APD/GBA (Belgium) - 25/2024: Difference between revisions
mNo edit summary |
(→Facts) |
||
Line 70: | Line 70: | ||
On 18 December 2023, a data subject filed a complaint with the Belgian DPA (“APD”) against two controllers, regarding the storage and retention of personal data in a beneficial ownership register (“UBO register”). Two controllers were concerned: the first controller was the Federal Department of Finance who processed data in order to prevent money laundering and operated the modalities of the UBO register and the second controller was a company who had a legal obligation to declare a beneficial owner under Belgian law. | On 18 December 2023, a data subject filed a complaint with the Belgian DPA (“APD”) against two controllers, regarding the storage and retention of personal data in a beneficial ownership register (“UBO register”). Two controllers were concerned: the first controller was the Federal Department of Finance who processed data in order to prevent money laundering and operated the modalities of the UBO register and the second controller was a company who had a legal obligation to declare a beneficial owner under Belgian law. | ||
From 13 July 2023 to 27 August 2023, the data subject was added as a beneficial owner | From 13 July 2023 to 27 August 2023, the data subject was added as a beneficial owner for the second controller. He was informed of this registration in the UBO register on 13 July 2023. The data subject claimed that he was not a beneficial owner and that the registration was in error. | ||
On 10 August 2023, the data subject asked to be removed from the UBO register. The first controller confirmed that the data subject was no longer registered as a beneficial owner. On 24 November 2023, the second controller informed him that his personal data would be completely removed from the UBO register. | On 10 August 2023, the data subject asked to be removed from the UBO register. The first controller confirmed that the data subject was no longer registered as a beneficial owner. On 24 November 2023, the second controller informed him that his personal data would be completely removed from the UBO register. | ||
The data subject considered that | The data subject considered that the second controller did not provide clear information as to how it was possible for him to be registered. | ||
=== Holding === | === Holding === |
Latest revision as of 13:30, 14 February 2024
APD/GBA - 25/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(d) GDPR Article 13 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 05.02.2024 |
Published: | |
Fine: | n/a |
Parties: | Federale Overheidsdienst Financiën |
National Case Number/Name: | 25/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD (in NL) |
Initial Contributor: | nzm |
The Belgian DPA issued a warning against a controller for failing to provide clear information under Article 13 to the data subject.
English Summary
Facts
On 18 December 2023, a data subject filed a complaint with the Belgian DPA (“APD”) against two controllers, regarding the storage and retention of personal data in a beneficial ownership register (“UBO register”). Two controllers were concerned: the first controller was the Federal Department of Finance who processed data in order to prevent money laundering and operated the modalities of the UBO register and the second controller was a company who had a legal obligation to declare a beneficial owner under Belgian law.
From 13 July 2023 to 27 August 2023, the data subject was added as a beneficial owner for the second controller. He was informed of this registration in the UBO register on 13 July 2023. The data subject claimed that he was not a beneficial owner and that the registration was in error.
On 10 August 2023, the data subject asked to be removed from the UBO register. The first controller confirmed that the data subject was no longer registered as a beneficial owner. On 24 November 2023, the second controller informed him that his personal data would be completely removed from the UBO register.
The data subject considered that the second controller did not provide clear information as to how it was possible for him to be registered.
Holding
Firstly, Article 5(1)(d) GDPR states that the controller must take all reasonable steps to ensure that the data is accurate and up-to date in view of the purposes for which they are processed. If the data is inaccurate, the controller must erase or rectify it. The APD considered that the first controller did in fact comply with this obligation since they informed the data subject by email that his data would be completely removed from the UBO registry so that his name would no longer appear in the history of changes.
Secondly, under Article 13 GDPR, the controller must deliver certain information regarding the processing to the data subject. In this case, the APD considered that not all essential information was communicated to the data subject, in particular the legal basis, the recipients, whether the data subject could invoke his rights or what retention period would apply. Therefore, the APD considered that the second controller failed to comply with its duty to provide information under Article 13 GDPR.
The APD thus dismissed the complaint to the extent it related to the first controller, and issued a warning to the second controller for failing to fulfill its duty to provide information.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8 Dispute Chamber Decision 25/2024 of February 5, 2024 File number: DOS-2023-05153 Subject: Incorrectly storing a data subject as “ultimate beneficial owner” in the UBO register by the person responsible for providing information The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: X, hereinafter “the complainant” The defendants: the Federal Public Service Finance, Koning Albert II laan box 1, 1030 Schaerbeek, hereinafter “the first defendant” and Y, hereinafter “the second defendant” Decision 25/2024 — 2/8 I. Facts and procedure 1. On December 18, 2023, the complainant will submit a complaint to the Data Protection Authority against the first and second defendants. 2. The subject of the complaint concerns the storage and retention of personal data the complainant in the register for ultimate beneficial owners (hereinafter, the 'UBO register'). Between October 2022 and August 2023, the complainant played a supporting role in the second defendant. He was taken by the legal representative of the second defendant added to the UBO register as the final beneficiary of the aforementioned non-profit organization the period from July 13, 2023 to August 27, 2023. On July 13, 2023, the complainant received a notification from the first defendant that he had been registered in the UBO register as the beneficial owner of the second defendant. Since the complainant has no was the ultimate beneficiary, it was an incorrect registration. On August 10, 2023, the complainant asked the second respondent to be struck off of the UBO register. The second defendant confirmed that the complainant no longer was registered in the UBO register as the ultimate beneficiary. On November 24, 2023, the first respondent informed the complainant that the personal data of the latter would be completely removed from the UBO registry. 3. The complainant states that he “has not received a clear explanation from UBO as to how they got me can register”, and that “the registration system does not guarantee that persons be wrongly added to the UBO register.” He further states that “The release of my personal data to register in the UBO register [...] without that the necessary requirements have been met for this […]” was a violation of his “privacy”. 4. On January 3, 2024, the complaint will be declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber. II. Justification 5. The elements in the present case concern two different ones controllers. This decision is therefore divided into two parts. Regarding the processing of incorrect data by the first defendant: 6. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case Decision 25/2024 - 3/8 the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification. 7. If a complaint is dismissed, the Disputes Chamber will make its decision to motivate gradually and: - to issue a technical dismissal if the file does not exist or is insufficient contains elements that could lead to a conviction, or if there is insufficient there is a prospect of a conviction due to a technical obstacle, which prevents her from reaching a decision; - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber. 2 8. In the event of dismissal on more than one ground, the grounds for dismissal (resp. technical dismissal and policy dismissal) should be treated in order of importance. 3 9. In the present file, the Disputes Chamber will dismiss the complaint, based on technical considerations. There is one motive at the basis of the decision of the Disputes Chamber as to why it considers it undesirable to take further action to the file and therefore decides not to proceed with, inter alia, a hearing at ground. 10. The relevant processing of the complainants' personal data by the first respondent took place in the context of the obligations owed to the second defendant according to the Act of 18 September 2017 on the prevention of money laundering and the financing of terrorism and limiting the use of cash, and the Royal decision of 30 July 2018 regarding the operating modalities of the UBO register. 11. The second defendant is an information officer as referred to in Article 2, 1° of the Royal Decree of July 30, 2018. In accordance with articles 74 and 75 of the Law of 18 September 2017, and Article 3 §2 of the Royal Decree of 30 July 2018, “all reporting agents, who are a non-profit association, an international non-profit association or foundation, to the register electronically the [referred to in Article 3 §2, 1° to 13°] information about each of their final 1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18. 2 In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf 3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber. Decision 25/2024 — 4/8 beneficiaries participate […]”. In the present case, the legal person responsible for the second defendant registered the complainant in the UBO register as “ultimate beneficiary” of the second defendant for the period from July 13, 2023 to August 27 2023. 12. Article 4, 27° of the law of 18 September 2017 defines “beneficial owners” however, as “the natural person(s) who is/are the ultimate owner of or has (have) control over the client, the client's agent or the beneficiary of life insurance contracts and/or the natural person(s) for whom account a transaction is carried out or a business relationship is entered into.” The plaintiff has never been a “beneficial beneficiary” of the second defendant. As was also established by the first defendant in his email dated 24 November 2024 the complainant was therefore incorrectly registered in the UBO register as the ultimate beneficiary of the second defendant. 13. In accordance with Article 5(1)(d) GDPR, the controller must make all reasonable efforts take measures to ensure that the data is correct and up to date in view of the purposes for which they are processed. Data that is not, should be deleted or corrected. Article 21 of the Royal Decree of 30 July 2018 provides in addition the following: “The reporting agent must, under his sole responsibility, keep the information in his own files registered incorrect data with regard to its ultimate beneficiary and correct or to delete in accordance with Article 5, paragraph 1, d) of Regulation 2016/679 and these amendments without delay to be communicated to the register.” 14. The plaintiff's incorrect registration was established when the first defendant contacted the plaintiff informed by email on July 13, 2023 that he was registered as a final beneficiary of the second defendant. This email gave the complainant the opportunity to question registration. In his email on November 24, 2023, the first explains defendant that automatic notification of data subjects who are registered as ultimate beneficiaries, thus providing a mechanism to avoid incorrect registrations. 15. In accordance with Article 21 of the Royal Decree of 30 July 2018, the information officer, being the second defendant, responsible for the improvement or deletion of incorrect data recorded in its own files with with regard to its ultimate beneficiaries. The first defendant therefore indicated the complainant initially receives the following instructions: “You will have to contact the non-profit organization and inform them that they should remove your name. You may inform them that they should contact the UBO register because their file is not is complete.” Decision 25/2024 – 5/8 The complainant states in his complaint that he contacted the second respondent, and that the latter confirmed on September 4, 2023 that the complainant was removed from the UBO register deleted. 16. With regard to the first defendant, the Disputes Chamber notes that on November 24 2023 informed the complainant by email that his data was “completely” from the UBO register would be removed so that his name would no longer appear in the history of the amendments of the second defendant. On this basis, the Disputes Chamber determines that: the first defendant has taken reasonable measures in accordance with Article 5.1, d) GDPR taken to “the personal data that, taking into account the purposes for which they are used processed, are incorrect, be deleted without delay”. 17. The Disputes Chamber therefore decides that the first defendant has not committed an infringement to Article 5.1, d) GDPR. Thus, the complaint is valid to the extent it relates to the the first defendant is manifestly unfounded within the meaning of Article 57.4 GDPR. Regarding the information obligation of the second defendant: 18. However, the Disputes Chamber notes that the complainant indicates that he was not aware of the purpose of the collection and processing of his data by the second defendant. After all, the factual elements show that the second defendant is the complainant only mentioned in passing that the collection of his national register number was for the purpose “add to the UBO register”. 19. Based on Article 13 GDPR, the controller has, in this case, the second defendant has an obligation to provide information to the data subject. When the data is collected directly from the data subject, he must be informed be brought from both those referred to in paragraphs 1 and 2 of Article 13 of the GDPR elements, in particular: the identity and contact details of the controller and, where applicable, the contact details of the data protection officer; the processing purposes for which the personal data are intended, as well as the legal basis for the processing; the recipients or categories of recipients of the processing; the intention of the controller for the data outside the European Economic Area to pass on; the period during which the personal data will be stored stored; the rights of the data subject under the GDPR, including the right to to file a complaint with a supervisory authority, or the provision of personal data is a legal or contractual obligation or a necessary one condition for concluding an agreement, and what the possible consequences are when this information is not provided; and the existence of automated decision-making, including profiling referred to in Article 22 of the GDPR. The The Disputes Chamber has further determined that the person concerned must be able to determine in advance Decision 25/2024 - 6/8 what the extent of the consequences of the processing are, so that it is not relevant at a later stage surprises arise with the way his personal data has been used. The information must be concrete and reliable, should not be abstract or ambiguous terms are formulated and should not leave room for differences interpretations. In particular, the purposes and legal basis for the processing of personal data are clear. 20. Moreover, Article 21 of the Royal Decree of 30 July 2018 specifies in this case what information the reporting agents must provide to their ultimate beneficiaries communicate. This information contains the obligation of the reporting agents to: to communicate relevant data to the register; the registration, processing and keeping this data in the register; the name and address of the service within the Treasury Administration is responsible for managing the register; the access to the register for the purposes referred to in Articles 6 and 7 of the Royal Decree listed entities and persons; the rights of the ultimate beneficial owner such as provided for in Articles 12 to 22 and 34 of the GDPR; and the retention period of the data in the register stored data. 21. In the present case, the Disputes Chamber notes that not all essential information was communicated to the complainant. The factual elements show that the information that provided to the complainant was limited to the following email dated June 23, 2023 from the legal responsibility of the second defendant to the complainant and two others those involved: “[…] I still have to add you to the UBO register. For this I need your national number. Thank you for delivering this.” For example, it was not clear from this email for what purpose the data was processed would be, on the basis of which legal basis this would happen, who the recipients would be that the data subject could rely on his rights set out in Articles 12 to 22 and 34 of the GDPR, or which retention period would apply. 22. In view of the foregoing, the Disputes Chamber decides that the second defendant is information obligation in accordance with Article 5.1a) GDPR, in conjunction with Article 13 GDPR has not been fulfilled. 23. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations order of the GBA, the parties can request a copy of the file. If one both parties wish to make use of the opportunity to consult and 4See also Decision on the merits 41/2020 of 29 July 2020, available on the website of the GBA Decision 25/2024 — 7/8 copying the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be. III. Publication and communication of the decision 24. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. On the other hand, it is not necessary that the identification details of the complainant and the second respondent directly announced. The identity of the first defendant is stated in view of his identity unavoidable identification as being responsible for the UBO register. 25. In accordance with its deposit policy, the Disputes Chamber will issue the decision to the respondents to transfer . After all, the Disputes Chamber has decided to dismiss its decisions ex officio to the defendants. However, the Dispute Chamber decided not to do so such notification where the complainant has requested anonymity of the defendants and the notification of the decision to the defendants, even if it is pseudonymised, nevertheless makes it possible to contact the complainant (re)identify . However, this is not the case in the present case. FOR THESE REASONS , the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - the complaint to the extent to which it relates to the first defendant to be dismissed on the basis of Article 95, § 1, 3° of the WOG, in view of the fact that no infringement of the GDPR can be established in this regard; and - to formulate a warning on the basis of Article 95, § 1, 4° of the WOG against the second defendant for failing to fulfill his obligation to provide information. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision will be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition must contain statements listed in Article 1034ter of the Judicial Code. It 5Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this? of the dismissal policy of the Disputes Chamber. 6 Ibid. 7The petition states, under penalty of nullity: 1° the day, month and year; Decision 25/2024 — 8/8 an objection petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code. , 8 or via e-Deposit IT system of Justice (Article 32ter of the Judicial Code). To enable the complainant to consider other possible remedies, the 9 Disputes Chamber will refer the complainant to the explanation in its dismissal policy. (get). Hielke H IJMANS Chairman of the Disputes Chamber 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 8 The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved. deposited with the clerk of the court or at the registry. 9 Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.