APD/GBA (Belgium) - 87/2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=87/2023 |ECLI= |Original_Source_Name_1=APD/GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-en-berisping-nr.-87-2023.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_...")
 
 
(One intermediate revision by one other user not shown)
Line 74: Line 74:


=== Facts ===
=== Facts ===
A data subject was receiving direct marketing emails from a controller based in the US whose activity was to organize conferences in different countries, including in Europe. On 23 February 2023, he requested from the controller to delete his data under [[Article 17 GDPR#1|Article 17(1) GDPR]] but the controller did not follow up. On 28 March 2023, the data subject filed a complaint with the Belgian DPA.
A Belgian data subject was receiving direct marketing emails from a controller based in the US whose activity was to organize conferences in different countries, including in Europe. On 23 February 2023, he requested from the controller to delete his data under [[Article 17 GDPR#1|Article 17(1) GDPR]] but the controller did not follow up. On 28 March 2023, the data subject filed a complaint with the Belgian DPA.


=== Holding ===
=== Holding ===
Line 81: Line 81:
In this case, the DPA considered that the processing activity in question was related to the offering of goods and services to a data subject in the EU. Indeed, some conferences organized by the controller happen in Europe and the controller has a GDPR policy. These elements imply, according to the DPA, that the controller had an intention to actively offer these services within the EU.  
In this case, the DPA considered that the processing activity in question was related to the offering of goods and services to a data subject in the EU. Indeed, some conferences organized by the controller happen in Europe and the controller has a GDPR policy. These elements imply, according to the DPA, that the controller had an intention to actively offer these services within the EU.  


Regarding the erasure request, the DPA considered that by not responding to the erasure request, the controller breached Articles 12(3), 12(4) and 17(1) GDPR.  
Regarding the erasure request, the DPA considered that by not responding to the erasure request, the controller breached [[Article 12 GDPR|Articles 12(3)]], [[Article 12 GDPR|12(4)]] and [[Article 17 GDPR|17(1) GDPR.]]


The DPA added that the controller should have appointed a representative in one of the Member States where it is active according to [[Article 27 GDPR#3|Article 27(3) GDPR]] and that the identity and contact details of such representative must be provided to the data subjects according to Articles 13 and 14 GDPR. The DPA therefore warned the controller.
The DPA added that the controller should have appointed a representative in one of the Member States where it is active according to [[Article 27 GDPR#3|Article 27(3) GDPR]] and that the identity and contact details of such representative must be provided to the data subjects according to [[Article 13 GDPR|Articles 13]] and [[Article 14 GDPR|14 GDPR.]] The DPA therefore warned the controller.  
 
This decision is prima facie. Its purpose is to notify the controller of its breaches and give it the opportunity to comply with the provisions.


== Comment ==
== Comment ==
''Share your comments here!''
This decision is ''prima facie''. Its purpose is to notify the controller of its breaches and give it the opportunity to comply with the provisions.


== Further Resources ==
== Further Resources ==

Latest revision as of 20:10, 4 July 2023

APD/GBA - 87/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 13 GDPR
Article 14 GDPR
Article 17(1) GDPR
Article 27(3) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.06.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 87/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: n/a

According to the Belgian DPA, a US-based controller whose activity includes the organisation of conferences in Europe is subject to the GDPR and must, among other obligations, appoint a representative.

English Summary

Facts

A Belgian data subject was receiving direct marketing emails from a controller based in the US whose activity was to organize conferences in different countries, including in Europe. On 23 February 2023, he requested from the controller to delete his data under Article 17(1) GDPR but the controller did not follow up. On 28 March 2023, the data subject filed a complaint with the Belgian DPA.

Holding

The DPA first assessed if the GDPR was applicable. Since the controller was based outside the EU, according to Article 3(2) GDPR, two cumulative conditions must be met for the GDPR to be applicable: the processing must concern a data subject that is in the Union and the processing activity relates to the offering of goods or services to these data subjects or the monitoring of their behavior as far as their behavior takes place in the EU.

In this case, the DPA considered that the processing activity in question was related to the offering of goods and services to a data subject in the EU. Indeed, some conferences organized by the controller happen in Europe and the controller has a GDPR policy. These elements imply, according to the DPA, that the controller had an intention to actively offer these services within the EU.

Regarding the erasure request, the DPA considered that by not responding to the erasure request, the controller breached Articles 12(3), 12(4) and 17(1) GDPR.

The DPA added that the controller should have appointed a representative in one of the Member States where it is active according to Article 27(3) GDPR and that the identity and contact details of such representative must be provided to the data subjects according to Articles 13 and 14 GDPR. The DPA therefore warned the controller.

Comment

This decision is prima facie. Its purpose is to notify the controller of its breaches and give it the opportunity to comply with the provisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/7







                                                                                  Litigation room



                                                            Decision 87/2023 of 27 June 2023



File number : DOS-2023-01459



Subject: Exercising the right to erasure without the defendant having done so

follows



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
sole chairman;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (general
Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                  .

The complainant: Mr X, hereinafter referred to as “the complainant”; .
                                                                                                  .

The Defendant: Y, hereinafter “the Defendant”. Decision 87/2023 - 2/7



I. Factual Procedure


    1. On March 28, 2023, the complainant filed a complaint with the Data Protection Authority against the

        defendant.


    2. The complainant receives direct marketing emails from the defendant. On February 23, 2023, the

        the complainant sends a request for data erasure to the defendant. However, the complainant receives
        no reply to the request to view, but still direct marketing emails on 1,3,6,9,15,20,

        22, and 28 March 2023. On 28 March 2023, the complainant repeated its request for data erasure. Also

        the complainant receives no response to this request. Following this, the complainant submits a complaint to the

        Data Protection Authority and hereby makes the two requests for data erasure and the

        receive direct marketing emails about.

    3. On April 6, 2023, the complaint will be declared admissible by the First Line Service on the basis of the

        articles 58 and 60 WOG and the complaint is settled on the basis of art. 62, §1 WOG transferred to the

        Litigation room.


II. Motivation


    4. In order for the Disputes Chamber - to which the complainant appealed pursuant to Article 77 of the GDPR -

        would be competent to deal with his complaint, it is first of all necessary that the
        GDPR applies to the litigious facts or that other legislation related to

        data protection that may form the basis of the competence of the Litigation Chamber

        applies to.


    5. With regard to the territorial scope of the GDPR, Article 3 of the GDPR is assumed
        of two different cases. In the first case (Article 3.1 of the GDPR), the

        data processing carried out in the context of the activities of an establishment of a

        controller in the territory of the European Economic Area. This

        The first hypothesis therefore presupposes the existence of an establishment on the territory of

        European Economic Area. The complaint in the present case is directed against a legal entity
        which is located in the United States and has no place of business in the territory of the

        European Economic Area exists. Article 3.1 of the GDPR is therefore not applicable.


    6. The second case provided for in Article 3.2 GDPR specifies that the GDPR applies to the

        processing of personal data that meet the following three cumulative conditions:

      - the processing has been carried out by a controller that is not established in the

         European Economic Area;

      - the processing concerns data subjects who are located on the territory of the European

         Economic Area; and

      - these processing activities are related to: Decision 87/2023 - 3/7



       a) offering goods or services to these data subjects (article 3.2.a) GDPR) or

       b) monitoring their behavior, insofar as this behavior in the European Economic Area

       takes place (article 3.2.b) GDPR).



7. On the basis of the documents in the file, the Disputes Chamber is of the opinion that in this case

    cumulative conditions are met. With regard to the first condition, the
    Litigation Chamber established that the defendant is indeed not established in the European Economic Area

    Room.With regard to the second condition, the Litigation Chamber notes that the complaint does not

    it is clear whether the complainant was on the territory of the European Economic Area.

    Assuming that the complainant was indeed on the territory of the European

    Economic Area at the time of the indicted facts, this has also been complied with. Finally

    is also satisfied with the third condition. After all, the processing activity in question is related
    with "offering goods and services". After all, the defendant organizes conferences

    in different parts of the world, including Europe (namely Amsterdam) and informs the data subject of this

    and of its practical aspects, such as ticket sales and discount codes

    direct marketing emails. The intention to also actively offer these services within the

    European Economic Area is evidenced by the fact that the defendant has a "privacy policy" and a

    published “GDPR policy”. Consequently, the contested processing fulfills the conditions
    of Article 3.2 GDPR, which means that the GDPR applies.


8. Article 27.1 of the GDPR stipulates that controllers or processors acting on the basis of

    Article 3.2 GDPR, fall under the GDPR, are obliged to appoint a representative in the Union.

    The obligation contained in paragraph 1 of this article does not apply to: (i) incidental processing that does not

    large-scale processing of special categories of personal data as referred to in Article
    9(1) does not concern the processing of personal data related to criminal law

    convictions and criminal offenses as referred to in Article 10, and where there is a small chance that they will be a

    poses a risk to the rights and freedoms of natural persons, taking into account the

    nature, context, scope and purposes of processing; or (ii). a government agency or

    government body. These exemption criteria do not apply as the defendant

    actively targets those affected in the European Economic Area territory for it
    offering their services, and since the defendant is not a government agency or

    government body.


9. The representative is established in one of the Member States where the data subjects are located whose

    personal data are processed in connection with the provision of goods or services to them,

    or whose behavior is being observed (Article 27.3 GDPR). The identity and contact details of the
    representative must be provided to data subjects in accordance with Articles13 and

    14 GDPR. However, the Litigation Chamber notes that the GDPR Policy as published on the website

    of the defendant does not state the identity and contact details of the defendant. Decision 87/2023 - 4/7




    10. In view of the above, the Disputes Chamber therefore considers it appropriate to dismiss the defendant
        warn in accordance with article 58.1.a) AVG j ° article 95, § 1, 4 ° WOG, that they are considered not in the Union

        established controller that is subject to the GDPR, but not

        representative in the Union, or does not inform the data subjects about this, the

        violates Articles 13.1.a), 14.1.a) and 27.1 GDPR.


    11. The Disputes Chamber determines on the basis of the documents that substantiate the complaint that the complainant is entitled

        exercised on data erasure in accordance with Article 17.1 GDPR on February 23, 2023. Pursuant to

        Article 12.3 GDPR, the controller, in the case of the defendant, must respond to the request
        to respond to data erasure within one month of receipt of the request. Possibly possible

        this period may be extended by a further two months, given the complexity of the

        request. The complainant must then inform about this within one month of the request for data erasure

        extension will be notified. If the defendant decides not to comply with the

        request of the complainant, it must communicate this within one month of receipt of the request

        to the data subject, in accordance with Article 12.4 GDPR. It does not appear from the file that the complainant has any

        received a reply regarding the action taken by the defendant to the

        data erasure is performed. As a result, the controller has acted in

        contravenes Articles 12.3 and 12.4 GDPR, as well as Article 17.1 GDPR.

    12. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be

        concluded that a breach of the provisions of the GDPR was committed by the defendant,

        which justifies that in this case a decision is taken on the basis

        of Article 95, §1, 5° WOG, more specifically to order the defendant to comply with the

        exercise by the complainant of his right to erasure (article 17.1 GDPR).

    13. The present decision is a prima facie decision taken by the Litigation Chamber

        in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of

        the 'procedure prior to the decision on the merits' and no decision on the merits of the

        Disputes Chamber within the meaning of Article 100 WOG. The Disputes Chamber has thus decided on the basis

        of Articles 58.2. c) and 95, §1, 5° of the Law of 3 December 2017, to order the defendant

        that the data subject's requests to exercise his rights are met, more

        determines the right to erasure (“right to be forgotten”) as stipulated in Article 17 GDPR.

    14. The purpose of this decision is to inform the defendant that it is a

        has committed an infringement of the provisions of the GDPR and to enable it

        still to comply with the aforementioned provisions.


    15. However, if the defendant does not agree with the contents of this prima facie

        decision and is of the opinion that it can assert factual and/or legal arguments that lead to



1Section 3, Subsection 2 WOG (Articles 94 through 97). Decision 87/2023 - 5/7



        could lead to a different decision, this can be done via the email address litigationchamber@apd-

        gba.be submit a request for consideration of the merits of the case to the Disputes Chamber and this

        within 30 days of notification of this decision. The implementation of

        if necessary, this decision will be suspended during the aforementioned period.


    16. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber

        the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

        submit defenses as well as attach any documents they deem useful to the file. The

        the present decision will, if necessary, be definitively suspended.


    17. The Disputes Chamber points out for the sake of completeness so that a hearing on the merits of the case can take place

        lead to the imposition of the measures referred to in Article 100 WOG. 2


    18. Finally, the Disputes Chamber points out the following:


        If one of the parties wishes to make use of the possibility to consult and

        copying the file (Article 95, § 2, 3 ° WOG), it should turn to the secretariat

        of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment

        If a copy of the file is requested, the documents will be provided if possible

        delivered electronically or otherwise by regular mail. 3




III. Publication of the decision


    19. Given the importance of transparency with regard to decision-making by the

        Litigation Chamber, this decision will be published on the website of the

        Data Protection Authority. However, it is not necessary for this to include the identification data

        of the parties are disclosed directly.






2
 1° to dismiss a complaint;
 2° to order the exclusion of prosecution;
 3° order the suspension of the judgment;
 4° propose a settlement;
 5° formulate warnings and reprimands;
 6° order that the data subject's requests to exercise his rights be complied with;
 7° order that the data subject be informed of the security problem;
 8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
 9° order that the processing be brought into compliance;
 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data

command;
 11° to order the withdrawal of the accreditation of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° order the suspension of cross-border data flows to another State or an international institution;
 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the
file is given;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
3
 Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision 87/2023 - 6/7





    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, subject to the

    submission of a request by the defendant for a hearing on the merits in accordance with Article
                 1
    98 ff. WOG , at:


   - pursuant to article 58.2.a) AVG and article 95, §1, 4° WOG to warn the defendant that

       she as a controller not established in the Union that does fall under the GDPR, but

       has not appointed a representative in the Union or the data subjects have not

       informs , Articles 13.1.a), 14.1.a) and 27.1 GDPR violates GDPR.



   - on the basis of article 58.2.c) AVG and article 95, §1, 5 ° WOG to order the defendant that

       complied with the request of the data subject to exercise his rights, in particular the right

       to data deletion (article 17.1 GDPR), and to delete the relevant data

       personal data, and this within a period of 30 days from the notification of

       this decision;



   - order the defendant to inform the Data Protection Authority (Dispute Chamber) by e-mail

       within the same timeframe of the outcome of this decision via the e-mail

       email address litigationchamber@apd-gba.be; and



   - in the absence of the timely implementation of the above stated by the defendant, the case

       to be dealt with on the merits ex officio in accordance with Articles 98 et seq. of the WOG.




Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as defendant.


Such an appeal may be lodged by means of an inter partes petition that the in art
                                                                                    4
1034terofthe Judicial Codemustcontainenumeratedenumerations.

contradictions must be submitted to the Registry of the Market Court in accordance with Article







4 The petition states under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    enterprise number;
 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer. Decision 87/2023 - 7/7




1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of

the Ger.W.).





(get). Hilke Hijmans


Chairman of the Litigation Chamber






































































5 The petition with its annex, in as many copies as there are parties involved, is sent by registered letter to the
clerk of the court or deposited with the clerk of the court.