APD/GBA (Belgium) - 11/2023: Difference between revisions
No edit summary |
(→Facts) |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
The Belgian DPA ordered a controller to comply with an objection and erasure request pursuant to [[ | The Belgian DPA ordered a controller to comply with an objection and erasure request pursuant to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. The DPA determined that the controller should also order recipients to erase the data. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was a client of the controller until December 2021. Afterwards, the controller kept calling him, from numerous phone numbers, to sell its services. The data subject requested, orally, to delete his personal data. The controller never followed-up on | The data subject was a client of the controller until December 2021. Afterwards, the controller kept calling him, from numerous phone numbers, to sell its services. The data subject requested, orally, to delete his personal data. The controller never followed-up on this request. | ||
In April 2022, the data subject contacted the controller's DPO with a request of erasure. The DPO confirmed that his personal data would only be processed for legal obligations (e.g. tax purposes) and that his phone number and mail address had been deleted from the customer database. | |||
Despite this, the data subject would still receive calls from the controller through different phone numbers. He therefore filed a complaint with the Belgian DPA. | |||
=== Holding === | === Holding === | ||
The DPA determined that using the phone number (or | The DPA determined that using the phone number (or email address) of a data subject to send him promotional materials constituted direct marketing in the sense of [[Article 21 GDPR#2|Article 21(2) GDPR]]. The same article grants the right to object to direct marketing, meaning that the personal data can no longer be processed for direct marketing purposes pursuant [[Article 21 GDPR#3|Article 21(3) GDPR.]] | ||
As such, in line with [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]], the controller was obliged to delete, as soon as possible and within one month, the phone number of the data subject unless the controller had another legal basis to process it. On top of that, the controller is obliged to inform all recipients of the phone number to delete it according to [[Article 19 GDPR]]. | |||
The DPA held that the controllers could have breached [[Article 21 GDPR#2|Article 21(2) GDPR]], [[Article 21 GDPR#3|Article 21(3) GDPR]] and [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]] in combination with [[Article 12 GDPR#3|Article 12(3) GDPR]] by still processing the personal data for direct marketing purposes and by not erasing it as well | The DPA held that the controllers could have breached [[Article 21 GDPR#2|Article 21(2) GDPR]], [[Article 21 GDPR#3|Article 21(3) GDPR]] and [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]] in combination with [[Article 12 GDPR#3|Article 12(3) GDPR]] by still processing the personal data for direct marketing purposes and by not erasing it. The controllers could as well be breaching [[Article 19 GDPR|Article 19 GDPR]] by not ordering to recipients of the personal data to erase it. | ||
The DPA ordered the controller to comply with the objection and erasure request pursuant [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) LCA (Law establishing the data protection authority). | The DPA ordered the controller to comply with the objection and erasure request pursuant [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and Article 95(1)(5) LCA (Law establishing the data protection authority). |
Latest revision as of 13:51, 28 February 2023
APD/GBA - 11/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(3) GDPR Article 17(1)(c) GDPR Article 19 GDPR Article 21(2) GDPR Article 21(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 09.08.2022 |
Decided: | 13.02.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 11/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Gegevensbeschermingsautoriteit (in FR) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA ordered a controller to comply with an objection and erasure request pursuant to Article 58(2)(c) GDPR. The DPA determined that the controller should also order recipients to erase the data.
English Summary
Facts
The data subject was a client of the controller until December 2021. Afterwards, the controller kept calling him, from numerous phone numbers, to sell its services. The data subject requested, orally, to delete his personal data. The controller never followed-up on this request.
In April 2022, the data subject contacted the controller's DPO with a request of erasure. The DPO confirmed that his personal data would only be processed for legal obligations (e.g. tax purposes) and that his phone number and mail address had been deleted from the customer database.
Despite this, the data subject would still receive calls from the controller through different phone numbers. He therefore filed a complaint with the Belgian DPA.
Holding
The DPA determined that using the phone number (or email address) of a data subject to send him promotional materials constituted direct marketing in the sense of Article 21(2) GDPR. The same article grants the right to object to direct marketing, meaning that the personal data can no longer be processed for direct marketing purposes pursuant Article 21(3) GDPR.
As such, in line with Article 17(1)(c) GDPR, the controller was obliged to delete, as soon as possible and within one month, the phone number of the data subject unless the controller had another legal basis to process it. On top of that, the controller is obliged to inform all recipients of the phone number to delete it according to Article 19 GDPR.
The DPA held that the controllers could have breached Article 21(2) GDPR, Article 21(3) GDPR and Article 17(1)(c) GDPR in combination with Article 12(3) GDPR by still processing the personal data for direct marketing purposes and by not erasing it. The controllers could as well be breaching Article 19 GDPR by not ordering to recipients of the personal data to erase it.
The DPA ordered the controller to comply with the objection and erasure request pursuant Article 58(2)(c) GDPR and Article 95(1)(5) LCA (Law establishing the data protection authority).
Comment
This was a preliminary (Prima Facie) decision according to Article 95 WOG, prior to a decision on the merits.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/8 Litigation Chamber Decision 11/2023 of February 13, 2023 File number: DOS-2022-03252 Subject: Complaint relating to the exercise of marketing opposition rights directly and the erasure of data The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: Mr. X, hereinafter “the plaintiff”; . . . The defendant: Y, hereinafter: “the defendant”. Decision 11/2023 - 2/8 I. Facts and procedure 1. According to his complaint, the plaintiff states that he was a client of the defendant until December 2021. 2. He indicates that despite the fact that he was no longer a client of the defendant, he continued to receive after this date telephone calls from various telephone numbers (… and … for example) offering him services from the defendant. He adds that, in response to these calls, requested the deletion of his personal data without his oral requests are not followed up. 3. The complainant reports that he then contacted the Data Protection Officer in April 2022. data (DPO) of the defendant. However, he did not produce his request. Asked about this point in the context of the preparation of the file, the complainant indicated that he seemed to have sent his request via an online form of which he has no record. 4. The complainant, on the other hand, produces the response received from the DPO of the defendant on April 22, 2022. Under it, the DPO indicates that further to the complainant's request, "we can confirm that in the meantime your email address and mobile phone number have been erased from the CRM system of [read the defendant] and that your account (…) has also been removed”. The defendant adds that in accordance with Article 17.3. of the GDPR and its privacy policy, this deletion is not absolute. She adds that since the complainant is a former customer, it is authorized to retain data relating to the services provided (e.g. invoices) for accounting and tax purposes in a timely manner prescription provided. The DPO concludes by indicating that it is self-evident that these data will not be used to contact the complainant for solicitation purposes. 5. Notwithstanding the guarantees received from the DPO of the defendant, the plaintiff alleges still receiving unsolicited calls from the defendant (in the month of July for example) or offering him at the very least the services of the defendant, this point not being entirely clear in his request. 6. On August 9, 2022, the complaint is declared admissible by the SPL of the DPA on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the Litigation Chamber under article 62, § 1 of the ACL .2 1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been declared admissible. 2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following of this complaint, the file was forwarded to him. Decision 11/2023 - 3/8 II. Motivation 7. It appears in this case that the defendant was processing personal data relating to the complainant, his e-mail address and his mobile phone number to all less, as indicated by the defendant in its email of April 22, 2022. These information is personal data relating to the complainant within the meaning of section 4.1. of the GDPR in that they allow it to be identified, here directly. The complainant is therefore a "data subject" within the meaning of Article 4.1. (second part) of the GDPR. 8. These data were also subject to automated processing by the defendant at the meaning of Article 4.2. of the GDPR. 9. The GDPR grants any data subject a number of rights (including the right to of opposition and the right to erasure relevant in the case in point) the terms of which of exercise and the correlative obligations for the data controller are detailed in article 12 of the GDPR. The Litigation Chamber here refers to article 12.3. in execution of which the data controller who receives a request to exercise the rights (Articles 15 to 22) is, subject to exceptions, required to provide the data subject with information on the measures taken following his request within one month. When the request proves to be particularly complex, this period may be extended by two months, but the author of the request to exercise the right must nevertheless be informed of this within the 1 month period. As for the right of opposition in prospecting (“direct marketing”) 10. The GDPR does not define what is meant by “processing for marketing purposes” or for the purposes of "direct marketing" according to the English terminology. In its Recommendation 01/2020 of 17 January 2020 relating to the processing of personal data at direct marketing purposes, the APD indicates that it should be understood as “direct marketing” as “any communication, whether solicited or unsolicited, aimed at promoting a organization or a person, services, products, whether paid for or free, as well as marks or ideas, sent by an organization or a person acting in a commercial or non-commercial context, directly to one or more natural persons in a private or professional context, by any means, involving the processing of personal data” (page 8 of Recommendation - definition). 11. The processing of a mobile phone number or an e-mail address such as that of the plaintiff to send him promotional offers of certain products constitutes a processing of personal data for prospecting purposes (direct marketing) within the meaning of 3 See. in this regard Decision 64/2020 of the Litigation Chamber (point 23): https://autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf Decision 11/2023 - 4/8 section 21.2. of the GDPR. In this case, the data subject is entitled to exercise his right objection pursuant to Article 21.2 of the GDPR. The complainant indicates in the terms of his complaint that he no longer wished to be contacted by the defendant and has, on several occasions, tried unsuccessfully to object to said processing (points 1-3) both orally and via, affirms he, an online form. 12. Accordingly, the Respondent was, prima facie, required to provide the Complainant with information on the measures taken following the exercise of his right of opposition in the period of one month from receipt of his request as provided for in Article 12.3. of GDPR. The defendant's DPO thus confirmed to the plaintiff on April 22, 2022 that his telephone number and e-mail would no longer be processed for canvassing purposes 6 (commercial prospecting / direct marketing). Pursuant to Article 21.3 of the GDPR, when the data subject opposes the processing for prospecting purposes, the personal data can no longer be processed for these purposes. 13. Notwithstanding this undertaking, the Complainant complains that he continues to receive calls promotional material from the defendant. As for the consequences of the right of opposition in terms of erasure 14. As a result of the exercise of the right to object based on Article 21.2 of the GDPR by the plaintiff, the defendant was not only required to stop processing the data of the complainant for marketing purposes but also under the obligation, pursuant to 7 Article 17.1 c) of the GDPR, to delete the complainant's telephone number as soon as possible deadlines, ideally within a month. Only if it processes this same data for another purpose and in support of a basis of lawfulness specific to the data controller, here presumably the defendant, is authorized to keep it. 4 Section 21.2. of the GDPR: The controller notifies each recipient to whom the personal data personal data have been communicated any rectification or erasure of personal data or any restriction of processing carried out in accordance with Article 16, Article 17, paragraph 1, and Article 18, unless such communication is impossible or requires disproportionate effort. The controller provides the data subject information about these recipients if the data subject so requests. 5Section 12.3. of the GDPR: The controller provides the data subject with information on the measures TAKEN FOLLOWING A REQUEST MADE IN APPLICATION OF ARTICLES 15 TO 22, AS SOON AS POSSIBLE, ATTEMPTING ANY STATE OF CASE within one month of receipt of the request. If necessary, this period may be extended by two months, given the complexity and number of requests. this extension and the reasons for the postponement within one month of receipt of the request. 6Section 21.3. GDPR: . When the data subject objects to processing for prospecting purposes, the data to be personal character are no longer processed for these purposes. 7Section 17.1. c) of the GDPR: The data subject has the right to obtain from the controller the erasure, within the as soon as possible, of personal data concerning it and the data controller has the obligation to erase these personal data as soon as possible, where one of the following grounds applies: (…) the person concerned objects to the processing pursuant to Article 21, paragraph 1, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); 8See. in this regard Decision 62/2021 of the Litigation Chamber (points 14 and s.): https://autoriteprotectiondonnees.be/publications/advisory-62-2021.pdf Decision 11/2023 - 5/8 9 15. Pursuant to Article 19 of the GDPR, the controller is also required to notify any deletion of personal data carried out (in accordance with Article 17.1 c) of the GDPR – see. above) to each recipient to whom the data to be personal character would have been communicated. 16. In the present case, the complaint and the documents in the file seem to reveal that the processing of the complainant’s mobile phone business continued for prospecting purposes despite the opposition of the latter and the assurances given by the DPO of the defendant. As to the decision of the Litigation Chamber 17. The Litigation Chamber considers that on the basis of the aforementioned facts, there is reason to conclude that the defendant may have breached the provisions of the GDPR, in particular of Articles 21.2., 21.3. and 17.1.c) of the GDPR combined with Article 12.3. of the GDPR. This finding justifies the adoption by the Litigation Chamber of a decision against it in application of Article 95, § 1, 5° of the LCA, consisting more specifically in ordering him to follow up on the complainant's request to exercise the right of opposition within one month months from the notification of this decision and this, in support of the motivation which precedes as well as to follow up on his right to erasure within the limits set by the operative part of this decision. 18. This decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the ACL on the basis of the complaint lodged by the complainant in 10 the framework of the “procedure prior to the substantive decision”. It is therefore not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA. 19. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, of the fact that it may have committed a breach of the provisions of the GDPR and of to still comply with the aforementioned provisions. 20. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order inside the DPA, a copy of the file may be requested by the parties. If one of parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. 21. If the Respondent does not agree with the content of this prima facie decision and believes that it can make factual and/or legal arguments that could 9Article 19 of the GDPR: The controller notifies each recipient to whom the personal data have been communicated any rectification or erasure of personal data or any limitation of the processing carried out in accordance with Article 16, Article 17(1) and Article 18, unless such communication is impossible or requires disproportionate effort. The controller provides the data subject information about these recipients if the data subject so requests. 10Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive). Decision 11/2023 - 6/8 lead to another decision, it can address to the Litigation Chamber a request processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, and this within 30 days of notification of this decision. If applicable, the execution of this decision will be suspended for the aforementioned period. 42. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and to attach to the file all the documents they deem useful. If applicable, this decision will be permanently suspended. 43. With a view to transparency, the Litigation Division finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL. 11 44. Finally, without this constituting any corrective measure or sanction whatsoever for the meaning of Article 95 of the LCA, the Litigation Chamber reminds the defendant that it is obliged to put in place the technical and organizational measures necessary to allow the exercise of the rights of the persons concerned, in particular the procedures for monitoring of requests to exercise rights. These procedures are all the more important that the defendant processes a considerable volume of data due to the nature of its activities and the number of people affected by them. 11Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients Datas ; 11° order the withdrawal of the approval of the certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 11/2023 - 7/8 III. Publication of the decision 44. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority data (APD). However, it is not necessary for this purpose that the data identification of the parties are directly mentioned. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with to articles 98 e.s. of the ACL: - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to comply with the plaintiff's request to exercise his rights, as soon as possible and at the latest within 30 days of notification of the this Decision, more specifically: o his right to object (art. 21.2 of the GDPR) and consequently, (a) to cease all processing of the personal data of the complainant for the purposes of prospecting (article 21.3 of the GDPR) as well as (b) to proceed with the deletion of personal data of the complainant (article 17.1 c) of the GDPR), except to be able to rely on a distinct basis of lawfulness authorizing the processing of the data of the complainant for another purpose and (c) to comply with its obligation to notification as provided for in Article 19 of the GDPR, or to notify the deletion made to any potential recipient of the personal data of the complainant; - to order the defendant to inform, by e-mail, the Data Protection Authority data (Litigation Chamber) of the follow-up given to this decision, in the same 30-day period, via the e-mail address litigationchamber@apd-gba.be; And - if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party defendant. Decision 11/2023 - 8/8 Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code (C. jud.) . 12 The interlocutory request must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C. jud. , or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sr.) Hielke H IJMANS President of the Litigation Chamber 12 The request contains on pain of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary of the grounds of the application; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 13The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.