APD/GBA (Belgium) - 32/2024: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=32/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-32-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lang...") |
m (→Comment) |
||
| Line 82: | Line 82: | ||
== Comment == | == Comment == | ||
As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision. | |||
== Further Resources == | == Further Resources == | ||
Revision as of 17:15, 18 March 2024
| APD/GBA - 32/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 15(1) GDPR Article 15(3) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 26.12.2023 |
| Decided: | 13.02.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 32/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA held that when files constituted by other entities have been consulted in examining a data subject’s credit application, if the latter makes an access request, the controller must give him access to all the documents consulted during the examination.
English Summary
Facts
A data subject’s credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with its Financial Services Ombudsman. The controller informed him that 3 files had been consulted in examining his credit application: (i) his own file, (ii) the Central Individual Credit Register file and (iii) a finance company’s file. The controller shared the full content of the data subject’s file and only the identity and contact details of the respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents.
The data subject claimed that the information to which he had been given access to was incomplete, as the controller also had the “purpose of the credit” as well as an image of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the one it received as part of the data subject’s complaint to the Financial Services Ombudsman.
Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).
Holding
Under Article 15(1) GDPR, the data subject has the right to obtain from the controller, a confirmation as to whether or not personal data concerning him are being processed and if so, to obtain access to such personal data. The APD considered that in the present case, the controller did not respond directly to the data subject’s question asking it to confirm that he had been given access to all his personal data. Thus, the data subject did not obtain a conclusive answer or access as required by Article 15(1) GDPR.
Moreover, Article 15(3) GDPR provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated Article 15(3) GDPR.
Finally, the APD pointed out that the purpose of the right of access is to “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the 2 other files the controller consulted, the APD considered that the controller determines the means and purposes of the processing of the personal data in question. However, without access to these 2 files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification.
The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.
Comment
As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7
Dispute Chamber
Decision 32/2024 of February 13, 2024
File number: DOS-2024-00078
Subject: Complaint due to insufficient response to a request for access
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant” Decision 32/2024 — 2/7
I. Facts and procedure
1. On December 26, 2023, the complainant will submit a complaint to the Data Protection Authority
against the defendant.
2. The subject of the complaint concerns the exercise of the right of access by the complainant
without receiving an adequate response from the controller.
The complainant had exercised his right of access after his credit application was refused
by the defendant. As a result, the defendant informed the complainant that there were three
files were consulted in examining his credit application, namely that
from the defendant itself, the Central Office for Credit to Private Individuals, and a
financing company. The defendant sent “a complete content of the data
that are in our files” to the complainant. Of the data in the remaining
two files, the defendant shared only the identity and contact information of the
respective controllers.
The complainant disputed that the data he was given access to was complete. He asked
namely that the defendant also had the “purpose of the credit” and an image
of his identity card. He once again requested the defendant “to provide the files you as
lender [sic] has in your possession, as you inform me, to transfer to me.” The complainer
had also filed a complaint with the defendant's financial services ombudsman, and
the documents available to the Disputes Chamber show that communication between the
defendant and the complainant focused mainly on the rest for a certain period of time
investigating the substantive reasons for the refusal of the credit, which is outside the
scope of this decision. After some time, the complainant made contact again
contacted the defendant to ask for confirmation that he had been given access to all
his personal data. The defendant responded as follows:
"Dear,
We have other data in our possession, namely the one we received in the context
of your complaint to the financial services ombudsman.
3. On January 8, 2024, the complaint will be declared admissible by the First Line Service on the grounds
of Articles 58 and 60 of the WOG and the complaint is filed on the basis of Article 62, § 1 of
the WOG has been transferred to the Disputes Chamber.
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations
order of the GBA, the parties can request a copy of the file. If one
both parties wish to make use of the opportunity to consult and
copying the file, he or she must contact the secretariat of the
Disputes Chamber, preferably via litigationchamber@apd-gba.be. Decision 32/2024 — 3/7
II. Justification
5. According to Article 15.1 GDPR, the data subject has the right to obtain from the
controller to obtain clarity about whether or not to process
personal data concerning him and, if applicable, to obtain access to it
those personal data and the information referred to in Article 15.1.a) to h), GDPR.
In accordance with Article 12.1 GDPR, read in conjunction with recital 58 hereof
Regulation, the controller must take appropriate measures to ensure that
the data subject the communications referred to in Article 15 GDPR in connection with the processing
in a concise, transparent, understandable and easily accessible form and in
receives clear and simple language”. Article 12.2 GDPR also stipulates that the
controller must exercise the data subject's rights
facilitate.
6. The Disputes Chamber notes that the complainant submitted his request for access on 6
October 2023.
7. On October 17, 2023, the defendant informed the complainant that in the investigation of his
file, three files were consulted. These files were those of (1) the
defendant itself, (2) the Central Office for Credit to Private Individuals, and (3) a
financing company. The same email contained, according to the defendant, “a complete
content of the data contained in our files”. However, the complainant disputed
that this information was complete. In particular, he stated that the defendant would also
have the “purpose of the credit”.
On December 26, 2023, the complainant asked the defendant to confirm that he had access
had received in all his personal data. The defendant responded that also “other
data” were processed, and referred to the data provided by the complainant
provides financial services in the context of his complaint to the Ombudsman
defendant. Since the defendant did not directly answer the question of the
complainant whether he had been given access to all his personal data, the complainant did not obtain any
clear information about whether or not certain personal data are processed.
Consequently, the complainant has not been provided with sufficient clarity or insight as required in Article
15.1 GDPR.
8. Furthermore, the complainant states that the defendant has an image of his identity card
processed, and failed to provide a copy of it in response to the
request for inspection. In this context, the Disputes Chamber recalls that Article 15.3 GDPR
provides that the controller “a copy of the personal data that
are processed” must be provided to the data subject. If the defendant indeed Decision 32/2024 — 4/7
processes an image of the complainant's identity card, the defendant must also have one
provide a copy of this image to satisfy the complainant's right of inspection.
9. Regarding the two other files that the defendant consulted, communicated
the defendant only the identification details and addresses of the respective
controllers. The results of the consultations by the defendant –
namely the contents of the files – the defendant did not communicate this to the complainant. At
the latter was told to contact the administrators of that
files to exercise his right of access. To the extent that the defendant
determines the purposes and means of the processing of the personal data concerned
However, he is a data controller and is therefore obliged to follow up himself
the complainant's right of access in accordance with Article 15.1 GDPR. In this respect it is
appropriate to recall that the aim of the right of access is to ensure that
the data subject “can inform himself of the processing and its lawfulness
can check this” (recital 63 GDPR). The right of access thus supports it
right to the protection of personal data, and facilitates the exercise of others
rights included in the GDPR, and in particular the right to rectification. Without
access to the data that the defendant did or did not consult with the two parties involved
files, the complainant is unable to determine whether it is necessary to contact them
with those responsible for those files to assert his right to rectification.
Furthermore, it should be noted that Article VII.79 of the Code of Economic Law
stipulates that the “lender shall immediately provide the consumer with the result of the loan free of charge
consultation [communicates] as well as the identity and address of the person responsible for the
processing the files he consulted” (emphasis added).
10. The Disputes Chamber is of the opinion that based on the above analysis
concluded that the defendant may have violated the provisions of the GDPR
was committed, which justifies taking one in this case
decision on the basis of Article 95, § 1, 5° of the WOG, more specifically the
order the controller to comply with the exercise by the
complainant of his right of access (Article 15.1 GDPR).
11. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,
2
in the context of the “procedure prior to the decision on the merits” and none
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.
1CJEU December 20, 2017, Peter Nowak v. Data Protection Commissioner, C-434/16, ECLI:EU:C:2017:994
2Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 32/2024 – 5/7
The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and
Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request
of the data subject to exercise his rights, in particular the right of access such as
determined in Article 15 GDPR.
12. The purpose of this decision is to inform the defendant of the fact that this
may have committed an infringement of the provisions of the GDPR and this in the
the opportunity to still comply with the aforementioned provisions.
13. If the defendant does not agree with the content of the present primafacie
decision and is of the opinion that it can apply factual and/or legal arguments
that could lead to a different decision, this can be done via the e-mail address
litigationchamber@apd-gba.be send a request to hear the merits of the case
to the Disputes Chamber within 30 days after notification of this
decision. The implementation of this decision will, if necessary, continue for a period of time
suspended for the aforementioned period.
14. In the event of a continuation of the merits of the case, the
Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG
invite them to submit their defenses as well as any documents they consider useful in the case
file to add. If necessary, the present decision will be permanently suspended.
15. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits
of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 3
16. In accordance with Article 57WOG, and with regard to the language in which the complaint is submitted,
Dutch is used as the procedural language.
3Article 100. § 1. The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10°the rectification, limitation or deletion of data and its notification to the recipients of the data
recommend data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or an international institution
command;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority. Decision 32/2024 — 6/7
III. Publication of the decision
17. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary that the
identification details of the parties are disclosed directly.
FOR THESE REASONS ,
the Disputes Chamber of the Data Protection Authority decides, with reservations
from the submission of a request by the defendant for a hearing on the merits
in accordance with Article 98 et seq. of the WOG, to:
- on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the
order the defendant to comply with the data subject's request
to exercise its rights, in particular the right of access (Article 15 GDPR), by
to grant the complainant access to all personal data relating to him
processed by the defendant, as well as a copy of the data concerned
provided, and this within a period of 30 days from the
notification of this decision;
- order the defendant to contact the Data Protection Authority (Dispute Chamber)
by e-mail within the same period of the consequences
this decision will be given via the email address litigationchamber@apd-gba.be;
and
- in the absence of timely implementation of the above by the defendant,
to consider the merits of the case ex officio in accordance with Articles 98 et seq.
of the WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notice, an appeal against this decision will be filed with the Market Court (court of
appeal Brussels), with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition
4
must contain statements listed in Article 1034ter of the Judicial Code. It
4The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought; Decision 32/2024 — 7/7
an objection petition must be submitted to the registry of the Market Court
in accordance with Article 1034quinquies of the Dutch Civil Code. , 5 or via e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
(get). Hielke IJMANS
Chairman of the Disputes Chamber
6° the signature of the applicant or his lawyer.
5
The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved.
deposited with the clerk of the court or at the registry.
