APD/GBA (Belgium) - 91/2024: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=91/2024 |ECLI= |Original_Source_Name_1=APD/GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-91-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original...") |
No edit summary |
||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 59: | Line 59: | ||
}} | }} | ||
The DPA dismissed a case considering that the | The DPA dismissed a case considering that the right to lodge a complaint does not imply that every complaint will be thoroughly investigated by the competent authority. The authority can choose to handle complaints selectively with a view to an effective and efficient enforcement policy. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject’s parents leased a property to a relative. Upon termination of the residential lease, a release of the rental deposit was agreed. The data subject was asked by a bank (‘controller’) to provide a copy of the identity cards of her parents, or for | The data subject’s parents leased a property to a relative. Upon termination of the residential lease, a release of the rental deposit was agreed. The data subject was asked by a bank (‘controller’) to provide a copy of the identity cards of her parents, or for her parents to go to the bank in person for the purpose of identification. | ||
The data subject refused to do so, arguing that neither the anti-money laundering legislation, nor the legislation on residential tenancy imposed such a requirement for the release of the rental deposit. Moreover, due to their health condition, her parents could not visit the controller in person. | The data subject refused to do so, arguing that neither the anti-money laundering legislation, nor the legislation on residential tenancy imposed such a requirement for the release of the rental deposit. Moreover, due to their health condition, her parents could not visit the controller in person. | ||
| Line 71: | Line 71: | ||
=== Holding === | === Holding === | ||
The GBA explained that the DPA can decide to dismiss a case and that there are two types of dismissals: (i) a ‘technical dismissal’ if the case file contains no or insufficient elements that could lead to a conviction or (ii) a ‘policy dismissal’ if, despite the presence of elements that could lead to a sanction, the continuation of the examination of the complaint does not seem appropriate in the light of the priorities of the DPA. In the present case, the GBA adopted a ‘policy dismissal’. | The GBA explained that the DPA can decide to dismiss a case and that there are two types of dismissals: (i) a ‘technical dismissal’ if the case file contains no or insufficient elements that could lead to a conviction or (ii) a ‘policy dismissal’ if, despite the presence of elements that could lead to a sanction, the continuation of the examination of the complaint does not seem appropriate in the light of the priorities of the DPA. In the present case, the GBA adopted such a ‘policy dismissal’. | ||
First, the GBA did not consider it appropriate to | First, the GBA did not consider it appropriate to conduct a hearing on the merits because of the low probability of success of the complaint. The DPA explained that it was clear from the submissions made by the data subject that the controller processed identity cards in the context of the obligations imposed on financial banking institutions under the Anti-Money Laundering Act. This regulation requires banks to identify and verify persons at the beginning of the business relationship, but also on an ongoing basis when occasional transactions occur. | ||
The DPA referred to the duty of identification ( | The DPA referred to the duty of identification (know your customer principle) and to the duty of vigilance (Anti-Money Laundering Act) and considered that due to the existence of such a legal obligation on the controller, it was not appropriate to deal with the complaint in a hearing on the merits. | ||
Second, the GBA decided not to follow up on the case for reasons of expediency. The DPA indicated that under [[Article 77 GDPR|Article 77 GDPR]], any data subject whose personal data are processed within the territorial scope of the GDPR has the right to lodge a complaint. However, the GBA held that this objective right to lodge a complaint does not imply that every complaint can and will also be thoroughly investigated by the competent authority, given the intrinsic lack of resources and referred to CJEU, 16 July 2020, DPC v Facebook Ireland and Maximilan Schrems, C-311/18, §112 for this argument. The DPA pointed out that in this regard, the Belgian legislator has explicitly recognised the need for the DPA to be able to act selectively with a view to an effective and efficient enforcement policy in an explanatory memorandum to a legislative measure proposal. | Second, the GBA decided not to follow up on the case for reasons of expediency. The DPA indicated that under [[Article 77 GDPR|Article 77 GDPR]], any data subject whose personal data are processed within the territorial scope of the GDPR has the right to lodge a complaint. However, the GBA held that this objective right to lodge a complaint does not imply that every complaint can and will also be thoroughly investigated by the competent authority, given the intrinsic lack of resources and referred to [https://curia.europa.eu/juris/document/document.jsf;jsessionid=292B69C4B165B0FAF5E955BA9E6051B3?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8365356 CJEU, 16 July 2020, DPC v Facebook Ireland and Maximilan Schrems, C-311/18], §112 for this argument. The DPA pointed out that in this regard, the Belgian legislator has explicitly recognised the need for the DPA to be able to act selectively with a view to an effective and efficient enforcement policy in an explanatory memorandum to a legislative measure proposal. | ||
Finally, the GBA considered that the complaint | Finally, the GBA considered that the context of the complaint made it more appropriate for it to be dealt with by another competent authority. | ||
== Comment == | == Comment == | ||
The GDPR in no way states that the objective right to lodge a complaint does not imply that every complaint can and will be thoroughly investigated. The GBA referenced §112 of the Schrems II case which indicates the following: | |||
“''Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence''.” | |||
This in no way confirms the argument that the DPA is trying to put forward. Therefore, referencing this CJEU case to argue that a DPA does not have to thoroughly investigate the complaint given the intrinsic lack of resources is quite peculiar. | This in no way confirms the argument that the DPA is trying to put forward. Therefore, referencing this CJEU case to argue that a DPA does not have to thoroughly investigate the complaint given the intrinsic lack of resources is quite peculiar. | ||
In fact, the CJEU has even confirmed in the Schufa judgement that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action. | In fact, the CJEU has even confirmed in the [https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C%E2%80%9126/22_and_C%E2%80%9164/22_-_SCHUFA Schufa judgement] that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action. | ||
But even if it was said in an explanatory memorandum that the Belgian DPA must be able to act selectively with a view to an effective and efficient enforcement policy, such a practice would evidently be contrary to the GDPR and CJEU case-law. | |||
== Further Resources == | == Further Resources == | ||
Revision as of 14:31, 26 June 2024
| APD/GBA - 91/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 77 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | 03.06.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 91/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (in NL) |
| Initial Contributor: | nzm |
The DPA dismissed a case considering that the right to lodge a complaint does not imply that every complaint will be thoroughly investigated by the competent authority. The authority can choose to handle complaints selectively with a view to an effective and efficient enforcement policy.
English Summary
Facts
The data subject’s parents leased a property to a relative. Upon termination of the residential lease, a release of the rental deposit was agreed. The data subject was asked by a bank (‘controller’) to provide a copy of the identity cards of her parents, or for her parents to go to the bank in person for the purpose of identification.
The data subject refused to do so, arguing that neither the anti-money laundering legislation, nor the legislation on residential tenancy imposed such a requirement for the release of the rental deposit. Moreover, due to their health condition, her parents could not visit the controller in person.
The data subject still provided a copy of her parents’ identity card; expressly stating that this action did not imply her agreement with the requirement to present these documents. She lodged a complaint with the Belgian DPA (‘GBA’) against the controller.
Holding
The GBA explained that the DPA can decide to dismiss a case and that there are two types of dismissals: (i) a ‘technical dismissal’ if the case file contains no or insufficient elements that could lead to a conviction or (ii) a ‘policy dismissal’ if, despite the presence of elements that could lead to a sanction, the continuation of the examination of the complaint does not seem appropriate in the light of the priorities of the DPA. In the present case, the GBA adopted such a ‘policy dismissal’.
First, the GBA did not consider it appropriate to conduct a hearing on the merits because of the low probability of success of the complaint. The DPA explained that it was clear from the submissions made by the data subject that the controller processed identity cards in the context of the obligations imposed on financial banking institutions under the Anti-Money Laundering Act. This regulation requires banks to identify and verify persons at the beginning of the business relationship, but also on an ongoing basis when occasional transactions occur.
The DPA referred to the duty of identification (know your customer principle) and to the duty of vigilance (Anti-Money Laundering Act) and considered that due to the existence of such a legal obligation on the controller, it was not appropriate to deal with the complaint in a hearing on the merits.
Second, the GBA decided not to follow up on the case for reasons of expediency. The DPA indicated that under Article 77 GDPR, any data subject whose personal data are processed within the territorial scope of the GDPR has the right to lodge a complaint. However, the GBA held that this objective right to lodge a complaint does not imply that every complaint can and will also be thoroughly investigated by the competent authority, given the intrinsic lack of resources and referred to CJEU, 16 July 2020, DPC v Facebook Ireland and Maximilan Schrems, C-311/18, §112 for this argument. The DPA pointed out that in this regard, the Belgian legislator has explicitly recognised the need for the DPA to be able to act selectively with a view to an effective and efficient enforcement policy in an explanatory memorandum to a legislative measure proposal.
Finally, the GBA considered that the context of the complaint made it more appropriate for it to be dealt with by another competent authority.
Comment
The GDPR in no way states that the objective right to lodge a complaint does not imply that every complaint can and will be thoroughly investigated. The GBA referenced §112 of the Schrems II case which indicates the following:
“Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”
This in no way confirms the argument that the DPA is trying to put forward. Therefore, referencing this CJEU case to argue that a DPA does not have to thoroughly investigate the complaint given the intrinsic lack of resources is quite peculiar.
In fact, the CJEU has even confirmed in the Schufa judgement that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action.
But even if it was said in an explanatory memorandum that the Belgian DPA must be able to act selectively with a view to an effective and efficient enforcement policy, such a practice would evidently be contrary to the GDPR and CJEU case-law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6
Dispute Chamber
Decision 91/2024 of June 13, 2024
File number: DOS-2024-00832
Subject: Complaint regarding the obligation to submit (a copy).
of) of the identity card at a financial banking institution for fraud prevention
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant” Decision 91/2024 — 2/6
I. Facts and procedure
1. On 29 November 2023, the complainant lodges a complaint with the Data Protection Authority
against the defendant.
2. The complainant's parents rented a property to a family member. Upon termination
of the housing lease became a release of the rental deposit
agreed. In this context, the defendant, a bank branch, informed the complainant
asked to either provide a copy of the landlord's identity card, i.e.
her parents, or that both parents would go to the bank office in person
for the purpose of identification. The complainant initially refused this because she stated that
neither the anti-money laundering legislation nor the legislation on residential rentals has any such effect
requirement in the context of the release of the rental deposit. Besides, it was for
her parents are unable to attend in person due to their health
defendant. With a view to a quick release of the guarantee, the complainant has
provided a copy of her parents' identity card, expressly stating:
indicates that this action does not imply that she agrees with the requirement to do so
to submit documents.
3. On February 14, 2024, the complaint will be declared admissible by the First Line Service on
on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
II. Justification
4. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis
of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG
assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case
the Disputes Chamber will dismiss the complaint in accordance with Article 95,
§ 1, 3° WOG, based on the following justification.
5. If a complaint is dismissed, the Disputes Chamber will make its decision
to motivate gradually and:
- to issue a technical dismissal if the file does not exist or is insufficient
contains elements that could lead to a conviction, or if there is insufficient
there is a prospect of a conviction due to a technical obstacle,
which prevents her from reaching a decision;
1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18. Decision 91/2024 — 3/6
- or declare a policy rejection, if despite the presence of elements
that could lead to a sanction, the continuation of the investigation
dossier does not seem appropriate in the light of the priorities of the
Data Protection Authority, as specified and explained in the
dismissal policy of the Disputes Chamber. 2
6. In the event of dismissal on more than one ground, the grounds for dismissal (resp.
3
technical dismissal and policy dismissal) should be treated in order of importance.
7. In the present file, the Disputes Chamber will dismiss the complaint,
on the basis of policy grounds for dismissal. Below is an explanation of the
reasoning of the Disputes Chamber that is the basis for the decision as to why
considers it undesirable to take further action on the file and therefore decides not to proceed
proceed to, inter alia, a substantive treatment.
8. In this case, the Disputes Chamber does not consider it appropriate to proceed with a hearing
due to the low risk of the complaint. In accordance with Article 6 of the GDPR
There are six possible legal grounds on which a controller can carry out processing
can base. This is clearly evident from the documents submitted by the complainant
The defendant's processing of the complainant's identity card is part of the obligations
be imposed on a financial banking institution in accordance with the Wet tot
prevention of money laundering and the financing of terrorism
of the use of cash of October 6, 2017 (hereinafter: the Anti-Money Laundering Act).
9. Reference should therefore be made to the Anti-Money Laundering legislation that applies to
financial banking institutions (in particular Article 8, §2, 1°, Article 19, §1, 1° and 3°, Article 21,
§1 and 26, §1 and 27 and articles 30, 33 and 35). These provisions oblige banks to provide persons
to identify and verify, not only at the beginning of the business relationship, but also
continuously when occasional transactions occur (which is the case in this case). 4
10. The Disputes Chamber refers in this case to the identification obligation (according to the Know-Your-
Customer/Know-Your-Customer principle), as well as to the duty of vigilance provided for in
5
the Anti-Money Laundering legislation. The Disputes Chamber does not consider the current complaints procedure to be appropriate
2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3
Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber.
4G. GOYVAERTS and V. SEYNAEVE, “[Preventive part of the anti-money laundering legislation] The law of 18 September 2017” in A.
TIBERGHIEN, Handbook of Tax Law, Wolters Kluwers Belgium, Mechelen, 2023, 3056.
5
Act of 18 September 2018 on the prevention of money laundering and the financing of terrorism and on limiting
of the use of cash, hereinafter “Anti-Money Laundering Act”:
https://www.ejustice.just.fgov.be/eli/wet/2017/09/18/2017013368/justel;enReglementvandeNationaleBankvanBelgiëvan
November 21, 2017 on the prevention of money laundering and terrorist financing; D. Goens, Data
protection at financial institutions, Intersentia, Antwerp, 2018, 442 et seq. Decision 91/2024 — 4/6
prevents the defendant from refusing to issue the requested release of the rental deposit
if the complainant continues to refuse the requested identification documents from her parents
and/or provide the update of these identification documents to the defendant and
that in the light of the aforementioned Anti-Money Laundering legislation. The Dispute Chamber points out
Please note that the institutions subject to these anti-money laundering obligations have a
have developed procedural processing activity that is plausible and that it
presentation of (a copy of) the electronic identity card
anti-money laundering purposes are not questioned by the Disputes Chamber. Also the
necessary/legal updating of the personal data via another copy or
reading of the identity card is not questioned by the Disputes Chamber.
11. It is because of the existence of such a legal obligation under
defendant that the Disputes Chamber does not consider it appropriate to file the relevant complaint
ground to be treated. Primafacie, they cannot establish a violation of the GDPR.
12. The Disputes Chamber decides not to follow up on the matter for expediency reasons
file. Under Article 77 of the GDPR, every data subject whose personal data
are processed within the territorial scope of the GDPR, of a
right of complaint. However, this objective right to complain does not imply that every complaint also applies
can and will be thoroughly investigated by the competent authority, given the intrinsic nature
lack of resources. 7 The Belgian legislator has recognized in this regard “the need for the
Data protection authority to be able to act selectively with a view to a
effective and efficient enforcement policy” is explicitly recognised. 8
13. Secondly, and in a subordinate order, the Disputes Chamber determines that the complaint is appropriate
in a broader context which it is more appropriate to be dealt with by a
other competent authority. The Disputes Chamber determines that the complaint must be framed
are in the broader context of the release of the rental deposit and the applicable
procedures set up for this purpose by the defendant in accordance with applicable legislation
about this. The Disputes Chamber does not consider it appropriate for it to suspend the procedures of
to test the defendant regarding the release of the rental deposit against the applicable
legislation in this regard. Bearing this in mind, the Disputes Chamber rules that its intervention in
in this case is not strictly necessary and that it is more expedient for the complainant to
6See in particular Article 35 of the Anti-Money Laundering Act
7Cf. Court of Justice EU, judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112
8
Own emphasis in quotation, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the
Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available via:
https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&leg
islat=54&fileID=2648, 51
9
Ground for dismissal B.3 of the dismissal policy of the Disputes Chamber, dated. June 18, 2021, available via
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf. Decision 91/2024 — 6/6
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
To enable the complainant to consider other possible remedies, the
Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 15
(get). Hielke H IJMANS
Chairman of the Disputes Chamber
14The application and its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
15Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
