned by the defendant, this right of access also existsunder Article 15 of the GDPR. The question examined here, however, relates to informationand transparency about this right of access vis-à-vis the complainant.67. The Litigation Chamber notes that the text of the first aid program mentionsspecifically that " persons associated with the measures taken have been informed of theirrights and obligations, in particular on the rights recognized by the articles of the said decreeand Article 1034ter of the Judicial Code ”. The mentioned article contains a first paragraph writtenas following :68. A third paragraph regulates the modalities and the cost of obtaining a copy of the file.69. The mention of this article being explicit in the text of the first aid program, theLitigation Chamber considers that the defendant has fulfilled its information obligations in this regard.regard and that the complainant was properly informed of the existence of this right.b) The fact that the treatment is still in progress70. Without relating this to a specific violation of the GDPR, the complainant criticizes itthat he had not been informed that the processing of his data was still in progressafter the closure of the first aid program in September 2018. Since the missionof the defendant's public interest involves the processing of personal data, theLitigation Chamber considers that this is a question which can be examined from the angle oftransparency and the data subject's right to information.71. This question is strongly linked to the one developed above on the subject ofpredictability of the legal basis (see point 48 et seq.). However, having no informationdemonstrating that the complainant would or would not have been clearly informed of the variousstages of processing, it cannot rule on a violation of the obligations oftransparency and information in this regard.72. The Litigation Chamber wonders, however, whether one of the parties concerned byaid program from the defendant may be so surprised by the actions of thedefendant and consider that he was not properly informed that the file wasstill open. Moreover, without it having information allowing it to know whether
Page 19
Decision 55/2021 - 19/34whether or not this has been done, the Litigation Chamber considers that the entry into force of anew legislation governing the public interest mission of the defendant during thedisputed data processing entails an obligation to inform the complainant.c) Information on the identity of the data controller and the data protection officerdata.73. The fact that the complainant was not clearly informed of the identity of the person responsible forprocessing and the data protection officer is not contested by the defendant 15 .The Contentious Chamber therefore finds a violation of Articles 13.1.a and b) onthis point.4) The security and confidentiality of the data processed by the defendant.74. The issue of data security and confidentiality is also raisedby the complainant, who considers that there has been a violation of Articles 5.1.a) and 25 of the GDPR.75. In essence, the complainant considers that there has been a breach of confidentiality obligationsand security because his personal data has been transmitted without his knowledge to the mother ofthe child and his lawyer and that he only discovered this after reading the conclusions in courtof the family. He also adds that the Y1 did not take the necessary precautions plannedin article 25.2 of the RGPD since these same people were able to have access to his datapersonal without his intervention. Likewise, it considers that the measures put in placeby the defendant are insufficient since in casu they did not prevent the use ofpersonal data in the context of other legal proceedings, when this iscontrary to its privacy policy. These allegations relate to different datapersonal data of the complainant contained in the defendant's file, such ascontained in the email of January 10, 2019, the text of the agreement relating to the first programhelp, as well as other personal data that were included in the conclusionswith the family court.76. The respondent does not respond specifically to the complaints concerning Article 25 inhis conclusions despite the fact that the complainant mentioned this article specifically. Thedata security and confidentiality was, however, the subject of an intervention by thedefendant during the hearing during which she explained the measures put in place toguarantee the confidentiality of the file (see point 26). In particular, she indicated that all15 Summary conclusions, p. 11
Page 20
Decision 55/2021 - 20/34sheets were stamped with a confidentiality clause and that this confidentiality wasfrequently reminded to those involved from the start of the procedure.77. Article 25 of the GDPR in question is reproduced below:"Article 25Data protection by design and data protection by default1. Taking into account the state of knowledge, the costs of implementation and the nature,scope, context and purposes of the processing as well as the risks, including the degree of probabilityand of varying severity, that the processing presents for the rights and freedoms of natural persons, thecontroller implements, both when determining the means ofprocessing that at the time of the processing itself, technical and organizational measuresappropriate, such as pseudonymization, which are intended to implement the principles relating todata protection, for example data minimization, effectively and to matchthe processing of the guarantees necessary in order to meet the requirements of this Regulation andprotect the rights of the data subject.2.The data controller implements the technical and organizational measuresappropriate to ensure that, by default, only personal data that isnecessary for each specific purpose of the processing are processed. This applies to thequantity of personal data collected, to the extent of their processing, to their durationconservation and accessibility. In particular, these measures ensure that, by default,personal data is not made accessible to an unspecified number of peoplephysical without the intervention of the natural person concerned.3. A certification mechanism approved under section 42 may serve as a component fordemonstrate compliance with the requirements set out in paragraphs 1 and 2 of this article. "78. As it has already established previously, for the contentious Chamber, the existence of a rightaccess of the complainant, the mother of the child and the child to the file handled by the defendantthere is no doubt. The mother of the child was therefore entitled to consult this file and evenobtain a copy, in accordance with the provisions contained in the two decrees citedpreviously and according to article 15.3 of the GDPR. In addition, certain documents in the file, fromin essence, were to be sent to the complainant and the mother of the child. It's the casein particular the agreement on the first aid program (see point 30).
Page 21
Decision 55/2021 - 21/3479. However, as recalled by the respondent, these data are considered to bebeing confidential and cannot be used in other proceedings. Both the complainantthat the defendant agree that the mother of the child used her datain a way that would be improper, given that she used them in her conclusionsin family court. As she has already mentioned, the Contentious Chamber is notnot asked to comment on the regularity or not of the data processing operated by the motherof the child (see point 34). Nevertheless, the Chamber may consider the question ofif the defendant has, as controller, implemented measurestechnical and organizational necessary to ensure respect for the rights of individualsconcerned or aimed at limiting the accessibility of personal data (article 25.2 of the GDPR).80. As it established in its decision 74/2020 of 24 November 2020, “the objective ofdata protection by design […] is to protect the rights of individualsconcerned and ensure that the protection of their personal data is specific('integrated') to the processing. What matters in this regard is that the 'appropriate measures'that a controller must take aim to ensure that the principles relating todata protection are effectively integrated so that the risks of data breachthe rights and freedoms of the persons concerned are limited. " 1681. For the examination of its complaints, the Contentious Chamber wishes to make a distinction betweenpersonal data contained in the email of January 10, 2019 (point a), those containedin the text of the aid agreement (point b) and those contained in the conclusions for thefamily court (point c). It will finally look into a possible limitation of the rightaccess to safeguard the rights of the complainant (point d).a) Personal data contained in the email of January 10, 201982. The information contained in the January 10 email undoubtedly constitutespersonal data relating to the complainant. Its data is part of the file processed by theY1. As established in section 3 above, the mother of the child, as an involved partyin the Y1 procedure, has the right to access the file.83. The Ethics Committee has issued an opinion on this matter 17 . It indicates in particular"Than a message transmitting to a parent, without any other form of contextualization ornuance, information about the attitude of the other parent, following an interview with thedelegated, is not necessarily likely to promote the development of beneficiaries16 Decision 74/2020 of 24 November 2020, § 132.17 Ethics Commission, Opinion 216, January 15, 2019.
Page 22
Decision 55/2021 - 22/34help or prevent their disruption ”which is a duty according to article 7.3 of the Code ofdeontology.84. Furthermore, the Ethics Committee considers that the message in question “betrays alack of caution in not reminding the recipient of the message of the characterconfidentiality of the information communicated and the prohibition to invoke it in a procedureseparate from that relating to the aid measure which is the subject of the dossier ”.85. Counsel for the respondent conceded that there may be a problem ofethics in sending email. Perhaps he should have been better detailed and made areminder of the confidentiality obligation. For the lawyer, it is therefore a problem ofethics in communication, but not a problem with the GDPR. Duringthe hearing, the defendant's data protection officer spoke of a "hiccup"regarding this email.86. While it is not disputed that these personal data were part of the file, to which the motherof the child had access, this does not imply that they must be transmitted to himautomatically without the knowledge of the person concerned. The fact that this transmission by aagent of the person in charge is made without reminder of the rules of confidentiality, whereas it isthe defending party of a habitual rule, infringes human rightsconcerned.87. For the reasons mentioned above, the Contentious Chamber considers that the transmission ofpersonal data of the complainant, by email, at the initiative of the defendant and withoutreminder of the rules of confidentiality violates the principle of confidentiality. Bedroomlitigation notes that this error was recognized by the defendant during the hearing.88. In addition, the Contentious Chamber notes that on this occasion, the defendant transferredof initiative to the mother of the child, personal data concerning the complainant, which does notcan by definition, cannot be understood as an exercise of the right of access, which must beexercised at the initiative of the person concerned. In the event that this information would havebeen provided to the mother of the child for the purpose of transparency, there is no reason that this sametransparency was not applied to the complainant, who did not receive a copy of the email and wasnot informed of its dispatch. The fact that an email, such as the one being examined, that informs themother of the child, unbeknownst to the complainant, the content of a conversation that the respondent hadhad with the latter an obvious problem of data confidentiality.
Page 23
Decision 55/2021 - 23/3489. For the reasons mentioned above, the Contentious Chamber concludes that the partydefendant violated article 25, §1 and 2, by not respecting the measurestechnical and organizational that it had itself put in place to ensurerespect for the rights of data subjects or those aiming to limitaccessibility of personal data .b) Personal data contained in the text of the agreement relating to the first programassistance from September 2017 to September 201890. Regarding the text of the first aid program which has already been describedpreviously (see paragraph 30), the Chamber notes that this does indeed contain a clause ofconfidentiality which recalls the possibilities of access to the file, specifying that it "does notmay be used in any procedure other than that relating to the aid measure whichthe subject of the file from which it is drawn ”. This clause seems to be present on each sheet,in accordance with what was explained by the defendant during the hearing.91. A copy of this document was provided by the complainant to the DPA when filing his complaint.The latter cannot therefore reasonably maintain that he was unaware that his information would betransmitted to the mother of the child, since she herself is a party to the agreement. It is perfectlyIt is therefore logical that she received a copy of this document for signature. Bedroomlitigation therefore finds no breach of the principle of confidentiality on this point.c) The other data from the Y1 file mentioned in the extracts from the conclusionssynthesis of the mother of the child92. The complainant also contests the transmission of additional information fromof the Y1 file and which were used in the summary conclusions of the mother ofthe child before the Family Court. The extracts from this document that the complainant broughtunder consideration by the contentious chamber are fragmentary. Several sentences seemhowever refer to the complainant. A complete sentence mentioning the complainant is legibleas a whole. Reference is made many times to the findings or comments of thedefendant. A document entitled “Y1 report of September 28, 2017” is included inthe parts inventory.93. A footnote to the extract from summary conclusions before the family courtspecifies that the elements contained in the conclusions come from the Y1 file. She isworded as follows:
Page 24
Decision 55/2021 - 24/34"The elements described herein emerge from the Y1 file (which cannot be produced butthe summary of which can be included in the conclusions) which can be consulted in their offices and which is notconfidential as Mr X claims, he could also have had access to it if he had made itrequest, the prosecution may also take cognizance of the file with a view to the hearing ofpleadings; "94. As has already been stated on several occasions, the parties' right of access to the file isclearly established in the relevant legislation, as well as in the GDPR. It is therefore normal thatthe parties, including the mother of the child, had access to the file. All these legislationsalso provide for a right to a copy of the file, which complies with the GDPR (see point68). The contentious chamber cannot therefore find a specific violation of Article 25 tothis regard.d) A possible limitation of the right of access95. The Contentious Chamber wishes, however, to make some considerations on this point.On the basis of the file, it considers that the risk of re-using the data in anotherprocedure than that before the defendant, is proven and this despite the clauses ofconfidentiality. This risk is all the greater if the request for access to the file is madeone of the parents, while the couple is in the process of divorce. In this case, themeasures put in place were insufficient since, according to both parties, confidentialitywas actually severed by the child's mother. It is for this reason thatthe complainant requested the defendant to erase his data (see paragraphs 5 and 104).In order to respond to the complainant's request, the contentious division considers that thedefendant should consider additional measures aimed at enforcingthe confidentiality clause and to reduce the risk of violation of this clause.96. It recalls in particular that article 15.4 of the RGPD provides that “The right to obtain a copyreferred to in paragraph 3 does not affect the rights and freedoms of others ”. The defendantis therefore in a position to refuse to provide a copy of documents in the file if it considers that therisk of irregular reuse of its parts is too great or if one of the parts alreadymakes use of the parts which is contrary to the confidentiality clause.97. On the other hand, in connection with the delimitation of the purposes of the processing (see point 54 et seq.) And thetransparency as to whether the processing is still in progress or not (see point70 et seq.), The Litigation Chamber considers that the precise methods of consultationshould be able to be adapted according to the precise status of the case, depending on whether it isconsidered to be open or closed.
Page 25
Decision 55/2021 - 25/3498. The contentious Chamber is of the opinion that the right of access of the mother of the child to herpersonal data contained in the file must be weighed against the right toprotection of the complainant's personal data and in particular his right to confidentialityof its data. The data of these two data subjects being inseparablymelee, it is in practice difficult to grant the first the benefit of itsright of access without infringing on the rights of the second and in particular the right to confidentialityof its data.99. Consequently, the Contentious Chamber decides that, in view in particular of the infringement ofconfidentiality of the complainant's data already established (see paragraph 89), it is necessary topriority to respect for their rights over the access rights of the mother of the child and thereforeto limit the latter.100. The Contentious Chamber nevertheless notes that in its conclusions, the defendantrefers to the reform of the right of access which was undertaken within the framework of Decree 2.It cites the explanatory memorandum to the decree which explains the considerations which led toreform of the right of access to the file in Decree 2 and reports on the requests of numerousinstitutions to strengthen this right to information and access to the file.101. In order to take these elements into account and in view of the sensitivity of the matter, the Chamberlitigation does not consider it wise to unilaterally impose on the defendant a limitationthe right of access of the mother of the child. She therefore asks the defendant to inform her ofthe feasibility of imposing such a limitation. This would consist, as long as the file is classifiedwithout follow-up, to a limitation of the right of access to the file to the only child concerned, in order topreserve the rights of the complainant, and respect for the confidentiality of his personal datastaff.102. Furthermore, as it concluded previously, the Contentious Chamber recalls that thecase having been closed without further action, it can only be processed for the remaining purposes, namelythe consultation by the child of his file and the conservation for accounting purposes orarchiving.5) The erasure request (article 17 of the GDPR)a) The right to erasure
Page 26
Decision 55/2021 - 26/34103. As mentioned above, the complainant's request for erasure relates to allpersonal data of the complainant, as well as those of his son, which would be contained inY1 databases and other archives. It is based on article 17 of the GDPR which ispartially reproduced below:"Article 17 - Right to erasure (" right to be forgotten ")1. The data subject has the right to obtain from the controller the erasure, withinas soon as possible, of personal data concerning him and the controller hasthe obligation to erase this personal data as soon as possible, when one of thefollowing grounds apply:a) the personal data are no longer necessary for the purposes for whichthey have been collected or otherwise processed;b) the data subject withdraws the consent on which the processing is based, in accordance withArticle 6 (1) (a) or Article 9 (2) (a), and there is no otherlegal basis for processing;c) the data subject objects to the processing pursuant to Article 21 (1) and there is nono compelling legitimate grounds for the processing, or the data subject objects to the processingunder Article 21, paragraph 2;d) the personal data have been processed unlawfully;e) personal data must be erased in order to comply with a legal obligation whichis provided for by Union law or by the law of the Member State to which the controlleris submitted;f) the personal data has been collected as part of the company's service offerthe information referred to in Article 8 (1).2. When he has made the personal data public and is required to erase themunder paragraph 1, the controller, taking into account the available technologies andimplementation costs, take reasonable measures, including technical ones, to informdata controllers who process such personal data that the personconcerned has requested the deletion by these controllers of any link to this dataof a personal nature, or any copy or reproduction thereof.
Page 27
Decision 55/2021 - 27/343. Paragraphs 1 and 2 do not apply insofar as this processing is necessary:a) to exercise the right to freedom of expression and information;b) to comply with a legal obligation which requires the processing provided for by Union law or bythe law of the Member State to which the controller is subject, or to perform a taskof public interest or relating to the exercise of public authority vested in the person responsible fortreatment;[…] "104. The complainant first requests this request for erasure, because of the faultethics, which according to him was committed 18 .105. In response to this complaint, the defendant considers in its submissions that it cannotgrant the complainant's request for erasure since their data is necessary tocomply with a legal obligation or perform a task of public interest, as provided forArticle 17.3.b).106. The defendant points out that the data were collected by the Y1 inthe purpose of carrying out its missions. In the interests of the children, these documents should be keptin order to be able to trace the course of the file within the services. Delete this datawould amount to preventing the defendant from carrying out its duties and would deprive certainchildren who have reached the age of majority have the right to access documents concerning them.107. The defendant cites in this connection an article of Decree 2 which is reproduced below:108. According to the defendant, this data retention is sometimes the only wayfor some children to understand their life course and have access to informationconcerning their childhood. She adds that this access to the file must be possible "at alltime ”including after the closing of the files and the assumptions made inenforcement of the Code.109. In addition, the defendant adds that the complainant does not have the sole authorityparent on his son and that the request should therefore in principle come from both parents18 Complainant's letter of June 14, 2019.
Page 28
Decision 55/2021 - 28/34who together have parental authority. She adds that the data processingcontained in the file is also necessary for the other two purposes (accountingand archiving. See point 54 et s).110. In his submissions in response, the complainant indicates that he is making his request for erasurefor the following reasons :- The data is no longer required as the first aid program isclosed (article 17.1.a) of the GDPR),- He withdraws his consent on which he considers that the processing is based (article 17.1.b) ofGDPR),- The data has been the subject of unlawful processing given the obvious violation ofconfidentiality to which they would have been subject (article 17.1.d) of the GDPR).111. He also emphasizes that the consent of both parents with parental authorityis necessary to process his son's data. Withdrawal of parental consent,therefore results in a lack of valid consent for the processing.112. He adds that the Y1 did not provide any effective assistance, and that its intervention was limited tonotification of a relative agreement for the first aid program of September 18, 2017 and thatthere was no concrete action on the part of the defendant. He therefore wonders aboutthe interest his son would have in consulting his archives in the future, given that he has neverbeen in contact with the defendant. He concludes that nothing prevents the gamedefendant to anonymize the data if it wishes to keep them for statistical purposes.113. In its pleadings in reply, the defendant responds to the complainant by pointing outthat the beneficiary of the right to consultation is the child himself and that the decision towhether or not to consult the archives is up to him. The fact that the complainant considers it unlikely that hisson consults the archives one day cannot, according to the defendant, justify erasing thedata.114. For the Contentious Chamber, it is therefore a question of examining two different questions. Thefirst question is whether the complainant alone can request the erasure of thepersonal data of his son. The second concerns the applicability of the article17.3.b) in the present circumstances, as claimed by the defendant. Indeed,this article specifies that "paragraphs 1 and 2 do not apply insofar as thistreatment is necessary:[…]
Page 29
Decision 55/2021 - 29/34b) to comply with a legal obligation which requires the processing provided for by the law ofthe Union or by the law of the Member State to which the controller is subject,or to carry out a mission of public interest or relating to the exercise of authoritythe public vested in the controller; "The application of article 17.3.b makes it impossible for the complainant to invoke articles 17.1 a,b and d).115. The first question concerns the exercise of the right to erasure of the son's data by hisfather (the complainant). The defendant argues in this regard that, not being the only holderparental authority over his son, the complainant cannot alone exercise the right to erasurefor their personal data. The consent of both parent parentsspouses of parental authority, would be necessary for the exercise of this right. The complainantargues that the consent of both parents is required for data processingpersonal information concerning his son. Withdrawing the consent of one of the parents therefore makes thisconsent lapsed. This withdrawal of consent therefore allows the exercise of the right toerasure on the basis of article 17.1.b.116. For the contentious Chamber, the question of consent as a basis of legality and, byTherefore, the exercise of the right to erasure on the basis of article 17.1.b must be distinguishedthe question of the valid exercise, by a parent, of the right to erasure of the data of achild.117. In the present case, as has been developed previously, the processing of datacarried out by the defendant is not based on the consent of the data subject,but of course on article 6.1.e) (see point 38). The contentious chamber will therefore examineonly the question of the valid exercise, by a parent, of the right to erasure for theaccount of a child.118. This question is of particular importance in the case of the right to erasure. Indeed, atUnlike the other rights provided for in Articles 15 to 22, the right to erasure is exhausted byhis exercise. It also results in the subsequent impossibility of exercising the other rights provided for.to Articles 15 to 22, since these require the processing of personal data, whichhave been erased by exercising the right provided for in Article 17. The right to erasure is, ofby its very essence, disposable and definitive. These two characteristics therefore requireto exercise a certain vigilance when a person with parental authorityclaims to exercise this right on behalf of a minor.
Page 30
Decision 55/2021 - 30/34119. In view of these characteristics, the Litigation Chamber considers that the exercise of the right tothe erasure of a minor's data belongs first and foremost to the minor himself, asthat person concerned 19 . If this minor data subject does not have thesufficient discernment to exercise this right, it can be exercised by the holders ofparental authority. This exercise must be carried out in accordance with the rules relating to authority.parental and exclusively in the interests of the child.120. The Contentious Chamber notes in the present case that the request for erasure is notnot exercised by the child, but by his father. It appears from the documents in the file that the fatherexercises this request alone, that is, without the approval of the mother of the child, who seemsbe the joint holder of parental authority. The complainant does not justify how thiserasing the data would be in his son's best interest. It does not appear that the conditionsexercise of the right of erasure by one of the parents, on behalf of the child, are metin this case.121. Since the complainant's request related not only to his son's data,but also on their own personal data, this request must be examined morein detail on this last point. With this in mind, the Litigation Chamber must examinethe applicability of the exception provided for in Article 17.3 to the present case.122. As it has already, developed previously (see point 38), for the Contentious Chamber,the defendant exercises a mission of public interest. The constitution of a file containingpersonal information about the parties involved (parents and child) is aprocessing of data directly related to this public interest mission within the meaning of Article17.3.b. The erasure of his data would constitute a clear interference with the exercise of the missionpublic interest of the defendant, since it would no longer allow him to havean antecedent on the situation of the families who were the subject of a follow-up by this service. Theseantecedents are essential for the defendant to have a correct image ofthe family situation of the people she cares for. In general, it is not excludedthat the defendant be seized with the same family situation several years after afirst intervention. The erasure of the data of a data subject during thefirst intervention would seriously undermine the ability of Y1 to carry out its missionof public interest in a correct manner.19 Article 17.1 of the GDPR begins in effect as follows: "The data subject has the right to obtain from the data controllerprocessing the erasure, as soon as possible, of personal data concerning him ” (this is the Chamber oflitigation which underlines).
Page 31
Decision 55/2021 - 31/34123. It follows that, due to the application of Article 17.3.b, the complainant cannot invokea reason provided for in article 17.1 or 17.2 for requesting the erasure of data concerning him.b) The response time from the data controller124. The complainant also considers that the controller did not respond to hisrequest for erasure only after a period of 6 months and the sending of an email (May 9, 2019) andtwo letters from lawyers (the first of which was sent on June 14, 2019), which would be contrary toArticle 12.3 of the GDPR which establishes a maximum period of one month.125. The defendant argues for its part that the Ethics Commission is aindependent commission whose mission is to give opinions on ethicsin this sector. Since the request for erasure has, according to the defendant, notwas made to the right person, she was not able to book him auseful continuation.126. The Contentious Chamber notes that the two requests for erasure sent byletters were directed to the Ethics Committee 20 . She replied to the lawyersof the complainant on 5 July 2019, declaring that he did not consider himself competent to respond to thecomplainant's request and not being competent for the erasure request (see point 6and note 2).127. The Contentious Chamber considers that a person concerned cannot be expected tosystematically directs to the person designated within an institution to exercise theirrights. This does not exclude, however, that it must move towards the institution which is indeed thecontroller.128. The Chamber considers that this condition is not necessarily fulfilled in casu , sincethat the complainant went to an ethics committee which was probably notnot responsible for the processing and which indicated on July 5, that is to say within a shorter periodone month after the first letter, not be competent to examine the requesterasure of the complainant.The Contentious Chamber cannot therefore find a violation of Article 12.4 on this point.20 Not having had access to the email of May 9, 2019, the Contentious Chamber cannot examine its content and does not know whether it containedalready a request for erasure. On this subject, see notes 1 and 2, above. In addition, in its letter of January 8, 2020, theEthics Commission indicates that this email did not contain a request for deletion. The first certain date forthe request for erasure must therefore be considered as being that of the first letter sent on June 14, 2019.
Page 32
Decision 55/2021 - 32/34129. The Contentious Chamber notes, however, that the sending of two different emails,respectively to the complainant and his lawyers, the second of which contained a response as todemand for erasure, but not the first, is certainly not likely to facilitate theunderstanding by the complainant of the follow-up to his file.130. The Litigation Chamber also considers that breaches of the duty to informand transparency noted in point 73 of this decision have largely contributed to thecauses the complainant to be directed to the wrong institution. Correct information atsubject of the identity of the data controller and the data protection officerwould no doubt have facilitated the complainant's exercise of his rights.6) Regarding corrective measures and sanctions131. Under article 100 LCA, the Litigation Chamber has the power to:1 ° dismiss the complaint;2 ° order the dismissal;3 ° pronounce a suspension of the pronouncement;4 ° propose a transaction;5 ° issue warnings or reprimands;6 ° order compliance with the requests of the person concerned to exercise these rights;7 ° order that the person concerned be informed of the security problem;8 ° order the freezing, limitation or temporary or definitive prohibition of processing;9 ° order that the processing be brought into conformity;10 ° order the rectification, restriction or erasure of the data and the notification thereofci to data recipients;11 ° order the withdrawal of accreditation of certification bodies;12 ° give periodic penalty payments;13 ° issue administrative fines;14 ° order the suspension of transborder data flows to another State or ainternational body;15 ° send the file to the public prosecutor's office in Brussels, who informs them of the consequencesdata on file;16 ° decide on a case-by-case basis to publish its decisions on the website of the Protection AuthorityDatas.132. The Contentious Chamber recalls that under article 221.2 ° of the Law of July 30, 2018on the protection of individuals with regard to the processing of personal data
Page 33
Decision 55/2021 - 33/34personal character, it cannot impose a fine on the defendant, since it isa public authority within the meaning of article 5.1 ° of the same law.133. On the basis of the elements developed above, the Litigation Chamber noted aviolation of articles 6.1.e) juncto 6.3, 13.1.a and b), as well as articles 25.1 and 25.2 ofGDPR.134. With regard to the violation of Articles 6.1.e) juncto 6.3, the Contentious Chamber isaware of the fact that the defendant is under an obligation to continue these missionslegal in its field of action. It considers that the defendant cannot beheld responsible for the shortcomings of the legal basis which imposes on it or invests it in certainmissions. With the aim of not disproportionately disrupting the pursuit of aessential public service mission, the Litigation Chamber decides not to ordersuspension or interruption of treatment, as permitted by article 100, §1, 8 ° of theLCA.135. It nevertheless considers that bringing the basis of lawfulness into conformity is essentialso that it meets in particular the predictability criteria developed above (see points48 and s.). For this reason, the Data Protection Authority will contact for this purposewith the legislator and / or the government of the federated entity.136. The violations of Articles 13.1.a and b) were clearly recognized by the partydefendant. The contentious chamber is not in a position to determine whether this violationconcerned only the complainant or if it concerned all the persons concerned intowards whom these articles should be respected.137. The Contentious Chamber also found a clear violation of Articles 25.1 and 25.2of the GDPR. It notes, however, that the defendant acknowledged that the processinghad not been the subject of the necessary technical and organizational measures. According todefendant, this problem was recognized as such and the necessary measures weretaken.138. In conclusion of the foregoing, and in view of all the circumstances of the case, the ChamberLitigation considers that the reprimand (i.e. the call to order referred to in Article 58.2.b) of the GDPR)is in this case, the effective, proportionate and dissuasive sanction which is necessary with regard to thedefendant 21 .21 As it has already had the opportunity to specify in several decisions, the Contentious Chamber recalls here thatthe warning sanctions a breach which is likely to occur: see. Article 58.2.a) of the PDR in this regard.
Page 34
Decision 55/2021 - 34/34139. Following up on what she explained previously (see paragraph 95 et seq.), She also asksthe defendant to inform him of the feasibility of imposing, as long as the complainant's fileis closed without action with the defendant, of a limitation of the right of access to the fileto the only child concerned, in order to preserve the rights of the complainant, and respect for theconfidentiality of his personal data.7) Publication of the decision140. In view of the importance of transparency in the decision-making processand the decisions of the Litigation Chamber, this decision will be published on the website ofthe Data Protection Authority by deleting identification datadirect from the parties and the named persons, whether natural or legal.FOR THESE REASONS,the Contentious Chamber of the Data Protection Authority decides, after deliberation of:- issue a reprimand against the defendant on the basis of article100.1, 5 ° LCA, for violations of articles 13.1.a and b), as well as articles 25.1and 25.2 of the GDPR;- dismiss the complaint for other aspects without further action on the basis of article 100.1,1 ° LCA.Under Article 108 § 1 LCA, this decision may be appealed against to the Court ofcontracts (Brussels Court of Appeal) within 30 days of its notification, withthe Data Protection Authority as respondent.(Sé) Hielke HijmansPresident of the Litigation Chamber