APD/GBA (Belgium) - 49/2024: Difference between revisions
From GDPRhub
m (→Facts) |
No edit summary |
||
| Line 65: | Line 65: | ||
}} | }} | ||
The DPA found a controller rightfully declined an erasure request in accordance with [[Article 17 GDPR|Article 17(3)(e) GDPR]] since the controller | The DPA found a controller rightfully declined an erasure request in accordance with [[Article 17 GDPR|Article 17(3)(e) GDPR]] since the controller demonstrated that the data is needed for future criminal proceedings against the data subject. | ||
== English Summary == | == English Summary == | ||
Revision as of 15:05, 7 August 2024
| APD/GBA - 49/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 17(3)(e) GDPR Article 10(1)(3) Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 29.03.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 49/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (in NL) |
| Initial Contributor: | wp |
The DPA found a controller rightfully declined an erasure request in accordance with Article 17(3)(e) GDPR since the controller demonstrated that the data is needed for future criminal proceedings against the data subject.
English Summary
Facts
A data subject requested access to and erasure of their personal data. A fear of a “major negative personal impact”, including possible defamation was indicated as a reason for the request to erase the data.
The data controller rejected the erasure request, because the data subject gave consent to the data processing and, afterwards, the controller needed to keep the data for an overriding public interest.
The data subject filed a complaint with Dutch DPA (APD/GBA).
During the examination proceedings, the controller argued that the decision to reject the erasure request was based on Article 10 (1)(1) and Article 10 (1)(3) of the Dutch Personal Data Protection Law (Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens). This law authorized the controller to process the data contrary to data subject’s request, since the data subject would potentially be accused of criminal offences and the controller would be involved in the proceedings. Hence, as a party to the proceedings, the controller could provide the authority with necessary evidence.
In addition, the data controller explained that an overriding public interest referred to a type of potential proceedings.
Holding
The DPA considered that the compliant consisted of two separate issues, namely the refusal answer the access request and the refusal to fulfil the erasure request.
The DPA rejected the alleged refusal to act on the access request. According to the DPA, the controller did not respond to data subject access request, but during the proceedings the controller confirmed their readiness to do so.
On the allegation of the erasure request refusal, the DPA found it manifestly unfounded. The DPA referred to the wording of Article 17(3)(e) GDPR, which excluded the application of right to erasure in cases where data are necessary “for the establishment, exercise or defence of legal claims.”. The controller proved it was reasonably plausible the data at hand would be used for future (possible) criminal proceedings against data subject. Also, the scope of data requested by the data subject suggested a future proceedings with the data subject were likely.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7
Dispute Chamber
Decision 49/2024 of March 29, 2024
File number: DOS-2024-00015
Subject: complaint for failure to respond to a request for access and refusal
erasure of data for reasons of important public interest
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”;
The defendant: Y, represented by master K RISTIEN V ANDERHEIDEN, hereinafter “de
defendant". Decision 49/2024 — 2/7
I. Facts and procedure
1. The subject of the complaint concerns the failure to respond to a request for access and the
refuse erasure of data for reasons of important public interest.
2. On December 30, 2023, the complainant filed a complaint with the
Data Protection Authority against the defendant.
On October 13, 2023, the complainant submitted a request for access and subsequent deletion of his
personal data submitted to the defendant. After all, the complainant feared a “major
negative personal impact” in the form of possible defamation and defamation. On October 22
2023, the defendant replied that he had received the requests and would submit them
with his counsel. On December 30, 2023, the defendant replied that he had no action
could grant his request for data erasure because the complainant agreed upon registration
had given to process his data and because the defendant needed the data
retained for the sake of an important public interest.
3. On January 9, 2024, the complaint was declared admissible by the First Line Service on the grounds
of Articles 58 and 60 WOG and the complaint was dismissed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
4. On February 23, 2024, the Disputes Chamber asked 3 questions for clarification
defendant:
- On what exception does the defendant base his refusal to inspect?
the complainant's personal data in his possession, as the defendant,
based on the documents, does not appear to grant access?
- On what “prior agreement”, as mentioned in the email of December 30
2023, the defendant relies on the inspection and/or deletion of
refuse personal data?
- On what “important public interest”, as cited in the email of 30
December 2023, the defendant believes he can support the erasure of
refuse personal data and what legal basis he believes he has for this
can invoke, given that the term 'substantial public interest' is used in the GDPR
used in the context of processing special categories of
facts?
The Disputes Chamber also points out to the defendant Article 15.4 GDPR and recital 63 GDPR
which states that the complainant should not be withheld all information.
The complainant confirmed receipt of these requests for clarification to the same day
defendant. Decision 49/2024 — 3/7
5. On March 6, 2024, the defendant responded to the questions of the Disputes Chamber. The
the complainant also received a copy of this response.
- The defendant had not allowed access because of a possible danger
the privacy of others, partly because the police will open a file in June 2023
would have been opened against the complainant. The defendant wanted to handle the
personal data, but is now prepared to provide access to the data of the
complainant.
- The “prior agreement” concerns the privacy statement that the complainant has
signed. The defendant does not rely on this document to justify the erasure
to refuse.
- The grounds used by the defendant to refuse the erasure are based on Article
10, §1, 1° and 3° of the Act on the Protection of Natural Persons
regarding the processing of personal data from July 30, 2018. The
the complainant would have been accused of criminal offences, in which the
defendant would be involved as a party or in which the defendant
could contribute evidence or crucial precedents in favor of
the common interest. The heavy weight of the common interest is explained by the
fact that it contains details of criminal convictions or criminal offences
Re.
The defendant adds that Article 15.4 GDPR was complied with by signing
of the privacy policy document by the complainant.
II. Justification
6. From the documents available to the Disputes Chamber, it concludes that the complaint consists of:
2 parts. On the one hand, the defendant did not respond to a request for access
the complainant's personal data. On the other hand, the defendant refused the
to erase personal data of the complainant upon his request. The Dispute Chamber
will treat the 2 parts separately in its motivation.
7. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis
of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG
assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case
the Disputes Chamber will dismiss the complaint in accordance with Article 95,
§ 1, 3° WOG, based on the following justification. Decision 49/2024 — 4/7
8. If a complaint is dismissed, the Disputes Chamber will make its decision
1
to motivate gradually and:
- to issue a technical dismissal if the file does not exist or is insufficient
contains elements that could lead to a conviction, or if there is insufficient
there is a prospect of a conviction due to a technical obstacle,
which prevents her from reaching a decision;
- or declare a policy rejection, if despite the presence of elements
that could lead to a sanction, the continuation of the investigation
dossier does not seem appropriate in the light of the priorities of the
Data Protection Authority, as specified and explained in the
dismissal policy of the Disputes Chamber. 2
9. In the event of dismissal on more than one ground, the grounds for dismissal (resp.
technical dismissal and policy dismissal) should be treated in order of importance. 3
Part 1: failure to respond to a request for access to personal data
10. In the present file, the Disputes Chamber will dismiss this part
1 of the complaint for reasons of expediency, which makes it undesirable to continue
to follow up on the file and therefore decide not to proceed with, inter alia, one
treatment on the merits. The Disputes Chamber weighs the personal consequences of the
circumstances of the complaint affect the fundamental rights and freedoms of the complainant
against the effectiveness of its action, when it decides whether it considers it appropriate
to handle the complaint further. In this case, the subject of the complaint has disappeared as a result
of the measures taken by the defendant. 4
11. Although the defendant did not respond to the request for access submitted by the complainant
on October 13, 2023, the defendant responded to the
The Disputes Chamber has still declared its willingness to grant access to the complainant:
“The client is now prepared to grant [the complainant] access to the file in question
his personal data. The Client will make the necessary practical arrangements for this
with [the complainant].”
Part 2: refusing to erase data for compelling general reasons
interest
1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18.
2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber.
4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber. Decision 49/2024 — 5/7
12. In the present file, the Disputes Chamber will dismiss this part
2 of the complaint on the basis of a technical dismissal. After all, she judges that part 2 of
the complaint is manifestly unfounded, as a result of which it considers it undesirable to take further action
to the file and therefore decides not to proceed with, inter alia, a hearing at
ground.
13. The complaint is manifestly unfounded as the right to erasure of data according to Article
17, § 3, e) GDPR does not apply if the processing is necessary “for the establishment,
exercise or substantiation of a legal claim”. The defendant makes it
sufficiently plausible in the documents that such a legal action will result in the future
the possibilities, resulting in the deletion of the complainant's data
could prevent substantiation of this possible legal claim.
14. In addition, the complainant also indirectly points out facts that may be of such a nature that a
legal action is possible
- to state in his complaint that it concerns “unproven facts”;
- to state in his request that he wants access to the following documents:
o “The report of the day of the complaint itself […]”
o “A copy of the procedure for dealing with cross-border
behaviour […]"
o “A copy of the so-called “logbook”, in which all the events step
are described step by step […]”
15. Given the nature of the alleged facts, in particular transgressive behavior, it is not
unthinkable that criminal proceedings could be initiated against the complainant.
Because of the secrecy of the research, it would not be unusual for the
defendant would not be aware of this investigation. For these reasons the
Dispute Chamber it is sufficient that there is a 'possible' legal action
take place in the future to justify that the complainant's data is not
be deleted on the basis of Article 17.3.e) GDPR. The Disputes Chamber points out the same point
also on the defendant's responsibility to exercise due care and appropriateness
the complainant's personal data, especially given the circumstances of this situation. In
in particular, the Disputes Chamber points out the defendant's duty to:
ensure confidentiality and integrity of the personal data, as provided
in Article 5.1.f) GDPR.
5Cf. criterion A.2 in the dismissal policy of the Disputes Chamber. Decision 49/2024 — 7/7
To enable the complainant to consider other possible remedies, the
Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 10
(get). Hielke H IJMANS
Chairman of the Disputes Chamber
10Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
