APD/GBA (Belgium) - 60/2024: Difference between revisions
mNo edit summary |
mNo edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 63: | Line 63: | ||
}} | }} | ||
The DPA held that a controller failed | The DPA held that a controller failed unlawfully disclosed the data subject's client number in order to consult a public body's database to determine if the data subject could benefit from a preferential price. However, the latter had never made such a request. | ||
== English Summary == | == English Summary == | ||
Line 76: | Line 76: | ||
On the same day, the data subject asked that these applications be closed as she never gave consent for them. A day later, she received a new notification from the public body stating, once again, that she did not meet the criteria. | On the same day, the data subject asked that these applications be closed as she never gave consent for them. A day later, she received a new notification from the public body stating, once again, that she did not meet the criteria. | ||
The data subject lodged a complaint with the Belgian DPA ("APD") against the controller for an unlawful transfer of personal data. On 17 November 2023, the controller's DPO indicated that the controller consulted the public body's database to determine the eligibility of another customer, but mistakenly used the data subject's number. The controller also explained that the public body misunderstood the data subject's request of 26 October 2023 and thought the latter requested a new check to confirm the first request, which led to two refusal notifications. The controller also argued that there was no disclosure of personal data to the public body, and it was simply a consultation of its database, carried out by the controller. | The data subject lodged a complaint with the Belgian DPA ("APD") against the controller for an unlawful transfer of personal data. On 17 November 2023, the controller's DPO indicated that the controller consulted the public body's database to determine the eligibility of another customer, but mistakenly used the data subject's client number. The controller also explained that the public body misunderstood the data subject's request of 26 October 2023 and thought the latter requested a new check to confirm the first request, which led to two refusal notifications. The controller also argued that there was no disclosure of personal data to the public body, and it was simply a consultation of its database, carried out by the controller. | ||
The data subject indicated that her personal data should have never been in the public body's database in the first place. | The data subject indicated that her personal data should have never been in the public body's database in the first place. | ||
Line 83: | Line 83: | ||
Firstly, under [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]], the controller must process data in a manner that ensures appropriate security, including protection against unlawful processing, by using appropriate technical or organisational measures. Secondly, [[Article 24 GDPR|Article 24 GDPR]] establishes that the controller must implement appropriate technical and orgnaisational measures and review and update them when necessary. Finally, [[Article 32 GDPR|Article 32 GDPR]] gives a non-exhaustive list of these measures. | Firstly, under [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]], the controller must process data in a manner that ensures appropriate security, including protection against unlawful processing, by using appropriate technical or organisational measures. Secondly, [[Article 24 GDPR|Article 24 GDPR]] establishes that the controller must implement appropriate technical and orgnaisational measures and review and update them when necessary. Finally, [[Article 32 GDPR|Article 32 GDPR]] gives a non-exhaustive list of these measures. | ||
The APD noted that the controller acknowledged itself that personal data had been transferred to the public body by error. The DPA held that this illustrates that the controller might have breached Articles 5(1)(f), 24 and 32 GDPR by failing to establish technical and organisational measures such as to prevent personal data from being erroneously communicating a customer's personal data such a large number of times. | The APD noted that the controller acknowledged itself that personal data had been transferred to the public body by error. The DPA held that this illustrates that the controller might have breached [[Article 5 GDPR#1f|Articles 5(1)(f)]], [[Article 24 GDPR|24]] and [[Article 32 GDPR|32 GDPR]] by failing to establish technical and organisational measures such as to prevent personal data from being erroneously communicating a customer's personal data such a large number of times. | ||
Therefore, the APD adopted a warning against the controller. This was a prima facie decision. | Therefore, the APD adopted a warning against the controller. This was a prima facie decision. |
Latest revision as of 07:43, 30 April 2024
APD/GBA - 60/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(f) GDPR Article 24 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 22.04.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 60/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD (in FR) |
Initial Contributor: | nzm |
The DPA held that a controller failed unlawfully disclosed the data subject's client number in order to consult a public body's database to determine if the data subject could benefit from a preferential price. However, the latter had never made such a request.
English Summary
Facts
On 24 October 2023, the data subject received a notification from a public body stating that, after examination of the documents she had submitted to apply for a price reduction with the controller (a private company) in light of her low income ("social tariff"), it had been concluded that she did not meet the criteria. The data subject was a client of the controller.
On 25 October 2023, the data subject responded, indicating that she had not submitted a request of verification with the public body.
On 26 October 2023, the public body responded that the requests were initiated by the controller and provided a summary of the data subject's file containing all the requests made by the controller. It also informed the data subject that another application was pending and that she should lodge a complaint with the controller if these applications had been made by mistakes.
On the same day, the data subject asked that these applications be closed as she never gave consent for them. A day later, she received a new notification from the public body stating, once again, that she did not meet the criteria.
The data subject lodged a complaint with the Belgian DPA ("APD") against the controller for an unlawful transfer of personal data. On 17 November 2023, the controller's DPO indicated that the controller consulted the public body's database to determine the eligibility of another customer, but mistakenly used the data subject's client number. The controller also explained that the public body misunderstood the data subject's request of 26 October 2023 and thought the latter requested a new check to confirm the first request, which led to two refusal notifications. The controller also argued that there was no disclosure of personal data to the public body, and it was simply a consultation of its database, carried out by the controller.
The data subject indicated that her personal data should have never been in the public body's database in the first place.
Holding
Firstly, under Article 5(1)(f) GDPR, the controller must process data in a manner that ensures appropriate security, including protection against unlawful processing, by using appropriate technical or organisational measures. Secondly, Article 24 GDPR establishes that the controller must implement appropriate technical and orgnaisational measures and review and update them when necessary. Finally, Article 32 GDPR gives a non-exhaustive list of these measures.
The APD noted that the controller acknowledged itself that personal data had been transferred to the public body by error. The DPA held that this illustrates that the controller might have breached Articles 5(1)(f), 24 and 32 GDPR by failing to establish technical and organisational measures such as to prevent personal data from being erroneously communicating a customer's personal data such a large number of times.
Therefore, the APD adopted a warning against the controller. This was a prima facie decision.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/6 Litigation Chamber Decision 60/2024 of April 22, 2024 File number: DOS-2023-04811 Subject: Complaint relating to the unlawful sharing of personal data without consent prior The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter “ACL”; Considering the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has taken the following decision regarding: The complainant: The defendant: Y, hereinafter: “the defendant” Decision 60/2024 — 2/6 I. Facts and procedure 1. On October 26, 2023, the complainant filed a complaint with the Protection Authority data (hereinafter “the DPA”) against the defendant party, Y (hereinafter “the defendant"), of whom she is a customer. 2. The subject of the complaint concerns unlawful sharing of personal data by the defendant without the consent of the plaintiff to a federal public interest organization (hereinafter “Z”), in order to verify its eligibility for “social tariff” status. 3. On October 24, 2023, the complainant received a notification from Z, indicating that, after review of the documents she had submitted to request the social tariff from Y, it had been concluded that it did not meet the conditions set out in article (..) (hereinafter “refusal 1 of the TS”). 4. On October 25, 2023, the defendant reacted to a request from the plaintiff with reference to the notification of the “refusal1 of the TS” from “Z”, specifying that she had not submitted a request verification at Z. 5. On October 26, 2023, Z responded to a request from the complainant regarding the verification of its status for the social tariff. Z reiterated the information previously communicated, in particular by explaining that the verification requests were initiated by the defendant (Y) and not by Z himself. Z also provided a summary of the file of the plaintiff, mentioning all requests made by the defendant, including a first request dated 10/16, closed by Zfollowing the email of October 24, 2023, as well that a new request “introduced twice by (the defendant) dated 10/25”. Finally, Z explained the procedure followed by applicants when requesting verification of the conditions for granting the social tariff. Z informed the complainant that another request was in progress and that she should file a complaint with the defendant if these requests had been submitted in error. 6. The same day, the complainant requested the closure of all requests for “tariff” status social” in her name, because she had never given her consent for such requests. She also asked Z to warn the defendant to stop all requests similar. 7. On October 27, 2023, the complainant received further notification from Z stating that, following upon examination of the documents she had submitted to request the social rate from Y, it had been concluded that it did not meet the necessary conditions (hereinafter “refusal 2 of the TS”). THE same day, the plaintiff filed a complaint against the defendant for illicit transfer of its data. 8. On November 17, 2023, the data protection officer (hereinafter “DPO”) of the defendant explained to the complainant that Y consulted Z’s database by mistake Decision 60/2024 — 3/6 to determine eligibility for the social tariff using their customer number, instead of that from another customer who had requested it. Following the complainant’s first complaint, The complaint was handled by the same customer service agent who misunderstood the request and had requested on October 25, 2023 a new verification of the basis of data from Z to confirm the first request for eligibility for the social tariff dated 16 October 2023. These errors led to two refusal notifications from Z. The DPO held to clarify that this was not a disclosure of the complainant's personal data to Z, but of a consultation carried out by Y, and he apologized for the inconvenience caused. The same day, the complainant reiterated that his data should never have been found in Z's database. 9. On November 27, 2023, the complaint was declared admissible by the Front Line Service 1 on the basis of articles 58 and 60 of the ACL and the complaint was transmitted to the Chamber st 2 Litigation under article 62, § 1 of the LCA. 10. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations internal to the DPA, a copy of the file may be requested by the parties. If one of the parties wish to make use of the possibility of consulting the file, they are required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. II. Motivation 11. The Litigation Chamber notes that article 5.2 of the GDPR provides that any responsible processing must be able to demonstrate compliance with the first paragraph of the same article (principle commonly called “accountability”). 12. Point f) of Article 5.1 of the GDPR more specifically provides that the person responsible for processing must ensure that “technical or organizational measures are put in place "appropriate", that is to say measures capable of guaranteeing sufficient security of personal data relating to a data subject, thereby protecting these of unauthorized or unlawful processing, and accidental events such as their loss or destruction, in particular. 13. Article 24 of the GDPR specifies that these measures must be subject to review and review. updating if necessary, and that they must be adopted with regard to “the nature, the 1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible. 2Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint, the file was sent to him. Decision 60/2024 — 4/6 scope, context and purposes of the processing as well as the risks, including the degree of probability and severity varies, for the rights and freedoms of natural persons. 14. Article 32 of the GDPR illustrates – without being exhaustive – this obligation to take measures appropriate technical or organizational arrangements, giving the following examples: “a) the pseudonymization and encryption of personal data; b) means to ensure confidentiality, integrity, availability and resilience constants of processing systems and services; c) means enabling restore the availability of and access to personal data in appropriate deadlines in the event of a physical or technical incident; (d) a procedure aimed at testing, to regularly analyze and evaluate the effectiveness of technical measures and organizational measures to ensure the security of the processing. » 15. In the present case, the Litigation Chamber notes that the defendant’s DPO recognized itself that the personal data of the complainant were transferred by error in Z with three occurrences (see point 8). In this way, it appears that the defendant could have disregarded articles 5.1.f), 24 and 32 of the GDPR by not having established technical or organizational measures such as to avoid communicate in error the personal data of a client such a number of times. 16. The Litigation Chamber considers that on the basis of the above-mentioned facts, there is reason to conclude that the defendant may have committed a violation of the provisions of the GDPR, which which justifies that in this case, a decision is taken in accordance with article er 95, § 1, ° of the LCA, more precisely the adoption of a warning decision, and this in particular seen: 17. This decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant, 3 within the framework of the “procedure prior to the substantive decision” and not a decision on the merits of the Litigation Chamber within the meaning of article 100 of the LCA. 18. The purpose of this decision is to inform the defendant, presumed responsible for the processing, due to the fact that it may have committed a violation of the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 19. If, however, the defendant does not agree with the content of this decision prima facie and considers that it can put forward factual and/or legal arguments which could lead to another decision, it may address to the Litigation Chamber a request for processing on the merits of the case via the email address litigationchamber@apd- gba.be, within 30 days of notification of this decision. The case 3Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive). Decision 60/2024 — 6/6 Litigation a request for processing on the merits of the case via the email address litigationchamber@apd-gba.be, within 30 days of notification of this decision. If applicable, the execution of this decision is suspended for the period mentioned above. And, on the other hand, the defendant may lodge an appeal against this decision in accordance with Article 108, § 1 of the LCA, within 30 days from its notification, to the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as a party defendant. Such an appeal may be introduced by means of an interlocutory request which must 5 contain the information listed in article 1034ter of the Judicial Code. The request interlocutory must be filed at the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or via the e-Deposit information system of the Ministry of Justice (article 32ter of the Judicial Code). (sé). Hielke H IJMANS President of the Litigation Chamber 5The request contains barely any nullity: 1° indication of the day, month and year; 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or Business Number; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; 6° the signature of the applicant or his lawyer. 6 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court registry.