APD/GBA (Belgium) - 52/2024: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=52/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-nr.-52-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour...")
 
Revision as of 08:14, 17 April 2024

APD/GBA - 52/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 6 GDPR
Article 32(1)(b) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 03.04.2024
Published: 03.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 52/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

The DPA found that wrongly addressing an email to a third person cannot be considered as a further processing as the controller had not established a legal basis for this processing in advance.

English Summary

Facts

In the context of the sale of a property, a notary (“controller”) sent the data subject’s personal details (name, address, civil status, date of birth, national register number), together with those of the other heirs, to an incorrect addressee. The latter informed all addressees by email that she had mistakenly received the email.

The data subject lodged a complaint with the Belgian DPA (“APD”).

Holding

Regarding the lawfulness of processing, under Article 5(1)(b) GDPR, the processing of personal data for purposes other than those for which the personal data were initially collected can be authorized if the processing is compatible with the purposes for which the personal data were initially collected. The APD went on to examine if the sending of the email to the third person was compatible with the initial processing.

The APD indicated that further processing is only lawful if there is a legal basis. Since the third person indicated that they were “wrongly addressed”, and the controller itself also referred to the third person as “wrongly addressed”, it could be understood that forwarding the personal data to the third person was not the controller’s purpose. Thus, the APD decided that the processing could be classified as an error and not as a processing for which the controller had established a legal basis in advance. The APD concluded that there may have been a breach of Articles 5(1)(a), 5(1)(b) and 6 GDPR.

Regarding the principle of integrity and confidentiality, Articles 5(1)(f) and 32(1)(b) GDPR establish that the controller must implement appropriate technical and organizational measures to ensure appropriate security of the personal data. The APD considered that there was a breach of confidentiality, namely an unauthorized disclosure of personal data. Therefore, the APD held that the technical and organizational measures taken by the controller may have been insufficient to avoid such a breach, violating Articles 5(1)(f) and 32(1)(b) GDPR.

Regarding the notification of the data breach to the supervisory authority, Article 33(1) GDPR provides that the controller is obliged to notify the competent national supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of the data subjects. In the present case, the APD noted that the controller received confirmation that the third person did not open the attachments to the email and immediately deleted it. Therefore, the APD considered that the data breach was unlikely to pose a risk to the rights and freedoms of the data subject and that there was no obligation to notify the DPA.

The APD decided, prima facie, that there may have been violations of Articles 5(1)(a), 5(1)(b), 5(1)(f), 6 and 32 GDPR and issued a warning against the controller.

Comment

As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA ruled solely on the basis of the complaint, without a hearing procedure. The controller can request such a procedure within 30 days after the decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision 52/2024 of April 3, 2024

File number: DOS-2024-00220

Subject: Complaint due to sending an e-mail with personal data of the complainant to a wrong addressee

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

Having regard to the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

Complainant: X, hereinafter “the complainant”

The defendant: Y, hereinafter “the defendant”


I. Facts and procedure

1. On January 5, 2024, the complainant submitted a complaint to the Data Protection Authority against the defendant.

2. The subject of the complaint concerns the sending by the defendant of an e-mail with personal data of the complainant to an incorrect addressee. The defendant acts as a notary in the context of the sale of real estate of a testator. On November 30, 2023, the defendant sent an email to the heirs with, as attachments, the draft of the deed of sale and the settlement. These attachments contain the names, addresses, marital statuses, dates of birth and national register numbers of the 17 heirs, including the complainant. The defendant also sent this email to a wrong third-person addressee. On December 1, 2023, this person let all recipients know by email that they had received the email in error.

3. On January 30, 2024, the complaint was declared admissible by the First Line Service on the basis of articles 58 and 60 of the WOG [1], and the complaint was transferred to the Disputes Chamber on the basis of article 62, § 1 of the WOG [2].

4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules of order of the GBA, the parties can request a copy of the file. If one of the parties wishes to make use of the opportunity to consult and copy the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.

[1] In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been declared admissible.

[2] In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been transferred to it as a result of this complaint.

II. Justification

II.1. The lawfulness of the processing

5. In accordance with Article 5.1.a) and Article 6.1 of the GDPR, any processing of personal data is based on a legal basis determined by the controller prior to the processing.

6. In the present case, the defendant acted as a notary in the context of the sale of immovable property of a testator. To this end, the defendant processed, among other things, the personal data of the complainant, as the latter was an heiress. The complaint relates to the fact that the defendant, in that context, forwarded the personal data of the complainant to a third person by email. The Disputes Chamber will now determine whether this further processing can be considered lawful.

7. To begin with, the Disputes Chamber notes that the addressed third person, after receiving the email, sent the following to all recipients: “Wrong email address this is not for me”. In her email to the complainant of December 4, 2023, the defendant furthermore also refers to the third person as “the wrong addressee”. Since the third person - as the defendant also indicates - was incorrectly addressed, it can be understood that sending the email to the third person does not correspond to the original purpose of the processing of the personal data.

8. In accordance with Article 5.1.b) GDPR, the processing of personal data for purposes other than those for which the personal data were initially collected may be permitted if the processing is compatible with the purposes for which the personal data were initially collected. Taking into account the criteria included in article 6.4 GDPR and recital 50 GDPR, it must be determined whether the further processing, in this case the sending of the email to the third person, is compatible with the initial processing in the context of the sale of the property of the testator. When assessing this, the reasonable expectations of the data subject play an important role. In the present case, the complainant could not reasonably have expected that the defendant would share the data with the third person, since this person is not involved in the sale of the property.

9. This leads to the conclusion that there may be an incompatible further processing. In that case, a separate legal basis would be required for the sending of the complainant's personal data to the third party to be considered lawful.

10. Processing of personal data, including an incompatible further processing as – possibly – in the present case, is only lawful if such a legal basis exists. For incompatible further processing, recourse is had to Article 6.1 GDPR. Article 6.1 of the GDPR stipulates that the processing must take place on the basis of one of the following legal bases: the data subject has given permission for the processing of his personal data for one or more specific purposes (Article 6.1.a) GDPR); the processing is necessary for the execution of an agreement to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the data subject (Article 6.1.b) GDPR); the processing is necessary to comply with a legal obligation to which the controller is subject (Article 6.1.c) GDPR); the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6.1.d) GDPR); the processing is necessary for the fulfillment of a task of general interest or a task in the context of the exercise of public authority vested in the controller (Article 6.1.e) GDPR); or the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, especially when the data subject is a child (Article 6.1.f) GDPR).

11. As noted in paragraphs 7 and 8 of this decision, the third person was “wrongly” addressed. Since the defendant itself also refers to the third person as the “wrong recipient”, it can be understood that forwarding the personal data to the third person was not the purpose of the defendant. The processing in question could thus be regarded as an error, and not as a processing for which the defendant had established a legal basis at the outset. On this basis, the Disputes Chamber is of the opinion that the defendant prima facie cannot rely on any legal basis from which the lawfulness of the processing would appear.

12. Based on the foregoing reasoning, the Disputes Chamber judges that Article 5.1.a), Article 5.1.b) and Article 6.1 of the GDPR may have been infringed.


II.2. The basic principle of integrity and confidentiality

13. According to Article 5.1.f) and Article 32.1.b) GDPR, personal data must be “by taking appropriate technical or organizational measures, processed in such a way that appropriate security is guaranteed, and that they are, among other things, protected against unauthorized or unlawful processing and against accidental loss, destruction or damage”.

14. Based on the documents from the file, the Disputes Chamber determines that the personal data of the complainant were communicated to a third person without legal basis. There has been a breach of confidentiality, namely an unauthorized or unintended disclosure of, or access to, personal data. It can therefore be concluded that the technical and organizational measures that the defendant had or had not taken were insufficient to prevent such an infringement. It is therefore possible that the defendant has failed to take appropriate technical and organizational measures.

15. Based on the foregoing reasoning, the Disputes Chamber judges that Article 5.1.f) and Article 32.1.b) GDPR may have been infringed.


II.3. Notification of a personal data breach to the supervisory authority

16. A data breach as defined in Article 4.12 GDPR is “a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, data transmitted, stored or otherwise processed”.

17. The Disputes Chamber recalls that when such a breach in connection with personal data occurs, Article 33.1 GDPR stipulates that the controller is obliged to notify it “without unreasonable delay and, if possible, no later than 72 hours after [the controller] has become aware of it” to the competent national supervisory authority, unless it is not likely that the data breach poses a risk to the rights and freedoms of natural persons. If the breach is likely to pose a high risk to the rights and freedoms of natural persons, Article 34.1 GDPR obliges the controller to communicate the breach to the persons whose personal data the breach relates to.

18. In the present case, the Disputes Chamber notes that the defendant has taken steps to avert risks to the rights and freedoms of natural persons. In her email of December 4, 2023 to the complainant, the defendant indicates that she has received confirmation from the misdirected third person that the latter did not open the attachments to the email (the draft of the deed of sale and the settlement) and immediately deleted the email. On that basis it can be understood that it is prima facie not likely that the personal data breach poses a risk to the rights and freedoms of natural persons. In that case, there would be no obligation to report the breach to the Data Protection Authority, or to communicate the breach to the persons whose personal data the breach relates to.


III. Decision

19. The Disputes Chamber is of the opinion that, on the basis of the above analysis, it can be concluded that the defendant may have committed violations of the provisions of the GDPR, which justifies taking a decision in this case on the basis of Article 95, § 1, 4° of the WOG, more specifically warning the defendant that providing personal data to a third person without any applicable legal basis constitutes unlawful processing and an infringement of the integrity and confidentiality of the processing.

20. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” [3], and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.

21. The purpose of this decision is to inform the defendant of the fact that it may have committed an infringement of the provisions of the GDPR and to give it the opportunity to still comply with the aforementioned provisions.

22. If the defendant does not agree with the content of this prima facie decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a new decision, it can submit a request for reconsideration to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction with 99 of the WOG, known as a “treatment on the merits”. This request must be sent to the email address litigationchamber@apd-gba.be within a period of 30 days after notification of this prima facie decision. If applicable, the implementation of this decision is suspended for the above-mentioned period.

23. In the event of a continuation of the case on the merits, the Disputes Chamber will invite the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, to submit their defenses as well as any documents they consider useful to add to the file. If necessary, the present decision will be permanently suspended.

24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG [4].

[3] Section 3, Subsection 2 of the WOG (Articles 94 to 97).

[4] Article 100. § 1. The Disputes Chamber has the authority to:
 1° to dismiss a complaint;
 2° to order the dismissal of prosecution;
 3° to order the suspension of the ruling;
 4° to propose a settlement;
 5° to formulate warnings and reprimands;
 6° to order that the data subject's requests to exercise his rights be complied with;
 7° to order that the person concerned is informed of the security problem;
 8° to order that processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing be brought into compliance;
 10° to recommend the rectification, limitation or deletion of data and its notification to the recipients of the data;
 11° to order the withdrawal of the recognition of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° to order the suspension of cross-border data flows to another State or an international institution;
 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file;
 16° to decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.