APD/GBA (Belgium) - 73/2023: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=73/2023 |ECLI= |Original_Source_Name_1=Autorité de protection des données |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-73-2023.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Origina...") |
m (Fixed a typo and punctuation) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
An employee using a personal phone to take pictures of an asylum seeker's social medias to use it in the asylum procedure is not violating the GDPR, even if the asylum office prohibited the use of private devices at work. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
During a hearing as part of an asylum application, an employee of the Office of the Commissioner General for Refugees and Stateless Persons ( | During a hearing as part of an asylum application, an employee of the Office of the Commissioner General for Refugees and Stateless Persons (controller) took photographs with his private phone of social networks of the applicant (data subject). The photographs were added to his file. | ||
The CGRA responded to the data subject that the employee only had his best interests at heart i.e. an effective and swift procedure. | The data subject was concerned whether this was standard practice and what happened with the pictures on the mobile phone. The CGRA responded to the data subject that the employee only had his best interests at heart, i.e. an effective and swift procedure. Unsatisfied, the data subject filed a complaint with the Belgian DPA. | ||
In its defense, the controller stressed that it provides its employees with work equipment and that there is no BYOD (Bring Your Own Device) policy. The usage of a private mobile phone was thus not allowed. It emphasised that this practice is neither widespread nor official and this has been communicated to the employee in question, as well as all other employees to prevent similar situations from occurring. The controller also added that the pictures were deleted immediately after the interviews. | |||
=== Holding === | === Holding === | ||
The Belgian DPA established that the taking of photographs with a private phone | The Belgian DPA established that the taking of photographs with a private phone constituted processing of personal data according to [[Article 4 GDPR#1|Article 4(1)]] and [[Article 4 GDPR#2|Article 4(2)]] and that the employer was the controller according to [[Article 4 GDPR#7|Article 4(7)]], regardless of the employee acting in breach or in compliance of internal procedures. | ||
The DPA noted that the awareness measures to prevent further incidents constituted a good practice. | |||
Concerning the use of private phone, the DPA stated that the implementation of BYOD for work related activities is not a problem ''per se'' but can present certain risks, a risk assessment is thus required, especially when dealing with personal data in a sensitive context, such as an asylum application. | |||
In this case, the DPA concluded that nothing pointed towards a breach of the GDPR, regardless of the usage of personal equipment being against the controller's policy. The DPA reminded that the pictures were taken in favour of the data subject and were removed immediately from the personal device when retention was no longer required. | |||
Based on the above, the DPA dismissed the | Based on the above, the DPA dismissed the complaint. | ||
== Comment == | == Comment == | ||
In another case, an employee was qualified as controller when breaching the employers' internal procedures, and processing data for private purposes : [https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-129-2021.pd case 129/2021]. The difference in this case is that the purpose of the processing was to perform the employer's activity. | |||
The | |||
== Further Resources == | == Further Resources == | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' |
Latest revision as of 11:59, 26 June 2023
APD/GBA - 73/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(7) GDPR Article 95, §1, 3° Loi portant création de l’Autorité de protection des données |
Type: | Complaint |
Outcome: | Rejected |
Started: | 23.02.2023 |
Decided: | 12.06.2023 |
Published: | |
Fine: | n/a |
Parties: | Commissariat Général aux Réfugiés et Apatrides (CGRA) |
National Case Number/Name: | 73/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de protection des données (in FR) |
Initial Contributor: | Enzo Marquet |
An employee using a personal phone to take pictures of an asylum seeker's social medias to use it in the asylum procedure is not violating the GDPR, even if the asylum office prohibited the use of private devices at work.
English Summary
Facts
During a hearing as part of an asylum application, an employee of the Office of the Commissioner General for Refugees and Stateless Persons (controller) took photographs with his private phone of social networks of the applicant (data subject). The photographs were added to his file.
The data subject was concerned whether this was standard practice and what happened with the pictures on the mobile phone. The CGRA responded to the data subject that the employee only had his best interests at heart, i.e. an effective and swift procedure. Unsatisfied, the data subject filed a complaint with the Belgian DPA.
In its defense, the controller stressed that it provides its employees with work equipment and that there is no BYOD (Bring Your Own Device) policy. The usage of a private mobile phone was thus not allowed. It emphasised that this practice is neither widespread nor official and this has been communicated to the employee in question, as well as all other employees to prevent similar situations from occurring. The controller also added that the pictures were deleted immediately after the interviews.
Holding
The Belgian DPA established that the taking of photographs with a private phone constituted processing of personal data according to Article 4(1) and Article 4(2) and that the employer was the controller according to Article 4(7), regardless of the employee acting in breach or in compliance of internal procedures.
The DPA noted that the awareness measures to prevent further incidents constituted a good practice.
Concerning the use of private phone, the DPA stated that the implementation of BYOD for work related activities is not a problem per se but can present certain risks, a risk assessment is thus required, especially when dealing with personal data in a sensitive context, such as an asylum application.
In this case, the DPA concluded that nothing pointed towards a breach of the GDPR, regardless of the usage of personal equipment being against the controller's policy. The DPA reminded that the pictures were taken in favour of the data subject and were removed immediately from the personal device when retention was no longer required.
Based on the above, the DPA dismissed the complaint.
Comment
In another case, an employee was qualified as controller when breaching the employers' internal procedures, and processing data for private purposes : case 129/2021. The difference in this case is that the purpose of the processing was to perform the employer's activity.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9 Litigation Chamber Decision 73/2023 of June 12, 2023 File number: DOS-2023-00901 Subject: Complaint relating to the taking of photographs with a mobile phone personnel by an employee in the performance of his or her duties The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, President, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the data protection), hereinafter GDPR; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL); Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to processing of personal data (hereinafter LTD); Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The plaintiff: Mr. X, hereinafter “the plaintiff”; The defendant: The General Commissariat for Refugees and Stateless Persons (CGRA), whose headquarters is established at 1070 Brussels (Anderlecht), rue Ernest Blérot, 39 and registered with the Crossroads Bank for Enterprises (BCE) under number 0308.356.862, below after "the defendant". Decision 73/2023 - 2/9 I. Facts and procedure 1. The complaint concerns the taking of photographs by an employee of the defendant using his personal mobile phone during a hearing organized as part of the complainant's asylum application process. 2. On February 23, 2023, the complainant filed a complaint with the Authority for the Protection of data (APD). He directs his complaint against the attaché in charge of contacts with lawyers (see also note 1). 3. In his complaint, the Complainant states the following. 4. During the month of November 2022, the complainant, accompanied by his counsel, was interviewed by the defendant. The plaintiff reports that during this interview, the police officer 1 protection (employee of the defendant) in charge of the plaintiff's file has, on 4 occasions with a cell phone, taken photographs of social media pages of members of the complainant's family and attach them to the file. 5. Following this hearing, Counsel for the Complainant contacted the Respondent to inform of his astonishment at this taking of photographs and of what this practice seemed to violate applicable data protection regulations. THE plaintiff's counsel notes in this respect that "it is about the taking of a photo by mobile phone (professional or personal? [see below]) data of the applicant for protection international on the mobile phone of the applicant for international protection without having requested his prior consent and which concerns data of third parties”. In this same letter, the Counsel for the Complainant therefore also asks the question of the assets whether these photographs were taken with a private or professional mobile phone, if it is a practice generalized within the defendant and what happens to the photographs recorded on the mobile phone of the author of the photos. 6. In December 2022, the defendant will, through the attaché responsible for contacts with the lawyers to whom counsel for the plaintiff had addressed, responded in the manner next : 1The protection officer and his function are described as follows on the CGRA website: https://www.cgra.be/fr/travailler-pour-le-cgra The protection officer protection is the key figure in the fulfillment of the fundamental mission of the CGRS. He has a university education, is passionate about human rights and international politics and has excellent writing skills. The protection officer develops in-depth knowledge of the countries of origin applicants for international protection and regularly follows training in order to keep its expertise and the skills necessary for the exercise of his function. The protection officer hears the applicant for international protection about all the elements contained in the file. He checks the credibilityandexamineswhetherthereasonsfortherequestmeetthecriteriathatmayresultinthegrantingofprotectionstatus.Theprotectionofficerthen drafts a duly substantiated proposal for a decision. Decision 73/2023 - 3/9 “Master X, We would like to follow up on your intervention of […] November by informing you of what follows. It emerges from discussions with the protection officer who heard your client that he actually used his private phone to take photographs. He rocks that he has always been committed to strictly respecting confidentiality and data of the applicants. He had no other intention than to achieve efficient and rapid handling of the file for which he is responsible. The photographs taken were attached to the administrative file and deleted from his phone immediately after the November […] interview. However, this way of proceeding is incompatible with the modus operandi of the CGRS. The CGRS provides its employees with work equipment necessary for the performance of their professional duties. Therefore, take photos with an employee's private cell phone should not have happened. We insist on the fact that this is a practice at the CGRS which is neither generalized nor official. This was also communicated to the protection officer in question. And will be also communicated to other employees to prevent this situation from occurring. reproduce”. 7. On February 23, 2023, i.e. the same day the complaint was filed, the Service de Première Ligne (SPL) of the DPA declares the said complaint admissible on the basis of Articles 58 and 60 of the LCA, and sends it to the Litigation Division in accordance with Article 62, § 1 of the LCA. II. Motivation 8. The Litigation Chamber notes, as already mentioned in point 1, that in its form of complaint, the complainant directs his complaint against the attaché in charge of contacts with lawyers. In his post-hearing letter (point 5), the complainant also seems directly implicate the protection officer who took the decision photographs during the hearing. 9. The Litigation Chamber is of the opinion that this last employee of the defendant is not the controller in this case. Indeed, while it is undeniable that taking photographs of family members in the context described by the complaint is constituting a processing (article 4.2.) of personal data (article 4.1.) within the meaning of GDPR, the only circumstance that these photographs were taken by the employee in question does not make him a controller of said data within the meaning of Decision 73/2023 - 4/9 section 4.7. of the GDPR. Furthermore, the fact that this employee took these photographs with his personal mobile phone, even in violation of the internal rules of application with the defendant, does not make him a controller within the meaning of this same item. 10. The data controller is indeed defined therein as being “the natural person or legal entity, public authority, service or other body which, alone or jointly with others,determinesthepurposesandmeansofprocessing”.Article 4.7.further specifies that “when the purposes and means of this processing are determined by the law of the Union or the law of a Member State, the controller may be designated or the specific criteria for its designation may be provided for by Union law or by the law of a Member State". 11. The Litigation Chamber is of the opinion that the employee concerned did not determine the purposes data processing. The processing complained of took place in the exercise of its function of protection officer of the defendant, in compliance with the missions legally assigned to the defendant. In this regard, the Litigation Chamber notes that the defendant has a privacy policy available on its website under the terms of which he identifies as data controller (see the section “Data of contact”) and under the terms of which it describes that in the context of the execution of legal, it processes personal data for the purpose of making decisions about applications for international protection/asylum as was the case in this case . 3 12. The Litigation Chamber also considers that even if he certainly used his telephone personal mobile phone - and not a professional mobile phone - (i.e. a "means" in the of section 4.7. of the GDPR) apart, it seems, from the instructions given by the defendant to In this respect, this discrepancy does not, in this case, make him a data controller who would have determined the purposes (quod non – see point 11 above) and the means, these elements being cumulative. The present case should be distinguished from the situation in which an employee would divert the purpose determined by the data controller to substitute a own purpose, for example. The Litigation Chamber has thus already had the opportunity to requalify an employee as a data controller in cases where the latter had misappropriated access to the national register granted to him in the exercise of his functions for the 4 consult for strictly personal purposes. The same applies to the subcontractor who 2Emphasis added by the Litigation Chamber. 3The basis for the lawfulness of the data processing carried out by the defendant does not therefore have to be based on the consent of the applicant for protection. Data such as photographs of members of his family also become data concerning him as soon as he mentions them in the context of a hearing in support of his own request. 4See. for example decision 129/2021 of the Litigation Chamber, point 23 in fine: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf . See. also decision 56/2021 of the Litigation Chamber, points 51 to 60 and the references cited: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-56-2021.pdf Decision 73/2023 - 5/9 would go beyond the instructions received from the data controller and would pursue a own purpose. In this case, he is requalified as data controller. 13. In the present case, this last scenario is also not applicable since the employee concerned is no more a subcontractor than he is a data controller. Bedroom Litigation recalls that is defined as a subcontractor within the meaning of Article 4.8. GDPR, “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. THE processor is therefore, as underlined by the EDPS in its guidelines relating to the notions of data controller and processor in the GDPR already mentioned "a separate entity from that of the data controller”. The EDPS thus states that "for be considered a processor, two basic conditions must be met: a) be a separate entity from the controller and b) process personal data staff on behalf of the controller (point 76). The EDPS adds that "a separate entity means that the data controller decides to delegate all or part 6 processing activities to an external organization (point 77)”. 14. It follows a fortiori from the foregoing that the defendant's attaché responsible for contacts with the lawyers and identified by the complainant as data controller under the terms of the complaint form (see note 1) is also not responsible for processing or sub- treating. 15. If they are not responsible for processing or subcontracting, the above-mentioned employees shall not may be accused of breach(es) of the GDPR. 16. These employees of the defendant are on the other hand “persons acting under the authority of the controller” within the meaning of Article 29 of the GDPR who, when they have access to personal data can only, except in exceptional cases, be processed on the instructions of the controller, or on the instructions of the defendant. In this regard, the Chamber Litigation notes that the defendant indicates that, following the facts complained of, he took awareness-raising measures for the employee concerned as well as for all personnel to prevent incidents such as the one denounced. This initiative is relevant. 17. The Litigation Chamber will now examine whether a breach of the GDPR or the rules data protection with which the Litigation Chamber is required to ensure compliance must be found on the part of the defendant who assumes the quality of responsible treatment. 5. European Data Protection Board (EDPB), Guidelines 07/2020 on the notions of controller and processor in the GDPR 6ttps://edpb.europa.eu/system/files/202202/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, point 86. European Data Protection Board (EDPB), Guidelines 07/2020 on the notions of controller and processor in the GDPR https://edpb.europa.eu/system/files/202202/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, page 4 of the French version and points 76-77. See. also Decision 175/2022 of the Litigation Chamber. Decision 73/2023 - 6/9 18. The Litigation Chamber recalls that the use of personal equipment by employees in the performance of their duties is a choice of the employer to authorize it or not, if necessary under certain conditions. In this case, we speak of BYOD, an acronym for “Bring Your Own Device” (in French: “Bring Your Personal Equipment from Communication" or AVEC), which designates the use of personal computer equipment in a professional context. This may be, for example, an employee who, in order to connect to the company network, use personal equipment such as their computer, his tablet or smartphone or, as in this case, the use of his telephone personal laptop for taking photographs to be attached in a file as evidence or documentation or the use of his telephone staff for computer testing. 19. BYOD is not “personal data processing” per se. It's a particular technical means, by means of which data processing takes place applicable. 20. The use of such personal equipment can certainly present increased risks, 7 particularly in terms of data security and should be subject to an evaluation particularly vigilant in terms of risk. Without this constituting a any remedy or sanction within the meaning of Article 95 of the ACL, the Chamber Contentious recalls in this regard the importance of data security, a fortiori when sensitive data is regularly processed - as in the case of the defendant - by the very nature of the missions entrusted to it or more generally, when data processing (sensitive or not) takes place in a context delicate as that of obtaining a right or the request for recognition of a status (as in the present case) which may expose the person concerned or his entourage at risk. 21. In this case, the defendant specifies that the use of personal equipment, such as a telephone personal laptop, by one of its employees in the exercise of its function, is contrary to the rules that it has in place. The use of their mobile phone by the employee concerned is an isolated fact contrary to the defendant's practices. 22. However, as recalled in point 19, the use of his mobile phone personnel by the employee concerned, even in contravention of internal rules, is not constituting processing within the meaning of the GDPR. Nothing in the file attests to the fact that the processing of said data would also have taken place in violation of the rules of data protection. If, as the Litigation Chamber explained above, the appeal 7The CNIL recommends a certain number of good practices relating to the use of BYOD here: https://www.cnil.fr/fr/byod-quelles-sont-les-bonnes-pratiques. See. also the work of the EDPS “Guidelines on the protection of personal data in mobile devices used by European institutions (December 2015), in particular points 90 and following devoted to the specific risks of BYOD: https://edps.europa.eu/sites/edp/files/publication/15-12-17_mobile_devices_en.pdf Decision 73/2023 - 7/9 to BYOD (whether in contradiction or in accordance with internal practices) increases potentially the risk of breaching the security of the data processed by means of such equipment, nothing in the file provides proof of a breach of the obligation security or any other breach of the GDPR. The defendant further clarified that thephotographsareimmediatelydeletedfromtheemployee's personal phone concerned. 23. Based on the facts described in the complaint file as summarized above and the parts produced, and on the basis of the powers attributed to it by the legislator under article 95, § 1 of the LCA, the Litigation Chamber decides on the action to be taken case. In this case, the Litigation Chamber decides to proceed with the classification without following up on the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below. 24. In matters of dismissal, the Litigation Chamber is required to justify its step-by-step decision and: - to pronounce a classification without technical continuation if the file does not contain or not sufficient elements likely to lead to a sanction or if it includes a technical obstacle preventing him from rendering a decision; - or pronounce a classification without further opportunity, if despite the presence elements likely to lead to a sanction, the continuation of the examination of the file does not seem to him to be appropriate given the priorities of the Autorité de data protection as specified and illustrated in the Privacy Policy dismissal of the Litigation Chamber. 9 25. In the event of dismissal based on several grounds, the latter (respectively, classification without technical follow-up and classification without opportunity follow-up) must be 10 dealt with in order of importance. 26. In this case, the Litigation Chamber decides to close the complaint without action on the grounds technical when it considers that no breach of the GDPR or the rules of protection of the data for which it cannot control, on the basis of grievances and documents produced in support of the complaint, be blamed on the defendant (criterion A.2. of the dismissal of the Litigation Chamber). III. Publication and communication of the decision 8. Court of Markets (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p.18. 9. In this respect, the Litigation Chamber refers to its policy of classification without follow-up as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf. 10Cf.Titre 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the classification policy without follow-up of the Litigation Chamber. Decision 73/2023 - 8/9 27. Given the importance of transparency with regard to the process decision-making and the decisions of the Litigation Chamber, this decision will be published on the ODA website. However, for this purpose it is not necessary that the data identification of the complainant are mentioned. 28. With regard to the identification of the defendant, the Litigation Chamber considers that the complete understanding of the decision - which one (without this being a criterion decisive) does not otherwise accuse the defendant of any breach - requires that the identity of the defendant is published. This depends on the specific nature of the defendant's mission, references cited relevant to the motivation of this decision and therefore to the effect useful transparency desired by the Litigation Chamber. 29. In accordance with its policy of dismissal, the Litigation Chamber 11 communicate the decision to the respondent. Indeed, the Litigation Chamber decided to communicate dismissal decisions to default defendants. There However, the Litigation Chamber refrains from such communication when the complainant requested anonymity vis-à-vis the defendant and when the communication of the decision to the defendant, even if pseudonymised, nevertheless risks being re-identified. 12 This is not the case in the present case. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be 11Cf.Titre 5 – Will the classification without follow-up be published? Will the opposing party be informed? of the classification policy without follow-up of the Contentious Chamber. 12. Ibidem. 1. The request contains on pain of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or company number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. Decision 73/2023 - 9/9 14 filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (se). Hielke HIJMANS President of the Litigation Chamber 14. The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.