APD/GBA (Belgium) - 57/2024: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=57/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-en-berisping-nr.-57-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |...") |
mNo edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 59: | Line 59: | ||
}} | }} | ||
The DPA held that | The DPA held that the controller failed to comply with the transparency principle by requesting an ID document as a deposit when renting a mobility aid, whilst failing to present an existing alternative to the data subject. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 25 June 2022, the data subject was asked for his identity card as a deposit when renting an aid | On 25 June 2022, the data subject was asked for his identity card as a deposit when renting an mobility aid to visit the controller's estate. He would get his identity card back upon returning the device. The data subject pointed out to the controller that this practice was not in accordance with the law. The controller replied that everyone surrendered their ID card as a deposit. Therefore, the data subject proceeded to do so and received a ticket in exchange. | ||
On the same day, the data subject filed a complaint using the controller's email address for privacy related matters. Three days later, the controller responded that the use of an ID document was allowed as no copies or scans would be made. | On the same day, the data subject filed a complaint using the controller's email address for privacy related matters. Three days later, the controller responded that the use of an ID document was allowed as no copies or scans would be made. | ||
Line 73: | Line 73: | ||
=== Holding === | === Holding === | ||
Firstly, regarding the material scope of the GDPR, the GBA indicated that under [[Article 2 GDPR#1|Article 2(1) GDPR]], the latter shall apply to the processing of personal data by automatic means or which form part of a filing system. The CJEU clarified the concept of "file" by holding that "the concept of a ‘filing system’ | Firstly, regarding the material scope of the GDPR, the GBA indicated that under [[Article 2 GDPR#1|Article 2(1) GDPR]], the latter shall apply to the processing of personal data by automatic means or which form part of a filing system. The CJEU clarified the concept of "file" by holding that "''the concept of a ‘filing system’ [...] covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, <u>if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use</u>.''" ([https://gdprhub.eu/index.php?title=CJEU_-_C-25/17_-_Jehovan_todistajat CJEU, 10 July 2018, Jehovan todistajat]). | ||
In the present case, the DPA considered that the controller seems to structure the ID cards based on the number of the device in order to retrieve them easily when the device is returned. Since an ID card contains personal data, this practice falls within the scope of the GDPR. | In the present case, the DPA considered that the controller seems to structure the ID cards based on the number of the device in order to retrieve them easily when the device is returned. Since an ID card contains personal data, this practice falls within the scope of the GDPR. |
Latest revision as of 14:47, 29 April 2024
APD/GBA - 57/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 18.04.2024 |
Published: | 18.04.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 57/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | nzm |
The DPA held that the controller failed to comply with the transparency principle by requesting an ID document as a deposit when renting a mobility aid, whilst failing to present an existing alternative to the data subject.
English Summary
Facts
On 25 June 2022, the data subject was asked for his identity card as a deposit when renting an mobility aid to visit the controller's estate. He would get his identity card back upon returning the device. The data subject pointed out to the controller that this practice was not in accordance with the law. The controller replied that everyone surrendered their ID card as a deposit. Therefore, the data subject proceeded to do so and received a ticket in exchange.
On the same day, the data subject filed a complaint using the controller's email address for privacy related matters. Three days later, the controller responded that the use of an ID document was allowed as no copies or scans would be made.
The data subject responded by indicating that internal regulations mentioned an alternative deposit of 100€ for those who did not have or did not want to provide proof of identity, an option which he was not proposed. He also referred to the Belgian DPA website ("GBA") which read that an ID card cannot be kept as a deposit, as it prevents the data subject from fulfilling it's legal obligation to carry their card (Royal Decree of 25 March 2003 on Identity cards - KB van 25 maart 2003 betreffende de identiteitskaarten).
On 5 July 2022, the data subject filed a complaint with the GBA.
Holding
Firstly, regarding the material scope of the GDPR, the GBA indicated that under Article 2(1) GDPR, the latter shall apply to the processing of personal data by automatic means or which form part of a filing system. The CJEU clarified the concept of "file" by holding that "the concept of a ‘filing system’ [...] covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use." (CJEU, 10 July 2018, Jehovan todistajat).
In the present case, the DPA considered that the controller seems to structure the ID cards based on the number of the device in order to retrieve them easily when the device is returned. Since an ID card contains personal data, this practice falls within the scope of the GDPR.
Secondly, the DPA pointed out that national Belgian Law (Article 1 Royal Decree of 25 March 2003 on identity cards) establishes that every Belgian of 15 years or more must hold an identity card. The website of the Federal Government Department of Home affairs adds that withholding an ID card would make this request impossible and that there is no justification for withholding the ID card for the duration of a visit.
The GBA therefore held that even if the controller had sufficient legal basis, this practice does not comply with national Belgian law.
Finally, regarding transparency, the data subject noted that he was in no way informed of the alternative to the processing of his personal data, even when he was opposed to the processing. This alternative was not mentioned in the ticket received in exchange for his ID card either. The GBA found that the processing was not sufficiently transparent.
The DPA therefore issued a warning against the controller. This was a prima facie decision.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8 Dispute Chamber Decision 57/2024 of April 18, 2024 File number: DOS-2022-02875 Subject: requesting an identity card as guarantee The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: X, hereinafter “the complainant” The defendant: Y, hereinafter “the defendant” Decision 57/2024 — 2/8 I. Facts and procedure 1. The subject of the complaint concerns the use of the complainant's identity card as guarantee for the loan of an aid when visiting the domain defendant. 2. On 5 July 2022, the complainant submits a complaint to the Data Protection Authority against the defendant. On June 25, 2022, the complainant was asked to provide his identity card as security renting a tool to visit the defendant's domain. He would get his identity card back when returning the aid. The The complainant pointed out to the defendant that handing over his identity card would not was in accordance with the law, but the defendant replied that everyone is provided an identity card as security. The complainant has his identity card on it delivered and received back at the end of the day. The complainant submitted a complaint to the defendant via privacy on the same day defendant's email address. The complainant had a photo of the rental ticket and the statement is attached. The rental ticket shows the name of the customer and the date and the number of the aid used. The number of the identity card and signature are not completed. This ticket also states: stated: “An ID will be retained as a guarantee.” On June 28, 2022, the defendant responded that the use of a proof of identity was indeed allowed on the private domain of the defendant when no copies or scans would be made. She would do this checked with the competent government authorities. The confirmed defendant that no additional registrations or actions have been made with the identity card. The defendant further pointed to the internal regulations in which: Article 6 did indeed mention an alternative guarantee for those who do not had or wanted to hand over proof of identity, i.e. €100. That same day, the complainant responded with a reference to the website Data Protection Authority which read: “You can use the ID card not to hold a person as surety. This practice is not acceptable because you this prevents the data subject from complying with his legal obligation to carry your identity card on sight. Taking a copy of your identity card in these circumstances also poses problems with regard to the compatibility with the GDPR.” Decision 57/2024 — 3/8 3. On July 26, 2022, the First Line Service contacted the complainant with the question add contact details of the controller to the complaint to be able to handle them correctly. On July 31, 2022, the complainant sent the contact details of the defendant. In a second e-mail, the defendant sent the complainant again continued communication with the defendant and separately confirmed that he had alternative of €100 as a deposit was not offered when he initially resisted handing over his identity card. 4. On August 1, 2022, the complaint will be declared admissible by the First Line Service on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1 of the WOG transferred to the Disputes Chamber. 2 5. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations order of the GBA, the parties can request a copy of the file. If one both parties wish to make use of the opportunity to consult and copying the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be. II. Justification 6. Article 2.1 of the GDPR determines the material scope of the GDPR: “This regulation applies to the fully or partially automated processing, as well as the processing of personal data contained in a file included or intended to be included therein.” The term 'file' is defined in Article 4.6) of the GDPR: “file: any structured set of personal data that is collected according to certain criteria accessible, regardless of whether it is completely centralized, decentralized or on functional or geographical grounds;” 7. The European Court of Justice clarified the scope of the concept of 'file' in its 3 judgment “Jehova”: “The answer to the second question must therefore be that Article 2(c) of Directive 95/46 must be interpreted as meaning that the term used in that provision “truce” also falls entirely within the context of a door-to-door proclamation collected personal data, consisting of the name and address of and others 1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible declared. 2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to has been transferred to her as a result of this complaint. 3See ECJ judgment C-25/17, Jehovan Todistajat, EU:C:2018:551; marginal number 62. Decision 57/2024 — 4/8 information about the people visiting the home, when this data is structured according to specific criteria that make it easy to obtain this data in practice retrieved for later use. To fall under this concept, one has to There are no index cards, specific lists or other organizing systems of this kind include." (own underlining) 8. The defendant rents out several resources within his domain. As a guarantee for these aids, the defendant asked for the complainant's identity card. Next to the tool the complainant also received a ticket with the identification number of the tool and its name. It is therefore possible that the identity cards received by the defendant are structured based on the number of the device, in order this can be easily found when the device is returned. It structuring identity cards based on the criteria 'type of aid' and/or 'number of the device' could become like a file on functional grounds considered. Since an identity card contains personal data, this practice would fall within the material scope of the GDPR. 9. Article 4.2) of the GDPR defines the concept of 'processing' as follows: “an operation or set of operations relating to personal data or a set of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieve, consult, use, provide by transmission, disseminate or otherwise make available, align or combine, shield, erase or destruction of data;” 10. The defendant requests the identity card for safekeeping. Since the the identity card details of the bearing company contain, can be requested and stored be considered as processing personal data. 11. Article 5.1.a) of the GDPR states: “Personal data must be processed in a manner that is lawful, fair and transparent with regard to the data subject (“legality, propriety and transparency”).” 12. With regard to legality and propriety, the Disputes Chamber refers to Article 1 of the 4 royal decree on identity cards, which states: “Every Belgian has the full fifteen years old, must be the holder of an identity card that serves as proof of registration in the population register applies in the event of loss, theft or destruction of that card certificate issued in accordance with Article 6. […] One of these two documents must be submitted at any request by the police, [...] and, in general, whenever the holder must provide proof of his identity.” On the Federal website 4KB of March 25, 2003 regarding identity cards. Decision 57/2024 — 5/8 Government Department of the Interior can be found under the FAQ on identity documents read: “The provisions of Article 1 of the Royal Decree regarding the identity cards dated March 25, 2003 state that each person is at all times must be able to present an identity card to a person who does so for legal reasons requests. However, withholding the identity card would make this request impossible. It is therefore not justified to keep the identity card during the period visit.”5 13. To the extent that the defendant would have a sufficient legal basis for the identity card of the complainant, this does not seem appropriate since the complainant is on the domain of the defendant cannot comply with Article 1 of the Royal Decree regarding the identity cards, whatever the complainant would have declared before his identity card has been issued. 14. With regard to transparency, the complainant declares that at the time of requesting his ID card was not informed in any way about an alternative to processing of his personal data, even if he initially opposed this processing. This alternative was also not mentioned on the ticket the complainant received in return for his identity card. Despite the inclusion of this alternative in the park regulations, it seems the processing is not sufficiently transparent. 15. The Disputes Chamber is of the opinion that on the basis of the above analysis concluded that the defendant may have violated the provisions of the GDPR were committed, which justifies taking action in this case a decision on the basis of Article 95, § 1, 4° of the WOG, more specifically a warning to formulate with regard to the defendant that requesting and maintaining the a visitor's identity card as a guarantee for a tool may constitute an infringement determine the lawfulness, fairness and transparency of the processing. 16. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” 6 and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and Article 95, § 1, 4° of the WOG, to formulate a warning with regard to the defendant with regard to the legality, propriety and transparency of the requesting and keeping the identity card as guarantee for the use of a tool in the domain of the defendant. 5https://ibz.rrn.fgov.be/nl/identitydocuments/eid/faq/ ; more specifically under the question: “Is one allowed at the reception of a public building, ask for an identity card and keep it up to date?” 6Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 57/2024 — 6/8 17. The purpose of this decision is to inform the defendant of the fact that this may have committed an infringement of the provisions of the GDPR and this in the the opportunity to still comply with the aforementioned provisions. 18. If the defendant does not agree with the content of this prima facie case decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a new decision, it can request a reconsideration submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction 99 of the WOG, known as a “treatment on the merits”. This request must be sent to the email address litigationchamber@apd-gba.be within a period of 30 days after notification of this primafacie decision. If applicable, implementation will take place of this decision is suspended for the above-mentioned period. 19. In the event of a continuation of the merits of the case, the Disputes Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the invite WOG to submit their defenses and any documents they consider useful to be added to the file. If necessary, the present decision will become final suspended. 20. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures referred to in Article 100 of the 7 WOG . III. Publication of the decision 21. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the 7Article 100. § 1. The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling; 4° to propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° to order that the person concerned is informed of the security problem; 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10°the rectification, limitation or deletion of data and its notification to the recipients of the data recommend data; 11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or an international institution command; 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 57/2024 — 8/8 9 in accordance with Article 1034quinquies of the Dutch Civil Code. ,or via the Deposit Information System the Ministry of Justice (Article 32ter of the Judicial Code). (get). Hielke H IJMANS Chairman of the Disputes Chamber 9The petition with its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry.