APD/GBA (Belgium) - 25/2024: Difference between revisions

From GDPRhub
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 63: Line 63:
}}
}}


The Belgian DPA issued a warning against a controller for failing to provide clear information under Article 13 to the data subject.
The Belgian DPA issued a warning against a controller for failing to provide clear information under [[Article 13 GDPR|Article 13]] to the data subject.


== English Summary ==
== English Summary ==
Line 70: Line 70:
On 18 December 2023, a data subject filed a complaint with the Belgian DPA (“APD”) against two controllers, regarding the storage and retention of personal data in a beneficial ownership register (“UBO register”). Two controllers were concerned: the first controller was the Federal Department of Finance who processed data in order to prevent money laundering and operated the modalities of the UBO register and the second controller was a company who had a legal obligation to declare a beneficial owner under Belgian law.
On 18 December 2023, a data subject filed a complaint with the Belgian DPA (“APD”) against two controllers, regarding the storage and retention of personal data in a beneficial ownership register (“UBO register”). Two controllers were concerned: the first controller was the Federal Department of Finance who processed data in order to prevent money laundering and operated the modalities of the UBO register and the second controller was a company who had a legal obligation to declare a beneficial owner under Belgian law.


From 13 July 2023 to 27 August 2023, the data subject was added as a beneficial owner of a non-profit organization. He was informed of this registration in the UBO register on 13 July 2023. The data subject claimed that he was not a beneficial owner and that the registration was in error.
From 13 July 2023 to 27 August 2023, the data subject was added as a beneficial owner for the second controller. He was informed of this registration in the UBO register on 13 July 2023. The data subject claimed that he was not a beneficial owner and that the registration was in error.


On 10 August 2023, the data subject asked to be removed from the UBO register. The first controller confirmed that the data subject was no longer registered as a beneficial owner. On 24 November 2023, the second controller informed him that his personal data would be completely removed from the UBO register.
On 10 August 2023, the data subject asked to be removed from the UBO register. The first controller confirmed that the data subject was no longer registered as a beneficial owner. On 24 November 2023, the second controller informed him that his personal data would be completely removed from the UBO register.


The data subject considered that he did not receive a clear explanation from the second controller as to how it was possible for him to be registered.
The data subject considered that the second controller did not provide clear information as to how it was possible for him to be registered.


=== Holding ===
=== Holding ===

Latest revision as of 13:30, 14 February 2024

APD/GBA - 25/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(d) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 05.02.2024
Published:
Fine: n/a
Parties: Federale Overheidsdienst Financiën
National Case Number/Name: 25/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD (in NL)
Initial Contributor: nzm

The Belgian DPA issued a warning against a controller for failing to provide clear information under Article 13 to the data subject.

English Summary

Facts

On 18 December 2023, a data subject filed a complaint with the Belgian DPA (“APD”) against two controllers, regarding the storage and retention of personal data in a beneficial ownership register (“UBO register”). Two controllers were concerned: the first controller was the Federal Department of Finance who processed data in order to prevent money laundering and operated the modalities of the UBO register and the second controller was a company who had a legal obligation to declare a beneficial owner under Belgian law.

From 13 July 2023 to 27 August 2023, the data subject was added as a beneficial owner for the second controller. He was informed of this registration in the UBO register on 13 July 2023. The data subject claimed that he was not a beneficial owner and that the registration was in error.

On 10 August 2023, the data subject asked to be removed from the UBO register. The first controller confirmed that the data subject was no longer registered as a beneficial owner. On 24 November 2023, the second controller informed him that his personal data would be completely removed from the UBO register.

The data subject considered that the second controller did not provide clear information as to how it was possible for him to be registered.

Holding

Firstly, Article 5(1)(d) GDPR states that the controller must take all reasonable steps to ensure that the data is accurate and up-to date in view of the purposes for which they are processed. If the data is inaccurate, the controller must erase or rectify it. The APD considered that the first controller did in fact comply with this obligation since they informed the data subject by email that his data would be completely removed from the UBO registry so that his name would no longer appear in the history of changes.

Secondly, under Article 13 GDPR, the controller must deliver certain information regarding the processing to the data subject. In this case, the APD considered that not all essential information was communicated to the data subject, in particular the legal basis, the recipients, whether the data subject could invoke his rights or what retention period would apply. Therefore, the APD considered that the second controller failed to comply with its duty to provide information under Article 13 GDPR.

The APD thus dismissed the complaint to the extent it related to the first controller, and issued a warning to the second controller for failing to fulfill its duty to provide information.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/8



                                                                          Dispute Chamber


                                                 Decision 25/2024 of February 5, 2024


File number: DOS-2023-05153


Subject: Incorrectly storing a data subject as “ultimate beneficial owner” in the

UBO register by the person responsible for providing information



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:



Complainant: X, hereinafter “the complainant”


The defendants: the Federal Public Service Finance, Koning Albert II laan box 1, 1030

                   Schaerbeek, hereinafter “the first defendant”


                   and


                   Y, hereinafter “the second defendant” Decision 25/2024 — 2/8


I. Facts and procedure


 1. On December 18, 2023, the complainant will submit a complaint to the Data Protection Authority

       against the first and second defendants.

 2. The subject of the complaint concerns the storage and retention of personal data

       the complainant in the register for ultimate beneficial owners (hereinafter, the 'UBO register'). Between

       October 2022 and August 2023, the complainant played a supporting role in the second

       defendant. He was taken by the legal representative of the second defendant
       added to the UBO register as the final beneficiary of the aforementioned non-profit organization

       the period from July 13, 2023 to August 27, 2023. On July 13, 2023, the complainant received a

       notification from the first defendant that he had been registered in the UBO register

       as the beneficial owner of the second defendant. Since the complainant has no

       was the ultimate beneficiary, it was an incorrect registration.

       On August 10, 2023, the complainant asked the second respondent to be struck off

       of the UBO register. The second defendant confirmed that the complainant no longer

       was registered in the UBO register as the ultimate beneficiary.

       On November 24, 2023, the first respondent informed the complainant that the

       personal data of the latter would be completely removed from the UBO

       registry.

 3. The complainant states that he “has not received a clear explanation from UBO as to how they got me

       can register”, and that “the registration system does not guarantee that persons

       be wrongly added to the UBO register.” He further states that “The release of

       my personal data to register in the UBO register [...] without that
       the necessary requirements have been met for this […]” was a violation of his “privacy”.


 4. On January 3, 2024, the complaint will be declared admissible by the First Line Service on the basis

       of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
       transferred to the Disputes Chamber.



II. Justification


 5. The elements in the present case concern two different ones

       controllers. This decision is therefore divided into two parts.

Regarding the processing of incorrect data by the first defendant:


 6. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis
       of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG

       assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case Decision 25/2024 - 3/8



       the Disputes Chamber will dismiss the complaint in accordance with Article 95,

       § 1, 3° WOG, based on the following justification.

 7. If a complaint is dismissed, the Disputes Chamber will make its decision

       to motivate gradually and:


            - to issue a technical dismissal if the file does not exist or is insufficient

                contains elements that could lead to a conviction, or if there is insufficient

                there is a prospect of a conviction due to a technical obstacle,

                which prevents her from reaching a decision;


            - or declare a policy rejection, if despite the presence of elements

                that could lead to a sanction, the continuation of the investigation

                dossier does not seem appropriate in the light of the priorities of the
                Data Protection Authority, as specified and explained in the

                dismissal policy of the Disputes Chamber. 2


 8. In the event of dismissal on more than one ground, the grounds for dismissal (resp.

       technical dismissal and policy dismissal) should be treated in order of importance. 3


 9. In the present file, the Disputes Chamber will dismiss the complaint,

       based on technical considerations. There is one motive at the basis of the

       decision of the Disputes Chamber as to why it considers it undesirable to take further action

       to the file and therefore decides not to proceed with, inter alia, a hearing at

       ground.

 10. The relevant processing of the complainants' personal data by the first respondent

       took place in the context of the obligations owed to the second defendant

       according to the Act of 18 September 2017 on the prevention of money laundering and the

       financing of terrorism and limiting the use of cash, and the Royal

       decision of 30 July 2018 regarding the operating modalities of the UBO register.


 11. The second defendant is an information officer as referred to in Article 2, 1° of the

       Royal Decree of July 30, 2018. In accordance with articles 74 and 75 of the Law of 18

       September 2017, and Article 3 §2 of the Royal Decree of 30 July 2018, “all

       reporting agents, who are a non-profit association, an international

       non-profit association or foundation, to the register electronically

       the [referred to in Article 3 §2, 1° to 13°] information about each of their final



1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18.
2
 In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber. Decision 25/2024 — 4/8


      beneficiaries participate […]”. In the present case, the legal person responsible for

      the second defendant registered the complainant in the UBO register as “ultimate

      beneficiary” of the second defendant for the period from July 13, 2023 to August 27

      2023.


12. Article 4, 27° of the law of 18 September 2017 defines “beneficial owners”

      however, as “the natural person(s) who is/are the ultimate owner of or
      has (have) control over the client, the client's agent or the beneficiary

      of life insurance contracts and/or the natural person(s) for whom

      account a transaction is carried out or a business relationship is entered into.”


      The plaintiff has never been a “beneficial beneficiary” of the second defendant. As

      was also established by the first defendant in his email dated 24 November 2024

      the complainant was therefore incorrectly registered in the UBO register as the ultimate beneficiary of the
      second defendant.


13. In accordance with Article 5(1)(d) GDPR, the controller must make all reasonable efforts

      take measures to ensure that the data is correct and up to date in view of the

      purposes for which they are processed. Data that is not, should be

      deleted or corrected. Article 21 of the Royal Decree of 30 July 2018 provides

      in addition the following:

              “The reporting agent must, under his sole responsibility, keep the information in his own files
              registered incorrect data with regard to its ultimate beneficiary and correct or to

              delete in accordance with Article 5, paragraph 1, d) of Regulation 2016/679 and these amendments without delay

              to be communicated to the register.”

14. The plaintiff's incorrect registration was established when the first defendant contacted the plaintiff

      informed by email on July 13, 2023 that he was registered as a final

      beneficiary of the second defendant. This email gave the complainant the opportunity

      to question registration. In his email on November 24, 2023, the first explains

      defendant that automatic notification of data subjects who are registered as

      ultimate beneficiaries, thus providing a mechanism to avoid incorrect registrations.

15. In accordance with Article 21 of the Royal Decree of 30 July 2018, the

      information officer, being the second defendant, responsible for the improvement or

      deletion of incorrect data recorded in its own files with

      with regard to its ultimate beneficiaries. The first defendant therefore indicated the

      complainant initially receives the following instructions:

              “You will have to contact the non-profit organization and inform them that they should remove your name.

              You may inform them that they should contact the UBO register because their file is not

              is complete.” Decision 25/2024 – 5/8


     The complainant states in his complaint that he contacted the second respondent, and that

     the latter confirmed on September 4, 2023 that the complainant was removed from the UBO register

     deleted.

16. With regard to the first defendant, the Disputes Chamber notes that on November 24

     2023 informed the complainant by email that his data was “completely” from the UBO register

     would be removed so that his name would no longer appear in the history of the

     amendments of the second defendant. On this basis, the Disputes Chamber determines that:
     the first defendant has taken reasonable measures in accordance with Article 5.1, d) GDPR

     taken to “the personal data that, taking into account the purposes for which they are used

     processed, are incorrect, be deleted without delay”.

17. The Disputes Chamber therefore decides that the first defendant has not committed an infringement

     to Article 5.1, d) GDPR. Thus, the complaint is valid to the extent it relates to the

     the first defendant is manifestly unfounded within the meaning of Article 57.4 GDPR.

Regarding the information obligation of the second defendant:


18. However, the Disputes Chamber notes that the complainant indicates that he was not aware

     of the purpose of the collection and processing of his data by the second
     defendant. After all, the factual elements show that the second defendant is the complainant

     only mentioned in passing that the collection of his national register number was for the purpose

     “add to the UBO register”.

19. Based on Article 13 GDPR, the controller has, in this case, the

     second defendant has an obligation to provide information to the data subject. When the

     data is collected directly from the data subject, he must be informed

     be brought from both those referred to in paragraphs 1 and 2 of Article 13 of the GDPR

     elements, in particular: the identity and contact details of the

     controller and, where applicable, the contact details of the
     data protection officer; the processing purposes for which the

     personal data are intended, as well as the legal basis for the processing; the recipients

     or categories of recipients of the processing; the intention of the

     controller for the data outside the European Economic Area

     to pass on; the period during which the personal data will be stored
     stored; the rights of the data subject under the GDPR, including the right to

     to file a complaint with a supervisory authority, or the provision of

     personal data is a legal or contractual obligation or a necessary one

     condition for concluding an agreement, and what the possible consequences are when

     this information is not provided; and the existence of automated

     decision-making, including profiling referred to in Article 22 of the GDPR. The
     The Disputes Chamber has further determined that the person concerned must be able to determine in advance Decision 25/2024 - 6/8


       what the extent of the consequences of the processing are, so that it is not relevant at a later stage

       surprises arise with the way his personal data has been used. The

       information must be concrete and reliable, should not be abstract or ambiguous

       terms are formulated and should not leave room for differences

       interpretations. In particular, the purposes and legal basis for the processing

       of personal data are clear.

 20. Moreover, Article 21 of the Royal Decree of 30 July 2018 specifies in this case

       what information the reporting agents must provide to their ultimate beneficiaries

       communicate. This information contains the obligation of the reporting agents to:

       to communicate relevant data to the register; the registration, processing and

       keeping this data in the register; the name and address of the service within

       the Treasury Administration is responsible for managing the register; the

       access to the register for the purposes referred to in Articles 6 and 7 of the Royal Decree

       listed entities and persons; the rights of the ultimate beneficial owner such as

       provided for in Articles 12 to 22 and 34 of the GDPR; and the retention period of the data in the register

       stored data.

 21. In the present case, the Disputes Chamber notes that not all essential information

       was communicated to the complainant. The factual elements show that the information that

       provided to the complainant was limited to the following email dated June 23, 2023 from the

       legal responsibility of the second defendant to the complainant and two others

       those involved:

               “[…] I still have to add you to the UBO register.

               For this I need your national number.

               Thank you for delivering this.”


       For example, it was not clear from this email for what purpose the data was processed

       would be, on the basis of which legal basis this would happen, who the recipients would be
       that the data subject could rely on his rights set out in Articles 12 to 22 and 34

       of the GDPR, or which retention period would apply.


 22. In view of the foregoing, the Disputes Chamber decides that the second defendant is

       information obligation in accordance with Article 5.1a) GDPR, in conjunction with Article 13 GDPR has not been fulfilled.

 23. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations

       order of the GBA, the parties can request a copy of the file. If one

       both parties wish to make use of the opportunity to consult and






4See also Decision on the merits 41/2020 of 29 July 2020, available on the website of the GBA Decision 25/2024 — 7/8



       copying the file, he or she must contact the secretariat of the
       Disputes Chamber, preferably via litigationchamber@apd-gba.be.



III. Publication and communication of the decision


 24. Considering the importance of transparency with regard to decision-making

       Dispute Chamber, this decision will be published on the website of the

       Data Protection Authority. On the other hand, it is not necessary that the

       identification details of the complainant and the second respondent directly

       announced. The identity of the first defendant is stated in view of his identity

       unavoidable identification as being responsible for the UBO register.


 25. In accordance with its deposit policy, the Disputes Chamber will issue the decision to the respondents
       to transfer . After all, the Disputes Chamber has decided to dismiss its decisions

       ex officio to the defendants. However, the Dispute Chamber decided not to do so

       such notification where the complainant has requested anonymity

       of the defendants and the notification of the decision to the defendants, even if

       it is pseudonymised, nevertheless makes it possible to contact the complainant

       (re)identify . However, this is not the case in the present case.




    FOR THESE REASONS   ,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


        - the complaint to the extent to which it relates to the first defendant

            to be dismissed on the basis of Article 95, § 1, 3° of the WOG, in view of the fact that

            no infringement of the GDPR can be established in this regard; and

        - to formulate a warning on the basis of Article 95, § 1, 4° of the WOG

            against the second defendant for failing to fulfill his obligation to provide information.



Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice, an appeal against this decision will be filed with the Market Court (court of

appeal Brussels), with the Data Protection Authority as defendant.


Such an appeal can be lodged by means of an inter partes petition
must contain statements listed in Article 1034ter of the Judicial Code. It




5Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this?
of the dismissal policy of the Disputes Chamber.
6
 Ibid.
7The petition states, under penalty of nullity:
 1° the day, month and year; Decision 25/2024 — 8/8


an objection petition must be submitted to the registry of the Market Court

in accordance with Article 1034quinquies of the Dutch Civil Code. , 8 or via e-Deposit


IT system of Justice (Article 32ter of the Judicial Code).

To enable the complainant to consider other possible remedies, the

                                                                          9
Disputes Chamber will refer the complainant to the explanation in its dismissal policy.






 (get). Hielke H IJMANS


 Chairman of the Disputes Chamber
















































 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or

     company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
     summoned;
 4° the subject matter and brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.
8
 The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved.
deposited with the clerk of the court or at the registry.
9
 Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.