APD/GBA (Belgium) - 11/2023: Difference between revisions

From GDPRhub
No edit summary
 
(4 intermediate revisions by 3 users not shown)
Line 67: Line 67:
}}
}}


The Belgian DPA ordered a controller to comply with an objection and erasure request pursuant to [[Index.php?title=Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. The DPA determined that the controller should also order recipients of the personal data to erase the it.
The Belgian DPA ordered a controller to comply with an objection and erasure request pursuant to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. The DPA determined that the controller should also order recipients to erase the data.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was a client of the controller until December 2021. Afterwards, the controller kept calling him, from numerous phone numbers, to sell its services. The data subject requested, orally, to delete his personal data. The controller never followed-up on these request. In April 2022, the data subject contacted the DPO with a request of erasure. The DPO confirmed that his personal data would only be used processed for legal obligations (e.g. tax purposes) and that his phone number and mail address had been deleted from the CRM. Despite this, the data subject would still receive calls from the controller through different phone numbers.
The data subject was a client of the controller until December 2021. Afterwards, the controller kept calling him, from numerous phone numbers, to sell its services. The data subject requested, orally, to delete his personal data. The controller never followed-up on this request.  
 
In April 2022, the data subject contacted the controller's DPO with a request of erasure. The DPO confirmed that his personal data would only be processed for legal obligations (e.g. tax purposes) and that his phone number and mail address had been deleted from the customer database.  
 
Despite this, the data subject would still receive calls from the controller through different phone numbers. He therefore filed a complaint with the Belgian DPA.


=== Holding ===
=== Holding ===
The DPA determined that using the phone number (or mail address) of a data subject to send him promotional materials constitutes direct marketing in the sense of [[Article 21 GDPR#2|Article 21(2) GDPR]]. The same article grants the right to object to direct marketing, meaning that the personal data can no longer be processed for direct marketing purposes pursuant [[Article 21 GDPR#3|Article 21(3) GDPR.]] As such, the controller was obliged to delete, as soon as possible and within one month in line with [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]], the phone number of the data subject unless the controller had another legal basis to process it. On top of that, the controller is obliged to inform all recipients of the phone number to delete it according to [[Article 19 GDPR|Article 19 GDPR]].
The DPA determined that using the phone number (or email address) of a data subject to send him promotional materials constituted direct marketing in the sense of [[Article 21 GDPR#2|Article 21(2) GDPR]]. The same article grants the right to object to direct marketing, meaning that the personal data can no longer be processed for direct marketing purposes pursuant [[Article 21 GDPR#3|Article 21(3) GDPR.]]  
 
As such, in line with [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]], the controller was obliged to delete, as soon as possible and within one month, the phone number of the data subject unless the controller had another legal basis to process it. On top of that, the controller is obliged to inform all recipients of the phone number to delete it according to [[Article 19 GDPR]].


The DPA held that the controllers could have breached [[Article 21 GDPR#2|Article 21(2) GDPR]], [[Article 21 GDPR#3|Article 21(3) GDPR]] and [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]] in combination with [[Article 12 GDPR#3|Article 12(3) GDPR]] by still processing the personal data for direct marketing purposes and by not erasing it as well as potentially breaching [[Article 19 GDPR|Article 19 GDPR]] by not informing recipients of the personal data to erase it.  
The DPA held that the controllers could have breached [[Article 21 GDPR#2|Article 21(2) GDPR]], [[Article 21 GDPR#3|Article 21(3) GDPR]] and [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]] in combination with [[Article 12 GDPR#3|Article 12(3) GDPR]] by still processing the personal data for direct marketing purposes and by not erasing it. The controllers could as well be breaching [[Article 19 GDPR|Article 19 GDPR]] by not ordering to recipients of the personal data to erase it.  


The DPA ordered the controller to comply with the objection and erasure request pursuant [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) LCA (Law establishing the data protection authority).
The DPA ordered the controller to comply with the objection and erasure request pursuant [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) LCA (Law establishing the data protection authority).

Latest revision as of 13:51, 28 February 2023

APD/GBA - 11/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 17(1)(c) GDPR
Article 19 GDPR
Article 21(2) GDPR
Article 21(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 09.08.2022
Decided: 13.02.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 11/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Gegevensbeschermingsautoriteit (in FR)
Initial Contributor: Enzo Marquet

The Belgian DPA ordered a controller to comply with an objection and erasure request pursuant to Article 58(2)(c) GDPR. The DPA determined that the controller should also order recipients to erase the data.

English Summary

Facts

The data subject was a client of the controller until December 2021. Afterwards, the controller kept calling him, from numerous phone numbers, to sell its services. The data subject requested, orally, to delete his personal data. The controller never followed-up on this request.

In April 2022, the data subject contacted the controller's DPO with a request of erasure. The DPO confirmed that his personal data would only be processed for legal obligations (e.g. tax purposes) and that his phone number and mail address had been deleted from the customer database.

Despite this, the data subject would still receive calls from the controller through different phone numbers. He therefore filed a complaint with the Belgian DPA.

Holding

The DPA determined that using the phone number (or email address) of a data subject to send him promotional materials constituted direct marketing in the sense of Article 21(2) GDPR. The same article grants the right to object to direct marketing, meaning that the personal data can no longer be processed for direct marketing purposes pursuant Article 21(3) GDPR.

As such, in line with Article 17(1)(c) GDPR, the controller was obliged to delete, as soon as possible and within one month, the phone number of the data subject unless the controller had another legal basis to process it. On top of that, the controller is obliged to inform all recipients of the phone number to delete it according to Article 19 GDPR.

The DPA held that the controllers could have breached Article 21(2) GDPR, Article 21(3) GDPR and Article 17(1)(c) GDPR in combination with Article 12(3) GDPR by still processing the personal data for direct marketing purposes and by not erasing it. The controllers could as well be breaching Article 19 GDPR by not ordering to recipients of the personal data to erase it.

The DPA ordered the controller to comply with the objection and erasure request pursuant Article 58(2)(c) GDPR and Article 95(1)(5) LCA (Law establishing the data protection authority).

Comment

This was a preliminary (Prima Facie) decision according to Article 95 WOG, prior to a decision on the merits.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/8





                                                                          Litigation Chamber


                                                          Decision 11/2023 of February 13, 2023





File number: DOS-2022-03252


Subject: Complaint relating to the exercise of marketing opposition rights

directly and the erasure of data




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter

“ACL”;

Having regard to the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The plaintiff: Mr. X, hereinafter “the plaintiff”; .

                                                                                                          .
                                                                                                          .
The defendant: Y, hereinafter: “the defendant”. Decision 11/2023 - 2/8



I. Facts and procedure


1. According to his complaint, the plaintiff states that he was a client of the defendant

    until December 2021.


2. He indicates that despite the fact that he was no longer a client of the defendant, he continued to

    receive after this date telephone calls from various telephone numbers (… and

    … for example) offering him services from the defendant. He adds that, in response to these

    calls, requested the deletion of his personal data without his oral requests

    are not followed up.

3. The complainant reports that he then contacted the Data Protection Officer in April 2022.

    data (DPO) of the defendant. However, he did not produce his request. Asked about this

    point in the context of the preparation of the file, the complainant indicated that he seemed to have

    sent his request via an online form of which he has no record.


4. The complainant, on the other hand, produces the response received from the DPO of the defendant on April 22, 2022.

    Under it, the DPO indicates that further to the complainant's request, "we can

    confirm that in the meantime your email address and mobile phone number have been

    erased from the CRM system of [read the defendant] and that your account (…) has also been

    removed”. The defendant adds that in accordance with Article 17.3. of the GDPR and its

    privacy policy, this deletion is not absolute. She adds that since the

    complainant is a former customer, it is authorized to retain data relating to the services

    provided (e.g. invoices) for accounting and tax purposes in a timely manner

    prescription provided. The DPO concludes by indicating that it is self-evident that these data

    will not be used to contact the complainant for solicitation purposes.


5. Notwithstanding the guarantees received from the DPO of the defendant, the plaintiff alleges

    still receiving unsolicited calls from the defendant (in the month of

    July for example) or offering him at the very least the services of the defendant, this point

    not being entirely clear in his request.

6. On August 9, 2022, the complaint is declared admissible by the SPL of the DPA on the basis of articles 58

    and 60 of the LCA and the complaint is transmitted to the Litigation Chamber under article 62,

    § 1 of the ACL .2








1
 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has
been declared admissible.
2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following
of this complaint, the file was forwarded to him. Decision 11/2023 - 3/8



II. Motivation


 7. It appears in this case that the defendant was processing personal data

       relating to the complainant, his e-mail address and his mobile phone number to all

       less, as indicated by the defendant in its email of April 22, 2022. These

       information is personal data relating to the complainant within the meaning of

       section 4.1. of the GDPR in that they allow it to be identified, here directly. The complainant
       is therefore a "data subject" within the meaning of Article 4.1. (second part) of the GDPR.


 8. These data were also subject to automated processing by the defendant at the

       meaning of Article 4.2. of the GDPR.


 9. The GDPR grants any data subject a number of rights (including the right to

       of opposition and the right to erasure relevant in the case in point) the terms of which
       of exercise and the correlative obligations for the data controller are detailed in

       article 12 of the GDPR. The Litigation Chamber here refers to article 12.3. in execution of which

       the data controller who receives a request to exercise the rights

       (Articles 15 to 22) is, subject to exceptions, required to provide the data subject with

       information on the measures taken following his request within one month.

       When the request proves to be particularly complex, this period may be extended by two

       months, but the author of the request to exercise the right must nevertheless be informed of this within the

       1 month period.


 As for the right of opposition in prospecting (“direct marketing”)

 10. The GDPR does not define what is meant by “processing for marketing purposes” or

       for the purposes of "direct marketing" according to the English terminology. In its Recommendation

       01/2020 of 17 January 2020 relating to the processing of personal data at

       direct marketing purposes, the APD indicates that it should be understood as “direct marketing”

       as “any communication, whether solicited or unsolicited, aimed at promoting a

       organization or a person, services, products, whether paid for or

       free, as well as marks or ideas, sent by an organization or a person

       acting in a commercial or non-commercial context, directly to one or more

       natural persons in a private or professional context, by any means,

       involving the processing of personal data” (page 8 of Recommendation

       - definition).

 11. The processing of a mobile phone number or an e-mail address such as that of the

       plaintiff to send him promotional offers of certain products constitutes a

       processing of personal data for prospecting purposes (direct marketing) within the meaning of



3 See. in this regard Decision 64/2020 of the Litigation Chamber (point 23):
https://autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf Decision 11/2023 - 4/8


        section 21.2. of the GDPR. In this case, the data subject is entitled to exercise his right


        objection pursuant to Article 21.2 of the GDPR. The complainant indicates in the terms of his

        complaint that he no longer wished to be contacted by the defendant and has, on several occasions,

        tried unsuccessfully to object to said processing (points 1-3) both orally and via, affirms

        he, an online form.


 12. Accordingly, the Respondent was, prima facie, required to provide the Complainant with

        information on the measures taken following the exercise of his right of opposition in the

        period of one month from receipt of his request as provided for in Article 12.3. of

        GDPR. The defendant's DPO thus confirmed to the plaintiff on April 22, 2022 that his

        telephone number and e-mail would no longer be processed for canvassing purposes

                                                                                                               6
        (commercial prospecting / direct marketing). Pursuant to Article 21.3 of the GDPR,

        when the data subject opposes the processing for prospecting purposes, the

        personal data can no longer be processed for these purposes.


 13. Notwithstanding this undertaking, the Complainant complains that he continues to receive calls

        promotional material from the defendant.


 As for the consequences of the right of opposition in terms of erasure

 14. As a result of the exercise of the right to object based on Article 21.2 of the GDPR by the


        plaintiff, the defendant was not only required to stop processing the data

        of the complainant for marketing purposes but also under the obligation, pursuant to
                                   7
        Article 17.1 c) of the GDPR, to delete the complainant's telephone number as soon as possible

        deadlines, ideally within a month. Only if it processes this same data for

        another purpose and in support of a basis of lawfulness specific to the data controller,

        here presumably the defendant, is authorized to keep it.








4 Section 21.2. of the GDPR: The controller notifies each recipient to whom the personal data
personal data have been communicated any rectification or erasure of personal data or any
restriction of processing carried out in accordance with Article 16, Article 17, paragraph 1, and Article 18, unless such
communication is impossible or requires disproportionate effort. The controller provides the

data subject information about these recipients if the data subject so requests.
5Section 12.3. of the GDPR: The controller provides the data subject with information on the measures
TAKEN FOLLOWING A REQUEST MADE IN APPLICATION OF ARTICLES 15 TO 22, AS SOON AS POSSIBLE, ATTEMPTING ANY STATE OF CASE

within one month of receipt of the request. If necessary, this period may be extended by two months,
given the complexity and number of requests.
this extension and the reasons for the postponement within one month of receipt of the request.
6Section 21.3. GDPR: . When the data subject objects to processing for prospecting purposes, the data to be

personal character are no longer processed for these purposes.
7Section 17.1. c) of the GDPR: The data subject has the right to obtain from the controller the erasure, within the
as soon as possible, of personal data concerning it and the data controller has the obligation to erase these
personal data as soon as possible, where one of the following grounds applies: (…) the person

concerned objects to the processing pursuant to Article 21, paragraph 1, and there are no overriding legitimate grounds for the
processing, or the data subject objects to the processing pursuant to Article 21(2);
8See. in this regard Decision 62/2021 of the Litigation Chamber (points 14 and s.):
https://autoriteprotectiondonnees.be/publications/advisory-62-2021.pdf Decision 11/2023 - 5/8


                                               9
 15. Pursuant to Article 19 of the GDPR, the controller is also required to

       notify any deletion of personal data carried out (in accordance with

       Article 17.1 c) of the GDPR – see. above) to each recipient to whom the data to be

       personal character would have been communicated.

 16. In the present case, the complaint and the documents in the file seem to reveal that the processing of the

       complainant’s mobile phone business continued for prospecting purposes despite

       the opposition of the latter and the assurances given by the DPO of the defendant.


 As to the decision of the Litigation Chamber

 17. The Litigation Chamber considers that on the basis of the aforementioned facts, there is reason to

       conclude that the defendant may have breached the provisions of the GDPR, in

       particular of Articles 21.2., 21.3. and 17.1.c) of the GDPR combined with Article 12.3. of the GDPR. This

       finding justifies the adoption by the Litigation Chamber of a decision against it in

       application of Article 95, § 1, 5° of the LCA, consisting more specifically in ordering him to

       follow up on the complainant's request to exercise the right of opposition within one month

       months from the notification of this decision and this, in support of the motivation which

       precedes as well as to follow up on his right to erasure within the limits set by

       the operative part of this decision.


 18. This decision is a prima facie decision taken by the Litigation Chamber

       in accordance with article 95 of the ACL on the basis of the complaint lodged by the complainant in
                                                                        10
       the framework of the “procedure prior to the substantive decision”. It is therefore not a

       decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

 19. The purpose of this decision is to inform the defendant, allegedly responsible for the

       processing, of the fact that it may have committed a breach of the provisions of the GDPR and of

       to still comply with the aforementioned provisions.


 20. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order

       inside the DPA, a copy of the file may be requested by the parties. If one of

       parties wishes to make use of the possibility of consulting the file, the latter is required to

       contact the secretariat of the Litigation Chamber, preferably via the address

       litigationchamber@apd-gba.be.

 21. If the Respondent does not agree with the content of this prima facie decision and

       believes that it can make factual and/or legal arguments that could




9Article 19 of the GDPR: The controller notifies each recipient to whom the personal data

have been communicated any rectification or erasure of personal data or any limitation of the
processing carried out in accordance with Article 16, Article 17(1) and Article 18, unless such
communication is impossible or requires disproportionate effort. The controller provides the
data subject information about these recipients if the data subject so requests.
10Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive). Decision 11/2023 - 6/8


        lead to another decision, it can address to the Litigation Chamber a request

        processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, and

        this within 30 days of notification of this decision. If applicable,

        the execution of this decision will be suspended for the aforementioned period.


 42. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°

        juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their

        conclusions and to attach to the file all the documents they deem useful. If applicable,

        this decision will be permanently suspended.


 43. With a view to transparency, the Litigation Division finally emphasizes that a

        dealing with the case on the merits may lead to the imposition of the measures mentioned in

        section 100 of the ACL. 11


 44. Finally, without this constituting any corrective measure or sanction whatsoever for the

        meaning of Article 95 of the LCA, the Litigation Chamber reminds the defendant that it

        is obliged to put in place the technical and organizational measures necessary to

        allow the exercise of the rights of the persons concerned, in particular the procedures for

        monitoring of requests to exercise rights. These procedures are all the more important

        that the defendant processes a considerable volume of data due to the nature of its

        activities and the number of people affected by them.






















11Art. 100. § 1. The litigation chamber has the power to
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronouncing the suspension of the pronouncement;
 4° to propose a transaction;
 5° issue warnings and reprimands;

 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients
     Datas ;
 11° order the withdrawal of the approval of the certification bodies;
 12° to issue periodic penalty payments;
 13° to issue administrative fines;

 14° order the suspension of cross-border data flows to another State or an international body;
 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 11/2023 - 7/8


III. Publication of the decision


 44. Given the importance of transparency regarding the decision-making process of the Chamber

       Litigation, this decision is published on the website of the Protection Authority

       data (APD). However, it is not necessary for this purpose that the data
       identification of the parties are directly mentioned.



    FOR THESE REASONS,

    the Litigation Chamber of the Data Protection Authority decides, subject to

    the introduction of a request by the defendant for treatment on the merits in accordance with

    to articles 98 e.s. of the ACL:

       - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order

           the defendant to comply with the plaintiff's request to exercise his rights,

           as soon as possible and at the latest within 30 days of notification of the

           this Decision, more specifically:

             o his right to object (art. 21.2 of the GDPR) and consequently, (a) to cease all

                 processing of the personal data of the complainant for the purposes of

                 prospecting (article 21.3 of the GDPR) as well as (b) to proceed with the deletion of

                 personal data of the complainant (article 17.1 c) of the GDPR), except to be able to
                 rely on a distinct basis of lawfulness authorizing the processing of the data

                 of the complainant for another purpose and (c) to comply with its obligation to

                 notification as provided for in Article 19 of the GDPR, or to notify the deletion

                 made to any potential recipient of the personal data of the

                 complainant;

       - to order the defendant to inform, by e-mail, the Data Protection Authority

           data (Litigation Chamber) of the follow-up given to this decision, in the

           same 30-day period, via the e-mail address litigationchamber@apd-gba.be; And

       - if the defendant does not comply in good time with what is requested of it

           above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of

           the ACL.






In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (court

d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party

defendant. Decision 11/2023 - 8/8



Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code (C. jud.) . 12


The interlocutory request must be filed with the registry of the Market Court in accordance with

article 1034quinquies of the C. jud. , or via the e-Deposit information system of the Ministry of

Justice (article 32ter of the C. jud.).










    (Sr.) Hielke H IJMANS

    President of the Litigation Chamber

















































12
  The request contains on pain of nullity:
  (1) indication of the day, month and year;
  2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
     Business Number;

  3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
  (4) the object and summary of the grounds of the application;
  (5) the indication of the judge who is seized of the application;
  6° the signature of the applicant or his lawyer.

13The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.