APD/GBA (Belgium) - 17/2023: Difference between revisions
No edit summary |
No edit summary |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 71: | Line 71: | ||
}} | }} | ||
A data subject noticed that his national register file was consulted twice and did not get the requested explanation from the municipality. The Belgian DPA ordered the municipality to comply with the access request | A data subject noticed that his national register file was consulted twice and did not get the requested explanation from the municipality. The Belgian DPA ordered the municipality to comply with the access request and recommended to log the access to the national registry as a security measure. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The controller was a city municipality and the data subject, a citizen of that municipality. The data subject noticed that his national register file had been consulted by the controller. On the 10 November 2022, he contacted their DPO for more information on the consultation . On 16 November, the data subject noticed a new consultation and contacted the DPO again requesting an explanation. However, both requests remained unanswered. | The controller was a city municipality and the data subject, a citizen of that municipality. The data subject noticed that his national register file had been consulted by the controller. On the 10 November 2022, he contacted their DPO for more information on the consultation. On 16 November, the data subject noticed a new consultation and contacted the DPO again requesting an explanation. However, both requests remained unanswered. | ||
=== Holding === | === Holding === | ||
The DPA reinstated that [[article 15 GDPR#1a|Article 15(1)(a) GDPR]] grants each data subject the right to obtain information about the processing of their personal data. The DPA confirmed that the data subject exercised his right correctly and that a controller | The DPA reinstated that [[article 15 GDPR#1a|Article 15(1)(a) GDPR]] grants each data subject the right to obtain information about the processing of their personal data. The DPA confirmed that the data subject exercised his right correctly and that a controller was obliged to answer such request within 1 month under [[article 12 GDPR#3|Article 12(3) GDPR]], which the controller did not do in this case. | ||
The DPA | The DPA also suggested that controller implements appropriate security measures to protect the personal data against unauthorised access as stipulated in [[article 5 GDPR#1f|Article 5(1)(f) GDPR]]. The DPA referred to [[article 32 GDPR|Article 32 GDPR]] and recommended a logging measure and to keep track of the log ins. This practice is not especially included in [[article 32 GDPR|Article 32]] but is listed in Article 17 of the national law organising a national register for natural persons. | ||
Given the above, the DPA concluded that the controller may have violated, among others, [[article 15 GDPR#1|Article 15(1) GDPR]] by not providing an answer to the access request and ordered the controller to comply with said access request of the data subject. | Given the above, the DPA concluded that the controller may have violated, among others, [[article 15 GDPR#1|Article 15(1) GDPR]] by not providing an answer to the access request and ordered the controller to comply with said access request of the data subject. |
Latest revision as of 15:21, 8 March 2023
APD/GBA - 17/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 15(1)(a) GDPR Article 32 GDPR Article 17 Loi organisant un registre national des personnes physiques |
Type: | Complaint |
Outcome: | Upheld |
Started: | 03.02.2023 |
Decided: | 01.03.2023 |
Published: | 06.03.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 17/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Gegevensbeschermingsautoriteit (in FR) |
Initial Contributor: | Enzo Marquet |
A data subject noticed that his national register file was consulted twice and did not get the requested explanation from the municipality. The Belgian DPA ordered the municipality to comply with the access request and recommended to log the access to the national registry as a security measure.
English Summary
Facts
The controller was a city municipality and the data subject, a citizen of that municipality. The data subject noticed that his national register file had been consulted by the controller. On the 10 November 2022, he contacted their DPO for more information on the consultation. On 16 November, the data subject noticed a new consultation and contacted the DPO again requesting an explanation. However, both requests remained unanswered.
Holding
The DPA reinstated that Article 15(1)(a) GDPR grants each data subject the right to obtain information about the processing of their personal data. The DPA confirmed that the data subject exercised his right correctly and that a controller was obliged to answer such request within 1 month under Article 12(3) GDPR, which the controller did not do in this case.
The DPA also suggested that controller implements appropriate security measures to protect the personal data against unauthorised access as stipulated in Article 5(1)(f) GDPR. The DPA referred to Article 32 GDPR and recommended a logging measure and to keep track of the log ins. This practice is not especially included in Article 32 but is listed in Article 17 of the national law organising a national register for natural persons.
Given the above, the DPA concluded that the controller may have violated, among others, Article 15(1) GDPR by not providing an answer to the access request and ordered the controller to comply with said access request of the data subject.
Comment
This was a preliminary (prima facie) decision according to Article 95 WOG, prior to a decision on the merits.
Further Resources
Share blogs or news Articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/6 Litigation Chamber Decision 17/2023 of March 1, 2023 File number: DOS-2023-00290 Subject: consultation of the national register and lack of response to the exercise of the right access The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: X, hereinafter “the plaintiff”; . . . The defendant: Commune Y, hereinafter: “the defendant”. Decision 17/2023 – 2/6 I. Facts and procedure 1. The subject of the complaint concerns the consultation of the complainant's national register file by Commune Y and the lack of response to its request for access. The complainant noted that his national registry file had been consulted by the municipality Y on May 25, 2022. After calling the municipality in June, he contacted the data protection officer of the municipality by email on November 10, 2022 after midday asking for explanations about this consultation. This email would have remained without answer. On November 16, 2022, the complainant noticed that a new consultation of its data from the national register took place on November 10, 2022 in the morning. He writes to again to the data protection officer of the municipality to justify these different consultations. This email would also have remained unanswered. 2. On February 3, 2023, the complainant lodged a complaint with the Data Protection Authority given against the defendant. 3. On the same day, the complaint is declared admissible by the Front Line Service on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the Litigation Chamber in pursuant to Article 62, § 1 of the LCA. 4. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order inside the DPA, a copy of the file may be requested by the parties. If one of parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. II. Motivation 5. Article 15.1.a) of the GDPR provides that the data subject can contact the controller processing in order to achieve the purpose of the processing. 6. Under Article 12.3 of the GDPR, the controller has a maximum period one month from the request for access to provide a response. This period may, under conditions, be extended for two additional months. 7. Furthermore, in its capacity as data controller, the defendant is required to implement data protection principles and must be able to demonstrate that these are respected (principle of responsibility – article 5.2. of the GDPR). This includes the 1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been declared admissible. 2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following of this complaint, the file was forwarded to him. Decision 17/2023 – 3/6 principle of security included in article 5.1.f) and which is now erected in the GDPR at the same rank than the fundamental principles of legality, transparency and fairness. 8. The obligations of data controllers with regard to the security of processing are established in articles 32 et seq. of the GDPR. Although logging is not expressly mentioned in the GDPR, keeping a journal of log files constitutes a technical and organizational measure envisaged in Article 32 GDPR. It constitutes a good practice, recommended to the data controller when this measure is adapted to the risks associated with the characteristics of the processing. This practice has also been enshrined by the legislator who integrated this obligation into article 17 of the law of 8 August 1983 organizing a national register of natural persons. 3 4 9. In this case, it appears from the emails sent by the complainant to the municipality, that he exercised his right of access regarding the purpose of the consultation of his file in the register national (Article 15.1a) of the GDPR). 10. It appears from the complainant's emails and the content of the complaint that the municipality would never have Responded to the complainant's access requests. 11. The Litigation Division considers that on the basis of the aforementioned facts, there is reason to conclude that the defendant may have breached the provisions of the GDPR, which which justifies that in this case, it is making a decision in accordance with Article 95, § 1, 5° of the LCA, more specifically, to order compliance with the request of the complainant of the complainant to exercise his right of access (article 15.1 of the GDPR) and this in particular seen: - That under article 17 of the law of August 8, 1983 organizing a national register of natural persons, the data controller must be able to justify the consultations carried out and provide the purpose of the consultations; - The evidence provided by the complainant demonstrating that there was indeed consultation with its national registry file by the defendant; - Copies of emails sent by the plaintiff demonstrating that he has exercised his right access provided for in Article 15.1 of the GDPR; - That the complainant indicates that he received no response to his requests for access. 3 Law of 8 August 1983 organizing a national register of natural persons. Available on https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi 4For more details, the Litigation Chamber refers in particular to its decision 129/2021 of November 26, 2021, § 33 and s. Available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf Decision 17/2023 – 4/6 12. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint lodged by the complainant/the complainant, within the framework of the “procedure prior to the substantive decision” and not a 5 decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA. 13. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 14. If, however, the defendant does not agree with the content of this decision prima facie and believes that it can make factual and/or legal arguments that could lead to another decision, it may send the Litigation Chamber a request for treatment on the merits of the case via the e-mail address litigationchamber@apd- gba.be, within 30 days of notification of this decision. The case applicable, the execution of this decision is suspended for the period aforementioned. 15. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, the this decision is permanently suspended. 16. With a view to transparency, the Litigation Chamber finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL .6 5Section 3, Subsection 2 of the ACL (Articles 94 to 97 inclusive). 6Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data ; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 17/2023 – 5/6 III. Publication of the decision 17. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with to articles 98 e.s. of the ACL: - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to comply with the request of the person concerned to exercise his right of access (article 15.1 of the GDPR) regarding the consultation of his file of the national register, and to send the information to the complainant within the 30 days from the date of notification of this decision; - to order the defendant to inform by e-mail the Data Protection Authority data (Litigation Chamber) of the follow-up given to this decision, in the same deadline, via the e-mail address litigationchamber@apd-gba.be; And - if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the 7 information listed in article 1034ter of the Judicial Code. The interlocutory motion must be 7The request contains on penalty of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; Decision 17/2023 – 6/6 8 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (S.) Hielke H IJMANS President of the Litigation Chamber 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 8 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.