APD/GBA (Belgium) - 49/2024: Difference between revisions
m (few changes - short summary. facts and holding.) |
mNo edit summary |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 47: | Line 47: | ||
|National_Law_Link_3= | |National_Law_Link_3= | ||
|Party_Name_1= | |Party_Name_1= | ||
|Party_Link_1= | |Party_Link_1= | ||
|Party_Name_2= | |Party_Name_2= | ||
|Party_Link_2= | |Party_Link_2= | ||
|Party_Name_3= | |Party_Name_3= | ||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA found a controller rightfully declined an erasure request | The DPA found a controller rightfully declined an erasure request in accordance with [[Article 17 GDPR|Article 17(3)(e) GDPR]] since the controller demonstrated that the data is needed for future criminal proceedings against the data subject. | ||
== English Summary == | == English Summary == | ||
Line 74: | Line 74: | ||
The data controller rejected the erasure request, because the data subject gave consent to the data processing and, afterwards, the controller needed to keep the data for an overriding public interest. | The data controller rejected the erasure request, because the data subject gave consent to the data processing and, afterwards, the controller needed to keep the data for an overriding public interest. | ||
The data subject filed a complaint with | The data subject filed a complaint with the Belgian DPA (APD/GBA). | ||
During the examination proceedings, the controller argued that the decision to reject the erasure request was based on Article 10 (1)(1) and Article 10 (1)(3) of the [https://etaamb.openjustice.be/nl/wet-van-30-juli-2018_n2018040581.html Dutch Personal Data Protection Law] (Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens). This law authorized the controller to process the data contrary to data subject’s request, since the data subject would potentially be accused of criminal offences and the controller would be involved in the proceedings. Hence, as a party to the proceedings, the controller could provide the authority with necessary evidence. | During the examination proceedings, the controller argued that the decision to reject the erasure request was based on Article 10 (1)(1) and Article 10 (1)(3) of the [https://etaamb.openjustice.be/nl/wet-van-30-juli-2018_n2018040581.html Dutch Personal Data Protection Law] (Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens). This law authorized the controller to process the data contrary to data subject’s request, since the data subject would potentially be accused of criminal offences and the controller would be involved in the proceedings. Hence, as a party to the proceedings, the controller could provide the authority with necessary evidence. | ||
Line 85: | Line 85: | ||
The DPA rejected the alleged refusal to act on the access request. According to the DPA, the controller did not respond to data subject access request, but during the proceedings the controller confirmed their readiness to do so. | The DPA rejected the alleged refusal to act on the access request. According to the DPA, the controller did not respond to data subject access request, but during the proceedings the controller confirmed their readiness to do so. | ||
On the allegation of the erasure request refusal, the DPA found it manifestly unfounded. The DPA referred to the wording of [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]], which excluded the application of right to erasure in cases where data are necessary “for the establishment, exercise or defence of legal claims.”. The controller proved it was reasonably plausible the data at hand be used for future (possible) criminal proceedings against data subject. Also, the scope of data requested by the data subject suggested a future proceedings | On the allegation of the erasure request refusal, the DPA found it manifestly unfounded. The DPA referred to the wording of [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]], which excluded the application of right to erasure in cases where data are necessary “for the establishment, exercise or defence of legal claims.”. The controller proved it was reasonably plausible the data at hand would be used for future (possible) criminal proceedings against data subject. Also, the scope of data requested by the data subject suggested a future proceedings with the data subject were likely. | ||
== Comment == | == Comment == |
Latest revision as of 07:27, 20 August 2024
APD/GBA - 49/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 17(3)(e) GDPR Article 10(1)(3) Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 29.03.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 49/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | wp |
The DPA found a controller rightfully declined an erasure request in accordance with Article 17(3)(e) GDPR since the controller demonstrated that the data is needed for future criminal proceedings against the data subject.
English Summary
Facts
A data subject requested access to and erasure of their personal data. A fear of a “major negative personal impact”, including possible defamation was indicated as a reason for the request to erase the data.
The data controller rejected the erasure request, because the data subject gave consent to the data processing and, afterwards, the controller needed to keep the data for an overriding public interest.
The data subject filed a complaint with the Belgian DPA (APD/GBA).
During the examination proceedings, the controller argued that the decision to reject the erasure request was based on Article 10 (1)(1) and Article 10 (1)(3) of the Dutch Personal Data Protection Law (Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens). This law authorized the controller to process the data contrary to data subject’s request, since the data subject would potentially be accused of criminal offences and the controller would be involved in the proceedings. Hence, as a party to the proceedings, the controller could provide the authority with necessary evidence.
In addition, the data controller explained that an overriding public interest referred to a type of potential proceedings.
Holding
The DPA considered that the compliant consisted of two separate issues, namely the refusal answer the access request and the refusal to fulfil the erasure request.
The DPA rejected the alleged refusal to act on the access request. According to the DPA, the controller did not respond to data subject access request, but during the proceedings the controller confirmed their readiness to do so.
On the allegation of the erasure request refusal, the DPA found it manifestly unfounded. The DPA referred to the wording of Article 17(3)(e) GDPR, which excluded the application of right to erasure in cases where data are necessary “for the establishment, exercise or defence of legal claims.”. The controller proved it was reasonably plausible the data at hand would be used for future (possible) criminal proceedings against data subject. Also, the scope of data requested by the data subject suggested a future proceedings with the data subject were likely.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7 Dispute Chamber Decision 49/2024 of March 29, 2024 File number: DOS-2024-00015 Subject: complaint for failure to respond to a request for access and refusal erasure of data for reasons of important public interest The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: X, hereinafter “the complainant”; The defendant: Y, represented by master K RISTIEN V ANDERHEIDEN, hereinafter “de defendant". Decision 49/2024 — 2/7 I. Facts and procedure 1. The subject of the complaint concerns the failure to respond to a request for access and the refuse erasure of data for reasons of important public interest. 2. On December 30, 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. On October 13, 2023, the complainant submitted a request for access and subsequent deletion of his personal data submitted to the defendant. After all, the complainant feared a “major negative personal impact” in the form of possible defamation and defamation. On October 22 2023, the defendant replied that he had received the requests and would submit them with his counsel. On December 30, 2023, the defendant replied that he had no action could grant his request for data erasure because the complainant agreed upon registration had given to process his data and because the defendant needed the data retained for the sake of an important public interest. 3. On January 9, 2024, the complaint was declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint was dismissed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber. 4. On February 23, 2024, the Disputes Chamber asked 3 questions for clarification defendant: - On what exception does the defendant base his refusal to inspect? the complainant's personal data in his possession, as the defendant, based on the documents, does not appear to grant access? - On what “prior agreement”, as mentioned in the email of December 30 2023, the defendant relies on the inspection and/or deletion of refuse personal data? - On what “important public interest”, as cited in the email of 30 December 2023, the defendant believes he can support the erasure of refuse personal data and what legal basis he believes he has for this can invoke, given that the term 'substantial public interest' is used in the GDPR used in the context of processing special categories of facts? The Disputes Chamber also points out to the defendant Article 15.4 GDPR and recital 63 GDPR which states that the complainant should not be withheld all information. The complainant confirmed receipt of these requests for clarification to the same day defendant. Decision 49/2024 — 3/7 5. On March 6, 2024, the defendant responded to the questions of the Disputes Chamber. The the complainant also received a copy of this response. - The defendant had not allowed access because of a possible danger the privacy of others, partly because the police will open a file in June 2023 would have been opened against the complainant. The defendant wanted to handle the personal data, but is now prepared to provide access to the data of the complainant. - The “prior agreement” concerns the privacy statement that the complainant has signed. The defendant does not rely on this document to justify the erasure to refuse. - The grounds used by the defendant to refuse the erasure are based on Article 10, §1, 1° and 3° of the Act on the Protection of Natural Persons regarding the processing of personal data from July 30, 2018. The the complainant would have been accused of criminal offences, in which the defendant would be involved as a party or in which the defendant could contribute evidence or crucial precedents in favor of the common interest. The heavy weight of the common interest is explained by the fact that it contains details of criminal convictions or criminal offences Re. The defendant adds that Article 15.4 GDPR was complied with by signing of the privacy policy document by the complainant. II. Justification 6. From the documents available to the Disputes Chamber, it concludes that the complaint consists of: 2 parts. On the one hand, the defendant did not respond to a request for access the complainant's personal data. On the other hand, the defendant refused the to erase personal data of the complainant upon his request. The Dispute Chamber will treat the 2 parts separately in its motivation. 7. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification. Decision 49/2024 — 4/7 8. If a complaint is dismissed, the Disputes Chamber will make its decision 1 to motivate gradually and: - to issue a technical dismissal if the file does not exist or is insufficient contains elements that could lead to a conviction, or if there is insufficient there is a prospect of a conviction due to a technical obstacle, which prevents her from reaching a decision; - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber. 2 9. In the event of dismissal on more than one ground, the grounds for dismissal (resp. technical dismissal and policy dismissal) should be treated in order of importance. 3 Part 1: failure to respond to a request for access to personal data 10. In the present file, the Disputes Chamber will dismiss this part 1 of the complaint for reasons of expediency, which makes it undesirable to continue to follow up on the file and therefore decide not to proceed with, inter alia, one treatment on the merits. The Disputes Chamber weighs the personal consequences of the circumstances of the complaint affect the fundamental rights and freedoms of the complainant against the effectiveness of its action, when it decides whether it considers it appropriate to handle the complaint further. In this case, the subject of the complaint has disappeared as a result of the measures taken by the defendant. 4 11. Although the defendant did not respond to the request for access submitted by the complainant on October 13, 2023, the defendant responded to the The Disputes Chamber has still declared its willingness to grant access to the complainant: “The client is now prepared to grant [the complainant] access to the file in question his personal data. The Client will make the necessary practical arrangements for this with [the complainant].” Part 2: refusing to erase data for compelling general reasons interest 1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18. 2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf 3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber. 4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber. Decision 49/2024 — 5/7 12. In the present file, the Disputes Chamber will dismiss this part 2 of the complaint on the basis of a technical dismissal. After all, she judges that part 2 of the complaint is manifestly unfounded, as a result of which it considers it undesirable to take further action to the file and therefore decides not to proceed with, inter alia, a hearing at ground. 13. The complaint is manifestly unfounded as the right to erasure of data according to Article 17, § 3, e) GDPR does not apply if the processing is necessary “for the establishment, exercise or substantiation of a legal claim”. The defendant makes it sufficiently plausible in the documents that such a legal action will result in the future the possibilities, resulting in the deletion of the complainant's data could prevent substantiation of this possible legal claim. 14. In addition, the complainant also indirectly points out facts that may be of such a nature that a legal action is possible - to state in his complaint that it concerns “unproven facts”; - to state in his request that he wants access to the following documents: o “The report of the day of the complaint itself […]” o “A copy of the procedure for dealing with cross-border behaviour […]" o “A copy of the so-called “logbook”, in which all the events step are described step by step […]” 15. Given the nature of the alleged facts, in particular transgressive behavior, it is not unthinkable that criminal proceedings could be initiated against the complainant. Because of the secrecy of the research, it would not be unusual for the defendant would not be aware of this investigation. For these reasons the Dispute Chamber it is sufficient that there is a 'possible' legal action take place in the future to justify that the complainant's data is not be deleted on the basis of Article 17.3.e) GDPR. The Disputes Chamber points out the same point also on the defendant's responsibility to exercise due care and appropriateness the complainant's personal data, especially given the circumstances of this situation. In in particular, the Disputes Chamber points out the defendant's duty to: ensure confidentiality and integrity of the personal data, as provided in Article 5.1.f) GDPR. 5Cf. criterion A.2 in the dismissal policy of the Disputes Chamber. Decision 49/2024 — 7/7 To enable the complainant to consider other possible remedies, the Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 10 (get). Hielke H IJMANS Chairman of the Disputes Chamber 10Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.