APD/GBA (Belgium) - 135/2022
Latest revision as of 08:57, 29 June 2023
APD/GBA - Decision 135/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(23) GDPR, Article 12(3) GDPR, Article 15(1) GDPR, Article 15(3) GDPR, Article 26 GDPR, Article 56(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 26.09.2019 |
Decided: | 22.09.2022 |
Published: | 02.10.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Decision 135/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | GBA (in FR) |
Initial Contributor: | n/a |
The Belgian DPA held that a controller, with companies in both Belgium and the UK, violated Article 15(1) GDPR, Article 15(3) GDPR and Article 12(3) GDPR by deleting data instead of providing access to it after an access request by the data subject.
English Summary
Facts
The data subject submitted an access request (Article 15 GDPR) for his two accounts to the controller’s customer service department. The controller verified the data subject’s identity and informed him that his request would be followed up with a view to obtaining a copy of his personal data within one month. These initial e-mail exchanges took place with the controller using a .be (Belgium) e-mail address.
The data subject sent a reminder to the controller on 4 November 2019 after he hadn’t heard back from the controller. The data subject received an e-mail on 7 November 2019 from the controller's privacy team, sent from a privacy@[...].uk (United Kingdom) e-mail address. This e-mail stated that all the personal data of the data subject had been deleted following his request for deletion. On the same day, 7 November 2019, the data subject objected by e-mail that he had not requested the deletion of personal data but access to personal data. According to the data subject, the controller didn't answer this e-mail.
After the data subject filed his complaint, which was deemed admissible by the Belgian DPA, the DPA ordered an investigation into the matter. In its investigation report, it held the following:
The controller's Belgian company was jointly responsible for the processing with the controller's UK company. This joint responsibility results from the privacy policy available on the website of the controller's Belgian company. The investigation unit also held that the controller violated Article 12(1) GDPR, Article 12(2) GDPR, Article 15(1) GDPR and Article 15(3) GDPR. The controller had deleted the data of the data subject instead of providing access to the data. The controller stated that this was most likely caused by human error. To prevent the problem from occurring in the future, the controller started putting in place additional training and automated processes to handle requests of data subjects under the GDPR in a better way.
The DPA held that the investigation unit didn’t answer the question of which DPA was the lead supervisory authority. The controller stated in its privacy policy that a complaint could be filed with either the DPA in the UK or the Belgian DPA.
The DPA reiterated that after Brexit, once the DPA in the UK had left the cooperation mechanism and the one-stop shop, the DPA of the Member State in which the controller established a new principal place of business would become the lead supervisory authority, including for complaints against the controller. In the absence of a principal place of business of the controller in the EU (Article 56(1) GDPR), every DPA of the EU Member States has jurisdiction regarding the controller insofar as the GDPR applies.
There was no agreement between the controller's companies in Belgium and the UK regarding joint controllership.
Holding
Lead supervisory authority and competence of the Belgian DPA
The DPA held that the fact that the controller had mentioned the possibility of filing a complaint in both countries in its privacy policies said nothing about the competence of either the Belgian DPA or the DPA in the UK as lead supervisory authority in this case. The Belgian DPA held that this was merely an expression of the right of the data subject to file complaints in both countries.
The DPA held that the DPA in the UK should be regarded as the lead supervisory authority in this case of cross-border processing (Article 4(23) GDPR). There was no agreement between the joint controllers (Article 26 GDPR). Therefore, the DPA considered several factors to decide why the company in the UK should be regarded as the principal place of business for the purposes of data processing decisions and their application. One factor was that each of the privacy policies of the controller's companies across EU Member States explicitly mentioned that the controller is the company incorporated under English law (UK). The policies also mention that the other companies, such as the Belgian one, are joint controllers. Another factor was that the communication with the data subject was taken over from the customer service in Belgium by the privacy team in the United Kingdom. The controller also produced internal documents which explain the procedure for exercising rights with a system of 'escalation' to the privacy team in the UK, for example from the customer service in Belgium to the privacy team in the United Kingdom. The controller further specified that the procedure for this decision was also prepared by the parent company in the United Kingdom.
Another factor which the DPA considered was the fact that the Italian DPA had also received a complaint against the controller and had considered the DPA in the UK to be the lead supervisory authority. This consideration was accepted by the DPA in the UK.
The DPA held that it was competent to deal with this case because the controller didn’t establish a new principal place of business in an EU Member State after Brexit. The Belgian DPA was therefore competent to deal with the complaint, since the complaint was filed with the Belgian DPA.
The DPA held that it was not necessary to specify the relationship between the joint controllers in the UK and in Belgium.
Belgian DPA decided to close the case
The DPA decided to close the case for several reasons. The findings of the investigation unit were made at a time when the jurisdiction of the Belgian DPA was not established in UK law. The DPA therefore held that it couldn't rely on these findings. It also held that the violations of the controller were the result of human error. It also held that the GDPR was taken into account in the handling of the complaint. It further considered the concrete circumstances of the case, such as the time elapsed, the subject matter and the absence of high impact for the data subject.
Nonetheless, the DPA held that the controller had violated Article 15(1) GDPR (confirmation of the processing of data and information) and Article 15(3) GDPR (copy of the data). The controller also violated Article 12(3) GDPR (the response to a request to exercise a right must be made, with certain exceptions, within one month). All these violations were found because the controller had failed to provide access to the requested data.
The DPA didn’t sanction the controller but informed the controller how it could comply better with the GDPR in the future by referring to EDPB Guidelines 01/2022 regarding the right of access.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 135/2022 of September 22, 2022
File number: DOS-2019-05983
Subject: Complaint relating to the exercise of a right of access against a company – co-responsibility – classification without follow-up
The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, President, sitting alone;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data (hereinafter LTD);
Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The plaintiff: Mr. X, hereinafter “the plaintiff”;
The defendant: […], the defendant's English company, [….] Belgian company of the defendant, hereinafter “the defendant”;
I. Facts and procedure
1. On November 25, 2019, the complainant filed a complaint with the Data Protection Authority (APD).
2. His complaint concerns the exercise of his right of access (Article 15 of the GDPR) and the inadequate follow-up given to this request by the defendant.
3. The complainant thus reports that on September 26, 2019, he sent a request for access to the defendant's customer service, asking to recover all the data related to both accounts (…) and (…). An exchange of e-mails dated September 28, 2019 followed this request, at the end of which the defendant verified the identity of the complainant and informed him that his request to obtain a copy of his personal data would be followed up within one month in accordance with the applicable data protection regulations. These first e-mail exchanges took place with a person using a .be e-mail address and presenting himself as being in charge of customer accounts with the defendant (customer accounts).
4. In the absence of any follow-up to these first exchanges, the complainant sent a reminder to the defendant on November 4, 2019, more than a month after his initial request of September 26, 2019 (point 3 above).
5. In response, the complainant this time received an e-mail dated 7 November 2019 sent from the address privacy@[...].uk, signed by the Privacy team of the defendant, and informing him that, following his request for erasure, all the personal data that the defendant held "and which fall within the scope of your (read "his") right to erasure under data protection regulations had been deleted” (excerpt from the e-mail produced). The defendant further specifies that it has advised of this erasure all third parties who processed the complainant's data on its behalf, referring in this respect to its privacy policy. Finally, the defendant indicates that the right to erasure does not necessarily imply that all personal data be erased when, in certain circumstances, exceptions provided for by the GDPR can apply. The defendant refers the complainant in this respect to the information available on the website of the Commission Nationale Informatique et Libertés (CNIL), i.e. the French data protection authority. Should the complainant be dissatisfied with the response received, the defendant finally invites him to file a complaint with the CNIL, again referring to its privacy policy.
6. On the same day, November 7, 2019, the complainant objected by return e-mail that he had not requested the deletion of his data but access to them. In his complaint, the complainant indicates that this last e-mail remained unanswered by the defendant.
7. On December 3, 2019, the Front Line Service (SPL) of the APD declares the complaint admissible on the basis of Articles 58 and 60 of the LCA, and transmits it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.
8. During the session of December 17, 2019, the Litigation Chamber decides to request an investigation from the Inspection Service (SI). On December 20, 2019, the Litigation Chamber seized the Inspector General of a request for an investigation. On the same date, the complainant was informed that the Inspection Service had been seized.
9. According to his investigation report of March 3, 2020, the Inspector General notes the following:
- The Belgian company of the defendant is jointly responsible for the processing with the defendant's English law company established in the United Kingdom (hereinafter together "the defendant"). This co-responsibility results from the privacy policy available on the website of the Belgian company of the defendant;
- The plaintiff received an e-mail from the defendant's Privacy team (see point 5) confirming the deletion of his personal data in response to his request to get a copy. Reference is also made in this e-mail to the CNIL with regard to the filing of any complaint. In this regard, the SI concludes that there is a breach of Articles 12.1., 12.2., 15.1. and 15.3. of the GDPR on the part of the defendant.
- The defendant indicated to the SI that these shortcomings were due to human error, the handler of the request having in all likelihood used the wrong French-language template available.
- In order to prevent the problem that has arisen from recurring, the defendant indicates that it is implementing additional training and establishing an automated process for managing requests to exercise rights under the GDPR.
- Finally, the SI notes that two other complaints against the defendant were listed in the cooperation system [1] (one-stop shop - IMI) of the data protection authorities of the European Union. In these complaints the British Information Commissioner (ICO) is identified as lead authority within the meaning of Article 56.1. GDPR (Lead Supervisory Authority - LSA) due to the location of the main establishment of the defendant in the United Kingdom (via the defendant's English company - see below).
[1] The Internal Market Information System (IMI) is an online tool that facilitates the exchange of information between public authorities involved in the practical application of EU law. IMI helps authorities fulfill their cross-border administrative cooperation obligations in many single market areas, including the field of data protection (GDPR).
10. After examining the Inspection report and the investigation documents, the Litigation Chamber notes that said report mentions that the defendant's English law company (UK) and the defendant's Belgian law company (BE) are joint data controllers without, however, drawing conclusions as to the identification of the LSA and the competence of the APD. The SI report establishes that the defendant's privacy policy mentions the possibility for each complainant to file a complaint with the ICO and/or the DPA. This possibility does not, however, entail the competence of one or the other (and the other otherwise) data protection authority as LSA. This double possibility is simply the expression of the fact that the complainant has the choice to file his complaint with his local supervisory authority, which may, according to the determination criteria of the GDPR, be LSA or simply “concerned authority” (CSA) within the meaning of Article 4.22.c) of the GDPR with, in the latter case, the obligation to transfer the complaint to the LSA in the framework of the cooperation mechanism between the data protection authorities (one-stop shop – Articles 56 et seq.) implemented by the GDPR.
11. To determine which is the lead data protection authority (LSA) in the event of cross-border processing within the meaning of Article 4.23 of the GDPR, as in the present case, and of joint data controllers, the Litigation Chamber refers to the Guidelines of the European Data Protection Board (EDPB) on LSA identification [2]. These guidelines state the following: “The general regulation does not specifically cover the question of the determination of a lead authority when several controllers established in the Union jointly determine the purposes and means of processing, i.e. in the case of joint controllers. Article 26, paragraph 1, and recital 79 make it clear that, in this situation, the joint controllers define their respective obligations in a transparent manner in order to ensure compliance with the requirements of the regulation. Therefore, in order to benefit from the one-stop-shop principle, the joint controllers must designate which of their establishments (among those where decisions are taken) will have the power to enforce decisions about processing with respect to all joint controllers. This establishment will then be considered as the main establishment for processing involving joint controllers. The agreement between the joint controllers is without prejudice to the rules on liability established by the general regulation, in particular in Article 82, paragraph 4 (point 2.1.3.)”.
[2] Article 29 Working Party, Guidelines for the designation of a lead supervisory authority of a controller or a processor, WP244 of 5 April 2017. The EDPB has adopted these guidelines on its own behalf by decision of 25 May 2018 https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-identifying-controller-or-processors-lead_en
12. In the absence of an agreement within the meaning of Article 26 of the GDPR at its disposal, the Litigation Chamber relied on various elements of the complaint to consider that it was the English law company of the defendant (UK) which was to be considered as the main establishment with regard to data processing decisions (controller) and their application.
13. These elements were:
a. In the various countries of the European Union in which the defendant offers its services, each of the privacy policies mentions that the data controller is the defendant's English law company (UK) and the local company of the country concerned, as joint controllers (SPRL of Belgian law of the defendant in Belgium, SAS the defendant in France etc.);
b. The defendant's company governed by English law (UK) is therefore "joint" in each case;
c. In the context of this complaint, after an initial intervention by the “local” customer service (Belgian in this case – see point 3), the relay was taken over by the Privacy team in the United Kingdom (point 4), which depends on the English law company of the defendant and which supports local services in terms of responding to requests to exercise rights under the GDPR;
d. As part of the investigation conducted by the SI, the defendant produced in this regard internal documents that explain the procedure for exercising rights with an “escalation” system to the Privacy team (central support team for personal data issues, based in the UK). The defendant further explains that this procedure was prepared by the parent company in the UK.
e. As mentioned in point 9 above, the Italian data protection authority (Garante) also received a complaint about the defendant and considered that the ICO was LSA, which the ICO accepted.
14. On the basis of the foregoing, the Litigation Chamber therefore referred to the ICO the complaint received from the complainant on November 20, 2020. At the time, notwithstanding the withdrawal of the United Kingdom from the European Union, the ICO was still taking part, until 31 December 2020, in the cooperation mechanism (one-stop shop) set up under Chapter VII GDPR. [4]
[3] As mentioned by the EDPB in the excerpt cited in point 11, Article 26 of the GDPR requires joint controllers to define transparently, by agreement between them and subject to exceptions, their respective obligations in order to ensure compliance with the requirements of the GDPR, in particular with regard to the exercise of the rights of the data subject, and their respective obligations with regard to the communication of the information referred to in Articles 13 and 14.
13. On January 11, 2021, the Litigation Chamber informed the complainant of this.
14. In the course of 2021, a data protection authority with which a complaint against the defendant had also been filed informed its counterparts that it had made a point of verifying whether the defendant had designated a new main establishment in the post-Brexit European Union, after the exit of the ICO from the cooperation and one-stop-shop mechanism. The data protection authority of the EU 27 Member State in which this new main establishment would have been established would become LSA, including for complaints under review (even if this review was not completed by the ICO) filed with EU data protection authorities before the exit of the ICO from the one-stop shop.
15. The data protection authorities have not established that the defendant designated a new main establishment in the EU and concluded that, as a result, each of the data protection authorities receiving a complaint was now competent to treat it.
16. The Litigation Chamber agrees with this analysis and bases its jurisdiction on it. Indeed, the one-stop-shop mechanism (and therefore the competence of a lead authority - LSA) assumes the existence of cross-border processing within the meaning of Article 4.23 of the GDPR as well as the existence of a main establishment or a single establishment of the controller in the EU (Article 56.1 of the GDPR). In the absence of a main establishment of the defendant in the EU following Brexit, each data protection authority is competent with respect to it insofar as the GDPR is applicable.
17. In the present case, with regard to joint controllers, the DPA currently considers itself competent with respect to each of the entities, whether it is the English law company of the defendant or the defendant's company governed by Belgian law. Indeed, while the dominant de facto influence of the defendant's English law company justified, before the exit of the ICO from the one-stop-shop mechanism, that the examination of the complaint be entrusted to it as LSA (see above), the fact remains that the two entities are jointly responsible for processing subject to the GDPR, which justifies that the DPA (via its Litigation Chamber), now competent post-Brexit, jointly addresses this decision to them. For the purposes of this decision, it is not necessary to specify the relationship between these two entities.
[4] Withdrawal of the United Kingdom from the European Union: exclusion from the EU decision making and decision-shaping as of the withdrawal date and exceptions provided for in the withdrawal agreement. (Appendix). Ref. Ares(2020)469682 - 01/24/2020.
[5] In accordance with the Agreement on the European Economic Area (EEA), as of July 20, 2018, the EEA countries, Iceland, Liechtenstein and Norway are also part of the EDPB and the one-stop-shop system.
II. Motivation
15. Based on the facts described in the complaint file as summarized above, and on the basis of the powers attributed to it by the legislator under Article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file. In this case, the Litigation Chamber decides to proceed with the dismissal of the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.
16. In matters of dismissal, the Litigation Chamber is required to justify its decision step by step and:
- to pronounce a technical classification without follow-up if the file contains no or insufficient elements likely to lead to a sanction or if it includes a technical obstacle preventing it from rendering a decision;
- or to pronounce a classification without follow-up on grounds of opportunity if, despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate to it given the priorities of the APD as specified and illustrated in the Litigation Chamber's policy of classification without follow-up. [7]
17. In the event of dismissal based on several grounds, the latter (respectively, technical classification without follow-up and classification without follow-up on grounds of opportunity) must be addressed in order of importance. [8]
18. In this case, the Litigation Chamber decides to proceed with a classification without follow-up of the complaint for a reason of opportunity. The decision of the Litigation Chamber is based more specifically on the following reasons why it considers it inappropriate to continue to examine the complaint, and therefore decides not to proceed, among other things, to deal with the case on the merits.
19. The Litigation Chamber notes that the findings of the SI were made (between 20 December 2019 and 3 March 2020) at a time when the competence of the DPA was not established, at least vis-à-vis the defendant's English law company. The Litigation Chamber therefore does not consider that it can reliably rely on the said findings.
[6] Cour des marchés (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
[7] In this respect, the Litigation Chamber refers to its policy of classification without follow-up as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de- classification-without-continuation-of-the-litigation-chamber.pdf.
[8] See Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the dismissal policy of the Litigation Chamber.
20. The Litigation Chamber is also of the opinion that these breaches could constitute human error. The first exchanges of e-mails with the complainant attached to the complaint attest that the GDPR was taken into account and that the deadlines for answering him were known. The response then provided by the “Privacy team” regarding the request for erasure, while certainly inadequate given that the complainant had made a request for access and not for erasure, also attests that the GDPR was taken into account. Taking into account all the concrete circumstances of the case (elapsed time, subject of the complaint and the absence of a high societal or personal impact for the complainant in this case (these are data relating to user accounts with the defendant)), the Litigation Chamber concludes that the continuation of an examination on the merits would be disproportionate. However, as will be specified in point 24, it intends to communicate this decision to the defendant for information and awareness.
21. Indeed, without prejudice to the foregoing considerations, the Litigation Chamber is nonetheless, based on the attachments to the complaint alone, able to point out that, prima facie, the defendant did not respond adequately to the complainant's request for access, deleting the latter's personal data instead of sending him a copy, and this in breach of Articles 15.1 (confirmation that data is being processed and elements of information) and 15.3. (copy of data) of the GDPR. The defendant has therefore, moreover, and still prima facie, not complied with the requirements of Article 12.3. of the GDPR (the answer to a request to exercise a right must be made, with some exceptions, within one month).
22. Notwithstanding its decision to close without further action, the Litigation Chamber therefore recalls the following, a reminder which, without constituting any corrective measure or sanction within the meaning of Articles 95 or 100 of the LCA, aims to inform the defendant as best as possible:
- The establishment of effective procedures to follow up on requests to exercise the rights of data subjects is part of the obligations of (joint) data controllers and of the effectiveness of said rights;9
- As the EDPS points out in his Guidelines on the right of access, “where two or more controllers process data jointly, the arrangement of the joint controllers regarding their respective responsibilities with regards to the exercise of data subject's rights, especially concerning the answer to access requests, does not affect the rights of the data subjects towards the controller to whom they address their request (item 34)”;10
- Still according to the EDPS, “the controllers should be proactively ready to handle the requests for access to personal data. This means that the controller should be prepared to receive the request, assess it properly (this assessment is the subject of this section of the guidelines) and provide an appropriate reply without undue delay to the requesting person. The way the controllers will prepare themselves for the exercise of access requests should be adequate and proportionate and depend on the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, in accordance with Art. 24 GDPR. Depending on the particular circumstances, the controllers may for example in some cases be required to implement an appropriate procedure, the implementation of which should guarantee the security of the data without hindering the exercise of the data subject’s rights (point 42)”;11
- Finally, as the EDPS also points out in his Guidelines already mentioned, and without calling into question its conclusion that human error may have occurred in this case, the Litigation Chamber recalls that “the controller shall not deliberately escape the obligation to provide the requested personal data by erasing or modifying personal data in response to a request for access. If, in the course of processing the access request, the controller discovers inaccurate data or unlawful processing, the controller has to assess the state of the processing and to inform the data subject accordingly before complying with its other obligations (point 39)”;12
- With regard to the response given regarding erasure, the Litigation Chamber recalls that it is important that the person know which data has been erased and that, if exceptions are applicable, they must be formulated in a way relevant to the particular situation.

9 European Data Protection Board (EDPB), Guidelines 01/2022 on data subject’s rights – right of access, version 1.0, dated 18 January 2022. This text is only available in English: https://edpb.europa.eu/system/files/2022- 01/edpb_guidelines_012022_right-of-access_0.pdf This document has been submitted for public consultation. It is therefore not excluded that an amended version of these guidelines will be published in the future.
10 See the aforementioned Right of Access Guidelines. Free translation: “When two or more controllers process data jointly, the arrangement of the joint controllers relating to their respective responsibilities with regard to the exercise of the rights of data subjects (especially with regard to the response to be given to a request for access) cannot affect the rights of the person concerned with regard to the data controller to whom it addressed its request (point 34)”.
11 See the EDPS guidelines on the right of access already cited. Free translation: “Controllers should be proactively prepared to deal with requests for access to personal data. This means that the controller should be prepared to receive the request, to examine it adequately (this examination is discussed in this section) and to provide a relevant response as soon as possible to the applicant. How controllers prepare for these requests to exercise the right of access should be adequate, proportionate and dependent on the nature, scope, context and purpose of the processing as well as the risks to the rights and freedoms of natural persons in accordance with Article 24 of the GDPR. Depending on the circumstances, data controllers could for example sometimes be required to put in place a specific procedure, the implementation of which should guarantee the security of the data without preventing the exercise of the rights of the data subject (point 42)”.
12 See the EDPS guidelines relating to the right of access already cited. cannot deliberately evade its obligation to provide the personal data by erasing or modifying the data to be provided in response to the access request. If as part of the process of responding to such request, the data controller discovers that the data is inaccurate or that it is being processed unlawfully, the data controller must examine the processing and inform the person concerned before complying with its other obligations (item 42)”.

III. Publication and communication of the decision

23. Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the DPA website. However, for this purpose it is not necessary that the identification data of the parties be directly mentioned.

24.
In accordance with its policy of dismissal, the Litigation Chamber communicates the decision to the defendant. Indeed, the Litigation Chamber decided to communicate decisions of classification without follow-up to the defendant by default. However, the Litigation Chamber refrains from such communication when the complainant requested anonymity vis-à-vis the defendant and when the communication of the decision to the latter, even pseudonymised, nevertheless risks allowing re-identification. This is not the case in the present case.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority (DPA) as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code (C. jud.). The interlocutory request must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

To allow him to consider any other possible course of action, the Litigation Chamber refers the complainant to the explanations provided in its dismissal policy.17

(Signed) Hielke HIJMANS
President of the Litigation Chamber

13 Cf. Title 5 – Will the classification without follow-up be published? Will the opposing party be informed? of the policy of dismissal of the Litigation Chamber.
14 Ibidem.
15 The application contains on pain of nullity: 1° the indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and summary of the grounds of the application; 5° the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer.
16 The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court office.
17 Cf. Title 4 – What can I do if my complaint is dismissed? of the Litigation Chamber's policy of classification without follow-up.