APD/GBA (Belgium) - 143/2022: Difference between revisions
(GDPR articles layout) |
(This is not a final decision, but an order. Reflected this in the summary.) |
||
(11 intermediate revisions by 3 users not shown) | |||
Line 10: | Line 10: | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1= | |Original_Source_Name_1=Gegevensbeschermingsautoriteit | ||
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-143-2022.pdf | |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-143-2022.pdf | ||
|Original_Source_Language_1=French | |Original_Source_Language_1=French | ||
Line 23: | Line 23: | ||
|Date_Started=10.08.2022 | |Date_Started=10.08.2022 | ||
|Date_Decided=11.10.2022 | |Date_Decided=11.10.2022 | ||
|Date_Published= | |Date_Published=17.10.2022 | ||
|Year=2022 | |Year=2022 | ||
|Fine= | |Fine= | ||
|Currency= | |Currency= | ||
|GDPR_Article_1=Article 12(3) GDPR | |GDPR_Article_1=Article 4(1) GDPR | ||
| | |GDPR_Article_Link_1=Article 4 GDPR#1 | ||
| | |GDPR_Article_2=Article 12 GDPR | ||
| | |GDPR_Article_Link_2=Article 12 GDPR | ||
| | |GDPR_Article_3=Article 12(3) GDPR | ||
| | |GDPR_Article_Link_3=Article 12 GDPR#3 | ||
| | |GDPR_Article_4=Article 12(4) GDPR | ||
| | |GDPR_Article_Link_4=Article 12 GDPR#4 | ||
| | |GDPR_Article_5=Article 15 GDPR | ||
| | |GDPR_Article_Link_5=Article 15 GDPR | ||
|GDPR_Article_6=Article 15(1) GDPR | |||
|GDPR_Article_Link_6=Article 15 GDPR#1 | |||
|GDPR_Article_7=Article 15(3) GDPR | |||
|GDPR_Article_Link_7=Article 15 GDPR#3 | |||
|GDPR_Article_8= | |||
|GDPR_Article_Link_8= | |||
|GDPR_Article_9= | |||
|GDPR_Article_Link_9= | |||
|EU_Law_Name_1= | |EU_Law_Name_1= | ||
Line 56: | Line 64: | ||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name= | ||
|Appeal_To_Status= | |Appeal_To_Status=Unknown | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor= | |Initial_Contributor=Enzo Marquet | ||
| | | | ||
}} | }} | ||
The Belgian DPA | The Belgian DPA ordered an employer to process an access request from its employee even though the employer claimed to have never received the request. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject submitted an access request to his employer (controller) on 7 July 2022, requesting a copy of all his personal data pursuant of [[Article 15 GDPR#3|Article 15(3) GDPR]]. He also wanted to receive a copy of the | The data subject submitted an access request to his employer, a school, (controller) on 7 July 2022, requesting a copy of all his personal data pursuant of [[Article 15 GDPR#3|Article 15(3) GDPR]]. He also wanted to receive a copy of the emails and notes in which he was directly and indirectly identified. In particular, he wanted the following information: internal and external documents, his administrative file, his disciplinary record, emails, manual or paper-based internal notes and logs. Lastly, the data subject requested all the elements listed in [[Article 15 GDPR#1|Article 15(1) GDPR]], such as the purpose and legal basis of each processing operation. The data subject stated that the controller did not answer this request and did not act within one month. The data subject stated that the letter he sent was returned to him, and therefore not received by the controller. | ||
Lastly, the data subject requested all the elements listed in [[Article 15 GDPR#1|Article 15(1) GDPR]], such as the purpose and legal basis of each processing operation. | |||
The data subject | |||
The data subject filed a complaint at the DPA on 10 August 2022 because the controller failed to reply to the access request in a satisfactory way. According to the data subject. This resulted in a violation of [[Article 15 GDPR#1|Articles 15(1)]], [[Article 15 GDPR#3|Article 15(3)]] and [[Article 12 GDPR#3|Article 12(3) GDPR]]. The data subject requested that he would remain anonymous during his complaint procedure. | |||
=== Holding === | === Holding === | ||
The DPA held that the controller could not refuse to give useful effect to the request for access, simply because the formulation of the request itself was incomplete, based on an erroneous provision or based on a misunderstanding or misinterpretation of the rights invoked. | The DPA held that the controller could not refuse to give useful effect to the request for access, simply because the formulation of the request itself was incomplete, based on an erroneous provision or based on a misunderstanding or misinterpretation of the rights invoked. | ||
Regarding the requested anonymity of the data subject, the DPA noted that the data subject had the option, provided on the form of the DPA complaint, to hide his personal data. However, the data subject was also obliged to give justification for this requested anonymity. When the data subject did not provide justification, the DPA could ask for consent to the data subject to disclose the information or close the complaint without further action. | |||
The DPA held that the data subject was entitled to his right of access. The controller had to provide a response within one month, whether it was going to comply with the request ([[Article 12 GDPR#3|Article 12(3) GDPR]]) or not ([[Article 12 GDPR#4|Article 12(4) GDPR]]). | The DPA held that the data subject was entitled to his right of access. The controller had to provide a response within one month, whether it was going to comply with the request ([[Article 12 GDPR#3|Article 12(3) GDPR]]) or not ([[Article 12 GDPR#4|Article 12(4) GDPR]]). | ||
Without addressing a potential breach of the GDPR, the DPA ordered the controller to comply with the access request pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) LCA (act establishing the data protection authority). The DPA also mentioned [https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf EDPB Guidelines 01/2022] as a tool for the controller to make its processing GDPR compliant. | |||
== Comment == | == Comment == | ||
''Share your comments here!'' | ''Share your comments here!'' |
Latest revision as of 08:06, 3 November 2022
APD/GBA - 143/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 12 GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR Article 15(1) GDPR Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 10.08.2022 |
Decided: | 11.10.2022 |
Published: | 17.10.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 143/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Gegevensbeschermingsautoriteit (in FR) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA ordered an employer to process an access request from its employee even though the employer claimed to have never received the request.
English Summary
Facts
The data subject submitted an access request to his employer, a school, (controller) on 7 July 2022, requesting a copy of all his personal data pursuant of Article 15(3) GDPR. He also wanted to receive a copy of the emails and notes in which he was directly and indirectly identified. In particular, he wanted the following information: internal and external documents, his administrative file, his disciplinary record, emails, manual or paper-based internal notes and logs. Lastly, the data subject requested all the elements listed in Article 15(1) GDPR, such as the purpose and legal basis of each processing operation. The data subject stated that the controller did not answer this request and did not act within one month. The data subject stated that the letter he sent was returned to him, and therefore not received by the controller.
The data subject filed a complaint at the DPA on 10 August 2022 because the controller failed to reply to the access request in a satisfactory way. According to the data subject. This resulted in a violation of Articles 15(1), Article 15(3) and Article 12(3) GDPR. The data subject requested that he would remain anonymous during his complaint procedure.
Holding
The DPA held that the controller could not refuse to give useful effect to the request for access, simply because the formulation of the request itself was incomplete, based on an erroneous provision or based on a misunderstanding or misinterpretation of the rights invoked.
Regarding the requested anonymity of the data subject, the DPA noted that the data subject had the option, provided on the form of the DPA complaint, to hide his personal data. However, the data subject was also obliged to give justification for this requested anonymity. When the data subject did not provide justification, the DPA could ask for consent to the data subject to disclose the information or close the complaint without further action.
The DPA held that the data subject was entitled to his right of access. The controller had to provide a response within one month, whether it was going to comply with the request (Article 12(3) GDPR) or not (Article 12(4) GDPR).
Without addressing a potential breach of the GDPR, the DPA ordered the controller to comply with the access request pursuant of Article 58(2)(c) GDPR and Article 95(1)(5) LCA (act establishing the data protection authority). The DPA also mentioned EDPB Guidelines 01/2022 as a tool for the controller to make its processing GDPR compliant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/8 Litigation Chamber Decision 143/2022 of October 11, 2022 File number: DOS-2022-03313 Subject: Complaint relating to the exercise of a right of access The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: Mr. X, hereinafter “the plaintiff”; . . The defendant: Y, Hereinafter: “the defendant”. . Decision 143/2022 - 2/8 I. Facts and procedure 1. On August 10, 2022, the complainant lodged a complaint with the Data Protection Authority data (APD) involving the defendant. 2. Under the latter, the complainant alleges an unsatisfactory response from the defendant to exercise its right of access (Articles 15 and 12 of the GDPR). 3. It appears from the complaint and the annexed documents that on July 7, 2022, the complainant requested the defendant a copy of all the personal data it held about him pursuant to Article 15.3. of the GDPR. 4. At the end of this same letter, the complainant also indicated that he would like to receive a copy of the email documents, notes, minutes in which he was identified directly and indirectly and in particular, according to the very terms of its complaint, which follows: - Internal documents and those sent outside, including the minutes of all orders; - His administrative file; - His disciplinary file; - The emails, including and in a non-exhaustive manner, those exchanged about him with the management, its administration, the Organizing Power, the Segec, the DPO, etc. - Manual internal notes or in paper format; - Computer logs (Logs); - … 5. Finally, still under the terms of this letter of July 7, 2022, the complainant requests that he be specified, for each processing: the related processing, its purpose, its legal basis, the source of the personal data and the persons to whom this data has been transferred. Bedroom Litigation notes that these elements refer to those listed in Article 15.1 of the GDPR. 6. The plaintiff indicates that the registered mail he sent for these purposes to the defendant returned to him and was therefore not received. No response was given to his request. within one month. 7. Under the terms of his complaint, the complainant therefore alleges a breach of both Article 15 (paragraphs 1 and 3) than in Article 12.3. of the GDPR. As far as necessary, the Chamber Litigation recalls that in any event, the formulation of a request for access (or exercise of any other right elsewhere) – even incomplete or based on a provision erroneous or in support of a misunderstanding or interpretation of the right invoked – ne Decision 143/2022 - 3/8 may serve as a pretext for the data controller not to take appropriate action. In other words, the data controller requested cannot hide behind the formulation of the request so as not to give it a useful effect and thus satisfy its 1 obligation to facilitate the exercise of the rights of data subjects (article 12.2 of the GDPR). 8. On August 12, 2022, the complaint was declared admissible by the Service de Première Ligne (SPL) of DPA on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber Litigation under Article 62, § 1 of the LCA .3 9. Upon receipt of the complaint, the Litigation Chamber noted that according to the terms of the form of complaint filed, the complainant requested that his identity be masked. 10. This request by the plaintiff follows the possibility given to him to tick the box "I request to hide my data" of the form. This possibility, however, is accompanied by the following statement: "Your contact details may be hidden for the controller if there is a serious risk that the communication of your identity to the opposing party leads to detrimental consequences. If you want use this possibility, you must check the box below and give your justification. If your anonymity hinders the processing of your complaint, the AMF may request your agreement to disclose your details anyway or if necessary classify your complaint without follow-up”. 11. On September 9, 2022, the Litigation Chamber explained to the Complainant that in view of the subject his complaint (right of access) and the documents filed as well as to allow an examination adequate of it, the Litigation Chamber sought its agreement to disclose its identity and other personal data concerning him that he had communicated to the DPA when lodging its complaint. She also told him that these data could therefore be transmitted to the school (i.e. to the defendant) that it implicated. 12. Still according to its email of September 9, 2022, the Litigation Chamber clarified to the complainant that this request was in response to the information provided to him at the terms of the complaint form that, if his anonymity hinders the processing of the complaint, the DPA may request the complainant's agreement to disclose his contact details or, where applicable, in the event of maintaining the request for "anonymity" (to be understood as requestforconfidentialitywith regardtotheparty complained of), file the complaint without further action. In this case, since the complainant requested that a response be given to his request 1See. decision 41/2020 of the Litigation Chamber (point 42). 2Under article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been declared admissible. 3Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following of this complaint, the file was forwarded to him. Decision 143/2022 - 4/8 access to personal data concerning him, the Litigation Division informed the complainant that she was unable to deal with her complaint without notifying her employer (either the defendant) of his identity. 13. On the same day, i.e. September 9, 2022, the complainant agreed to the lifting of the his "anonymity". II. Motivation 14. The GDPR grants any data subject (Art. 4.1 GDPR) a right of access such as formulated in Article 15 of the GDPR. 15. Under this Article 15, the data subject has the right, inter alia, to obtain controller confirmation that personal data the concerning are or are not processed and, when they are, access to said data to personal character as well as the following information (article 15.1. of the GDPR): the purposes of the processing (a), the categories of personal data (b), the recipients or categories of data recipients (c), retention period (d), information relating to the other rights conferred by the GDPR (e), the right to lodge a complaint with the data protection authority (f), any information relating to the source of the data when these have not been collected from the person concerned (g) and the existence automated decision-making (h). 16. Section 15.3. of the GDPR provides for its part that the data controller provides a copy of the personal data being processed. 17. As the Litigation Chamber has already had occasion to underline the right to obtain copy relates to the personal data of the data subject. In others In other words, Article 15.3 requires the controller to provide a copy of the personal data processed to the person concerned. This right to obtain a copy of the data does not entail the right for the person concerned to obtain a copy of the original document containing this data since in certain cases, the communication of this document could infringe the rights and freedoms of others (see point 19 below). below and the reference to Article 15.4. GDPR). 18. In this case, the Litigation Division is of the opinion that the plaintiff is entitled to exercise his right of access to the defendant - who is presumed to be responsible for processing in its capacity as the complainant's employer - and to obtain a response from him with due respect the terms of Article 12 of the GDPR, in particular Article 12.3. which requires a person responsible of processing that it responds to the request for access sent to it within a period of one month. 4See. decision 41/2020 of the Litigation Chamber (point 39). Decision 143/2022 - 5/8 months from receipt, unless extended. In the latter case, the person responsible for processing – here presumably the defendant – must inform the data subject, here the complainant. 19. The Litigation Chamber adds that if the defendant intended to rely on a 5 exception from which she felt she could benefit, she was nonetheless required to respond to the complainant within the same deadlines as those mentioned in point 18 above, in application of article 12.4 of the GDPR. Indeed, under this provision, "if the controller does not respond to the request made by the person concerned, he informs the latter without delay and at the latest within one month from the receipt of the request for the reasons for its inaction and the possibility of introducing a complaint to a supervisory authority and to lodge a judicial appeal”. 20. The Litigation Division considers that on the basis of the aforementioned facts reported by the complainant and the exhibits produced, it must be concluded that the defendant may have committed a violation of the provisions of the GDPR, in particular Articles 15.1 and 15.3. combined with Article 12.3. of the GDPR. 21. This observation justifies the adoption by the Litigation Chamber of a decision against it in application of Article 95, § 1, 5° of the LCA, consisting more specifically in ordering him to respond to the complainant's request for access within one month from the date of the notification of this decision, in support of the foregoing reasoning. 22. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the sole complaint lodged by the 6 complainant in the context of the “procedure prior to the substantive decision”. It is therefore not not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the ACL. 23. The purpose of this decision is to inform the defendant of the fact that she may have committed a breach of the provisions of the GDPR and to enable it to still comply with the aforementioned provisions. The Litigation Chamber draws the attention of the defendant on the existence of Guidelines of the European Committee for the Protection of data relating to the right of access .7 24. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order inside the DPA, a copy of the file may be requested by the parties. If one of 5 Section 15.4. provides in this regard that the right to obtain a copy does not infringe the rights and freedoms of others. Other exceptions provided for by national legislation may exist provided that they meet the conditions set out in Article 23 of the GDPR. 6Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive). 7 European Data Protection Board, Guidelines 01/2022 on data subject rights – right of access – version 1.0 of 18 January 2022 https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022- data-subject-rights-right_en . This document is only available in English. It was submitted to a public consultation, the results are under review. At the end of this examination, it is not excluded that the guidelines will be supplemented, even amended on certain points. Decision 143/2022 - 6/8 parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. 25. If the Respondent does not agree with the contents of this prima facie decision and believes that it can make factual and/or legal arguments that could lead to another decision, it can address to the Litigation Chamber a request processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, and this within 30 days of notification of this decision. If applicable, the execution of this decision will be suspended for the aforementioned period. 26. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their arguments in the form of conclusions and to attach to the file all the documents they will find useful. If necessary, this decision will be definitively suspended. 27. With a view to transparency, the Litigation Division finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL. III. Publication of the decision 28. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the APD. However, it is not it is not necessary for this purpose that the identification data of the parties be directly mentioned. 8Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients Datas ; 11° order the withdrawal of the approval of the certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 143/2022 - 7/8 FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with to articles 98 e.s. of the ACL: - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to comply with the plaintiff's request to exercise his rights, more precisely his right of access (article 15.1 and 15.3. of the GDPR), and this in the as soon as possible and at the latest within 30 days of notification of this decision ; - to order the defendant to inform, by e-mail, the Data Protection Authority data (Litigation Chamber) of the follow-up given to this decision, in the same 30-day period, via the e-mail address litigationchamber@apd-gba.be; and - if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party defendant. Decision 143/2022 - 8/8 Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code (C. jud.) . The interlocutory motion must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C. 10 jud. , or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sr.) Hielke H IJMANS President of the Litigation Chamber 9The request contains on penalty of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary of the grounds of the application; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 10 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.