APD/GBA (Belgium) - 41/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA (Belgium) |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=41/2022 |E...")
 
 
(2 intermediate revisions by the same user not shown)
Line 58: Line 58:


=== Facts ===
=== Facts ===
Three data subjects registered as volunteers for the distribution of mouth masks with their email addresses. They claimed that the controller, the municipality that organised the campaign, had used their email addresses for other purposes.  
Three data subjects registered as volunteers for the distribution of filtering facepieces with their email addresses. They claimed that the controller, the municipality that organised the campaign, had used their email addresses for other purposes. They did not, however specify those alleged purposes. 
 
According to the controller, the volunteers' data were only used for one purpose, namely the organisation of the distribution of the filtering facepieces. In this process, the recipients of the email were placed in "BCC" and the e-mail addresses were deleted after the invitation was sent.  


=== Holding ===
=== Holding ===
The DPA found no violation by the controller. There was no indication that the controller had used the emails for other purposes than the campaign. In particular, it had used the BCC function when sending out emails to the mailing list so that the recipients could not see each others contact data.  
The DPA found no violation by the controller. There was no indication that the controller had used the emails for other purposes than the campaign. In particular, it had used the BCC function when sending out emails to the mailing list so that the recipients could not see each others contact data.  
According to the DPA, the controller was justified by [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] which allows processing of personal data for the purposes of public interest, especially since the data had been provided by the data subjects themselves. Furthermore, the controller had complied with the principles of data minimisation (Article 5(1)(c) GDPR) and of storage limitation (Article 5(1)(e) GDPR).
 
According to the DPA, the controller was justified by [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] which allows processing of personal data for the purposes of public interest, especially since the data had been provided by the data subjects themselves. Furthermore, the controller had complied with the principles of data minimisation ([[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]) and of storage limitation ([[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]).


== Comment ==
== Comment ==

Latest revision as of 16:04, 23 March 2022

APD/GBA (Belgium) - 41/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(e) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 18.03.2022
Published:
Fine: None
Parties: n/a
National Case Number/Name: 41/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: kc

The Belgian DPA held that a municipality was entitled to send emails to data subjects who had previously registered their email addresses for a campaign as volunteers.

English Summary

Facts

Three data subjects registered as volunteers for the distribution of filtering facepieces with their email addresses. They claimed that the controller, the municipality that organised the campaign, had used their email addresses for other purposes. They did not, however specify those alleged purposes.

According to the controller, the volunteers' data were only used for one purpose, namely the organisation of the distribution of the filtering facepieces. In this process, the recipients of the email were placed in "BCC" and the e-mail addresses were deleted after the invitation was sent.

Holding

The DPA found no violation by the controller. There was no indication that the controller had used the emails for other purposes than the campaign. In particular, it had used the BCC function when sending out emails to the mailing list so that the recipients could not see each others contact data.

According to the DPA, the controller was justified by Article 6(1)(e) GDPR which allows processing of personal data for the purposes of public interest, especially since the data had been provided by the data subjects themselves. Furthermore, the controller had complied with the principles of data minimisation (Article 5(1)(c) GDPR) and of storage limitation (Article 5(1)(e) GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                        1/6








                                                                                      Dispute room



                                                Decision on the merits41/2022 of 18 March 2022






File number: DOS-2020-03145 / DOS-2020-3155 / DOS-2020-03156



Subject : Improper use of email addresses





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman and Messrs Dirk Van Der Kelen and Christophe Boeraeve, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;





has taken the following decision regarding:

                                                                                                       †

The complainants: Mrs. X1, hereinafter “complainant 1”; †

                    Mr X2, hereinafter referred to as “complainant 2”; †

                    Mr X3, hereinafter “complainant 3”;



The Defendant: Mrs. Y, hereinafter referred to as “the Defendant”, Decision on the merits 41/2022 - 2/6




I. Facts procedure



    1. On 29 June 2020, the complainants each filed a separate complaint with the

        Data protection authority against the defendant.


        The subject of the complaint concerns the use by the defendant, aldermen of the municipality (…),

        from e-mail addresses obtained via the general e-mail address of the municipality (…) in the context of

        a call for volunteers for the distribution of mouth masks, to personally meet the volunteers

        via her own professional email address (…).


    2. On 6 July 2020, the complaint will be declared admissible by the Frontline Service on the basis of the

        Articles 58 and 60 of the WOG and the complaint pursuant to Article 62, §1 of the WOG is forwarded to the

        Dispute room.


    3. On September 23, 2020, the Disputes Chamber decides to join the three complaints, since it

        subject of the complaint is the same. Pursuant to Article 95, §1, 1° and Article 98 WOG,

        also decides that the file is ready for treatment on the merits and the parties concerned are

        parties have been notified of the provisions as stated in article 95, §2, as well as of this article

        98 WOG. They are also informed, pursuant to Article 99 of the WOG, of the time limits to

        to submit their defences.


        The deadline for receipt of the defendant's statement of defense was thereby set

        laid down on November 3, 2020, this for the conclusion of the complainants' reply on 24

        November 2020 and those for the defendant's statement of reply on December 15, 2020.


    4. On September 23, 2020, complainant 3 requests a copy of the file (art. 95, §2, 3° WOG), which

        it was transferred on October 21, 2020.


    5. On October 29, 2020, the defendant states that defenses will be filed and states

        know that they wish to make use of the opportunity to be heard, in accordance with

        article 98 WOG.


    6. On November 2, 2020, the Disputes Chamber will receive the statement of defense from the

        defendant. She states that as ships of communication she received permission on May 19, 2020

        of the College of Mayor and Aldermen to coordinate and communicate

        the distribution of the mouth masks in consultation with an official. The data that the

        volunteers, were, according to the defendant, only used for the purpose

        for which they were intended, namely the organization of the distribution of mouth masks. She has

        addressed the volunteers as aldermen of communication through her municipal e-mail address and

        solely for the intended purpose. The recipients of the email were placed in “bcc” and

        the e-mail addresses were deleted after the invitation was sent., Decision on the merits 41/2022 - 3/6




    7. On November 23, 2020, the Disputes Chamber will receive the statement of reply from complainants 1 and 2

        stating that there is as yet no evidence that the defendant had the consent

        obtained from the College of Mayor and Aldermen and the general director. Complainants 1

        and 2 add that a decision of the College of Mayor and Aldermen is not in conflict

        may be in accordance with applicable law. On the same day, the Disputes Chamber also receives the

        conclusion of the complainant's reply 3. This contains, in outline, the statement that the

        mouth mask distribution was officially assigned and not to a mandatary. The defendant is

        not a processor or controller. According to complainant 3, there would be an incompatible

        further processing has taken place and he refers for this to Article 75, 2° of the law

        of 30 July 2018 . Complainant 3 also relies on the law of 30 July with regard to the legal basis

        2018, in particular Article 74, 4°.


    8. The defendant has not made use of the opportunity to add another statement of reply

        to submit.


    9. On January 13, 2022, the parties will be notified that the hearing will take place

        on March 10, 2022.


    10. On March 10, 2022, complainant 3 and the defendant will be heard by the Disputes Chamber. Complainants 1

        and 2 have not appeared.


    11. The minutes of the hearing will be submitted to the parties on 11 March 2022.


    12. On March 11, 2022, the Disputes Chamber receives the response from the defendant that it does not

        has any comments with regard to the summary of what is at the hearing forward

        brought.


    13. On March 17, 2022, the Disputes Chamber receives a notification from the complainant that he does not

        has comments with regard to the official report. He does, however, specify

        which the Disputes Chamber decides to include in its deliberations.




II. Justification



    14. The complainants argue that their e-mail addresses from which they had addressed the

        general e-mail address of the municipality (…) in order to register as a candidate volunteer for

        the distribution of mouth masks, were used by the defendant to personally protect them

        contact us. The complainants allege that the defendant does not have access to the relevant e-mail

        receive e-mail addresses and thus not process this personal data, since the

        the defendant did not need this information for the performance of its function. Support the complainants




1
 Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, Decision on the merits 41/2022 - 4/6





         their argument on the absence of any decision by the college of aldermen in which the

         the defendant would have been assigned a task in the context of the organization of the volunteer work

         in the distribution of face masks.


    15. The Disputes Chamber establishes that the e-mail addresses of the complainants have been provided by themselves on their own initiative


         movement were provided as volunteers within the framework of the municipality

         organized distribution of mouth masks. The municipality must be regarded as the

         controller within the meaning of Article 4. 7) GDPR , as she is the body that

         purpose and means for the processing of the personal data, in this case the relevant e-mail

                                                       3
         email addresses. The legal basis for the municipality to collect the personal data of the

         volunteers – including their e-mail addresses – is the need to perform a task of

         public interest (Article 6.1 e) GDPR), in particular the need to take measures


         take with a view to preventing the further spread among the citizens of

         infection with the coronavirus. The factual elements of the file do not show that the

         defendant uses the email addresses of the volunteers for any purpose other than that for which

         the data was collected, has used. There is no indication whatsoever that the defendant


         has appropriated the personal data of the volunteers who registered by email

         for any purpose other than that for which they were collected, in particular the organization of the

         mouth mask distribution. The defendant brought in the volunteers, including the complainants

         this framework and thus with respect for the purpose limitation principle (Article 5.1 b) GDPR) contacted in


         connection with the practical organization of the mouth mask distribution. She also did this from



2Article 4.

For the purposes of this Regulation:

†
7) 'controller' means a natural or legal person, a public authority, a service or other body
which, alone or jointly with others, determines the purposes and means of the processing of personal data; when the

the purposes and means of such processing may be established in Union or Member State law
determine who the controller is or according to which criteria it is designated;
33
  In this regard, complainant 3 relies for the legal basis on Article 74 of the Law of 30 July 2018 on the protection of
natural persons with regard to the processing of personal data. The Disputes Chamber points out that this provision only
applies to the protection of natural persons with regard to the processing of personal data by the
intelligence and security services (see Subtitle I of Title 3 of the law of 30 July 2018). However, the present file has no
relating to data processing by intelligence and security services. This applies equally to articles 75, 2° and 84 of

the law of 30 July 2018 on which complainant 3 relies, so that the provisions cited by complainant 3 do not apply.
4Article 6.

1. Processing is only lawful if and insofar as at least one of the following conditions is met:

†
e) the processing is necessary for the performance of a task carried out in the public interest or of a task carried out in the exercise

from the public authority entrusted to the controller;
†

5Article 5

1. Personal data must:
†

b) collected for specified, explicit and legitimate purposes and may not be further
are processed in a manner incompatible with those purposes; further processing with a view to archiving in general

interest, scientific or historical research or statistical purposes shall not be regarded as
considered incompatible with the original purposes ("purpose limitation");, Decision on the merits 41/2022 - 5/6




        her professional email address in her capacity as ships, so by no means from her

        personal private email address.



    16. The defendant acted fully within the original purpose for which the

        data were obtained and involved by the municipality as controller

        volunteers contacted from her position as aldermen on behalf of the municipality, as also

        according to the session report of the Board of Mayor and Aldermen dated 19 May 2020

        which explicitly states that the coordination of the mouth mask distribution will be


        entrusted to one official “in association with ships Y” (being the defendant).


    17. In addition, when sending the e-mail which is the subject of the

        complaint made use of the “bcc” function which allows the intended recipients of the email

        can be reached in a single movement without the e-mail addresses of everyone being visible. The


        data processing was therefore by no means excessive and was done in full accordance with
                                                                                6
        the principle of data minimum processing (Article 5.1 c) GDPR).


    18. The principle of storage limitation (Article 5.1 e) GDPR) was also complied with. After all, as soon as it

        purpose - the distribution of mouth masks - was reached, the e-mail addresses were destroyed. The

        the defendant has stated that this destruction took place, which the complainant does not regard as


        is thus disputed. In addition, there is no document showing that the defendant

        would have used e-mail addresses after the mouth mask distribution, so that there is no doubt about it

        the fact that the data was indeed destroyed after the purpose was achieved.


    19. The Disputes Chamber thus concludes that the defendant has not committed any infringement of

        the AVG.

















6Article 5

1. Personal data must:
†

c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ("minimum"
data processing”);
7
 Article 5

1. Personal data must:
e) be kept in a form that makes it possible to identify the data subjects for no longer than for the purposes for which
the personal data are processed is necessary; personal data may be stored for longer periods for

insofar as the personal data is solely for the purpose of archiving in the public interest, scientific or historical research or
statistical purposes shall be processed in accordance with Article 89(1) provided that the appropriate technical requirements required by this Regulation
and organizational measures are taken to protect the rights and freedoms of the data subject
("storage limitation");, Decision on the merits 41/2022 - 6/6




III. Publication of the decision



    20. Given the importance of transparency in the decision-making of the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. It is not necessary, however, that the identification data

       of the parties shall be published directly.




   FOR THESE REASONS,

   the Disputes Chamber of the Data Protection Authority decides, after deliberation, to

   of Article 100, §1, 1° WOG, to dismiss the complaint in view of the fact that there is no infringement in this regard

   can be determined on the basis of the GDPR.



   Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a

   period of thirty days, from the notification, to the Marktenhof, with the

   Data Protection Authority as Defendant.








(Sé). Hielke Hijmans


Chairman of the Disputes Chamber