APD/GBA (Belgium) - 69/2024: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=69/2024 |ECLI= |Original_Source_Name_1=APD/GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-69-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original...") |
mNo edit summary |
||
| (12 intermediate revisions by 4 users not shown) | |||
| Line 10: | Line 10: | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1=APD/GBA | |Original_Source_Name_1=APD/GBA (Belgium) | ||
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-69-2024.pdf | |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-69-2024.pdf | ||
|Original_Source_Language_1=Dutch | |Original_Source_Language_1=Dutch | ||
| Line 20: | Line 20: | ||
|Type=Complaint | |Type=Complaint | ||
|Outcome= | |Outcome=Rejected | ||
|Date_Started= | |Date_Started= | ||
|Date_Decided=02.05.2024 | |Date_Decided=02.05.2024 | ||
|Date_Published= | |Date_Published= | ||
| Line 28: | Line 28: | ||
|Currency= | |Currency= | ||
|GDPR_Article_1= | |GDPR_Article_1=Article 32 GDPR | ||
|GDPR_Article_Link_1= | |GDPR_Article_Link_1=Article 32 GDPR | ||
|GDPR_Article_2= | |GDPR_Article_2= | ||
|GDPR_Article_Link_2= | |GDPR_Article_Link_2= | ||
|GDPR_Article_3= | |||
|GDPR_Article_Link_3= | |||
|EU_Law_Name_1= | |EU_Law_Name_1= | ||
| Line 38: | Line 40: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1= | |National_Law_Name_1= | ||
|National_Law_Link_1= | |National_Law_Link_1= | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
|Party_Name_1= | |Party_Name_1=X | ||
|Party_Link_1= | |Party_Link_1= | ||
|Party_Name_2= | |Party_Name_2=Y | ||
|Party_Link_2= | |Party_Link_2= | ||
|Party_Name_3= | |||
|Party_Link_3= | |||
|Party_Name_4= | |||
|Party_Link_4= | |||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name= | ||
|Appeal_To_Status= | |Appeal_To_Status=Unknown | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor= | |Initial_Contributor= wp | ||
| | | | ||
}} | }} | ||
The DPA dismissed a complaint | The DPA dismissed a complaint filed by a data subject after a data breach. It found the controller’s technical and organisational measures under [[Article 32 GDPR|Article 32 GDPR]] were appropriate. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A bank’s employee, an ex-girlfriend of data subject, allegedly consulted data subject's personal data for one and a half of a year. | |||
The data subject | The data subject contacted the bank (controller) twice, claiming that the controller’s employee (his ex-girlfriend) breached the confidentiality of the data, as she consulted the data outside controller's instructions, namely to stalk the data subject. Also, the data subject asked about the measures taken by the controller against the employee. | ||
Later on, the data subject decided to file a complaint with the police against his ex-girlfriend on charge of stalking. | |||
In response, the controller explained that the employee processed the data subject's data outside of her professional capacity and without controller's instruction. Additionally, the controller, implemented necessary and proportionate measures, as well as reported the breach with the Belgian DPA (APD/GBA). | |||
The data subject did not share the views of the controller and, consequently, filed a complaint with the DPA and [https://www.nationaleombudsman.nl/ the National Ombudsman] (Nationale ombudsman), claiming a breach of confidentiality by the controller. | |||
=== Holding === | === Holding === | ||
The | The DPA dismissed the data subject's complaint. | ||
Firstly, the actions taken by the controller after data subject’s notification were sufficient in the situation at hand. The controller implemented measures which adequately dealt with the breach of confidentiality. As a result, the DPA found no evidence that the measures were ineffective, especially they did not stop the employee from further unlawful conduct. At the same time, the controller acted proactively, preventing similar breaches to occur in the future. Therefore, the subject matter of the case was obsolete. | |||
Secondly, the DPA stated the complaint brought by the data subject also covered the criminal offence of stalking. However, the DPA had no jurisdiction over criminal cases of that kind, which made this part of compliant inadmissible. | |||
== Comment == | == Comment == | ||
| Line 142: | Line 148: | ||
The defendant: La banque Y, hereinafter “the defendant”. Decision 69/2024 — 2/6 | The defendant: La banque Y, hereinafter “the defendant”. Decision 69/2024 — 2/6 | ||
| Line 208: | Line 214: | ||
of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG | of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG | ||
transferred to the Disputes Chamber. Decision 69/2024 — 3/6 | transferred to the Disputes Chamber. Decision 69/2024 — 3/6 | ||
| Line 267: | Line 273: | ||
8. Firstly, the subject of the complaint appears to have disappeared as a result of the measures taken | 8. Firstly, the subject of the complaint appears to have disappeared as a result of the measures taken | ||
were taken by the controller. 4 | were taken by the controller. 4 | ||
| Line 287: | Line 293: | ||
dismissal policy of the Disputes Chamber. | dismissal policy of the Disputes Chamber. | ||
4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber. Decision 69/2024 — 4/6 | 4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber. Decision 69/2024 — 4/6 | ||
| Line 367: | Line 373: | ||
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system | in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system | ||
of the Ministry of Justice (Article 32ter of the | of the Ministry of Justice (Article 32ter of the Dutch Civil Code). | ||
| Line 439: | Line 445: | ||
1The petition with its attachment will be sent by registered letter | 1The petition with its attachment will be sent by registered letter in as many copies as there are parties involved | ||
deposited with the clerk of the court or at the registry. | deposited with the clerk of the court or at the registry. | ||
1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber. | 1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber. | ||
</pre> | </pre> | ||
Latest revision as of 07:29, 20 August 2024
| APD/GBA - 69/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 02.05.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | X Y |
| National Case Number/Name: | 69/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (Belgium) (in NL) |
| Initial Contributor: | wp |
The DPA dismissed a complaint filed by a data subject after a data breach. It found the controller’s technical and organisational measures under Article 32 GDPR were appropriate.
English Summary
Facts
A bank’s employee, an ex-girlfriend of data subject, allegedly consulted data subject's personal data for one and a half of a year.
The data subject contacted the bank (controller) twice, claiming that the controller’s employee (his ex-girlfriend) breached the confidentiality of the data, as she consulted the data outside controller's instructions, namely to stalk the data subject. Also, the data subject asked about the measures taken by the controller against the employee.
Later on, the data subject decided to file a complaint with the police against his ex-girlfriend on charge of stalking.
In response, the controller explained that the employee processed the data subject's data outside of her professional capacity and without controller's instruction. Additionally, the controller, implemented necessary and proportionate measures, as well as reported the breach with the Belgian DPA (APD/GBA).
The data subject did not share the views of the controller and, consequently, filed a complaint with the DPA and the National Ombudsman (Nationale ombudsman), claiming a breach of confidentiality by the controller.
Holding
The DPA dismissed the data subject's complaint.
Firstly, the actions taken by the controller after data subject’s notification were sufficient in the situation at hand. The controller implemented measures which adequately dealt with the breach of confidentiality. As a result, the DPA found no evidence that the measures were ineffective, especially they did not stop the employee from further unlawful conduct. At the same time, the controller acted proactively, preventing similar breaches to occur in the future. Therefore, the subject matter of the case was obsolete.
Secondly, the DPA stated the complaint brought by the data subject also covered the criminal offence of stalking. However, the DPA had no jurisdiction over criminal cases of that kind, which made this part of compliant inadmissible.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6
Dispute Chamber
Decision 69/2024 of May 2, 2024
File number: DOS-2024-01292
Subject: Your complaint regarding a breach of your confidentiality
personal data
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”;
The defendant: La banque Y, hereinafter “the defendant”. Decision 69/2024 — 2/6
I. Facts and procedure
1. The subject of the complaint concerns an alleged breach of confidentiality
personal data of the complainant that are processed by the defendant.
2. On March 7, 2024, the complainant filed a complaint with the GBA. The complaint concerns an infringement
the confidentiality of the complainant's personal data by an employee of the
defendant.
On February 8, 2024, the complainant sent an email to the defendant to complain
about an employee who would use the complainant's personal data several times
have been consulted in the last 1.5 years. The employee was due to do so in December
2023 have been addressed by the defendant and the consultations of the
admitted personal data. The complainant inquired about the
measures taken against this employee, who has also been the ex-girlfriend of 1.5 years
complainant were struck by the defendant.
On February 16, 2024, the complainant contacted the defendant again
inquire about the measures taken against the employee, because
he had been told that these measures were far from sufficient.
On February 17, 2024, the complainant filed a complaint with the police, of which the PV is responsible
attached in the documents. The complainant stated that he felt morally damaged and
to be concerned that the defendant could no longer be stalked
would have taken sufficient measures to prevent this.
On February 28, 2024, the defendant responded to the complaint. She confirmed that the
employee consulted the complainant's data “without a professional context
and without a mandate”. “Necessary and proportionate measures” were taken
taken against the employee. The defendant also reported that the infringement
was reported to the Data Protection Authority.
On March 4, 2024, the complainant responded to the communication by email
defendant with the message that he did not consider the measures proportionate and that
in the meantime he had filed a complaint with the police against the employee. He asked
also that he would file a complaint with the ombudsman and with the
Data Protection Authority.
3. On March 28, 2024, the complaint was declared admissible by the First Line Service on the grounds
of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber. Decision 69/2024 — 3/6
II. Justification
4. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis
of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG
assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case
the Disputes Chamber will dismiss the complaint in accordance with Article 95,
§ 1, 3° WOG, based on the following justification.
5. If a complaint is dismissed, the Disputes Chamber will make its decision
1
to motivate gradually and:
- to issue a technical dismissal if the file does not exist or is insufficient
contains elements that could lead to a conviction, or if there is insufficient
there is a prospect of a conviction due to a technical obstacle,
which prevents her from reaching a decision;
- or declare a policy rejection, if despite the presence of elements
that could lead to a sanction, the continuation of the investigation
dossier does not seem appropriate in the light of the priorities of the
Data Protection Authority, as specified and explained in the
dismissal policy of the Disputes Chamber. 2
6. In the event of dismissal on more than one ground, the grounds for dismissal (resp.
3
technical dismissal and policy dismissal) should be treated in order of importance.
7. In the present file, the Disputes Chamber will dismiss the complaint,
on the basis of an expediency dismissal. There are two motives underlying the decision
decision of the Disputes Chamber as to why it considers it undesirable to take further action
to the file and therefore decides not to proceed with, inter alia, a hearing at
ground
8. Firstly, the subject of the complaint appears to have disappeared as a result of the measures taken
were taken by the controller. 4
The complaint of February 8, 2024, addressed to the defendant, seems to have been brought to her attention
have on the possible violation of the confidentiality of the personal data of
1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18.
2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber.
4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber. Decision 69/2024 — 4/6
the complainant by an employee. This means that the defendant is the employee
who allegedly admitted the violation.
On February 28, 2024, the defendant informed the complainant of this
violation of the confidentiality of personal data and of the necessary and
proportionate measures that would have been taken to avoid this violation in the
future. The defendant has also submitted a data breach notification
to the Data Protection Authority.
9. The Disputes Chamber has no elements that could indicate that the violation
of the confidentiality of the complainant's personal data would not have stopped and
that the defendant's measures would not have been sufficient to prevent a
to prevent similar violations in the future. Without the importance of it forward
want to minimize the incident, the Disputes Chamber rules that a
treatment on the merits does not seem appropriate.
10. Secondly, the complaint is a secondary dispute in a broader dispute that must be settled
for courts and tribunals. 5
Following the alleged facts, the complainant filed a complaint on February 17, 2024
submitted to the police, the report of which was added to the documents. In this complaint
the complainant declares that he no longer wants to be stalked and that he feels morally damaged.
Stalking, which is the legal term under attack, is made punishable in Article 442bis of
6
the Criminal Code, which does not fall within the powers of the Disputes Chamber. The
Disputes Chamber is also not authorized to assess any moral damage suffered by a party
assess data protection breach.
Given the interpersonal context of the complaint, given the complaint filed with
the police before a complaint was filed with the Data Protection Authority and seen
the Disputes Chamber does not appear to have jurisdiction over various elements of the main dispute
a treatment on the merits of this breach of confidentiality
personal data by the Disputes Chamber is also not appropriate.
III. Publication and communication of the decision
11. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
5Cf. criterion B.3 in the dismissal policy of the Disputes Chamber.
6Article 442bis SW: “He who has harassed a person while he knew or should have known that his behavior caused him to rest in peace
would seriously disturb that person, shall be punished with imprisonment of fifteen days to two years and with
fine of fifty [euros] to three hundred [euros] or one of those penalties alone. […]” Decision 69/2024 — 6/6
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system
of the Ministry of Justice (Article 32ter of the Dutch Civil Code).
To enable the complainant to consider other possible remedies, the
11
Disputes Chamber will refer the complainant to the explanation in its dismissal policy.
[The Dispute Chamber emphasizes that the closure of cases by the
Data Protection Authority may be taken into account for its future
determine priorities and/or may give rise to future investigations on its own initiative
by the Inspection Service of the Data Protection Authority].
(get). Hielke IJMANS
Chairman of the Disputes Chamber
1The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
