APD/GBA (Belgium) - 101/2024: Difference between revisions

From GDPRhub
m (link added)
m (Short summary wording changed.)
 
(5 intermediate revisions by the same user not shown)
Line 65: Line 65:
}}
}}


A data controller received an order from the DPA to answer the data subjects’ access request under [[Article 15 GDPR|Article 15 GDPR]] regarding delivery of unsolicited advertising e-mails.
The DPA ordered a controller to answer the data subjects’ access request under [[Article 15 GDPR|Article 15 GDPR]] regarding the delivery of unsolicited advertising e-mails.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Employees of company A, including a DPO, received an advertising e-mail. The e-mail was sent to the professional e-mail address, promoting an auction organised by the company B (data controller). Later on, the employees were received other unsolicited, advertising e-mails.  
Employees of company A, including a DPO, received an advertising e-mail. The e-mail was sent to the professional e-mail address, promoting an auction organised by the company B (data controller). Later on, the employees received other unsolicited, advertising e-mails.  


The DPO, acting on behalf of the company’s A employees and themselves, exercised the right of access under [[Article 15 GDPR|Article 15 GDPR]], asking for explanation how the controller got access to the list of employees’ e-mail addresses.  
The DPO, acting on behalf of the company’s A employees and themselves, exercised the right of access under [[Article 15 GDPR|Article 15 GDPR]], asking for explanation how the controller got access to the list of employees’ e-mail addresses.  
Line 79: Line 79:
The DPA upheld the complaint.  
The DPA upheld the complaint.  


The DPA held the controller violated [[Article 12 GDPR|Article 12 GDPR]] because it did not react to the request made under [[Article 15 GDPR|Article 15 GDPR]] in a proper manner. Also, the DPA emphasised that [[Article 15 GDPR|Article 15 GDPR]] plays crucial role for every data subject, mostly because it enables them to exercise their right stemming from the GDPR.
The DPA held the controller violated [[Article 12 GDPR|Article 12 GDPR]] because it did not react to the request made under [[Article 15 GDPR|Article 15 GDPR]] in a proper manner. Also, the DPA emphasised that [[Article 15 GDPR|Article 15 GDPR]] had to be treated as a "gateway" allowing the data subject to exercise other  rights conferred on them by the GDPR.


Consequently, the DPA found the violation of Article 12(3) and 12 (4) GDPR and [[Article 15 GDPR|Article 15 GDPR]]. The DPA decided to issue prima facie decision under Article 95 of Act establishing the Data Protection Authority ([https://etaamb.openjustice.be/fr/loi-du-03-decembre-2017_n2017031916.html Loi du 3 décembre 2017 portant création de l'Autorité de protection des données]). The DPA ordered the controller to answer the request of the company’s A employees within 30 days.
Consequently, the DPA found the violation of [[Article 12 GDPR|Article 12(3) GDPR]], [[Article 12 GDPR|Article 12(4) GDPR]] and [[Article 15 GDPR|Article 15 GDPR]]. The DPA issued a prima facie decision under [https://etaamb.openjustice.be/fr/loi-du-03-decembre-2017_n2017031916.html Article 95 of Act establishing the Data Protection Authority] (Loi du 3 décembre 2017 portant création de l'Autorité de protection des données), ordering the controller to comply with the data subjects request within 30 days.


== Comment ==
== Comment ==

Latest revision as of 12:33, 28 August 2024

APD/GBA - 101/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 95 Loi du 3 décembre 2017 portant création de l'Autorité de protection des données
Type: Complaint
Outcome: Upheld
Started:
Decided: 25.07.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 101/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APB/GBA (Belgium) (in FR)
Initial Contributor: wp

The DPA ordered a controller to answer the data subjects’ access request under Article 15 GDPR regarding the delivery of unsolicited advertising e-mails.

English Summary

Facts

Employees of company A, including a DPO, received an advertising e-mail. The e-mail was sent to the professional e-mail address, promoting an auction organised by the company B (data controller). Later on, the employees received other unsolicited, advertising e-mails.

The DPO, acting on behalf of the company’s A employees and themselves, exercised the right of access under Article 15 GDPR, asking for explanation how the controller got access to the list of employees’ e-mail addresses.

The controller did not respond to the request. Hence, the DPO lodged a complaint with the Belgian DPA (APD/BGA) on behalf one of the employees and themselves.

Holding

The DPA upheld the complaint.

The DPA held the controller violated Article 12 GDPR because it did not react to the request made under Article 15 GDPR in a proper manner. Also, the DPA emphasised that Article 15 GDPR had to be treated as a "gateway" allowing the data subject to exercise other rights conferred on them by the GDPR.

Consequently, the DPA found the violation of Article 12(3) GDPR, Article 12(4) GDPR and Article 15 GDPR. The DPA issued a prima facie decision under Article 95 of Act establishing the Data Protection Authority (Loi du 3 décembre 2017 portant création de l'Autorité de protection des données), ordering the controller to comply with the data subjects request within 30 days.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/7

Litigation Chamber

Decision 101/2024 of 25 July 2024

File number: DOS-2023-04076

Subject: Complaint regarding the lack of response to the exercise of the right of access

The Litigation Chamber of the Data Protection Authority, consisting of Mr.

Hielke H IJMANS, President;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and on the

free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter

“LCA”;

Having regard to the internal regulations as approved by the Chamber of Representatives on 20

December 2018 and published in the Belgian Official Journal on 15 January 2019;

Having regard to the documents in the file;

Has taken the following decision concerning:

The complainant: X, hereinafter “the complainant”;

The defendant: Y, hereinafter: “the defendant” or “the defendant”. Decision 101/2024 — 2/7

I. Facts and procedure

1. On 4 October 2023, the complainant, in his capacity as DPO of company Z, lodged a complaint

with the Data Protection Authority (hereinafter “the DPA”) on behalf of the

company’s employees and in his own name, against Y (hereinafter “the

respondent” or “the respondent party”).

2. The subject of the complaint concerns a failure to respond to the exercise of the right of access.

3. On 26 September 2023, the complainant received an automated email at his

personal professional email address from the respondent, which promoted an

auction organised by the latter.

4. On 27 September 2023, the complainant exercised his right of access by requesting the

defendant, on behalf of the company’s employees as well as on his own behalf, to

provide him with specific information. More specifically, he requested that the

defendant provide him with the means by which it was able to access the list of

professional email addresses of the staff of the company where the complainant is

employed.

5. In the complaint form, the complainant indicated that his colleagues had been

receiving unsolicited advertising emails on their professional addresses for

several days.

In an annex to his complaint, the complainant provided as evidence the

email he had received on 26 September 2023 on his only nominative professional

email address.

6. On 24 November 2023, the complaint was declared admissible by the Front Line Service

(hereinafter "FLS") on the basis of Articles 58 and 60 of the LCA and the complaint was forwarded to the
2nd Litigation Chamber pursuant to Article 62, § 1 of the LCA.

7. On 24 January 2024, the complainant informed the DPA that there had been no response from the

defendant.

II. Grounds

8. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the data

protection principles contained in the GDPR and other laws containing

provisions relating to the protection of the processing of personal data.

9. Pursuant to Article 33, § 1 of the LCA, the Litigation Chamber is the administrative litigation body of the APD. It is seized of complaints that the SPL transmits to it pursuant to Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60, paragraph 2 of the LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary for

1
Pursuant to Article 61 of the LCA, the Litigation Chamber hereby informs the parties that the complaint has been
2declared admissible.
Pursuant to Article 95, § 2 of the LCA, the Litigation Chamber hereby informs the parties that, following
this complaint, the file has been forwarded to it. Decision 101/2024 — 3/7

identify the processing of personal data to which they relate and which

fall within the competence of the DPA.

10. Pursuant to Articles 51 et seq. of the GDPR and Article 4, § 1 of the LCA, it is up to the

Litigation Chamber, as the administrative litigation body of the DPA, to exercise

effective control of the application of the GDPR and to protect the fundamental rights and

freedoms of natural persons with regard to the processing and to facilitate the free flow

of personal data within the Union.

11. Pursuant to Article 95 § 2, 3° of the LCA and Article 47 of the

Rules of Procedure of the DPA, a copy of the file may be requested by the parties. If one of the

parties wishes to make use of the possibility of consulting the file, it is required to

contact the secretariat of the Litigation Chamber, preferably via the address

litigationchamber@apd-gba.be.

12. On the basis of the facts described in the complaint file as summarised above, and on

the basis of the powers assigned to it by the legislator under Article 95,

§ 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the complaint; in

this case, the Litigation Chamber decides on the basis of Article 58.2.c) of the GDPR and

Article 95, § 1, 5° of the LCA, to order the defendant to comply with the

request of the person concerned to exercise his rights, more precisely the right of access

submitted by the complainant on 27 September 2023, and this within 30 days from

notification of this decision.

13. The Litigation Chamber takes into consideration the complaint raised by the complainant regarding

the lack of response from the defendant to his request for access exercised

on 27 September 2023, in accordance with Article 15 of the GDPR.

14. Article 4.7) of the GDPR defines the “data controller” as “the natural or legal person, public authority, service or other body which, alone or

jointly with others, determines the purposes and means of the processing”. 3

15. The Litigation Chamber recalls that the data controller must respond to the

request made pursuant to Articles 15 to 22 of the GDPR by the data subject,

in this case a request for access provided for in Article 15 of the GDPR, and in compliance with the

conditions set out in Article 12 of the GDPR.

16. Under Article 12.1 of the GDPR, it is the responsibility of the data controller to take "

appropriate measures to provide any information referred to in Articles 13 and 14 and

to carry out any communication under Articles 15 to 22 and Article 34 with regard to

3
According to Article 4, 2) of the GDPR, "processing" of personal data means "any operation or set of

operations which is performed on personal data or on sets of personal

data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or

alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of

availability, alignment or combination, restriction, erasure or destruction".

GDPR, Art. 12. Decision 101/2024 — 4/7

relates to the processing to the data subject in a concise, transparent,

comprehensible and easily accessible manner, in clear and simple terms [...]. ».

17. The Litigation Chamber also stresses that it is the responsibility of the data controller

to provide the data subject with information on the measures taken following a

request made pursuant to Articles 15 to 22 of the GDPR, as soon as possible and
5
in any event within one month of receipt of the request.

Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months,

taking into account the complexity and number of requests. In such a case, the data controller

shall inform the data subject of this extension and of the reasons for the postponement

within one month of receipt of the request. 7

18. In the event that the controller does not respond to the request made

by the data subject, it shall inform the data subject without delay and at the latest

within one month of receipt of the request of the reasons for its inaction and of the

possibility of lodging a complaint with a supervisory authority and of seeking a

judicial remedy.

19. Furthermore, the Chamber also recalls that, as the controller, the

defendant is required to comply with the data protection principles and must be

able to demonstrate that these are being complied with. It must also

implement all necessary measures to this end (principle of liability – Articles 5.2 and 24 of the

GDPR).

20. Finally, the Litigation Chamber recalls that the right of access is one of the

major requirements of the right to data protection, it constitutes the "gateway" that allows

the exercise of the other rights that the GDPR confers on the data subject, such as the

right to rectification, the right to limitation of processing or the right to erasure.

21. On the basis of the documents supporting the complaint, the Litigation Chamber notes that the

complainant did indeed exercise his right of access on 27 September 2023, in accordance

with Article 15.1 of the GDPR. In addition, it should be noted that the complainant, not appearing to have received a

response to his request, submitted his complaint to the APD on 24 November 2023, thus exceeding the

5GDPR, Art. 12.2 and 12.3 deadlines.

6GDPR, Art. 12.3.
7
8GDPR, art. 12.3.
GDPR, art. 12.4.
9Under this Article 15, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where they are, access to the said personal data as well as the following information (Article 15.1. of the GDPR): the purposes of the processing (a), the categories of personal data (b), the recipients or categories of recipients of the data (c), the retention period (d), information on other rights conferred by the GDPR (e), the right to lodge a complaint with the data protection authority (f), any information on the source of the data when these have not been collected from the data subject (g) and the existence of automated decision-making (h). Article 15.2 of the GDPR
provides that if data is transferred to a third country or an international organisation, the data subject has the
right to be informed of the appropriate safeguards relating to the transfer, in accordance with Article 46 of the GDPR. Article 15.3.
of the GDPR provides that the controller must provide a copy of the personal data undergoing
processing. The controller may charge a reasonable fee for additional copies. If the data subject makes
the request by electronic means, the information must be provided in a commonly used electronic form, unless the data subject
requests otherwise. Decision 101/2024 — 5/7

of the response to the controller pursuant to Articles 12.3 and 12.4 of the GDPR.

As of 24 January 2024, no response has been provided to the complainant. Finally, the

Litigation Chamber underlines that if the defendant had fully complied with the

requirements set out in Article 12 of the GDPR, it would have taken the request for access into account.

This approach would have potentially avoided the complainant having to initiate proceedings before

the DPA.

22. Following the above analysis, the Litigation Chamber considers that the defendant

may have committed a violation of the following provisions: Article 15 of the

GDPR, in conjunction with Articles 12.3 and 12.4 of the GDPR; which justifies the taking of a prima facie decision

by the Litigation Chamber which is as follows: pursuant to Article

58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to

comply with the complainant's request to exercise his right of access.

23. This decision is a prima facie decision taken by the Litigation Chamber

in accordance with Article 95 of the LCA on the basis of the complaint lodged by the complainant,
10
within the framework of the "procedure prior to the substantive decision" and not a decision on the

merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

24. The purpose of this decision is to inform the defendant, presumed to be responsible

for the processing, of the fact that it may have committed a violation of the provisions of the

GDPR, in order to enable it to still comply with the aforementioned provisions.

25. If the defendant does not agree with the content of this prima facie decision and

considers that it can provide factual and/or legal arguments that could lead to a

new decision, it may request a review by the Litigation Chamber in accordance with the

procedure established by Articles 98juncto99 of the LCA, known as the "procedure

on the merits" or "processing of the case on the merits". This request must be sent to

the email address litigationchamber@apd-gba.be within 30 days of

notification of this prima facie decision. Where applicable, the execution of this

decision is suspended for the aforementioned period.

26. In the event of continued processing of the case on the merits, pursuant to Articles 98, 2° and 3°

in conjunction with Article 99 of the LCA, the Litigation Chamber will invite the parties to submit their

submissions and to attach to the file all the documents they deem useful. Where applicable, this

decision is definitively suspended.

27. In the interests of transparency, the Litigation Chamber finally stresses that

processing of the case on the merits may lead to the imposition of the measures referred to in

Article 100 of the LCA.

10
11Section 3 Subsection 2 of the LCA (Articles 94 to 97 inclusive).
Art. 100. § 1 . The Litigation Chamber has the power to

1° dismiss the complaint without further action;

2° order the dismissal of the case;

3° pronounce the suspension of the decision; Decision 101/2024 — 7/7

litigationchamber@apd-gba.be, and this within 30 days after notification of this

decision. If applicable, the execution of this decision is suspended during the

abovementioned period.

And, on the other hand, the defendant may lodge an appeal against this decision in

accordance with Article 108, § 1 of the LCA, within 30 days of its notification, with the

Market Court (Brussels Court of Appeal), with the Data Protection Authority as the

defendant party. Such an appeal may be lodged by means of an interlocutory application which must

contain the information listed in Article 1034ter 12 of the Judicial Code. The interlocutory application must be filed with the registry of the Market Court in accordance with Article

1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice

(Article 32ter of the Judicial Code).

(sé). Hielke H IJMANS

President of the Litigation Chamber

12The application must contain, under penalty of nullity:
1° the indication of the day, month and year;
2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualities and his/her national register number or
company number;

3° the surname, first name, address and, where applicable, the quality of the person to be summoned;
4° the subject and summary statement of the grounds of the application;
5° the indication of the judge who is seized of the application;
6° the signature of the applicant or his/her lawyer.
13The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.