APD/GBA (Belgium) - 85/2021: Difference between revisions
(→Facts) |
|||
(One intermediate revision by the same user not shown) | |||
Line 52: | Line 52: | ||
}} | }} | ||
The Belgian DPA closed a case regarding the use of a municipality database for a political campaign, despite finding | The Belgian DPA closed a case regarding the use of a municipality database for a political campaign, despite finding a violation of the purpose limitation principle. The case involved two defendants, and it could not be established that the first defendant had used the database for the campaign. The second defendant, who did have access to the database, died after the complaint. | ||
== English Summary == | == English Summary == | ||
Line 61: | Line 61: | ||
was subject to a disciplinary measure by the municipality. | was subject to a disciplinary measure by the municipality. | ||
=== Holding === | === Holding === | ||
The litigation chamber of the Belgian DPA closed the case, considering that there was not enough elements to | The litigation chamber of the Belgian DPA closed the case, considering that there was not enough elements to find a violation of the GDPR by the defendant who was still alive. | ||
== Comment == | == Comment == |
Latest revision as of 14:16, 11 August 2021
APD/GBA (Belgium) - 85/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | |
Decided: | 29.07.2021 |
Published: | 29.07.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 85/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French French |
Original Source: | APD (in FR) APD (in FR) |
Initial Contributor: | n/a |
The Belgian DPA closed a case regarding the use of a municipality database for a political campaign, despite finding a violation of the purpose limitation principle. The case involved two defendants, and it could not be established that the first defendant had used the database for the campaign. The second defendant, who did have access to the database, died after the complaint.
English Summary
Facts
The complainant received a letter for a political campaign from candidate to the local elections. The candidates used the "list of seniors" held by the municipality. One of the candidates was working for the municipality, had access to the database at stake, and was subject to a disciplinary procedure after the use of the database was revealed. The candidate died after the complaint was filed. However, it could not be established that the other candidate had access to the database and would be the controller for the sending of the letters he signed.
was subject to a disciplinary measure by the municipality.
Holding
The litigation chamber of the Belgian DPA closed the case, considering that there was not enough elements to find a violation of the GDPR by the defendant who was still alive.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/8 Contentious Room Decision on the merits 85/2021 of July 29, 2021 File number: DOS-2018-05419 Subject: Decision of classification without follow-up for lack of qualification of person in charge of treatment in the defendant's lead - compliance with the finality principle in the sending context electoral propaganda letters The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs Robert Robert and Dirk Van Der Kelen, members, taking up the case in this composition; Vule Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on protection of natural persons with regard to the processing of personal data and on free movement of this data, and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter "GDPR"; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Having regard to the internal regulations as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; took the following decision regarding: . The complainant: Mrs X (hereinafter “the complainant”); . . The defendant: Mr. Y (hereinafter “the defendant”). Decision on the merits 85/2021 - 2/8 I. Facts and procedure 1. On October 2, 2018, the complainant filed a complaint with the APD. 2. On October 26, 2018, his complaint was declared admissible. 3. On November 21, 2018, the Litigation Chamber referred the matter to the Inspectorate. 4. On March 25, 2020, the Inspector General transmitted his investigation report to the Chamber Litigation. 5. On July 3, 2020, the Litigation Chamber informed the parties of its decision to consider the case as ready for substantive processing on the basis of Article 98 LCA and their communicated a timetable for the exchange of conclusions. The Litigation Chamber notes in this regard that neither party has concluded. 6. The complaint concerns the sending by the defendant of electoral propaganda letters to senior citizens of the municipality of Z, including the complainant, in the context of the October 2018 municipal elections. 7. In particular, the complainant received an election propaganda letter headed "La Bourgmestre's list ”in particular signed by the defendant. This letter was co-signed by a second person, Mr. V, against whom the complainant had also testified complaint. As this person died during the proceedings, the Litigation Chamber has, in support of the inspection report and the death notice, closes the case against him on July 3 2020. 8. According to the complaint form, the complainant suspects the respondent of having used the file. council of seniors to send him the mail, litigation thus diverting this file from its purpose and using his quality of alderman - especially seniors - in defiance of the rules of the GDPR and more particularly, of the principle of finality. 9. The letter is in fact addressed specifically to seniors in the municipality in these terms: “Dear Seniors, In recent years, the development of activities for seniors has been the subject of special attention and keen interest. It is useful to briefly recall the various initiatives, concrete actions and activities diversified implementations. 1. Excursions in Belgium and trips abroad 2. […….] 3. […….] Decision on the merits 85/2021 - 3/8 [….] All these actions are the result of teamwork led by the Mayor [...], by Mr. V, (…) And by Y, […]. To continue the work already undertaken, we invite you to vote for these 3 candidates and others of the mayor's list ”. Monsieur V Y [read respondent] […] (signature and photograph) (signature and photograph) 10. The complainant relies on the fact that the label affixed to the envelope for sending said letter is identical in all respects to the one on the letters she used to receive of the municipality as a senior. 11. The proof of this is a syntax error in her last name, as is the case on the label affixed to the letters it receives when the municipality is no longer particularly to seniors. 12. She further notes that the disputed letter is jointly addressed to her husband (wording Monsieur et Madame [wrong name X]), yet deceased since 2015 and which appeared in the file seniors during his lifetime. In this regard, it points out that the list of voters available to candidates in the elections lists the voters individually and that, taking into account the death of her husband since 2015, the latter could not be included. II. The investigation report of the Inspection Service of March 25, 2020 13. According to his investigation during which he contacted the municipality of Z, whose Data Protection Officer (DPO,) as well as with the complainant, the Inspector General makes, to With regard to the defendant, the following observation: "From the explanations provided by Mr. Y [read the defendant] and from the other documents in the file, the Inspection service can only see that it has signed the standard letter which the subject of the disputed shipment. However, the Inspection Service does not see any elements leaving think that Mr. Y [read the respondent] determined the means of treatment consisting of use the data from the list of seniors in the municipality of Z. The Inspection Service is therefore not able to demonstrate that Mr. Y would have processed data in contravention of the rules applicable to electoral propaganda ”. Decision on the merits 85/2021 - 4/8 14. As part of his inspection, the Inspector General contacted the municipality of Z in his capacity as responsible for processing the municipal senior citizen file. Through the voice of his burgomaster, the municipality listed the actions it took following the disputed facts: - An internal disciplinary procedure was conducted against Mr. V by the College communal. The latter, […], was the subject of a disciplinary warning for to have used the said file as a candidate for the elections; - Since early 2019, the municipal administration has used the services of a delegate for data protection (DPO) which regularly reminds the various the administration what are the obligations to which the municipality is bound and how whose data processing must take place to be in compliance with the GDPR. III. PLACE III.1.As for the misuse of purpose by the defendant (article 5.1.b) in combination with section 5.2. of the GDPR) 15. Under the terms of several decisions, the Contentious Chamber has already reiterated the necessary respect of the principle of finality in the context of sending electoral propaganda letters. 16. The principle of finality is an angular principle of data protection. Dedicated in 1981 to Article 5 (b) of the Convention for the Protection of Individuals with regard to Automatic Processing of personal data of the Council of Europe (ETS 108), it was set out in Article 6.1 b) of Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and to the free movement of these data as well as Article 4.1, 2 ° of the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data. During the consecration of the right to data protection as a fundamental right by Article 8 of the Charter of Fundamental Rights of the European Union in 2000, the principle of finality was there stated as a key element of this right. This principle has logically been taken up in Article 5.1.b) of the GDPR under the Principles relating to the processing of personal data (Chapter II). 17. Article 5.1 b) of the GDPR provides as follows: "1. Personal data must be: (...) b) collected for specific, explicit and legitimate purposes, and not to be processed subsequently in a manner incompatible with these purposes; further processing for purposes archival purposes in the public interest, for scientific or historical research purposes or for 1 See. decisions 10/2019, 11/2019 and 53/2020 of the Contentious Chamber. Decision on the merits 85/2021 - 5/8 statistics is not considered in accordance with Article 89 (1) as incompatible with the initial purposes ”(limitation of purposes). 18. In other words, this principle requires that data be collected for purposes determined, explicit and legitimate, and not subsequently processed in a incompatible with these purposes. Further processing of personal data for other purposes than that (s) for which these data were initially collected is only authorized if this further processing is compatible with the purposes for which the personal data were initially collected, taking into account the link between purposes for which they were collected and the purposes of the further processing envisaged, framework in which the personal data were collected, consequences possible of the further processing envisaged for the data subject and of the existence of appropriate guarantees. A compatible purpose is, for example, a purpose that the person concerned may provide for or may be considered compatible under a provision legal (see article 6.4. of the GDPR). 19. In its “Elections” note published in the early 2000s on its website and updated following the entry into force of the GDPR, the DPA mentions that: "In this perspective, it is not therefore not allowed to reuse personal data saved in files aforementioned [both public and professional files for example] for the purpose of propaganda electoral. Such processing is incompatible with the purposes for which these data were initially collected, which is punishable under article 83.5 of the GDPR ”. 20. The note goes on to state that: “For example, the personal data of citizens that have been obtained in the during the exercise of an alderman mandate cannot be reused for the organization of a election campaign. This is therefore an abusive use of information obtained in a lawful manner. within the framework of the exercise of an alderman mandate. Such use of personal data personnel is not only prohibited due to the principle of limitation of purposes but also breaks equality between political parties and equality between candidates. The legislation aims to address all applicants on an equal footing by giving them access to the same data, namely those appearing on the voters' lists ”. 21. Finally, the Litigation Chamber recalls, as mentioned in point 19 above, that any use incompatible later is prohibited with two exceptions provided for in Article 6.4. of the GDPR. When the data subject has given their consent to further processing for a purpose separate (1) or when the processing is based on a legal provision which constitutes a necessary and proportionate in a democratic society, in particular for the guarantee of important purposes of public interest (2), the controller still has the possibility Decision on the merits 85/2021 - 6/8 to subsequently process this personal data for other purposes, whether compatible or not with the initial purposes. 22. This principle of finality - and the concrete consequences which flow from it in the electoral context as recalled above - is binding on the controller. Indeed, Article 5.2. from GDPR clearly states that it is "the controller [who] is responsible for compliance of paragraph 1 and is able to demonstrate that it is respected (responsibility) ”. 23. It is therefore the controller responsible for respecting the principle of finality set out in Article 5.1.b) of the GDPR. Is defined as being responsible for processing "the natural person or legal entity, public authority, service or other body which, alone or jointly with others, determine the purposes and means of processing (…) ”(article 4.7. of the GDPR). 24. According to his investigation report, as mentioned above in point 13, the Inspector General concludes that he does not have any basis for concluding that the Respondent has determined the processing method consisting of using the data from the listing of seniors of the municipality of Z and therefore, to conclude that the defendant is responsible for processing. 25. The Contentious Chamber has no information enabling it to refute this finding. 26. In the light of the foregoing and on the basis of the elements of the file of which it is aware and of the powers assigned to it by the legislator under Article 100.1. LCA, the Litigation Chamber therefore decides to proceed with the classification without further action of the complaint, in accordance with Article 100.1., 1 ° LCA, on the basis of the above reasons. 27. In matters of discontinuance, the contentious chamber must justify its decision step by step. and: - pronounce a classification without technical follow-up if the file does not contain or not sufficient element likely to result in a sanction or if it entails an obstacle technique preventing him from making a decision; - or pronounce a classification without continuation of opportunity, if despite the presence of elements likely to result in a sanction, the continuation of the examination of the file does not seem to him timely given its priorities. 28. If the discontinuation takes place on the basis of several reasons (respectively technical or opportunity), the reasons for the dismissal should be dealt with in order of importance. 29. In the present case, the Contentious Chamber therefore pronounces a classification without technical follow-up. to decide not to pursue further examination of the case, the defendant implicated by the Complainant cannot, failing to be able to be qualified as data controller within the meaning of Decision on the merits 85/2021 - 7/8 Article 4.7 of the GDPR, be held responsible for any breach of Article 5.1.b) (principle of purpose) read in conjunction with section 5.2. of the GDPR. 2 30. Without prejudice to the foregoing, the Litigation Chamber notes that the municipality of Z, as responsible for processing the municipal file, has taken a number of measures to both to sanction the facts against Mr. V and to prevent any recurrence. It does indeed matter that a municipality, via its mayor, with the assistance of its DPO, educate staff on respect for fundamental data protection principles, including the principle of finality. He him is also responsible for ensuring the security of municipal files to prevent any undue access to these and any possible misuse of their purpose, especially during elections, among other measures, via an adequate access policy. In this regard, the Litigation Chamber recalls that a candidate for elections is not authorized to use a municipal file for the purposes of election propaganda. In this regard, a copy of this decision is communicated under anonymized form for information to the municipality of Z. IV. Publication of the decision 31. Considering the importance of transparency with regard to the decision-making process and decisions of the Litigation Chamber, this decision will be published on the website of the APD by deleting the direct identification data of the parties and of the persons named, whether they are physical or legal. 2 See. in this regard, the classification criteria without technical follow-up mentioned in the note "Classification policy without follow-up of the Litigation Chamber "published on June 18, 2021 on the APD website - point 3.1. https://autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf Decision on the merits 85/2021 - 8/8 FOR THESE REASONS, the Contentious Chamber of the Data Protection Authority decides, after deliberation: - to dismiss the present complaint in accordance with article 100.1., 1 ° of the Law of 3 December 2017 establishing the Data Protection Authority (LCA) when the outcome of the examination of the complaint and the facts it reports, the Contentious Chamber concludes that it does not have any elements likely to lead to a finding of a violation of the GDPR in the head of the defendant. er Under Article 108, § 1 of the LCA, this decision may be appealed against to the Market Court within thirty days of its notification, with the Authority data protection as a respondent. (se.) Hielke Hijmans President of the Litigation Chamber