APD/GBA (Belgium) - 161/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(11 intermediate revisions by 2 users not shown)
Line 65: Line 65:
}}
}}


The Belgian DPA dismissed a complaint of a data subject who received unwanted marketing e-mails. The GDPR was not applicable because the controller was not established in the EEA ([[Article 3 GDPR|Article 3(1) GDPR)]], it only offered its services incidentally to data subjects in the EEA and it did not use the Euro as accepted currency for payments ([[Article 3 GDPR|Article 3(2) GDPR]]).  
The Belgian DPA dismissed a complaint concerning unwanted marketing e-mails. The GDPR was not applicable because the controller did not have any establishments in the EEA ([[Article 3 GDPR|Article 3(1) GDPR]]), there was no offering of goods and services to data subjects in the EEA ([[Article 3 GDPR#2a|Article 3(2)(a) GPDR]]) nor did any monitoring of EU-based individuals take place ([[Article 3 GDPR|Article 3(2)(b) GDPR]]).  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject received marketing e-mails twice from a controller in the United Stated (US). This controller had the goal of creating a platform for discussing the challenges and triumphs of Jewish Women by offering writing-workshops and selling a book, which was only available in English. The controller did not accept the Euro as currency for payments. The book could only be delivered to adresses in the US, Canada, and Israel. The data subject claimed it never had any contact with the controller. The controller aldo failed to respond to an erasure request from the data subject within one month. ([[Article 17 GDPR|Article 17]] GDPR).  
The data subject received marketing e-mails twice from a controller in the United Stated (US). This controller had the goal of creating a platform for discussing the challenges and triumphs of Jewish Women by offering writing-workshops and selling a book, which was only available in English. The controller did not accept the Euro as currency for payments. The book could only be delivered to addresses in the US, Canada, and Israel. The data subject claimed it never had any contact with the controller. The controller also failed to respond to an erasure request from the data subject within one month. ([[Article 17 GDPR|Article 17]] GDPR).  


=== Holding ===
=== Holding ===
The Belgian DPA issued a technical dismissal because the DPA was not authorized to handle the case due to a lack of GDPR applicability. The DPA held that [[Article 3 GDPR|Article 3(1) GDPR]] was not applicable, because the controller was established in the US and had no establishment in the European Economic Area (EEA). The DPA also determined that [[Article 3 GDPR|Article 3(2) GDPR]] did not apply. The controller did not comply with all three cumulative requirements for GDPR applicability under [[Article 3 GDPR|Article 3(2) GDPR]]. The controller complied with the first requirement by not being established in the EEA. However, the controller did not comply with the second requirement because it was not clear whether or not the data subject was actually in EEA territory when he received the e-mails. The controller also failed to comply with the third requirement, because the processing did not relate to ''<nowiki/>'offering of service''s' or ''<nowiki/>'monitoring of behaviour'''
The Belgian DPA issued a technical dismissal because the DPA was not authorized to handle the case due to a lack of GDPR applicability. The DPA held that [[Article 3 GDPR#1|Article 3(1) GDPR]] was not applicable, because the controller was established in the US and had no establishment in the European Economic Area (EEA).  


The DPA determined that there was no ‘''offering of goods and services’'' specifically to data subjects in the EEA ([[Article 3 GDPR|Article 3(2)(a) GPDR]]). Several elements could be taken into account for this assessment, looking at the specifics of this case ''(‘in concreto’'').  The DPA recited several elements from recital 23 which provide not enough evidence on its own, such as the accessibility of the controller’s website in the EEA and the posting of an e-mail address, geographical address or phone number without international code on its website. The DPA also referred to [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf EDPB guidelines 03/2018] to support its argument. These guidelines state that in case controllers offer goods and services incidentally or unintentionally to data subjects in the EEA, then any related processing of personal data does not fall under the GDPR.  
The DPA also determined that [[Article 3 GDPR#2|Article 3(2) GDPR]] did not apply. First, the DPA noted that it was not clear from the complaint whether or not the data subject was located in the EEA when he received the e-mails.    


Since the only available language for the book and workshops was English, the fact that the book could only be delivered in the US, Canada and Israel and the fact that it was only possible to pay in Dollars and Sjekel, the DPA determined that there was no ''offering of goods and services''. The DPA also concluded that there no ''monitoring of behaviour'' because there were no facts in the present case to support this. Therefore, [[Article 3 GDPR|Article 3(2)(a) GDPR]] was not applicable. '' ''
Second, the DPA determined that there was no ‘''offering of goods and services’'' specifically to data subjects in the EEA ([[Article 3 GDPR#2a|Article 3(2)(a) GPDR]]). The DPA stated that this ‘''offering of goods and services''’ had to be understood as an offering specifically - and not "incidentally" ([https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf EDPB guidelines 03/2018]) - aimed at data subjects in the EEA. The DPA named several examples which could indicate such specific offering, such as using one of the languages used in the EEA or the possibility to pay in Euro for the products and services. However, in the present case, the only available language for the book and workshops was English, the book could only be delivered in the US, Canada and Israel and the fact that it was only possible to pay in Dollars and Shekel. Therefore, the DPA determined that there was no ''offering of goods and services'' ([[Article 3 GDPR#2a|Article 3(2)(a) GPDR]]).  


The DPA also stated that no other legislation regarding data protection was applicable. Therefore, the DPA was not authorized. It refered to the USA authorities to apply the GDPR in this case.  
Third, the DPA also held that there was no ''monitoring of behaviour'' ([[Article 3 GDPR|Article 3(2)(b) GDPR]]) because there were no facts in the present case to support this. The DPA also stated that no other legislation regarding data protection was applicable. Therefore, the DPA was not authorized to handle this complaint.  


The DPA dismissed the complaint (Article 95(1)(3) LCA).  
The DPA dismissed the complaint (Article 95(1)(3) LCA) (Act estblishing the data protection authority).


== Comment ==
== Comment ==
''Share your comments here!''
The DPA seems to have made a small mistake in paragraph 13 of the decision. When describing that there was no monitoring of behaviour of data subjects, the DPA reffered to [[Article 3 GDPR#2a|Article 3(2)(a) GPDR]], whereas this most likely should have been [[Article 3 GDPR|Article 3(2)(b) GDPR]].


== Further Resources ==
== Further Resources ==

Latest revision as of 15:30, 23 November 2022

APD/GBA - 161/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 3(1) GDPR
Article 3(2) GDPR
Article 17 GDPR
Article 77 GDPR
Type: Complaint
Outcome: Other Outcome
Started: 29.08.2022
Decided: 08.11.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 161/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA dismissed a complaint concerning unwanted marketing e-mails. The GDPR was not applicable because the controller did not have any establishments in the EEA (Article 3(1) GDPR), there was no offering of goods and services to data subjects in the EEA (Article 3(2)(a) GPDR) nor did any monitoring of EU-based individuals take place (Article 3(2)(b) GDPR).

English Summary

Facts

The data subject received marketing e-mails twice from a controller in the United Stated (US). This controller had the goal of creating a platform for discussing the challenges and triumphs of Jewish Women by offering writing-workshops and selling a book, which was only available in English. The controller did not accept the Euro as currency for payments. The book could only be delivered to addresses in the US, Canada, and Israel. The data subject claimed it never had any contact with the controller. The controller also failed to respond to an erasure request from the data subject within one month. (Article 17 GDPR).  

Holding

The Belgian DPA issued a technical dismissal because the DPA was not authorized to handle the case due to a lack of GDPR applicability. The DPA held that Article 3(1) GDPR was not applicable, because the controller was established in the US and had no establishment in the European Economic Area (EEA).

The DPA also determined that Article 3(2) GDPR did not apply. First, the DPA noted that it was not clear from the complaint whether or not the data subject was located in the EEA when he received the e-mails.

Second, the DPA determined that there was no ‘offering of goods and services’ specifically to data subjects in the EEA (Article 3(2)(a) GPDR). The DPA stated that this ‘offering of goods and services’ had to be understood as an offering specifically - and not "incidentally" (EDPB guidelines 03/2018) - aimed at data subjects in the EEA. The DPA named several examples which could indicate such specific offering, such as using one of the languages used in the EEA or the possibility to pay in Euro for the products and services. However, in the present case, the only available language for the book and workshops was English, the book could only be delivered in the US, Canada and Israel and the fact that it was only possible to pay in Dollars and Shekel. Therefore, the DPA determined that there was no offering of goods and services (Article 3(2)(a) GPDR).

Third, the DPA also held that there was no monitoring of behaviour (Article 3(2)(b) GDPR) because there were no facts in the present case to support this. The DPA also stated that no other legislation regarding data protection was applicable. Therefore, the DPA was not authorized to handle this complaint.

The DPA dismissed the complaint (Article 95(1)(3) LCA) (Act estblishing the data protection authority).

Comment

The DPA seems to have made a small mistake in paragraph 13 of the decision. When describing that there was no monitoring of behaviour of data subjects, the DPA reffered to Article 3(2)(a) GPDR, whereas this most likely should have been Article 3(2)(b) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/6







                                                                                  Dispute room



                                                     Decision 161/2022 of 8 November 2022





File number : DOS-2022-03527



Subject : Complaint for failure to comply with a request for
data erasure


The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman, sitting alone;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                  .

The complainant: Mr X, hereinafter referred to as “the complainant”; .

                                                                                                  .

The Defendant: Y, hereinafter referred to as “the Defendant”. Decision 161/2022 - 2/6




I. Facts procedure


1. On 29 August 2022, the complainant lodged a complaint with the Data Protection Authority against the

    defendant.


    The complaint concerns the unsolicited sending of newsletters by the defendant. The complainant states that

    he received unwanted emails from the defendant on July 19, 2022 and August 29, 2022,

    despite the fact that he never had contact with the defendant. On 20 July 2022, the complainant heeft

    his request for the right to erasure exercised in accordance with Article 17 GDPR at

    regard to the defendant. However, he was not allowed to receive an answer to this within the legal framework
    provided period of 1 month.


2. On October 11, 2022, the complaint will be declared admissible by the Frontline Service on the basis of the

    Articles 58 and 60 of the WOG and the complaint pursuant to Article 62, §1 of the WOG is forwarded to the

    Dispute room.





II. Justification


3. Based on the elements in the file known to the Disputes Chamber and on the basis of the

    powers assigned to it by the legislator on the basis of Article 95, §1 WOG, the

    Disputes room about the further follow-up of the file; in this case, the Disputes Chamber proceeds to:

    the dismissal of the complaint in accordance with Article 95, §1, 3° WOG, based on the following

    motivation.

4. In the event of a dismissal, the Disputes Chamber must gradually investigate and motivate: 1


    - whether there is insufficient prospect of a conviction, after which a technical dismissal follows;

    - whether a successful conviction would be technically feasible but on grounds, in general

        interest, a (further) prosecution is undesirable, followed by a policy dismissal.


    In the event that more than one soil is disposed of, the discarded soils (or technical
                                                                          2
    and policy dismissal) should be treated in order of importance.


5. Based on the information currently available to the Disputes Chamber, it considers it

    impossible to follow up on the complaint for the reasons that will be explained below

    explained. Consequently, it decides to proceed with a technical dismissal.


6. So that the Disputes Chamber - to which the complainant relied on the basis of Article 77 of the GDPR -
    would be competent to handle his complaint, it is in the first place necessary that the GDPR



1
 cf. judgment of the Brussels Court of Appeal (Marktenhof), 2 September 2020, no. 2020/5460, 18.
2Ibid. Decision 161/2022 - 3/6




    applies to the facts at issue or whether other legislation relating to

    data protection that may form the basis of the jurisdiction of the Disputes Chamber, of

    applies.

7. The AVG only applies if the data processing is within the scope of the AVG

    fall.


8. With regard to the territorial scope of the GDPR, Article 3 of the GDPR assumes

    of two different cases. In the first case (Article 3.1 of the GDPR), the

    data processing carried out in the context of the activities of an establishment of a

    controller in the territory of the European Economic Area. This first
                                                                    3
    hypothesis therefore presupposes the existence of an establishment on the territory of European
    Economic Area. The complaint in the present case is against a legal person who is

    United States of which there is no establishment in the territory of the European

    Economic Area exists. Article 3.1. of the GDPR therefore does not apply.


9. The second case provided for in article 3.2GDPR specifies that the GDPR applies to the processing

    of personal data that meet the following three cumulative conditions:


      - the processing was carried out by a controller who is not established in the

         European Economic Area;
      - the processing concerns data subjects who are located on the territory of the European

         Economic Area; and

      - these processing activities are related to:

         a) offering goods or services to these data subjects (Article 3.2.a) GDPR) or

         b) monitoring their behavior, insofar as this behavior in the European Economic Area

         takes place (Article 3.2.b) GDPR).



10. On the basis of the documents in the file, the Disputes Chamber is of the opinion that in this case this

    cumulative conditions are met. With regard to the first condition, the Disputes Chamber

    established that the defendant is indeed not established in the European Economic Area. For what

    Concerning the second condition, the Disputes Chamber notes that it is not clear from the complaint whether the
    the complainant was located in the territory of the European Economic Area. Assuming

    that the complainant was indeed located in the territory of the European Economic Area in the

    at the time of the alleged facts - which is therefore not clear from the complaint - has not been fulfilled

    to the third condition. The processing activity in question is not related to "offering

    of goods and services" , nor with "monitoring of data subjects' behaviour".




3The concept of establishment is explained in recital 22: Establishment presupposes the effective and effective exercise of
activities through sustainable relationships. The legal form of such relationships, whether a branch or a
subsidiary with legal personality, is not decisive in this regard. Decision 161/2022 - 4/6




11. The offering of goods and services should be understood as an offer of goods and

    services specifically aimed at data subjects in the European Economic Area

    (for example, on a website located outside the borders of the European Economic Area, which

    offer goods and services in one of the languages of the European Economic Area, with

    possibility to pay in euros, etc.) . These elements must be assessed in concrete terms

    to determine whether goods and services are being offered. 5 The

    Litigation Chamber recalls that Recital 23 confirms that the accessibility of the website

    of the controller, processor or an intermediary in the European Economic Area

    Space, the mention on the website of his e-mail or geographical address, or of his telephone number

    without an international code, does not in itself constitute sufficient evidence that the

    controller or processor intends to offer goods or services

    to a data subject in the European Economic Area. In this regard, the Disputes Chamber refers

    to the Guidelines of the European Data Protection Board (EDPB) stating that

    when goods or services are inadvertently or incidentally supplied to a person on the

    territory of the European Economic Area, the related processing of

    personal data does not fall under the territorial scope of the GDPR. 6


12. In this case, the purpose of the controller is to create an (English) platform

    where insights and experiences can be shared about the challenges and triumphs of

    Jewish women. In this context, writing workshops as well as a book with testimonials

    of Jewish women in Israel for sale. The workshops and the book are only available in

    in English and are also only offered for sale against payment in dollars and shekels. The book can

    also only be delivered within the United States of America and Canada on the one hand and Israel

    on the other hand. The Disputes Chamber therefore concludes that there is no question of an offer of

    goodsandservicesspecificallyfocusedonthepersonsintheEuropeanEconomicSpace

    in accordance with Article 3.2.a) GDPR.


13. By "monitoring the behavior of the data subjects", it is understood, the

    trackingactivitiesofthebehaviourontheinternetbutnotjustthat. More generally it's possible

    include activities to monitor the behavior of data subjects, such as behavioral advertising,

    geolocation for direct marketing purposes, the use of cookies or surveillance cameras. There is

    also the condition that this behavior must take place within the European Economic Area. From the



4see Article 29 Data Working Party, EU General Data Protection Regulation: General Information Document, p.2, available at
https://www.appaforum.org/wp-content/uploads/2019/10/appa-gdpr-general-information-document.pdf.

5D. SVANTESSON “Article 3. Territorial scope”, in C. KUNER. the EU General Data Protection Regulation, A Commentary, Oxford University
Press 2020, p. 90.
6
  EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 18, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf.
7 EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 19, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
8
  EDPB Guidelines 3/2018 on the territorial scope of the GDPR (art. 3) dated. November 19, 2019, p. 20, available at
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf Decision 161/2022 - 5/6




    There is no indication in the complaint that there would be any monitoring of the behavior of the person concerned. The
    The Disputes Chamber therefore concludes that there is no monitoring of the behavior of

    data subjects in accordance with Article 3.2.a) GDPR.


14. In view of the above, the Disputes Chamber decides that the GDPR does not apply to the facts

    presented in the complaint.


15. The Disputes Chamber also notes that with regard to the facts in the present complaint, no

    some other legislation on the protection of personal data applies which means that
    there are no elements giving rise to its competence. In that case, it belongs to the

    competent US authorities to apply the GDPR in this case.


16. Since the GDPR does not apply in this case, nor does any other legislation containing provisions

    contains on the protection of the processing of personal data, which could be the basis

    constitute the competence of the Data Protection Authority, it is not possible that the

    The Disputes Chamber will handle your complaint. Pursuant to art. 95, §1, 3° of the law of 3

    December 2017 establishing the Data Protection Authority, the Disputes Chamber decides
    consequently to dismiss the complaint.





III.Publication of the decision


17. In view of the importance of transparency with regard to the decision-making of the Disputes Chamber,

    this decision will be published on the website of the Data Protection Authority. It is

    however, it is not necessary for the identification of the parties to be directly used for this purpose

    announced.



    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

    - pursuant to art. 95, §1, 3° WOG to dismiss the complaint.





Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as Defendant.


Such an appeal may be lodged by means of an adversarial petition that the
                                                                                  9
1034terof the Judicial Code, the statements listed should contain .The application to



9The petition states on pain of nullity: Decision 161/2022 - 6/6




contradiction must be submitted to the registry of the Market Court in accordance with Article

1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter


of the Ger.W.).







(get). Hielke Hijmans

Chairman of the Disputes Chamber

























































  1° the day, month and year;
  2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or

     company number;
  3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned;
  4° the subject matter and the brief summary of the grounds of the claim;
  5° the court before whom the claim is brought;
  6° the signature of the applicant or of his lawyer.

10The application with its annex shall be sent, in as many copies as there are interested parties, by registered letter to the
clerk of the court or at the registry.