APD/GBA (Belgium) - 26/2024: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=26/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-26-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Orig...") |
mNo edit summary |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 63: | Line 63: | ||
}} | }} | ||
The Belgian DPA dismissed a complaint and indicated that in the context of an erasure request, the controller was not expected to search of its own accord for the existence of data subject's email addresses other than the one mentioned by the data subject in the request. | |||
== English Summary == | == English Summary == | ||
| Line 70: | Line 70: | ||
A data subject filed a complaint against a controller concerning the lack of appropriate action regarding his several requests for erasure of his personal data under [[Article 17 GDPR#1|Article 17(1) GDPR]], in particular his e-mail address which was used by the controller to send unsolicited advertising to the data subject. The controller indicated that necessary action would be taken, however, the data subject received unsolicited advertising again. The data subject had 2 accounts with 2 different e-mail addresses and the second e-mail address had not been deleted as (i) it was not the subject of the first request and (ii) the controller only used the e-mail address as a unique identifier to distinguish the different profiles in their database. | A data subject filed a complaint against a controller concerning the lack of appropriate action regarding his several requests for erasure of his personal data under [[Article 17 GDPR#1|Article 17(1) GDPR]], in particular his e-mail address which was used by the controller to send unsolicited advertising to the data subject. The controller indicated that necessary action would be taken, however, the data subject received unsolicited advertising again. The data subject had 2 accounts with 2 different e-mail addresses and the second e-mail address had not been deleted as (i) it was not the subject of the first request and (ii) the controller only used the e-mail address as a unique identifier to distinguish the different profiles in their database. | ||
The controller notified the Belgian DPA (“APD”) that the data subject’s email address had been deleted, but the data subject still received unsolicited advertising, which led to this complaint. | |||
=== Holding === | === Holding === | ||
The APD considered that the controller was not expected to search of its own accord for a second or even multiple accounts with a similar or different email address(es) that might belong to the data subject without the identity of the data subject | The APD considered that the controller was not expected to search of its own accord for a second or even multiple accounts with a similar or different email address(es) that might belong to the data subject without the identity of the data subject. | ||
The APD therefore indicated that the controller made every effort to clarify the situation for the data subject and proceeded to remove the e-mail address as soon as it was established that the second account with another e-mail address belonged to the data subject and thus, there was no breach of Articles 12(3) and 12(4) in conjunction with [[Article 17 GDPR#1|Article 17(1) GDPR]]. | Furthermore, the APD added that in this case, there were no elements for the controller to doubt the data subject’s identity so there was no reason for the controller to request additional information to confirm its identity under [[Article 12 GDPR#6|Article 12(6) GDPR]]. | ||
The APD therefore indicated that the controller made every effort to clarify the situation for the data subject and proceeded to remove the e-mail address as soon as it was established that the second account with another e-mail address belonged to the data subject and thus, there was no breach of [[Article 12 GDPR#3|Articles 12(3)]] and [[Article 12 GDPR#4|12(4)]] in conjunction with [[Article 17 GDPR#1|Article 17(1) GDPR]]. | |||
== Comment == | == Comment == | ||
'' | In this case, the judges made an ''obiter dictum'' by mentioning [[Article 12 GDPR#6|Article 12(6) GDPR]]. | ||
== Further Resources == | == Further Resources == | ||
Latest revision as of 10:12, 21 February 2024
| APD/GBA - 26/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 12(3) GDPR Article 12(4) GDPR Article 17(1) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 07.02.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 26/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The Belgian DPA dismissed a complaint and indicated that in the context of an erasure request, the controller was not expected to search of its own accord for the existence of data subject's email addresses other than the one mentioned by the data subject in the request.
English Summary
Facts
A data subject filed a complaint against a controller concerning the lack of appropriate action regarding his several requests for erasure of his personal data under Article 17(1) GDPR, in particular his e-mail address which was used by the controller to send unsolicited advertising to the data subject. The controller indicated that necessary action would be taken, however, the data subject received unsolicited advertising again. The data subject had 2 accounts with 2 different e-mail addresses and the second e-mail address had not been deleted as (i) it was not the subject of the first request and (ii) the controller only used the e-mail address as a unique identifier to distinguish the different profiles in their database.
The controller notified the Belgian DPA (“APD”) that the data subject’s email address had been deleted, but the data subject still received unsolicited advertising, which led to this complaint.
Holding
The APD considered that the controller was not expected to search of its own accord for a second or even multiple accounts with a similar or different email address(es) that might belong to the data subject without the identity of the data subject.
Furthermore, the APD added that in this case, there were no elements for the controller to doubt the data subject’s identity so there was no reason for the controller to request additional information to confirm its identity under Article 12(6) GDPR.
The APD therefore indicated that the controller made every effort to clarify the situation for the data subject and proceeded to remove the e-mail address as soon as it was established that the second account with another e-mail address belonged to the data subject and thus, there was no breach of Articles 12(3) and 12(4) in conjunction with Article 17(1) GDPR.
Comment
In this case, the judges made an obiter dictum by mentioning Article 12(6) GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/5
Dispute Chamber
Decision on the merits 26/2024 of 7 February 2024
File number: DOS-2023-03948
Subject: Exercise of the right to erasure of data regarding e-mail address
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, chairman, and Messrs. DiAN D ERK ELEN and Frank D ESMET, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: Mr.
The defendant: Y, hereinafter “the defendant” Decision on the merits 26/2024 - 2/5
I. Facts and procedure
1. On 20 September 2023, the complainant lodged a complaint with the Data Protection Authority
against defendant.
2. The subject of the complaint concerns the lack of appropriate action by the defendant
to the complainant's request to erase his personal data, more specifically
email address […], which is used by the defendant to send unsolicited emails to the complainant
to send advertisements. The complainant requested data deletion on 9
November 2022 and again on November 14, 2022. Notwithstanding the second
request will be received following confirmation from the defendant that the necessary action is being taken
complainant again on January 16, 2023 unsolicited advertising by email from the defendant. This
has given rise to Decision 09/2023 of 9 February 2023. Notwithstanding that
the defendant pursuant to the aforementioned decision to the Disputes Chamber on March 8, 2023
has reported that the complainant's email address has been deleted, but the complainant is receiving it again
unsolicited advertising from the defendant, which led to the current complaint.
3. On October 6, 2023, the complaint will be declared admissible by the First Line Service
on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
4. On October 31, 2023, the Disputes Chamber will decide on the basis of Article 95, § 1, 1° and Article 98
WOG that the file is ready for substantive treatment and will be involved
parties are notified by registered mail of the provisions as stated in
Article 95, § 2, as well as that in Article 98 WOG. They are also subject to Article 99
WOG informed of the deadlines for submitting their defenses.
The deadline for receipt of the defendant's statement of defense was
recorded on December 11, 2023, for the complainant's response
on January 3, 2024 and this for the defendant's response on January 24
2024.
5. On November 14, 2023, the Disputes Chamber will receive on behalf of the defendant, within the
predetermined conclusion period, a detailed explanation explaining the cause
set out to explain how the complainant can also continue after Decision 09/2023 of February 9, 2023
have received any unwanted e-mail messages.
6. Notwithstanding the conclusion period allowed to the complainant, no conclusion of
response by the complainant is submitted to the Disputes Chamber. Thus, no conclusion is reached
response thereto submitted by the defendant.
7. On February 1, 2024, the complainant informs the Disputes Chamber that the complaint is still pending
is always up to date. Decision on the merits 26/2024 - 3/5
II. Justification
8. The factual elements that formed the basis of Decision 09/2023 of February 9, 2023
concern the receipt of unwanted advertising messages at the email address [...] In the present
the present complaint that gives rise to the current decision was made by the complainant merely
referred to the aforementioned Decision 09/2023 which was stated not to be
carried out by the defendant and leaving the complainant undesirable
would receive advertising messages. This conduct of the defendant may have had consequences
result in an infringement of Articles 12.3 and 12.4 GDPR in conjunction with Article 17.1 GDPR.
9. However, the defendant explains that the right to erasure of the complainant's data dated 9 November
2022 the email address […] concerned and that the effectiveness of this right was confirmed to
the Disputes Chamber in accordance with Decision 09/2023 and thus the
personal data of the complainant linked to the relevant email address in the database
were removed. The defendant adds that the complainant apparently has another
account with a different email address. After a new request from the complainant by the
defendant was received informing him that the complainant had again received a prospecting
had received the email, the defendant was able to link the email address [...] to the email address based on this
first and last name of the complainant. This second account had a different email address and was lost
that reason was not removed as it was not the subject of the initial request. The
Defendant hereby points out that the unique identification code used to identify the
different profiles in the database can only be distinguished by the e-mail address. Any request
sent via an email address will therefore only be sent to the same email address
processed to avoid confusion in case of homonyms. This explains why
unwanted advertising messages were sent by email to […].
10. The defendant declares that the complainant's account and the associated account are indeed valid
e-mail address […] as stated in the complaint and in the documents submitted by the complainant, which
gave rise to Decision 09/2023, was deleted, as confirmed to the
Disputes Chamber by letter dated March 8, 2023. In the meantime, in response to the current
complaintsafter it became clear that the complainant still had a second account with hot-
email address […] this was also removed.
11. The explanation provided by the defendant convinces the Disputes Chamber, since the
documents that the complainant provided to substantiate the exercise of his right to
erasure of data to which the defendant did not comply, which gives rise to
until Decision 09/2023, only related to the e-mail address
[...] The defendant could not deduce from any factual element of the file that the complainant
had a second account with a somewhat similar or different email address.
Nor can the defendant be expected to search for it on his own initiative
a second or even more accounts with a similar email address(es) that may
belong to the same data subject without the identity of the data subject being known with certainty
data subject to whom the account belongs has been established. This also follows from Article 17.1 GDPR in which
it is stated that the data subject has the right to erasure of data concerning him or her
personal data, and therefore does not imply an obligation for the defendant to transfer
to delete personal data that it is not established that it belongs to the data subject
to belong. This also explains that Article 12.6 GDPR states that when the
controller has reasons to doubt the identity of the
natural person who submits the request referred to in Articles 15 to 21, om
may request additional information necessary to confirm the identity of the
person involved. However, the Disputes Chamber is of the opinion that in this case there is no
elements were available to doubt the identity of the complainant and the actions taken by him
exercised the right to erasure of data with regard to [...] on the basis of the information provided by him
supporting documents that only related to that e-mail address, which means that
There was therefore no reason for the defendant to collect additional information
questions to confirm his identity in relation to […].
12. It follows from the above that the Disputes Chamber is of the opinion that the defendant has done everything
has made every effort to clarify the situation for the benefit of the complainant
proceeded to delete the email address [...] as soon as it was established that there was a
second account with this email address belonged to the complainant; and previously the e-
email address […] was deleted in compliance with the data erasure order as imposed
in Decision 09/2023. This leads the Disputes Chamber to the conclusion that the current complaint is not
gives rise to the finding of a new infringement of Articles 12.3 and 12.4 GDPR in conjunction
Article 17.1 GDPR. Decision on the merits 26/2024 - 5/5
III. Publication of the decision
14. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary that the
identification details of the parties are disclosed directly.
FOR THESE REASONS ,
the Disputes Chamber of the Data Protection Authority, after deliberation, decides to
on the basis of Article 100, § 1, 1° WOG, to dismiss this complaint in view of the fact that
no infringement of the GDPR can be established in this regard.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notice, an appeal against this decision will be filed with the Market Court (court of
appeal Brussels), with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition
must contain statements listed in Article 1034ter of the Judicial Code. It
an objection petition must be submitted to the registry of the Market Court
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
(get). Hielke IJMANS
Chairman of the Disputes Chamber
1The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.
2The petition with its attachment, in as many copies as there are parties involved, will be sent by registered letter
deposited with the clerk of the court or at the registry.
