APD/GBA (Belgium) - 129/2023: Difference between revisions
No edit summary |
No edit summary |
||
(2 intermediate revisions by one other user not shown) | |||
Line 61: | Line 61: | ||
}} | }} | ||
The Belgian DPA dismissed a complaint regarding automatic number plate recognition cameras, because the complaint did not meet the criteria of having had a ''"high personal impact"'' on the data subject. | The Belgian DPA dismissed a complaint regarding automatic number plate recognition cameras, because the complaint did not meet the criteria of having had a ''"high personal impact"'' on the data subject within the meaning of Article 35 GDPR. | ||
== English Summary == | == English Summary == | ||
Line 77: | Line 77: | ||
=== Holding === | === Holding === | ||
The Belgian DPA dismissed the complaint on the grounds of (1) ''"lack of sufficient personal impact | The Belgian DPA dismissed the complaint on the grounds of (1) ''"lack of sufficient personal impact"'' for the purposes of [[Article 35 GDPR|Article 35 GDPR]], and (2) ''"insufficient documentary evidence"'' that an ''"effective"'' infringement of the GDPR had taken place. | ||
In reaching its conclusion on these two grounds, the DPA stated that "''the complainant raises a socially relevant issue, but does not demonstrate that an <u>effective</u> infringement of the GDPR has occured. As the complainant does not exercise any rights of a data subject and is merely asking for more information regarding a possible data protection impact assessment, the [DPA] finds that the grievances raised by the complainant do not meet the criteria of high personal impact."''<ref>para 12. </ref> | In reaching its conclusion on these two grounds, the DPA stated that "''the complainant raises a socially relevant issue, but does not demonstrate that an <u>effective</u> infringement of the GDPR has occured. As the complainant does not exercise any rights of a data subject and is merely asking for more information regarding a possible data protection impact assessment, the [DPA] finds that the grievances raised by the complainant do not meet the criteria of high personal impact."''<ref>para 12. </ref> | ||
The DPA concluded that the burden of proof lay on the data subject to establish GDPR violations, and noted that the data subject could resubmit a complaint if they could demonstrate a breach of the duty to inform under [[Article 14 GDPR|Article 14]] or lack of confidentiality under [[Article 5 GDPR#1f|Article 5(1)(f)]]. | |||
== Comment == | == Comment == | ||
Line 92: | Line 94: | ||
''In principle, the [Belgian DPA] will deem it appropriate to deal with your complaint in depth if it involves grievances with a <u>major social and/or personal impact</u>, in other words if it involves one of the following situations:'' | ''In principle, the [Belgian DPA] will deem it appropriate to deal with your complaint in depth if it involves grievances with a <u>major social and/or personal impact</u>, in other words if it involves one of the following situations:'' | ||
# ''Profiling and predictive activities relating to aspects of the individual's | # ''Profiling and predictive activities relating to aspects of the individual's work performance, economic status, health, personal preferences or interests, reliability or behaviour, or location and travel.'' | ||
# ''Automated decision-making with legal effect (or similar significant effects) on the | # ''Automated decision-making with legal effect (or similar significant effects) on the data subject (e.g. granting credit based on automated criteria).'' | ||
# ''Processing operations used to observe, monitor or control data subjects, including | # ''Processing operations used to observe, monitor or control data subjects, including the collection of data over networks or by "systematic surveillance of a publicly accessible area" (e.g. camera surveillance in public places).'' | ||
# ''Processing of sensitive data of a highly personal nature, namely personal data | # ''Processing of sensitive data of a highly personal nature, namely personal data as referred to in Article 9 of the GDPR (data concerning health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a person, or data relating to a person's sexual behaviour or sexual orientation), as well as personal data relating to criminal convictions or offences (Article 10 of the GDPR).'' | ||
# ''Widely processed data, taking into account the following factors:'' | # ''Widely processed data, taking into account the following factors:'' | ||
#* ''the number of people affected, either in absolute terms or in relation to the | #* ''the number of people affected, either in absolute terms or in relation to the population under consideration;'' | ||
#* ''the volume of data and/or range of different data elements processed;- The geographical scope of the processing activity (e.g. cross-border or not).'' | #* ''the volume of data and/or range of different data elements processed;- The geographical scope of the processing activity (e.g. cross-border or not).'' | ||
# ''Cross-referencing or combining data sets from different processing activities in a | # ''Cross-referencing or combining data sets from different processing activities in a way that goes beyond the data subject's reasonable expectations (e.g. other than the purposes for which the data were collected).'' | ||
# ''Data concerning vulnerable persons who cannot freely consent (e.g. children,workers, mentally ill people, asylum seekers, patients).'' | # ''Data concerning vulnerable persons who cannot freely consent (e.g. children,workers, mentally ill people, asylum seekers, patients).'' | ||
# ''Use of new technological or organisational solutions whose impact on data subjects is not easily foreseeable (e.g. facial recognition systems).'' | # ''Use of new technological or organisational solutions whose impact on data subjects is not easily foreseeable (e.g. facial recognition systems).'' | ||
# ''Processing that prevents data subjects from exercising a right or receiving a service or contract."'' | # ''Processing that prevents data subjects from exercising a right or receiving a service or contract.'' | ||
''These criteria are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under Article 35 GDPR. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person). Please consult the professional section of [our] website if you would like further explanation on the criteria of Article 35 GDPR."'' | |||
== Further Resources == | == Further Resources == |
Latest revision as of 06:45, 20 September 2023
APD/GBA - 129/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(f) GDPR Article 14 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 18.07.2023 |
Decided: | 06.09.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 129/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA dismissed a complaint regarding automatic number plate recognition cameras, because the complaint did not meet the criteria of having had a "high personal impact" on the data subject within the meaning of Article 35 GDPR.
English Summary
Facts
The controller is a parking space provider using Automatic Number Plate Recognition (ANPR) Cameras. The controller used an ANPR system to facilitate the automatic opening and closing of entry bariers to the premises. After a customer payed for the parking time registed to a vehicle with a certain number plate, the exit to the premises automatically opened for a vehicle with that number plate.
Using this system, the controller collected the following information (1) the automatic registration of a car's number plate once it has entered the premises, (2) an exact timestamp of entering the premises and duration of parking, and (3) a picture of each vehicle.
On 12 July 2023, the data subject contacted the controller asking whether a data protection impact assessment had been undertaken prior to the implementation of the system, and if so, what the outcome of it was.
On 14 July 2023, the controller replied stating that their new payment mechanism "guarantees the privacy of all users", but disregarded the data subject's question regarding the data protection impact assessment.
On 18 July 2023, the data subject filed a complaint with the Belgian DPA regarding the controller's failure to respond adequately to their request.
Holding
The Belgian DPA dismissed the complaint on the grounds of (1) "lack of sufficient personal impact" for the purposes of Article 35 GDPR, and (2) "insufficient documentary evidence" that an "effective" infringement of the GDPR had taken place.
In reaching its conclusion on these two grounds, the DPA stated that "the complainant raises a socially relevant issue, but does not demonstrate that an effective infringement of the GDPR has occured. As the complainant does not exercise any rights of a data subject and is merely asking for more information regarding a possible data protection impact assessment, the [DPA] finds that the grievances raised by the complainant do not meet the criteria of high personal impact."[1]
The DPA concluded that the burden of proof lay on the data subject to establish GDPR violations, and noted that the data subject could resubmit a complaint if they could demonstrate a breach of the duty to inform under Article 14 or lack of confidentiality under Article 5(1)(f).
Comment
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
Belgian DPA dismissal policy (in Dutch).
In this document, the Belgian DPA's criteria for "high personal impact" is stated as follows:
"3.2.1 General criteria for high social and/or personal impact
In principle, the [Belgian DPA] will deem it appropriate to deal with your complaint in depth if it involves grievances with a major social and/or personal impact, in other words if it involves one of the following situations:
- Profiling and predictive activities relating to aspects of the individual's work performance, economic status, health, personal preferences or interests, reliability or behaviour, or location and travel.
- Automated decision-making with legal effect (or similar significant effects) on the data subject (e.g. granting credit based on automated criteria).
- Processing operations used to observe, monitor or control data subjects, including the collection of data over networks or by "systematic surveillance of a publicly accessible area" (e.g. camera surveillance in public places).
- Processing of sensitive data of a highly personal nature, namely personal data as referred to in Article 9 of the GDPR (data concerning health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a person, or data relating to a person's sexual behaviour or sexual orientation), as well as personal data relating to criminal convictions or offences (Article 10 of the GDPR).
- Widely processed data, taking into account the following factors:
- the number of people affected, either in absolute terms or in relation to the population under consideration;
- the volume of data and/or range of different data elements processed;- The geographical scope of the processing activity (e.g. cross-border or not).
- Cross-referencing or combining data sets from different processing activities in a way that goes beyond the data subject's reasonable expectations (e.g. other than the purposes for which the data were collected).
- Data concerning vulnerable persons who cannot freely consent (e.g. children,workers, mentally ill people, asylum seekers, patients).
- Use of new technological or organisational solutions whose impact on data subjects is not easily foreseeable (e.g. facial recognition systems).
- Processing that prevents data subjects from exercising a right or receiving a service or contract.
These criteria are inspired by those used by the European Data Protection Authorities to identify "high-risk" processing operations that should be subject to a prior impact assessment under Article 35 GDPR. These criteria take into account both societal (impact on multiple individuals) and personal factors (impact on a single person). Please consult the professional section of [our] website if you would like further explanation on the criteria of Article 35 GDPR."
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6 Dispute Chamber Decision 129/2023 of September 6, 2023 File number: DOS-2023-03077 Subject: introducing a payment system based on ANPR cameras underground parking lots The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Defendant: Mr. X, hereinafter “the complainant”; The defendant: Y, hereinafter “the defendant”. Decision 129/2023 — 2/6 I. Facts and procedure 1. The subject of the complaint concerns the introduction of a new payment system at the using ANPR cameras in the underground car parks of Y. 2. The complainant wrote to the defendant on July 12, 2023 in connection with the payment mechanism the underground car parks of Y. The car parks use ANPR cameras when the car enters a parking garage, the license plate is automatically displayed is registered and the barrier goes up automatically. When leaving, the driver enters his license plate into one of the payment terminals, after which the terminal according to the complainant, would provide an overview with the following information: i) confirmation of the presence of the car in the garage, ii) the exact time of entry and the duration of parking, iii) a photo of the car involved. Driver serves next to confirm and pay and can then leave the garage through the barrier automatically, without any intervention by the driver, goes up again, again on the basis of ANPR cameras placed at the exit of the parking garage . 3. In particular, the complainant questions the data protection law nature of this system. He expressly inquires whether there is one data protection impact assessment (hereinafter: GEB) took place around practice and what the results were. 4. In the answer on behalf of the defendant dated July 14, 2023, the Z replied that this new payment mechanism that also guarantees the privacy of all users. She also explains why the system gains in efficiency. It does not respond to the complainant's request results of a GEB and does not indicate whether such an investigation has been carried out took place. 5. On July 18, 2023, the complainant submits a complaint to the Data Protection Authority against the defendant. 6. On July 20, 2023, the complaint will be declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber. II. Justification 7. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case 1 ¨[…] Decision 129/2023 — 3/6 the Disputes Chamber will dismiss the complaint in accordance with Article 95, § 1, 3° WOG, based on the following justification. 8. If a complaint is dismissed, the Disputes Chamber will make its decision 2 to motivate gradually and: - to issue a technical dismissal if the file does not exist or is insufficient contains elements that could lead to a conviction, or if there is insufficient there is a prospect of a conviction due to a technical obstacle, which prevents her from reaching a decision; - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the dismissal policy of the Disputes Chamber. 3 9. In the event of dismissal on more than one ground, the grounds for dismissal (resp. technical dismissal and policy dismissal) should be treated in order of importance. 4 10. In the present file, the Disputes Chamber will dismiss the complaint, on the grounds of a lack of personal interest. What follows is the basis of the decision of the Disputes Chamber as to why it considers it undesirable to take further action to the file and therefore decides not to proceed with, inter alia, a hearing at ground. 11. First of all, the Disputes Chamber will check in accordance with its dismissal policy whether the submitted complaint contains grievances with a major personal impact. The Dispute Chamber emphasizes firstly, that the complainant does not exercise any rights in this case. Both in the communication he has sent to the defendant if the actual complaint does not mention any rights of one data subject - as included in the GDPR - exercised. The Dispute Chamber takes furthermore, take into account that the complainant does not demonstrate that he himself was a user of one parking with such a payment system. 12. The complainant raises a socially relevant issue, but does not demonstrate that there is any an effective infringement of the GDPR occurs. Since the complainant has no rights of any the person concerned wishes to exercise and merely requests more information about a 2Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18. 3 In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf 4 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber. 5In accordance with grounds for dismissal B.5. Decision 129/2023 — 4/6 possible GEB, the Disputes Chamber determines that the grievances put forward by the complainant do not meet the criteria of high personal impact, as set by the GBA described in his dismissal policy. 13. Despite the fact that the Disputes Chamber cannot prima facie establish that there is no violations of the GDPR have occurred, the Disputes Chamber must take this into account with the lack of personal interest and the lack of documentary evidence conclude that the complaint in this case does not require substantive treatment. Under Article 77 GDPR, every data subject, whose personal data is processed within the territorial scope of the GDPR, of a right of complaint. Moreover, it can be done accordingly Article 58 WOG anyone – and not just those involved – can file a complaint with the Data Protection Authority. However, this objective right to complain does not imply that any complaint can and will be thoroughly investigated by the competent authority 6 the intrinsic lack of resources. The Belgian legislator has “the need for this the Data Protection Authority to be able to act selectively with a view to a effective and efficient enforcement policy” is explicitly recognised. 14. However, the Disputes Chamber points out the right of the complainant to submit a new complaint, if he can provide documents that prove that the complainant is indeed personally involved interest and the complainant indicates which rights as a data subject have been violated (for example, the lack of information in accordance with Article 14 GDPR when entering of the parking garage about the relevant processing of personal data occur or a breach of confidentiality of personal data on it time of payment in accordance with Article 5.1.f GDPR). In this case it will also be taken into account will be taken into account with previously submitted complaints regarding the same issue. III. Publication and communication of the decision 15. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. On the other hand, it is not necessary that the identification details of the parties are disclosed directly. 16. In accordance with its deposit policy, the Disputes Chamber will issue the decision to the defendant to transfer . After all, the Disputes Chamber has decided to dismiss its decisions 6Cf. Court of Justice EU, judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112. 7 Own emphasis in quotation, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available via: https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&leg islat=54&fileID=2648, 51. 8Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this? of the dismissal policy of the Disputes Chamber. Decision 129/2023 — 5/6 ex officio to the defendants. However, the Dispute Chamber decided not to do so such a notification when the complainant has requested anonymity in this regard of the defendant and the notification of the decision to the defendant, even if it is pseudonymised, nevertheless makes it possible to contact the complainant 9 (re)identify . However, this is not the case in the present case. FOR THESE REASONS , the Disputes Chamber of the Data Protection Authority decides, after deliberation, to dismiss the present complaint on the basis of Article 95, § 1, 3° of the WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision will be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition must contain information listed in Article 1034ter of the Judicial Code. It 10 an objection petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code). To enable the complainant to consider other possible remedies, the Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 12 9Ibid. 10The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 11 The petition with its attachment will be sent by registered letter in as many copies as there are parties involved. deposited with the clerk of the court or at the registry. 12 Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber. Decision 129/2023 — 6/6 The Disputes Chamber emphasizes that the closure of cases by the Data Protection Authority may be taken into account for its future determine priorities and/or may give rise to future investigations on its own initiative by the Inspection Service of the Data Protection Authority. (get). HielkeIJMANS Chairman of the Disputes Chamber
- ↑ para 12.